XCTF分站赛SCTF 2023|Misc Writeup

这次比赛恰逢周末,周五晚上聚餐,组里4个小伙伴都食物中毒了,这算不算供应链投毒🤮
周天下午爬起来看了两道题目,顺便记录一下,希望大家看完有所收获。

Fly over the Fuchun River

题目描述:

开玩笑吗
Rapper坐在经济舱
面子伤不伤
我说这是通往成功的方向
图片拍摄于4月的某一天的12:15分(UTC+8)
flag格式
SCTF{起飞机场缩写_落地机场缩写_飞机航班号_日期}(全部大写)
日期格式:
6月17日写作617


题目名是富春江,搜索后发现在杭州一带,大概率杭州萧山机场起降落,然后再查看文件详情:

观察文件名可以发现日期和拍摄时间,2023年4月13日,12点47分59秒,应该是SYC的师傅从成都-杭州参加比赛,落地的时候拍的。
那么直接查航旅纵横就行了。

bittorrent

首先需要解析dht.dat数据,根据Aria2官方文档对DHT文件结构的介绍:

     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +---+-+---+-----+---------------+---------------+---------------+
    |MGC|F|VER| RSV |     MTIME     |     RSV       |LOCAL NODE ID  :
    |(2)|M|(2)| (3) |      (8)      |     (8)       |      (20)     :
    |   |T|   |     |               |               |               :
    +---+-+---+-----+-------+-------+-------+-------+---------------+
    :LOCAL NODE ID          |  RSV  |  NUM  |  RSV  |
    :  (continued)          |  (4)  |  NODE |  (4)  |
    :                       |       |  (4)  |       |
    +-+-------------+-------+-------+-+-----+-------+---------------+
    |P|     RSV     |COMPACT PEER INFO|            RSV              | <-+
    |L|     (7)     |     (PLEN)      |         (24 - PLEN)         |   |
    |E|             |                 |                             |   |
    |N|             |                 |                             |   |
    +-+-------------+-----------------+-----+-------+---------------+   |
    |            NODE ID                    |  RSV  |                   |
    |             (20)                      |  (4)  | <-----------------+
    +---------------------------------------+-------+   Repeated in
                                                         (NUM NODE) times.


除了第一块数据比较特殊含有文件头版本等信息,除此之外其他数据块都是0x06开头,每一个块数据56个字节,由此我们可以写脚本从dht.dat文件解析拿到Node ID、IP、Port数据:

# -*- coding: utf-8 -*-
# @Author  : 1cePeak

import struct

# 读取dht.dat文件
with open('dht.dat', 'rb') as file:
    data = file.read()

# 计算节点数量
node_count = len(data) // 56

# 解析每个节点的信息
for i in range(node_count):
    # 读取IP地址和端口号
    ip_bytes = data[i * 56 + 8:i * 56 + 14]
    ip = ".".join(str(byte) for byte in ip_bytes[:4])
    port = str(int.from_bytes(ip_bytes[4:6], byteorder='big'))

    # 读取节点ID
    node_id = data[i * 56 + 32:i * 56 + 52].hex()

    # 打印节点信息
    print(f"Node {i + 1}: IP={ip}, Port={port}, Node ID={node_id}")

可以提取出所有Node节点的数据:

