全国网络空间安全技术大赛-writeup

web

welcome

签到题,直接复制粘贴提交;

web1

1、用户名密码均为admin,登录进去;
2、提交远程图片链接http://127.0.0.1/flag.php
3、保存图片,以记事本打开得到flag;

misc

misc1

1、给了一张图片,binwalk分离出一段密文

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
b2Q5dU==
aDk5Ni==
ZG8wOW==
ZzYxYh==
ZjU4NT==
aXBjNF==
Q3dTM2==
d1Y5c1==
dFA3WV==
ZDNQUP==
ejhBMT==
dUowaW==
OVQ2ZD==
aUM5ZU==
NnFFek==
ZGc0T/==
NGpWNE==
NVZpUW==
ejZDTm==
a1VEN5==
azNMUX==
TXlhNW==
bjZwWm==
Q2Q0b1==

2、解密如下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
def get_base64_diff_value(s1, s2):
base64chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
res = 0
for i in xrange(len(s2)):
if s1[i] != s2[i]:
return abs(base64chars.index(s1[i]) - base64chars.index(s2[i]))
return res

def solve_stego():
with open('stego.txt', 'rb') as f:
file_lines = f.readlines()
bin_str = ''
for line in file_lines:
steg_line = line.replace('\n', '')
norm_line = line.replace('\n', '').decode('base64').encode('base64').replace('\n', '')
diff = get_base64_diff_value(steg_line, norm_line)
pads_num = steg_line.count('=')
if diff:
bin_str += bin(diff)[2:].zfill(pads_num * 2)
print (bin_str)
else:
bin_str += '0' * pads_num * 2
res_str = ''
for i in xrange(0, len(bin_str), 8):
res_str += chr(int(bin_str[i:i+8], 2))
print (res_str)

solve_stego()

misc3

1、下下来是一段MP3的音乐,一开始以为是MP3隐写,尝试了一下没有思路;
2、放出了提示需要在windows环境下解决,想到了NTFS流隐写;
3、下载一个ntfsInfo来分析文件,分离出一个文档;
4、打开文档全局搜索,得到一半flag;
5、这里想到另一应该是白色字体之类的,直接搜索},然后改一下字体颜色就找到了另一半flag;

misc3

1、下载得到一个流量包;
2、筛选icmp&&ip.src==10.175.XXX.XXX;
3、观察hex窗口,有两位会变化;
4、提取出来后加上flag{}提交即可;

crypto

RSA1

1、题目给的信息如下

1
2
3
4
5
{p:q:e:c}
{111052706592359766492182549474994387389169491981939276489132990221393430874991652628482505832745103981784837665110819809096264457329836670397000634684595709283710756727662219358743235400779394350023790569023369287367240988429777113514012101219956479046699448481988253039282406274512111898037689623723478951613
,146182161315365079136034892629243958871460254472263352847680359868694597466935352294806409849433942550149005978761759458977642785950171998444382137410141550212657953776734166481126376675282041461924529145282451064083351825934453414726557476469773468589060088164379979035597652907191236468744400214917268039573
,200
,7797067792814175554801975939092864905908878472965854967525218347636721153564161093453344819975650594936628697646242713415817737235328825333281389820202851500260665233910426103904874575463134970160306453553794787674331367563821223358610113031883172742577264334021835304931484604571485957116313097395143177603380107508691261081725629713443494783479897404175199621026515502716868988672289887933681890547568860707175288422275073767747544353536862473367590288531216644146154729962448906402712219657000812226637887827912541098992158458173920228864293993030475885461755767069329678218760943185942331149777258713727459739405}

2、脚本如下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
import math

def fastExpMod(b, e, m):
result = 1
while e != 0:
if (e&1) == 1:
# ei = 1, then mul
result = (result * b) % m
e >>= 1
# b, b^2, b^4, b^8, ... , b^(2^n)
b = (b*b) % m
return result

p = 111052706592359766492182549474994387389169491981939276489132990221393430874991652628482505832745103981784837665110819809096264457329836670397000634684595709283710756727662219358743235400779394350023790569023369287367240988429777113514012101219956479046699448481988253039282406274512111898037689623723478951613
q = 146182161315365079136034892629243958871460254472263352847680359868694597466935352294806409849433942550149005978761759458977642785950171998444382137410141550212657953776734166481126376675282041461924529145282451064083351825934453414726557476469773468589060088164379979035597652907191236468744400214917268039573
c = 7797067792814175554801975939092864905908878472965854967525218347636721153564161093453344819975650594936628697646242713415817737235328825333281389820202851500260665233910426103904874575463134970160306453553794787674331367563821223358610113031883172742577264334021835304931484604571485957116313097395143177603380107508691261081725629713443494783479897404175199621026515502716868988672289887933681890547568860707175288422275073767747544353536862473367590288531216644146154729962448906402712219657000812226637887827912541098992158458173920228864293993030475885461755767069329678218760943185942331149777258713727459739405
print("p:{}\nq:{}\nc:{}\n\n".format(p, q, c))

