西湖论剑——指鹿为马
前几天被hxd拉去看看题,其中MISC的指鹿为马很有意思,我来说说这题我的解法。
首先nc服务器down下了三个信息,首先是python的源代码
import numpy as np
from PIL import Image
import math
import operator
import os
import time
import base64
import randomdef load_horse():data = []p = Image.open('./horse.png').convert('L')p = np.array(p).reshape(-1)p = np.append(p,0)data.append(p)return np.array(data)def load_deer():data = []p = Image.open('./deer.png').convert('L')p = np.array(p).reshape(-1)p = np.append(p,1)data.append(p)return np.array(data)def load_test(pic):data = []p = Image.open(pic).convert('L')p = np.array(p).reshape(-1)p = np.append(p,1)data.append(p)return np.array(data)def euclideanDistance(instance1, instance2, length):distance = 0for x in range(length):distance += pow((instance1[x] - instance2[x]), 2)return math.sqrt(distance)def getNeighbors(trainingSet, testInstance, k):distances = []length = len(testInstance) - 1for x in range(len(trainingSet)):dist = euclideanDistance(testInstance, trainingSet[x], length)distances.append((trainingSet[x], dist))distances.sort(key=operator.itemgetter(1))neighbors = []for x in range(k):neighbors.append(distances[x][0])return neighborsdef getResponse(neighbors):classVotes = {}for x in range(len(neighbors)):response = neighbors[x][-1]if response in classVotes:classVotes[response] += 1else:classVotes[response] = 1sortedVotes = sorted(classVotes.items(), key=operator.itemgetter(1), reverse=True)return sortedVotes[0][0]def getAccuracy(testSet, predictions):correct = 0for x in range(len(testSet)):if testSet[x][-1] == predictions[x]:correct += 1return (correct / float(len(testSet))) * 100.0def check(pic):source_p = Image.open('deer.png')try:c_p = Image.open(pic)except:print("Please upload right picture.")exit()diff_pixel = 0a, b = source_p.sizeif c_p.size[0] != a and c_p.size[1] != b:print("Please upload right picture size("+str(a)+','+str(b)+')')exit()for y in range(b):for x in range(a):diff_pixel += abs(source_p.getpixel((x, y)) - c_p.getpixel((x, y)))return diff_pixeldef main():while 1:print('-' * 134)print(''' ____ __ _ _ _ _ _ _ _ | __ \ / _| | | | | | | | | | | | | | | | |__) |___| |_ ___ _ __ | |_ ___ | |_| |__ ___ __| | ___ ___ _ __ __ _ ___ | |_| |__ ___ | |__ ___ _ __ ___ ___ | _ // _ \ _/ _ \ '__| | __/ _ \ | __| '_ \ / _ \ / _` |/ _ \/ _ \ '__| / _` / __| | __| '_ \ / _ \ | '_ \ / _ \| '__/ __|/ _ \\| | \ \ __/ || __/ | | || (_) | | |_| | | | __/ | (_| | __/ __/ | | (_| \__ \ | |_| | | | __/ | | | | (_) | | \__ \ __/|_| \_\___|_| \___|_| \__\___/ \__|_| |_|\___| \__,_|\___|\___|_| \__,_|___/ \__|_| |_|\___| |_| |_|\___/|_| |___/\___|''')print('-'*134)print('\t1.show source code')print('\t2.give me the source pictures')print('\t3.upload picture')print('\t4.exit')choose = input('>')if choose == '1':w = open('run.py','r')print(w.read())continueelif choose == '2':print('this is horse`s picture:')h = base64.b64encode(open('horse.png','rb').read())print(h.decode())print('-'*134)print('this is deer`s picture:')d = base64.b64encode(open('deer.png', 'rb').read())print(d.decode())continueelif choose == '4':breakelif choose == '3':print('Please input your deer picture`s base64(Preferably in png format)')pic = input('>')try:pic = base64.b64decode(pic)except:exit()if b"<?php" in pic or b'eval' in pic:print("Hacker!!This is not WEB,It`s Just a misc!!!")exit()salt = str(random.getrandbits(15))pic_name = 'tmp_'+salt+'.png'tmp_pic = open(pic_name,'wb')tmp_pic.write(pic)tmp_pic.close()if check(pic_name)>=100000:print('Don`t give me the horse source picture!!!')os.remove(pic_name)breakma = load_horse()lu = load_deer()k = 1trainingSet = np.append(ma, lu).reshape(2, 5185)testSet = load_test(pic_name)neighbors = getNeighbors(trainingSet, testSet[0], k)result = getResponse(neighbors)if repr(result) == '0':os.system('clear')print('Yes,I want this horse like deer,here is your flag encoded by base64')flag = base64.b64encode(open('flag','rb').read())print(flag.decode())os.remove(pic_name)breakelse:print('I want horse but not deer!!!')os.remove(pic_name)breakelse:print('wrong choose!!!')breakexit()if __name__=='__main__':main()
马的base64
iVBORw0KGgoAAAANSUhEUgAAAEgAAABICAAAAABwhuybAAAFeElEQVR4nO2Xy28TVxTGvzN2ZpLYIY5dkgImIU4I2DFqQqiaqGpL2gXqv8AC2lUX/BFl032lSpWqblqpGyQ2LQhERQhUDSqk4ZnEtHnxCATn4TjP8fOeLmZszzPEUpeclefeM7/z3e/OfRh4G/9n+Dtk907v7jnKh42vc6690u5BTe/u1FsFyEPVgGoaqkAbw+pR5+m5689dq+5QxApSWjuO/DhbGoRgU6dcv7E7UH1472EUw2fuFDVS8e+UKblmX3JXoHBfiEKAOJjSClPOOpTOp2k3kCG19aN3IADA08habGyZk7nxRN2bFTWc8AuEWiWADtG8AIAF1ZLNrZ77SwynqIAa19cpHpMZgLddmcsTCpmwBACFZLGcFQ69TKoaivPragVKxl/9Z/YI/WlxRiVtoKC1qyoAtJzyAgAx66+LrWdPNu2KGL2n/el6vaFZntogzUBS8wCALXUPA2CQXl0KBPbdXtFfN5gdPxt68M210lNTNFj6mSxooJdWX5ibB3w20JEv9vLMqyeFUlJDtEX7pb4kSZIInFi3rTZuOWIdWuTLfUJiVNxjpUuZFwA8xwVAUzNYvTvgs03ZoYRqAsW+CgnAh3rDWL3t8tMCULMfAD0H8CxzbH+NQQ4A9jeYQF3fHR1LE/fXdHkMNaWD8kyGwAAKaQBIpkJBWRsf1YeCEgOSvmtqrW3fnxTp+2kiYov21alNAkDL1zLWQdW2xQMMcX1eKwoA9edPFjnQG2AWVg+CsSAA8LSNg8w/N1cq7ksA8P7nAuBAT4CJyDwz3HC0BcCLaRsHwModtZztBYC4XwDgpt6RJY/gBo+JVNslL6/N+f12Tl59PRczgXQsN937SRY43StM+d5ION9nx5DILSeWyqvQCwDjmz4GQBt/LQIYOqqYX5FqXTaPgz3p5flSEgDcveohgDyXRwFgctK2NbNzCA50HJYNoO2vL2xJ0uYv51UAyA5btyH3YBz4WPtEdXt8J7p5fGxbe1DO9QmXFx0i98NdA8gcvecUp2bnkB59m4XLSTsxUcUpye0H4AbKVeES2Bd2BWGyGklSozuoKknat+hSuSpJtAMod8NdkvPtxq1w4pFbD684XtuMZ78n3Fx+u7hWdKxMuZnNQFuNvcMI6vqk8h1yIzuBqHB58XgKDiTDAChSKyrheMJT4cpvOULqWX4nRZKX4Walzslf/bVAABw0WW9sBX222OFKTdlLV3Sj7SQLSEoOaQtfdMet0yalLo6UzmE7yaZoQ99BVItJxE8uJgCQv0ySjSm7u/kTide3bq0DQEenftmZHTvVZCC5ghjQ55S5sD1//552UwsNKAwAtPBHMnk2UCG5gho8QPbWGoGLanpxKau1Kv26iumRNYzCQLKCvB5NudzvFdL4BctqoN4IA6Dio9EMYCJZpka0HNNaYt0C6rB1VUXeAwBSR25rJ/joz6ul784AKqYBeD/o8QCQB+sgjScsnOCAAkBKDz0snYujQ6U+o6KHrwio6WsuCbppEaQMBBmgV9dmy84o7WScFz3SQwuE4sMlQD5ZB2li0syhnggDmP7d8D8i1i2gzllBSA0tiNGxAhCNOzjU3gOQeHBjzaBxsA7SZAKwzlrqRsu/RUAerBM2QcEBhUkdfVw0tEVjAupw1g7CygrgLEjpDzHSf84Zl4U8WCekSa2g0wfpKKgzwsgMvzC1RbvLghz3bEeH/B5QbtVaECVBTiD507KDO0c0LpC5mXUFxQyCDWG7XmqCJvQnu0dGBw2RXWPaNO1R0bhAplzQDup2FpSYZYhtW8GSIDtIcRaErBUdMwmyexSLOQqyhdkhh//9n/kEOQiyRfwYpKyhoA00PgU8frMg5C8JWp94c97bqMR/qKdMxhtIpukAAAAASUVORK5CYII=
附转码后的图片(推荐个转码的网站:https://tool.jisuapi.com/base642pic.html)
鹿的base64
iVBORw0KGgoAAAANSUhEUgAAAEgAAABICAAAAABwhuybAAAEXUlEQVR4nO2XS2xbRRSG/5l7b/xSb2wnDqbBSdU0FcQUmsRZVCAkorZJumkrFWEkWLJgyZINC5bsQQKEVAkhNRKJRKWqjUiFEAgUkYRQtYQ+ZCc4jzbk4dgkaWzfOSwSP+7D9r3Jtmc198ycz/+ZmTMzBp6Zc2N959wAXGdjDEDTxY6DggJfXT8FoOv7L/wArox/xG2FmUcpHsUNwKO4FYB3QNABQaCKyGi39pc9kKzT8p/Yb3pdfkhNSvTtpvu/2eLoQBfPfjkNAGh7+bTqlYIfs8aGha9XHYOkUyd7pgFAes/L8iIHldIzo4/scSpB2mPRpWYAwLtwK1EAINZW8jY5utQmzr8Uv5YB+MKnf9uNtwTdGbt8uWtW8tG4c44OVPiWBqJRiELSOUcHQvbqw4FjDR4qHBbU/mane0MJy+e2Z7VDgFj3W01ZhZFGL4bGx2wvVzG63IzF/TMjZwYYh0Dh1k2HpHKtxeIqJZcfaqRpRPLgkGI3cM9KqcXiKjHCfoWSPIiamviQd3KuspyL4FhcJcALLyuRampiJ4Y+OFMxL0VFvXGVAOpTTkg2NQktcGm5YsNxAGCxd/wAQIH+SElu3XkSgV6jotbXsptySNKfafXnCWGpvN1kANB+JzraLxnH1SVJFZMkA0BWcvlebTAfqSQPSjef1tJkAG0pA17F6mgm+XxoLCUseqxB9AveCO5lxhViABVjifd13