Node 1: IP=0.0.0.0, Port=25698, Node ID=60985d0e96afb7951141d5fc00000000000000ba
Node 2: IP=83.108.5.50, Port=24450, Node ID=003a997c5f44d68f84f4aaaca85e2f11dae09d68
Node 3: IP=82.200.141.146, Port=24518, Node ID=007dab9697565c43a51e4766c0036a0b6d8ea98b
Node 4: IP=110.10.225.212, Port=40603, Node ID=01589e5e9fd445ae4fbc6aeff28fc383ef5092f6
Node 5: IP=175.125.146.56, Port=51413, Node ID=026a5402666773089eef9ab60d298c60a0c9d5b2
Node 6: IP=175.211.204.4, Port=42284, Node ID=034a27d6ae529049f1f1bbe9ebb3a6db3c870ce1
Node 7: IP=175.205.28.30, Port=40998, Node ID=0575ac1d43862f99749617da83ec0ef1197cfdc3
Node 8: IP=120.221.80.52, Port=6883, Node ID=0690b6c6d0cfb9fe060c51da1f54c754a029b1c5
Node 9: IP=210.121.221.20, Port=40849, Node ID=3eae107d27feef1941888d3a9a37654461a43bd3
Node 10: IP=180.64.27.12, Port=40602, Node ID=4437098e58b23af6f3a20f532abb673bfca37091
Node 11: IP=222.103.70.161, Port=25161, Node ID=4319fd356a783c5b29eb147b158c47e7036af0d6
Node 12: IP=189.219.213.62, Port=26709, Node ID=402d7756a468e274708d173637b8ba84a1480f1e
Node 13: IP=1.242.207.120, Port=7808, Node ID=43f06e4a789168dc65cc79620427526491bebc55
Node 14: IP=175.194.118.28, Port=64696, Node ID=431615d7b1e3f6f2d3640363fdb1f92410ba5f34
Node 15: IP=210.121.221.20, Port=40849, Node ID=422d5e587cc109b7c157b840e8b0271498696898
Node 16: IP=121.66.11.45, Port=41036, Node ID=478d42afa784da97cbcdee55794230a0d28d5002
Node 17: IP=188.163.95.78, Port=43038, Node ID=40d3c3bd6becbd81ffd93e67510f543ad7bfbe51
Node 18: IP=189.174.135.11, Port=37757, Node ID=48035e9878ce505e9ef2de32f29c5fd2d30addf9
Node 19: IP=49.49.229.18, Port=23616, Node ID=480382355fe9641b3322df7dd52077402a884c52
Node 20: IP=114.176.3.5, Port=20598, Node ID=4802e678b319d54aa16bd2ba57727bc18084e1f8
Node 21: IP=121.132.183.175, Port=40238, Node ID=4802c8a44563e23941dfbc41c39fdb4d18459455
Node 22: IP=171.76.137.22, Port=5964, Node ID=48006c9468c91689abfbae96db21a2dbd053741b
Node 23: IP=181.46.71.11, Port=31272, Node ID=48035bd6ae529049f1f1bbe9ebb3a6db3c870ce1
Node 24: IP=79.42.216.11, Port=61009, Node ID=4800b2d622d0fc3f56d65dcbdc3140b579aa432f
Node 25: IP=133.32.179.155, Port=1214, Node ID=480350d8b862c21d4fa9cad9d51ab3f56e68c51e
Node 26: IP=211.250.39.201, Port=6881, Node ID=480422bdd886197ee67f062a05a574ae967bbfe2
Node 27: IP=87.225.67.79, Port=49001, Node ID=48041ef1f661ffd98c331e51a3c96d874dbb47c7
Node 28: IP=167.179.150.46, Port=6881, Node ID=48045cd3b1f7110a778d37c58d051b8a8be4e75c
Node 29: IP=73.173.38.91, Port=58495, Node ID=4804282b6ad60b33d5558fdd6efe7ab36eb56a90
Node 30: IP=69.174.173.119, Port=40183, Node ID=48044501fa48dc9053fb1b203c896218f51ba927
Node 31: IP=83.209.224.227, Port=16881, Node ID=48040585be6b1dcc78412a0f808f82f7f0382eef
Node 32: IP=191.197.65.22, Port=50321, Node ID=480404cc14a700051303d3a641abbe8a065c8feb
Node 33: IP=5.227.199.193, Port=6881, Node ID=480402e7c71a411df394d6058b4d477ecb3376c3
Node 34: IP=201.141.96.126, Port=6881, Node ID=4804a889c586f675c3b0d20062df64ca4839bb7b
Node 35: IP=79.9.40.35, Port=6889, Node ID=4804b2e7497922a1d13eee62f3a3e673f3874da7
Node 36: IP=125.130.70.161, Port=7586, Node ID=480488dc8cc952cda1bfebcf1f081717d928548a
Node 37: IP=93.25.187.47, Port=42513, Node ID=480496d6ae529049f1f1bbe9ebb3a6db3c870ce1
Node 38: IP=99.228.192.118, Port=22124, Node ID=48048ffdd3d8e3623248251bc69370fe16f2a202
