Preface

I had the pleasure of attending 2022 The competition of the enterprise group of the second network security skills competition in Shanxi Province , This is the first time to participate ctf match , In order to accumulate practical experience , Even rank 14, It's a little unexpected .

Tips ： The following is the main body of this article .

One 、 subject

subject ：

Flow analysis questions , I didn't remember the specific title .

The attachment ：

Plaintext-TS Attachments to .pcapng

Two 、 The problem solving steps

1. Their thinking

First, I have a general look ,FTP Most packets , see TCP flow , When viewing stream by stream , It is found that there are two successful login , Once for anonymous users , One time for root user , among root Users are constantly tested for passwords .

root After the user logs in , There is data transmission behavior , And that includes flag Content .

2. The problem solving process

Keep probing root User password ：

220 (vsFTPd 2.3.4)

USER root

331 Please specify the password.

PASS 12345678

530 Login incorrect.

USER root

331 Please specify the password.

PASS hint:

530 Login incorrect.

USER root

331 Please specify the password.

PASS thomas

530 Login incorrect.

USER root

Login success information ：

TCP 18 flow ：

220 (vsFTPd 2.3.4)

USER anonymous

331 Please specify the password.

PASS [email protected]

230 Login successful.

PASV

227 Entering Passive Mode (192,168,80,145,241,8).

LIST

150 Here comes the directory listing.

226 Directory send OK.

QUIT

TCP 41 flow ：

220 (vsFTPd 2.3.4)

OPTS UTF8 ON

200 Always in UTF8 mode.

USER root

331 Please specify the password.

PASS @_Fa1se

230 Login successful.

PORT 192,168,80,1,118,103

200 PORT command successful. Consider using PASV.

NLST

150 Here comes the directory listing.

226 Directory send OK.

PORT 192,168,80,1,118,104

200 PORT command successful. Consider using PASV.

RETR flag.zip

150 Opening BINARY mode data connection for flag.zip (192 bytes).

226 Transfer complete.

PORT 192,168,80,1,118,105

200 PORT command successful. Consider using PASV.

RETR pass.txt

150 Opening BINARY mode data connection for pass.txt (774 bytes).

226 Transfer complete.

QUIT

221 Goodbye.

You can see , Two files were transferred ,flag.zip and pass.txt.

TCP 43 Flow to flag.zip data , Save it locally as original data , Prompt for password when opening .

TCP 44 Flow to pass.txt Content , Is shown as ：

446966666572656E74204D6F727365EFBC9A5C2D2E2E2E2D2E2E2D2D2D2D2E2E2E2D2D5C2E2D2E2D2E2E2D2D2D2E2E2E2D2E2D2D5C2E2D2E2D2D2E2D2D2D2D2E2E2E2D2D2E5C2E2D2D2D2D2E2E2E2E2E2E2E2E2E2E2D5C2E2D2E2D2D2D2D2E2E2D2D2D2E2D2D2E5C2E2D2E2E2D2D2D2E2E2E2E2E2D2D2E2D5C2E2D2E2D2E2D2D2D2E2E2D2E2D2E2E2E5C2D2E2E2E2D2D2D2D2D2D2E2D2D2E2E2D5C2D2E2E2D2E2E2E2D2D2D2E2E2D2D2E2E5C2D2D2D2D2D2D2D2D2E2E2E2E2D2D2E2E5C2E2D2E2E2D2D2D2E2E2E2E2E2D2D2E2D5C2E2D2E2D2D2E2E2D2D2E2E2E2E2E2D2E5C2D2E2E2E2D2E2D2D2D2D2E2D2E2D2E2D5C2D2E2E2E2D2E2D2D2D2D2E2D2E2D2E2D5C2E2E2D2E5C2D5C2E2D2D2E5C2E2D2D2E2E2D2D2D2E2E2E2E2D2D2E2D5C2E2D2E2D2E2E2D2E2D2E2D2E2E2E2E2D5C2E2D2E2D2E2D2D2E2E2D2D2E2D2E2E2E5C2E2D2D2D2E2D2D2E2D2E2E2E2E2D2E2E5C2E2D2E2D2D2E2D2D2D2D2E2E2E2D2D2E5C2E2D2D2D2D2E2E2E2E2E2E2E2E2E2E2D5C2D2D2D2D2D2D2D2D2E2E2E2D2D2D2D2D

Put it HEX Decode and get ：

Different Morse：\-...-..----...--\.-.-..---...-.--\.-.--.----...--.\.----..........-\.-.----..---.--.\.-..---.....--.-\.-.-.---..-.-...\-...------.--..-\-..-...---..--..\--------....--..\.-..---.....--.-\.-.--..--.....-.\-...-.----.-.-.-\-...-.----.-.-.-\..-.\-\.--.\.--..---....--.-\.-.-..-.-.-....-\.-.-.--..--.-...\.---.--.-....-..\.-.--.----...--.\.----..........-\--------...-----

Morse decode ：

The decompression password is not here , Why don't you try FTP The password of the server ？

According to the prompt , The password for [email protected] or @_Fa1se

After testing , The password for @_Fa1se.

Unpack and get flag

flag{5658b3cc5f625339f207b7547ba5e6c3}

3、 ... and 、 summary

The game has been solved , But some links were skipped , Password is required in the compressed package , First of all, I thought of the first two FTP password , Use it directly @_Fa1se Unpack and get flag.

Writing WP when , Seriously pass.txt Content , Only then did I know that there was HEX and Morse Decoding steps .