BUUCTF蜘蛛侠呀

解压后发现是流量包，好多icmp包

发现icmp包尾部有$$STRAT打头16进制的字符串，好多重复得。我们只需要提取尾部这些字符串是当icmp的type=0时上图标识为褐色的字符串，还需要把16进制的字符串转为对应的字符串（bytes 类型）并去重。

使用python脚本

import pyshark
import binasciidef process_pcap():# 使用pyshark的FileCapture打开名为out.pcap的文件，# 并设置显示过滤器，只捕获icmp.type等于0的ICMP数据包packets = pyshark.FileCapture('out.pcap', display_filter="icmp.type==0")res = []# 以写入模式打开名为out.txt的文件，指定编码为'utf - 8'with open('out.txt', 'w', encoding='utf - 8') as f:# 遍历捕获到的每个数据包for each in packets:try:# 将数据包中的十六进制数据（each.icmp.data）先转换为字节串，# 再使用'utf - 8'编码将字节串解码为字符串data = binascii.unhexlify(each.icmp.data).decode('utf - 8')# 如果解码后的字符串不在结果列表res中if data not in res:# 将该字符串写入到out.txt文件中f.write(data)# 将该字符串添加到结果列表res中，实现去重功能res.append(data)# 如果在binascii.unhexlify或decode操作中出现错误，捕获binascii.Error异常并跳过except binascii.Error:pass# 关闭数据包捕获对象packets.close()print('done')if __name__ == '__main__':process_pcap()

把out.txt首行和尾的开始和结束标志去除，去掉每行的头部的,

复制内容到cyberchef

或者使用下面python脚本直接输出processed_out.txt。内容复制到cyberchef

import os
import pyshark
import binascii
from tqdm import tqdmdef process_pcap():packets = pyshark.FileCapture('out.pcap', display_filter="icmp.type==0")res = []total_packets = len(list(packets))packets = pyshark.FileCapture('out.pcap', display_filter="icmp.type==0")with open('out.txt', 'w', encoding='utf - 8') as f:for each in tqdm(packets, total = total_packets):try:data = binascii.unhexlify(each.icmp.data).decode('utf - 8')if data not in res:res.append(data)except binascii.Error:passpackets.close()new_res = res[1: - 1]new_content = []for line in new_res:if line.startswith('$$START$$'):line = line.replace('$$START$$', '', 1)line = line.rstrip('\n')new_content.append(line)output_file = 'processed_out.txt'with open(output_file, 'w', encoding='utf - 8') as f_out:for line in new_content:f_out.write(line + '\n')print('done')if __name__ == '__main__':process_pcap()

或使用这个脚本，有两个好处一是直接生成最终结果，二是由于数据较大处理时间约两分钟，初始化有提示带进度条用户体验好。

import os
import pyshark
import binascii
from tqdm import tqdmdef process_pcap():packets = pyshark.FileCapture('out.pcap', display_filter="icmp.type==0")res = []print('正在初始化数据包读取，请稍候...')total_packets = len(list(packets))packets = pyshark.FileCapture('out.pcap', display_filter="icmp.type==0")progress_bar = tqdm(total = total_packets)for each in packets:try:data = binascii.unhexlify(each.icmp.data).decode('utf - 8')if data not in res:res.append(data)except binascii.Error as e:print(f"处理数据包时出现binascii.Error异常: {e}")progress_bar.update(1)progress_bar.close()packets.close()if not res:print("没有获取到有效的数据，可能是过滤条件问题或者pcap文件内容问题")returnnew_res = res[1: - 1]new_content = []for line in new_res:if line.startswith('$$START$$'):line = line.replace('$$START$$', '', 1)line = line.rstrip('\n')new_content.append(line)output_file = 'processed_out.txt'with open(output_file, 'w', encoding='utf - 8') as f_out:for line in new_content:f_out.write(line + '\n')print('done')if __name__ == '__main__':process_pcap()

cyberchef识别出是zip文件，点击保存图标，另存为zip文件，解压得flag.gif

把这个gif文件拷贝进kali，输入下面命令

identify -format "%T" flag.gif
 

把使用identify得到隐写信息

2050502050502050205020202050202020205050205020502050205050505050202050502020205020505050205020206666

我们去掉尾部6666，把20用0替换，50用1替换

205050205050205020502020205020202020505020502050205020505050505020205050202020502050505020502020

使用python和qt写个程序实现，源码如下：

import sys
from PyQt5.QtWidgets import QApplication, QWidget, QVBoxLayout, QHBoxLayout, QLabel, QLineEdit, QPushButton, QTextEditclass TextReplaceTool(QWidget):def __init__(self):super().__init__()self.init_ui()def init_ui(self):# 查找输入框及标签self.find_label = QLabel('查找内容:')self.find_input = QLineEdit()# 替换输入框及标签self.replace_label = QLabel('替换内容:')self.replace_input = QLineEdit()# 查找按钮self.find_button = QPushButton('查找')self.find_button.clicked.connect(self.find_text)# 替换按钮self.replace_button = QPushButton('替换')self.replace_button.clicked.connect(self.replace_text)# 文本编辑区域self.text_edit = QTextEdit()# 布局设置hbox1 = QHBoxLayout()hbox1.addWidget(self.find_label)hbox1.addWidget(self.find_input)hbox2 = QHBoxLayout()hbox2.addWidget(self.replace_label)hbox2.addWidget(self.replace_input)hbox3 = QHBoxLayout()hbox3.addWidget(self.find_button)hbox3.addWidget(self.replace_button)vbox = QVBoxLayout()vbox.addLayout(hbox1)vbox.addLayout(hbox2)vbox.addLayout(hbox3)vbox.addWidget(self.text_edit)self.setLayout(vbox)self.setWindowTitle('文本查找替换工具')self.show()def find_text(self):find_str = self.find_input.text()text = self.text_edit.toPlainText()start_index = text.find(find_str)if start_index!= -1:self.text_edit.moveCursor(QTextEdit.MoveOperation.Start)cursor = self.text_edit.textCursor()cursor.setPosition(start_index)self.text_edit.setTextCursor(cursor)def replace_text(self):find_str = self.find_input.text()replace_str = self.replace_input.text()text = self.text_edit.toPlainText()new_text = text.replace(find_str, replace_str)self.text_edit.setPlainText(new_text)if __name__ == '__main__':app = QApplication(sys.argv)ex = TextReplaceTool()sys.exit(app.exec_())

运行gui如图：两次替换可得结果

011011010100010000110101010111110011000101110100

去cyterchef

先binary（二进制）-bytes（字符串）再MD5编码

得 f0f1003afe4ae8ce4aa8e8487a8ab3b6

flag{f0f1003afe4ae8ce4aa8e8487a8ab3b6}