Node 39: IP=187.106.33.236, Port=17350, Node ID=4804a2d6ae529049f1f1bbe9ebb3a6db3c870ce1
Node 40: IP=119.202.225.236, Port=33831, Node ID=4804a7c9d342828ac9f3effd80e616cc84c013d1
Node 41: IP=5.34.70.161, Port=54487, Node ID=4804883aa10d95dd0a279875387910cbdafecc4a
Node 42: IP=73.38.95.19, Port=50321, Node ID=4804c9d476fb3d9e0748a5933474e82db70ac981
Node 43: IP=77.79.44.23, Port=40217, Node ID=4804cd6f3f335f95f2c06b8fe93d4a8f9855f1fe
Node 44: IP=177.223.108.23, Port=45613, Node ID=4804c8c29c8422d1051c92ad7e263141dbd4214e
Node 45: IP=115.96.217.196, Port=45974, Node ID=4804ccf1bbe9ebb3a6db3c870c3e99245e0d1c49
Node 46: IP=109.62.235.82, Port=41276, Node ID=4804c7a5006e15fba5c672f2da1fc812536420b4
Node 47: IP=91.122.227.15, Port=6881, Node ID=4804de783fa12bc532ff7470cad3436bd2629770
Node 48: IP=77.70.95.19, Port=39945, Node ID=4804c8fecaa83a33aeb6257329d2672bc8ea87d9
Node 49: IP=167.250.227.15, Port=54118, Node ID=4804d9156bd2c1951c8f508261a9d778bfc77908
Node 50: IP=202.61.240.22, Port=6881, Node ID=4804e3ddffc9c057eab51abee41e5842a1e98546
Node 51: IP=37.187.158.135, Port=15055, Node ID=4804e3ddffc9c057eab5343496138aa43a99b77e
Node 52: IP=85.184.62.137, Port=39286, Node ID=4804e1d0035b5d0c95b373c57b03247373d517da
Node 53: IP=81.97.141.141, Port=6881, Node ID=4804e3931374a1c3c5e7ed6c94fc5e73e5ae2e2d
Node 54: IP=85.81.13.141, Port=44768, Node ID=4804e3ddffc9c057eab5343496138af16d78ecb5
Node 55: IP=113.81.13.141, Port=1044, Node ID=4804e2a740399e5bbd3090f0ad1db52dcccdd7d5
Node 56: IP=95.211.186.223, Port=51413, Node ID=4804e3104c39ab9e2e8abbcea258f5835bfbb6c1
Node 57: IP=157.49.77.141, Port=51015, Node ID=4804e0701ae041ac3e9efb30baf292c159f283fd
Node 58: IP=65.108.201.176, Port=56881, Node ID=4804e43a9459add560985d0e96afb7951141ce6a
Node 59: IP=173.72.190.137, Port=6889, Node ID=4804e4b6c62849c4838dbc61e7f7edfa0fce4b9a
Node 60: IP=203.78.120.94, Port=59771, Node ID=4804e5b6618d8e430020793a43b9a02a7af39d22
Node 61: IP=136.243.96.42, Port=1688, Node ID=4804e43a9459add560985d0e96afb7951141d216
Node 62: IP=202.61.226.152, Port=6883, Node ID=4804e43a9459add56098ed13c14ee94b04dc8743
Node 63: IP=223.238.120.94, Port=61130, Node ID=4804e7abd292fb22178838b3dd2ed7f4840e84ba
Node 64: IP=213.24.126.137, Port=7171, Node ID=4804e79cc991942aaa8632a8140cc48b5146d43a
Node 65: IP=213.49.77.141, Port=44853, Node ID=4804e6b56a54d9630ac99ff51bc33b43cfab0045
Node 66: IP=137.97.77.141, Port=57014, Node ID=4804e717eff09a9212d90b2660811657c4636bfd
Node 67: IP=54.194.124.68, Port=6882, Node ID=4804e7f68ee286df408893a966a4a59bb8748622
Node 68: IP=58.11.3.57, Port=1036, Node ID=4804e7de1e924f9567149c7cdf8637efc387780a
Node 69: IP=177.8.126.137, Port=3865, Node ID=4804e7bddc1a890eb55c33fc85f9939d7d46710a
Node 70: IP=117.97.205.141, Port=2067, Node ID=4804e7f68ee286df4088edd6ae30656f1d992d75
Node 71: IP=157.32.202.200, Port=49387, Node ID=4804ea02fbf83658f04b0bb62962cdefd26691ff
Node 72: IP=59.102.204.31, Port=6881, Node ID=4804ef8cfa5273c314fc3f0318051e00feef07ef
Node 73: IP=27.63.191.27, Port=62077, Node ID=4804ee51b48b668e770b622cfab54a96067ac048
Node 74: IP=157.48.138.200, Port=37731, Node ID=4804ec5cbb818ccd068621f15ef18195492fc487
Node 75: IP=173.82.155.70, Port=6881, Node ID=4804e974e4d0b19050334437d4e1a7b748a60999
