比赛地址：2025数字中国创新大赛数字安全赛道时空数据安全赛题暨三明市第五届“红明谷”杯大赛初赛

比赛时间：22 Mar 2025 10:00 CST - 22 Mar 2025 15:00 CST

复现的题目用🔁标注

Misc

异常行为溯源

Challenge

异常行为溯源

题目内容：

某企业网络安全部门人员正在对企业网络资产受到的攻击行为进行溯源分析，该工作人员发现攻击者删除了一段时间内的访问日志数据，但是攻击者曾传输过已被删除的访问日志数据并且被流量监控设备捕获，工作人员对流量数据进行了初步过滤并提取出了相应数据包。已知该攻击者在开始时曾尝试低密度的攻击，发现未被相关安全人员及时发现后进行了连续多日的攻击，请协助企业排查并定位攻击者IP，flag格式为：flag{md5(IP)}

附件下载提取码（GAME）备用下载

Solution

附件是一个流量包network_traffic.pcap，先用 wireshark 打开分析一下

发现所有流量包的 Data 都有这样的 Base64 数据

进一步分析发现这里面有一段 Json 数据，并且还包含了一段 Base64 数据，于是再对这一段 Base64 解码

推测这实际上就是题目所说的访问日志数据

因此现在的目标就是先将 Data 中的数据提取出来，将其经过 Base64 解码得到 Json 数据，再提取出 Json 数据中 msg 对应的值并对其进行 Base64 解码操作，最后从这段访问日志数据中提取出开头的 IP 地址并对其进行分析

bash

1tshark -r network_traffic.pcap -T fields -e _ws.col.Info > output.txt

先把 Data 中的数据提取出来放到 output.txt 中

text

165794a74633263694f694a50564546315431526a6455317155586c4d616b6b3054464e4264456c4763336450517a6c4c57566330646b317151586c4f56473935545770764d5535366233704f6555467954555242643031474d47644a62454a51565446525a3077794d576868567a5232597a4a5761474e74546d394d626b4a7659304e4353565a47556c464d656b563154564e4a5a3031715158644a52456c36543052425a306c704d476c4a5130704f596a4e7763474a486547684d656c563154554e4262316b794f58526a523059775956644b6331705563326455566b354b556c4e424e5578715154644a526d5277596d3153646d517a545764556246466e546d6b3065453935516c566a62577872576c63314d4578365658564e553274705132633950534973496e5235634755694f694a4d623263745247463059534a39

此时 output.txt 中有若干行像上面这样的十六进制数据，要先将它们转成字符并保存到 output_ascii.txt 中

python

1import os2 3input_file_path = "output.txt"4output_file_path = "output_ascii.txt"5 6try:7    with open(input_file_path, "r", encoding="utf-8") as input_file, \8         open(output_file_path, "w", encoding="utf-8") as output_file:9 10        for line in input_file:11            hex_data = line.strip()12 13            try:14                byte_data = bytes.fromhex(hex_data)15                ascii_data = byte_data.decode("ascii")16 17                output_file.write(ascii_data + "\n")18            except ValueError as ve:19                print(f"无法解析十六进制数据: {hex_data}. 错误: {ve}")20            except UnicodeDecodeError as ude:21                print(f"无法将字节解码为ASCII: {hex_data}. 错误: {ude}")22 23except Exception as e:24    print(f"发生错误: {e}")

得到的 output_ascii.txt 有若干行形如下面的 Base64 数据

text

1eyJtc2ciOiJPVEF1T1RjdU1qUXlMakk0TFNBdElGc3dPQzlLWVc0dk1qQXlOVG95TWpvMU56b3pOeUFyTURBd01GMGdJbEJQVTFRZ0wyMWhhVzR2YzJWaGNtTm9MbkJvY0NCSVZGUlFMekV1TVNJZ01qQXdJREl6T0RBZ0lpMGlJQ0pOYjNwcGJHeGhMelV1TUNBb1kyOXRjR0YwYVdKc1pUc2dUVk5KUlNBNUxqQTdJRmRwYm1SdmQzTWdUbFFnTmk0eE95QlVjbWxrWlc1MEx6VXVNU2tpQ2c9PSIsInR5cGUiOiJMb2ctRGF0YSJ9

