XCTF分站赛SCTF 2023|Misc Writeup

1cePeak 1cePeak 收录于 CTF Writeup
 约 2000 字 预计阅读 10 分钟 - 次阅读   - 条评论  

这次比赛恰逢周末,周五晚上聚餐,组里4个小伙伴都食物中毒了,这算不算供应链投毒🤮 周天下午爬起来看了两道题目,顺便记录一下,希望大家看完有所收获。

Fly over the Fuchun River

题目描述:

开玩笑吗

Rapper坐在经济舱

面子伤不伤

我说这是通往成功的方向

图片拍摄于4月的某一天的12:15分(UTC+8)

flag格式

SCTF{起飞机场缩写_落地机场缩写_飞机航班号_日期}(全部大写)

日期格式:6月17日写作617

/images/1687226854926.jpeg

题目名是富春江,搜索后发现在杭州一带,大概率杭州萧山机场起降落,然后再查看文件详情:

/images/1687226904009.png

观察文件名可以发现日期和拍摄时间,2023年4月13日,12点47分59秒,应该是SYC的师傅从成都-杭州参加比赛,落地的时候拍的。 那么直接查航旅纵横就行了。

/images/1687226953505.png

bittorrent

首先需要解析dht.dat数据,根据Aria2官方文档对DHT文件结构的介绍:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20

     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +---+-+---+-----+---------------+---------------+---------------+
    |MGC|F|VER| RSV |     MTIME     |     RSV       |LOCAL NODE ID  :
    |(2)|M|(2)| (3) |      (8)      |     (8)       |      (20)     :
    |   |T|   |     |               |               |               :
    +---+-+---+-----+-------+-------+-------+-------+---------------+
    :LOCAL NODE ID          |  RSV  |  NUM  |  RSV  |
    :  (continued)          |  (4)  |  NODE |  (4)  |
    :                       |       |  (4)  |       |
    +-+-------------+-------+-------+-+-----+-------+---------------+
    |P|     RSV     |COMPACT PEER INFO|            RSV              | <-+
    |L|     (7)     |     (PLEN)      |         (24 - PLEN)         |   |
    |E|             |                 |                             |   |
    |N|             |                 |                             |   |
    +-+-------------+-----------------+-----+-------+---------------+   |
    |            NODE ID                    |  RSV  |                   |
    |             (20)                      |  (4)  | <-----------------+
    +---------------------------------------+-------+   Repeated in
                                                         (NUM NODE) times.

/images/1687226372319.png

除了第一块数据比较特殊含有文件头版本等信息,除此之外其他数据块都是0x06开头,每一个块数据56个字节,由此我们可以写脚本从dht.dat文件解析拿到Node ID、IP、Port数据:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24

# -*- coding: utf-8 -*-
# @Author  : 1cePeak

import struct

# 读取dht.dat文件
with open('dht.dat', 'rb') as file:
    data = file.read()

# 计算节点数量
node_count = len(data) // 56

# 解析每个节点的信息
for i in range(node_count):
    # 读取IP地址和端口号
    ip_bytes = data[i * 56 + 8:i * 56 + 14]
    ip = ".".join(str(byte) for byte in ip_bytes[:4])
    port = str(int.from_bytes(ip_bytes[4:6], byteorder='big'))

    # 读取节点ID
    node_id = data[i * 56 + 32:i * 56 + 52].hex()

    # 打印节点信息
    print(f"Node {i + 1}: IP={ip}, Port={port}, Node ID={node_id}")

可以提取出所有Node节点的数据:

