20250919_QQ_ICMP

Tags:流量分析,ICMP,data_len,pyshark

0x00. 题目

附件路径：https://pan.baidu.com/s/1GyH7kitkMYywGC9YJeQLJA?pwd=Zmxh#list/path=/CTF附件

附件名称：20250919_QQ_ICMP.zip

0x01. WP

1. 流量分析

整个流量包仅涉及ICMP协议，每次请求仅在data_len发生变化

2. 编写脚本提取数据

wireshark_exp.py

# -*- coding: utf-8 -*-
import pyshark, os, re,time
import base64# Author: Jason.J.Hu
# Create : 2023/12/11# 初始化全局参数，包括流量包名称，tshark位置
strCapPath = "icmp.pcapng"
strTsharkPath = "D:\\=Green=\\Wireshark\\App\\Wireshark\\"# Wireshark过滤表达式，提高数据包分析效率，过滤掉无效请求
strFomula=''cap = pyshark.FileCapture(strCapPath, display_filter=strFomula,tshark_path=strTsharkPath)print(time.strftime("%H:%M:%S", time.localtime()), "流量分析开始 ... ...")# 协议结构分析开始
print("协议结构分析开始...")
i=0
for layer in cap[0].layers:print("第",i+1,"层:",layer.layer_name)print(layer.field_names)i+=1
print("协议结构分析完成。")
print("=" * 16)# 流量内容分析开始
lstResult=['','','','']
sFlag=""
for pkt in cap:intRequestNumber = pkt.numberprint("\r\tFrame Number: %s ..." % str(intRequestNumber), end="")print("icmp.data_len: ",pkt.icmp.data_len)lstResult.append(chr(int(pkt.icmp.data_len)))print("\r")
sFlag="".join(lstResult)
print(sFlag)    
print("\r")
print(base64.b64decode(sFlag).decode())
print(time.strftime("%H:%M:%S", time.localtime()), "分析结束。")# ZmxhZ3tlMmRlMThkOS03N2M3LTRlNGEtYWNjMS02ODkxZWQ2MzU2NjV9
# flag{e2de18d9-77c7-4e4a-acc1-6891ed635665}

最终得到flag为flag{e2de18d9-77c7-4e4a-acc1-6891ed635665}