接着 Base64 解码得到 Json 数据

python

1import os2import base643 4input_file_path = "output_ascii.txt"5output_file_path = "output_json.txt"6 7try:8    with open(input_file_path, "r", encoding="utf-8") as input_file, \9         open(output_file_path, "w", encoding="utf-8") as output_file:10        11        for line in input_file:12            base64_data = line.strip()13            14            try:15                decoded_bytes = base64.b64decode(base64_data)16                decoded_text = decoded_bytes.decode("utf-8")17 18                output_file.write(decoded_text + "\n")19            except base64.binascii.Error as b64_err:20                print(f"无法解码Base64数据: {base64_data}. 错误: {b64_err}")21            except UnicodeDecodeError as ude:22                print(f"无法将字节解码为UTF-8: {base64_data}. 错误: {ude}")23 24except Exception as e:25    print(f"发生错误: {e}")

图中出现了一些报错，具体来说是有几条数据出现了损坏，我手动把它们补全了，得到的 output_json.txt 有若干行形如下面的 Base64 数据

json

1{"msg":"OTAuOTcuMjQyLjI4LSAtIFswOC9KYW4vMjAyNToyMjo1NzozNyArMDAwMF0gIlBPU1QgL21haW4vc2VhcmNoLnBocCBIVFRQLzEuMSIgMjAwIDIzODAgIi0iICJNb3ppbGxhLzUuMCAoY29tcGF0aWJsZTsgTVNJRSA5LjA7IFdpbmRvd3MgTlQgNi4xOyBUcmlkZW50LzUuMSkiCg==","type":"Log-Data"}

再读取出 msg 所对应的值并保存到 output_final.txt中

python

1import os2import base643import json4 5input_file_path = "output_json.txt"6output_file_path = "output_final.txt"7 8try:9    with open(input_file_path, "r", encoding="utf-8") as input_file, \10         open(output_file_path, "w", encoding="utf-8") as output_file:11        12        for line in input_file:13            json_data = line.strip()14 15            if not json_data:16                continue17            18            try:19                data = json.loads(json_data)20                21                # 如果解析成功，提取 msg 字段22                if "msg" not in data:23                    print(f"缺少 'msg' 字段: {json_data}")24                    continue25                26                base64_msg = data["msg"]27                28            except json.JSONDecodeError:29                # 如果解析失败，尝试修复 JSON 格式30                try:31                    # 修复 JSON 格式：在行前添加 {"msg":"32                    repaired_json_data = '{"msg":"' + json_data33                    data = json.loads(repaired_json_data)34                    35                    # 提取 msg 字段36                    base64_msg = data["msg"]37                except json.JSONDecodeError as jde:38                    print(f"无法解析或修复 JSON 数据: {json_data}. 错误: {jde}")39                    continue40            41            try:42                # Base64 解码 msg 字段43                decoded_bytes = base64.b64decode(base64_msg)44                45                # 将字节对象解码为字符串（假设是 UTF-8 编码）46                decoded_text = decoded_bytes.decode("utf-8")47                48                # 写入到输出文件49                output_file.write(decoded_text + "\n")50            except base64.binascii.Error as b64_err:51                print(f"无法解码 Base64 数据: {base64_msg}. 错误: {b64_err}")52            except UnicodeDecodeError as ude:53                print(f"无法将字节解码为 UTF-8: {base64_msg}. 错误: {ude}")54 55except Exception as e:56    print(f"发生错误: {e}")

虽然这次也有一些报错但我懒得管了，因为数据量足够大，少了这几条不会对统计的结果造成影响

最后再将这些 IP 地址提取出来，按照出现次数从高到低排序

python

1import re2from collections import Counter3 4input_file_path = "output_final.txt"5output_file_path = "sorted_ips_by_count.txt"6 7# 匹配 IP 地址8ip_pattern = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")9 10ip_counter = Counter()11 12try:13    with open(input_file_path, "r", encoding="utf-8") as input_file:14        for line in input_file:15            log_line = line.strip()16            if not log_line:17                continue18            19            # 提取 IP 地址20            match = ip_pattern.search(log_line)21            if match:22                ip_address = match.group(0)23                ip_counter[ip_address] += 124 25    sorted_ips = sorted(ip_counter.items(), key=lambda x: x[1], reverse=True)26 27    with open(output_file_path, "w", encoding="utf-8") as output_file:28        for ip, count in sorted_ips:29            output_file.write(f"{ip} ({count} times)\n")30 31except Exception as e:32    print(f"发生错误: {e}")

得到了一个经过排序的 sorted_ips_by_count.txt，前面几条内容如下

text

135.127.46.111 (67 times)2199.250.217.171 (6 times)3181.73.51.10 (5 times)4159.242.64.164 (5 times)5196.133.63.166 (5 times)

35.127.46.111 的出现次数远超其他的出现次数，显然答案就是 35.127.46.111

flag

🚩flag{475ed6d7f74f586fb265f52eb42039b6}