Misc: Traffic Analysis 2
Traffic Analysis 2
1 Challenge description
Traffic analysis: do you know what the complete content is? (Focus on the packet capture itself; it has nothing to do with the content of the corresponding website.)
Challenge attachment: download attachment
2 exp
$ tshark -T text -Y "ip.src == 39.105.136.196 and http" -x -nr test.pcapng | grep -A 1 "Type:"
0140 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 -Type: text/plai
0150 6e 0d 0a 0d 0a 66 6c n....fl
--
0140 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 -Type: text/plai
0150 6e 0d 0a 0d 0a 7b n....{
--
0140 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 -Type: text/plai
0150 6e 0d 0a 0d 0a 31 n....1
--
0140 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 -Type: text/plai
0150 6e 0d 0a 0d 0a 37 n....7
--
0140 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 -Type: text/plai
0150 6e 0d 0a 0d 0a 75 n....u
--
0140 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 -Type: text/plai
0150 6e 0d 0a 0d 0a 61 n....a
--
0140 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 -Type: text/plai
0150 6e 0d 0a 0d 0a 6a n....j
--
0140 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c nt-Type: text/pl
0150 61 69 6e 0d 0a 0d 0a 69 ain....i
--
0140 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c nt-Type: text/pl
0150 61 69 6e 0d 0a 0d 0a 31 ain....1
--
0140 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c nt-Type: text/pl
0150 61 69 6e 0d 0a 0d 0a 6c ain....l
--
0140 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c nt-Type: text/pl
0150 61 69 6e 0d 0a 0d 0a 7d ain....}
--
0140 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c nt-Type: text/pl
0150 61 69 6e 0d 0a 0d 0a 0a ain.....
3 flag
Insert the missing "ag" into the recovered characters: flag{17uaji1l}
Wire1
1 Challenge description:
Analyze this traffic.
Challenge attachment: download attachment
2 exp
hamilton@hamilton-Lenovo-G470:~$ tshark -T text -Y "http and ip.src == 192.168.246.23" -nr Downloads/timu.pcapng
6 1.189723003 192.168.246.23 → 192.168.246.1 HTTP 287 GET /ctf/Less-5/?id=1'%20and%20ascii(substr((select%20flag%20from%20t),1,1))=33--+ HTTP/1.1
18 1.196738281 192.168.246.23 → 192.168.246.1 HTTP 287 GET /ctf/Less-5/?id=1'%20and%20ascii(substr((select%20flag%20from%20t),1,1))=34--+ HTTP/1.1
30 1.201540617 192.168.246.23 → 192.168.246.1 HTTP 287 GET /ctf/Less-5/?id=1'%20and%20ascii(substr((select%20flag%20from%20t),1,1))=35--+ HTTP/1.1
42 1.206332464 192.168.246.23 → 192.168.246.1 HTTP 287 GET /ctf/Less-5/?id=1'%20and%20ascii(substr((select%20flag%20from%20t),1,1))=36--+ HTTP/1.1
54 1.211268502 192.168.246.23 → 192.168.246.1 HTTP 287 GET /ctf/Less-5/?id=1'%20and%20ascii(substr((select%20flag%20from%20t),1,1))=37--+ HTTP/1.1
66 1.215975504 192.168.246.23 → 192.168.246.1 HTTP 287 GET /ctf/Less-5/?id=1'%20and%20ascii(substr((select%20flag%20from%20t),1,1))=38--+ HTTP/1.1
78 1.220707529 192.168.246.23 → 192.168.246.1 HTTP 287 GET /ctf/Less-5/?id=1'%20and%20ascii(substr((select%20flag%20from%20t),1,1))=39--+ HTTP/1.1
... omitted ...
762 1.486061036 192.168.246.23 → 192.168.246.1 HTTP 287 GET /ctf/Less-5/?id=1'%20and%20ascii(substr((select%20flag%20from%20t),1,1))=96--+ HTTP/1.1
774 1.490645441 192.168.246.23 → 192.168.246.1 HTTP 287 GET /ctf/Less-5/?id=1'%20and%20ascii(substr((select%20flag%20from%20t),1,1))=97--+ HTTP/1.1
786 1.495176321 192.168.246.23 → 192.168.246.1 HTTP 287 GET /ctf/Less-5/?id=1'%20and%20ascii(substr((select%20flag%20from%20t),1,1))=98--+ HTTP/1.1
798 1.499403286 192.168.246.23 → 192.168.246.1 HTTP 287 GET /ctf/Less-5/?id=1'%20and%20ascii(substr((select%20flag%20from%20t),1,1))=99--+ HTTP/1.1
810 1.503953208 192.168.246.23 → 192.168.246.1 HTTP 288 GET /ctf/Less-5/?id=1'%20and%20ascii(substr((select%20flag%20from%20t),1,1))=100--+ HTTP/1.1
822 1.508871046 192.168.246.23 → 192.168.246.1 HTTP 288 GET /ctf/Less-5/?id=1'%20and%20ascii(substr((select%20flag%20from%20t),1,1))=101--+ HTTP/1.1
834 1.513736216 192.168.246.23 → 192.168.246.1 HTTP 288 GET /ctf/Less-5/?id=1'%20and%20ascii(substr((select%20flag%20from%20t),1,1))=102--+ HTTP/1.1
846 1.518484067 192.168.246.23 → 192.168.246.1 HTTP 287 GET /ctf/Less-5/?id=1'%20and%20ascii(substr((select%20flag%20from%20t),2,1))=33--+ HTTP/1.1
858 1.522676255 192.168.246.23 → 192.168.246.1 HTTP 287 GET /ctf/Less-5/?id=1'%20and%20ascii(substr((select%20flag%20from%20t),2,1))=34--+ HTTP/1.1
870 1.527136158 192.168.246.23 → 192.168.246.1 HTTP 287 GET /ctf/Less-5/?id=1'%20and%20ascii(substr((select%20flag%20from%20t),2,1))=35--+ HTTP/1.1
... omitted ...
1676 1.846652789 192.168.246.23 → 192.168.246.1 HTTP 288 GET /ctf/Less-5/?id=1'%20and%20ascii(substr((select%20flag%20from%20t),2,1))=102--+ HTTP/1.1
1688 1.850861982 192.168.246.23 → 192.168.246.1 HTTP 288 GET /ctf/Less-5/?id=1'%20and%20ascii(substr((select%20flag%20from%20t),2,1))=103--+ HTTP/1.1
1700 1.855211681 192.168.246.23 → 192.168.246.1 HTTP 288 GET /ctf/Less-5/?id=1'%20and%20ascii(substr((select%20flag%20from%20t),2,1))=104--+ HTTP/1.1
1712 1.859769906 192.168.246.23 → 192.168.246.1 HTTP 288 GET /ctf/Less-5/?id=1'%20and%20ascii(substr((select%20flag%20from%20t),2,1))=105--+ HTTP/1.1
1724 1.864033614 192.168.246.23 → 192.168.246.1 HTTP 288 GET /ctf/Less-5/?id=1'%20and%20ascii(substr((select%20flag%20from%20t),2,1))=106--+ HTTP/1.1
1736 1.868368414 192.168.246.23 → 192.168.246.1 HTTP 288 GET /ctf/Less-5/?id=1'%20and%20ascii(substr((select%20flag%20from%20t),2,1))=107--+ HTTP/1.1
1748 1.872609447 192.168.246.23 → 192.168.246.1 HTTP 288 GET /ctf/Less-5/?id=1'%20and%20ascii(substr((select%20flag%20from%20t),2,1))=108--+ HTTP/1.1
1760 1.877031568 192.168.246.23 → 192.168.246.1 HTTP 287 GET /ctf/Less-5/?id=1'%20and%20ascii(substr((select%20flag%20from%20t),3,1))=33--+ HTTP/1.1
1772 1.881590322 192.168.246.23 → 192.168.246.1 HTTP 287 GET /ctf/Less-5/?id=1'%20and%20ascii(substr((select%20flag%20from%20t),3,1))=34--+ HTTP/1.1
1784 1.886769105 192.168.246.23 → 192.168.246.1 HTTP 287 GET /ctf/Less-5/?id=1'%20and%20ascii(substr((select%20flag%20from%20t),3,1))=35--+ HTTP/1.1
1796 1.890935373 192.168.246.23 → 192.168.246.1 HTTP 287 GET /ctf/Less-5/?id=1'%20and%20ascii(substr((select%20flag%20from%20t),3,1))=36--+ HTTP/1.1
1808 1.895535085 192.168.246.23 → 192.168.246.1 HTTP 287 GET /ctf/Less-5/?id=1'%20and%20ascii(substr((select%20flag%20from%20t),3,1))=37--+ HTTP/1.1
1820 1.900234875 192.168.246.23 → 192.168.246.1 HTTP 287 GET /ctf/Less-5/?id=1'%20and%20ascii(substr((select%20flag%20from%20t),3,1))=38--+ HTTP/1.1
... omitted ...
25153 11.147293585 192.168.246.23 → 192.168.246.1 HTTP 288 GET /ctf/Less-5/?id=1'%20and%20ascii(substr((select%20flag%20from%20t),30,1))=46--+ HTTP/1.1
25165 11.152221867 192.168.246.23 → 192.168.246.1 HTTP 288 GET /ctf/Less-5/?id=1'%20and%20ascii(substr((select%20flag%20from%20t),30,1))=47--+ HTTP/1.1
25177 11.156936975 192.168.246.23 → 192.168.246.1 HTTP 288 GET /ctf/Less-5/?id=1'%20and%20ascii(substr((select%20flag%20from%20t),30,1))=48--+ HTTP/1.1
25189 11.161667980 192.168.246.23 → 192.168.246.1 HTTP 288 GET /ctf/Less-5/?id=1'%20and%20ascii(substr((select%20flag%20from%20t),30,1))=49--+ HTTP/1.1
25201 11.166589368 192.168.246.23 → 192.168.246.1 HTTP 288 GET /ctf/Less-5/?id=1'%20and%20ascii(substr((select%20flag%20from%20t),30,1))=50--+ HTTP/1.1
25213 11.171287488 192.168.246.23 → 192.168.246.1 HTTP 288 GET /ctf/Less-5/?id=1'%20and%20ascii(substr((select%20flag%20from%20t),30,1))=51--+ HTTP/1.1
25225 11.175677202 192.168.246.23 → 192.168.246.1 HTTP 288 GET /ctf/Less-5/?id=1'%20and%20ascii(substr((select%20flag%20from%20t),30,1))=52--+ HTTP/1.1
25237 11.180292712 192.168.246.23 → 192.168.246.1 HTTP 288 GET /ctf/Less-5/?id=1'%20and%20ascii(substr((select%20flag%20from%20t),30,1))=53--+ HTTP/1.1
25249 11.185158169 192.168.246.23 → 192.168.246.1 HTTP 288 GET /ctf/Less-5/?id=1'%20and%20ascii(substr((select%20flag%20from%20t),30,1))=54--+ HTTP/1.1
25261 11.190003090 192.168.246.23 → 192.168.246.1 HTTP 288 GET /ctf/Less-5/?id=1'%20and%20ascii(substr((select%20flag%20from%20t),30,1))=55--+ HTTP/1.1
25273 11.194529812 192.168.246.23 → 192.168.246.1 HTTP 288 GET /ctf/Less-5/?id=1'%20and%20ascii(substr((select%20flag%20from%20t),30,1))=56--+ HTTP/1.1
25285 11.199234804 192.168.246.23 → 192.168.246.1 HTTP 288 GET /ctf/Less-5/?id=1'%20and%20ascii(substr((select%20flag%20from%20t),30,1))=57--+ HTTP/1.1
25297 11.204016360 192.168.246.23 → 192.168.246.1 HTTP 288 GET /ctf/Less-5/?id=1'%20and%20ascii(substr((select%20flag%20from%20t),30,1))=58--+ HTTP/1.1
25309 11.208888026 192.168.246.23 → 192.168.246.1 HTTP 288 GET /ctf/Less-5/?id=1'%20and%20ascii(substr((select%20flag%20from%20t),30,1))=59--+ HTTP/1.1
25321 11.213662620 192.168.246.23 → 192.168.246.1 HTTP 288 GET /ctf/Less-5/?id=1'%20and%20ascii(substr((select%20flag%20from%20t),30,1))=60--+ HTTP/1.1
This is a blind SQL injection. Filter the output of the command above with grep ",1,1", grep ",2,1", and so on for each character position, and take the last request for each position (the attacker only moves on to the next position after a comparison succeeds, so the last probe is the matching value). That yields the blind-injection result:
tshark -T text -Y "http and ip.src == 192.168.246.23" -nr Downloads/timu.pcapng > timu.txt
END=30
# For each substr() position 1..END, keep only the last request (the matching probe),
# cut out the compared ASCII value before "--+", and print the values comma-separated.
for i in $(seq 1 $END); do
  grep ",$i,1" timu.txt | tail -1 | grep -E -o "([0-9]+)--+.*$" | grep -E -o "^[0-9]+" | tr -d '\n'
  echo -n ","
done
102,108,97,103,123,119,49,114,101,115,104,65,82,75,95,101,122,95,49,115,110,116,105,116,125,126,126,126,126,60,
>>> r=[102,108,97,103,123,119,49,114,101,115,104,65,82,75,95,101,122,95,49,115,110,116,105,116,125,126,126,126,126,60,]
>>> bytes(r)
b'flag{w1reshARK_ez_1sntit}~~~~<'
Simple Traffic Analysis
1 Challenge description
Not long ago, during a routine security check, operations staff noticed that a device on site would occasionally send abnormal ICMP PING packets to an unknown IP. This caught their attention; they filtered out the ICMP packets for analysis and immediately began incident response on the device, which had very likely been compromised. What did the operations staff discover? The flag format is flag{}.
Challenge attachment: download attachment
2 exp
$ tshark -Y "ip.src==192.168.3.73" -nr fetus_pcap.pcap -T json | grep data.len | grep -o -E "[0-9]+\"$" | grep -o -E "[0-9]+" | tr "\n" ","
79,106,112,99,98,109,49,118,98,109,100,118,90,71,73,54,73,84,111,120,78,122,103,48,77,122,111,119,79,106,107,53,79,84,107,53,79,106,99,54,79,106,112,99,98,110,86,105,100,87,53,48,100,84,111,107,78,105,82,77,97,69,104,83,98,50,49,85,82,83,82,78,78,48,77,48,98,106,103,48,86,87,78,71,84,69,70,72,101,51,104,52,77,109,73,52,89,86,56,50,98,87,48,50,78,71,78,102,90,110,78,118,89,50,108,108,100,72,108,57,79,106,111,61,
>>> x=[79,106,112,99,98,109,49,118,98,109,100,118,90,71,73,54,73,84,111,120,78,122,103,48,77,122,111,119,79,106,107,53,79,84,107,53,79,106,99,54,79,106,112,99,98,110,86,105,100,87,53,48,100,84,111,107,78,105,82,77,97,69,104,83,98,50,49,85,82,83,82,78,78,48,77,48,98,106,103,48,86,87,78,71,84,69,70,72,101,51,104,52,77,109,73,52,89,86,56,50,98,87,48,50,78,71,78,102,90,110,78,118,89,50,108,108,100,72,108,57,79,106,111,61,]
>>> bytes(x)
b'Ojpcbm1vbmdvZGI6IToxNzg0MzowOjk5OTk5Ojc6OjpcbnVidW50dTokNiRMaEhSb21URSRNN0M0bjg0VWNGTEFHe3h4MmI4YV82bW02NGNfZnNvY2lldHl9Ojo='
>>> import base64
>>> base64.b64decode(bytes(x))
b'::\\nmongodb:!:17843:0:99999:7:::\\nubuntu:$6$LhHRomTE$M7C4n84UcFLAG{xx2b8a_6mm64c_fsociety}::'
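The command above reads each ICMP payload length as one byte of a base64 string. The following added Python (not part of the write-up) shows the detection side of the same idea over constructed records: a normal ping keeps its payload size fixed, so a flow whose data.len keeps changing stands out, and its lengths can then be decoded the way the write-up did. The addresses, lengths and secret are constructed, not from the challenge capture.

```python
import base64
import binascii
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

Pair = Tuple[str, str]

# Constructed ICMP echo-request records (src, dst, data length in bytes),
# standing in for the data.len values extracted with tshark above; none of
# the addresses or lengths come from the challenge capture (203.0.113.9 is a
# documentation address).  192.168.3.73 pings an unknown host with a different
# payload length each time (the lengths spell the base64 of "root:x:0:0"),
# while 192.168.3.10 pings its gateway with the fixed 56-byte payload of a
# normal `ping`.
SECRET_LENGTHS = [99, 109, 57, 118, 100, 68, 112, 52, 79, 106, 65, 54, 77, 65, 61, 61]
SAMPLE_PINGS: List[Tuple[str, str, int]] = []
for _n in SECRET_LENGTHS:
    SAMPLE_PINGS.append(("192.168.3.10", "192.168.3.1", 56))
    SAMPLE_PINGS.append(("192.168.3.73", "203.0.113.9", _n))


def lengths_per_flow(pings: List[Tuple[str, str, int]]) -> Dict[Pair, List[int]]:
    """Group payload lengths by (src, dst), preserving capture order."""
    flows: Dict[Pair, List[int]] = defaultdict(list)
    for src, dst, length in pings:
        flows[(src, dst)].append(length)
    return dict(flows)


def suspicious_flows(pings: List[Tuple[str, str, int]], min_distinct: int = 4) -> List[Pair]:
    """A legitimate ping keeps its payload size fixed, so a flow whose lengths
    take many distinct values is a candidate length-encoded covert channel."""
    return [pair for pair, lens in lengths_per_flow(pings).items()
            if len(set(lens)) >= min_distinct]


def decode_length_channel(lengths: List[int]) -> Optional[bytes]:
    """Read each length as one byte and base64-decode the result, as the
    write-up did by hand; return None if that does not yield valid base64."""
    if any(not 0 <= n <= 255 for n in lengths):
        return None
    try:
        return base64.b64decode(bytes(lengths), validate=True)
    except (binascii.Error, ValueError):
        return None
```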
3 flag
flag{xx2b8a_6mm64c_fsociety}
Bus (150 pts)
1 Challenge
https://infern0o.medium.com/blackhat-mea-ctf-qualifications-forensics-writeup-c71836d326dc
2 exp
tshark -r bus.pcap -T fields -e modbus.data -Y "modbus.data != 0 and tcp.dstport == 502"
b'your FLAG is: Modbus_is_easy_after_all!'