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187

Node 1: IP=0.0.0.0, Port=25698, Node ID=60985d0e96afb7951141d5fc00000000000000ba
Node 2: IP=83.108.5.50, Port=24450, Node ID=003a997c5f44d68f84f4aaaca85e2f11dae09d68
Node 3: IP=82.200.141.146, Port=24518, Node ID=007dab9697565c43a51e4766c0036a0b6d8ea98b
Node 4: IP=110.10.225.212, Port=40603, Node ID=01589e5e9fd445ae4fbc6aeff28fc383ef5092f6
Node 5: IP=175.125.146.56, Port=51413, Node ID=026a5402666773089eef9ab60d298c60a0c9d5b2
Node 6: IP=175.211.204.4, Port=42284, Node ID=034a27d6ae529049f1f1bbe9ebb3a6db3c870ce1
Node 7: IP=175.205.28.30, Port=40998, Node ID=0575ac1d43862f99749617da83ec0ef1197cfdc3
Node 8: IP=120.221.80.52, Port=6883, Node ID=0690b6c6d0cfb9fe060c51da1f54c754a029b1c5
Node 9: IP=210.121.221.20, Port=40849, Node ID=3eae107d27feef1941888d3a9a37654461a43bd3
Node 10: IP=180.64.27.12, Port=40602, Node ID=4437098e58b23af6f3a20f532abb673bfca37091
Node 11: IP=222.103.70.161, Port=25161, Node ID=4319fd356a783c5b29eb147b158c47e7036af0d6
Node 12: IP=189.219.213.62, Port=26709, Node ID=402d7756a468e274708d173637b8ba84a1480f1e
Node 13: IP=1.242.207.120, Port=7808, Node ID=43f06e4a789168dc65cc79620427526491bebc55
Node 14: IP=175.194.118.28, Port=64696, Node ID=431615d7b1e3f6f2d3640363fdb1f92410ba5f34
Node 15: IP=210.121.221.20, Port=40849, Node ID=422d5e587cc109b7c157b840e8b0271498696898
Node 16: IP=121.66.11.45, Port=41036, Node ID=478d42afa784da97cbcdee55794230a0d28d5002
Node 17: IP=188.163.95.78, Port=43038, Node ID=40d3c3bd6becbd81ffd93e67510f543ad7bfbe51
Node 18: IP=189.174.135.11, Port=37757, Node ID=48035e9878ce505e9ef2de32f29c5fd2d30addf9
Node 19: IP=49.49.229.18, Port=23616, Node ID=480382355fe9641b3322df7dd52077402a884c52
Node 20: IP=114.176.3.5, Port=20598, Node ID=4802e678b319d54aa16bd2ba57727bc18084e1f8
Node 21: IP=121.132.183.175, Port=40238, Node ID=4802c8a44563e23941dfbc41c39fdb4d18459455
Node 22: IP=171.76.137.22, Port=5964, Node ID=48006c9468c91689abfbae96db21a2dbd053741b
Node 23: IP=181.46.71.11, Port=31272, Node ID=48035bd6ae529049f1f1bbe9ebb3a6db3c870ce1
Node 24: IP=79.42.216.11, Port=61009, Node ID=4800b2d622d0fc3f56d65dcbdc3140b579aa432f
Node 25: IP=133.32.179.155, Port=1214, Node ID=480350d8b862c21d4fa9cad9d51ab3f56e68c51e
Node 26: IP=211.250.39.201, Port=6881, Node ID=480422bdd886197ee67f062a05a574ae967bbfe2
Node 27: IP=87.225.67.79, Port=49001, Node ID=48041ef1f661ffd98c331e51a3c96d874dbb47c7
Node 28: IP=167.179.150.46, Port=6881, Node ID=48045cd3b1f7110a778d37c58d051b8a8be4e75c
Node 29: IP=73.173.38.91, Port=58495, Node ID=4804282b6ad60b33d5558fdd6efe7ab36eb56a90
Node 30: IP=69.174.173.119, Port=40183, Node ID=48044501fa48dc9053fb1b203c896218f51ba927
Node 31: IP=83.209.224.227, Port=16881, Node ID=48040585be6b1dcc78412a0f808f82f7f0382eef
Node 32: IP=191.197.65.22, Port=50321, Node ID=480404cc14a700051303d3a641abbe8a065c8feb
Node 33: IP=5.227.199.193, Port=6881, Node ID=480402e7c71a411df394d6058b4d477ecb3376c3
Node 34: IP=201.141.96.126, Port=6881, Node ID=4804a889c586f675c3b0d20062df64ca4839bb7b
Node 35: IP=79.9.40.35, Port=6889, Node ID=4804b2e7497922a1d13eee62f3a3e673f3874da7
Node 36: IP=125.130.70.161, Port=7586, Node ID=480488dc8cc952cda1bfebcf1f081717d928548a
Node 37: IP=93.25.187.47, Port=42513, Node ID=480496d6ae529049f1f1bbe9ebb3a6db3c870ce1
