2025青岛网络安全大赛决赛题解与知识点教学<\/h1>

题目附件<\/h2>
下载链接：https:\/\/pan.quark.cn\/s\/44903a187039?pwd=79es 提取码：79es<\/p>

Web1<\/h2>

考察点<\/h3>

网络数据包拦截与修改（BurpSuite等工具使用）<\/li>

基础HTTP协议理解<\/li> <\/ul>

解题过程<\/h3>

环境为一个植物大战僵尸游戏，系统会不断向后台请求阳光值<\/li>
使用抓包工具（如BurpSuite）拦截请求<\/li>
将阳光值参数修改为极大数值（如999999）<\/li>

放行数据包，游戏获胜后获得flag<\/li> <\/ol>

教学要点<\/h3>

抓包工具基本操作：拦截、修改、重放请求<\/li>
理解客户端-服务器交互机制<\/li>

数值验证漏洞的利用方式<\/li> <\/ul>

Web2<\/h2>

考察点<\/h3>

目录扫描与信息收集<\/li>
后台弱口令漏洞<\/li>
SSRF（服务端请求伪造）<\/li>

LFI（本地文件包含）绕过技巧<\/li> <\/ul>

解题过程<\/h3>

目录扫描发现 www.zip 和 admin\/login.php<\/li>
访问后台使用弱口令 admin\/admin 登录成功<\/li>
在"友链"功能中发现漏洞点（eof.php）<\/li>

分析源码发现两层不一致的过滤机制：

第一层：只检查第一行，不区分大小写<\/li>
第二层：检查整个输入，区分大小写<\/li> <\/ul> <\/li>

构造绕过payload：

%0AFILE:\/\/\/flag<\/code>

%0A（换行符）使第一行为空<\/li>
FILE:\/\/\/flag 使用大写绕过第二层检查<\/li>
<\/ul>
<\/li>
成功读取服务器上的\/flag文件<\/li>
<\/ol>
教学要点<\/h3>

信息收集：目录扫描、源码泄露<\/li>
弱口令漏洞利用<\/li>
多层级过滤机制的绕过方法<\/li>
PHP流包装器的大小写特性<\/li>
SSRF到LFI的利用链构造<\/li>
<\/ul>
密码学1<\/h2>
考察点<\/h3>

Beaufort密码算法<\/li>
RSA加密体制<\/li>
dp泄露攻击<\/li>
Coppersmith算法应用<\/li>
<\/ul>
解题过程<\/h3>
加密流程分析<\/h4>

