Single

[XMAN2018排位赛]记两道流量分析2 min read

AutoKey

题目下载

看到这种题第一反应就是提取usb协议的数据:

tshark -r attachment.pcapng -T fields -e usb.capdata > usbdata.txt

去掉换行符,两两一个,用冒号分割,生成usbdata2.txt,如下:

import re
a = open("usbdata2.txt",'w+')
for line in open("usbdata.txt"):
    result = re.sub(r"(?<=\w)(?=(?:\w\w)+$)", ":", line)
    a.write(result)
    print(result)

拿jio本翻译一下:

#!usr/bin/env python
#-*- coding:utf-8 -*-

mappings = { 0x04:"A",  0x05:"B",  0x06:"C", 0x07:"D", 0x08:"E", 0x09:"F", 0x0A:"G",  0x0B:"H", 0x0C:"I",  0x0D:"J", 0x0E:"K", 0x0F:"L", 0x10:"M", 0x11:"N",0x12:"O",  0x13:"P", 0x14:"Q", 0x15:"R", 0x16:"S", 0x17:"T", 0x18:"U",0x19:"V", 0x1A:"W", 0x1B:"X", 0x1C:"Y", 0x1D:"Z", 0x1E:"1", 0x1F:"2", 0x20:"3", 0x21:"4", 0x22:"5",  0x23:"6", 0x24:"7", 0x25:"8", 0x26:"9", 0x27:"0", 0x28:"\n", 0x2a:"[DEL]",  0X2B:"    ", 0x2C:" ",  0x2D:"-", 0x2E:"=", 0x2F:"[",  0x30:"]",  0x31:"\\", 0x32:"~", 0x33:";",  0x34:"'", 0x36:",",  0x37:"." }
nums = []
keys = open('usbdata.txt')
for line in keys:
    if line[0]!='0' or line[1]!='0' or line[3]!='0' or line[4]!='0' or line[9]!='0' or line[10]!='0' or line[12]!='0' or line[13]!='0' or line[15]!='0' or line[16]!='0' or line[18]!='0' or line[19]!='0' or line[21]!='0' or line[22]!='0':
         continue
    nums.append(int(line[6:8],16))
keys.close()
output = ""
for n in nums:
    if n == 0 :
        continue
    if n in mappings:
        output += mappings[n]
    else:
        output += '[unknown]'
print 'output :\n' + output

得到:

[unknown]A[unknown]UTOKEY”.DECIPHER'[unknown]MPLRVFFCZEYOUJFJKYBXGZVDGQAURKXZOLKOLVTUFBLRNJESQITWAHXNSIJXPNMPLSHCJBTYHZEALOGVIAAISSPLFHLFSWFEHJNCRWHTINSMAMBVEXO[DEL]PZE[DEL]IZ’

仔细看字符串开头,提示说“AUTOKEY”,但是autokey是需要密钥的,暂且不谈,先对字符串进行处理,把[unknown]A[unknown]UTOKEY”.删掉,然后把所有的[DEL]以及它前面的一个字符删掉,得:

MPLRVFFCZEYOUJFJKYBXGZVDGQAURKXZOLKOLVTUFBLRNJESQITWAHXNSIJXPNMPLSHCJBTYHZEALOGVIAAISSPLFHLFSWFEHJNCRWHTINSMAMBVEXPZIZ

查询了资料,get到了一个爆破密钥的脚本:

http://www.practicalcryptography.com/cryptanalysis/stochastic-searching/cryptanalysis-autokey-cipher/

HELLOBOYSANDGIRLSYOUARESOSMARTTHATYOUCANFINDTHEFLAGTHATIHIDEINTHEKEYBOARDPACKAGEFLAGISJHAWLZKEWXHNCDHSLWBAQJTUQZDXZQPF

flag是第二行中间“FLAGIS”往后的部分:

flag{JHAWLZKEWXHNCDHSLWBAQJTUQZDXZQPF}

ppap

题目下载

追踪流找到了非常可疑的这个:

save,去掉开头和结尾,取base64这一段放在notepad++里解码保存为jpg,得到一张图片,然后拿binwalk取出文件其他的数据,得到一个加密的zip。

在这个网站可以解出zip密码:skullandcrossbones

https://passwordrecovery.io/zip-file-password-removal/

flag{b31Ng_4_P1r4tE_1s_4lR1GHT_w1Th_M3}