Node 38: IP=99.228.192.118, Port=22124, Node ID=48048ffdd3d8e3623248251bc69370fe16f2a202
Node 39: IP=187.106.33.236, Port=17350, Node ID=4804a2d6ae529049f1f1bbe9ebb3a6db3c870ce1
Node 40: IP=119.202.225.236, Port=33831, Node ID=4804a7c9d342828ac9f3effd80e616cc84c013d1
Node 41: IP=5.34.70.161, Port=54487, Node ID=4804883aa10d95dd0a279875387910cbdafecc4a
Node 42: IP=73.38.95.19, Port=50321, Node ID=4804c9d476fb3d9e0748a5933474e82db70ac981
Node 43: IP=77.79.44.23, Port=40217, Node ID=4804cd6f3f335f95f2c06b8fe93d4a8f9855f1fe
Node 44: IP=177.223.108.23, Port=45613, Node ID=4804c8c29c8422d1051c92ad7e263141dbd4214e
Node 45: IP=115.96.217.196, Port=45974, Node ID=4804ccf1bbe9ebb3a6db3c870c3e99245e0d1c49
Node 46: IP=109.62.235.82, Port=41276, Node ID=4804c7a5006e15fba5c672f2da1fc812536420b4
Node 47: IP=91.122.227.15, Port=6881, Node ID=4804de783fa12bc532ff7470cad3436bd2629770
Node 48: IP=77.70.95.19, Port=39945, Node ID=4804c8fecaa83a33aeb6257329d2672bc8ea87d9
Node 49: IP=167.250.227.15, Port=54118, Node ID=4804d9156bd2c1951c8f508261a9d778bfc77908
Node 50: IP=202.61.240.22, Port=6881, Node ID=4804e3ddffc9c057eab51abee41e5842a1e98546
Node 51: IP=37.187.158.135, Port=15055, Node ID=4804e3ddffc9c057eab5343496138aa43a99b77e
Node 52: IP=85.184.62.137, Port=39286, Node ID=4804e1d0035b5d0c95b373c57b03247373d517da
Node 53: IP=81.97.141.141, Port=6881, Node ID=4804e3931374a1c3c5e7ed6c94fc5e73e5ae2e2d
Node 54: IP=85.81.13.141, Port=44768, Node ID=4804e3ddffc9c057eab5343496138af16d78ecb5
Node 55: IP=113.81.13.141, Port=1044, Node ID=4804e2a740399e5bbd3090f0ad1db52dcccdd7d5
Node 56: IP=95.211.186.223, Port=51413, Node ID=4804e3104c39ab9e2e8abbcea258f5835bfbb6c1
Node 57: IP=157.49.77.141, Port=51015, Node ID=4804e0701ae041ac3e9efb30baf292c159f283fd
Node 58: IP=65.108.201.176, Port=56881, Node ID=4804e43a9459add560985d0e96afb7951141ce6a
Node 59: IP=173.72.190.137, Port=6889, Node ID=4804e4b6c62849c4838dbc61e7f7edfa0fce4b9a
Node 60: IP=203.78.120.94, Port=59771, Node ID=4804e5b6618d8e430020793a43b9a02a7af39d22
Node 61: IP=136.243.96.42, Port=1688, Node ID=4804e43a9459add560985d0e96afb7951141d216
Node 62: IP=202.61.226.152, Port=6883, Node ID=4804e43a9459add56098ed13c14ee94b04dc8743
Node 63: IP=223.238.120.94, Port=61130, Node ID=4804e7abd292fb22178838b3dd2ed7f4840e84ba
Node 64: IP=213.24.126.137, Port=7171, Node ID=4804e79cc991942aaa8632a8140cc48b5146d43a
Node 65: IP=213.49.77.141, Port=44853, Node ID=4804e6b56a54d9630ac99ff51bc33b43cfab0045
Node 66: IP=137.97.77.141, Port=57014, Node ID=4804e717eff09a9212d90b2660811657c4636bfd
Node 67: IP=54.194.124.68, Port=6882, Node ID=4804e7f68ee286df408893a966a4a59bb8748622
Node 68: IP=58.11.3.57, Port=1036, Node ID=4804e7de1e924f9567149c7cdf8637efc387780a
Node 69: IP=177.8.126.137, Port=3865, Node ID=4804e7bddc1a890eb55c33fc85f9939d7d46710a
Node 70: IP=117.97.205.141, Port=2067, Node ID=4804e7f68ee286df4088edd6ae30656f1d992d75
Node 71: IP=157.32.202.200, Port=49387, Node ID=4804ea02fbf83658f04b0bb62962cdefd26691ff
Node 72: IP=59.102.204.31, Port=6881, Node ID=4804ef8cfa5273c314fc3f0318051e00feef07ef
Node 73: IP=27.63.191.27, Port=62077, Node ID=4804ee51b48b668e770b622cfab54a96067ac048
Node 74: IP=157.48.138.200, Port=37731, Node ID=4804ec5cbb818ccd068621f15ef18195492fc487
Node 75: IP=173.82.155.70, Port=6881, Node ID=4804e974e4d0b19050334437d4e1a7b748a60999
