Hack.lu CTF 2021 - MISC - Emergency Operations (Mid)
Dave is a notoriously bored system administrator at RipOffMobileNetworks. During the GME frenzy, Dave really got into /r/wallstreetbets, and wants to share some insider knowledge with his fellow traders. Since Dave likes his job, and doesn’t want the SEC to get involved, he decided to not post his info on reddit, but use the tools he has at hand to distribute his message. Unfortunately, Dave wasn’t particularly stealthy in his attempt, and got caught misusing mobile network infrastructure. He even tried to spread his news via the network. All that we could find so far is a traffic dump and a mysterious note he posted online, saying “DLT=149”.
Can you figure out what action Dave wants his folks to take?
Note: Flag format is non-standard. It is not wrapped in flag{}.
This is the first key point of the challenge. From the description, the protocol Dave used is most likely a mobile-device protocol, and Wireshark identifies the capture directly as PKTAP, which seems to fit the story. However, analysing the PKTAP identifier fields shows a trailing portion that cannot be explained. Only from the players' discussion after the contest did I learn that the header of every frame starts with 0xbeefdead, which also confirms why PKTAP was wrong (a header length of 2917068734 is hardly plausible).
Recall that the challenge stresses "DLT=149". A web search shows that this value corresponds to DLT_USER=2, and the parameter can be set in Wireshark (Edit → Preferences → Protocols → DLT_USER → Edit → add a User 2 entry). At this point the protocol is still not recognised, because the Payload protocol field that follows has not been set.
We know that bits 2 and 3 of each message indicate GSM 7-bit encoding, stored in little-endian order. Following this clue, the frames of length 139 (frame.len == 139) are the ones carrying the message; every two frames form one exchange, and the group repeats every 8 frames.
Extracting the data d332 6c36 d429 cc20 and decoding it gives SellTSLA, which is the flag.
# -*- coding: utf-8 -*-
# @Project: ctf-exp
# @File : tmp
# @Author : Tr0jAn <tr0jan@birkenwald.cn>
# @Date : 2021-11-02
def gsm7decode(f):
    # Hex string -> one 8-bit binary string per byte, byte order reversed
    # (little-endian), then concatenated into a single bit string.
    f = ''.join(["{0:08b}".format(int(f[i:i + 2], 16)) for i in range(0, len(f), 2)][::-1])
    # Read the bit string from the least significant end in 7-bit septets;
    # each septet is reversed back so int() sees it MSB-first.
    # The leftover padding bits of a 16-bit chunk decode to '\x00'.
    return ''.join([chr(int(f[::-1][i:i + 7][::-1], 2)) for i in range(0, len(f), 7)])

cipher = ['d332', '6c36', 'd429', 'cc20']
for c in cipher:
    # Drop the '\x00' produced by the padding bits of each chunk.
    print(gsm7decode(c).replace("\x00", ""), end="")
# SellTSLA
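A more general GSM 03.38 septet unpacker, with the matching packer, added here as an example; it is not part of the original writeup or its script. It decodes the four 2-byte chunks above without the '\x00' padding artefact, and also shows that the same eight characters packed continuously, as a single SMS user-data field would carry them, take 7 bytes rather than 8. Only the hex chunks come from the writeup; the function names are my own.

```python
from typing import Optional

# GSM 03.38 7-bit septet packing/unpacking, LSB-first as in an SMS TP-User-Data
# field. Added example; only the hex chunks below come from the writeup.
CHUNKS = ["d332", "6c36", "d429", "cc20"]  # the four 2-byte payloads from the capture


def gsm7_unpack(data: bytes, septets: Optional[int] = None) -> str:
    """Unpack `septets` 7-bit characters from little-endian packed `data`.

    If `septets` is not given, decode as many full septets as fit, so the
    padding bits of the last byte are dropped instead of decoding to '\\x00'.
    chr() is only valid here because letters and digits occupy the same
    positions in the GSM default alphabet as in ASCII; text with symbols
    (e.g. septet 0x00 is '@', not NUL) needs the full GSM 03.38 table.
    """
    if septets is None:
        septets = len(data) * 8 // 7
    bits = int.from_bytes(data, "little")
    return "".join(chr((bits >> (7 * i)) & 0x7F) for i in range(septets))


def gsm7_pack(text: str) -> bytes:
    """Pack characters into septets, first character in the low 7 bits."""
    bits = 0
    for i, ch in enumerate(text):
        bits |= (ord(ch) & 0x7F) << (7 * i)
    return bits.to_bytes((len(text) * 7 + 7) // 8, "little")


def decode_chunks(chunks=CHUNKS) -> str:
    """Each frame carries two characters packed into its own 2-byte field."""
    return "".join(gsm7_unpack(bytes.fromhex(c)) for c in chunks)


if __name__ == "__main__":
    flag = decode_chunks()
    print(flag)  # SellTSLA
    # The same text as one continuous septet string is 7 bytes, not 8.
    packed = gsm7_pack(flag)
    print(packed.hex(), gsm7_unpack(packed, len(flag)))
```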