Written by G3rling@N0wayback/C0ba1t
Forensics
Telnet user password capture
Follow the TCP stream. In the two-way view the data from both directions is jumbled together, so view a single direction only.


That yields the username and password:
flag{login:fake&password:user}
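As an added example (not part of the original write-up), the following Python reassembles a Telnet session one direction at a time, which is what makes the credentials readable. The segment list is constructed here and assumes the usual reason the merged stream looks jumbled: the client sends one keystroke per segment and the server echoes each one back, so every character appears twice in the two-way view. The IAC option negotiation, the typo corrected with DEL and the server banner are made up for the sample; the credentials are the ones recovered above.

```python
# Added example: reassemble a Telnet session per direction (not from the write-up).
from typing import List, Tuple

IAC, SB, SE = 0xFF, 0xFA, 0xF0
WILL, WONT, DO, DONT = 0xFB, 0xFC, 0xFD, 0xFE

def strip_iac(data: bytes) -> bytes:
    """Drop Telnet option negotiation (IAC sequences) so only session text remains."""
    out, i = bytearray(), 0
    while i < len(data):
        b = data[i]
        if b != IAC:
            out.append(b)
            i += 1
        elif i + 1 >= len(data):
            break                                   # dangling IAC at end of stream
        elif data[i + 1] == IAC:
            out.append(IAC)                         # IAC IAC is an escaped 0xFF
            i += 2
        elif data[i + 1] == SB:                     # subnegotiation runs until IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        elif data[i + 1] in (WILL, WONT, DO, DONT):
            i += 3                                  # IAC <cmd> <option>
        else:
            i += 2                                  # other two-byte commands (NOP, GA, ...)
    return bytes(out)

def direction_text(segments: List[Tuple[str, bytes]], direction: str) -> bytes:
    """Concatenate only the payloads flowing in one direction, i.e. the single-direction
    view of the stream with negotiation bytes removed."""
    return strip_iac(b"".join(p for d, p in segments if d == direction))

def typed_lines(client_stream: bytes) -> List[str]:
    """Replay the client keystrokes: honour BS/DEL edits, split on CR, ignore LF/NUL."""
    lines, cur = [], bytearray()
    for b in client_stream:
        if b in (0x08, 0x7F):
            if cur:
                cur.pop()
        elif b == 0x0D:
            lines.append(cur.decode("ascii", "replace"))
            cur = bytearray()
        elif b not in (0x0A, 0x00):
            cur.append(b)
    if cur:
        lines.append(cur.decode("ascii", "replace"))
    return lines

def recover_credentials(segments: List[Tuple[str, bytes]]) -> List[str]:
    """Client-side lines in order; for a login session the first two are user and password."""
    return typed_lines(direction_text(segments, "C"))

# Constructed sample session. "C" = client->server, "S" = server->client.
# The user types "fakr", fixes the typo with DEL, then "e"; the password is not echoed.
SAMPLE: List[Tuple[str, bytes]] = [
    ("S", bytes([IAC, DO, 0x18]) + b"login: "),    # DO TERMINAL-TYPE, then the prompt
    ("C", bytes([IAC, WONT, 0x18])),
]
for ch in b"fakr":
    SAMPLE += [("C", bytes([ch])), ("S", bytes([ch]))]   # keystroke, then server echo
SAMPLE += [("C", b"\x7f"), ("S", b"\x08 \x08"), ("C", b"e"), ("S", b"e"),
           ("C", b"\r\n"), ("S", b"\r\nPassword: ")]
SAMPLE += [("C", bytes([ch])) for ch in b"user"]
SAMPLE += [("C", b"\r\n"), ("S", b"\r\nWelcome\r\n$ ")]

if __name__ == "__main__":
    merged = b"".join(p for _, p in SAMPLE)          # what the two-way stream view shows
    print("merged :", strip_iac(merged).decode("ascii", "replace").replace("\r", ""))
    print("client :", recover_credentials(SAMPLE))
```

The merged view prints "ffaakkrr..." with the doubled characters, while the client-only view gives the two lines "fake" and "user". The password line is not echoed by the server, so it only ever exists on the client side of the stream.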
PrivateChannel
A string turns up in one lone packet:
CDAISIWillWin
but after submitting it, it turns out not to be the flag.
Looking further, the STP packets are all identical and there is nothing unusual about DNS either,
but the ICMP ping packets look odd, so start by extracting the ping packets:
tshark -r PrivateChannel.pcap.pcapng -Y "icmp.type==8 or icmp.type==0"
The result is as follows:
376 616.966522 192.168.50.10 → 192.168.0.50 ICMP 98 Echo (ping) request id=0x06ef, seq=1/256, ttl=64
378 617.965929 192.168.50.10 → 192.168.0.50 ICMP 98 Echo (ping) request id=0x06ef, seq=2/512, ttl=64
379 617.990279 192.168.0.50 → 192.168.50.10 ICMP 98 Echo (ping) reply id=0x06ef, seq=2/512, ttl=41
395 641.491491 192.168.0.50 → 192.168.50.10 ICMP 98 Echo (ping) request id=0x152c, seq=1/256, ttl=41
396 641.492213 192.168.50.10 → 192.168.0.50 ICMP 98 Echo (ping) reply id=0x152c, seq=1/256, ttl=64
479 796.186499 192.168.50.10 → 192.168.0.50 ICMP 42 Echo (ping) request id=0x0000, seq=0/0, ttl=64
480 796.205229 192.168.0.50 → 192.168.50.10 ICMP 42 Echo (ping) reply id=0x0000, seq=0/0, ttl=41
481 796.297219 192.168.50.10 → 192.168.0.50 ICMP 42 Echo (ping) request id=0x0000, seq=0/0, ttl=64
482 796.316115 192.168.0.50 → 192.168.50.10 ICMP 42 Echo (ping) reply id=0x0000, seq=0/0, ttl=41
483 796.408717 192.168.50.10 → 192.168.0.50 ICMP 42 Echo (ping) request id=0x0000, seq=0/0, ttl=64
484 796.427036 192.168.0.50 → 192.168.50.10 ICMP 42 Echo (ping) reply id=0x0000, seq=0/0, ttl=41
485 796.516729 192.168.50.10 → 192.168.0.50 ICMP 42 Echo (ping) request id=0x0000, seq=0/0, ttl=64
486 796.527942 192.168.0.50 → 192.168.50.10 ICMP 42 Echo (ping) reply id=0x0000, seq=0/0, ttl=41
Only the first five packets have the ICMP id= field filled in; in all the others it is 0x0000. Looking at the zero-id ping packets, the field that varies from packet to packet is the IP Identification, display filter field ip.id.

Extract it with tshark:
tshark -r PrivateChannel.pcap.pcapng -Y "icmp.type==0 or icmp.type==8" -T fields -e ip.id > output.txt
After a From Hex conversion there are garbage characters mixed into the text.

On closer inspection the replies (icmp.type==0) carry their own Identification values, which is where the junk came from, so select icmp.type==8 only:
tshark -r PrivateChannel.pcap.pcapng -Y "icmp.type==8" -T fields -e ip.id > output.txt
After From Hex this gives:

Cleaned up:
"here is your flag : S3cr3t4g3nt
http
Happy flag-hunting: the flag is in stream 19.

Hey this is a flag FLAG-GehFMsqCeNvof5szVpB2Dmjx
DNS
First pull the DNS query names out with tshark:
tshark.exe -r dns.pcap -T fields -e dns.qry.name | sed '/^\s*$/d' | uniq > output.txt
The first few lines look like this:
5647687063794270.192.168.191.129
6379426849484e6c.192.168.191.129
google.ca
88.46.194.173.in-addr.arpa
6379426849484e6c.192.168.191.129
88.46.194.173.in-addr.arpa
59334a6c64434230.192.168.191.129
128.191.168.192.in-addr.arpa
2.191.168.192.in-addr.arpa
……
Some of these are odd hex data; pull all of them out and remove the duplicate lines:
56476870637942706379426849484e6c59334a6c64434230636d4675633231706448526c5a43423061484a766457646f494752756379427864575679655341364b534247544546484c555a554e44646a545667794e6e425865555a5453545a53554664685533493157564a330a
From Hex ---> From Base64
This is a secret transmitted through dns query :) FLAG-FT47cMX26pWyFSI6RPWaSr5YRw
(The correct flag as originally set had a lowercase second-to-last character; everyone knows how the first two bloods got theirs.)
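An added example (not the write-up's code) that does the extract, dedupe, From Hex, From Base64 chain in one go. The query list is reconstructed from the page: the noise names shown above plus the full hex string split back into 16-character labels (16 is assumed from the queries shown), each sent to the 192.168.191.129 suffix seen in the capture. The dedupe keeps the first occurrence in order, on the assumption that a repeated label is a resolver retry.

```python
# Added example: recover data exfiltrated through hex-labelled DNS queries.
import base64
import re
from typing import Iterable, List

# Queries of the form <hex>.192.168.191.129, the suffix seen in the capture above.
EXFIL_QUERY = re.compile(r"^([0-9a-f]+)\.192\.168\.191\.129$")

def exfil_chunks(query_names: Iterable[str]) -> List[str]:
    """Keep the hex labels in first-seen order, dropping repeats.
    Assumption: a repeated label is a client/resolver retry, not a genuinely repeated
    chunk; the capture carries no sequence number to tell the two apart, and plain
    `uniq` only collapses adjacent lines, which misses the retry shown above."""
    seen, chunks = set(), []
    for name in query_names:
        m = EXFIL_QUERY.match(name.strip().lower())
        if not m or len(m.group(1)) % 2:
            continue
        chunk = m.group(1)
        if chunk not in seen:
            seen.add(chunk)
            chunks.append(chunk)
    return chunks

def decode_exfil(query_names: Iterable[str]) -> str:
    """From Hex, then From Base64 (trailing newline stripped first)."""
    raw = bytes.fromhex("".join(exfil_chunks(query_names)))
    return base64.b64decode(raw.strip()).decode("utf-8", "replace")

# The full hex string recovered in the write-up, split back into 16-character labels
# (the label length seen in the queries above) to rebuild the query list.
FULL_HEX = ("56476870637942706379426849484e6c59334a6c64434230636d467563323170"
            "6448526c5a43423061484a766457646f49475275637942786457567965534136"
            "4b534247544546484c555a554e44646a545667794e6e425865555a5453545a53"
            "554664685533493157564a330a")

def constructed_queries() -> List[str]:
    """Sample `tshark -e dns.qry.name` output: the first lines as shown in the
    write-up, then the remaining exfil labels, with noise lookups in between."""
    labels = [FULL_HEX[i:i + 16] for i in range(0, len(FULL_HEX), 16)]
    names = [labels[0] + ".192.168.191.129",
             labels[1] + ".192.168.191.129",
             "google.ca",
             "88.46.194.173.in-addr.arpa",
             labels[1] + ".192.168.191.129",      # the retry visible in the capture
             "88.46.194.173.in-addr.arpa"]
    names += [label + ".192.168.191.129" for label in labels[2:]]
    names += ["128.191.168.192.in-addr.arpa", "2.191.168.192.in-addr.arpa"]
    return names

if __name__ == "__main__":
    print(decode_exfil(constructed_queries()))
```

Anchoring the pattern on the destination suffix rather than on "looks like hex" matters: the reverse lookups such as 88.46.194.173.in-addr.arpa also start with an all-hex label and would otherwise be swept in.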
webshell
Scrolling backwards through the traffic finds the payload:

The z2 parameter starts with Zmxh, the base64 of "fla":
ZmxhZ3tJbmYwcm00dGkwbjUzY3VyaXR5fQ
Base64-decode it to get the flag:
flag{Inf0rm4ti0n53curity}
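Added example, not from the original write-up: rather than eyeballing a Zmxh prefix (which is the base64 of "fla" and only appears when "flag" starts on a 3-byte boundary of the encoded data), walk every parameter of the POST body, base64-decode leniently (the z2 value above carries no = padding) and grep the decoded bytes. The body is constructed here; pass and z1 are made up, z2 is the captured value.

```python
# Added example: scan a captured POST body for base64 values that decode to a flag.
import base64
import binascii
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlencode

def b64_decode_lenient(value: str) -> Optional[bytes]:
    """Decode base64 that may lack '=' padding (the z2 value above has none) or use the
    URL-safe alphabet; return None for anything that is not base64 at all."""
    cleaned = value.strip().replace("-", "+").replace("_", "/").rstrip("=")
    if not cleaned or not re.fullmatch(r"[A-Za-z0-9+/]+", cleaned) or len(cleaned) % 4 == 1:
        return None
    try:
        return base64.b64decode(cleaned + "=" * (-len(cleaned) % 4), validate=True)
    except binascii.Error:
        return None

FLAG_RE = re.compile(rb"flag\{[^}]*\}", re.IGNORECASE)

def find_flags(body: str) -> List[Tuple[str, str]]:
    """Decode every form parameter and return (parameter, flag) for each hit."""
    hits = []
    for name, values in parse_qs(body, keep_blank_values=True).items():
        for v in values:
            raw = b64_decode_lenient(v)
            if raw is None:
                continue
            hits += [(name, m.group(0).decode()) for m in FLAG_RE.finditer(raw)]
    return hits

# Constructed POST body: "pass" and z1 are made up, z2 is the value captured in the challenge.
BODY = urlencode({
    "pass": "1",
    "z1": base64.b64encode(b"/var/www/html/").decode().rstrip("="),
    "z2": "ZmxhZ3tJbmYwcm00dGkwbjUzY3VyaXR5fQ",
})

if __name__ == "__main__":
    print(find_flags(BODY))
```

Going through urlencode/parse_qs rather than splitting on & by hand matters for real captures: a "+" or "/" inside a base64 value is percent-encoded on the wire and would otherwise be mangled.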
tribalwars账户密码
The account and password are in stream 109:

user=Falken&password=Joshua&cookie=true&clear=true
Transfer

In stream 4 there is a piece of code together with a ciphertext. The code is the challenge's own Python 2 script, re-indented here:
import string
import random
from base64 import b64encode, b64decode

FLAG = 'flag{xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx}'
enc_ciphers = ['rot13', 'b64e', 'caesar']
# dec_ciphers = ['rot13', 'b64d', 'caesard']

def rot13(s):
    _rot13 = string.maketrans(
        "ABCDEFGHIJKLMabcdefghijklmNOPQRSTUVWXYZnopqrstuvwxyz",
        "NOPQRSTUVWXYZnopqrstuvwxyzABCDEFGHIJKLMabcdefghijklm")
    return string.translate(s, _rot13)

def b64e(s):
    return b64encode(s)

def caesar(plaintext, shift=3):
    # shifts lowercase letters only; digits, '=' and the layer marker are untouched
    alphabet = string.ascii_lowercase
    shifted_alphabet = alphabet[shift:] + alphabet[:shift]
    table = string.maketrans(alphabet, shifted_alphabet)
    return plaintext.translate(table)

def encode(pt, cnt=50):
    # start with "2" + base64(flag), then apply cnt random layers, each one
    # prefixed with its 1-based index in enc_ciphers (1=rot13, 2=b64e, 3=caesar)
    tmp = '2{}'.format(b64encode(pt))
    for cnt in xrange(cnt):
        c = random.choice(enc_ciphers)
        i = enc_ciphers.index(c) + 1
        _tmp = globals()[c](tmp)
        tmp = '{}{}'.format(i, _tmp)
    return tmp

if __name__ == '__main__':
    print encode(FLAG, cnt=?)
The logic, roughly: the first character of the current string is a digit naming the layer applied last, so it tells you which decoding to apply next:
'2' ----> b64encode(flag) (innermost layer; undo with b64decode)
'1' ----> rot13(tmp1) (self-inverse)
'3' ----> caesar(tmp2) (shift 3; undo by shifting back)
You can do it by hand, or with code:
from string import ascii_lowercase
from base64 import b64decode

def rot13(s):
    _rot13 = str.maketrans(
        "ABCDEFGHIJKLMabcdefghijklmNOPQRSTUVWXYZnopqrstuvwxyz",
        "NOPQRSTUVWXYZnopqrstuvwxyzABCDEFGHIJKLMabcdefghijklm")
    return s.translate(_rot13)

def b64d(s):
    return b64decode(s.encode()).decode()

def caesar(s):
    # inverse of the encoder's shift-3: map d..c back onto a..z
    shifted_alphabet = ascii_lowercase[3:] + ascii_lowercase[:3]
    table = str.maketrans(shifted_alphabet, ascii_lowercase)
    return s.translate(table)

def decrypt(s):
    # strip the layer marker and apply the matching inverse (1=rot13, 2=b64d, 3=caesar)
    n, s = int(s[0]) - 1, s[1:]
    return [rot13, b64d, caesar][n](s)

s = '[paste the ciphertext here; it is too long to include]'
while s[0] in '123':    # peel layers until no marker is left, i.e. the flag is exposed
    s = decrypt(s)
print(s)
Decrypting yields the flag:
flag{li0ns_and_tig3rs_4nd_b34rs_0h_mi}
Networking
The flag is given outright:

flag{d316759c281bf925d600be698a4973d5}
Baby did great.