Node 76: IP=79.95.127.27, Port=50289, Node ID=4804ec39b6529ed4634b1a9b241b75f57581f2d0
Node 77: IP=18.223.137.220, Port=6881, Node ID=4804e974e4d0b1905033a8d064fbf862e10783ae
Node 78: IP=189.153.249.204, Port=47551, Node ID=4804e974e4d0b19050334437d4e1a74daf360bb0
Node 79: IP=35.155.156.153, Port=6881, Node ID=4804f32226553db5c077b17b35513d9c166d160d
Node 80: IP=223.77.113.145, Port=3477, Node ID=4804f02ad1b9a54324a36c4d9273714fe42a7e7c
Node 81: IP=113.11.183.70, Port=61787, Node ID=4804f0cc3eef7d593628b4cf0d57777bfa47a6ac
Node 82: IP=223.189.241.145, Port=11808, Node ID=4804f279059d9f115798477811cf508ac3c7608c
Node 83: IP=37.195.131.7, Port=26331, Node ID=4804fdd6ae529049f1f1bbe9ebb3a6db3c870ce1
Node 84: IP=49.34.72.8, Port=52307, Node ID=4805f7ab615f7a71dc9e51aacf5856a1dc26236d
Node 85: IP=193.123.249.239, Port=16384, Node ID=48058d67a450ee74b6962ded13a058b793518e93
Node 86: IP=194.190.49.35, Port=24750, Node ID=48057cd49fe5b0a2fa6881157e73b8ae505e0f1b
Node 87: IP=47.210.95.194, Port=31182, Node ID=48052dd6ae529049f1f1bbe9ebb3a6db3c870ce1
Node 88: IP=195.13.255.56, Port=23743, Node ID=48058e66341cba3b5f4d1a7e2febe93f527d78cb
Node 89: IP=153.144.68.97, Port=60822, Node ID=48059726663f227882506b2a4bbf9ceefbdf5998
Node 90: IP=112.8.184.118, Port=4026, Node ID=4805a8bf9ec3cc04acbb745f49a36019f91291fb
Node 91: IP=91.233.166.138, Port=35228, Node ID=4805ca234d9116e110def799c1145a7eba67edf0
Node 92: IP=175.113.5.150, Port=33056, Node ID=4806358149f41e58f056a98616c14f5d0e5b2bb7
Node 93: IP=45.142.182.96, Port=61044, Node ID=4806b4f6b84819f9cdf08383ec7818f8ef228533
Node 94: IP=87.227.141.57, Port=21521, Node ID=4806afb38c937ac418f28f2b2e105d89fc2bba48
Node 95: IP=59.24.116.113, Port=10584, Node ID=480648d6ae529049f1f1bbe9ebb3a6db3c870ce1
Node 96: IP=2.154.177.248, Port=51413, Node ID=480688c89ca0334581a840800e19d348d73af421
Node 97: IP=99.246.89.161, Port=58242, Node ID=4807636af00a693352f2c90b23b61c7bd8c69fe4
Node 98: IP=1.36.20.240, Port=27527, Node ID=4806fb3d0823d07f3fc54b2352d48a60e8661a22
Node 99: IP=213.135.133.100, Port=64439, Node ID=4806b45f638beaf64a12e0b56adb4a6d9f637da4
Node 100: IP=69.118.230.255, Port=35086, Node ID=480ee7f241c403114eaffc28f118058b726e06cf
Node 101: IP=106.211.52.46, Port=14729, Node ID=480afe509f8c7b9a1ab0cd5e1c8fedeb6d025c11
Node 102: IP=46.53.240.141, Port=30635, Node ID=4809aaec8188d028a01527ae8ca92def2e395db6
Node 103: IP=200.86.255.240, Port=50321, Node ID=480a11c74071e384838061ee06290e2bf11375dd
Node 104: IP=188.23.97.65, Port=6892, Node ID=480896194dc9f8aa8dce84b29aae62bddb3c7b6a
Node 105: IP=96.35.120.243, Port=52673, Node ID=4808d1f837b8edd57aa05c4efa9f21fc3c3685d9
Node 106: IP=170.51.105.28, Port=39636, Node ID=48088fca987e88293a9e5d520890ae2774d39246
Node 107: IP=91.121.7.176, Port=53340, Node ID=4808671481fefd4c6109672da7384026ecbff140
Node 108: IP=211.247.36.247, Port=11819, Node ID=48102ef1f1bbe9ebb3a6db3c870c3e99245e0d90
Node 109: IP=211.221.152.25, Port=31665, Node ID=4810bba2b903a89ebc51f7473e94128612a0916a
Node 110: IP=174.88.149.103, Port=3975, Node ID=481026d9e3f45fbb15062a9f3ebb5de95dddee6e
Node 111: IP=73.97.48.230, Port=6881, Node ID=48107a584afcd4fcb4a2ee05e34e6bcbcd6d5497
Node 112: IP=138.94.53.243, Port=23532, Node ID=481e885ed3a91b0ca4341f94fcc757eb688f79ba
