Capture The Flag:通过实战学习网络安全核心技术
CTF(Capture The Flag)是网络安全领域最受欢迎的技术竞赛形式。参赛者需要解决各种安全挑战,找到隐藏的"Flag"(通常是格式为flag{...}的字符串)。CTF是学习网络安全最有效的方式——理论结合实战,在解题中自然掌握技术。
古典密码是Crypto入门的最佳起点。凯撒密码通过字母偏移加密,暴力破解仅需25次尝试。
# ===== 凯撒密码破解 =====
cat > /tmp/ctf_caesar.py <<'PYEOF'
#!/usr/bin/env python3
"""CTF Crypto: 凯撒密码暴力破解"""
def caesar_decrypt(ciphertext, shift):
"""凯撒密码解密"""
plaintext = ""
for char in ciphertext:
if char.isalpha():
# 大写字母
if char.isupper():
plaintext += chr((ord(char) - ord('A') - shift) % 26 + ord('A'))
# 小写字母
else:
plaintext += chr((ord(char) - ord('a') - shift) % 26 + ord('a'))
else:
plaintext += char
return plaintext
# CTF题目: 解密密文
ciphertext = "synt{pnpur_gur_synt}"
print("=" * 50)
print(" CTF Crypto: 凯撒密码破解")
print("=" * 50)
print(f"\n密文: {ciphertext}")
print("\n暴力破解所有偏移:")
print("-" * 50)
for shift in range(26):
result = caesar_decrypt(ciphertext, shift)
# 高亮包含flag的行
if "flag" in result.lower():
print(f" 偏移 {shift:2d}: {result} ← 🎯 FLAG!")
else:
print(f" 偏移 {shift:2d}: {result}")
print("\n" + "=" * 50)
print(" ✅ Flag: flag{capture_the_flag}")
print(" 📌 偏移量: 13 (ROT13)")
print("=" * 50)
PYEOF
python3 /tmp/ctf_caesar.py
# ===== 多层编码解码 =====
cat > /tmp/ctf_decode.py <<'PYEOF'
#!/usr/bin/env python3
"""CTF Crypto: 多层编码解码"""
import base64
import binascii
# 模拟CTF题目: 多层编码
# Layer 1: Base64 → Layer 2: Hex → Layer 3: ROT13 → Flag
# 原始flag
original = "flag{multi_layer_encoding}"
# 加密过程(出题方向)
layer3 = original # ROT13
rot13 = original.translate(
str.maketrans(
'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz',
'NOPQRSTUVWXYZABCDEFGHIJKLMnopqrstuvwxyzabcdefghijklm'
)
)
layer2 = rot13.encode().hex() # Hex编码
layer1 = base64.b64encode(layer2.encode()).decode() # Base64编码
print("=" * 50)
print(" CTF: 多层编码解码")
print("=" * 50)
print(f"\n密文 (Base64): {layer1}")
# 解密过程(解题方向)
print("\n解题步骤:")
print("-" * 50)
# Step 1: Base64解码
step1 = base64.b64decode(layer1).decode()
print(f" Step 1 Base64解码: {step1}")
# Step 2: Hex解码
step2 = bytes.fromhex(step1).decode()
print(f" Step 2 Hex解码: {step2}")
# Step 3: ROT13解码
step3 = step2.translate(
str.maketrans(
'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz',
'NOPQRSTUVWXYZABCDEFGHIJKLMnopqrstuvwxyzabcdefghijklm'
)
)
print(f" Step 3 ROT13解码: {step3}")
print(f"\n ✅ Flag: {step3}")
print("=" * 50)
PYEOF
python3 /tmp/ctf_decode.py
# ===== Web CTF: SQL注入登录绕过 =====
cat > /tmp/ctf_web.py <<'PYEOF'
#!/usr/bin/env python3
"""CTF Web: SQL注入登录绕过模拟"""
# 模拟后端SQL查询
def vulnerable_login(username, password):
"""存在SQL注入漏洞的登录函数"""
query = f"SELECT * FROM users WHERE username='{username}' AND password='{password}'"
return query
# 模拟数据库
users_db = {
"admin": "super_secret_password",
"guest": "guest123"
}
def safe_login(username, password):
"""模拟登录验证"""
if username in users_db and users_db[username] == password:
return True, f"Welcome {username}! flag{{sql_inject10n_bypass}}"
return False, "Login failed"
print("=" * 50)
print(" CTF Web: SQL注入登录绕过")
print("=" * 50)
# 攻击1: 认证绕过
print("\n[Attack 1] 认证绕过")
payload1_user = "admin'--"
payload1_pass = "anything"
query1 = vulnerable_login(payload1_user, payload1_pass)
print(f" 注入Payload: username={payload1_user}")
print(f" 生成SQL: {query1}")
print(f" 效果: 注释掉密码验证 → 直接以admin登录")
# 攻击2: 永真条件
print("\n[Attack 2] 永真条件")
payload2_user = "' OR 1=1--"
payload2_pass = "x"
query2 = vulnerable_login(payload2_user, payload2_pass)
print(f" 注入Payload: username={payload2_user}")
print(f" 生成SQL: {query2}")
print(f" 效果: 1=1永真 → 返回第一个用户(通常是admin)")
# 攻击3: UNION注入
print("\n[Attack 3] UNION注入提取数据")
payload3 = "' UNION SELECT 1,flag FROM flags--"
query3 = vulnerable_login(payload3, "x")
print(f" 注入Payload: {payload3}")
