2023 福建省第三届工业互联网创新大赛CTF Misc-Covertchannel2题目:
近日,公司Windows服务器被入侵,黑客使用了一个比较隐蔽的信道将机密凭据传输了出去,但是蛛丝马迹还是被流量采集设备捕获了,你能从中找回丢失的flag吗?
分析:
分析该流量包发现了有一个 rsa.key,并且在数据包长度为 126 和 119 中发现了,secrets.txt 和 data.zip,接下来就是写脚本提取出数据
exp:
import subprocess
import recommand = 'tshark -r Covertchannel.pcap -Y "mqtt" -T json > msg.txt'proc = subprocess.Popen(command, shell=True,stdout=subprocess.PIPE, stderr=subprocess.PIPE)
proc.communicate()with open('msg.txt', 'r', encoding='utf-8') as f:data = f.read()pattern = r'"mqtt\.msg": "(.*?)"'
msg_data = re.findall(pattern, data)
print(msg_data)with open('msg_data.txt', 'w', encoding='utf-8') as f:for i in msg_data:f.write(i + '\n')
接下来在 msg_data.txt 可以观察出有三段大概如下:
rsa.key
LS0tLS1CRUdJTiBQ
...secrets.txt:
bFBkNlE3SDF1ZjRT...
data.zip:
VUVzREJBb0FBQUFB
然后将三段都分别丢进 cyber 进行解码,data.zip: 那一段 base64 2次 就能看到 PK
接下来就是利用 rsa 的私钥进行解密,
exp:
from Crypto.PublicKey import RSA
from Crypto.Cipher import PKCS1_OAEP
from Crypto.Util.number import *
import base64private_key = '''-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC1YaMyRuhD9Pu5
w6GNhfYTQ0Vo/0OjZPKyDS3viCZIuXUsUn/vQxMJPWlCQq7rRv2c7+z8PTxeirV7
1fPT/sFxgxHbjZeFDRCvU7Pc4ZknT8rTymGWR9WB6XEi8s06gWQegxOKgq7smDJs
Qow+7OGes1Xm8HxgeDjjghzeN2dS75kswo+HF6hzZVKiJGoju/jyp2hqdjuMYySv
BHzlLoH5r1Yrdg/hEIOaua2h7s5p5ybJ+8aIqTEFz5Q/FuM4z9LE0O8ysJxo4WRV
+cbtWCD17kGIjRxHW5tTTszqrwHMISVyZq+5Ib1K7DGE3a/Ek/weYp5Fh8bX8LbH
RSwBsopXAgMBAAECggEADw3xDSm8enN5dzQpEwWE5JlnR+0z8Hpe+G9GmkR7JPsb
oheg3bt7937c3y6ItSd5wk5ZpZ/xhElQAdzCtZxF8wV1dHsekeEBOwQgABvLaeti
As0f52jD7FnzVXrAlPQLWsr3Ur5BBYsmWDz3xftESLdK0HWyZRFla2Cvw7PmhAgS
CDYvj5S0qk0h7KrNGJMfM8o+j7lE3ZKv5pTTVQ+/GUwF0q+Ujk75Zg3WMfGQQVOT
nM0kOa970Yfb7V2UHcQn9HCxHY0wc+/PK4jtn2h4htTrNBBTa4B6zTDY8sfYg0XB
+M2H57We0r7azWmdeVAM3woocqbNYMUFUB/PVR36CQKBgQDD5OxBcMepIDnWXb0c
ict5/O67VhkWUb64vA695P9luBtCKxfnhlSnPjPt3olCy5KInB02MnNJMHV4haqY
Gtxb+1GeXK3pJo837s7w7bnVAE3eP3OmYHk4aq8LMtxacd8WZ0UyUH16+4hKbrh+
JowSwZvLixWaJq0XaSIOkmO83wKBgQDtCMMjMzhiNEhNDHtc+SlVzqlXKtIp61ag
pavufiUUEKyRoG8i1GoIIPn7u2hEBF8Rm3euuWLl1SHAjWswNEUJnp2rO5sFGJBK