Node 113: IP=113.14.128.57, Port=8999, Node ID=4810f39df4972dec677ea5e6bd49dc01124c6633
Node 114: IP=217.43.43.99, Port=6889, Node ID=4815a955bfa3857afe042f11859d2de971490fba
Node 115: IP=178.34.158.37, Port=64889, Node ID=481e44aaa922c6918b986056a0fd7bbcbc878fff
Node 116: IP=191.189.19.172, Port=4659, Node ID=482433dabda0c59b3b209675021326c93815718d
Node 117: IP=37.48.111.199, Port=62292, Node ID=483786facc2cb57a54c057f85c94b69723677f5c
Node 118: IP=187.74.91.174, Port=6881, Node ID=482540e4418d506bcabc66dd5ca4252078bcd33c
Node 119: IP=65.19.134.36, Port=6881, Node ID=48304b7549697250c365d47861505b608d1bd29e
Node 120: IP=58.189.221.66, Port=8250, Node ID=482dceacc68c6ce61ac465520d8e6485275dd9b7
Node 121: IP=5.196.75.146, Port=6881, Node ID=482ab6a66f6e64ff96ddb80d4c45923187990e33
Node 122: IP=178.195.68.148, Port=57139, Node ID=48336589a6debc4a84701430784694b6307a5427
Node 123: IP=24.62.122.53, Port=6881, Node ID=482b1cae5ff576ed518d7d29308b9ecee8764515
Node 124: IP=171.42.61.196, Port=51413, Node ID=484d25e01dbb5b9d73b3dee95d0f63de9590a812
Node 125: IP=78.138.185.101, Port=21526, Node ID=48510123b318df1777329eeff2f6ef697ab6e6dc
Node 126: IP=213.24.126.19, Port=13569, Node ID=4848a43b3d9a4d01e6e4d572bb32c35d18fdfe94
Node 127: IP=78.192.63.16, Port=13215, Node ID=485366426217271fb1bad1a2de4e057f1f4633f1
Node 128: IP=84.52.216.104, Port=62141, Node ID=48520202f0958979f58ada310bcfbbc2fb556561
Node 129: IP=2.47.147.40, Port=28528, Node ID=48477763c38492ab08a3aa3ff03f1c55ad514ffc
Node 130: IP=5.9.6.196, Port=50001, Node ID=484030a715d0cefe53665b863648ba72a684af44
Node 131: IP=46.232.211.220, Port=22409, Node ID=4847d0c2f2de71376965af95582e0839f58eaf2f
Node 132: IP=47.61.99.94, Port=45682, Node ID=489ff6c762cad903f4849d28727d91ea9422c541
Node 133: IP=93.100.178.117, Port=49001, Node ID=4894be6ca4341582c947acf356a4e113ab9441e2
Node 134: IP=218.31.193.17, Port=5138, Node ID=489c0c0ba2ba233fe66583b51fb7709f39019d84
Node 135: IP=185.193.196.152, Port=1801, Node ID=48bb329c35e899f99e95d53937a043bfb2f6351f
Node 136: IP=54.153.139.11, Port=12498, Node ID=48b9e96eb096cdf1e369d25553524e3205890ef4
Node 137: IP=88.204.29.201, Port=49001, Node ID=48853c783dfabc87b5e637114f3f3a8943bfbe4a
Node 138: IP=108.20.119.70, Port=57277, Node ID=48af3ee2194ed84aa33826b099b5ac6d67266e46
Node 139: IP=212.7.200.16, Port=51457, Node ID=48dbb979926cdf96fd6b91c6a0d3958bb17742f6
Node 140: IP=125.253.104.112, Port=24570, Node ID=4950a65179f655a3a54fee2a5d8096c41be6c361
Node 141: IP=159.138.22.50, Port=6969, Node ID=4e45564e322e56462e43424a52455348595cd16f
Node 142: IP=188.209.56.20, Port=28092, Node ID=49383a270cb6f7ca9ae70cce5be75b2330fbe627
Node 143: IP=46.233.56.122, Port=9346, Node ID=4963175f0a73307eb2ad24f39b5738c448362b7e
Node 144: IP=177.137.61.97, Port=29731, Node ID=494db8c615c53740cf8773a3402314dfd20cf704
Node 145: IP=113.73.242.53, Port=33867, Node ID=4905ab16ed92d664de725aa3f6e805c27ee394d4
Node 146: IP=192.81.128.206, Port=6891, Node ID=4957e6f8e8647e0013dc2ae04fb710e342534b5f
Node 147: IP=176.63.12.200, Port=57458, Node ID=4929ddd6ae529049f1f1bbe9ebb3a6db3c870ce1
Node 148: IP=121.159.46.85, Port=41148, Node ID=4a844dbb7048135893a00f0edb7868f9ef845843
Node 149: IP=106.216.69.197, Port=3282, Node ID=4a2618a01eb5c109cf757ca84994ece1af875baf
Node 150: IP=89.179.47.89, Port=22903, Node ID=4bec176b2d27e55bd6fd35391adcd1f571737fb5