print(f" 生成SQL: {query3}")
print(f" 效果: UNION查询提取flags表中的flag")
# 验证(使用正确的密码)
success, msg = safe_login("admin", "super_secret_password")
print(f"\n正常登录验证: {msg}")
print("\n" + "=" * 50)
print(" ✅ Flag: flag{sql_inject10n_bypass}")
print("=" * 50)
PYEOF
python3 /tmp/ctf_web.py
# ===== Pwn CTF: 栈溢出原理演示 =====
cat > /tmp/ctf_pwn.py <<'PYEOF'
#!/usr/bin/env python3
"""CTF Pwn: 栈缓冲区溢出原理"""
import struct
print("=" * 50)
print(" CTF Pwn: 栈缓冲区溢出")
print("=" * 50)
# 模拟栈布局
print("\n[1] 正常栈布局")
print(" 高地址")
print(" ┌──────────────────┐")
print(" │ return address │ ← 0x08048456 (main)")
print(" ├──────────────────┤")
print(" │ saved EBP │")
print(" ├──────────────────┤")
print(" │ buffer[64] │")
print(" │ (用户输入) │ ← 正常输入: 'Hello'")
print(" ├──────────────────┤")
print(" │ local vars │")
print(" └──────────────────┘")
print(" 低地址")
print("\n[2] 溢出后栈布局")
print(" 高地址")
print(" ┌──────────────────┐")
print(" │ 0xDEADBEEF │ ← 被覆盖的返回地址!")
print(" ├──────────────────┤")
print(" │ AAAA (padding) │")
print(" ├──────────────────┤")
print(" │ AAAA... (64+8) │ ← 超长输入覆盖到返回地址")
print(" │ buffer overflow │")
print(" ├──────────────────┤")
print(" │ local vars │")
print(" └──────────────────┘")
print(" 低地址")
# 模拟exploit构造
print("\n[3] Exploit构造")
buffer_size = 64
saved_ebp_size = 8
target_addr = 0xDEADBEEF
# padding + 覆盖EBP + 目标地址
payload = b"A" * buffer_size # 填充buffer
payload += b"B" * saved_ebp_size # 覆盖saved EBP
payload += struct.pack("
# ===== Reverse CTF: 算法逆向 =====
cat > /tmp/ctf_reverse.py <<'PYEOF'
#!/usr/bin/env python3
"""CTF Reverse: 逆向简单加密算法"""
print("=" * 50)
print(" CTF Reverse: 算法逆向")
print("=" * 50)
# 模拟CTF题目的加密算法(通常在二进制程序中)
def encrypt_flag(plaintext, key):
"""简单的XOR加密(CTF常见类型)"""
encrypted = []
for i, char in enumerate(plaintext):
encrypted_char = ord(char) ^ key[i % len(key)]
encrypted.append(encrypted_char)
return encrypted
# 已知信息
key = [0x10, 0x20, 0x30, 0x40] # 从逆向分析中提取的密钥
encrypted = [0x7e, 0x4c, 0x5a, 0x2c, 0x63, 0x4d, 0x5b, 0x30,
0x65, 0x55, 0x59, 0x2d, 0x60, 0x4e, 0x5c, 0x31,
0x63, 0x4c, 0x5a, 0x2c, 0x7d]
print("\n[1] 逆向分析结果")
print(f" 加密算法: XOR")
print(f" 密钥: {[hex(k) for k in key]}")
print(f" 密文长度: {len(encrypted)} bytes")
print(f" 密文: {[hex(c) for c in encrypted]}")
# 解密:XOR是自逆运算
print("\n[2] 解密过程")
decrypted = []
for i, enc_char in enumerate(encrypted):
dec_char = enc_char ^ key[i % len(key)]
decrypted.append(chr(dec_char))
flag = "".join(decrypted)
print(f" 逐字节XOR解密:")
for i, (enc, k, dec) in enumerate(zip(encrypted, [key[j % len(key)] for j in range(len(encrypted))], decrypted)):
print(f" [{i:2d}] 0x{enc:02X} ^ 0x{k:02X} = 0x{ord(dec):02X} = '{dec}'")
print(f"\n ✅ Flag: {flag}")
print("\n[3] 逆向工具速查")
print(" 静态分析:")
print(" - Ghidra (NSA开源反编译器)")
print(" - IDA Pro (业界标准)")
print(" - Binary Ninja (现代化UI)")
print(" - radare2 (命令行工具)")
print("")
print(" 动态分析:")
print(" - GDB + pwndbg (Linux调试)")
print(" - x64dbg (Windows调试)")
print(" - ltrace/strace (库/系统调用追踪)")
print("\n" + "=" * 50)
PYEOF
python3 /tmp/ctf_reverse.py
# ===== Misc CTF: 文件隐写术 =====
cat > /tmp/ctf_stego.py <<'PYEOF'
#!/usr/bin/env python3
"""CTF Misc: 隐写术基础"""
import os
print("=" * 50)
print(" CTF Misc: 隐写术")
print("=" * 50)
# ===== 1. 文件类型识别 =====
print("\n[1] 文件类型识别")
print(" 原理: 通过文件头魔数判断真实类型")
print(" 常见魔数:")
magic_numbers = {
"PNG": "89 50 4E 47",
"JPEG": "FF D8 FF",
"GIF": "47 49 46 38",
"ZIP": "50 4B 03 04",
"PDF": "25 50 44 46",
"ELF": "7F 45 4C 46",
"BMP": "42 4D",
}
for ftype, magic in magic_numbers.items():
print(f" {ftype:6s}: {magic}")
# 模拟文件类型检查
print("\n file命令: file suspicious_image.png")
print(" → 可能显示: PNG image data (正确)")
print(" → 或显示: POSIX shell script (伪装!)")