sgpIyxFkiSYFoXWKVd0r7k/KNPk1ShpHZhSJqEsYqmDjbTFFVxUCj3xerfZlqLQT
dzdOnoVpiQKBgQCG3RDmEL30qtIGyixK/HbQehjlcmX9HrQePKIti/1kyzZA/KgN
ZkbbiRB5QA7hpIMyd8AIsvz5s1n8apHC/CMfVEuhqg61CC3rhQaFijS49uelDawS
LDLoa1ItdIuN3P2IT/qspAtvYsI29Dkh6Gng89fNbuilYuEhz+h5fcEaowKBgBlc
aqSFgm7fcSztPPXBou6PYgb1ie76QxaFI1QtIwJ2lkAujjWHzKB6BsUsVAeTACj+
HVwQcchteWMEvoc10H0q/2umwPtWmXmkev023PGIywynLdBTR4q/wMG90TwmZZFm
FqRz4TUOZbdvo2nr20+e0ou+yTIvTrUWeFBtHZEhAoGACualPMp1+DKOnGRKqpBA
c/W/ObkBBgQsV11k+wy1AZ0SVUjY0DkEKdKAMxQ6v0+ERCrbgVOux0xGR7MF7RGY
OwuVNDyCUT/gbqkxU3aUmT9oa+kbnxHtdUsbqeziEJ9xMLWlDygVfv4ae+InKbS0
MnZAAXUNDQIu5dxYCGPlrfA=
-----END PRIVATE KEY-----
'''enc = 'lPd6Q7H1uf4SNEKH4IE1Kg2iDFk0DBhJwCBsdI2WhzOGap08kdPYQFr6apSvZiTHvjiX2tmUlI9i2wh/1ghwIK97PbHDq1+SxE1nr46m0P/C1zgkB22+u3V2q19IOAatnasrkPDJLPim+xnx7t1NyA7VJLwsRNCPoqEgLmfQBwuzPBjXCtufQY/kAih7Ku4OnUWkJXDydIlONzejeI+mQG/8UQHM4PbscjoovRvec+aJR1lj8031qcm+2ZvIdR+dIDbCW2kYjmNbmW+L6PnKCe/suJJ4AeR4JmMleQERLzimgXnWnFRv8ZziUsrKYUUtMol9WXJk88V7QHMr/L3FEg=='# 解析私钥
private_key = RSA.import_key(private_key)
# print(private_key)# 提取加密数据
n = private_key.n
e = private_key.e
d = private_key.d
p = private_key.p
q = private_key.qc = bytes_to_long(base64.b64decode(enc))
m = pow(c, d, n)print(long_to_bytes(m))
也可以利用网站:RSA 加密/解密 - 锤子在线工具 (toolhelper.cn)
最后,将解出来的字符串作为压缩包的密码,打开后在 1.txt 就能找到 flag
flag{a3e0f096-17ed-4c0b-8895-4dd0cbabafaf}
总结:
在利用 tshark 提取字符串时,本来是 tshark -r Covertchannel.pcap -Y "mqtt" -T json > 1.json 转换成 json 的,然在从 json 去提取
贴一下我原来的脚本,但是后面发现这个 1.json 不是标准的数据格式,在用一层下有 2 个 mqtt ,我们在提取的时候只能提取到最后一个,默认把前面的覆盖了,这里我看了半天,我一直以为数据有问题,然后发现又的数据没有提取出来,所有最后利用正则把需要的数据都提取出来了
import os
import subprocess
import json
import recommand = 'tshark -r Covertchannel.pcap -Y "mqtt" -T json > 1.json'proc = subprocess.Popen(command, shell=True,stdout=subprocess.PIPE, stderr=subprocess.PIPE)
proc.communicate()with open('1.json', 'r', encoding='utf-8') as f:data=json.load(f)a1 = []
for i in data:try:b1 = i['_source']['layers']['mqtt']['mqtt.msg']a1.append(b1)except:pass
print(a1)