Node 151: IP=36.14.90.109, Port=8930, Node ID=4a30bcd210c67d3d00a22ea4a471cfd129fd1773
Node 152: IP=185.162.184.12, Port=59547, Node ID=4a54af79303047847d4f0c8fe2fcfcd7ae082b90
Node 153: IP=78.20.221.204, Port=57458, Node ID=4a49231d4e5629cd2ed70ffce9a044b1aa81e804
Node 154: IP=185.107.71.139, Port=28109, Node ID=4b0b66c3df12a456df34f3f39dfe07dd5e35af75
Node 155: IP=185.107.95.77, Port=28073, Node ID=4af86c9efc7046ac928d23411f4cf0b4d6940b53
Node 156: IP=136.243.151.244, Port=61580, Node ID=4e63a68414dc79dfe993f6837552d406045a22c9
Node 157: IP=108.46.251.196, Port=6881, Node ID=4c2d48ace0211080f9240cece9c671dac6456220
Node 158: IP=84.71.97.92, Port=55404, Node ID=4cd8447c4f75f92e70955beba15e6ccd0e500108
Node 159: IP=78.22.229.83, Port=51413, Node ID=4ce80018438ac5a574a3cbf7ca024304ba48a61f
Node 160: IP=176.232.56.42, Port=62186, Node ID=4d955d49f1f1bbe9ebb3a6db3c870c3e99245e52
Node 161: IP=37.42.40.115, Port=46334, Node ID=4c6888a9fe15215b7b255a48c0c62e1a9d60d9f7
Node 162: IP=199.36.223.15, Port=21665, Node ID=4eb7eecd8b60136c92a1184fe4dd05bf54e9fee3
Node 163: IP=114.31.210.42, Port=6881, Node ID=4c39557eb6debe386b9b1df6116d0d14171edf67
Node 164: IP=140.249.62.48, Port=6886, Node ID=51012e72869f509227ee8c3f09b5ac8522b6d858
Node 165: IP=218.91.199.146, Port=6889, Node ID=50029b881f6e3c75ca1efb336c5ca9cface46a13
Node 166: IP=121.32.0.192, Port=1553, Node ID=56afc48205a257dfa00bc05fc52abae9d99f61a0
Node 167: IP=124.229.40.30, Port=6881, Node ID=51c26cb08fd4fe4a2f38315ce77794ad6d9c5353
Node 168: IP=45.87.251.34, Port=28047, Node ID=5cbe7db57e027faaa109d467fb461f09d400f9a1
Node 169: IP=188.80.202.8, Port=49001, Node ID=5f7405f330619359bad4aa854c2f1e9ec0719c85
Node 170: IP=125.139.28.20, Port=40894, Node ID=52e19b5fe342cbd264577f08555bb186f38cde7f
Node 171: IP=106.207.50.160, Port=6449, Node ID=50c222d06106a48350fd14c38a26650ad599dd77
Node 172: IP=187.149.124.245, Port=54686, Node ID=6ab6be63f673523e66058f410da8f284f96f7e67
Node 173: IP=47.39.14.179, Port=6881, Node ID=77a8fe36fc937bb83e7f7c30fa26714c8451c443
Node 174: IP=60.114.29.250, Port=6889, Node ID=607d95abf7caa6b4a830036ebbd9267bb57766e0
Node 175: IP=62.210.38.222, Port=6881, Node ID=7a268ddfef50b2728384f98b3e4be1626996ddea
Node 176: IP=69.243.64.15, Port=6882, Node ID=609a22d36745d1e5c0bec1f67f8bacedb2ccd247
Node 177: IP=186.81.118.176, Port=33361, Node ID=607df46925684201b1342c61900f7be9ca22d549
Node 178: IP=42.98.106.253, Port=27413, Node ID=6b034359c5e70218d60dc380d6a18dd3167e6153
Node 179: IP=167.179.150.46, Port=6881, Node ID=6627dc03f9fe5a961d67d76d47150df8264e5713
Node 180: IP=223.65.73.211, Port=17726, Node ID=ffced111d1263a864a5471cdcf3c845637c27960
Node 181: IP=51.159.104.81, Port=8305, Node ID=cecbddf184412b66d1bb5527ac63da8596776475
Node 182: IP=86.167.69.95, Port=6881, Node ID=ffcd90244880e2bd2ed8b4f1a811a142de01e6f7
Node 183: IP=178.48.211.7, Port=59084, Node ID=ffcd42e9ebb3a6db3c870c3e99245e0d1c06b7f1
Node 184: IP=178.147.94.14, Port=56953, Node ID=ffcdaaf2e2435329a66a7312725675e999e7d475
Node 185: IP=78.130.91.168, Port=55196, Node ID=ffcddcf1e452e685c422647dc3b15ce9c323efde
Node 186: IP=72.137.117.42, Port=6882, Node ID=ffcde04098b906b313dc61602f0b4a77368d7eb3
Node 187: IP=185.203.56.10, Port=6881, Node ID=c10c154e7276dd39ca694ddfb50cdd35348a6ed6

