iT邦幫忙

2024 iThome 鐵人賽
DAY 13
0
Security

picoCTF系列 第 13

[Day 13] FindAndOpen

16th鐵人賽
104 瀏覽

  • 分享至 

  • xImage
    •  

看到題目要求,得知要解鎖一個檔案,並且題目有給我們 tracefile,讓我們好分析 key 是甚麼。提示也告訴我們,密碼跟 pcap 檔案有很大關係。
https://ithelp.ithome.com.tw/upload/images/20240818/20168342lZJOjxiFUY.png
hint 1:Download the pcap and look for the password or flag.
hint 2:Don't try to use a password cracking tool, there are easier ways here.

那什麼是 pcap 檔案?可以將 pcap 檔案視作一種按照特定格式儲存的文件格式,常常用來儲存封包相關的資訊,可以使用 Wireshark 打開這種文件。詳情可以參考:什麼是 pcap?

回到正題,將題目給的檔案下載下來,得到一個 pcap 檔和一個壓縮檔。

$ ls 
README.txt  dump.pcap  flag.zip

我們嘗試解壓縮 flag.zip,會出現填入密碼的提示。

$ unzip flag.zip 
Archive:  flag.zip
[flag.zip] flag password: 
password incorrect--reenter: 
   skipping: flag                    incorrect password

想起提示,於是來查看 pcap 檔案裏面有沒有可能的密碼,在這裡我會用 strings 來查看 pcap 檔案裏面的資訊,底下是完整資訊。( 您也可以使用 Wireshark 開啟 pcap 檔案 )