明文格式：DASCTF{22个大写字母}<\/li>
位置移位：每个字符右移(index+1)位（模26运算）<\/li>
Beaufort加密：使用密钥"DASCTF"加密<\/li>
转换为整数：m = bytes_to_long(FLAG_string.encode())<\/li>
RSA加密：生成P = m^p mod n，Q = m^q mod n，N = P*Q<\/li>
泄露：n, N, dp, e等参数<\/li>
<\/ol>
解密步骤<\/h4>
第一步：利用dp泄露恢复P、Q<\/strong><\/p>
# SageMath代码<\/span>
<\/span><\/span>for<\/span> k in<\/span> range(1<\/span>, 100000<\/span>):
<\/span><\/span>    P =<\/span> (dp*<\/span>e -<\/span> 1<\/span>) \/\/<\/span> k +<\/span> 1<\/span>
<\/span><\/span>    if<\/span> N %<\/span> P ==<\/span> 0<\/span>:
<\/span><\/span>        Q =<\/span> N \/\/<\/span> P
<\/span><\/span>        break<\/span>
<\/span><\/span><\/code><\/pre>第二步：Coppersmith算法求m<\/strong><\/p>
# SageMath代码<\/span>
<\/span><\/span>P =<\/span> ...<\/span> # 从第一步得到<\/span>
<\/span><\/span>Q =<\/span> ...<\/span> # 从第一步得到<\/span>
<\/span><\/span>n =<\/span> ...<\/span> # 原始RSA的n<\/span>
<\/span><\/span>
<\/span><\/span>R.<<\/span>x><\/span> =<\/span> Zmod(n)[]
<\/span><\/span>f =<\/span> x^<\/span>2<\/span> -<\/span> (P+<\/span>Q)*<\/span>x +<\/span> P*<\/span>Q
<\/span><\/span>roots =<\/span> f.<\/span>small_roots()
<\/span><\/span>m =<\/span> roots[0<\/span>]
<\/span><\/span><\/code><\/pre>第三步：逆向加密过程<\/strong><\/p>
# Python代码<\/span>
<\/span><\/span>def<\/span> beaufort_decrypt<\/span>(cipher, key):
<\/span><\/span>    # Beaufort解密实现<\/span>
<\/span><\/span>    pass<\/span>
<\/span><\/span>
<\/span><\/span>def<\/span> reverse_shift<\/span>(enc_str):
<\/span><\/span>    # 反向移位操作<\/span>
<\/span><\/span>    result =<\/span> ""<\/span>
<\/span><\/span>    for<\/span> i, char in<\/span> enumerate(enc_str):
<\/span><\/span>        if<\/span> char.<\/span>isupper():
<\/span><\/span>            # 反向移动(i+1)位<\/span>
<\/span><\/span>            shifted =<\/span> (ord(char) -<\/span> ord('A'<\/span>) -<\/span> (i+<\/span>1<\/span>)) %<\/span> 26<\/span>
<\/span><\/span>            result +=<\/span> chr(shifted +<\/span> ord('A'<\/span>))
<\/span><\/span>        else<\/span>:
<\/span><\/span>            result +=<\/span> char
<\/span><\/span>    return<\/span> result
<\/span><\/span>
<\/span><\/span># 解密流程<\/span>
<\/span><\/span>flag_string =<\/span> long_to_bytes(m).<\/span>decode()
<\/span><\/span>beaufort_decrypted =<\/span> beaufort_decrypt(flag_string, "DASCTF"<\/span>)
<\/span><\/span>original_flag =<\/span> reverse_shift(beaufort_decrypted)
<\/span><\/span><\/code><\/pre>教学要点<\/h3>

Beaufort密码算法的自反性质<\/li>
RSA系统中dp参数的意义与泄露利用<\/li>
Coppersmith算法在小根求解中的应用<\/li>
多步加密流程的逆向分析方法<\/li>
<\/ul>
密码学2<\/h2>
考察点<\/h3>

小指数攻击（Low Exponent Attack）<\/li>
中国剩余定理（CRT）<\/li>
有限域上多项式求根<\/li>
多轮加密回溯分析<\/li>
<\/ul>
解题过程<\/h3>
加密流程分析<\/h4>

