解压后发现是一个流量包(pcap),其中有大量 ICMP 包。
发现 ICMP 包尾部的数据是以 $$START$$ 打头的 16 进制字符串,而且大量重复。我们只需要提取 icmp.type=0(Echo Reply)报文中的这段数据(上图标识为褐色的字符串),再把 16 进制字符串还原为原始字节(bytes)并解码为文本,最后去重。
使用 python 脚本(pyshark 底层调用本机 tshark 解析这个来源不明的 pcap,建议在隔离的分析环境中运行):
import pyshark
import binascii
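def process_pcap():
    """Extract the unique ICMP echo-reply payloads of out.pcap into out.txt.

    Every packet matching the tshark display filter ``icmp.type == 0`` carries
    a hex-encoded payload in ``icmp.data``.  It is unhexlified, decoded as
    UTF-8 and written once (first occurrence wins, file order preserved).

    Packets whose payload is absent, is not valid hex, or is not valid UTF-8
    are skipped: the pcap is untrusted input and one odd packet must not
    abort the extraction.  Prints ``done`` when finished.
    """
    # tshark applies the filter, so only echo replies are iterated here.
    packets = pyshark.FileCapture('out.pcap', display_filter="icmp.type==0")
    seen = set()  # O(1) duplicate check instead of scanning a list per packet
    try:
        # 'utf-8' proper: the original 'utf - 8' only worked because codec
        # lookup normalises punctuation in encoding names.
        with open('out.txt', 'w', encoding='utf-8') as f:
            for pkt in packets:
                data = _decode_icmp_payload(pkt)
                if data is None or data in seen:
                    continue
                f.write(data)
                seen.add(data)
    finally:
        # Always release the tshark subprocess, even if writing fails.
        packets.close()
    print('done')


def _decode_icmp_payload(pkt):
    """Return the UTF-8 text of ``pkt.icmp.data``, or ``None`` if undecodable.

    ``None`` covers a missing field (pyshark raises ``AttributeError``),
    non-hex content (``binascii.Error``) and non-UTF-8 bytes
    (``UnicodeDecodeError``).  The original caught only ``binascii.Error``,
    so a single non-UTF-8 payload would have aborted the whole run.
    """
    try:
        return binascii.unhexlify(pkt.icmp.data).decode('utf-8')
    except (AttributeError, binascii.Error, UnicodeDecodeError):
        return None


if __name__ == '__main__':
    process_pcap()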
把 out.txt 首行和末行的开始/结束标志去除,再去掉每行头部的 $$START$$ 标记,
复制内容到cyberchef
或者使用下面python脚本直接输出processed_out.txt。内容复制到cyberchef
import os
import pyshark
import binascii
from tqdm import tqdm
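def process_pcap():
    """Decode the unique echo-reply payloads of out.pcap and write them to
    out.txt (raw chunks) and processed_out.txt (marker lines stripped).

    Pipeline: filter ``icmp.type == 0`` with tshark, unhexlify and
    UTF-8-decode ``icmp.data`` for each packet, keep the first occurrence of
    every chunk in file order, then drop the first and last chunk (the
    start/end sentinel lines), remove a leading ``$$START$$`` marker and the
    trailing newline from the rest, and write one chunk per line.
    Shows a tqdm progress bar and prints ``done`` when finished.
    """
    pcap_path = 'out.pcap'
    display_filter = "icmp.type==0"

    # Counting pass so tqdm can show a real total.  The generator avoids
    # materialising every packet, and the capture is closed afterwards (the
    # original left this first tshark process running).
    counter = pyshark.FileCapture(pcap_path, display_filter=display_filter)
    try:
        total_packets = sum(1 for _ in counter)
    finally:
        counter.close()

    res = []
    seen = set()  # O(1) membership; `res` keeps first-seen order
    packets = pyshark.FileCapture(pcap_path, display_filter=display_filter)
    try:
        with open('out.txt', 'w', encoding='utf-8') as f:
            for pkt in tqdm(packets, total=total_packets):
                data = _decode_icmp_payload(pkt)
                if data is None or data in seen:
                    continue
                # The original opened out.txt but never wrote to it, so it
                # truncated the file produced by the first script; mirror that
                # script and dump the raw chunks here.
                f.write(data)
                seen.add(data)
                res.append(data)
    finally:
        packets.close()

    new_content = _strip_markers(res)
    with open('processed_out.txt', 'w', encoding='utf-8') as f_out:
        f_out.writelines(line + '\n' for line in new_content)
    print('done')


def _decode_icmp_payload(pkt):
    """Return the UTF-8 text of ``pkt.icmp.data``, or ``None`` if undecodable.

    ``None`` covers a missing field (pyshark raises ``AttributeError``),
    non-hex content (``binascii.Error``) and non-UTF-8 bytes
    (``UnicodeDecodeError``); the original caught only ``binascii.Error``.
    """
    try:
        return binascii.unhexlify(pkt.icmp.data).decode('utf-8')
    except (AttributeError, binascii.Error, UnicodeDecodeError):
        return None


def _strip_markers(chunks):
    """Drop the first and last chunk (start/end sentinels); for the rest,
    remove a leading ``$$START$$`` marker and the trailing newline.

    Returns an empty list when fewer than three chunks were decoded.
    """
    marker = '$$START$$'
    body = []
    for line in chunks[1:-1]:
        if line.startswith(marker):
            line = line[len(marker):]
        body.append(line.rstrip('\n'))
    return body


if __name__ == '__main__':
    process_pcap()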
或使用下面这个脚本,有两个好处:一是直接生成最终结果;二是数据较大、处理时间约两分钟,脚本在初始化时有提示并带进度条,体验更好。
import os
import pyshark
import binascii
from tqdm import tqdm
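def process_pcap():
    """Decode the unique echo-reply payloads of out.pcap into
    processed_out.txt, with a progress bar and per-packet error reporting.

    Same pipeline as the shorter script above (filter ``icmp.type == 0``,
    unhexlify + UTF-8-decode ``icmp.data``, de-duplicate preserving first-seen
    order, drop the first and last sentinel chunk, strip ``$$START$$`` and the
    trailing newline, one chunk per output line), but decode errors are
    reported instead of skipped silently, and the function returns early with
    a message when nothing could be decoded.
    """
    pcap_path = 'out.pcap'
    display_filter = "icmp.type==0"

    print('正在初始化数据包读取,请稍候...')
    # Counting pass so tqdm can show a real total.  The generator avoids
    # materialising every packet, and the capture is closed afterwards (the
    # original left this first tshark process running).
    counter = pyshark.FileCapture(pcap_path, display_filter=display_filter)
    try:
        total_packets = sum(1 for _ in counter)
    finally:
        counter.close()

    res = []
    seen = set()  # O(1) duplicate check; `res` keeps first-seen order
    packets = pyshark.FileCapture(pcap_path, display_filter=display_filter)
    try:
        with tqdm(total=total_packets) as progress_bar:
            for pkt in packets:
                try:
                    data = binascii.unhexlify(pkt.icmp.data).decode('utf-8')
                except AttributeError:
                    # Echo reply without a data field: nothing to decode.
                    pass
                except binascii.Error as e:
                    # tqdm.write keeps the message from corrupting the bar.
                    tqdm.write(f"处理数据包时出现binascii.Error异常: {e}")
                except UnicodeDecodeError as e:
                    # Not caught by the original, so one non-UTF-8 payload
                    # aborted the whole run part-way through.
                    tqdm.write(f"处理数据包时出现UnicodeDecodeError异常: {e}")
                else:
                    if data not in seen:
                        seen.add(data)
                        res.append(data)
                finally:
                    progress_bar.update(1)
    finally:
        packets.close()

    if not res:
        print("没有获取到有效的数据,可能是过滤条件问题或者pcap文件内容问题")
        return

    # Drop the first/last sentinel chunk, then strip the per-line marker and
    # trailing newline from what remains.
    marker = '$$START$$'
    new_content = []
    for line in res[1:-1]:
        if line.startswith(marker):
            line = line[len(marker):]
        new_content.append(line.rstrip('\n'))

    with open('processed_out.txt', 'w', encoding='utf-8') as f_out:
        f_out.writelines(line + '\n' for line in new_content)
    print('done')


if __name__ == '__main__':
    process_pcap()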
cyberchef识别出是zip文件,点击保存图标,另存为zip文件,解压得flag.gif
把这个gif文件拷贝进kali,输入下面命令
identify -format "%T" flag.gif
identify 的 %T 格式项会输出每一帧的延迟时间(单位 1/100 秒),隐写信息就藏在这串帧延迟里,得到:
2050502050502050205020202050202020205050205020502050205050505050202050502020205020505050205020206666
我们去掉尾部多出的 6666,再把 20 替换为 0、50 替换为 1:
205050205050205020502020205020202020505020502050205020505050505020205050202020502050505020502020
使用python和qt写个程序实现,源码如下:
import sys
from PyQt5.QtWidgets import QApplication, QWidget, QVBoxLayout, QHBoxLayout, QLabel, QLineEdit, QPushButton, QTextEdit
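class TextReplaceTool(QWidget):
    """Minimal find/replace window used to turn the GIF frame-delay dump
    (``20``/``50`` pairs) into a bit string.

    Widgets: a "find" line edit, a "replace" line edit, a find button, a
    replace button and a plain-text editor.  The window shows itself at the
    end of ``__init__``.
    """

    def __init__(self):
        super().__init__()
        self.init_ui()

    def init_ui(self):
        """Create the widgets, wire the buttons and lay everything out."""
        # Search string input.
        self.find_label = QLabel('查找内容:')
        self.find_input = QLineEdit()
        # Replacement string input.
        self.replace_label = QLabel('替换内容:')
        self.replace_input = QLineEdit()
        # Action buttons.
        self.find_button = QPushButton('查找')
        self.find_button.clicked.connect(self.find_text)
        self.replace_button = QPushButton('替换')
        self.replace_button.clicked.connect(self.replace_text)
        # Editable text area holding the data being transformed.
        self.text_edit = QTextEdit()

        # One row per input, one row for the buttons, editor underneath.
        find_row = QHBoxLayout()
        find_row.addWidget(self.find_label)
        find_row.addWidget(self.find_input)
        replace_row = QHBoxLayout()
        replace_row.addWidget(self.replace_label)
        replace_row.addWidget(self.replace_input)
        button_row = QHBoxLayout()
        button_row.addWidget(self.find_button)
        button_row.addWidget(self.replace_button)

        root = QVBoxLayout()
        root.addLayout(find_row)
        root.addLayout(replace_row)
        root.addLayout(button_row)
        root.addWidget(self.text_edit)
        self.setLayout(root)
        self.setWindowTitle('文本查找替换工具')
        self.show()

    def find_text(self):
        """Select the next occurrence of the search string in the editor.

        Searches from the end of the current selection and wraps around to
        the start of the document, so repeated clicks step through successive
        matches.  Does nothing when the search string is empty or absent.

        The original called ``QTextEdit.MoveOperation.Start``, which does not
        exist (the enum belongs to ``QTextCursor``) and raised
        ``AttributeError`` on every successful find.
        """
        needle = self.find_input.text()
        if not needle:
            return
        text = self.text_edit.toPlainText()
        cursor = self.text_edit.textCursor()
        start = text.find(needle, cursor.selectionEnd())
        if start == -1:
            start = text.find(needle)
        if start == -1:
            return
        cursor.setPosition(start)
        # Extend the selection over the match so it is highlighted; the enum
        # member is reachable through the cursor instance, no extra import.
        cursor.setPosition(start + len(needle), cursor.KeepAnchor)
        self.text_edit.setTextCursor(cursor)

    def replace_text(self):
        """Replace every occurrence of the search string in the editor.

        An empty search string is ignored: ``str.replace('', x)`` inserts
        ``x`` between every character, which the original would have done.
        """
        needle = self.find_input.text()
        if not needle:
            return
        replacement = self.replace_input.text()
        updated = self.text_edit.toPlainText().replace(needle, replacement)
        self.text_edit.setPlainText(updated)


if __name__ == '__main__':
    app = QApplication(sys.argv)
    ex = TextReplaceTool()
    sys.exit(app.exec_())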
运行 GUI 如图:先把 20 替换为 0,再把 50 替换为 1,两次替换可得结果
011011010100010000110101010111110011000101110100
到 CyberChef 中
先用 From Binary 把二进制位串转为字节(字符串),再对得到的字符串计算 MD5 哈希(MD5 是哈希算法而不是编码)
得 f0f1003afe4ae8ce4aa8e8487a8ab3b6
flag{f0f1003afe4ae8ce4aa8e8487a8ab3b6}