Tags: 流量分析, Modbus, pyshark
0x00. 题目
Dest0g3迎新赛
附件路径:https://pan.baidu.com/s/1GyH7kitkMYywGC9YJeQLJA?pwd=Zmxh#list/path=/CTF附件
附件名称:202312_Dest0g3_StrageTraiffic.zip
0x01. WP
1. 浏览流量请求,定位数据存放位置
(modbus) && (ip.src == 192.168.219.139)
2. 编写exp.py抽取数据
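import pyshark
import base64

# Paths to the local Wireshark/tshark install and to the capture extracted from
# the attachment; adjust both to the local environment.
strTsharkPath = "D:\\=Green=\\Wireshark\\App\\Wireshark\\"
strCapPath = ".\\StrangeTraffic.pcapng"
# Wireshark display filter that keeps only the Modbus frames sent by the host
# that holds the data (same expression used when browsing the capture).
filter_slow = 'modbus && ip.src == 192.168.219.139'
# Offset into the colon-separated hex dump of the TCP payload where the register
# data starts; chosen from the sample payload shown in the loop below.
PAYLOAD_OFFSET = 30
# Marker frame that opens (and, per the original notes, closes) the data stream;
# it is stripped from the extracted text.
MARKER = 'ABCDEFGHIJ'

sDT = ""        # hex dump of the most recently accepted register buffer
hexPairs = []   # hex byte pairs of every accepted buffer, in capture order

with pyshark.FileCapture(strCapPath, display_filter=filter_slow, tshark_path=strTsharkPath) as cap:
    for pkt in cap:
        print(f"\rProcessing frame: {pkt.number} ", end="")
        # Sample payload (hex bytes separated by ':'):
        # 01:17:00:00:00:17:01:03:14:00:49:00:31:00:4e:00:7a:00:45:00:77:00:4f:00:45:00:4a:00:39
        # In the sample, each data byte is preceded by a 0x00 padding byte.
        tmpDT = pkt.tcp.payload[PAYLOAD_OFFSET:]
        # The first buffer seen is the marker frame 'ABCDEFGHIJ'.
        if not sDT:
            sDT = tmpDT
            print(sDT)
        # For efficiency the buffer is only read once its last byte has changed,
        # i.e. once every character position has been refreshed (author's note;
        # relies on the capture rewriting the buffer front to back).
        if tmpDT[-2:] != sDT[-2:]:
            sDT = tmpDT
            # Drop the 0x00 padding bytes and keep the data bytes as hex pairs.
            hexPairs.extend(dt for dt in sDT.split(":") if dt != "00")

# Decode the collected bytes in one go instead of byte-by-byte, so a multi-byte
# UTF-8 sequence cannot raise UnicodeDecodeError midway; then remove the
# start/end marker frames.
sTmp = bytes.fromhex("".join(hexPairs)).decode("utf-8")
sTmp = sTmp.replace(MARKER, '')
print("\n")
print(sTmp)
# RGVzdDBnM3szMUE1QkVBNi1GMjBELUYxOEEtRThFQS0yOUI0RjI1NzEwOEJ9
# The extracted text is Base64; decoding it yields the flag.
print(base64.b64decode(sTmp).decode("utf-8"))
# Dest0g3{31A5BEA6-F20D-F18A-E8EA-29B4F257108B}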