
2018 Financial Industry CTF Competition: Backdoor (traffic data analysis) writeup

Backdoor

flag: flag{b3c4r3fortheChinaChopperFHGJKUI^U%}

Solution steps:

Open the capture file in Wireshark, filter for HTTP packets, right-click any packet and choose Follow -> HTTP Stream.

The followed stream contains a large block of hexadecimal data; the first few bytes show it is the file header of a ZIP archive.

Copy the parameter value that follows z1.

Paste it into the C32asm tool as hexadecimal.

(File -> New Hex File. The content pane of the newly created file already contains data, so delete that content first. Then Edit -> Paste Special, choose "ASCII Hex" -> OK, and save the result as a zip file.)

The file header shows the file is a ZIP archive, so after saving it, rename it to use the .zip extension.

Opening the archive reveals that it contains an image.

Opening the image shows a QR code.

Scanning the QR code yields the flag.

Appendix: common file headers (hex header, extension(s), description)

FFD8FFFE00, .JPEG;.JPE;.JPG, "JPG Graphic File"
FFD8FFE000, .JPEG;.JPE;.JPG, "JPG Graphic File"
474946383961, .gif, "GIF 89A"
474946383761, .gif, "GIF 87A"
424D, .bmp, "Windows Bitmap"
4D5A, .exe;.com;.386;.ax;.acm;.sys;.dll;.drv;.flt;.fon;.ocx;.scr;.lrc;.vxd;.cpl;.x32, "Executable File"
504B0304, .zip, "Zip Compressed"
3A42617365, .cnt, ""
D0CF11E0A1B11AE1, .doc;.xls;.xlt;.ppt;.apr, "MS Compound Document v1 or Lotus Approach APR file"
0100000058000000, .emf, ""
03000000C466C456, .evt, ""
3F5F0300, .gid;.hlp;.lhp, "Windows Help File"
1F8B08, .gz, "GZ Compressed File"
28546869732066696C65, .hqx, ""
0000010000, .ico, "Icon File"
4C000000011402, .lnk, "Windows Link File"
25504446, .pdf, "Adobe PDF File"
5245474544495434, .reg, ""
7B5C727466, .rtf, "Rich Text Format File"
lh, .lzh, "Lz compression file"
MThd, .mid, ""
0A050108, .pcx, ""
25215053, .eps, "Adobe EPS File"
2112, .ain, "AIN Archive File"
1A02, .arc, "ARC/PKPAK Compressed 1"
1A03, .arc, "ARC/PKPAK Compressed 2"
1A04, .arc, "ARC/PKPAK Compressed 3"
1A08, .arc, "ARC/PKPAK Compressed 4"
1A09, .arc, "ARC/PKPAK Compressed 5"
60EA, .arj, "ARJ Compressed"
41564920, .avi, "Audio Video Interleave (AVI)"
425A68, .bz;.bz2, "Bzip Archive"
49536328, .cab, "Cabinet File"
4C01, .obj, "Compiled Object Module"
303730373037, .tar;.cpio, "CPIO Archive File"
4352555348, .cru;.crush, "CRUSH Archive File"
3ADE68B1, .dcx, "DCX Graphic File"
1F8B, .gz;.tar;.tgz, "Gzip Archive File"
91334846, .hap, "HAP Archive File"
3C68746D6C3E, .htm;.html, "HyperText Markup Language 1"
3C48544D4C3E, .htm;.html, "HyperText Markup Language 2"
3C21444F4354, .htm;.html, "HyperText Markup Language 3"
100, .ico, "ICON File"
5F27A889, .jar, "JAR Archive File"
2D6C68352D, .lha, "LHA Compressed"
20006040600, .wk1;.wks, "Lotus 123 v1 Worksheet"
00001A0007800100, .fm3, "Lotus 123 v3 FMT file"
00001A0000100400, .wk3, "Lotus 123 v3 Worksheet"
20006800200, .fmt, "Lotus 123 v4 FMT file"
00001A0002100400, .wk4, "Lotus 123 v5"
5B7665725D, .ami, "Lotus Ami Pro"
300000041505052, .adx, "Lotus Approach ADX file"
1A0000030000, .nsf;.ntf, "Lotus Notes Database/Template"
4D47582069747064, .ds4, "Micrografix Designer 4"
4D534346, .cab, "Microsoft CAB File Format"
4D546864, .mid, "Midi Audio File"
000001B3, .mpg;.mpeg, "MPEG Movie"
0902060000001000B9045C00, .xls, "MS Excel v2"
0904060000001000F6055C00, .xls, "MS Excel v4"
7FFE340A, .doc, "MS Word"
1234567890FF, .doc, "MS Word 6.0"
31BE000000AB0000, .doc, "MS Word for DOS 6.0"
1A00000300001100, .nsf, "Notes Database"
7E424B00, .psp, "PaintShop Pro Image File"
504B0304, .zip, "PKZIP Compressed"
89504E470D0A, .png, "PNG Image File"
6D646174, .mov, "QuickTime Movie"
6D646174, .qt, "Quicktime Movie File"
52617221, .rar, "RAR Archive File"
2E7261FD, .ra;.ram, "Real Audio File"
EDABEEDB, .rpm, "RPM Archive File"
2E736E64, .au, "SoundMachine Audio File"
53495421, .sit, "Stuffit v1 Archive File"
53747566664974, .sit, "Stuffit v5 Archive File"
1F9D, .z, "TAR Compressed Archive File"
49492A, .tif;.tiff, "TIFF (Intel)"
4D4D2A, .tif;.tiff, "TIFF (Motorola)"
554641, .ufa, "UFA Archive File"
57415645666D74, .wav, "Wave Files"
D7CDC69A, .wmf, "Windows Meta File"
4C000000, .lnk, "Windows Shortcut (Link File)"
504B3030504B0304, .zip, "WINZIP Compressed"
FF575047, .wpg, "WordPerfect Graphics"
FF575043, .wp, "WordPerfect v5 or v6"
3C3F786D6C, .xml, "XML Document"
FFFE3C0052004F004F0054005300540055004200, .xml, "XML Document (ROOTSTUB)"
3C21454E54495459, .dtd, "XML DTD"
5A4F4F20, .zoo, "ZOO Archive File"
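The manual procedure in the solution steps (copy the hex after z1, paste it as ASCII Hex, check the header, save as .zip, open the image inside) and the file-header table above can be scripted for incident response, where the same carving has to be repeated over many captured requests. The following Python is an added example written for this page, not code from the writeup or from the competition: it decodes the z1 parameter of a form-encoded HTTP body, identifies the carved file against a subset of the signatures in the table, and, when the result is a ZIP, lists and identifies its members. The HTTP body it processes is constructed inline (a ZIP holding a file with a PNG header); the parameter name z1 is taken from the writeup, everything else is an assumption of the example.

```python
"""Carve and identify a file transferred in a web-shell HTTP request.

Added example for this writeup. The request body is constructed here; it is
not the capture from the competition.
"""
import binascii
import io
import zipfile
from urllib.parse import parse_qs

# Subset of the file-header table above: hex header -> (extension, description).
SIGNATURES = {
    "504B0304": (".zip", "Zip Compressed"),
    "89504E470D0A": (".png", "PNG Image File"),
    "FFD8FFE000": (".jpg", "JPG Graphic File"),
    "1F8B08": (".gz", "GZ Compressed File"),
    "25504446": (".pdf", "Adobe PDF File"),
    "4D5A": (".exe", "Executable File"),
}


def identify(data: bytes):
    """Match the leading bytes of data against SIGNATURES, longest header first.

    Returns (extension, description) or None when no header matches.
    """
    head = binascii.hexlify(data[:16]).decode("ascii").upper()
    for sig in sorted(SIGNATURES, key=len, reverse=True):
        if head.startswith(sig):
            return SIGNATURES[sig]
    return None


def decode_z1(http_body: str) -> bytes:
    """Extract the z1 parameter from a form-encoded body and decode its hex.

    This is the scripted equivalent of C32asm's "ASCII Hex" paste; whitespace
    and line breaks left over from copy-and-paste are tolerated.
    """
    params = parse_qs(http_body, keep_blank_values=True)
    hex_blob = "".join(params["z1"][0].split())
    return bytes.fromhex(hex_blob)


def recover(http_body: str):
    """Decode z1, identify the carved file and, for a ZIP, its members.

    Returns (description of carved file, [(member name, member description)]).
    """
    blob = decode_z1(http_body)
    outer = identify(blob)
    members = []
    if outer and outer[0] == ".zip":
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for name in zf.namelist():
                inner = identify(zf.read(name))
                members.append((name, inner[1] if inner else "unknown"))
    return (outer[1] if outer else "unknown", members)


def build_sample_body() -> str:
    """Constructed stand-in for the captured request body.

    A ZIP holding a file that starts with the PNG header is hex-encoded into a
    z1 parameter, mirroring the layout described in the writeup. The PNG body
    is filler, not a real QR code.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("qrcode.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
    hex_blob = binascii.hexlify(buf.getvalue()).decode("ascii").upper()
    return "z0=placeholder&z1=" + hex_blob


if __name__ == "__main__":
    body = build_sample_body()
    kind, members = recover(body)
    print("carved file:", kind)
    for name, desc in members:
        print("  member:", name, "->", desc)
```

In a real investigation the body would come from the followed HTTP stream (Wireshark's "Show data as: Raw" export), and the recovered bytes would be written to disk with the extension returned by identify rather than trusting any name the attacker's tooling supplied.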