p_q_ = (p-1)*(q-1)
n = p*q
print("p_q_:{}\nn:{}\n\n".format(p_q_, n))

k0_ = p_q_ + 1
e2 = 0
while True:
if k0_%25==0:
e2 = k0_ // 25
break
k0_ += p_q_

ce2 = fastExpMod(c, e2, n)
print("k0_:{}\ne2:{}\nce2:{:x}\n\n".format(k0_, e2, ce2))

def newton_int_sqrt(n):
x0 = n
x1 = (n+1)//2
while x1 < x0:
x0 = x1
x1 = (x0+n//x0)//2
return x0

t = ce2
print("t:{:x}".format(t))
t_2 = newton_int_sqrt(t)
print("t_2:{:x} [{}]".format(t_2, t_2**2-ce2))
t_4 = newton_int_sqrt(t_2)
print("t_4:{:x} [{}]".format(t_4, t_4**4-ce2))
t_8 = newton_int_sqrt(t_4)
print("t_8:{:x} [{}]".format(t_8, t_8**8-ce2))

flag = []
t_8_ = t_8
while t_8 > 0:
flag.append(chr(t_8%256))
t_8 //= 256
flag.reverse()
print("".join(flag))

binary

Reverse1

1、下载得到一个pyc文件,在线反编译一下得到源码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
#!/usr/bin/env python
# visit http://tool.lu/pyc/ for more information
from hashlib import md5
import base64
from time import time
from datetime import datetime
import sys

def encodestr(string):
UC_KEY = '123456789'
key = md5(UC_KEY.encode('utf-8')).hexdigest()
keya = md5(key[0:16].encode('utf-8')).hexdigest()
keyb = md5(key[16:32].encode('utf-8')).hexdigest()
ckey_length = 4
keyc = md5(string.encode('utf-8')).hexdigest()[-ckey_length:]
cryptkey = md5((keya + keyc).encode('utf-8')).hexdigest()
key_length = len(cryptkey)
expiry = 20
string = '%10d' % expiry + md5((string + keyb).encode('utf-8')).hexdigest()[0:16] + string
box = range(256)
rndkey = [
0] * 256
for i in range(256):
rndkey[i] = ord(cryptkey[i % key_length])

string_length = len(string)
result = ''
j = 0
for i in range(256):
j = (j + box[i] + rndkey[i]) % 256
tmp = box[i]
box[i] = box[j]
box[j] = tmp

a = 0
j = 0
for i in range(string_length):
a = (a + 1) % 256
j = (j + box[a]) % 256
tmp = box[a]
box[a] = box[j]
box[j] = tmp
result += chr(ord(string[i]) ^ box[(box[a] + box[j]) % 256])

return result

if __name__ == '__main__':
str1 = raw_input('please enter the flag:')
res = encodestr(str1)
lenn = len(res)
d = [128,220,109,113,242,153,181,203,21,122,2,101,42,55,56,19,190,181,99,47,217,109,129,221,9,65,235,48,197,103,123,86,25,112,172,175,42,168,232,81,224,170,16,210,98,229,15,30,134]
for i in range(lenn):
if ord(res[i]) == d[i] or i == lenn - 1:
print 'you get it'

print 'wrong'
break

2、解密脚本

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
from hashlib import md5
import base64
from time import time
from datetime import datetime
import sys
de = [128,220,109,113,242,153,181,203,21,122,2,101,42,55,56,19,190,181,99,47,217,109,129,221,9,65,235,48,197,103,123,86,25,112,172,175,42,168,232,81,224,170,16,210,98,229,15,30,134]

key = '25f9e794323b453885f5181f1b624d0b'
keya = '3953774fdb05a8c20c2533e2f76c054e'
keyb = 'aa58c10da0dc0562655fafacdfbbde96'
ckey_length = 4
string_length = len(de)


#file1=open('11111.txt','w')
strx=['0','1','2','3','4','5','6','7','8','9','a','b','c','d','e','f']
for a1 in strx:
for b1 in strx:
for c1 in strx:
for d1 in strx:
keyc=a1+b1+c1+d1
cryptkey = md5((keya + keyc).encode('utf-8')).hexdigest()
key_length = len(cryptkey)
expiry = 20
box = range(256)
rndkey = [0] * 256
for i in range(256):
rndkey[i] = ord(cryptkey[i % key_length])

j = 0
for i in range(256):
j = (j + box[i] + rndkey[i]) % 256
tmp = box[i]
box[i] = box[j]
box[j] = tmp
a = 0
j = 0
result=''
for i in range(string_length):
a = (a + 1) % 256
j = (j + box[a]) % 256
tmp = box[a]
box[a] = box[j]
box[j] = tmp
result += chr(de[i]^box[(box[a] + box[j]) % 256])
#file1.write(result)
if 'flag' in result:
print result
#file1.close()

------ 本文结束感谢您的阅读 ------
坚持记录生活,您的支持将鼓励我继续创作!