$ strings dump.pcap 
Flying on Ethernet secret: Is this the flag
Flying on Ethernet secret: Is this the flag
Flying on Ethernet secret: Is this the flag
Flying on Ethernet secret: Is this the flag
Flying on Ethernet secret: Is this the flag
Flying on Ethernet secret: Is this the flag
Flying on Ethernet secret: Is this the flag
Flying on Ethernet secret: Is this the flag
Flying on Ethernet secret: Is this the flag
_googlecast
_tcp
local
_googlecast
_tcp
local
_googlecast
_tcp
local
_googlecast
_tcp
local
+Chromecast-18e2a8da30459b730aec93a71af19988
_googlecast
_tcp
local
_googlecast
_tcp
local
_googlecast
_tcp
local
_googlecast
_tcp
local
+Chromecast-18e2a8da30459b730aec93a71af19988
_googlecast
_tcp
local
.+Chromecast-18e2a8da30459b730aec93a71af19988
#id=18e2a8da30459b730aec93a71af19988#cd=EB3B62CAFB4F51F0114CFB58C4FE2C2F
rm=B8B7BA5A0CEB76E5
ve=05
md=Chromecast
ic=/setup/icon.png
fn=Living Room TV       ca=465413
st=0
bs=FA8FCA54567B
nf=2
I$18e2a8da-3045-9b73-0aec-93a71af19988
_googlecast
_tcp
local
.+Chromecast-18e2a8da30459b730aec93a71af19988
#id=18e2a8da30459b730aec93a71af19988#cd=EB3B62CAFB4F51F0114CFB58C4FE2C2F
rm=B8B7BA5A0CEB76E5
ve=05
md=Chromecast
ic=/setup/icon.png
fn=Living Room TV       ca=465413
st=0
bs=FA8FCA54567B
nf=2
I$18e2a8da-3045-9b73-0aec-93a71af19988
_googlecast
_tcp
local
.+Chromecast-18e2a8da30459b730aec93a71af19988
#id=18e2a8da30459b730aec93a71af19988#cd=EB3B62CAFB4F51F0114CFB58C4FE2C2F
rm=B8B7BA5A0CEB76E5
ve=05
md=Chromecast
ic=/setup/icon.png
fn=Living Room TV       ca=465413
st=0
bs=FA8FCA54567B
nf=2
I$18e2a8da-3045-9b73-0aec-93a71af19988
_googlecast
_tcp
local
.+Chromecast-18e2a8da30459b730aec93a71af19988
#id=18e2a8da30459b730aec93a71af19988#cd=EB3B62CAFB4F51F0114CFB58C4FE2C2F
rm=B8B7BA5A0CEB76E5
ve=05
md=Chromecast
ic=/setup/icon.png
fn=Living Room TV       ca=465413
st=0
bs=FA8FCA54567B
nf=2
I$18e2a8da-3045-9b73-0aec-93a71af19988
+Chromecast-18e2a8da30459b730aec93a71af19988
_googlecast
_tcp
local
#id=18e2a8da30459b730aec93a71af19988#cd=EB3B62CAFB4F51F0114CFB58C4FE2C2F
rm=B8B7BA5A0CEB76E5
ve=05
md=Chromecast
ic=/setup/icon.png
fn=Living Room TV       ca=465413
st=0
bs=FA8FCA54567B
nf=2
ScTo
iBwaWNvQ1RGe1Could the flag have been splitted?
iBwaWNvQ1RGe1Could the flag have been splitted?
iBwaWNvQ1RGe1Could the flag have been splitted?
iBwaWNvQ1RGe1Could the flag have been splitted?
iBwaWNvQ1RGe1Could the flag have been splitted?
iBwaWNvQ1RGe1Could the flag have been splitted?
iBwaWNvQ1RGe1Could the flag have been splitted?
iBwaWNvQ1RGe1Could the flag have been splitted?
iBwaWNvQ1RGe1Could the flag have been splitted?
iBwaWNvQ1RGe1Could the flag have been splitted?
iBwaWNvQ1RGe1Could the flag have been splitted?
iBwaWNvQ1RGe1Could the flag have been splitted?
iBwaWNvQ1RGe1Could the flag have been splitted?
iBwaWNvQ1RGe1Could the flag have been splitted?
iBwaWNvQ1RGe1Could the flag have been splitted?
iBwaWNvQ1RGe1Could the flag have been splitted?
iBwaWNvQ1RGe1Could the flag have been splitted?
iBwaWNvQ1RGe1Could the flag have been splitted?
iBwaWNvQ1RGe1Could the flag have been splitted?
iBwaWNvQ1RGe1Could the flag have been splitted?
iBwaWNvQ1RGe1Could the flag have been splitted?
iBwaWNvQ1RGe1Could the flag have been splitted?
iBwaWNvQ1RGe1Could the flag have been splitted?
iBwaWNvQ1RGe1Could the flag have been splitted?
iBwaWNvQ1RGe1Could the flag have been splitted?
AABBHHPJGTFRLKVGhpcyBpcyB0aGUgc2VjcmV0OiBwaWNvQ1RGe1IzNERJTkdfTE9LZF8=
PBwaWUvQ1RGesabababkjaASKBKSBACVVAVSDDSSSSDSKJBJS
PBwaWUvQ1RGesabababkjaASKBKSBACVVAVSDDSSSSDSKJBJS
PBwaWUvQ1RGesabababkjaASKBKSBACVVAVSDDSSSSDSKJBJS
PBwaWUvQ1RGesabababkjaASKBKSBACVVAVSDDSSSSDSKJBJS
PBwaWUvQ1RGesabababkjaASKBKSBACVVAVSDDSSSSDSKJBJS
PBwaWUvQ1RGesabababkjaASKBKSBACVVAVSDDSSSSDSKJBJS
PBwaWUvQ1RGesabababkjaASKBKSBACVVAVSDDSSSSDSKJBJS
PBwaWUvQ1RGesabababkjaASKBKSBACVVAVSDDSSSSDSKJBJS
PBwaWUvQ1RGesabababkjaASKBKSBACVVAVSDDSSSSDSKJBJS
PBwaWUvQ1RGe1Maybe try checking the other file
PBwaWUvQ1RGe1Maybe try checking the other file
PBwaWUvQ1RGe1Maybe try checking the other file
PBwaWUvQ1RGe1Maybe try checking the other file
PBwaWUvQ1RGe1Maybe try checking the other file
PBwaWUvQ1RGe1Maybe try checking the other file
PBwaWUvQ1RGe1Maybe try checking the other file
PBwaWUvQ1RGe1Maybe try checking the other file
_googlecast
_tcp
local
+Chromecast-18e2a8da30459b730aec93a71af19988
_googlecast
_tcp
local
+Chromecast-18e2a8da30459b730aec93a71af19988
_googlecast
_tcp
local
.+Chromecast-18e2a8da30459b730aec93a71af19988
#id=18e2a8da30459b730aec93a71af19988#cd=EB3B62CAFB4F51F0114CFB58C4FE2C2F
rm=B8B7BA5A0CEB76E5
ve=05
md=Chromecast
ic=/setup/icon.png
fn=Living Room TV       ca=465413
st=0
bs=FA8FCA54567B
nf=2
I$18e2a8da-3045-9b73-0aec-93a71af19988
+Chromecast-18e2a8da30459b730aec93a71af19988
_googlecast
_tcp
local
#id=18e2a8da30459b730aec93a71af19988#cd=EB3B62CAFB4F51F0114CFB58C4FE2C2F
rm=B8B7BA5A0CEB76E5
ve=05
md=Chromecast
ic=/setup/icon.png
fn=Living Room TV       ca=465413
st=0
bs=FA8FCA54567B
nf=2

