Link: https://pan.baidu.com/s/1e3ZcfioIOmebbUs-xGRnUA?pwd=9jmc
Extraction code: 9jmc
The first few questions are relatively simple and are the most common and frequently tested types.
1.pcap——zip
A compressed archive is hidden in the traffic.
Search for a string or regular expression (ctrl+f); the flag-related content is near the end of the capture.
Follow the TCP stream.
There are three ways to save it:
1. Save the stream directly as ASCII and name it 1.zip.
2. If that archive is damaged, show the data as Raw, save it as 1.txt, open 010 Editor, create a new file, and import the hex file.
Modern tools are forgiving here: after saving the raw data you can simply rename it to .zip, so the import step below is optional.
Then drag 1.txt in.
Save and rename it to a .zip file.
3. Carve it out with foremost or binwalk.
binwalk
Run binwalk directly on 1.pcap; it extracts the embedded archive.
My Windows machine comes with foremost.
Kali ships with it.
The flag is an image.
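What the raw save and the binwalk/foremost carve do under the hood, as an added Python example that is not from the write-up: it walks a classic libpcap file, reassembles the TCP payloads in capture order, carves the archive by its PK signatures (first local file header up to the end-of-central-directory record) and reads the flag out of it. The capture and the archive are constructed inside the block; the real 1.pcap is not used.

```python
import io
import struct
import zipfile

def tcp_payloads(pcap):
    """Yield the TCP payload of each Ethernet/IPv4/TCP frame of a classic libpcap file,
    in capture order (no reordering or retransmission handling, like a raw 'Follow stream')."""
    magic = struct.unpack_from("<I", pcap, 0)[0]
    end = "<" if magic in (0xA1B2C3D4, 0xA1B23C4D) else ">"
    off = 24                                  # skip the 24-byte global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from(end + "IIII", pcap, off)[2]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                          # not IPv4 over Ethernet, or not TCP
        tcp = 14 + (frame[14] & 0x0F) * 4      # IP header length from IHL
        yield frame[tcp + (frame[tcp + 12] >> 4) * 4:]  # skip TCP header (data offset)

def carve_zip(blob):
    """Carve a ZIP out of raw bytes by signature: first local file header up to and including
    the end-of-central-directory record plus its comment (what binwalk/foremost do)."""
    start, eocd = blob.find(b"PK\x03\x04"), blob.rfind(b"PK\x05\x06")
    if start < 0 or eocd < start:
        return None
    comment_len = struct.unpack_from("<H", blob, eocd + 20)[0]
    return blob[start:eocd + 22 + comment_len]

def recover_flag(pcap, member="flag.txt"):
    """Reassemble the stream, carve the archive and read one member."""
    archive = carve_zip(b"".join(tcp_payloads(pcap)))
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return zf.read(member).decode()

def make_zip(name, text):
    buf = io.BytesIO()                        # constructed sample archive with one member
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, text)
    return buf.getvalue()

def build_sample_pcap(zip_bytes, chunk=48):
    """Constructed sample capture: an HTTP response carrying zip_bytes over several TCP segments."""
    frames = []
    for i in range(0, len(zip_bytes), chunk):
        payload = (b"HTTP/1.1 200 OK\r\n\r\n" if i == 0 else b"") + zip_bytes[i:i + chunk]
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
        tcp = struct.pack("!HHIIBBHHH", 80, 40000, 1 + i, 1, 0x50, 0x18, 65535, 0, 0)
        frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload
        frames.append(struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame)
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(frames)
```

`recover_flag(build_sample_pcap(make_zip("flag.txt", "flag{constructed_sample}")))` returns the member text; on a real capture, out-of-order segments would need reordering by sequence number first.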
2.pcap——php file (1)
This question introduces the second method: exporting objects.
ctrl+f does not find the flag.
Export objects.
I found a lot of pictures; let's look at the php files first.
They are easy to filter.
Find the flag.
Method 2
First copy the exported directory over.
Use strings on Linux so that, even with many directories or a lot of files, you can find it quickly:
find . -type f -exec strings {} + | grep -i flag
3.pcap——php file (2)
ctrl+f does not find the flag.
Export objects.
I found a base64 string. I'm curious what it is; let's take a look.
Got it.
It's base64-encoded, no wonder it couldn't be found.
john-in-the-middle - picture_steganography
This question introduces a new idea: image steganography.
We still start the usual way, ctrl+f first, but nothing is found.
Export objects and look for php files; there are none. Here you can try strings on Linux to find the flag.
You can also analyze the traffic itself. TCP, HTTP and FTP are all used to transfer things; usually, when a question asks what the attacker did, you have to observe the streams carefully. That is not the case here: it is a perfectly ordinary transfer with no attack content, so there is nothing to analyze.
Let's go straight to the point. The flag is this picture, because flag also means chess piece.
Common PNG tricks: height steganography, a hidden zip, LSB steganography, exiftool, steghide, etc.
I tried them all and found that it is LSB steganography.
This time I don’t export the flag, just copy it down.
TTL.pcapng——ttl steganography
The most common ICMP ping steganography hides data in the TTL field: each TTL value is converted to an ASCII character.
View it with tshark, which ships with Wireshark and is the command-line version of Wireshark.
Open a command prompt in the Wireshark directory and run:
tshark.exe -r "D:\Desktop\Outline\Traffic Analysis\TTL.pcap" -T fields -e ip.ttl
Process the output with whatever you like.
Remove the 0s.
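Turning the TTL column into text, as an added Python example that is not from the write-up: it reads the output of `tshark -T fields -e ip.ttl`, skips blank lines and the 0s mentioned above, and reports any value outside printable ASCII instead of silently corrupting the message. The sample output is constructed, not taken from TTL.pcapng.

```python
def decode_ttl_stream(tshark_output, drop=(0,)):
    """Decode `tshark -T fields -e ip.ttl` output (one TTL per line) as one ASCII byte per packet.
    Returns (text, rejected): blank lines (non-IP frames) and TTLs in `drop` are skipped, and
    values outside printable ASCII are collected in `rejected` rather than mangling the text."""
    chars, rejected = [], []
    for line in tshark_output.splitlines():
        line = line.strip()
        if not line:
            continue
        ttl = int(line)
        if ttl in drop:
            continue
        if 32 <= ttl < 127:
            chars.append(chr(ttl))
        else:
            rejected.append(ttl)       # e.g. an ordinary 64/128 TTL from unrelated traffic
    return "".join(chars), rejected

# Constructed sample of tshark output: the TTLs spell a flag, with a blank line,
# a 0 and one ordinary TTL (128) mixed in.
SAMPLE_TTL_OUTPUT = "\n".join(
    ["102", "108", "97", "103", "", "123", "0", "116", "116", "108", "128", "125"])
```

A non-empty `rejected` list is the hint to filter the capture further (for example to only the echo requests) before trusting the decoded text.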
SQL blind injection.pacp
Use ctrl+f to search for flag. You can see the whole capture consists of SQL injection requests (I sorted by Info).
Then we need to inspect the request headers to find the flag. It is convenient to export the image.
Read backwards from the end.
Let's look for them one by one.
Traceability analysis - Ice Scorpion / Behinder (difficulty starts to increase)
ctrl+f finds echo.
After following the stream, I found something that looks like base64, which was garbled when decoded.
Export objects and filter them.
After a brief look you see the word upload, indicating this is a file-upload capture.
It is probably Ice Scorpion or Godzilla, because the base64 cannot be decoded: the payload is AES-encrypted, which needs a key and an IV. Browsing the PHP files, most are 404 errors and only the config*.php files stand out as suspicious; they carry the same base64 we just tried to decode. We assume it is Ice Scorpion. We looked for the key and IV but could not find them, so we guessed the defaults: when Ice Scorpion is installed it writes a default shell script.
The default key in shell.php is: e45e329feb5d925b
The default IV can be replaced with 0123456789abcdef. I don't know why; the teacher said so.
Let's decrypt
inferred
Base64 decode.
Get the path where the flag is.
You can also use the offline decryption tool; pay attention to which field is the plaintext and which the ciphertext.
Longjian Cup——ez_web_01-03
https://5ime.cn/longjiancup-2023.html
SmallSword
The correct password to connect to Ant Sword is ______________? (Example answer: 123asd)
The value retained by the attacker is ______________? (Example answer: d1c3f0d3-68bb-4d85-a337-fb97cf99ee2e)
What is the flag downloaded by the attacker? (Example answer: flag3{uuid})
Browse the whole capture; let's export the files directly!
To find the php files, use ctrl+shift+f to search for keywords such as system, eval, etc. Nothing was found.
We found this kind of request (skip the 404s, look for the one that gets a response):
6ea280898e404bfabd0ebb702327b19f=%40ini_set(%22display_errors%22%2C%20%220%22)%3B%40set_time_limit(0)%3Becho%20%22-%3E%7C%22%3B%24D%3Ddirname(%24_SERVER%5B% 22SCRIPT_FILENAME%22%5D)%3Bif(%24D%3D%3D%22%22)%24D%3Ddirname(%24_SERVER%5B%22PATH_TRANSLATED%22%5D)%3B%24R%3D%22%7B%24D%7D %09%22%3Bif(substr(%24D%2C0%2C1)!%3D%22%2F%22)%7Bforeach(range(%22A%22%2C%22Z%22)as%20%24L(if) is_dir(%22%7B%24L%7D%3A%22))%24R.%3D%22%7B%24L%7D%3A%22%3B%7Delse%7B%24R.%3D%22%2F%22 %3B%7D%24R.%3D%22%09%22%3B%24u%3D(function_exists(%22posix_getegid%22))%3F%40posix_getpwuid(%40posix_geteuid())%3A%22%22%3B%24s %3D(%24u)%3F%24u%5B%22name%22%5D%3A%40get_current_user()%3B%24R.%3Dphp_uname()%3B%24R.%3D%22%09%7B%24s%7D %22%3Becho%20%24R%3B%3Becho%20%22%7C%3C-%22%3Bdie()%3B
It can be seen that 6ea280898e404bfabd0ebb702327b19f may be the answer to the first question: it is the parameter that is passed. Of course, it may also be hex-encoded; I tried to decode it but could not make sense of it.
The answer to the first question is:
The correct password to connect to Ant Sword is 6ea280898e404bfabd0ebb702327b19f
Now that the Trojan (webshell) file is found, keep searching.
Found this file; its size is abnormal, very large. From the previous packets it may be an exe file.
We edit it and delete the extra characters (the ->| before MZ, and the marker after, though there seems to be none after), then save and run.
That did not work; try editing it with 010 Editor and deleting there.
If it still doesn't work, try binwalk or foremost... that doesn't seem to work either~~
Just re-export the object and delete the bytes again.
Lao Liu: save it to the parent directory, put it in the folder, and it will show up on the desktop.
This picture has its width/height tampered with and can be roughly recovered.
Just change it to 0f01.
You can also see that this is the header of a PNG image.
I’m too lazy to try it after extracting it.
flag3{8fOdffac-5801-44a9-bd49-e66192ce4f57}
It's 0ahoah or something like that; try it yourself.
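The two manual steps above, reading the URL-encoded PHP to get the parameter name and cutting the ->| / |<- echo markers off a downloaded file, as an added Python example that is not from the write-up. The request body is a constructed, shortened version modelled on the captured one; the response bytes are constructed too.

```python
import re
from urllib.parse import parse_qsl

# PHP calls whose presence in a POST parameter usually marks webshell traffic worth triaging.
SUSPICIOUS_CALLS = ("eval", "assert", "system", "passthru", "shell_exec", "ini_set", "set_time_limit")

def decode_webshell_request(body):
    """Decode a form-encoded POST body into readable PHP per parameter and flag suspicious calls.
    For AntSword-style shells the parameter name is the connection password (the first answer)."""
    findings = []
    for name, value in parse_qsl(body, keep_blank_values=True):
        calls = [f for f in SUSPICIOUS_CALLS if re.search(r"\b%s\s*\(" % f, value)]
        findings.append({"param": name, "php": value, "calls": calls})
    return findings

def strip_markers(response, start=b"->|", end=b"|<-"):
    """Return the bytes between the shell's echo markers, i.e. the real output or downloaded file.
    If the closing marker is missing (as the write-up observed), keep everything after the opener."""
    s = response.find(start)
    if s < 0:
        return None
    s += len(start)
    e = response.find(end, s)
    return response[s:] if e < 0 else response[s:e]

# Constructed, shortened request body modelled on the captured one above (not the original bytes).
SAMPLE_BODY = ("6ea280898e404bfabd0ebb702327b19f=%40ini_set(%22display_errors%22%2C%20%220%22)%3B"
               "%40set_time_limit(0)%3Becho%20%22-%3E%7C%22%3B%24R%3Dphp_uname()%3Becho%20%24R%3B"
               "echo%20%22%7C%3C-%22%3Bdie()%3B")
# Constructed response: the markers wrapping a fake MZ header, standing in for the large exe download.
SAMPLE_RESPONSE = b"->|MZ\x90\x00constructed-exe-bytes|<-"
```

On the exported object, `strip_markers` replaces the 010 Editor step, and the returned bytes can be written straight to a file.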
What is the flag downloaded by the attacker? (Example answer: flag3{uuid})
Keep reading.
Two different base64 strings were found here, which happen to decode to the answer.
The value retained by the attacker is ___ad6269b7-3ce2-4ae8-b97f-f259515e7a91___? (Example answer: d1c3f0d3-68bb-4d85-a337-fb97cf99ee2e)
this_web
What is the name of the backdoor file that comes with the server? (including file suffix)
What is the internal IP of the server?
What is the key that the attacker writes to the server?
Without further ado, straight to the point.
Filter for php files.
Quickly find similar Trojan files.
The second one contains ifconfig.
Look at the response packet directly, then try the IPs in it one by one.
What is the internal IP of the server? ————192.168.101.132
Packet 15 seems to be a password:
7e03864b0db7e6f9
The 19th one is the compressed archive.
Save it; decompression needs the password, and finally we get the flag.
What is the key that the attacker writes to the server? ————7d9ddff2-2d67-4eba-9e48-b91c26c42337
You can use Save As in Wireshark to prevent the archive from being corrupted.
How to locate it quickly? We took part of the 19th php payload and searched for it.
What is the name of the backdoor file that comes with the server? (including file suffix)
How do I find this? I tried d00r.php, but it didn’t work.
This file was written during the attempt, so there must be a write to a file. Let's search for d00r.php directly.
The answer is the file name ViewMore.php