Open the capture in Wireshark.
The domain names being queried look like base64.
Use tshark to extract those domain names into result.txt:
tshark -T fields -e dns.qry.name -Y "dns && ip.dst == 8.8.8.8 && dns.qry.type == 1" -r tunnel.pcap > result.txt
Then use a Python script to pull the base64 part out of each name and restore the missing '=' padding:
import re
with open('./result.txt', 'r') as f:
    content = f.readlines()
for i in content:
    # capture the label in front of .evil.im (dots escaped so they match literally)
    result = re.findall(r'(.*?)\.evil\.im', i)
    if not result:
        continue  # skip lines that are not tunnel queries
    # (-len) % 4 gives the 0, 1 or 2 '=' that are needed, never 4
    result = result[0] + (-len(result[0]) % 4) * '='
    with open('./base64.txt', 'a+') as f1:
        f1.write(result + '\n')
Then try decoding the base64 steganography (the bits hidden in the unused low bits of the last symbol before the '=' padding):
a = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"  # base64 alphabet
aaa = ''  # hidden bits collected from every line
with open('./base64.txt', 'r') as file:
    while True:
        text = file.readline()  # read one line at a time
        if not text:
            break  # empty string means end of file
        text = text.replace("\n", "")
        # one '=': the symbol before it carries 2 spare bits
        if text.count('=') == 1:
            aaa = aaa + \
                str('{:02b}'.format((a.find(text[len(text)-2])) % 4))
        # two '=': the symbol before them carries 4 spare bits
        if text.count('=') == 2:
            aaa = aaa + \
                str('{:04b}'.format((a.find(text[len(text)-3])) % 16))
t = ""
ttt = len(aaa)
ttt = ttt//8*8  # keep only whole bytes
for i in range(0, ttt, 8):
    t = t + chr(int(aaa[i:i+8], 2))
print(t)
The output is:
password: B@%MG"6FjbS8^c#r
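The padding-bit trick decoded by the script above, as an added example that is not part of this writeup: a decoder for the spare bits, a matching embedder so the round trip can be checked, and the padding helper used on the DNS labels. The cover chunks and the secret "ok" are constructed for the demo.

```python
import base64

B64_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

def pad_b64(label):
    """Restore the '=' padding stripped from a base64 string such as a DNS label.
    (-len) % 4 yields 0, 1 or 2 '=' and never 4 when the length is already a multiple of 4."""
    return label + (-len(label) % 4) * '='

def hidden_bits(line):
    """Spare bits of one padded base64 line. A standard decoder discards the low
    2 bits of the symbol before '=' and the low 4 bits before '==', so data can
    be stored there without changing the decoded bytes."""
    line = line.strip()
    pads = line.count('=')
    if pads == 1:
        return '{:02b}'.format(B64_ALPHABET.index(line[-2]) % 4)
    if pads == 2:
        return '{:04b}'.format(B64_ALPHABET.index(line[-3]) % 16)
    return ''  # no padding, no spare bits

def decode_stego(lines):
    """Concatenate the spare bits of all lines and read them as 8-bit characters."""
    bits = ''.join(hidden_bits(l) for l in lines)
    usable = len(bits) // 8 * 8
    return ''.join(chr(int(bits[i:i + 8], 2)) for i in range(0, usable, 8))

def embed_stego(cover_chunks, secret):
    """Hide `secret` in the padding bits of base64-encoded cover chunks:
    chunks of length 3k+1 carry 4 bits, 3k+2 carry 2 bits, 3k carry none."""
    bits = ''.join('{:08b}'.format(b) for b in secret.encode())
    out = []
    for chunk in cover_chunks:
        enc = base64.b64encode(chunk).decode()
        pads = enc.count('=')
        n = {0: 0, 1: 2, 2: 4}[pads]
        if n and bits:
            take, bits = bits[:n].ljust(n, '0'), bits[n:]
            idx = -2 if pads == 1 else -3
            high = B64_ALPHABET.index(enc[idx]) >> n << n  # keep the real data bits
            enc = enc[:idx] + B64_ALPHABET[high | int(take, 2)] + enc[idx + 1:]
        out.append(enc)
    return out

# Constructed sample: four 4-byte cover chunks carry 4 bits each, enough for "ok".
COVER = [b"abcd", b"efgh", b"ijkl", b"mnop"]
STEGO_LINES = embed_stego(COVER, "ok")
```

Because a normal decoder drops those bits, every stego line still decodes to its original cover chunk, which is why the zip in this challenge survives the hidden password intact.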
Base64-decoding these strings gives binary data, so write it to a file:
from base64 import b64decode
with open('./base64.txt', 'r') as f:
    content = f.read()
content = content.splitlines()
# append the decoded bytes of every line to one file (renamed to .zip below)
with open('1', 'ab') as f1:
    for i in content:
        f1.write(b64decode(i))
Opening the file in 010 Editor shows a PK header, so change the extension to .zip.
Extracting it requires a password, which is the one recovered by the base64 steganography decoding above: B@%MG"6FjbS8^c#r
This yields an image,
which contains the flag:
flag{D01n't_5pY_0nmE}