明文转为整数m<\/li>
生成特殊质数p,q：满足(p-1) % e² == 0，q为p的下一个质数<\/li>
计算N = p*q<\/li>
加密：C = m^e mod N<\/li>
重复25轮加密<\/li>
<\/ol>
解密步骤<\/h4>
# SageMath脚本<\/span>
<\/span><\/span># 读取所有N, C, e参数<\/span>
<\/span><\/span>Ns =<\/span> [...<\/span>] # 25轮的N值<\/span>
<\/span><\/span>Cs =<\/span> [...<\/span>] # 25轮的密文值<\/span>
<\/span><\/span>e =<\/span> 19<\/span>
<\/span><\/span>
<\/span><\/span># 从最后一轮开始向前解密<\/span>
<\/span><\/span>for<\/span> i in<\/span> range(24<\/span>, -<\/span>1<\/span>, -<\/span>1<\/span>):
<\/span><\/span>    N =<\/span> Ns[i]
<\/span><\/span>    C =<\/span> Cs[i]
<\/span><\/span>    
<\/span><\/span>    # 恢复p,q：在sqrt(N)附近搜索满足条件的质数<\/span>
<\/span><\/span>    root =<\/span> isqrt(N)
<\/span><\/span>    for<\/span> p in<\/span> range(root-<\/span>1000<\/span>, root+<\/span>1000<\/span>):
<\/span><\/span>        if<\/span> is_prime(p) and<\/span> (p-<\/span>1<\/span>) %<\/span> (e^<\/span>2<\/span>) ==<\/span> 0<\/span>:
<\/span><\/span>            if<\/span> N %<\/span> p ==<\/span> 0<\/span>:
<\/span><\/span>                q =<\/span> N \/\/<\/span> p
<\/span><\/span>                break<\/span>
<\/span><\/span>    
<\/span><\/span>    # 在GF(p)和GF(q)上解方程<\/span>
<\/span><\/span>    Fp =<\/span> GF(p)
<\/span><\/span>    Fq =<\/span> GF(q)
<\/span><\/span>    
<\/span><\/span>    # 求根<\/span>
<\/span><\/span>    roots_p =<\/span> (Fp(C).<\/span>nth_root(e, all=<\/span>True<\/span>))
<\/span><\/span>    roots_q =<\/span> (Fq(C).<\/span>nth_root(e, all=<\/span>True<\/span>))
<\/span><\/span>    
<\/span><\/span>    # CRT组合解<\/span>
<\/span><\/span>    for<\/span> rp in<\/span> roots_p:
<\/span><\/span>        for<\/span> rq in<\/span> roots_q:
<\/span><\/span>            m =<\/span> crt(int(rp), int(rq), p, q)
<\/span><\/span>            # 检查m的比特长度是否符合要求<\/span>
<\/span><\/span>            if<\/span> m.<\/span>nbits() ==<\/span> expected_bits:
<\/span><\/span>                next_plaintext =<\/span> m
<\/span><\/span>                break<\/span>
<\/span><\/span><\/code><\/pre>教学要点<\/h3>

小指数攻击的条件与限制<\/li>
特殊质数生成方式的密码学意义<\/li>
中国剩余定理在密码分析中的应用<\/li>
多轮加密系统的回溯解密方法<\/li>
有限域上多项式求根技术<\/li>
<\/ul>
Misc1<\/h2>
考察点<\/h3>

文件格式分析（HEX编辑）<\/li>
基础编码转换<\/li>
<\/ul>
解题过程<\/h3>

解压得到图片文件<\/li>
使用010 Editor等工具分析文件头部<\/li>
发现HEX编码字符串<\/li>
转换HEX到ASCII获得flag<\/li>
<\/ol>
教学要点<\/h3>

常见文件格式结构分析<\/li>
HEX编辑工具使用方法<\/li>
编码识别与转换技巧<\/li>
<\/ul>
Misc2<\/h2>
考察点<\/h3>

Steghide隐写工具使用<\/li>
Base64编码解码<\/li>
二进制数据处理<\/li>
逆向工程分析<\/li>
异或加密破解<\/li>
<\/ul>
解题过程<\/h3>

解压得到图片文件<\/li>
010 Editor分析发现尾部Base64字符串<\/li>
解码得到二进制串：1000011010100000010101111001110011100100000110100101000001010101<\/li>
图片属性中发现密钥提示：jzxcvb123<\/li>
Steghide提取隐写内容：steghide extract -sf x.jpeg -p jzxcvb123<\/li>
获得test.zip，破解伪加密<\/li>
逆向分析ELF文件中的加密逻辑：

64字节循环密钥异或加密<\/li>
密钥：1000011010100000010101111001110011100100000110100101000001010101<\/li>
<\/ul>
<\/li>
将图片尾部的64位二进制与密钥异或得到：HELLo123<\/li>
使用该密码解压获得flag.txt<\/li>
<\/ol>
教学要点<\/h3>

