This challenge tests MQTT traffic analysis and RSA decryption. First, open the capture:

It is clean and needs no filtering. A quick look at the MQTT protocol tells us

that the message field of each PUBLISH packet carries the transmitted value. Looking at the first few packets,

we find an rsakey field, so the data can be pulled out with:

tshark -r Covertchannel.pcap -Y "mqtt" -T fields -e mqtt.msg > 1.txt

A little cleanup is needed: tshark prints the payload bytes as a hex string, and a packet that carries several message values has them comma-separated, so strip the commas and newlines, hex-decode, then base64-decode. That yields the private key, secret.txt and data.zip.
data.zip turns out to be password-protected.

So the guess is that the private key decrypts secret.txt, which was encrypted with the matching public key.
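The cleanup step above, as an added example that is not part of the original write-up. It assumes tshark printed each packet's mqtt.msg as a hex string with a comma between repeated occurrences, that the concatenated hex is base64 text, and that the three files can be told apart by signature (PEM markers and the ZIP local-file header); the 1.txt stand-in is constructed here.

```python
import base64
import re


def hex_fields_to_bytes(field_output):
    """Strip commas (field repeated in one packet), colons and whitespace, then hex-decode."""
    hexstr = re.sub(r"[,:\s]", "", field_output)
    if len(hexstr) % 2:
        raise ValueError("odd number of hex digits: a message is truncated or mis-split")
    return bytes.fromhex(hexstr)


def recover_payload(field_output):
    """tshark hex -> base64 text -> the original bytes the covert channel carried."""
    b64_text = b"".join(hex_fields_to_bytes(field_output).split())  # drop line breaks inside the base64
    return base64.b64decode(b64_text)


def find_artifacts(blob):
    """Carve the recovered blob by signature (assumption: PEM markers and a ZIP local header)."""
    found = {}
    start = blob.find(b"-----BEGIN PRIVATE KEY-----")
    end = blob.find(b"-----END PRIVATE KEY-----")
    if start != -1 and end > start:
        found["private_key"] = blob[start:end + len(b"-----END PRIVATE KEY-----")]
    zip_at = blob.find(b"PK\x03\x04")
    if zip_at != -1:
        found["data.zip"] = blob[zip_at:]
    return found


# Constructed stand-in for 1.txt: a fake key and a ZIP header, base64-encoded, sent 16 bytes
# per MQTT message and printed by tshark as hex (two messages share the first frame).
CONSTRUCTED_PAYLOAD = (
    b"-----BEGIN PRIVATE KEY-----\nbm90IGEgcmVhbCBrZXk=\n-----END PRIVATE KEY-----\n"
    b"PK\x03\x04 ... constructed zip bytes ..."
)


def _simulate_tshark_output(payload, chunk=16):
    b64 = base64.b64encode(payload)
    lines = [b64[i:i + chunk].hex() for i in range(0, len(b64), chunk)]
    lines[0:2] = [lines[0] + "," + lines[1]]  # tshark separates repeated fields with a comma
    return "\n".join(lines) + "\n"


SAMPLE_FIELD_OUTPUT = _simulate_tshark_output(CONSTRUCTED_PAYLOAD)

if __name__ == "__main__":
    blob = recover_payload(SAMPLE_FIELD_OUTPUT)
    for name, data in find_artifacts(blob).items():
        print(name, len(data), "bytes")
```

The odd-length check matters in practice: a missing or duplicated packet shows up there as a hex error rather than as silently corrupted base64 further down.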

-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----

secret.txt:

bFBkNlE3SDF1ZjRTTkVLSDRJRTFLZzJpREZrMERCaEp3Q0JzZEkyV2h6T0dhcDA4a2RQWVFGcjZhcFN2WmlUSHZqaVgydG1VbEk5aTJ3aC8xZ2h3SUs5N1BiSERxMStTeEUxbnI0Nm0wUC9DMXpna0IyMit1M1YycTE5SU9BYXRuYXNya1BESkxQaW0reG54N3QxTnlBN1ZKTHdzUk5DUG9xRWdMbWZRQnd1elBCalhDdHVmUVkva0FpaDdLdTRPblVXa0pYRHlkSWxPTnplamVJK21RRy84VVFITTRQYnNjam9vdlJ2ZWMrYUpSMWxqODAzMXFjbSsyWnZJZFIrZElEYkNXMmtZam1OYm1XK0w2UG5LQ2Uvc3VKSjRBZVI0Sm1NbGVRRVJMemltZ1huV25GUnY4WnppVXNyS1lVVXRNb2w5V1hKazg4VjdRSE1yL0wzRkVnPT=

secret.txt is itself base64 text: decoding it once gives the string assigned to ksecret below, and the script base64-decodes that again to obtain the raw ciphertext. n and d were read off the private key with an online tool:
http://www.hiencode.com/priv_asys.html
Uploading a key to a third-party site is acceptable for a throwaway CTF artifact, never for a real private key; the same values can be read locally with openssl pkey -in key.pem -text -noout or pycryptodome's RSA.import_key. Then decrypt with the script:

from base64 import b64decode
from Crypto.Util.number import bytes_to_long, long_to_bytes

# modulus and private exponent read off the recovered private key
n = 22897280037618974619340846752999631827813818170571516093336584434775675187911179854957453351224025346333112420553633170369593452474468994360875843672122891197414738125554960475847811974999960386639323750005461211814555798539418918028176295505664790681416998283240971057298698033755526560483652785000652359544503171667435140921558876010825999934580334820605796539553023241585105667208475754931859753698830927470458071231845332752109628151991221800856650720139024371213297529175153974325381443615718839995260607889829031612063951205623842853683671813857941916059109130631113924524369318816564540461224076941697301514839
d = 1900449437182483367287250498389329650844458305061625673889624960449246764188822540260327257945635074406502662795085030291673460560215971051863590821284350316131917360177551726633415829806251194334873453746047366551189042314344098823782976935213141109778716788404859271345595128776312414754273606115797923459124942020459641900581560513546440430423068817960532088772269553080009423772016559433423351574011538603757410467222208992113233166851765907432319285253284046549512288457264075133865582854163144527301952940757041488705998905401183446222196348514190895895140391122398911374890210750891922002358312637449887414793
# contents of secret.txt after one base64 decode
ksecret = b"lPd6Q7H1uf4SNEKH4IE1Kg2iDFk0DBhJwCBsdI2WhzOGap08kdPYQFr6apSvZiTHvjiX2tmUlI9i2wh/1ghwIK97PbHDq1+SxE1nr46m0P/C1zgkB22+u3V2q19IOAatnasrkPDJLPim+xnx7t1NyA7VJLwsRNCPoqEgLmfQBwuzPBjXCtufQY/kAih7Ku4OnUWkJXDydIlONzejeI+mQG/8UQHM4PbscjoovRvec+aJR1lj8031qcm+2ZvIdR+dIDbCW2kYjmNbmW+L6PnKCe/suJJ4AeR4JmMleQERLzimgXnWnFRv8ZziUsrKYUUtMol9WXJk88V7QHMr/L3FEg=="

c = bytes_to_long(b64decode(ksecret))   # ciphertext as an integer
# textbook RSA, m = c^d mod n; any PKCS#1 padding bytes are left in front of the plaintext
print(long_to_bytes(pow(c, d, n)))
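The same decryption done without handing the key to a website, as an added example that is not the write-up's code: a minimal DER reader pulls n, e, d (and the CRT values) out of a PKCS#8 "BEGIN PRIVATE KEY" block, and the plaintext is handled with or without PKCS#1 v1.5 padding. The key used below is a constructed toy key (p=61, q=53) so the block runs offline; pow(e, -1, phi) needs Python 3.8 or newer.

```python
import base64
import re


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element that starts at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def _children(seq_body):
    """Split the body of a SEQUENCE into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(seq_body):
        tag, val, pos = _read_tlv(seq_body, pos)
        out.append((tag, val))
    return out


def pem_to_der(pem):
    body = re.sub(r"-----(BEGIN|END) [A-Z ]+-----", "", pem)
    return base64.b64decode("".join(body.split()))


def parse_pkcs8_rsa(pem):
    """Read n, e, d, p, q, dp, dq, qinv from a PKCS#8 ('BEGIN PRIVATE KEY') RSA key."""
    tag, info, _ = _read_tlv(pem_to_der(pem), 0)
    if tag != 0x30:
        raise ValueError("PrivateKeyInfo must be a SEQUENCE")
    _version, _alg_id, (oct_tag, key_der) = _children(info)[:3]
    if oct_tag != 0x04:
        raise ValueError("privateKey must be an OCTET STRING")
    _tag, rsa_key, _ = _read_tlv(key_der, 0)           # the inner RSAPrivateKey SEQUENCE
    ints = [int.from_bytes(v, "big") for t, v in _children(rsa_key) if t == 0x02]
    return dict(zip(["version", "n", "e", "d", "p", "q", "dp", "dq", "qinv"], ints))


def strip_pkcs1_v15(block):
    """Remove 00 02 <random non-zero bytes> 00 padding when present, else just leading zeros."""
    if block[:2] == b"\x00\x02":
        sep = block.find(b"\x00", 2)
        if sep != -1:
            return block[sep + 1:]
    return block.lstrip(b"\x00")


def decrypt_secret(pem, b64_ciphertext):
    """The write-up's pipeline: base64 -> integer -> c^d mod n -> bytes, with padding handled."""
    key = parse_pkcs8_rsa(pem)
    c = int.from_bytes(base64.b64decode(b64_ciphertext), "big")
    k = (key["n"].bit_length() + 7) // 8               # modulus length in bytes
    return strip_pkcs1_v15(pow(c, key["d"], key["n"]).to_bytes(k, "big"))


# --- constructed toy key so the example runs offline (p=61, q=53: far too small for real use)
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def _der_int(v):
    b = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    return _der(0x02, b"\x00" + b if b[0] & 0x80 else b)


def make_toy_pem(p=61, q=53, e=17):
    n, d = p * q, pow(e, -1, (p - 1) * (q - 1))
    fields = [0, n, e, d, p, q, d % (p - 1), d % (q - 1), pow(q, -1, p)]
    rsa_key = _der(0x30, b"".join(_der_int(x) for x in fields))
    alg_id = _der(0x30, bytes.fromhex("06092a864886f70d010101") + b"\x05\x00")  # rsaEncryption, NULL
    pkcs8 = _der(0x30, _der_int(0) + alg_id + _der(0x04, rsa_key))
    b64 = base64.b64encode(pkcs8).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN PRIVATE KEY-----\n" + "\n".join(lines) + "\n-----END PRIVATE KEY-----\n"


TOY_PEM = make_toy_pem()


def toy_ciphertext_b64(m):
    """Encrypt a small integer with the toy public key, base64-encoded as in secret.txt."""
    key = parse_pkcs8_rsa(TOY_PEM)
    k = (key["n"].bit_length() + 7) // 8
    return base64.b64encode(pow(m, key["e"], key["n"]).to_bytes(k, "big")).decode()


if __name__ == "__main__":
    key = parse_pkcs8_rsa(TOY_PEM)
    print("n =", key["n"], "d =", key["d"])
    print(decrypt_secret(TOY_PEM, toy_ciphertext_b64(42)))   # b'*'
```

Feed the challenge's PEM to parse_pkcs8_rsa and the raw pow result will match the script above; decrypt_secret additionally drops the 00 02 ... 00 prefix that a PKCS#1 v1.5 encryption leaves in front of the password.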

Decryption yields the password: b4ddfa11-4c91-48da-8e57-37d86a3f40ee

Unzipping the archive with it gives 1.txt, a mimikatz credential dump. Find the entry whose username is flag;

its password is the flag.
