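Sichuan Skills Competition: 2023 Sichuan Cyberspace Talent Skills Competition (Network Security Administrator Event) Finals
Table of contents
- Sichuan Skills Competition: 2023 Sichuan Cyberspace Talent Skills Competition (Network Security Administrator Event) Finals
- C1-Smaller-than-64 bas - DONE
- C2-affine - DONE
- C3-Simple RSA - DONE
- M1-Don't touch my flag - DONE
- M2-simpleUSB -
- M3-Who who who am I -
- P1-getitez -
- P2-bbstack -
- R1-Whose DNA moved - DONE
- R2-DontTouchMe - DONE
- W1-little_game - DONE
- W2-justppb - DONE
- W3-ezbbs -
- W4-smart -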
C1-Smaller-than-64 bas - DONE
2i9Q8AtDZiEsSn13rF6xchPe1EaiU5u7qKbEd2HDH5jS7N4UfiL3DwFsBa
flag{2a098f9f-d384-b6d0-4096-9eaf0f5654a3}
C2-affine - DONE
wohz{k533q73q-t76t-9292-351w-h880t22q2q59}
a=3 b=7
Decode it in one step with CyberChef:
flag{b533d73d-e76e-9292-351f-a880e22d2d59}
C3-Simple RSA - DONE
chall.py
from Crypto.Util.number import *
from secret import flag
from sympy import nextprime

flag = b''
r = getRandomNBitInteger(64)
p = r**5 + r**4 - r**3 + r**2 - r + 2023
q = r**5 - r**4 + r**3 - r**2 + r + 2023
p = nextprime(p)
q = nextprime(q)
n = p*q

def enc(flag, n):
    m = bytes_to_long(flag)
    return pow(m, 65537, n)

c = enc(flag, n)
print(n)
print(c)

# 25066797992811602609904442429968244207814135173233823574561146780193277243588729282392464721760638040595480284865294238118778099149754637586361909432730412493061503054820202744474632665791457
# 18808483076270941157829928736000549389727451019027515249724024369421942132354537978233676261769285858813983730966871222263698559152437016666829640339912308636169767041243411900882395764607422
$n = p \cdot q = (r^5 + \dots)\cdot(r^5 - \dots)$
As shown above, n is approximately r to the 10th power. Taking the 10th root of n makes the low-order terms negligible, so a short brute-force search around that root recovers r.
exp:
from Crypto.Util.number import *
from gmpy2 import iroot
from sympy import nextprime  # needed for nextprime() below

N = 25066797992811602609904442429968244207814135173233823574561146780193277243588729282392464721760638040595480284865294238118778099149754637586361909432730412493061503054820202744474632665791457
t, f = iroot(N, 10)
t = int(t)  # work with a plain Python int
# Search a small window around the integer 10th root of N
for r in range(t-10000, t+10000):
    p = r**5 + r**4 - r**3 + r**2 - r + 2023
    q = r**5 - r**4 + r**3 - r**2 + r + 2023
    p = nextprime(p)
    q = nextprime(q)
    n = p*q
    if n == N:
        print(f"p = {p}\nq = {q}\n")
        break
# Result:
p = 158324975897082020097339281935818129320954195255971408941591049179715138878370817761203475160123
q = 158324975897082020068454470275147007824077754451975255433855101769279209145578273309232489165459
Then the usual RSA decryption:
n = 25066797992811602609904442429968244207814135173233823574561146780193277243588729282392464721760638040595480284865294238118778099149754637586361909432730412493061503054820202744474632665791457
c = 18808483076270941157829928736000549389727451019027515249724024369421942132354537978233676261769285858813983730966871222263698559152437016666829640339912308636169767041243411900882395764607422
e = 65537
d = inverse(e, (p-1)*(q-1))
m = pow(c,d,n)
print(long_to_bytes(m))
# flag{5afe5cbb-4b4c-9cb6-f8b6-032cabf4b7e7}
M1-Don't touch my flag - DONE
Follow the TCP streams; stream 0 contains this code:
import hashlib

with open("flag") as f:
    flag = f.readlines()[0]
if "c7e6ea42b7301e6330ba****fe407930191d371885935ad4cd51e95e********" == hashlib.sha256(flag.encode()).hexdigest():
    print("......")
else:
    print("......")
TCP stream 3 contains the flag (partially):
flag{22af230f-bbed-????-95fa-b6b1ca6dc32e}
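Brute-force the SHA-256:
from hashlib import sha256
from string import hexdigits
from itertools import product

# Try every 4-character hex string for the missing group
for i in product(hexdigits, repeat=4):
    f = "flag{22af230f-bbed-" + ''.join(i) + "-95fa-b6b1ca6dc32e}"
    h = sha256(f.encode()).hexdigest()
    # Compare against the known first 20 hex digits of the hash
    if h[:20] == 'c7e6ea42b7301e6330ba':
        print(f, h)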
# flag{22af230f-bbed-48b9-95fa-b6b1ca6dc32e} c7e6ea42b7301e6330ba3959fe407930191d371885935ad4cd51e95e857a3155
M2-simpleUSB -
Reused challenge: HWS 7th Summer Camp (Hardware Security Camp) qualifier wp Misc1
https://www.cnblogs.com/fuxuqiannian/p/17560359.html
A USB traffic capture.
Keyboard reports are 8 bytes: usbhid.data
Mouse reports are 4 bytes:
Export all of the keyboard traffic and insert colons:
#!/usr/bin/env python
# -*- coding:utf-8 -*-
import os

pcapfile = "misc1.pcapng"
if not os.path.exists(pcapfile):
    print("Pcap file not found!")
    exit(0)

# hid.txt
usbKBf = 'usbKBf.txt'
cmd = "tshark -r " + pcapfile + " -T fields -Y \"usb.usbpcap_header_len==27\" -e usbhid.data > " + usbKBf
os.system(cmd)

# Remove empty lines and insert colons
lline2 = []
lline1 = open(usbKBf, 'r').readlines()
for line in lline1:
    line = line.strip()
    if line:
        newline = ':'.join([line[i:i+2] for i in range(0, len(line), 2)])
        lline2.append(newline)
with open('out.txt', 'w') as f:
    f.write('\n'.join(lline2))

normalKeys = {
    "04": "a", "05": "b", "06": "c", "07": "d", "08": "e", "09": "f", "0a": "g", "0b": "h", "0c": "i", "0d": "j",
    "0e": "k", "0f": "l", "10": "m", "11": "n", "12": "o", "13": "p", "14": "q", "15": "r", "16": "s", "17": "t",
    "18": "u", "19": "v", "1a": "w", "1b": "x", "1c": "y", "1d": "z", "1e": "1", "1f": "2", "20": "3", "21": "4",
    "22": "5", "23": "6", "24": "7", "25": "8", "26": "9", "27": "0", "28": "<RET>", "29": "<ESC>", "2a": "<DEL>",
    "2b": "\t", "2c": "<SPACE>", "2d": "-", "2e": "=", "2f": "[", "30": "]", "31": "\\", "32": "<NON>", "33": ";",
    "34": "'", "35": "<GA>", "36": ",", "37": ".", "38": "/", "39": "<CAP>", "3a": "<F1>", "3b": "<F2>", "3c": "<F3>",
    "3d": "<F4>", "3e": "<F5>", "3f": "<F6>", "40": "<F7>", "41": "<F8>", "42": "<F9>", "43": "<F10>", "44": "<F11>",
    "45": "<F12>"
}
shiftKeys = {
    "04": "A", "05": "B", "06": "C", "07": "D", "08": "E", "09": "F", "0a": "G", "0b": "H", "0c": "I", "0d": "J",
    "0e": "K", "0f": "L", "10": "M", "11": "N", "12": "O", "13": "P", "14": "Q", "15": "R", "16": "S", "17": "T",
    "18": "U", "19": "V", "1a": "W", "1b": "X", "1c": "Y", "1d": "Z", "1e": "!", "1f": "@", "20": "#", "21": "$",
    "22": "%", "23": "^", "24": "&", "25": "*", "26": "(", "27": ")", "28": "<RET>", "29": "<ESC>", "2a": "<DEL>",
    "2b": "\t", "2c": "<SPACE>", "2d": "_", "2e": "+", "2f": "{", "30": "}", "31": "|", "32": "<NON>", "33": "\"",
    "34": ":", "35": "<GA>", "36": "<", "37": ">", "38": "?", "39": "<CAP>", "3a": "<F1>", "3b": "<F2>", "3c": "<F3>",
    "3d": "<F4>", "3e": "<F5>", "3f": "<F6>", "40": "<F7>", "41": "<F8>", "42": "<F9>", "43": "<F10>", "44": "<F11>",
    "45": "<F12>"
}

output = []
keys = open('out.txt')
for line in keys:
    try:
        # Keep only reports whose modifier byte is 00 or 02, whose other bytes
        # are zero, and whose first key slot (byte 2) is non-zero
        if line[0] != '0' or (line[1] != '0' and line[1] != '2') or line[3] != '0' or line[4] != '0' or line[9] != '0' or line[10] != '0' or line[12] != '0' or line[13] != '0' or line[15] != '0' or line[16] != '0' or line[18] != '0' or line[19] != '0' or line[21] != '0' or line[22] != '0' or line[6:8] == "00":
            continue
        if line[6:8] in normalKeys.keys():
            # Note: += with a str extends the list one character at a time, so
            # tokens such as <DEL> and <CAP> are stored as separate characters
            # and the clean-up loops below never match them
            output += [normalKeys[line[6:8]], shiftKeys[line[6:8]]][line[1] == '2']
        else:
            output += ['[unknown]']
    except:
        pass
keys.close()

flag = 0
print("".join(output))
# Apply <DEL>: drop the token and the character before it
for i in range(len(output)):
    try:
        a = output.index('<DEL>')
        del output[a]
        del output[a - 1]
    except:
        pass
# Apply <CAP>: upper-case everything typed while Caps Lock is on
for i in range(len(output)):
    try:
        if output[i] == "<CAP>":
            flag += 1
            output.pop(i)
            if flag == 2:
                flag = 0
        if flag != 0:
            output[i] = output[i].upper()
    except:
        pass
print('output: ' + "".join(output))
Running it gives:
AomgHy<DEL>Y$\<CAP>a@q7<CAP>gW2d6oO0fGm1hAI'/4<DEL>;<CAP>ms@p<CAP>frQ149K[unknown]
output: AomgHy<DEL>Y$\<CAP>a@q7<CAP>gW2d6oO0fGm1hAI'/4<DEL>;<CAP>ms@p<CAP>frQ149K[unknown]
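I guessed this was Base85 and tried to decode it, but that failed. Looking at the exported HID data again, some reports in the traffic start with 20; a leading 20 also counts as shiftKeys.
Add that condition to the code and run it again to get: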
base85 --> flag{ec1b8b96-56a9-f15c-4e39-503e92ab45d2}
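The modifier handling described above, as an added example that is not the write-up's script: a decoder for 8-byte HID keyboard reports that treats left Shift (0x02) and right Shift (0x20) as a bitmask and applies Backspace and Caps Lock while decoding. The sample reports are constructed, and only the first key slot (byte 2) is read, as in the script above.

```python
import string

LOWER = string.ascii_lowercase + "1234567890"   # usage IDs 0x04..0x27
UPPER = string.ascii_uppercase + "!@#$%^&*()"
# Usage IDs 0x2c..0x38: (unshifted, shifted) pairs for space and punctuation.
PUNCT = dict(zip(range(0x2C, 0x39), zip(" -=[]\\#;'`,./", " _+{}|~:\"~<>?")))
SHIFT_MASK = 0x02 | 0x20      # left Shift | right Shift in the modifier byte
BACKSPACE, CAPS_LOCK = 0x2A, 0x39

def decode_reports(lines):
    """Decode hex report lines (with or without colons) into the typed text."""
    typed, caps = [], False
    for line in lines:
        report = bytes.fromhex(line.replace(":", "").strip())
        if len(report) != 8:              # 4-byte mouse report or empty line
            continue
        modifier, key = report[0], report[2]
        if key == 0:                      # key release or modifier-only report
            continue
        shift = bool(modifier & SHIFT_MASK)
        if 0x04 <= key <= 0x27:
            idx = key - 0x04
            # Caps Lock inverts Shift for letters only, not for digits.
            upper = (shift ^ caps) if idx < 26 else shift
            typed.append((UPPER if upper else LOWER)[idx])
        elif key in PUNCT:
            typed.append(PUNCT[key][shift])
        elif key == BACKSPACE and typed:  # drop the previous character
            typed.pop()
        elif key == CAPS_LOCK:
            caps = not caps
    return "".join(typed)

# Constructed sample reports (not taken from the challenge capture).
SAMPLE = [
    "0000090000000000",  # f
    "0000000000000000",  # release
    "20000f0000000000",  # right Shift + l -> L
    "00001b0000000000",  # x
    "00002a0000000000",  # Backspace removes the x
    "02002f0000000000",  # left Shift + [ -> {
    "0000390000000000",  # Caps Lock on
    "0000040000000000",  # a -> A
    "0000390000000000",  # Caps Lock off
    "20001e0000000000",  # right Shift + 1 -> !
    "00000100",          # 4-byte mouse report, ignored
]

if __name__ == "__main__":
    print(decode_reports(SAMPLE))
```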
M3-Who who who am I -
P1-getitez -
P2-bbstack -
R1-Whose DNA moved - DONE
First look at the strings with F12, which shows:
flag{Th14_15_a_xxxx_flAg},the MD5 hash value of xxxx is \"7c76fb919bab9a1abfe854cf80725a09\",just 4 bytes
Brute-force the MD5; the result is Fak3:
from hashlib import md5
from string import ascii_letters
from itertools import product

# Try every 4-character string over a small candidate alphabet
for i in product("FAKE43fake", repeat=4):
    f = ''.join(i)
    h = md5(f.encode()).hexdigest()
    if h == '7c76fb919bab9a1abfe854cf80725a09':
        print(f, h)
# Fak3 7c76fb919bab9a1abfe854cf80725a09 --> flag{Th14_15_a_Fak3_flAg}
But submitting it is rejected. It is obviously a fake flag.
The binary contains the following check logic:
for ( i = 0; i < v4; ++i )
{
  memset(&s, 0, sizeof(s));
  encode((unsigned int)inputs[i], &s); // encode the input flag
  outputs[4 * i + 3] = s; // the 4 characters are stored in reverse order: 1234 --> 4321
  outputs[4 * i + 2] = BYTE1(s);
  outputs[4 * i + 1] = BYTE2(s);
  outputs[4 * i] = HIBYTE(s);
}
if ( judge((__int64)outputs, (__int64)CODE, v4) ) // judge() must return true
{
  puts("well done!you get it");
}
The content of CODE is:
Export it with Shift+E:
"CGCGCGATCGTCCGCACAGATACATATGTACCTATTTATTTAGTCGTCTACCCGCCTACGCGCCTACGTACCCGCTCGTCTATTTATCCGTATATTTACTTAGCTATCTACTCGTATACTTACATACGCGTCCGCCTATTTAGTTACACAAC"
ps: At first I thought this was DNA encoding, but decoding it with ToolxFX failed. The only option was to reverse it the hard way.
First look at the judge() function:
bool __fastcall judge(__int64 a1, __int64 a2, int a3)
{
  int v4; // ebx
  int v5; // ebx
  int v6; // r12d
  int v8; // [rsp+28h] [rbp-18h]
  int i; // [rsp+2Ch] [rbp-14h]

  v8 = 0;
  if ( 4 * a3 > strlen(CODE) )
    return 0;
  for ( i = 0; i < a3; ++i ) // the main logic is here
  {
    v4 = Int((unsigned int)*(char *)(i + a1));
    v5 = Int((unsigned int)*(char *)(i + a2)) + v4;
    v6 = Int(75LL); // 75 --> 'K': Int('K') = 7
    if ( v5 == v6 - (unsigned int)Int(66LL) ) // 66 --> 'B': Int('B') = 4
      ++v8;
  }
  return 4 * v8 == strlen(CODE);
}

// The Int() function can be treated as a dictionary:
__int64 __fastcall Int(char a1)
{
  __int64 result; // rax

  switch ( a1 )
  {
    case 'A':
      result = 0LL;
      break;
    case 'B':
      result = 4LL;
      break;
    case 'C':
      result = 2LL;
      break;
    case 'D':
      result = 5LL;
      break;
    case 'F':
      result = 6LL;
      break;
    case 'G':
      result = 1LL;
      break;
    case 'K':
      result = 7LL;
      break;
    case 'M':
      result = 8LL;
      break;
    case 'T':
      result = 3LL;
      break;
    default:
      result = 10LL;
      break;
  }
  return result;
}
The Int() function can be treated as a dictionary:
intD = {"A":0, "B":4, "C":2, "D":5, "F":6, "G":1, "K":7, "M":8, "T":3, "O":10}
judge is a simple add/subtract check: each pair of symbols must sum to Int('K') - Int('B') = 3. Invert it:
intD = {"A":0, "B":4, "C":2, "D":5, "F":6, "G":1, "K":7, "M":8, "T":3, "O":10}
CODE = "CGCGCGATCGTCCGCACAGATACATATGTACCTATTTATTTAGTCGTCTACCCGCCTACGCGCCTACGTACCCGCTCGTCTATTTATCCGTATATTTACTTAGCTATCTACTCGTATACTTACATACGCGTCCGCCTATTTAGTTACACAAC"
# CODE contains only 4 distinct characters, AGCT, which correspond to 0123.
CODE2 = ''
for i in range(len(CODE)):
    v5 = 3                      # Int('K') - Int('B') = 7 - 4
    t = intD[CODE[i]]
    v4 = v5 - t                 # value the encoded input symbol must have
    for k in intD.keys():
        if intD[k] == v4:
            D = k
            print(D)
            CODE2 += D
            break
    else:
        print("WRONG", v4, t)
print(CODE2) # GCGCGCTAGCAGGCGTGTCTATGTATACATGGATAAATAAATCAGCAGATGGGCGGATGCGCGGATGCATGGGCGAGCAGATAAATAGGCATATAAATGAATCGATAGATGAGCATATGAATGTATGCGCAGGCGGATAAATCAATGTGTTG
Next look at the following code and the encode() function:
for ( i = 0; i < v4; ++i )
{
  memset(&s, 0, sizeof(s));
  encode((unsigned int)inputs[i], &s); // encode the input flag
  outputs[4 * i + 3] = s; // the 4 characters are stored in reverse order: 1234 --> 4321
  outputs[4 * i + 2] = BYTE1(s);
  outputs[4 * i + 1] = BYTE2(s);
  outputs[4 * i] = HIBYTE(s);
}

__int64 __fastcall encode(unsigned int a1, __int64 a2)
{
  __int64 result; // rax
  int i; // [rsp+1Ch] [rbp-4h]

  result = a1;
  for ( i = 0; i <= 3; ++i )
  {
    result = (unsigned __int8)box[((char)a1 >> (2 * i)) & 3];
    *(_BYTE *)(i + a2) = result;
  }
  return result;
}
This shows that the code converts each character to binary (8 bits) and processes it as four 2-bit groups, each mapped as follows:
00 --> 0 --> A
01 --> 1 --> G
10 --> 2 --> C
11 --> 3 --> T
So write the inverse code:
CODE2 = "GCGCGCTAGCAGGCGTGTCTATGTATACATGGATAAATAAATCAGCAGATGGGCGGATGCGCGGATGCATGGGCGAGCAGATAAATAGGCATATAAATGAATCGATAGATGAGCATATGAATGTATGCGCAGGCGGATAAATCAATGTGTTG"
box = "AGCT"
# Every 4 symbols are the four 2-bit groups of one byte, highest bits first
for i in range(0, len(CODE2), 4):
    t = box.index(CODE2[i]) * 64 + box.index(CODE2[i+1]) * 16 + box.index(CODE2[i+2]) * 4 + box.index(CODE2[i+3])
    print(chr(t), end='')
# flag{725008a5e6e65da01c04914c476ae087}
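The whole R1 check as one round trip, added here as an example and not code from the challenge or the original write-up: a Python model of encode() with the byte swap and of judge(), plus the inverse. BOX = "AGCT" is an assumption taken from the 2-bit mapping table above, and judge() is modeled as a comparison over every symbol, which is the relation the write-up inverts.

```python
BOX = "AGCT"                               # assumed box[]: 00->A 01->G 10->C 11->T
INT = {"A": 0, "G": 1, "C": 2, "T": 3}     # the part of Int() that CODE uses
CODE = ("CGCGCGATCGTCCGCACAGATACATATGTACCTATTTATTTAGTCGTCTACCCGCCTACGCGCCTACGTACCCGCT"
        "CGTCTATTTATCCGTATATTTACTTAGCTATCTACTCGTATACTTACATACGCGTCCGCCTATTTAGTTACACAAC")
TARGET = 3                                 # Int('K') - Int('B') = 7 - 4

def encode_flag(flag: str) -> str:
    """encode() plus the 1234 --> 4321 swap: one byte -> 4 symbols, high bits first."""
    out = []
    for byte in flag.encode():
        out.extend(BOX[(byte >> shift) & 3] for shift in (6, 4, 2, 0))
    return "".join(out)

def judge(outputs: str, code: str = CODE) -> bool:
    """Accept when the lengths match and every symbol pair sums to TARGET."""
    return len(outputs) == len(code) and all(
        INT[o] + INT[c] == TARGET for o, c in zip(outputs, code))

def recover_flag(code: str = CODE) -> str:
    """Invert judge() (v = TARGET - Int(c)), then pack 4 symbols back into a byte."""
    v = [TARGET - INT[c] for c in code]
    return "".join(
        chr(v[i] << 6 | v[i + 1] << 4 | v[i + 2] << 2 | v[i + 3])
        for i in range(0, len(v), 4))

if __name__ == "__main__":
    flag = recover_flag()
    print(flag, judge(encode_flag(flag)))
```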
R2-DontTouchMe - DONE
W1-little_game - DONE
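A small game written in JavaScript. Find the success() function, press F12 in the browser, and run it in the console to get the flag:
arr='1234567890qwertyuiopasdfghjklzxcvbnm{}-'
index = [23,28,20,24,36,1,3,7,6,3,38,2,8,9,5,7,21,38,9,3,6,18,22,38,26,16,6,18,15,37]
s = ''
# Look up each index in arr to rebuild the flag
for i in index:
    s += arr[i]
print(s)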
# flag{24874-39068s-047od-ju7oy}
W2-justppb - DONE
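Challenge hint: use Burp.
The challenge presents a login form; entering common account names such as admin returns a "wrong username" message.
[Test point]: use the username and password wordlists built into Burp.
Once the brute force succeeds, logging in displays the flag. [Pitfall]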
W3-ezbbs -
A jar.
W4-smart -
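Exploiting a Smarty deserialization vulnerability.
Post-competition comments:
1 - It was an on-site competition; no snacks were provided at the venue, yet everyone could have lunch together…
2 - As for the quality of the challenges: heh,
(1) W2-justppb
The point being tested is the username and password wordlists that ship with Burp. This one, well.
On site I used my own fuzzing wordlists and brute-force wordlists, and none of them worked. Sigh, 5 points painfully lost.
(2) M3-Who who who am I
I simply had no idea how to solve this one. I heard from some experts that they got it automatically with one of their own team's scripts.
Sigh!
(3) C1-Smaller-than-64 base, C2-affine:
Are these 2 challenges really meant for a provincial-level competition?
(4) M2-simpleUSB
A reused challenge. HWS 7th Summer Camp (Hardware Security Camp) qualifier wp Misc1
(5) Others
I couldn't solve them anyway.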