Steghide隐写工具参数与使用<\/li>
ZIP文件伪加密识别与破解<\/li>
ELF文件逆向分析基础<\/li>
异或加密原理与破解方法<\/li>
多步骤隐写分析流程<\/li>
<\/ul>
RE<\/h2>
考察点<\/h3>

壳识别与脱壳技术（Themida\/WinLicense）<\/li>
花指令识别与清除<\/li>
魔改RC4算法分析<\/li>
魔改TEA算法分析<\/li>
加密算法逆向工程<\/li>
<\/ul>
解题过程<\/h3>

检测到Themida\/WinLicense壳，使用unlicense工具脱壳<\/li>
IDA分析发现花指令，手动NOP清除<\/li>
分析主程序逻辑：

读取输入 → loc_421290处理 → loc_4213C0处理 → 与密文比较<\/li>
<\/ul>
<\/li>
分析loc_421290：魔改RC4算法

密钥："thOs_IO_ke9"<\/li>
加密：output[i] = input[i] + (K_i ^ 0x33)<\/li>
<\/ul>
<\/li>
分析loc_4213C0：魔改TEA算法

128-bit固定密钥<\/li>
33轮迭代加密<\/li>
<\/ul>
<\/li>
解密流程：先TEA解密再RC4解密<\/li>
<\/ol>
教学要点<\/h3>

常见壳的特征与脱壳方法<\/li>
花指令的识别与清除技术<\/li>
RC4算法原理与魔改分析<\/li>
TEA算法原理与魔改分析<\/li>
复合加密系统的逆向分析方法<\/li>
<\/ul>
PWN<\/h2>
考察点<\/h3>

栈溢出漏洞利用<\/li>
Shellcode编写与构造<\/li>
漏洞利用链设计<\/li>
保护机制绕过<\/li>
<\/ul>
解题过程<\/h3>

检查保护机制：NX disabled, No PIE, No Canary → 栈可执行<\/li>
IDA分析发现栈溢出漏洞：

char s[24]缓冲区<\/li>
fgets(s, 50, stdin) → 可写入49字节<\/li>
<\/ul>
<\/li>
构造利用payload：

前24字节：shellcode（execve("\/bin\/sh")）<\/li>
填充至36字节<\/li>
覆盖返回地址：jmp esp指令地址<\/li>
添加esp调整指令：sub esp,40; call esp<\/li>
<\/ul>
<\/li>
发送payload获得shell<\/li>
<\/ol>
教学要点<\/h3>

栈溢出漏洞原理与利用方法<\/li>
Shellcode编写技术<\/li>
漏洞利用链设计思路<\/li>
保护机制识别与绕过技术<\/li>
利用工具（pwntools等）的使用<\/li>
<\/ul>
综合教学要点<\/h2>

CTF解题方法论<\/strong>：信息收集→漏洞识别→利用构造→flag获取<\/li>
多知识点融合<\/strong>：实际题目往往融合多个安全领域知识点<\/li>
工具链使用<\/strong>：掌握各类安全工具的配合使用<\/li>
脚本编写能力<\/strong>：自动化处理复杂计算或重复操作<\/li>
文档记录习惯<\/strong>：详细记录解题过程与发现，便于复盘学习<\/li>
<\/ol>
通过系统学习上述知识点和解题技巧，可以有效提升网络安全竞赛能力和实际安全分析技能。<\/p>

2025青岛网络安全大赛决赛题解与知识点教学<\/h1>

题目附件<\/h2> 下载链接：https:\/\/pan.quark.cn\/s\/44903a187039?pwd=79es 提取码：79es<\/p>

Web1<\/h2>

Web2<\/h2>

密码学1<\/h2>

解题过程<\/h3>

密码学2<\/h2>

解题过程<\/h3>

Misc1<\/h2>

Misc2<\/h2>

RE<\/h2>

PWN<\/h2>

题目附件<\/h2>
下载链接：https:\/\/pan.quark.cn\/s\/44903a187039?pwd=79es 提取码：79es<\/p>