vlzYctUepVZASiVCGsMKQAg2j8JCrDtmaelgYzl0umcEcQiR4jf/ax8TuzvI0qn9xrJxCsaoC3Pl9MjOdRiToUI5A8vlL6NJbP73bYQgrfplpCE2Qig1vejVUH46Z4EUIvfzrVIR989WRW0el0AcEdscADRfEmtBsKNJQ6g1WvrphYdxTIxgx7c5gCpYVuSwHtc1UDaaIYBUti4UayNwoFqIExMcQCyTZBbrQrKjhYA8cRWYQCSUhWEHxKySM7ZU1SqDdmiK/XNlfUnebsgVAfRyPNHWJljyJFZ/4IVCKnp/nK0K6iP3NmwDxK3OyNFkgi+rp/H3amUVYz123dlZL3UwbjevLE2+yDcu5ood+lTI48lyTI1ALPLvd3HJQBM7EqGsuOntUVTQI1FDn8YIIAt/2xYNmrpyUvB4pf2+d2aigAUCADY6o/GA7vVxRtEs8Fp74+G3hjn+X/WioDQwUEAWG5+bW9W+IXYYUBguflFAgBqjEftgaosB9u6NskAgPzHgZqTvR9Q5VnKVh4tsT4C9t9m9RSxjV+tSSKhZYcny3LrKGLp4T+sO9YXgcwwSk+kOorYxJTZ6eMAJXcAbN7IFDXVS23H7JLaGNjW3p2+W8r7AMvf/BwBqU2D9wCgdheQSxrvT+cgXwRgj1eMbuegVpUgEqY94RgkHeNg60smv2NQcwuB5syL6RjU7gLbmjP7nYJ8EQCpjLmjVokwTtxY+y80guUTpBtTD7Q95iF23+icBnb+1Y95UEPMM6uw/wEb7IPCRqC/gwAAAABJRU5ErkJggg==
附转码后的图片
经过代码审阅,发现题目的要求是要你输入一张图片(这里称为test)的base64编码,通过他的条件就会得到flag。
我们发现在传入马和鹿和test时,load_horse(),load_deer(),load_test(),图片的尾部会被添加一个值,除了马是0,其他两张都是1,这是重点!!
在看输入图片后的判断流程,第一个条件check(),check()的作用是将test和鹿的像素差的绝对值相加,如果大于10w就不通过。第二个条件getNeighbors(),比较test和马和鹿的像素的欧式距离。如果test和马的欧氏距离最近才能通过。getResponse()的作用就是判断图片的尾部是否为0(感觉这代码也是作者从其他地方扒拉过来的,图片对抗)。
所以我们就理清思路了,我们要输入一张test,test的总像素差和鹿不能超过10w,并且和马的欧式距离最近。真是“指鹿为马”啊。
一开始我是想用PS将两个图片叠加再一起的,可是一直过不了,还尝试了几次不同比例叠加,也不行,听说有大佬用PS过了。我还是交给脚本吧···,我的思路是在鹿的基础上将马的像素点一个一个加上去,直到满足两个条件就停止。
from PIL import Imagema = Image.open('./horse.png').convert('L')
print(ma)
print(ma.size)
print(ma.getpixel((0, 70)))
lu = Image.open('./deer.png').convert('L')
luandma = Image.open('./deer.png').convert('L')
for i in range(72):for j in range(72):px = ma.getpixel((i, j))luandma.putpixel((i,j),px)diff_pixel = 0distance1 = 0distance2 = 0for y in range(72):for x in range(72):distance1 += pow(abs(lu.getpixel((x, y)) - luandma.getpixel((x, y))), 2)distance2 += pow(abs(ma.getpixel((x, y)) - luandma.getpixel((x, y))), 2)diff_pixel += abs(lu.getpixel((x, y)) - luandma.getpixel((x, y)))if diff_pixel <= 100000 and distance1 > distance2:print("ok")luandma.save('done.png')exit()
然后就得到了一张test的图片(这是我跑完的最后一张),半马半鹿,妙啊。
提交成功得到flag
然后base64转码成txt后发现里面还有图片的base64,再转,才是最后的flag
解题就完成了,如果我讲的有哪里不对,请各位师傅多多包涵,也请评论点出,谢谢!
西湖论剑——指鹿为马相关推荐
- 2023西湖论剑wirteup
2023西湖论剑wirteup 文章目录 2023西湖论剑wirteup 机你太美 take_the_zip_easy mp3 Isolated Machine Memory Analysis 前言: ...
- 2019西湖论剑·网络安全大会开幕 安全赋能数字新时代...
