2023 Fujian Province 3rd Industrial Internet Innovation Competition CTF Misc-Covertchannel2

Posted by lpppp公主 on 2024-08-05

Challenge:

Recently the company's Windows server was compromised. The attacker used a fairly covert channel to exfiltrate confidential credentials, but traces were still captured by the traffic collection device. Can you recover the lost flag from it?

Analysis:

Analysing the capture shows an rsa.key, and in the packets of length 126 and 119 we find secrets.txt and data.zip. The next step is to write a script to extract the data.

exp:

import re
import subprocess

# Dump every MQTT packet in the capture as JSON. Running tshark without a
# shell and capturing stdout directly means a failing tshark raises at once.
proc = subprocess.run(
    ['tshark', '-r', 'Covertchannel.pcap', '-Y', 'mqtt', '-T', 'json'],
    capture_output=True, text=True, check=True)
data = proc.stdout

# Keep the raw JSON on disk for manual inspection
with open('msg.txt', 'w', encoding='utf-8') as f:
    f.write(data)

# Pull every "mqtt.msg" value with a regex instead of json.load(): tshark
# repeats the "mqtt" key when one TCP segment carries several MQTT packets,
# and json.load() silently keeps only the last one.
pattern = r'"mqtt\.msg": "(.*?)"'
msg_data = re.findall(pattern, data)
print(msg_data)

# One payload per line, in capture order
with open('msg_data.txt', 'w', encoding='utf-8') as f:
    for i in msg_data:
        f.write(i + '\n')

Looking at msg_data.txt, three segments can be observed, roughly as follows:

rsa.key
LS0tLS1CRUdJTiBQ
...

secrets.txt:
bFBkNlE3SDF1ZjRT

...

data.zip:
VUVzREJBb0FBQUFB

Then drop each of the three segments into CyberChef to decode. For the data.zip: segment, two rounds of base64 reveal the PK header.

[screenshot: image-20240704150246-bip0zqg]

[screenshot: image-20240704150307-s4j19h0]

[screenshot: image-20240704150351-gx3dhtt]
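The reassembly step above (label lines followed by base64 chunks, one per MQTT message, with one base64 layer on rsa.key and two on the other files) can be scripted instead of done by hand in CyberChef. The block below is an added example, not code from the writeup; the three files it rebuilds (TOY_PEM, TOY_ZIP, TOY_SECRET) and the message list SAMPLE_MESSAGES are constructed stand-ins, not the challenge data. It generalises the writeup's manual decode by peeling base64 layers until the output stops looking like base64, then identifying the result by its leading magic bytes.

```python
import base64
import re

# Constructed stand-ins for the three exfiltrated files (hypothetical contents,
# not the challenge data): a PEM key, a zip archive and a ciphertext blob.
TOY_PEM = b"-----BEGIN PRIVATE KEY-----\nMIIB\n-----END PRIVATE KEY-----\n"
TOY_ZIP = b"PK\x03\x04" + b"\x00" * 26 + b"1.txt"
TOY_SECRET = b"not-a-real-ciphertext"


def chunks(s, n=16):
    """Split a string into fixed-size pieces, one per MQTT message."""
    return [s[i:i + n] for i in range(0, len(s), n)]


def b64(data, rounds):
    """Apply base64 encoding `rounds` times (used only to build the sample)."""
    for _ in range(rounds):
        data = base64.b64encode(data)
    return data.decode("ascii")


# What msg_data.txt looks like: a file-name label, then the base64 chunks.
# rsa.key is encoded once, the other two files twice, as in the writeup.
SAMPLE_MESSAGES = (
    ["rsa.key"] + chunks(b64(TOY_PEM, 1))
    + ["secrets.txt:"] + chunks(b64(TOY_SECRET, 2))
    + ["data.zip:"] + chunks(b64(TOY_ZIP, 2))
)

LABEL_RE = re.compile(r"^([\w.-]+\.(?:key|txt|zip)):?$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
MAGIC = {b"-----BEGIN": "PEM key", b"PK\x03\x04": "zip archive"}


def split_segments(lines):
    """Group chunk lines under the file-name label that precedes them."""
    segments, current = {}, None
    for line in lines:
        line = line.strip()
        if not line:
            continue
        m = LABEL_RE.match(line)
        if m:
            current = m.group(1)
            segments[current] = []
        elif current is not None:
            segments[current].append(line)
    return {name: "".join(parts) for name, parts in segments.items()}


def peel_base64(text, max_rounds=4):
    """Base64-decode repeatedly while the result still looks like base64.
    Returns (decoded bytes, number of layers peeled)."""
    data = text.encode("ascii")
    rounds = 0
    while rounds < max_rounds:
        try:
            s = data.decode("ascii")
        except UnicodeDecodeError:
            break
        if len(s) % 4 or not B64_RE.match(s):
            break
        data = base64.b64decode(s, validate=True)
        rounds += 1
    return data, rounds


def identify(data):
    """Classify recovered bytes by their leading magic."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def recover(lines):
    """Map each file name to (bytes, base64 layers peeled, detected type)."""
    out = {}
    for name, text in split_segments(lines).items():
        data, rounds = peel_base64(text)
        out[name] = (data, rounds, identify(data))
    return out


if __name__ == "__main__":
    for name, (data, rounds, kind) in recover(SAMPLE_MESSAGES).items():
        print(f"{name}: {kind}, {rounds} base64 layer(s), {len(data)} bytes")
```

The "looks like base64" heuristic can over-peel when a file's real contents happen to consist only of base64 alphabet characters, so always confirm the final layer by magic bytes or by whether it parses as the expected format.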

Next, decrypt with the RSA private key.

exp:

import base64
from Crypto.PublicKey import RSA
from Crypto.Util.number import bytes_to_long, long_to_bytes

# Private key recovered from the rsa.key segment (one round of base64)
private_key_pem = '''-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC1YaMyRuhD9Pu5
w6GNhfYTQ0Vo/0OjZPKyDS3viCZIuXUsUn/vQxMJPWlCQq7rRv2c7+z8PTxeirV7
1fPT/sFxgxHbjZeFDRCvU7Pc4ZknT8rTymGWR9WB6XEi8s06gWQegxOKgq7smDJs
Qow+7OGes1Xm8HxgeDjjghzeN2dS75kswo+HF6hzZVKiJGoju/jyp2hqdjuMYySv
BHzlLoH5r1Yrdg/hEIOaua2h7s5p5ybJ+8aIqTEFz5Q/FuM4z9LE0O8ysJxo4WRV
+cbtWCD17kGIjRxHW5tTTszqrwHMISVyZq+5Ib1K7DGE3a/Ek/weYp5Fh8bX8LbH
RSwBsopXAgMBAAECggEADw3xDSm8enN5dzQpEwWE5JlnR+0z8Hpe+G9GmkR7JPsb
oheg3bt7937c3y6ItSd5wk5ZpZ/xhElQAdzCtZxF8wV1dHsekeEBOwQgABvLaeti
As0f52jD7FnzVXrAlPQLWsr3Ur5BBYsmWDz3xftESLdK0HWyZRFla2Cvw7PmhAgS
CDYvj5S0qk0h7KrNGJMfM8o+j7lE3ZKv5pTTVQ+/GUwF0q+Ujk75Zg3WMfGQQVOT
nM0kOa970Yfb7V2UHcQn9HCxHY0wc+/PK4jtn2h4htTrNBBTa4B6zTDY8sfYg0XB
+M2H57We0r7azWmdeVAM3woocqbNYMUFUB/PVR36CQKBgQDD5OxBcMepIDnWXb0c
ict5/O67VhkWUb64vA695P9luBtCKxfnhlSnPjPt3olCy5KInB02MnNJMHV4haqY
Gtxb+1GeXK3pJo837s7w7bnVAE3eP3OmYHk4aq8LMtxacd8WZ0UyUH16+4hKbrh+
JowSwZvLixWaJq0XaSIOkmO83wKBgQDtCMMjMzhiNEhNDHtc+SlVzqlXKtIp61ag
pavufiUUEKyRoG8i1GoIIPn7u2hEBF8Rm3euuWLl1SHAjWswNEUJnp2rO5sFGJBK
sgpIyxFkiSYFoXWKVd0r7k/KNPk1ShpHZhSJqEsYqmDjbTFFVxUCj3xerfZlqLQT
dzdOnoVpiQKBgQCG3RDmEL30qtIGyixK/HbQehjlcmX9HrQePKIti/1kyzZA/KgN
ZkbbiRB5QA7hpIMyd8AIsvz5s1n8apHC/CMfVEuhqg61CC3rhQaFijS49uelDawS
LDLoa1ItdIuN3P2IT/qspAtvYsI29Dkh6Gng89fNbuilYuEhz+h5fcEaowKBgBlc
aqSFgm7fcSztPPXBou6PYgb1ie76QxaFI1QtIwJ2lkAujjWHzKB6BsUsVAeTACj+
HVwQcchteWMEvoc10H0q/2umwPtWmXmkev023PGIywynLdBTR4q/wMG90TwmZZFm
FqRz4TUOZbdvo2nr20+e0ou+yTIvTrUWeFBtHZEhAoGACualPMp1+DKOnGRKqpBA
c/W/ObkBBgQsV11k+wy1AZ0SVUjY0DkEKdKAMxQ6v0+ERCrbgVOux0xGR7MF7RGY
OwuVNDyCUT/gbqkxU3aUmT9oa+kbnxHtdUsbqeziEJ9xMLWlDygVfv4ae+InKbS0
MnZAAXUNDQIu5dxYCGPlrfA=
-----END PRIVATE KEY-----
'''

# Ciphertext from the secrets.txt segment after the first base64 round;
# the second round is decoded below
enc = 'lPd6Q7H1uf4SNEKH4IE1Kg2iDFk0DBhJwCBsdI2WhzOGap08kdPYQFr6apSvZiTHvjiX2tmUlI9i2wh/1ghwIK97PbHDq1+SxE1nr46m0P/C1zgkB22+u3V2q19IOAatnasrkPDJLPim+xnx7t1NyA7VJLwsRNCPoqEgLmfQBwuzPBjXCtufQY/kAih7Ku4OnUWkJXDydIlONzejeI+mQG/8UQHM4PbscjoovRvec+aJR1lj8031qcm+2ZvIdR+dIDbCW2kYjmNbmW+L6PnKCe/suJJ4AeR4JmMleQERLzimgXnWnFRv8ZziUsrKYUUtMol9WXJk88V7QHMr/L3FEg=='

# Parse the private key and take the parameters needed for decryption
key = RSA.import_key(private_key_pem)
n = key.n
d = key.d

# Textbook RSA: m = c^d mod n. This does not strip the PKCS#1 padding, so the
# output begins with padding bytes; if the sender used PKCS#1 v1.5, the real
# plaintext (the archive password) follows the last 0x00 separator.
c = bytes_to_long(base64.b64decode(enc))
m = pow(c, d, n)

plaintext = long_to_bytes(m)
print(plaintext)
print(plaintext.split(b'\x00')[-1])
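Why the raw pow(c, d, n) above prints padding bytes in front of the password, and how the padding is meant to be stripped, is shown by this added example (not the writeup's code). It implements textbook RSA with EME-PKCS1-v1_5 padding on a toy key built from two Mersenne primes so it runs without PyCryptodome; the key size, the padding scheme and the sample password are assumptions for illustration, not values from the challenge.

```python
import os

# Toy RSA key from two Mersenne primes (assumption for illustration only;
# the challenge key is a normal 2048-bit key). Python >= 3.8 for pow(e, -1, m).
P = (1 << 107) - 1
Q = (1 << 127) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8          # modulus length in bytes


def pkcs1_v15_pad(msg, k):
    """EME-PKCS1-v1_5 encoding: 00 02 <non-zero random bytes> 00 <msg>."""
    if len(msg) > k - 11:
        raise ValueError("message too long for this modulus")
    ps = b""
    while len(ps) < k - 3 - len(msg):
        b = os.urandom(1)
        if b != b"\x00":               # padding string must contain no zero byte
            ps += b
    return b"\x00\x02" + ps + b"\x00" + msg


def encrypt(msg):
    """Pad, then c = m^e mod n, returned as a fixed-length big-endian string."""
    em = pkcs1_v15_pad(msg, K)
    return pow(int.from_bytes(em, "big"), E, N).to_bytes(K, "big")


def raw_decrypt(ct):
    """What pow(c, d, n) gives: the padded block, padding still in place.
    (long_to_bytes() in the writeup additionally drops the leading 0x00.)"""
    m = pow(int.from_bytes(ct, "big"), D, N)
    return m.to_bytes(K, "big")


def unpad(em):
    """Strip EME-PKCS1-v1_5. Returns None on a malformed block instead of
    raising, so a caller does not leak padding-oracle style errors."""
    if len(em) < 11 or em[0] != 0 or em[1] != 2:
        return None
    sep = em.find(b"\x00", 2)
    if sep < 10:                       # padding string must be >= 8 bytes
        return None
    return em[sep + 1:]


def decrypt(ct):
    """Proper decryption: raw RSA followed by padding removal."""
    return unpad(raw_decrypt(ct))


if __name__ == "__main__":
    ct = encrypt(b"zip-password-123")          # constructed sample plaintext
    print(raw_decrypt(ct))                     # padding bytes, then the password
    print(decrypt(ct))                         # the password alone
```

The writeup's "look after the last 0x00" shortcut works only for PKCS#1 v1.5; with OAEP the raw decrypt looks like random bytes and must be unmasked by the proper decoder (PKCS1_OAEP in PyCryptodome).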

Alternatively, use the website: RSA Encrypt/Decrypt - 錘子線上工具 (toolhelper.cn)

[screenshot: image-20240704150545-oe34a8x]

Finally, use the decrypted string as the archive password; after opening it, the flag is in 1.txt.

flag{a3e0f096-17ed-4c0b-8895-4dd0cbabafaf}

Summary:

When extracting the strings with tshark, I originally converted to JSON with tshark -r Covertchannel.pcap -Y "mqtt" -T json > 1.json and then extracted from the JSON.

Here is my original script. I later found that this 1.json is not in a standard data format: under one layer there are 2 mqtt keys, and when extracting we only get the last one, because by default it overwrites the earlier one. I stared at this for ages, kept thinking the data was wrong, then realised that some of the data had not been extracted, so in the end I used a regex to pull out all the needed data.

import json
import subprocess

command = 'tshark -r Covertchannel.pcap -Y "mqtt" -T json > 1.json'

proc = subprocess.Popen(command, shell=True,
                        stdout=subprocess.PIPE, stderr=subprocess.PIPE)
proc.communicate()

with open('1.json', 'r', encoding='utf-8') as f:
    # When a frame holds two "mqtt" keys, json.load() keeps only the last one
    data = json.load(f)

a1 = []
for i in data:
    try:
        b1 = i['_source']['layers']['mqtt']['mqtt.msg']
        a1.append(b1)
    except KeyError:
        # no mqtt layer in this frame, or an MQTT packet without a payload
        pass
print(a1)
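The duplicate-key problem described in the summary can also be solved inside the JSON path rather than by falling back to a regex: json.loads accepts an object_pairs_hook, which receives every (key, value) pair of an object before the dict is built and can keep repeated keys instead of overwriting them. The block below is an added example, not the writeup's code; SAMPLE_TSHARK_JSON is a constructed stand-in for tshark's output in which the first frame carries two MQTT packets, and it shows the naive walk losing one payload while the hook-based walk keeps all of them.

```python
import json

# Constructed stand-in for `tshark -T json` output (not the challenge capture).
# The first frame carries two MQTT PUBLISH packets (msgtype 3) in one TCP
# segment, which tshark emits as two "mqtt" keys in the same "layers" object;
# the last frame is a PUBACK (msgtype 4) with no payload.
SAMPLE_TSHARK_JSON = """
[
  {"_source": {"layers": {
      "frame": {"frame.len": "126"},
      "mqtt": {"mqtt.msgtype": "3", "mqtt.msg": "chunk-A"},
      "mqtt": {"mqtt.msgtype": "3", "mqtt.msg": "chunk-B"}
  }}},
  {"_source": {"layers": {
      "frame": {"frame.len": "119"},
      "mqtt": {"mqtt.msgtype": "3", "mqtt.msg": "chunk-C"}
  }}},
  {"_source": {"layers": {
      "frame": {"frame.len": "60"},
      "mqtt": {"mqtt.msgtype": "4"}
  }}}
]
"""


def keep_duplicates(pairs):
    """object_pairs_hook: collect repeated keys into a list instead of letting
    the last occurrence overwrite the earlier ones. Keys that appear once keep
    their plain value, so untouched parts of the document look as usual."""
    obj, repeated = {}, set()
    for key, value in pairs:
        if key not in obj:
            obj[key] = value
        elif key in repeated:
            obj[key].append(value)
        else:
            obj[key] = [obj[key], value]
            repeated.add(key)
    return obj


def extract_naive(text):
    """The original approach: plain json.loads(), last "mqtt" key wins."""
    msgs = []
    for pkt in json.loads(text):
        mqtt = pkt["_source"]["layers"].get("mqtt")
        if mqtt and "mqtt.msg" in mqtt:
            msgs.append(mqtt["mqtt.msg"])
    return msgs


def extract_all(text):
    """Same walk, but every MQTT packet of a frame is preserved."""
    msgs = []
    for pkt in json.loads(text, object_pairs_hook=keep_duplicates):
        mqtt = pkt["_source"]["layers"].get("mqtt")
        if mqtt is None:
            continue
        for packet in (mqtt if isinstance(mqtt, list) else [mqtt]):
            if "mqtt.msg" in packet:       # CONNECT/PUBACK etc. carry no payload
                msgs.append(packet["mqtt.msg"])
    return msgs


if __name__ == "__main__":
    print("naive:", extract_naive(SAMPLE_TSHARK_JSON))
    print("all:  ", extract_all(SAMPLE_TSHARK_JSON))
```

The hook keeps packet order within a frame, which matters here because the chunks have to be concatenated in capture order before base64 decoding; the regex approach in the writeup preserves order too, but breaks if a payload ever contains an escaped quote.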
