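15th Lanqiao Cup Cybersecurity Track, Individual Competition: Writeup

Data Analysis

packet

Challenge description:

With Wireshark in hand, simple packet analysis is a piece of cake.

Look at TCP stream 19.

It contains a Base64 string; decoding it gives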

flag{7d6f17a4-2b0a-467d-8a42-66750368c249}

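Missing Data

Challenge description: With the rapid development of digital technology, images spread ever more widely across the network. This raises problems of copyright protection, information authentication and content integrity verification. Digital watermarking is an effective means of information hiding and authentication. Analyze the image and recover the information hidden in it.

orign.zip contains a srcret.txt, which is a wordlist.

Brute-force it with arch.

The password is pavilion

Extract the archive

to get the original file a.png

There was also a lose.py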

import cv2
import numpy as np
import pywt


class WaterMarkDWT:
    def __init__(self, origin: str, watermark: str, key: int, weight: list):
        self.key = key
        self.img = cv2.imread(origin)
        self.mark = cv2.imread(watermark)
        self.coef = weight

    def arnold(self, img):
        # Arnold (cat map) scrambling with a = b = 1
        r, c = img.shape
        p = np.zeros((r, c), np.uint8)

        a, b = 1, 1
        for k in range(self.key):
            for i in range(r):
                for j in range(c):
                    x = (i + b * j) % r
                    y = (a * i + (a * b + 1) * j) % c
                    p[x, y] = img[i, j]
        return p

    def deArnold(self, img):
        # Inverse of the Arnold mapping above
        r, c = img.shape
        p = np.zeros((r, c), np.uint8)

        a, b = 1, 1
        for k in range(self.key):
            for i in range(r):
                for j in range(c):
                    x = ((a * b + 1) * i - b * j) % r
                    y = (-a * i + j) % c
                    p[x, y] = img[i, j]
        return p

    def get(self, size: tuple = (1200, 1200), flag: int = None):
        img = cv2.resize(self.img, size)

        img1 = cv2.cvtColor(img, cv2.COLOR_RGB2GRAY)
        img2 = cv2.cvtColor(self.mark, cv2.COLOR_RGB2GRAY)

        # Three-level db2 wavelet decomposition of both images
        c = pywt.wavedec2(img2, 'db2', level=3)
        [cl, (cH3, cV3, cD3), (cH2, cV2, cD2), (cH1, cV1, cD1)] = c

        d = pywt.wavedec2(img1, 'db2', level=3)
        [dl, (dH3, dV3, dD3), (dH2, dV2, dD2), (dH1, dV1, dD1)] = d

        a1, a2, a3, a4 = self.coef

        # Weighted difference of the level-3 coefficients
        ca1 = (cl - dl) * a1
        ch1 = (cH3 - dH3) * a2
        cv1 = (cV3 - dV3) * a3
        cd1 = (cD3 - dD3) * a4

        waterImg = pywt.waverec2([ca1, (ch1, cv1, cd1)], 'db2')
        waterImg = np.array(waterImg, np.uint8)

        waterImg = self.deArnold(waterImg)

        kernel = np.ones((3, 3), np.uint8)
        if flag == 0:
            waterImg = cv2.erode(waterImg, kernel)
        elif flag == 1:
            waterImg = cv2.dilate(waterImg, kernel)

        # The output file name means "watermark.png"
        cv2.imwrite('水印.png', waterImg)
        return waterImg


if __name__ == '__main__':
    img = 'a.png'
    k = 20
    xs = [0.2, 0.2, 0.5, 0.4]
    # waterImg is not defined anywhere in the file as provided
    W1 = WaterMarkDWT(img, waterImg, k, xs)

Add the following below it:

if __name__ == '__main__':
    img = 'a.png'
    waterImg = 'newImg.png'
    k = 20
    xs = [0.2, 0.2, 0.5, 0.4]
    W1 = WaterMarkDWT(img, waterImg, k, xs)
    W1.get()
    # Read the watermarked image
    coef = [5, 5, 2, 2.5]
    # Extract the watermark
    W2 = WaterMarkDWT(img, waterImg, k, coef)
    W2.get()


flag{e642820a-44c0-4c7d-a259-68b15aca8840}

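Password Cracking

Theorem

Modular arithmetic is a common encryption tool in cryptography, and the Chinese Remainder Theorem provides a way to decrypt. Xiao Lan used this theorem to obtain c, and from it the flag.

The challenge hint points to the Chinese Remainder Theorem.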

from Crypto.Util.number import *
from gmpy2 import *
flag = b'xxx'
m = bytes_to_long(flag)
p = getPrime(512)
q = next_prime(p)
e = 65537
n = p * q
phi = (p - 1) * (q - 1)
d = inverse(e, phi)
d1 = d % q
d2 = d % p
c = pow(m, e, n)

print(n)
print(d1)
print(d2)
print(c)


# 94581028682900113123648734937784634645486813867065294159875516514520556881461611966096883566806571691879115766917833117123695776131443081658364855087575006641022211136751071900710589699171982563753011439999297865781908255529833932820965169382130385236359802696280004495552191520878864368741633686036192501791
# 4218387668018915625720266396593862419917073471510522718205354605765842130260156168132376152403329034145938741283222306099114824746204800218811277063324566
# 9600627113582853774131075212313403348273644858279673841760714353580493485117716382652419880115319186763984899736188607228846934836782353387850747253170850
# 36423517465893675519815622861961872192784685202298519340922692662559402449554596309518386263035128551037586034375613936036935256444185038640625700728791201299960866688949056632874866621825012134973285965672502404517179243752689740766636653543223559495428281042737266438408338914031484466542505299050233075829

So I factored n locally

which gives

p=9725277820345294029015692786209306694836079927617586357442724339468673996231042839233529246844794558371350733017150605931603344334330882328076640690156717
q=9725277820345294029015692786209306694836079927617586357442724339468673996231042839233529246844794558371350733017150605931603344334330882328076640690156923

Then solve for d using the Chinese Remainder Theorem

d=16274627469323658020589694125355102078171945618183550089886876111726937759620406764753872712862622777504627744686702230218104540449429843170443878584960942840452389958277172050363451217281865524786664548719891698019886281320616343024921778856123031662486194480265470207869211834623432645722806441606504246774
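
The CRT step above, as an added example that is not part of the original writeup: it rebuilds d from d1 = d mod q and d2 = d mod p, and factors n by starting at isqrt(n), on a small constructed key generated the same way as the challenge script. The helper names (`factor_adjacent`, `crt_combine`, `demo`) and the toy primes are assumptions made for the illustration.

```python
from math import isqrt

def is_prime(x):
    """Trial division; adequate for the small constructed primes used here."""
    if x < 2:
        return False
    return all(x % f for f in range(2, isqrt(x) + 1))

def next_prime(x):
    """Smallest prime strictly greater than x."""
    x += 1
    while not is_prime(x):
        x += 1
    return x

def factor_adjacent(n):
    """Factor n = p*q when q is the prime right after p, so p <= isqrt(n) < q."""
    q = next_prime(isqrt(n))
    p, rem = divmod(n, q)
    if rem:
        raise ValueError("n is not a product of two consecutive primes")
    return p, q

def crt_combine(r_p, p, r_q, q):
    """Return the unique x in [0, p*q) with x = r_p (mod p) and x = r_q (mod q)."""
    h = ((r_q - r_p) * pow(p, -1, q)) % q
    return r_p + p * h

def demo():
    # Constructed toy key (hypothetical values, not the challenge's numbers).
    p = next_prime(10**6)
    q = next_prime(p)
    n, e = p * q, 65537
    d = pow(e, -1, (p - 1) * (q - 1))
    d1, d2 = d % q, d % p          # the two printed values, named as in the challenge
    c = pow(int.from_bytes(b"CRT", "big"), e, n)

    # Solver's view: only n, e, d1, d2 and c are known from here on.
    fp, fq = factor_adjacent(n)
    rec_d = crt_combine(d2, fp, d1, fq)   # d2 is d mod p, d1 is d mod q
    m = pow(c, rec_d, n)
    return rec_d == d, m.to_bytes(3, "big")

if __name__ == "__main__":
    print(demo())
```

Because d < phi < n, the CRT result modulo n is d itself; and because q = next_prime(p), n alone is enough to factor, so the key falls even without d1 and d2.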

Full decryption script

from gmpy2 import *
from Crypto.Util.number import long_to_bytes

c=36423517465893675519815622861961872192784685202298519340922692662559402449554596309518386263035128551037586034375613936036935256444185038640625700728791201299960866688949056632874866621825012134973285965672502404517179243752689740766636653543223559495428281042737266438408338914031484466542505299050233075829
e = 65537
p=9725277820345294029015692786209306694836079927617586357442724339468673996231042839233529246844794558371350733017150605931603344334330882328076640690156717
q=9725277820345294029015692786209306694836079927617586357442724339468673996231042839233529246844794558371350733017150605931603344334330882328076640690156923
d=16274627469323658020589694125355102078171945618183550089886876111726937759620406764753872712862622777504627744686702230218104540449429843170443878584960942840452389958277172050363451217281865524786664548719891698019886281320616343024921778856123031662486194480265470207869211834623432645722806441606504246774
# Recompute d from the factorization; this overwrites the d assigned above
phi_N = (p - 1) * (q - 1)
d = invert(e, phi_N)

m = pow(c, d, p * q)
print(long_to_bytes(m))

# b'flag{5f00e1b9-2933-42ad-b4e1-069f6aa98e9a}'

flag{5f00e1b9-2933-42ad-b4e1-069f6aa98e9a}

Intended solution

from Cryptodome.Util.number import long_to_bytes
import gmpy2

n = 94581028682900113123648734937784634645486813867065294159875516514520556881461611966096883566806571691879115766917833117123695776131443081658364855087575006641022211136751071900710589699171982563753011439999297865781908255529833932820965169382130385236359802696280004495552191520878864368741633686036192501791
d1 = 4218387668018915625720266396593862419917073471510522718205354605765842130260156168132376152403329034145938741283222306099114824746204800218811277063324566
d2 = 9600627113582853774131075212313403348273644858279673841760714353580493485117716382652419880115319186763984899736188607228846934836782353387850747253170850
c = 36423517465893675519815622861961872192784685202298519340922692662559402449554596309518386263035128551037586034375613936036935256444185038640625700728791201299960866688949056632874866621825012134973285965672502404517179243752689740766636653543223559495428281042737266438408338914031484466542505299050233075829
e = 65537

p = gmpy2.next_prime(gmpy2.isqrt(n))
q = n // p

phi = (p - 1) * (q - 1)
d = gmpy2.invert(e, phi)

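# RSA-CRT: decrypt modulo each prime, then recombine
mp = pow(c, d % (p-1), p)
mq = pow(c, d % (q-1), q)
a = gmpy2.invert(p, q)  # p^-1 mod q
b = gmpy2.invert(q, p)  # q^-1 mod p
# The term carrying mp must vanish mod q (factor q), and the mq term must vanish mod p
tmp1 = mp * q * b
tmp2 = mq * p * a
m = (tmp1 + tmp2) % (p * q)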
print(long_to_bytes(m))

# flag{5f00e1b9-2933-42ad-b4e1-069f6aa98e9a}

cc

Decrypt Z in reverse

flag{6500e76e-15fb-42e8-8f29-a309ab73ba38}

signature

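Challenge description: The Elliptic Curve Digital Signature Algorithm uses elliptic curve cryptography (ECC) to emulate the Digital Signature Algorithm (DSA), and its security rests on the elliptic curve discrete logarithm problem. However, security problems arise when certain values are the same.

Intelligence Gathering

Crawler Protocol

Challenge description:
While developing a website, Xiao Lan learned about a crawler protocol: a site can create a special txt file that tells search engines which pages may be crawled and which may not, and search engines read that txt file to decide whether a page is allowed to be crawled. The crawler protocol is not a standard, only a convention, so it cannot guarantee a site's privacy.

Visit /robots.txt

which returns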

User-agent: *
Disallow: /cgi-bin/
Disallow: /tmp/
Disallow: /36e27d8696f7bab1287760e086673812/

Visit /36e27d8696f7bab1287760e086673812/

flag{110978d6-a4d3-4f61-b8c7-ed83830445e9}
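
A check a site owner can run against their own robots.txt, as an added example that is not part of the original writeup: it parses the Disallow rules and reports paths whose segments look like unguessable tokens, since listing such a directory discloses it to anyone who reads the file. The function names and the 16-hex-character heuristic are assumptions; the sample input is the robots.txt shown above.

```python
import re

# Path segments that look like unguessable tokens: 16+ hex chars (e.g. an MD5 hex digest).
TOKEN_SEGMENT = re.compile(r"^[0-9a-fA-F]{16,}$")

def parse_disallow(text):
    """Yield (user_agent, path) for every non-empty Disallow rule."""
    agents, in_rules = [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if ":" not in line:
            continue
        field, value = (s.strip() for s in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            if in_rules:                          # a new group starts here
                agents, in_rules = [], False
            agents.append(value)
        elif field in ("disallow", "allow"):
            in_rules = True
            if field == "disallow" and value:
                for agent in agents or ["*"]:
                    yield agent, value

def audit_robots(text):
    """Return Disallow rules that advertise a directory protected only by its name."""
    findings = []
    for agent, path in parse_disallow(text):
        if any(TOKEN_SEGMENT.match(seg) for seg in path.split("/") if seg):
            findings.append((agent, path))
    return findings

# The robots.txt returned by the challenge site, as shown above.
SAMPLE = """\
User-agent: *
Disallow: /cgi-bin/
Disallow: /tmp/
Disallow: /36e27d8696f7bab1287760e086673812/
"""

if __name__ == "__main__":
    for agent, path in audit_robots(SAMPLE):
        print(f"{agent}: {path} is disclosed by robots.txt; protect it with access control")
```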

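Reverse Engineering

Happy Time

Challenge description:

The flag has been split by an algorithm into several small blocks, and every block uses the same encryption and decryption method. The algorithm is symmetric, however; analyze the ciphertext and recover the flag.

rc4

Challenge description:

RC4 is a stream cipher with a variable key length. It uses the same key for encryption and decryption, so it is also a symmetric encryption algorithm.

Vulnerability Discovery and Analysis

fd

Challenge description:

After learning about stack overflows, Xiao Lan also learned that the file descriptor (File Descriptor) is a very important concept on Linux: a non-negative integer that identifies a particular file or other input/output resource, such as a socket or a pipe.

ezheap

Challenge description:

When Xiao Lan tried writing a program in C for the second time, a lack of secure development experience and habits led to an uninitialized pointer vulnerability (Use After Free, UAF). In his program he did not release dynamically allocated memory correctly and went on using a pointer after it had been freed, creating a dangling pointer. This kind of error causes undefined behavior at run time and may be exploited maliciously to execute malicious code or to damage data or system security. Can you find the vulnerability and exploit it successfully?

ezjava

Challenge description:

While developing a program with the Java jetbrick template engine, Xiao Lan did not strictly filter user input, which led to an SSTI (Server Side Template Injection) vulnerability. Because of how the jetbrick template engine works, a malicious user can use unfiltered input to inject malicious code into a template, causing the server to execute it and possibly letting an attacker take control of the system. The environment enforces a security policy that blocks access to the public network.

Database Security

sqlinj

Challenge description:

While developing a web site in PHP, Xiao Lan ran into a problem: he did not use the character set encoding (sjis) correctly, which led to a wide-byte SQL injection vulnerability. This vulnerability lets an attacker use special characters to bypass the escaping of data and so execute malicious SQL queries. To avoid this, Xiao Lan needs to make sure user input is handled with the correct character encoding, to prevent SQL injection and similar security problems. It is also a reminder that, when developing web applications, we must always pay attention to the safety of character set encoding during data processing and take the necessary precautions to protect user data and system security.

I really am a noob!!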
