202312_Dest0g3_StrageTraiffic

Tags: traffic analysis, Modbus, pyshark

0x00. Challenge

Dest0g3 freshman competition

Attachment path: https://pan.baidu.com/s/1GyH7kitkMYywGC9YJeQLJA?pwd=Zmxh#list/path=/CTF附件

Attachment name: 202312_Dest0g3_StrageTraiffic.zip

0x01. Write-up

1. Browse the traffic requests and locate where the data is stored

(modbus) && (ip.src == 192.168.219.139)


2. Write exp.py to extract the data

import pyshark
import base64

# Local tshark directory (adjust to your own Wireshark install) and the capture file
strTsharkPath = "D:\\=Green=\\Wireshark\\App\\Wireshark\\"
strCapPath = ".\\StrangeTraffic.pcapng"

# Select the useful frames with a Wireshark display filter
filter_slow = 'modbus && ip.src == 192.168.219.139'
sDT = ""
sTmp = ""
# Single pass over the filtered frames: collect every refreshed register window
with pyshark.FileCapture(strCapPath, display_filter=filter_slow, tshark_path=strTsharkPath) as cap:
    for pkt in cap:
        print(f"\rProcessing frame: {pkt.number} ", end="")
        # print(pkt.tcp.payload)
        # 01:17:00:00:00:17:01:03:14:00:49:00:31:00:4e:00:7a:00:45:00:77:00:4f:00:45:00:4a:00:39
        # Keep the useful part of the TCP payload (a colon-separated hex string);
        # from the dump above the register data starts at character offset 30
        tmpDT = pkt.tcp.payload[30:]
        # The first valid data frame holds 'ABCDEFGHIJ'
        if len(sDT) == 0:
            sDT = tmpDT
            print(sDT)
        # For efficiency, only read the data once every character position has been refreshed
        # (the last register byte changed since the last accepted window)
        if tmpDT[-2:] != sDT[-2:]:
            sDT = tmpDT
            # print(sDT)
            lstDT = sDT.split(":")
            for dt in lstDT:
                # Discard the 00 filler bytes (high byte of each register)
                if dt == "00":
                    continue
                # Convert each valid hex byte to a character and append it
                else:
                    sTmp += bytes.fromhex(dt).decode("utf-8")

# Strip the start and end markers
sTmp = sTmp.replace('ABCDEFGHIJ', '')
print("\n")
print(sTmp)
# RGVzdDBnM3szMUE1QkVBNi1GMjBELUYxOEEtRThFQS0yOUI0RjI1NzEwOEJ9

# Base64-decode to obtain the flag
print(base64.b64decode(sTmp).decode("utf-8"))

# Dest0g3{31A5BEA6-F20D-F18A-E8EA-29B4F257108B}
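To check the extraction logic without tshark, here is an added example (not the write-up's own code) that builds the same kind of Modbus/TCP FC 0x03 response frames the script dumps, parses them with MBAP length and byte-count checks, and replays the last-register change rule on a constructed poll sequence that also contains a repeated poll and a half-updated window. The flag, the 'ABCDEFGHIJ' marker and transaction id 0x0117 come from the page; the poll sequence itself is constructed.

```python
import base64
import struct

FLAG = "Dest0g3{31A5BEA6-F20D-F18A-E8EA-29B4F257108B}"  # flag stated in the write-up
SENTINEL = "ABCDEFGHIJ"                                 # start marker stated in the write-up

def build_fc03_response(transaction_id, unit_id, registers):
    """FC 0x03 response as the colon-separated hex string pyshark shows in tcp.payload."""
    data = b"".join(struct.pack(">H", r) for r in registers)
    pdu = bytes([0x03, len(data)]) + data                   # function code, byte count, data
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)  # protocol id 0
    return ":".join(f"{b:02x}" for b in mbap + pdu)

def parse_fc03_response(hex_payload):
    """Return (transaction_id, unit_id, registers); MBAP length and byte count must match."""
    raw = bytes.fromhex(hex_payload.replace(":", ""))
    if len(raw) < 9:
        raise ValueError("frame too short for MBAP header + FC 0x03 response")
    tid, proto, length, uid = struct.unpack(">HHHB", raw[:7])
    if proto != 0 or length != len(raw) - 6:
        raise ValueError("MBAP protocol id or length does not match the frame")
    fc, byte_count = raw[7], raw[8]
    if fc != 0x03 or byte_count % 2 or byte_count != len(raw) - 9:
        raise ValueError("not a well-formed FC 0x03 response")
    return tid, uid, [struct.unpack(">H", raw[i:i + 2])[0] for i in range(9, len(raw), 2)]

def extract_stream(frames):
    """The write-up's rule: accept a window only when its last register changed since the
    last accepted one (drops half-written windows and repeated polls); low byte = 1 char."""
    text, last = "", None
    for frame in frames:
        _, _, regs = parse_fc03_response(frame)
        if last is None or regs[-1] != last[-1]:
            if last is not None:
                text += "".join(chr(r & 0xFF) for r in regs if r & 0xFF)
            last = regs
    return text.replace(SENTINEL, "")

def recover_flag(frames):
    return base64.b64decode(extract_stream(frames)).decode()

def build_demo_frames():
    """Constructed poll sequence (not captured traffic): sentinel, the flag's base64 in
    10-character windows, plus one repeated poll and one half-updated window."""
    b64 = base64.b64encode(FLAG.encode()).decode()
    windows = [SENTINEL] + [b64[i:i + 10] for i in range(0, len(b64), 10)]
    windows.insert(3, windows[2])                            # same window polled twice
    windows.insert(-1, windows[-1][:5] + windows[-2][5:])    # half-updated window
    first_tid = 0x0117 - len(windows) + 1   # so the last frame carries the write-up's tid
    return [build_fc03_response(first_tid + i, 1, [ord(c) for c in w]) for i, w in enumerate(windows)]
```

The last-register rule silently drops a window whose final character equals the previous accepted window's final character, which happens not to occur in this flag's base64; on another capture, compare the whole window instead.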
posted @ 2025-09-22 10:29  JasonJHu