
CTF

2023-03-27 04:52 | Source: collected from the web | Views: 265

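Challenge

Challenge name: Keyboard traffic

Challenge type: MISC

Solution approach

Downloading and extracting the challenge archive yields two files: 55.pcapng and miwen.txt.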

miwen.txt

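miwen.txt contains a Base64-encoded fake flag, but the file size does not match the visible content: the text file hides data in zero-width characters. To spot the zero-width characters, open the file in vim.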

Decoding with a Python script

    python3 -m pip install zwsp-steg-py

    #!/usr/bin/python
    # -*- coding: utf-8 -*-
    import zwsp_steg

    # miwen.txt holds the fake Base64 flag (ZmxhZ3toYWhhfmZha2VmbGFnIX0=) with the
    # zero-width payload embedded inside it, so decode the file content directly.
    with open('miwen.txt', encoding='utf-8') as f:
        decoded = zwsp_steg.decode(f.read(), zwsp_steg.MODE_FULL)
    print(decoded)

    output:
    U2FsdGVkX19j4fOZJQd2l3DCeDBtJq5T8+XdfCsJ9WJSPBFuNy6QuP/edRHwx/ex5duvz6ZFX2CN4gmmJgWf1Q==


55.pcapng

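Opening the pcap shows USB keyboard traffic. The keyboard data is recorded in the Data field, so all Data values have to be extracted and their hexadecimal key codes converted to recover the keystrokes recorded in the capture.

1. Use Wireshark's tshark.exe to extract the traffic data, as follows: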

    tshark.exe -T json -r 55.pcapng > test.json

    Usage: tshark.exe -T json -r <capture file> > <output file>

In the exported file, the keyboard data is stored in usbhid.data. Extract all of the usbhid.data values.

2. Use a Python script to convert all of the extracted usbhid.data values into the typed content. How the script works:

    #!/usr/bin/env python
    # -*- coding:utf-8 -*-
    # Expects usbdata.txt to hold one usbhid.data value per line, colon-separated,
    # e.g. 00:00:04:00:00:00:00:00 (byte 0 = modifier, byte 2 = key code).
    # Non-printing keys are kept as markers such as <DEL> (Backspace) and <CAP> (Caps Lock).
    normalKeys = {"04":"a", "05":"b", "06":"c", "07":"d", "08":"e", "09":"f", "0a":"g", "0b":"h", "0c":"i", "0d":"j",
                  "0e":"k", "0f":"l", "10":"m", "11":"n", "12":"o", "13":"p", "14":"q", "15":"r", "16":"s", "17":"t",
                  "18":"u", "19":"v", "1a":"w", "1b":"x", "1c":"y", "1d":"z", "1e":"1", "1f":"2", "20":"3", "21":"4",
                  "22":"5", "23":"6", "24":"7", "25":"8", "26":"9", "27":"0", "28":"<RET>", "29":"<ESC>", "2a":"<DEL>",
                  "2b":"\t", "2c":"<SPACE>", "2d":"-", "2e":"=", "2f":"[", "30":"]", "31":"\\", "32":"<NON>", "33":";",
                  "34":"'", "35":"<GA>", "36":",", "37":".", "38":"/", "39":"<CAP>", "3a":"<F1>", "3b":"<F2>",
                  "3c":"<F3>", "3d":"<F4>", "3e":"<F5>", "3f":"<F6>", "40":"<F7>", "41":"<F8>", "42":"<F9>",
                  "43":"<F10>", "44":"<F11>", "45":"<F12>"}
    shiftKeys = {"04":"A", "05":"B", "06":"C", "07":"D", "08":"E", "09":"F", "0a":"G", "0b":"H", "0c":"I", "0d":"J",
                 "0e":"K", "0f":"L", "10":"M", "11":"N", "12":"O", "13":"P", "14":"Q", "15":"R", "16":"S", "17":"T",
                 "18":"U", "19":"V", "1a":"W", "1b":"X", "1c":"Y", "1d":"Z", "1e":"!", "1f":"@", "20":"#", "21":"$",
                 "22":"%", "23":"^", "24":"&", "25":"*", "26":"(", "27":")", "28":"<RET>", "29":"<ESC>", "2a":"<DEL>",
                 "2b":"\t", "2c":"<SPACE>", "2d":"_", "2e":"+", "2f":"{", "30":"}", "31":"|", "32":"<NON>", "33":":",
                 "34":"\"", "35":"<GA>", "36":"<", "37":">", "38":"?", "39":"<CAP>", "3a":"<F1>", "3b":"<F2>",
                 "3c":"<F3>", "3d":"<F4>", "3e":"<F5>", "3f":"<F6>", "40":"<F7>", "41":"<F8>", "42":"<F9>",
                 "43":"<F10>", "44":"<F11>", "45":"<F12>"}
    output = []
    keys = open('usbdata.txt')
    for line in keys:
        try:
            # Keep only reports with no modifier or left Shift, a single key in byte 2,
            # and every other byte zero; skip key-release reports (key code 00).
            if line[0]!='0' or (line[1]!='0' and line[1]!='2') or line[3]!='0' or line[4]!='0' or line[9]!='0' or line[10]!='0' or line[12]!='0' or line[13]!='0' or line[15]!='0' or line[16]!='0' or line[18]!='0' or line[19]!='0' or line[21]!='0' or line[22]!='0' or line[6:8]=="00":
                continue
            if line[6:8] in normalKeys.keys():
                # Index 1 (shiftKeys) is chosen when the modifier byte is 02 (left Shift)
                output += [[normalKeys[line[6:8]]],[shiftKeys[line[6:8]]]][line[1]=='2']
            else:
                output += ['[unknown]']
        except IndexError:
            # Line too short to be a keyboard report
            pass
    keys.close()

    flag=0
    # Raw keystrokes, including the <DEL> markers
    print("".join(output))
    # Apply each <DEL>: drop the marker and the character typed before it
    for i in range(len(output)):
        try:
            a=output.index('<DEL>')
            del output[a]
            del output[a-1]
        except ValueError:
            pass
    # Apply Caps Lock: upper-case everything between a pair of <CAP> markers
    for i in range(len(output)):
        try:
            if output[i]=="<CAP>":
                flag+=1
                output.pop(i)
                if flag==2:
                    flag=0
            if flag!=0:
                output[i]=output[i].upper()
        except IndexError:
            pass
    print ('output :' + "".join(output))


The output is:

    plkeaeseyfiindtsheryealykeydwords
    output :pleasefindtherealkeyword

Decryption

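miwen turns out to be AES-encrypted ciphertext, so a key is needed to decrypt it with a decryption tool.

Decrypting with pleasefindtherealkeyword does not succeed.

The bytes removed with Del spell "keyisyyds", so the actual key is yyds, which decrypts the flag.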
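The following is an added example, not the original post's script: it decodes the 8-byte usbhid.data reports and returns the erased characters separately, since the key here was hidden in exactly those keystrokes. It goes beyond the script above by reading all six key slots and tracking held keys, so overlapping key presses are not dropped. The names decode_reports, usage_to_char and SAMPLE are hypothetical, the sample reports are constructed, and Caps Lock and punctuation are left out.

```python
# Added example (not from the original post): decode USB HID boot-keyboard
# reports and keep the characters that Backspace erased.
SHIFT_BITS = 0x22   # left/right Shift bits in the modifier byte (byte 0)
BACKSPACE = 0x2A    # HID usage ID for Backspace

def usage_to_char(usage, shifted):
    """Map a HID usage ID to a character (letters, digits, space only)."""
    if 0x04 <= usage <= 0x1D:
        ch = chr(ord("a") + usage - 0x04)
        return ch.upper() if shifted else ch
    if 0x1E <= usage <= 0x27:
        return ("!@#$%^&*()" if shifted else "1234567890")[usage - 0x1E]
    return " " if usage == 0x2C else None

def decode_reports(reports):
    """Return (final_text, erased_text) for an iterable of hex report strings."""
    typed, erased, held = [], [], set()
    for raw in reports:
        try:
            data = bytes.fromhex(raw.strip().replace(":", ""))
        except ValueError:
            continue                       # not hex, skip the line
        if len(data) != 8:
            continue                       # not an 8-byte keyboard report
        keys = [k for k in data[2:8] if k > 0x03]   # 0x00-0x03: empty/error
        for usage in keys:
            if usage in held:
                continue                   # key still held from the last report
            if usage == BACKSPACE:
                if typed:
                    erased.append(typed.pop())
                continue
            ch = usage_to_char(usage, bool(data[0] & SHIFT_BITS))
            if ch is not None:
                typed.append(ch)
        held = set(keys)
    return "".join(typed), "".join(erased)

# Constructed sample: p, k, Backspace, l, y, Backspace, e and a overlapping, Shift+3
SAMPLE = [
    "0000130000000000", "0000000000000000", "00000e0000000000", "0000000000000000",
    "00002a0000000000", "0000000000000000", "00:00:0f:00:00:00:00:00",
    "0000000000000000", "00001c0000000000", "0000000000000000", "00002a0000000000",
    "0000000000000000", "0000080000000000", "0000080400000000", "0000040000000000",
    "0000000000000000", "0200200000000000",
]

if __name__ == "__main__":
    print(decode_reports(SAMPLE))
```

The second element of the returned tuple lists the erased characters in the order they were deleted, which is the view that exposes text typed and then removed.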


tshark.exe usage reference


