3. 心仪的公司 (My Dream Company)
First download the attachment: a Wireshark capture whose file name contains "webshell". Open it in Wireshark and narrow the view down to the relevant HTTP traffic with the display filter http contains "shell".
Select the last matching packet and use Follow HTTP Stream; the flag is in that stream.
15. simple_transfer
The attachment is a pcap file, so open it in Wireshark. The challenge hint says the file contains a flag, which means the flag is somewhere in the data stream. Use Wireshark's Find Packet with the "Packet bytes" option to search for the string flag, as shown in the figure:
The hit shows that a PDF is hidden inside the capture, so the natural next step is file carving: binwalk together with dd, or foremost.
17. 安恒 September Contest - Ditf
Start with the image: binwalk reports an embedded file, and carving with foremost yields a RAR archive containing a pcapng. The RAR archive is password-protected.
Guessing that the password is hidden in the image, open it in 010 Editor. It reports a CRC error, which suggests image steganography (the stored height was altered); after correcting the height, a string appears: StRe1izia
This is the archive password, and the archive opens. Searching the pcapng for keywords such as ctf finds nothing, but searching for the string png turns up kiss.png. Right-click it and Follow HTTP Stream, which reveals a mysterious string:
base64-decoding it gives
and the flag is flag{Oz_4nd_Hir0_lov3_For3ver}
19. m0_01 - 太湖杯 (Taihu Cup) (USB traffic analysis)
Open the file in Wireshark: every packet's protocol is USB, so this is USB traffic analysis. The USB payload lives in Leftover Capture Data (the usb.capdata field). Two kinds of USB payload are common:
1. Mouse traffic data
Mouse reports are 4 bytes long:
Byte 1 is the button state:
0x00 means no button is pressed, 0x01 means the left button, and 0x02 means the right button is currently pressed.
Byte 2 is the horizontal offset, read as a signed byte whose high bit is the sign bit:
a positive value moves the pointer right by that many pixels, a negative value moves it left.
Byte 3 is the vertical offset:
a positive value moves the pointer up by that many pixels, a negative value moves it down.
2. Keyboard traffic data:
Keyboard reports are 8 bytes long.
Normally only bytes 1 and 3 carry information; if any other byte is non-0x00, several keys were probably pressed at the same time.
Byte 1 is the modifier (00 means no modifier; for these challenges, 02 and 20 are both treated as the Shift key).
Byte 3 is the keycode of the letter that was typed.
The remaining bytes are ignored for now.
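The keyboard case is handled by the script later in this write-up; for the mouse layout just described there is no script here, so the following is an added example (not part of the original write-up) that parses a constructed usb.capdata dump, accumulates the signed offsets into absolute coordinates, and keeps the positions reached while the left button was held, which can then be plotted. It assumes the tshark field-dump format used in this write-up and the sign convention given above.

```python
import re
# Constructed sample of `tshark -r cap.pcap -T fields -e usb.capdata` output for a
# USB mouse (not taken from the challenge file): 4-byte reports, byte 0 = buttons,
# byte 1 = X offset, byte 2 = Y offset, both signed. One blank line and one 8-byte
# keyboard report are included to show that they are skipped.
SAMPLE_CAPDATA = """\
00:05:00:00
00:05:00:00
01:00:00:00
01:03:fe:00
01:03:fe:00
00:00:00:00
00:f0:0a:00

00:00:04:00:00:00:00:00
02:00:00:00
"""

def to_signed(b):
    """Interpret one byte as a signed 8-bit value (two's complement)."""
    return b - 256 if b > 127 else b

def parse_mouse_reports(capdata_text):
    """Turn usb.capdata lines into (buttons, dx, dy) tuples. Accepts 'aa:bb:cc:dd'
    and 'aabbccdd'; blank lines and anything that is not exactly 4 bytes are skipped."""
    reports = []
    for line in capdata_text.splitlines():
        hexstr = line.strip().replace(":", "")
        if not re.fullmatch(r"[0-9a-fA-F]{8}", hexstr):
            continue
        b = bytes.fromhex(hexstr)
        reports.append((b[0], to_signed(b[1]), to_signed(b[2])))
    return reports

def trace_mouse(capdata_text):
    """Accumulate the relative offsets into absolute (x, y, buttons) positions starting
    at (0, 0). Positive y means 'up' as described above; flip it if a plot is upside down."""
    x = y = 0
    points = []
    for buttons, dx, dy in parse_mouse_reports(capdata_text):
        x += dx
        y += dy
        points.append((x, y, buttons))
    return points

def left_click_points(capdata_text):
    """Only the positions reached while the left button (0x01) was held."""
    return [(x, y) for x, y, btn in trace_mouse(capdata_text) if btn == 0x01]
```

Feeding the real dump in place of SAMPLE_CAPDATA and plotting left_click_points() reproduces whatever was drawn with the left button held.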
The Leftover Capture Data in this capture is hexadecimal and eight bytes long, so it is keyboard traffic. First extract it with:
tshark -r exa.pcap -T fields -e usb.capdata > 1.txt
tshark -r exa.pcap -T fields -e usb.capdata | sed '/^\s*$/d' > 1.txt #extract and strip blank lines
Then, using the keycode table from the HID keyboard section of the USB HID specification, write a script to recover the keystrokes:
import re

# HID keycode (byte 3 of the report) -> character, without and with Shift held
normalKeys = {"04": "a", "05": "b", "06": "c", "07": "d", "08": "e", "09": "f", "0a": "g", "0b": "h", "0c": "i",
              "0d": "j", "0e": "k", "0f": "l", "10": "m", "11": "n", "12": "o", "13": "p", "14": "q", "15": "r",
              "16": "s", "17": "t", "18": "u", "19": "v", "1a": "w", "1b": "x", "1c": "y", "1d": "z", "1e": "1",
              "1f": "2", "20": "3", "21": "4", "22": "5", "23": "6", "24": "7", "25": "8", "26": "9", "27": "0",
              "28": "<RET>", "29": "<ESC>", "2a": "<DEL>", "2b": "\t", "2c": "<SPACE>", "2d": "-", "2e": "=", "2f": "[",
              "30": "]", "31": "\\", "32": "<NON>", "33": ";", "34": "'", "35": "<GA>", "36": ",", "37": ".", "38": "/",
              "39": "<CAP>", "3a": "<F1>", "3b": "<F2>", "3c": "<F3>", "3d": "<F4>", "3e": "<F5>", "3f": "<F6>",
              "40": "<F7>", "41": "<F8>", "42": "<F9>", "43": "<F10>", "44": "<F11>", "45": "<F12>"}
shiftKeys = {"04": "A", "05": "B", "06": "C", "07": "D", "08": "E", "09": "F", "0a": "G", "0b": "H", "0c": "I",
             "0d": "J", "0e": "K", "0f": "L", "10": "M", "11": "N", "12": "O", "13": "P", "14": "Q", "15": "R",
             "16": "S", "17": "T", "18": "U", "19": "V", "1a": "W", "1b": "X", "1c": "Y", "1d": "Z", "1e": "!",
             "1f": "@", "20": "#", "21": "$", "22": "%", "23": "^", "24": "&", "25": "*", "26": "(", "27": ")",
             "28": "<RET>", "29": "<ESC>", "2a": "<DEL>", "2b": "\t", "2c": "<SPACE>", "2d": "_", "2e": "+", "2f": "{",
             "30": "}", "31": "|", "32": "<NON>", "33": "\"", "34": ":", "35": "<GA>", "36": "<", "37": ">", "38": "?",
             "39": "<CAP>", "3a": "<F1>", "3b": "<F2>", "3c": "<F3>", "3d": "<F4>", "3e": "<F5>", "3f": "<F6>",
             "40": "<F7>", "41": "<F8>", "42": "<F9>", "43": "<F10>", "44": "<F11>", "45": "<F12>"}

output = []
file = r'2.txt'  # the usb.capdata dump written by tshark above
with open(file, 'r') as f:
    contents = f.read().split()

for cont in contents:
    cont = cont.replace(':', '')  # newer tshark prints "00:00:10:00:...", normalise to "00001000..."
    if len(cont) != 16:
        continue  # not an 8-byte keyboard report
    # '0000100000000000' => ['00', '00', '10', '00', '00', '00', '00', '00']
    b = re.findall('.{2}', cont)
    modifier, reserved, key = b[0], b[1], b[2]
    # drop reports that are not a single key press: unknown modifier, reserved byte set,
    # key release (key == 00) or several keys pressed at once (bytes 4..8 non-zero)
    if modifier not in ('00', '02', '20') or reserved != '00' or key == '00' or any(x != '00' for x in b[3:]):
        continue
    if key not in normalKeys:
        output.append('<UNK>')  # keycode not in the table, keep a placeholder marker
    elif modifier == '00':
        output.append(normalKeys[key])  # no Shift
    else:
        output.append(shiftKeys[key])  # 02 (left Shift) or 20 (right Shift) held

print("Result:", output)
flag = "".join(output)
print(flag)
# text between two <CAP> markers was typed with Caps Lock on
flag = re.sub("<CAP>(.*?)<CAP>", lambda matchStr: matchStr.group(1).upper(), flag)
# repeatedly apply backspaces, e.g. aaaa<DEL><DEL> => aa
while re.search(r".<DEL>", flag, re.DOTALL):
    flag = re.sub(r".<DEL>", "", flag, flags=re.DOTALL)
print(flag)
The recovered text is a 云影密码 (01248 cipher): each letter is written as a group of the digits 1, 2, 4 and 8 whose sum is the letter's position in the alphabet, and groups are separated by 0. Decode it with the following script:
# -*- coding: utf-8 -*-
def decode(cipher):
    """Decode a 01248 cipher: '0' separates letters, and the digits of each group
    sum to the letter's position in the alphabet (A = 1)."""
    charList = [chr(i) for i in range(ord('A'), ord('Z') + 1)]
    ret = []
    plaintext = cipher.split('0')
    for group in plaintext:
        if not group:  # consecutive zeros would give an empty group; skip it
            continue
        tmp = 0
        for j in range(len(group)):
            tmp += int(group[j])
        ret.append(charList[tmp - 1])
    return ''.join(ret).lower()

c = decode('884080810882108108821042084010421')
print(c)