Node 76: IP=79.95.127.27, Port=50289, Node ID=4804ec39b6529ed4634b1a9b241b75f57581f2d0
Node 77: IP=18.223.137.220, Port=6881, Node ID=4804e974e4d0b1905033a8d064fbf862e10783ae
Node 78: IP=189.153.249.204, Port=47551, Node ID=4804e974e4d0b19050334437d4e1a74daf360bb0
Node 79: IP=35.155.156.153, Port=6881, Node ID=4804f32226553db5c077b17b35513d9c166d160d
Node 80: IP=223.77.113.145, Port=3477, Node ID=4804f02ad1b9a54324a36c4d9273714fe42a7e7c
Node 81: IP=113.11.183.70, Port=61787, Node ID=4804f0cc3eef7d593628b4cf0d57777bfa47a6ac
Node 82: IP=223.189.241.145, Port=11808, Node ID=4804f279059d9f115798477811cf508ac3c7608c
Node 83: IP=37.195.131.7, Port=26331, Node ID=4804fdd6ae529049f1f1bbe9ebb3a6db3c870ce1
Node 84: IP=49.34.72.8, Port=52307, Node ID=4805f7ab615f7a71dc9e51aacf5856a1dc26236d
Node 85: IP=193.123.249.239, Port=16384, Node ID=48058d67a450ee74b6962ded13a058b793518e93
Node 86: IP=194.190.49.35, Port=24750, Node ID=48057cd49fe5b0a2fa6881157e73b8ae505e0f1b
Node 87: IP=47.210.95.194, Port=31182, Node ID=48052dd6ae529049f1f1bbe9ebb3a6db3c870ce1
Node 88: IP=195.13.255.56, Port=23743, Node ID=48058e66341cba3b5f4d1a7e2febe93f527d78cb
Node 89: IP=153.144.68.97, Port=60822, Node ID=48059726663f227882506b2a4bbf9ceefbdf5998
Node 90: IP=112.8.184.118, Port=4026, Node ID=4805a8bf9ec3cc04acbb745f49a36019f91291fb
Node 91: IP=91.233.166.138, Port=35228, Node ID=4805ca234d9116e110def799c1145a7eba67edf0
Node 92: IP=175.113.5.150, Port=33056, Node ID=4806358149f41e58f056a98616c14f5d0e5b2bb7
Node 93: IP=45.142.182.96, Port=61044, Node ID=4806b4f6b84819f9cdf08383ec7818f8ef228533
Node 94: IP=87.227.141.57, Port=21521, Node ID=4806afb38c937ac418f28f2b2e105d89fc2bba48
Node 95: IP=59.24.116.113, Port=10584, Node ID=480648d6ae529049f1f1bbe9ebb3a6db3c870ce1
Node 96: IP=2.154.177.248, Port=51413, Node ID=480688c89ca0334581a840800e19d348d73af421
Node 97: IP=99.246.89.161, Port=58242, Node ID=4807636af00a693352f2c90b23b61c7bd8c69fe4
Node 98: IP=1.36.20.240, Port=27527, Node ID=4806fb3d0823d07f3fc54b2352d48a60e8661a22
Node 99: IP=213.135.133.100, Port=64439, Node ID=4806b45f638beaf64a12e0b56adb4a6d9f637da4
Node 100: IP=69.118.230.255, Port=35086, Node ID=480ee7f241c403114eaffc28f118058b726e06cf
Node 101: IP=106.211.52.46, Port=14729, Node ID=480afe509f8c7b9a1ab0cd5e1c8fedeb6d025c11
Node 102: IP=46.53.240.141, Port=30635, Node ID=4809aaec8188d028a01527ae8ca92def2e395db6
Node 103: IP=200.86.255.240, Port=50321, Node ID=480a11c74071e384838061ee06290e2bf11375dd
Node 104: IP=188.23.97.65, Port=6892, Node ID=480896194dc9f8aa8dce84b29aae62bddb3c7b6a
Node 105: IP=96.35.120.243, Port=52673, Node ID=4808d1f837b8edd57aa05c4efa9f21fc3c3685d9
Node 106: IP=170.51.105.28, Port=39636, Node ID=48088fca987e88293a9e5d520890ae2774d39246
Node 107: IP=91.121.7.176, Port=53340, Node ID=4808671481fefd4c6109672da7384026ecbff140
Node 108: IP=211.247.36.247, Port=11819, Node ID=48102ef1f1bbe9ebb3a6db3c870c3e99245e0d90
Node 109: IP=211.221.152.25, Port=31665, Node ID=4810bba2b903a89ebc51f7473e94128612a0916a
Node 110: IP=174.88.149.103, Port=3975, Node ID=481026d9e3f45fbb15062a9f3ebb5de95dddee6e
Node 111: IP=73.97.48.230, Port=6881, Node ID=48107a584afcd4fcb4a2ee05e34e6bcbcd6d5497
Node 112: IP=138.94.53.243, Port=23532, Node ID=481e885ed3a91b0ca4341f94fcc757eb688f79ba
Node 113: IP=113.14.128.57, Port=8999, Node ID=4810f39df4972dec677ea5e6bd49dc01124c6633