2019年4月20日-21日,以"安全:赋能数字新时代"为主题的2019西湖论剑•网络安全大会(以下简称"西湖论剑")在杭州国际博览中心举行.西湖论剑自2012 ...
- 2019西湖论剑·网络安全大会开幕 安全赋能数字新时代
2019年4月20日-21日,以"安全:赋能数字新时代"为主题的2019西湖论剑•网络安全大会(以下简称"西湖论剑")在杭州国际博览中心举行.西湖论剑自2012 ...
- 远禾科技出席阿里ASRC生态大会 并参与安恒西湖论剑...
近日,由阿里安全响应中心举办的2019 ASRC生态大会与安恒承办的2019西湖论剑·网络安全大会在互联网之都杭州成功召开,作为网络安全行业的两大盛会,得到了协会领导.业界权威.行业大咖.领导品牌.企 ...
- 远禾科技出席阿里ASRC生态大会 并参与安恒西湖论剑
近日,由阿里安全响应中心举办的2019 ASRC生态大会与安恒承办的2019西湖论剑·网络安全大会在互联网之都杭州成功召开,作为网络安全行业的两大盛会,得到了协会领导.业界权威.行业大咖.领导品牌.企 ...
- 2023西湖论剑——misc——MP3
西湖论剑--misc--MP3 附件下载 链接:https://pan.baidu.com/s/1A-QFz3qC4Q2mSdZKBYqZNw 提取码:lulu MP3详解 这个应该是2023年这一届 ...
- 西湖论剑CTF2019
Crypto 哈夫曼之谜 哈夫曼.png 下载下来就一个文件,里面全是0101和一些字符. 搜索哈夫曼,了解到哈夫曼压缩时用到的哈夫曼树. 猜测下面的字符代表频率. 哈夫曼树建立过程如下 哈夫曼树建立 ...
- 西湖论剑预选赛Misc第二题Write-UP
近期铺天盖地宣传的"西湖论剑"网络安全技能赛预选已经结束了.在这里随便糊一篇文章(也是我第一次写Write-Up文章),就聊聊杂项最先放出的那个第二题的解法. 首先拿到题,解压,发 ...
- WP-2021西湖论剑
2021西湖论剑-wp 前言 全靠大佬打,我是划水的. 灏妹的web 页面开发中 Dirsearch扫一下,idea泄露 ezupload 查看页面源代码,发现提示 ?source=1 发现使用_FI ...
- 2022西湖论剑-初赛CTF部分wp-Zodiac
2022西湖论剑-初赛CTF部分wp-Zodiac 文章目录 2022西湖论剑-初赛CTF部分wp-Zodiac WEB real_ez_node 扭转乾坤 Node Magical Login PW ...
最新文章
- Fleury算法找欧拉环游
- python的river安装
- LeetCode 1323. 6 和 9 组成的最大数字
- 滤波器开发之五:基于算术平均的限幅滤波器
- 22 C#中的异常处理入门 try catch throw
- pyQT指定窗口截图
- 与 SQL Server 建立连接时出现与网络相关的或特定于实例的错误
- Notepad++ 安装 Zen Coding / Emmet 插件
- 使用bintray-release工具上传gradle项目至bintray.com
- 安装sqlyog和使用注册码
- 记使用springboot过程中遇到的一个问题
- 山东省计算机科学与技术排名,2016山东省大学各学科门类最佳专业排行榜|大学排行榜|最佳专业排行榜_新浪教育_新浪网...
- 瑞幸小鹿茶正面杠上喜茶,茶饮新零售鹿死谁手?
- 【英语:基础进阶_听口实战运用】D1.听口实战运用
- 管程法----生产者和消费者
- python中geometry_python shapely.geometry.polygon任意两个四边形的IOU计算实例
- 【SuperMap-Leaflet】等值线/面裁剪参数设置
- shell判断命令是否执行成功
- 都整理好了,总有一个你用得上
- nodemcu能不能用c语言开发,NodeMcu: 编译及运行esp-open-rtos系统