NSSCTF
[LitCTF 2023]easy_shark
下载附件,发现是加密的zip
盲猜伪加密,把9改成0
解压得到流量包
在 TCP 追踪流里可以看到整个利用一句话木马注入的过程,但是没有看到 flag 有关的信息
先过滤下http流,在这个流中找到线索
解方程,得到x=17或77
下面一串疑似flag
猜测仿射密码,a和b的值分别为17和77
丢到cyberchef解码
题目提示还要找到连接的key
直接追踪tcp流,看请求包
在第二个流找到密码
拼一下得到flag
NSSCTF{w13e5hake_1s_a_900d_t3a771c_t001_a}
2023黑盾杯
打开题目发现是dns流量包
一下就发现敏感字符,zip的文件头
过滤一下
命令
dns and ip.dst==192.168.50.1
先留下来要导出的
接着导出为纯文本
直接导出
然后再去掉没用的,得到十六进制文本
010导入
修改后缀得到zip文件
暴力破解得到密码
得到flag
攻防世界
Ditf
打开题目附件,发现是一张图片
丢到kali去binwalk一下
发现里面藏了rar文件,直接分离
但是打开也没有提示密码
估计要改高度,改成1300
得到密码
解压完得到流量包
过滤http,再搜一下png
追踪http流,发现一串字符串
base64一下,得到flag
m0_01
解压完得到流量包,打开发现是USB的流量
找到Capture,应用为列
发现是USB键盘流量,那么我们要提取抓获的数据
把流量包放到和tshark同一个文件夹下
输入下面命令
tshark -r 12.pcapng -T fields -e usb.capdata > usbdata.txt
得到数据
或者在Ubuntu系统输入下面命令得到没有换行的
tshark -r usb.pcapng -T fields -e usb.capdata | sed '/^\s*$/d' > usbdata.txt
手动去掉换行
提取出来的数据可能会带冒号,也可能不带(有可能和wireshark的版本相关),但是一般的脚本都会按照有冒号的数据来识别,这里参考一个添加冒号的脚本
把usbdata.txt放到脚本同一个文件夹下,运行脚本
f=open('usbdata.txt','r')
fi=open('out.txt','w')
while 1:
a=f.readline().strip()
if a:
if len(a)==16: # 鼠标流量的话len改为8
out=''
for i in range(0,len(a),2):
if i+2 != len(a):
out+=a[i]+a[i+1]+":"
else:
out+=a[i]+a[i+1]
fi.write(out)
fi.write('\n')
else:
break
fi.close()
得到带冒号的
再将鼠标流量转换数据
脚本
normalKeys = {
"04":"a", "05":"b", "06":"c", "07":"d", "08":"e",
"09":"f", "0a":"g", "0b":"h", "0c":"i", "0d":"j",
"0e":"k", "0f":"l", "10":"m", "11":"n", "12":"o",
"13":"p", "14":"q", "15":"r", "16":"s", "17":"t",
"18":"u", "19":"v", "1a":"w", "1b":"x", "1c":"y",
"1d":"z","1e":"1", "1f":"2", "20":"3", "21":"4",
"22":"5", "23":"6","24":"7","25":"8","26":"9",
"27":"0","28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"\t",
"2c":"<SPACE>","2d":"-","2e":"=","2f":"[","30":"]","31":"\\",
"32":"<NON>","33":";","34":"'","35":"<GA>","36":",","37":".",
"38":"/","39":"<CAP>","3a":"<F1>","3b":"<F2>", "3c":"<F3>","3d":"<F4>",
"3e":"<F5>","3f":"<F6>","40":"<F7>","41":"<F8>","42":"<F9>","43":"<F10>",
"44":"<F11>","45":"<F12>"}
shiftKeys = {
"04":"A", "05":"B", "06":"C", "07":"D", "08":"E",
"09":"F", "0a":"G", "0b":"H", "0c":"I", "0d":"J",
"0e":"K", "0f":"L", "10":"M", "11":"N", "12":"O",
"13":"P", "14":"Q", "15":"R", "16":"S", "17":"T",
"18":"U", "19":"V", "1a":"W", "1b":"X", "1c":"Y",
"1d":"Z","1e":"!", "1f":"@", "20":"#", "21":"$",
"22":"%", "23":"^","24":"&","25":"*","26":"(","27":")",
"28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"\t","2c":"<SPACE>",
"2d":"_","2e":"+","2f":"{","30":"}","31":"|","32":"<NON>","33":"\"",
"34":":","35":"<GA>","36":"<","37":">","38":"?","39":"<CAP>","3a":"<F1>",
"3b":"<F2>", "3c":"<F3>","3d":"<F4>","3e":"<F5>","3f":"<F6>","40":"<F7>",
"41":"<F8>","42":"<F9>","43":"<F10>","44":"<F11>","45":"<F12>"}
output = []
keys = open('out.txt')
for line in keys:
try:
if line[0]!='0' or (line[1]!='0' and line[1]!='2') or line[3]!='0' or line[4]!='0' or line[9]!='0' or line[10]!='0' or line[12]!='0' or line[13]!='0' or line[15]!='0' or line[16]!='0' or line[18]!='0' or line[19]!='0' or line[21]!='0' or line[22]!='0' or line[6:8]=="00":
continue
if line[6:8] in normalKeys.keys():
output += [[normalKeys[line[6:8]]],[shiftKeys[line[6:8]]]][line[1]=='2']
else:
output += ['[unknown]']
except:
pass
keys.close()
flag=0
print("".join(output))
for i in range(len(output)):
try:
a=output.index('<DEL>')
del output[a]
del output[a-1]
except:
pass
for i in range(len(output)):
try:
if output[i]=="<CAP>":
flag+=1
output.pop(i)
if flag==2:
flag=0
if flag!=0:
output[i]=output[i].upper()
except:
pass
print ('output: ' + "".join(output))
运行脚本,得到一串字符串
发现只有 01248 几个数字,猜测是云影密码
解密脚本
#!/usr/bin/python
# -*- coding=utf8 -*-
def de_code(c):
dic = [chr(i) for i in range(ord("A"), ord("Z") + 1)]
flag = []
c2 = [i for i in c.split("0")]
for i in c2:
c3 = 0
for j in i:
c3 += int(j)
flag.append(dic[c3 - 1])
return flag
def encode(plaintext):
dic = [chr(i) for i in range(ord("A"), ord("Z") + 1)]
m = [i for i in plaintext]
tmp = [];flag = []
for i in range(len(m)):
for j in range(len(dic)):
if m[i] == dic[j]:
tmp.append(j + 1)
for i in tmp:
res = ""
if i >= 8:
res += int(i/8)*"8"
if i%8 >=4:
res += int(i%8/4)*"4"
if i%4 >=2:
res += int(i%4/2)*"2"
if i%2 >= 1:
res += int(i%2/1)*"1"
flag.append(res + "0")
print ("".join(flag)[:-1])
if __name__ == '__main__':
c = input("输入要解密的数字串:")
print (de_code(c))
m_code = input("请输入要加密的数字串:")
encode (m_code)
得到flag
流量分析1
解压完附件,得到流量包
先过滤下http,随便点一个追踪一下http流
丢到syberchef里,url解码两次
发现是的SSRF+SQL时间盲注
结合时间盲注知识,我们只需要找那些满足执行时间大于等于3秒的包
过滤语句
http.time >= 3
或
frame.time_delta>3&&http
得到14个包
对每个包进行追踪http流,url二次解码,再对应ASCII码表找出对应字符
如下图第一个ASCII为102的对应的字符是是f
以此类推,拼接起来
得到flag
flag{1qwy2781}