Node 114: IP=217.43.43.99, Port=6889, Node ID=4815a955bfa3857afe042f11859d2de971490fba
Node 115: IP=178.34.158.37, Port=64889, Node ID=481e44aaa922c6918b986056a0fd7bbcbc878fff
Node 116: IP=191.189.19.172, Port=4659, Node ID=482433dabda0c59b3b209675021326c93815718d
Node 117: IP=37.48.111.199, Port=62292, Node ID=483786facc2cb57a54c057f85c94b69723677f5c
Node 118: IP=187.74.91.174, Port=6881, Node ID=482540e4418d506bcabc66dd5ca4252078bcd33c
Node 119: IP=65.19.134.36, Port=6881, Node ID=48304b7549697250c365d47861505b608d1bd29e
Node 120: IP=58.189.221.66, Port=8250, Node ID=482dceacc68c6ce61ac465520d8e6485275dd9b7
Node 121: IP=5.196.75.146, Port=6881, Node ID=482ab6a66f6e64ff96ddb80d4c45923187990e33
Node 122: IP=178.195.68.148, Port=57139, Node ID=48336589a6debc4a84701430784694b6307a5427
Node 123: IP=24.62.122.53, Port=6881, Node ID=482b1cae5ff576ed518d7d29308b9ecee8764515
Node 124: IP=171.42.61.196, Port=51413, Node ID=484d25e01dbb5b9d73b3dee95d0f63de9590a812
Node 125: IP=78.138.185.101, Port=21526, Node ID=48510123b318df1777329eeff2f6ef697ab6e6dc
Node 126: IP=213.24.126.19, Port=13569, Node ID=4848a43b3d9a4d01e6e4d572bb32c35d18fdfe94
Node 127: IP=78.192.63.16, Port=13215, Node ID=485366426217271fb1bad1a2de4e057f1f4633f1
Node 128: IP=84.52.216.104, Port=62141, Node ID=48520202f0958979f58ada310bcfbbc2fb556561
Node 129: IP=2.47.147.40, Port=28528, Node ID=48477763c38492ab08a3aa3ff03f1c55ad514ffc
Node 130: IP=5.9.6.196, Port=50001, Node ID=484030a715d0cefe53665b863648ba72a684af44
Node 131: IP=46.232.211.220, Port=22409, Node ID=4847d0c2f2de71376965af95582e0839f58eaf2f
Node 132: IP=47.61.99.94, Port=45682, Node ID=489ff6c762cad903f4849d28727d91ea9422c541
Node 133: IP=93.100.178.117, Port=49001, Node ID=4894be6ca4341582c947acf356a4e113ab9441e2
Node 134: IP=218.31.193.17, Port=5138, Node ID=489c0c0ba2ba233fe66583b51fb7709f39019d84
Node 135: IP=185.193.196.152, Port=1801, Node ID=48bb329c35e899f99e95d53937a043bfb2f6351f
Node 136: IP=54.153.139.11, Port=12498, Node ID=48b9e96eb096cdf1e369d25553524e3205890ef4
Node 137: IP=88.204.29.201, Port=49001, Node ID=48853c783dfabc87b5e637114f3f3a8943bfbe4a
Node 138: IP=108.20.119.70, Port=57277, Node ID=48af3ee2194ed84aa33826b099b5ac6d67266e46
Node 139: IP=212.7.200.16, Port=51457, Node ID=48dbb979926cdf96fd6b91c6a0d3958bb17742f6
Node 140: IP=125.253.104.112, Port=24570, Node ID=4950a65179f655a3a54fee2a5d8096c41be6c361
Node 141: IP=159.138.22.50, Port=6969, Node ID=4e45564e322e56462e43424a52455348595cd16f
Node 142: IP=188.209.56.20, Port=28092, Node ID=49383a270cb6f7ca9ae70cce5be75b2330fbe627
Node 143: IP=46.233.56.122, Port=9346, Node ID=4963175f0a73307eb2ad24f39b5738c448362b7e
Node 144: IP=177.137.61.97, Port=29731, Node ID=494db8c615c53740cf8773a3402314dfd20cf704
Node 145: IP=113.73.242.53, Port=33867, Node ID=4905ab16ed92d664de725aa3f6e805c27ee394d4
Node 146: IP=192.81.128.206, Port=6891, Node ID=4957e6f8e8647e0013dc2ae04fb710e342534b5f
Node 147: IP=176.63.12.200, Port=57458, Node ID=4929ddd6ae529049f1f1bbe9ebb3a6db3c870ce1
Node 148: IP=121.159.46.85, Port=41148, Node ID=4a844dbb7048135893a00f0edb7868f9ef845843
Node 149: IP=106.216.69.197, Port=3282, Node ID=4a2618a01eb5c109cf757ca84994ece1af875baf
Node 150: IP=89.179.47.89, Port=22903, Node ID=4bec176b2d27e55bd6fd35391adcd1f571737fb5