其中,我看到一串很熟悉的字串,看起來使用了 base64 編碼。

AABBHHPJGTFRLKVGhpcyBpcyB0aGUgc2VjcmV0OiBwaWNvQ1RGe1IzNERJTkdfTE9LZF8=

於是嘗試以 base64 的方法解碼,發現會出現 invalid input 的錯誤,這可能是因為字串長度為 70。

$ echo 'AABBHHPJGTFRLKVGhpcyBpcyB0aGUgc2VjcmV0OiBwaWNvQ1RGe1IzNERJTkdfTE9LZF8=' | base64 -d
As1Q,F22FR6V7&WC65Dg#3DDuEbase64: invalid input

於是嘗試將其字串刪減至 4 的倍數 ( 長度變成64 ),再次使用 base64 解碼,可以得到部分 flag。
而這裡要是 4 的倍數是因為,如果編碼後的長度不是 4 位元組的倍數,解碼器將無法正確解碼數據,導致資料遺失或損壞。

$ echo 'PJGTFRLKVGhpcyBpcyB0aGUgc2VjcmV0OiBwaWNvQ1RGe1IzNERJTkdfTE9LZF8=' | base64 -d
<This is the secret: picoCTF{R34DING_LOKd_

最後再以得到的部分 flag 作為 password,發現可以 unzip flag.zip,便可以得到 flag。

$ unzip flag.zip 
Archive:  flag.zip
[flag.zip] flag password: 
 extracting: flag                    
$ cat flag
picoCTF{R34DING_LOKd_fil56_succ3ss_494c4f32}

小結:
概略了解 pcap 檔案。


上一篇
[Day 12] CanYouSee
下一篇
[Day 14] ReadMyCert
系列文
picoCTF30
  1. 26
    [Day 26] heap2
  2. 27
    [Day 27] format string 2
  3. 28
    [Day 28] Mob psycho
  4. 29
    [Day 29] rsa_oracle
  5. 30
    [Day 30] Classic Crackme 0x100
完整目錄
圖片
  直播研討會
圖片
{{ item.channelVendor }} {{ item.webinarstarted }} |
{{ formatDate(item.duration) }}
直播中

尚未有邦友留言

立即登入留言
iThome鐵人賽
參賽組數
1064
團體組數
40
累計文章數
22189
完賽人數
602
iT+看影片追技術 看影片追技術 看更多
熱門tag 看更多
15th鐵人賽 16th鐵人賽 13th鐵人賽 14th鐵人賽 12th鐵人賽 11th鐵人賽 鐵人賽 2019鐵人賽 javascript 2018鐵人賽 python 2017鐵人賽 windows php c# windows server linux css react vue.js
熱門問題
熱門回答
熱門文章
IT邦幫忙