# ===== 2. 末尾追加数据 =====
print("\n[2] 末尾追加数据检测")
print(" 很多CTF题将flag追加到图片末尾")
# 创建测试文件模拟追加数据
with open('/tmp/ctf_test.png', 'wb') as f:
# PNG文件头
f.write(b'\x89PNG\r\n\x1a\n')
# 模拟追加的flag
f.write(b'\n\nflag{append3d_data_f0rensic}\n')
# 检查追加数据
print("\n 检测方法: strings + tail")
os.system("strings /tmp/ctf_test.png | grep flag")
# ===== 3. LSB隐写 =====
print("\n[3] LSB隐写原理")
print(" LSB = Least Significant Bit (最低有效位)")
print(" 原理: 修改像素最低位来嵌入信息")
print("")
print(" 示例:")
print(" 原始像素: 11111110 (254)")
print(" 嵌入0: 11111110 (254) — 无可见变化")
print(" 嵌入1: 11111111 (255) — 无可见变化")
print("")
print(" 人类眼睛无法分辨254和255的区别")
print(" 但信息已经隐藏在最低位中")
print("")
print(" 提取方法:")
print(" - zsteg (PNG/BMP LSB提取)")
print(" - stegsolve (图像分析)")
print(" - Python手动提取最低位")
# ===== 4. ZIP密码破解 =====
print("\n[4] ZIP密码破解")
# 创建测试ZIP
os.system("echo 'flag{z1p_cr4ck3d}' > /tmp/secret.txt 2>/dev/null")
os.system("zip -j -P password123 /tmp/ctf_secret.zip /tmp/secret.txt 2>/dev/null")
os.system("echo 'password123' > /tmp/wordlist.txt 2>/dev/null")
# fcrackzip -D -p /tmp/wordlist.txt -u /tmp/ctf_secret.zip
print(" 工具:")
print(" - fcrackzip: zip密码破解")
print(" - John the Ripper: 通用密码破解")
print(" - hashcat: GPU加速破解")
print(" - zip2john: 提取ZIP哈希")
# ===== 5. 流量分析 =====
print("\n[5] 流量分析")
print(" 使用tshark/wireshark分析pcap文件")
print(" 常见flag位置:")
print(" - HTTP请求/响应中")
print(" - DNS查询中(DNS隧道)")
print(" - TCP流中")
print(" - ICMP数据中")
# tshark示例
print("\n tshark命令:")
print(" tshark -r capture.pcap -Y http -T fields -e http.request.uri")
print(" tshark -r capture.pcap -Y 'tcp contains \"flag\"'")
# 清理
os.system("rm -f /tmp/ctf_test.png /tmp/secret.txt /tmp/ctf_secret.zip /tmp/wordlist.txt")
print("\n" + "=" * 50)
print(" ✅ Flag: flag{stegan0graphy_m4ster}")
print("=" * 50)
PYEOF
python3 /tmp/ctf_stego.py
| 平台 | 难度 | 特色 | 推荐入门 |
|---|---|---|---|
| TryHackMe | ⭐⭐ | 引导式学习路径 | ✅ 首选 |
| HackTheBox | ⭐⭐⭐ | 实战靶场 | 进阶 |
| pwnable.kr | ⭐⭐⭐⭐ | Pwn专题 | Pwn方向 |
| CryptoHack | ⭐⭐⭐ | 密码学专题 | Crypto方向 |
| CTFtime | N/A | 赛事日历+排名 | 找比赛 |
| OverTheWire | ⭐⭐ | Linux安全基础 | ✅ 入门 |
' OR 1=1--和admin'--的区别是什么?