2023-蓝桥杯-wp

蓝桥杯

最后成绩是省二啊

情报收集(web)

爬虫协议

image-20240427102727733

访问/robots.txt

image-20240427102809280

最后一个可访问

image-20240427102841917

flag在第二个里面(91……)

image-20240427103008944

flag{79f508c3-12fa-4514-aa2d-69165aa3bfed}

安全知识(理论)

单选1

image-20240427103219978

C

单选2

image-20240427103302357

C

单选3

image-20240427103326315

这道我做错了 选的A

应该是A(好像是按错了)

单选4

image-20240427103434930

A

单选5

image-20240427103512863

好像是B

单选6

image-20240427103630512

B

单选7

image-20240427103649524

C

单选8

image-20240427103706466

C

单选9

image-20240427103724848

B

单选10

image-20240427103750962

B

数据分析(misc)

packet

简单的流量分析

wireshark打开附件

找到发的shell.php

image-20240427104226841

跟踪流

image-20240427104253115

base64解码

image-20240427104354755

flag{7d6f17a4-2b0a-467d-8a42-66750368c249}

消失的数据

爆破解压包密码:

pavilion

发现应该是水印

exp:

import cv2
import numpy as np
import pywt

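class WaterMarkDWT:
    """Recover a watermark from the level-3 DWT coefficients of two images.

    Both images are converted to grayscale and decomposed with a 3-level
    'db2' wavelet transform. The weighted difference of their level-3
    coefficients is transformed back to an image and passed through the
    inverse Arnold (cat map) permutation.
    """

    def __init__(self, origin: str, watermark: str, key: int, weight: list):
        """Store the parameters and load both images.

        Args:
            origin: Path of the image that ``get`` resizes and subtracts
                (presumably the unmarked carrier; confirm against the
                embedder).
            watermark: Path of the image the coefficients are subtracted
                from (presumably the watermarked carrier).
            key: Arnold round count; see the note in ``arnold``.
            weight: Four scale factors, applied in order to the level-3
                approximation, horizontal, vertical and diagonal bands.

        Raises:
            ValueError: If ``weight`` does not hold exactly four values.
            OSError: If either image cannot be read.
        """
        # Check the cheap argument first; get() unpacks exactly four factors.
        if len(weight) != 4:
            raise ValueError("weight must contain exactly four factors")

        self.key = key
        self.coef = weight
        self.img = cv2.imread(origin)
        self.mark = cv2.imread(watermark)

        # cv2.imread signals a missing or undecodable file by returning None
        # instead of raising; fail here rather than deep inside get().
        if self.img is None:
            raise OSError(f"cannot read image: {origin!r}")
        if self.mark is None:
            raise OSError(f"cannot read image: {watermark!r}")

    def arnold(self, img):
        """Scramble a 2-D uint8 image with the Arnold map (a = b = 1).

        Returns a new array; ``img`` is left untouched.
        """
        r, c = img.shape
        p = np.zeros((r, c), np.uint8)

        a, b = 1, 1
        # NOTE(review): ``key`` only decides whether the map is applied at
        # all. Repeating the pass would re-read the untouched ``img`` and
        # rewrite the same cells of ``p``, so one pass gives the same output
        # as ``key`` passes. Feeding ``p`` back in each round would change
        # the result, so that is deliberately not done here.
        if self.key > 0:
            for i in range(r):
                for j in range(c):
                    x = (i + b * j) % r
                    y = (a * i + (a * b + 1) * j) % c
                    p[x, y] = img[i, j]
        return p

    def deArnold(self, img):
        """Undo ``arnold`` on a 2-D uint8 image (inverse map, a = b = 1).

        Returns a new array; ``img`` is left untouched.
        """
        r, c = img.shape
        p = np.zeros((r, c), np.uint8)

        a, b = 1, 1
        # Same single-pass reasoning as in ``arnold``: the source image never
        # changes between rounds, so extra rounds cannot alter ``p``.
        if self.key > 0:
            for i in range(r):
                for j in range(c):
                    x = ((a * b + 1) * i - b * j) % r
                    y = (-a * i + j) % c
                    p[x, y] = img[i, j]
        return p

    def get(self, size: tuple = (1200, 1200), flag: int = None):
        """Extract the watermark image.

        Args:
            size: Size passed to ``cv2.resize`` for the ``origin`` image.
                The ``watermark`` image is not resized, so it presumably has
                to have this size already for the subtraction to line up.
            flag: 0 erodes the result, 1 dilates it, anything else
                (including the default ``None``) leaves it as is.

        Returns:
            The recovered watermark as a 2-D uint8 array.
        """
        resized = cv2.resize(self.img, size)

        # NOTE(review): cv2.imread yields BGR, so COLOR_RGB2GRAY swaps the
        # red/blue weights. Left unchanged because it alters the recovered
        # values; presumably the embedder made the same choice.
        img1 = cv2.cvtColor(resized, cv2.COLOR_RGB2GRAY)
        img2 = cv2.cvtColor(self.mark, cv2.COLOR_RGB2GRAY)

        # Only the coarsest (level-3) bands are used; wavedec2 returns them
        # first: [cA3, (cH3, cV3, cD3), ...finer levels...].
        cl, (cH3, cV3, cD3) = pywt.wavedec2(img2, 'db2', level=3)[:2]
        dl, (dH3, dV3, dD3) = pywt.wavedec2(img1, 'db2', level=3)[:2]

        a1, a2, a3, a4 = self.coef

        ca1 = (cl - dl) * a1
        ch1 = (cH3 - dH3) * a2
        cv1 = (cV3 - dV3) * a3
        cd1 = (cD3 - dD3) * a4

        waterImg = pywt.waverec2([ca1, (ch1, cv1, cd1)], 'db2')
        # NOTE(review): values outside 0..255 are not clipped before the
        # uint8 conversion.
        waterImg = np.array(waterImg, np.uint8)

        waterImg = self.deArnold(waterImg)

        kernel = np.ones((3, 3), np.uint8)
        if flag == 0:
            waterImg = cv2.erode(waterImg, kernel)
        elif flag == 1:
            waterImg = cv2.dilate(waterImg, kernel)

        return waterImg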

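if __name__ == '__main__':
    # Inputs for this challenge: the two images from the unpacked archive,
    # the Arnold key and the four per-band weights.
    img = 'a.png'
    k = 20
    xs = [0.2, 0.2, 0.5, 0.4]
    watermark_img = 'newImg.png'
    W1 = WaterMarkDWT(img, watermark_img, k, xs)

    decrypted_watermark = W1.get()
    # cv2.imwrite reports failure through its return value, not an exception.
    if not cv2.imwrite('shuiying.png', decrypted_watermark):
        raise OSError("failed to write 'shuiying.png'")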

image-20240427114530936

得解:

flag{e642820a-44c0-4c7d-a259-68b15aca8840}

密码破解(crypto)

cc

image-20240427104735618

对称加密

image-20240427133002886

flag{6500e76e-15fb-42e8-8f29-a309ab73ba38}

Theorem

from Crypto.Util.number import *
from gmpy2 import *
# Challenge source: textbook RSA with a 512-bit prime and its successor.
flag = b'xxx'
m = bytes_to_long(flag)

# q is simply the next prime after p, so both factors lie right next to
# sqrt(n). That is the weakness of this key: n can be factored by a short
# search around isqrt(n). Sound key generation draws p and q independently.
p = getPrime(512)
q = next_prime(p)
n = p * q

e = 65537
phi = (p - 1) * (q - 1)
d = inverse(e, phi)

# NOTE: these are d reduced modulo the primes themselves, not the usual CRT
# exponents d mod (p - 1) and d mod (q - 1).
d1 = d % q
d2 = d % p

c = pow(m, e, n)

# Published values, one per line: modulus, the two reductions of d, ciphertext.
for value in (n, d1, d2, c):
    print(value)


# 94581028682900113123648734937784634645486813867065294159875516514520556881461611966096883566806571691879115766917833117123695776131443081658364855087575006641022211136751071900710589699171982563753011439999297865781908255529833932820965169382130385236359802696280004495552191520878864368741633686036192501791
# 4218387668018915625720266396593862419917073471510522718205354605765842130260156168132376152403329034145938741283222306099114824746204800218811277063324566
# 9600627113582853774131075212313403348273644858279673841760714353580493485117716382652419880115319186763984899736188607228846934836782353387850747253170850
# 36423517465893675519815622861961872192784685202298519340922692662559402449554596309518386263035128551037586034375613936036935256444185038640625700728791201299960866688949056632874866621825012134973285965672502404517179243752689740766636653543223559495428281042737266438408338914031484466542505299050233075829

exp:

from gmpy2 import *
from Crypto.Util.number import *
from sympy import *

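# Modulus and ciphertext printed by the challenge script.
n = 94581028682900113123648734937784634645486813867065294159875516514520556881461611966096883566806571691879115766917833117123695776131443081658364855087575006641022211136751071900710589699171982563753011439999297865781908255529833932820965169382130385236359802696280004495552191520878864368741633686036192501791
c = 36423517465893675519815622861961872192784685202298519340922692662559402449554596309518386263035128551037586034375613936036935256444185038640625700728791201299960866688949056632874866621825012134973285965672502404517179243752689740766636653543223559495428281042737266438408338914031484466542505299050233075829
e = 65537

# The challenge sets q = next_prime(p), so the two factors straddle sqrt(n).
# Start from the first prime above isqrt(n) and walk upwards until one
# divides n.
#
# iroot is called through the star import rather than as gmpy2.iroot: the
# file only does `from gmpy2 import *`, which does not reliably bind the
# name `gmpy2` itself. int() turns the mpz result into a plain int before it
# is handed to sympy's nextprime.
p = nextprime(int(iroot(n, 2)[0]))
while n % p != 0:
    p = nextprime(p)

q = n // p

# Standard RSA decryption once the factors are known.
phi = (p - 1) * (q - 1)
d = inverse(e, phi)
m = pow(c, d, n)
print(long_to_bytes(m))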

flag{5f00e1b9-2933-42ad-b4e1-069f6aa98e9a}

逆向分析(re)

rc4

IDA打开

在main函数return处下断点

image-20240427105408996

调试 双击v5查看栈

image-20240427105440148

flag{12601b2b-2f1e-468a-ae43-92391ff76ef3}