Node 151: IP=36.14.90.109, Port=8930, Node ID=4a30bcd210c67d3d00a22ea4a471cfd129fd1773
Node 152: IP=185.162.184.12, Port=59547, Node ID=4a54af79303047847d4f0c8fe2fcfcd7ae082b90
Node 153: IP=78.20.221.204, Port=57458, Node ID=4a49231d4e5629cd2ed70ffce9a044b1aa81e804
Node 154: IP=185.107.71.139, Port=28109, Node ID=4b0b66c3df12a456df34f3f39dfe07dd5e35af75
Node 155: IP=185.107.95.77, Port=28073, Node ID=4af86c9efc7046ac928d23411f4cf0b4d6940b53
Node 156: IP=136.243.151.244, Port=61580, Node ID=4e63a68414dc79dfe993f6837552d406045a22c9
Node 157: IP=108.46.251.196, Port=6881, Node ID=4c2d48ace0211080f9240cece9c671dac6456220
Node 158: IP=84.71.97.92, Port=55404, Node ID=4cd8447c4f75f92e70955beba15e6ccd0e500108
Node 159: IP=78.22.229.83, Port=51413, Node ID=4ce80018438ac5a574a3cbf7ca024304ba48a61f
Node 160: IP=176.232.56.42, Port=62186, Node ID=4d955d49f1f1bbe9ebb3a6db3c870c3e99245e52
Node 161: IP=37.42.40.115, Port=46334, Node ID=4c6888a9fe15215b7b255a48c0c62e1a9d60d9f7
Node 162: IP=199.36.223.15, Port=21665, Node ID=4eb7eecd8b60136c92a1184fe4dd05bf54e9fee3
Node 163: IP=114.31.210.42, Port=6881, Node ID=4c39557eb6debe386b9b1df6116d0d14171edf67
Node 164: IP=140.249.62.48, Port=6886, Node ID=51012e72869f509227ee8c3f09b5ac8522b6d858
Node 165: IP=218.91.199.146, Port=6889, Node ID=50029b881f6e3c75ca1efb336c5ca9cface46a13
Node 166: IP=121.32.0.192, Port=1553, Node ID=56afc48205a257dfa00bc05fc52abae9d99f61a0
Node 167: IP=124.229.40.30, Port=6881, Node ID=51c26cb08fd4fe4a2f38315ce77794ad6d9c5353
Node 168: IP=45.87.251.34, Port=28047, Node ID=5cbe7db57e027faaa109d467fb461f09d400f9a1
Node 169: IP=188.80.202.8, Port=49001, Node ID=5f7405f330619359bad4aa854c2f1e9ec0719c85
Node 170: IP=125.139.28.20, Port=40894, Node ID=52e19b5fe342cbd264577f08555bb186f38cde7f
Node 171: IP=106.207.50.160, Port=6449, Node ID=50c222d06106a48350fd14c38a26650ad599dd77
Node 172: IP=187.149.124.245, Port=54686, Node ID=6ab6be63f673523e66058f410da8f284f96f7e67
Node 173: IP=47.39.14.179, Port=6881, Node ID=77a8fe36fc937bb83e7f7c30fa26714c8451c443
Node 174: IP=60.114.29.250, Port=6889, Node ID=607d95abf7caa6b4a830036ebbd9267bb57766e0
Node 175: IP=62.210.38.222, Port=6881, Node ID=7a268ddfef50b2728384f98b3e4be1626996ddea
Node 176: IP=69.243.64.15, Port=6882, Node ID=609a22d36745d1e5c0bec1f67f8bacedb2ccd247
Node 177: IP=186.81.118.176, Port=33361, Node ID=607df46925684201b1342c61900f7be9ca22d549
Node 178: IP=42.98.106.253, Port=27413, Node ID=6b034359c5e70218d60dc380d6a18dd3167e6153
Node 179: IP=167.179.150.46, Port=6881, Node ID=6627dc03f9fe5a961d67d76d47150df8264e5713
Node 180: IP=223.65.73.211, Port=17726, Node ID=ffced111d1263a864a5471cdcf3c845637c27960
Node 181: IP=51.159.104.81, Port=8305, Node ID=cecbddf184412b66d1bb5527ac63da8596776475
Node 182: IP=86.167.69.95, Port=6881, Node ID=ffcd90244880e2bd2ed8b4f1a811a142de01e6f7
Node 183: IP=178.48.211.7, Port=59084, Node ID=ffcd42e9ebb3a6db3c870c3e99245e0d1c06b7f1
Node 184: IP=178.147.94.14, Port=56953, Node ID=ffcdaaf2e2435329a66a7312725675e999e7d475
Node 185: IP=78.130.91.168, Port=55196, Node ID=ffcddcf1e452e685c422647dc3b15ce9c323efde
Node 186: IP=72.137.117.42, Port=6882, Node ID=ffcde04098b906b313dc61602f0b4a77368d7eb3
Node 187: IP=185.203.56.10, Port=6881, Node ID=c10c154e7276dd39ca694ddfb50cdd35348a6ed6