然后再写一个脚本来判断这些Node节点是否存活。

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31

# -*- coding: utf-8 -*-
# @Author  : 1cePeak

import socket

def check_node_availability(node):
    ip, port = node.split(':')

    # 创建TCP套接字
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(1)  # 设置连接超时时间为1秒

    try:
        # 尝试连接节点
        result = sock.connect_ex((ip, int(port)))
        if result == 0:
            print("节点 {} 存活".format(node))
        else:
            print("节点 {} 不可达".format(node))
    except socket.error:
        print("节点 {} 连接失败".format(node))
    finally:
        # 关闭套接字
        sock.close()

# DHT节点列表
nodes = ['ip:port', '...', 'ip:port']

# 遍历节点列表,检查节点是否存活
for node in nodes:
    check_node_availability(node)

最后发现有一个比较可疑的存活Node节点159.138.22.50:6969,访问之后发现提示:

You are not powerful :/

/images/1687165381670.png

Burpsuite抓包查看发现状态码是403,猜测需要带一些参数或者token访问,于是开始坐牢……🫤

/images/1687165500161.png

找到几篇比较靠谱的文章:

DHT出现之后,假设一个新的节点想要加入该网络,只需要获取到已经在网络中的任何一个node信息,向其发送find_node请求即可。想要获取某个info_hash的peer,也可直接发送get_peers,而无需连接到Tracker服务器。如此,DHT可理解为一个去中心化的P2P网络。 Torrent(种子)就保存了一个文件的一些信息,名字/长度/子文件目录/子文件长度等信息,其中最重要是拥有该文件的peers服务器,也因此,可以通过种子,向这些peers发送下载请求下载文件。

检索资料发现,6969端口一般是BT Tracker站点提供的服务,那么BT Tracker站点有什么用呢?有请ChaGPT来回答: BT Tracker 是 BitTorrent 协议中的一个重要组件,它具有以下作用:

  • 协调下载和上传:BT Tracker 充当了一个中央服务器的角色,它记录了参与特定种子的所有用户(也称为 peers)的信息,包括它们的 IP 地址和端口号。通过连接到 Tracker,下载者可以获取种子文件的相关信息,并与其他下载者建立连接来获取文件的各个分块。
  • 跟踪下载进度:Tracker 跟踪每个 peer 下载特定种子的进度,包括已下载和未下载的分块。这使得 Tracker 能够提供下载者有关其他 peer 的信息,例如哪些 peer 具有完整的文件,以及哪些分块还需要下载。
  • 提供种子健康度信息:Tracker 通过跟踪每个 peer 的进度,可以为特定种子提供健康度信息。这包括种子的可用性、下载速度和活动 peer 的数量等指标。下载者可以使用这些信息来选择最佳的 peer 进行连接,提高下载效率。
  • 维护用户统计信息:Tracker 还可以记录用户的下载和上传统计信息,如下载速度、上传量和分享比率等。这些信息可以用于维护 BitTorrent 社区中用户的参与度和公平性。 总而言之,BT Tracker 在 BitTorrent 下载过程中起到了协调和管理的作用,它使下载者能够找到其他下载者,并从中获取所需的文件分块,从而实现高效的文件共享和分发。

所以我们可以访问http://159.138.22.50:6969/announce,发现还是没有什么用。所以现在要解决的是如果去访问这个BT Tracker站点,通常情况下,当我们需要下载一个文件的时候会用到BitTorrent客户端,我们不如打开一个Motrix下载器看看,打开高级设置可以看到Aria的请求头aria2/1.35.0信息:

/images/1687166763204.png

那么,如何与BT Tracker站点通信呢? 与 BT Tracker 站点进行通信主要是通过发送 HTTP GET 请求来与 Tracker 服务器交互。以下是与 BT Tracker 站点通信的一般步骤:

