WriteUp
Ph4nt0m 1ntrud3r
- Category: Forensics
- Difficulty: Medium
- Challenge link: https://play.picoctf.org/practice/challenge/459
Tools
- tshark
- sort
- awk
- xxd
- base64
Walkthrough
- The challenge gives us a .pcap file and hints that time matters, so the plan is to use tshark to put the packets in time order.
- First, let's see what packets the capture contains:
tshark -r traffic.pcap
1 0.000000 192.168.0.2 → 192.168.1.2 TCP 48 20 → 80 [SYN] Seq=0 Win=8192 Len=8
2 0.003558 192.168.0.2 → 192.168.1.2 TCP 52 [TCP Retransmission] 20 → 80 [SYN] Seq=0 Win=8192 Len=12 [TCP PDU reassembled in 2]
3 0.001685 192.168.0.2 → 192.168.1.2 TCP 48 [TCP Retransmission] 20 → 80 [SYN] Seq=0 Win=8192 Len=8
4 0.004344 192.168.0.2 → 192.168.1.2 TCP 52 [TCP Retransmission] 20 → 80 [SYN] Seq=0 Win=8192 Len=12
5 0.003324 192.168.0.2 → 192.168.1.2 TCP 52 [TCP Retransmission] 20 → 80 [SYN] Seq=0 Win=8192 Len=12
6 -0.000716 192.168.0.2 → 192.168.1.2 TCP 48 [TCP Retransmission] 20 → 80 [SYN] Seq=0 Win=8192 Len=8
7 0.000744 192.168.0.2 → 192.168.1.2 TCP 48 [TCP Retransmission] 20 → 80 [SYN] Seq=0 Win=8192 Len=8
8 0.003893 192.168.0.2 → 192.168.1.2 TCP 52 [TCP Retransmission] 20 → 80 [SYN] Seq=0 Win=8192 Len=12
9 0.000478 192.168.0.2 → 192.168.1.2 TCP 48 [TCP Retransmission] 20 → 80 [SYN] Seq=0 Win=8192 Len=8
10 0.000973 192.168.0.2 → 192.168.1.2 TCP 48 [TCP Retransmission] 20 → 80 [SYN] Seq=0 Win=8192 Len=8
11 0.001205 192.168.0.2 → 192.168.1.2 TCP 48 [TCP Retransmission] 20 → 80 [SYN] Seq=0 Win=8192 Len=8
12 0.002624 192.168.0.2 → 192.168.1.2 TCP 48 [TCP Retransmission] 20 → 80 [SYN] Seq=0 Win=8192 Len=8
13 0.002153 192.168.0.2 → 192.168.1.2 TCP 48 [TCP Retransmission] 20 → 80 [SYN] Seq=0 Win=8192 Len=8
14 0.002383 192.168.0.2 → 192.168.1.2 TCP 48 [TCP Retransmission] 20 → 80 [SYN] Seq=0 Win=8192 Len=8
15 0.003102 192.168.0.2 → 192.168.1.2 TCP 52 [TCP Retransmission] 20 → 80 [SYN] Seq=0 Win=8192 Len=12
16 0.004117 192.168.0.2 → 192.168.1.2 TCP 52 [TCP Retransmission] 20 → 80 [SYN] Seq=0 Win=8192 Len=12
17 0.001922 192.168.0.2 → 192.168.1.2 TCP 48 [TCP Retransmission] 20 → 80 [SYN] Seq=0 Win=8192 Len=8
18 0.002861 192.168.0.2 → 192.168.1.2 TCP 48 [TCP Retransmission] 20 → 80 [SYN] Seq=0 Win=8192 Len=8
19 0.001444 192.168.0.2 → 192.168.1.2 TCP 48 [TCP Retransmission] 20 → 80 [SYN] Seq=0 Win=8192 Len=8
20 0.004564 192.168.0.2 → 192.168.1.2 TCP 44 [TCP Retransmission] 20 → 80 [SYN] Seq=0 Win=8192 Len=4
21 -0.000250 192.168.0.2 → 192.168.1.2 TCP 48 [TCP Retransmission] 20 → 80 [SYN] Seq=0 Win=8192 Len=8
22 0.000241 192.168.0.2 → 192.168.1.2 TCP 48 [TCP Retransmission] 20 → 80 [SYN] Seq=0 Win=8192 Len=8
- Everything is TCP, so no filter (-Y "tcp") is needed; just extract the fields we want directly: the TCP payload field tcp.payload and the timestamp field frame.time.
tshark -r myNetworkTraffic.pcap -T fields -e frame.time -e tcp.payload
2025-03-06T11:31:28.575305000+0800 54636c672f33733d
2025-03-06T11:31:28.578863000+0800 626e52666447673064413d3d
2025-03-06T11:31:28.576990000+0800 524878687453343d
2025-03-06T11:31:28.579649000+0800 4e6a5a6b4d474a6d59673d3d
2025-03-06T11:31:28.578629000+0800 657a46305833633063773d3d
2025-03-06T11:31:28.574589000+0800 524d712b77544d3d
2025-03-06T11:31:28.576049000+0800 37754443636c673d
2025-03-06T11:31:28.579198000+0800 587a4d3063336c6664413d3d
2025-03-06T11:31:28.575783000+0800 4f77466550304d3d
2025-03-06T11:31:28.576278000+0800 347063597754673d
2025-03-06T11:31:28.576510000+0800 326437314b5a493d
2025-03-06T11:31:28.577929000+0800 6f46705a5047383d
2025-03-06T11:31:28.577458000+0800 716f39717069593d
2025-03-06T11:31:28.577688000+0800 4a6247325137773d
2025-03-06T11:31:28.578407000+0800 63476c6a62304e5552673d3d
2025-03-06T11:31:28.579422000+0800 596d68664e484a664f513d3d
2025-03-06T11:31:28.577227000+0800 5a314764796a6b3d
2025-03-06T11:31:28.578166000+0800 684b765a4b47413d
2025-03-06T11:31:28.576749000+0800 367734365137303d
2025-03-06T11:31:28.579869000+0800 66513d3d
2025-03-06T11:31:28.575055000+0800 39447049626b413d
2025-03-06T11:31:28.575546000+0800 514b7a46582b633d
- Since the hint says time is important, let's sort first, using the built-in Linux command sort -k1 to sort on the first field (the timestamp).
tshark -r myNetworkTraffic.pcap -T fields -e frame.time -e tcp.payload | sort -k1
2025-03-06T11:31:28.574589000+0800 524d712b77544d3d
2025-03-06T11:31:28.575055000+0800 39447049626b413d
2025-03-06T11:31:28.575305000+0800 54636c672f33733d
2025-03-06T11:31:28.575546000+0800 514b7a46582b633d
2025-03-06T11:31:28.575783000+0800 4f77466550304d3d
2025-03-06T11:31:28.576049000+0800 37754443636c673d
2025-03-06T11:31:28.576278000+0800 347063597754673d
2025-03-06T11:31:28.576510000+0800 326437314b5a493d
2025-03-06T11:31:28.576749000+0800 367734365137303d
2025-03-06T11:31:28.576990000+0800 524878687453343d
2025-03-06T11:31:28.577227000+0800 5a314764796a6b3d
2025-03-06T11:31:28.577458000+0800 716f39717069593d
2025-03-06T11:31:28.577688000+0800 4a6247325137773d
2025-03-06T11:31:28.577929000+0800 6f46705a5047383d
2025-03-06T11:31:28.578166000+0800 684b765a4b47413d
2025-03-06T11:31:28.578407000+0800 63476c6a62304e5552673d3d
2025-03-06T11:31:28.578629000+0800 657a46305833633063773d3d
2025-03-06T11:31:28.578863000+0800 626e52666447673064413d3d
2025-03-06T11:31:28.579198000+0800 587a4d3063336c6664413d3d
2025-03-06T11:31:28.579422000+0800 596d68664e484a664f513d3d
2025-03-06T11:31:28.579649000+0800 4e6a5a6b4d474a6d59673d3d
2025-03-06T11:31:28.579869000+0800 66513d3d
- Now that it is sorted, use awk '{print $2}' to keep only the second field, which leaves just tcp.payload.
tshark -r myNetworkTraffic.pcap -T fields -e frame.time -e tcp.payload | sort -k1 | awk '{print $2}'
524d712b77544d3d
39447049626b413d
54636c672f33733d
514b7a46582b633d
4f77466550304d3d
37754443636c673d
347063597754673d
326437314b5a493d
367734365137303d
524878687453343d
5a314764796a6b3d
716f39717069593d
4a6247325137773d
6f46705a5047383d
684b765a4b47413d
63476c6a62304e5552673d3d
657a46305833633063773d3d
626e52666447673064413d3d
587a4d3063336c6664413d3d
596d68664e484a664f513d3d
4e6a5a6b4d474a6d59673d3d
66513d3d
- Next, use xxd -r -p to convert the hex back into the original binary data.
tshark -r myNetworkTraffic.pcap -T fields -e frame.time -e tcp.payload | sort -k1 | awk '{print $2}' | xxd -p -r
RMq+wTM=9DpIbkA=Tclg/3s=QKzFX+c=OwFeP0M=7uDCclg=4pcYwTg=2d71KZI=6w46Q70=RHxhtS4=Z1Gdyjk=qo9qpiY=JbG2Q7w=oFpZPG8=hKvZKGA=cGljb0NURg==ezF0X3c0cw==bnRfdGg0dA==XzM0c3lfdA==YmhfNHJfOQ==NjZkMGJmYg==fQ==
- That looks like base64 output, so decode it with base64 -d.
tshark -r myNetworkTraffic.pcap -T fields -e frame.time -e tcp.payload | sort -k1 | awk '{print $2}' | xxd -p -r | base64 -d
Dʾ�3�:Hn@M�`�{@��_�;^?C���rX��8���)��:C�D|a�.gQ��9��j�&%��C��ZY<o���(`picoCTF{1t_w4snt_th4t_34sy_tbh_4r_966d0bfb}
The flag is right there at the end of the output.
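The same pipeline in Python, as an added example rather than the author's own code: it takes the 22 frame.time/tcp.payload lines tshark printed above (embedded as a string, so the pcap itself is not needed), sorts them by timestamp, undoes the hex and base64 per segment, and pulls out the flag. Decoding each segment on its own with strict validation, instead of concatenating them first, avoids depending on base64 -d tolerating padding in the middle of the stream and makes a mis-ordered or corrupted segment fail loudly.

```python
import base64
import binascii
import re

# The 22 "frame.time tcp.payload" lines exactly as tshark printed them above
# (capture order, not time order); the capture itself is not needed.
TSHARK_FIELDS = """\
2025-03-06T11:31:28.575305000+0800 54636c672f33733d
2025-03-06T11:31:28.578863000+0800 626e52666447673064413d3d
2025-03-06T11:31:28.576990000+0800 524878687453343d
2025-03-06T11:31:28.579649000+0800 4e6a5a6b4d474a6d59673d3d
2025-03-06T11:31:28.578629000+0800 657a46305833633063773d3d
2025-03-06T11:31:28.574589000+0800 524d712b77544d3d
2025-03-06T11:31:28.576049000+0800 37754443636c673d
2025-03-06T11:31:28.579198000+0800 587a4d3063336c6664413d3d
2025-03-06T11:31:28.575783000+0800 4f77466550304d3d
2025-03-06T11:31:28.576278000+0800 347063597754673d
2025-03-06T11:31:28.576510000+0800 326437314b5a493d
2025-03-06T11:31:28.577929000+0800 6f46705a5047383d
2025-03-06T11:31:28.577458000+0800 716f39717069593d
2025-03-06T11:31:28.577688000+0800 4a6247325137773d
2025-03-06T11:31:28.578407000+0800 63476c6a62304e5552673d3d
2025-03-06T11:31:28.579422000+0800 596d68664e484a664f513d3d
2025-03-06T11:31:28.577227000+0800 5a314764796a6b3d
2025-03-06T11:31:28.578166000+0800 684b765a4b47413d
2025-03-06T11:31:28.576749000+0800 367734365137303d
2025-03-06T11:31:28.579869000+0800 66513d3d
2025-03-06T11:31:28.575055000+0800 39447049626b413d
2025-03-06T11:31:28.575546000+0800 514b7a46582b633d
"""

def decode_in_time_order(text):
    """sort -k1 | awk '{print $2}' | xxd -r -p | base64 -d, one segment at a time."""
    # A plain string sort is enough: every timestamp is fixed-width ISO 8601 in
    # the same zone, which is exactly what `sort -k1` relied on in the shell.
    rows = sorted(line.split() for line in text.splitlines() if line.strip())
    segments = []
    for _frame_time, payload_hex in rows:
        b64_text = binascii.unhexlify(payload_hex)  # xxd -r -p
        segments.append(base64.b64decode(b64_text, validate=True))  # strict decode
    return segments

def extract_flag(text):
    """Join the segments; the first 15 decode to filler bytes, the tail is the flag."""
    data = b"".join(decode_in_time_order(text))
    match = re.search(rb"picoCTF\{[^}]*\}", data)
    return match.group(0).decode() if match else None
```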