CTF traffic analysis learning

Link: https://pan.baidu.com/s/1e3ZcfioIOmebbUs-xGRnUA?pwd=9jmc 
Extraction code: 9jmc

The first few challenges are relatively simple and cover the most common, most frequently tested types.

1.pcap——zip

This capture contains a compressed archive.

Search the strings (or use a regular expression): the flag-related content is at the end of the capture.

Follow the TCP stream.

There are three ways to save it.

1. Save it directly as ASCII and name it 1.zip.

2. If the file comes out corrupted, select the raw data, save it as 1.txt, open 010 Editor, create a new file and import the hex.

Editors are smart enough today: after saving you can simply rename the file to .zip, so the import below is not strictly necessary.

Then drag 1.txt in.

Save it and rename it to a .zip file.

3. Carve it out with foremost or binwalk.

binwalk

Run it directly on 1.pcap; the archive it contains is extracted.

My Windows machine has foremost installed.

Kali ships with it.

The flag is a picture.


2.pcap——php file (1)

This challenge covers the second method: exporting objects.

Ctrl+F does not find the flag.

Export objects.

Plenty of pictures turn up; let's look at the PHP files first.

They are easy to filter.

The flag is found.

Method 2

First, put the exported directory somewhere convenient.

Use Linux strings, so that even with many directories or too many files you can search quickly (the original `strings $(find . | xargs)` also fed directory names and broke on spaces in filenames; the find -exec form below avoids both):

find . -type f -exec strings {} + | grep -i flag


3.pcap——php file (2)

Ctrl+F does not find the flag.

Export objects.

I found a base64 string. Curious what it is, let's take a look.

We get:

It is base64 encoded, no wonder Ctrl+F could not find it.


john-in-the-middle——picture steganography

This challenge introduces a new idea: image steganography.

Search as usual, Ctrl+F first, but nothing is found.

Export objects and look at the PHP files; there are none. Here you can try Linux strings to look for the flag.

You can also analyze the traffic itself. TCP, HTTP and FTP traffic are all used to transfer things. When the question asks what the attacker did, you need to look carefully through the streams. Not here: this is an ordinary transfer with no attack content, so there is nothing to analyze.

Straight to the point: the flag is this picture, since a flag is also a chess piece.

Common PNG tricks: height/width steganography, an appended zip, LSB steganography, exiftool, steghide, etc.

I tried them all and found that it is LSB steganography.

This time I did not export the flag, I just copied it down.

TTL.pcapng——ttl steganography

The most common steganography in ICMP pings is converting the TTL values to ASCII.

View it with tshark, which ships with Wireshark and is its command-line equivalent.

Open a command prompt in its directory and run:

tshark.exe -r "D:\Desktop\Outline\Traffic Analysis\TTL.pcap" -T fields -e ip.ttl

Process the output with whatever you like; it is straightforward.

Remove the 0s.
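Added example, not part of the write-up: a Go program for the "process it" step above, parsing the one-TTL-per-line output of the tshark command and mapping each non-zero value to its ASCII byte. The TTL list is constructed sample data (it spells a placeholder flag), and the block assumes one byte per packet with 0 as padding, as "remove 0" implies.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// ttlOutput is constructed sample output of
//   tshark -r TTL.pcap -T fields -e ip.ttl
// one TTL per packet; the zeros are padding and are dropped, as the write-up does.
const ttlOutput = "102\n108\n97\n103\n0\n123\n116\n116\n108\n0\n125\n"

// decodeTTL turns each non-zero TTL value into the ASCII byte it encodes.
// A value outside printable ASCII is reported rather than silently mapped,
// since that usually means the channel uses a different encoding.
func decodeTTL(out string) (string, error) {
	var sb strings.Builder
	for _, line := range strings.Split(out, "\n") {
		line = strings.TrimSpace(line)
		if line == "" {
			continue // blank field (e.g. a non-IP frame)
		}
		v, err := strconv.Atoi(line)
		if err != nil {
			return "", fmt.Errorf("bad ttl %q: %w", line, err)
		}
		if v == 0 {
			continue // padding, not part of the message
		}
		if v < 0x20 || v > 0x7e {
			return "", fmt.Errorf("ttl %d is not printable ASCII", v)
		}
		sb.WriteByte(byte(v))
	}
	return sb.String(), nil
}

func main() {
	msg, err := decodeTTL(ttlOutput)
	fmt.Println(msg, err)
}
```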


SQL blind injection.pacp

Use Ctrl+F to search for flag directly. You can see this is a whole series of SQL-injection packets (I sorted by Info).

Then look at the request headers to find the flag; exporting them makes this convenient to view.

Read from the back.

Look through them one by one.


Traceability analysis——Ice Scorpion (Behinder) (difficulty begins to increase)

Ctrl+F finds "echo".

Following the stream I found something that looks like base64, but it comes out garbled when decoded.

Export objects and filter them.

Browsing briefly, you can see the word upload, which indicates this is a file-upload capture.

It is probably Ice Scorpion or Godzilla, since the base64 will not decode: the body is AES-encrypted, which needs a key and an IV. Browsing the PHP files briefly, most are 404 errors; only the config*.php requests succeed, which is suspicious, and they carry the same base64 we just tried to decode. We assume it is Ice Scorpion. We looked for the key and IV but could not find them, so we guessed they were the defaults: when Ice Scorpion is installed, it writes a default shell script.

The default password in shell.php is: e45e329feb5d925b

The default IV can be replaced with: 0123456789abcdef. I don't know why; the teacher said so.

Let's decrypt

inferred

base64 decode

We get the path of the flag.

You can also use an offline decryption tool; mind which field is the plaintext and which is the ciphertext.
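Added example (not the author's or the Ice Scorpion project's code): a Go decryptor for the step above, using the default key and IV quoted in the text with AES-128-CBC and PKCS#7 padding, which is what the shell's openssl "AES128" mode amounts to. Because the capture's ciphertext is not reproduced on the page, the block encrypts a constructed sample body to show the round trip; the JSON inside it is made up.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"errors"
	"fmt"
)

// Defaults named in the write-up; the key is the first 16 hex chars of md5("rebeyond").
var behinderKey, behinderIV = []byte("e45e329feb5d925b"), []byte("0123456789abcdef")

// decryptBehinder base64-decodes a captured body, decrypts it with AES-128-CBC
// and strips PKCS#7 padding; a padding error usually means a non-default password.
func decryptBehinder(b64 string, key, iv []byte) ([]byte, error) {
	ct, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil || len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("bad key length, or ciphertext is not whole AES blocks")
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	pad := int(pt[len(pt)-1])
	if pad < 1 || pad > aes.BlockSize || !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, errors.New("bad PKCS#7 padding: wrong key or IV")
	}
	return pt[:len(pt)-pad], nil
}

// encryptBehinder is the inverse; it is only here to build a constructed sample
// body, since the page does not reproduce the capture's ciphertext.
func encryptBehinder(pt, key, iv []byte) string {
	block, _ := aes.NewCipher(key)
	pad := aes.BlockSize - len(pt)%aes.BlockSize
	padded := append(append([]byte{}, pt...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return base64.StdEncoding.EncodeToString(ct)
}

func main() {
	body := encryptBehinder([]byte(`{"status":"c3VjY2Vzcw==","msg":"L3Zhci93d3cvZmxhZw=="}`), behinderKey, behinderIV)
	pt, err := decryptBehinder(body, behinderKey, behinderIV)
	fmt.Println(string(pt), err)
}
```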


Longjian Cup——ez_web_01-03

https://5ime.cn/longjiancup-2023.html

SmallSword

The correct password to connect to Ant Sword is ______________? (Example answer: 123asd)


The value retained by the attacker is ______________? (Example answer: d1c3f0d3-68bb-4d85-a337-fb97cf99ee2e)


What is the flag downloaded by the attacker? (Example answer: flag3{uuid})

Browse the whole capture, then export the files directly!!

To find the PHP files, use Ctrl+Shift+F to search for keywords such as system, eval, etc. Nothing found.

We found this kind of packet (skip the 404s; look for the ones that got a response).

6ea280898e404bfabd0ebb702327b19f=%40ini_set(%22display_errors%22%2C%20%220%22)%3B%40set_time_limit(0)%3Becho%20%22-%3E%7C%22%3B%24D%3Ddirname(%24_SERVER%5B%22SCRIPT_FILENAME%22%5D)%3Bif(%24D%3D%3D%22%22)%24D%3Ddirname(%24_SERVER%5B%22PATH_TRANSLATED%22%5D)%3B%24R%3D%22%7B%24D%7D%09%22%3Bif(substr(%24D%2C0%2C1)!%3D%22%2F%22)%7Bforeach(range(%22A%22%2C%22Z%22)as%20%24L)if(is_dir(%22%7B%24L%7D%3A%22))%24R.%3D%22%7B%24L%7D%3A%22%3B%7Delse%7B%24R.%3D%22%2F%22%3B%7D%24R.%3D%22%09%22%3B%24u%3D(function_exists(%22posix_getegid%22))%3F%40posix_getpwuid(%40posix_geteuid())%3A%22%22%3B%24s%3D(%24u)%3F%24u%5B%22name%22%5D%3A%40get_current_user()%3B%24R.%3Dphp_uname()%3B%24R.%3D%22%09%7B%24s%7D%22%3Becho%20%24R%3B%3Becho%20%22%7C%3C-%22%3Bdie()%3B

So 6ea280898e404bfabd0ebb702327b19f is probably the answer to the first question: it is the parameter being passed. It might also be hex-encoded; I tried decoding it but could not make anything of it.

The answer to the first question is:

The correct password to connect to Ant Sword is 6ea280898e404bfabd0ebb702327b19f

Now that the Trojan (webshell) file is found, keep searching.

Found this file; its size is abnormal, very large. From the earlier packet info it may be an exe file.

We edit it and delete the extra characters (remove the ->| before MZ and the |<- after it; there seems to be nothing after), then save and run.

No luck; try editing it with 010 Editor and deleting again.

If it still doesn't work, try binwalk or foremost; that doesn't seem to work either~~

Just re-export the object and delete the characters once more.

Save it to the parent directory and put it in a folder; it then shows up on the desktop.

This picture has its width and height tampered with, and can be roughly recovered by fixing them.

Just change it to 0f01.

You can also see that this is the header of a PNG picture.

I was too lazy to try it after extracting it.

flag3{8fOdffac-5801-44a9-bd49-e66192ce4f57}

Something like 0ahoah; try it yourself.
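Added example, not the write-up's or AntSword's own code: a Go helper that reads the form body shown above the way the text does, taking the form key as the connection password and URL-decoding the PHP, and that strips the ->| ... |<- framing that has to be deleted by hand before the carved MZ file will run. The body is a constructed, shortened copy of the captured one; the assumption is that the password is whichever form field carries the ->| marker.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// antswordBody is a constructed, shortened version of the captured POST body:
// the form key is the connection password, the value is url-encoded PHP.
const antswordBody = `6ea280898e404bfabd0ebb702327b19f=%40ini_set(%22display_errors%22%2C%20%220%22)%3B` +
	`%40set_time_limit(0)%3Becho%20%22-%3E%7C%22%3Becho%20php_uname()%3Becho%20%22%7C%3C-%22%3Bdie()%3B`

// parseAntSword splits an x-www-form-urlencoded body into the password
// (form key) and the decoded PHP it carries.
func parseAntSword(body string) (password, php string, err error) {
	form, err := url.ParseQuery(body)
	if err != nil {
		return "", "", err
	}
	for k, v := range form {
		if len(v) == 1 && strings.Contains(v[0], "->|") {
			return k, v[0], nil
		}
	}
	return "", "", errors.New("no AntSword-style payload in body")
}

// stripFrame removes the "->|" ... "|<-" markers wrapped around the output,
// the manual "delete the extra characters" step before the MZ file will open.
func stripFrame(resp []byte) ([]byte, error) {
	start := bytes.Index(resp, []byte("->|"))
	end := bytes.LastIndex(resp, []byte("|<-"))
	if start < 0 {
		return nil, errors.New("no ->| marker")
	}
	start += 3
	if end < start {
		end = len(resp) // trailing marker absent, as the write-up observed
	}
	return resp[start:end], nil
}

func main() {
	pw, php, err := parseAntSword(antswordBody)
	fmt.Println(pw, php, err)
}
```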

What is the flag downloaded by the attacker? (Example answer: flag3{uuid})

Continue reading.

Two different base64 strings were found in it, and decoding them happened to give the answer.

The value retained by the attacker is___ad6269b7-3ce2-4ae8-b97f-f259515e7a91___? (Example answer: d1c3f0d3-68bb-4d85-a337-fb97cf99ee2e)

this_web

What is the name of the backdoor file that comes with the server? (including file suffix)


What is the internal IP of the server?


What is the key that the attacker writes to the server?

Without further ado, straight to it.

Filter out the PHP files.

Quickly find the similar Trojan (webshell) files.

The second one contains ifconfig.

Look at the response packet directly, then try the IPs in it one by one.

What is the internal IP of the server? ————192.168.101.132

Packet 15 looks like it carries a password:

7e03864b0db7e6f9

Packet 19 is the compressed archive.

Save it; decompression turns out to need a password, and finally we get the flag.

What is the key that the attacker writes to the server? ————7d9ddff2-2d67-4eba-9e48-b91c26c42337

You can also use Save As in Wireshark to avoid corrupting the archive.

How to locate it quickly? Take part of the 19th PHP response and search for it.

What is the name of the backdoor file that comes with the server? (including file suffix)

How do I find this? I tried d00r.php, but it didn't work.

That file was written during the attack, so there must be a file write; search directly for d00r.php.

The answer is the file name ViewMore.php


Origin blog.csdn.net/m0_71274136/article/details/133999013