  • 获取 Tracker URL:在您想要与之通信的 BT Tracker 站点上,通常会提供 Tracker URL。这是一个特定的 URL,用于连接到 Tracker 服务器并获取种子文件的 Peers 列表。
  • 构建请求 URL:将 Tracker URL 与您的下载信息(如种子哈希值、下载端口等)组合在一起,构建一个完整的请求 URL。请求 URL 的格式通常是将参数附加到 Tracker URL 后面,形成类似于:http://tracker.example.com/announce?info_hash=xxxxxx&port=xxxx 的 URL。
  • 发送 HTTP GET 请求:使用您选择的编程语言或工具,发送 HTTP GET 请求到构建的请求 URL。确保请求头中包含适当的 User-Agent 字段,以便 Tracker 服务器可以识别您的请求。示例中提到的 aria2/1.35.0 是一种常见的 User-Agent 标识。
  • 解析响应:接收到 Tracker 服务器的响应后,您需要解析响应数据以获取 Peers 列表和其他相关信息。通常,Tracker 服务器会返回一个字典或字节串形式的响应,其中包含了可用 Peers 的 IP 地址、端口号等信息。
  • 处理响应数据:根据 Tracker 服务器返回的数据格式和规范,您可以提取和处理所需的信息。您可能需要处理 Peer 列表、更新下载状态、计算上传下载速度等操作。
  • 保持通信:根据 Tracker 服务器的规则和约定,您可能需要定期与 Tracker 服务器进行通信以更新下载状态、提供健康信息等。这有助于维护您的下载连接和共享状态。

所以,当我们添加aria2/1.35.0请求头之后再去访问http://159.138.22.50:6969/announce可以发现出现了Nginx页面:

/images/1687167872480.png

保存页面上的Nginx图片到本地,使用十六进制编辑器打开可以发现藏了一个zip压缩包:

/images/1687167985176.png

打开之后发现是一个经过加密的压缩包,里面的文件是flag.torrent

/images/1687168052090.png

压缩包备注是Do you remember the last time we update dht.dat?,这里暗示压缩包的密码是dht.dat文件最后一次修改的时间,所以回过头来再提取dht.dat文件的MTIME时间。根据Aria官方文档的介绍:

MTIME: 8 bytes This is the time when aria2 saved the file. The value is the time since the Epoch(1970/1/1 00:00:00) in 64 bits integer.

所以我们可以直接从文件第8个字节开始提取,也就是0x000000006462E61C

/images/1687168504043.png

1
2

int('0x000000006462E61C ', 16)
# 1684203036

使用1684203036打开压缩包,再查看flag.torrent文件:

/images/1687168704303.png

1

d8:announce30:http://127.0.0.1:8080/announce7:comment7:crackme10:created by13:mktorrent 1.113:creation datei1686759814e4:infod6:lengthi40e4:name4:flag12:piece lengthi4e6:pieces200:

发现是一个使用Bencode编码的字典结构,表示一个种子文件的元数据信息。

  • announce表示Tracker的URL,是一个本地BT Tracker服务。
  • comment注释为crackme。
  • info表示文件的信息:
    • length为长度,一共40个字节。
    • name为flag。
    • piece length为分块大小,长度是4个字节。
    • pieces就是分块的哈希值。

接下来就是提取分块的哈希值:

/images/1687169519039.png

 1
 2
 3
 4
 5
 6
 7
 8
 9
10

284F3E527B475C0DCBE1A7AED94CE31539131545
E4AF700F9921ED71C190316CD5564F8CE1303F94
B4AA9BC1E62E19828A370C50A4CFF71BD9736BB4
AD2AF979ABD26A0A35CCA0218F32277D01B7F7D3
F9CCF51238CBEE2EE8282F28FF1A526A8A39D8E4
89B4EBDC6413BEC34138A3B63F23671932EA5696
9329C7181085B1D6484E4FBC826FB3C25CA25F32
AB4400A33C16525C50A2E6DDA8C05EACD5B3D7F0
386B00CD1573492BF3DD76DA57EB73759C7DE8E1
9DE01D0BC2F7B7440B99E96DAAF372F93E53B140

最后解密sha1,可以直接用somd5解密,也可以使用hashcat来跑字典。

/images/1687169391450.png

然后查询每一条sha1即可拿到flag。 如果用字典来跑的话可以先生成一个字典:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13

# -*- coding: utf-8 -*-
# @Author  : 1cePeak
import itertools
import string

# 生成所有可能的组合
combinations = itertools.product('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789{_}', repeat = 4)

# 将组合写入密码字典文件
with open('dictionary.txt', 'w') as f:
    for combination in combinations:
        password = ''.join(combination)
        f.write(password + '\n')

然后再用hashcat来跑:

1

hashcat -m 100 -a 0 40_bytes_hash_data.txt dictionary.txt

最终flag为SCTF{du4nq1k3_l0v3s_d0wnlO4d1ng_t0rRent},卒🤡

更新于 2023-06-20 
阅读原始文档
CTFWriteup
返回 | 主页
0%