然后再写一个脚本来判断这些Node节点是否存活。

# -*- coding: utf-8 -*-
# @Author  : 1cePeak

import socket

def check_node_availability(node):
    ip, port = node.split(':')

    # 创建TCP套接字
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(1)  # 设置连接超时时间为1秒

    try:
        # 尝试连接节点
        result = sock.connect_ex((ip, int(port)))
        if result == 0:
            print("节点 {} 存活".format(node))
        else:
            print("节点 {} 不可达".format(node))
    except socket.error:
        print("节点 {} 连接失败".format(node))
    finally:
        # 关闭套接字
        sock.close()

# DHT节点列表
nodes = ['ip:port', '...', 'ip:port']

# 遍历节点列表,检查节点是否存活
for node in nodes:
    check_node_availability(node)

最后发现有一个比较可疑的存活Node节点159.138.22.50:6969,访问之后发现提示:

You are not powerful 😕


Burpsuite抓包查看发现状态码是403,猜测需要带一些参数或者token访问,于是开始坐牢……🫤

找到几篇比较靠谱的文章:

DHT出现之后,假设一个新的节点想要加入该网络,只需要获取到已经在网络中的任何一个node信息,向其发送find_node请求即可。想要获取某个info_hash的peer,也可直接发送get_peers,而无需连接到Tracker服务器。如此,DHT可理解为一个去中心化的P2P网络。
Torrent(种子)就保存了一个文件的一些信息,名字/长度/子文件目录/子文件长度等信息,其中最重要是拥有该文件的peers服务器,也因此,可以通过种子,向这些peers发送下载请求下载文件。

检索资料发现,6969端口一般是BT Tracker站点提供的服务,那么BT Tracker站点有什么用呢?有请ChaGPT来回答:
BT Tracker 是 BitTorrent 协议中的一个重要组件,它具有以下作用:

  • 协调下载和上传:BT Tracker 充当了一个中央服务器的角色,它记录了参与特定种子的所有用户(也称为 peers)的信息,包括它们的 IP 地址和端口号。通过连接到 Tracker,下载者可以获取种子文件的相关信息,并与其他下载者建立连接来获取文件的各个分块。
  • 跟踪下载进度:Tracker 跟踪每个 peer 下载特定种子的进度,包括已下载和未下载的分块。这使得 Tracker 能够提供下载者有关其他 peer 的信息,例如哪些 peer 具有完整的文件,以及哪些分块还需要下载。
  • 提供种子健康度信息:Tracker 通过跟踪每个 peer 的进度,可以为特定种子提供健康度信息。这包括种子的可用性、下载速度和活动 peer 的数量等指标。下载者可以使用这些信息来选择最佳的 peer 进行连接,提高下载效率。
  • 维护用户统计信息:Tracker 还可以记录用户的下载和上传统计信息,如下载速度、上传量和分享比率等。这些信息可以用于维护 BitTorrent 社区中用户的参与度和公平性。
    总而言之,BT Tracker 在 BitTorrent 下载过程中起到了协调和管理的作用,它使下载者能够找到其他下载者,并从中获取所需的文件分块,从而实现高效的文件共享和分发。

所以我们可以访问http://159.138.22.50:6969/announce,发现还是没有什么用。所以现在要解决的是如果去访问这个BT Tracker站点,通常情况下,当我们需要下载一个文件的时候会用到BitTorrent客户端,我们不如打开一个Motrix下载器看看,打开高级设置可以看到Aria的请求头aria2/1.35.0信息:

那么,如何与BT Tracker站点通信呢?
与 BT Tracker 站点进行通信主要是通过发送 HTTP GET 请求来与 Tracker 服务器交互。以下是与 BT Tracker 站点通信的一般步骤:

  • 获取 Tracker URL:在您想要与之通信的 BT Tracker 站点上,通常会提供 Tracker URL。这是一个特定的 URL,用于连接到 Tracker 服务器并获取种子文件的 Peers 列表。
  • 构建请求 URL:将 Tracker URL 与您的下载信息(如种子哈希值、下载端口等)组合在一起,构建一个完整的请求 URL。请求 URL 的格式通常是将参数附加到 Tracker URL 后面,形成类似于:http://tracker.example.com/announce?info_hash=xxxxxx&port=xxxx 的 URL。
  • 发送 HTTP GET 请求:使用您选择的编程语言或工具,发送 HTTP GET 请求到构建的请求 URL。确保请求头中包含适当的 User-Agent 字段,以便 Tracker 服务器可以识别您的请求。示例中提到的 aria2/1.35.0 是一种常见的 User-Agent 标识。
  • 解析响应:接收到 Tracker 服务器的响应后,您需要解析响应数据以获取 Peers 列表和其他相关信息。通常,Tracker 服务器会返回一个字典或字节串形式的响应,其中包含了可用 Peers 的 IP 地址、端口号等信息。
  • 处理响应数据:根据 Tracker 服务器返回的数据格式和规范,您可以提取和处理所需的信息。您可能需要处理 Peer 列表、更新下载状态、计算上传下载速度等操作。
  • 保持通信:根据 Tracker 服务器的规则和约定,您可能需要定期与 Tracker 服务器进行通信以更新下载状态、提供健康信息等。这有助于维护您的下载连接和共享状态。

所以,当我们添加aria2/1.35.0请求头之后再去访问http://159.138.22.50:6969/announce可以发现出现了Nginx页面:

保存页面上的Nginx图片到本地,使用十六进制编辑器打开可以发现藏了一个zip压缩包:

打开之后发现是一个经过加密的压缩包,里面的文件是flag.torrent

压缩包备注是Do you remember the last time we update dht.dat?,这里暗示压缩包的密码是dht.dat文件最后一次修改的时间,所以回过头来再提取dht.dat文件的MTIME时间。根据Aria官方文档的介绍:

MTIME: 8 bytes
This is the time when aria2 saved the file. The value is the time since the Epoch(1970/1/1 00:00:00) in 64 bits integer.

所以我们可以直接从文件第8个字节开始提取,也就是0x000000006462E61C

int('0x000000006462E61C ', 16)
# 1684203036

使用1684203036打开压缩包,再查看flag.torrent文件:

d8:announce30:http://127.0.0.1:8080/announce7:comment7:crackme10:created by13:mktorrent 1.113:creation datei1686759814e4:infod6:lengthi40e4:name4:flag12:piece lengthi4e6:pieces200:

发现是一个使用Bencode编码的字典结构,表示一个种子文件的元数据信息。

  • announce表示Tracker的URL,是一个本地BT Tracker服务。
  • comment注释为crackme。
  • info表示文件的信息:
    • length为长度,一共40个字节。
    • name为flag。
    • piece length为分块大小,长度是4个字节。
    • pieces就是分块的哈希值。

接下来就是提取分块的哈希值:

284F3E527B475C0DCBE1A7AED94CE31539131545
E4AF700F9921ED71C190316CD5564F8CE1303F94
B4AA9BC1E62E19828A370C50A4CFF71BD9736BB4
AD2AF979ABD26A0A35CCA0218F32277D01B7F7D3
F9CCF51238CBEE2EE8282F28FF1A526A8A39D8E4
89B4EBDC6413BEC34138A3B63F23671932EA5696
9329C7181085B1D6484E4FBC826FB3C25CA25F32
AB4400A33C16525C50A2E6DDA8C05EACD5B3D7F0
386B00CD1573492BF3DD76DA57EB73759C7DE8E1
9DE01D0BC2F7B7440B99E96DAAF372F93E53B140

最后解密sha1,可以直接用somd5解密,也可以使用hashcat来跑字典。

然后查询每一条sha1即可拿到flag。
如果用字典来跑的话可以先生成一个字典:

# -*- coding: utf-8 -*-
# @Author  : 1cePeak
import itertools
import string

# 生成所有可能的组合
combinations = itertools.product('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789{_}', repeat = 4)

# 将组合写入密码字典文件
with open('dictionary.txt', 'w') as f:
    for combination in combinations:
        password = ''.join(combination)
        f.write(password + '\n')

然后再用hashcat来跑:

hashcat -m 100 -a 0 40_bytes_hash_data.txt dictionary.txt

最终flag为SCTF{du4nq1k3_l0v3s_d0wnlO4d1ng_t0rRent},卒🤡