PicoCTF - Torrent Analyze
Background
What are seeds, peers and leechers in Torrents' language? Choosing peers carefully is the key to fast BT downloads!
- Number of seeds: a seed (the "seeder" in everyday usage) is a BT participant that holds the complete file and is the main provider of it. The more seeds there are, the more BT sharing bandwidth is available, and the faster the download.
- Ratio of seeds to peers: a peer (a BT participant that does not yet have the complete file) can download from seeds and from other peers at the same time, but peers compete with each other for the limited BT download bandwidth. So the more peers there are, the less sharing bandwidth each one gets, and speed suffers accordingly.
How to use a BT info hash to download the corresponding .torrent file
Description & Hint
SOS, someone is torrenting on our network. One of your colleagues has been using torrent to download some files on the company's network. Can you identify the file(s) that were downloaded? The file name will be the flag, like picoCTF(unknown).
Hint 1: Download and open the file with a packet analyzer like Wireshark.
Hint 2: You may want to enable BitTorrent protocol (BT-DHT, etc.) on Wireshark. Analyze -> Enabled Protocols
Hint 3: Try to understand peers, leechers and seeds. Article
Hint 4: The file name ends with .iso
Recon
This is a very interesting challenge, but I had never used BitTorrent and had no background on info hashes at all, so I learned a lot from reading write-up 1.
- In short, this pcap records traffic from a download/upload over BitTorrent, and we have to find the name of the file being transferred. The interesting part is that a P2P transfer over BitTorrent necessarily carries the file's info hash, which identifies the content, so we only need to pick out the BitTorrent DHT (UDP) packets that carry an info_hash and then look the hash up online.
- Set the filter to
bt-dht contains "info_hash"
With that filter applied, every bt-dht packet shown carries an info_hash key. There are many different info hashes, though, and trying them one by one is tedious, so I wrote a script to dump them; in the end there are only 8 distinct ones. But if you print every packet regardless of duplicates, it is obvious that the last one, e2467cbf021192c241367b892230dc1e05c0580e, appears most often, so that should be the answer: an .iso is usually large, so its download should account for the most packets.
Exploit
import pyshark

# Apply the same display filter as in Wireshark, so only DHT packets carrying an info_hash are read.
capture = pyshark.FileCapture('PicoCTF/Misc/Torrent Analyze/torrent.pcap', display_filter='bt-dht contains "info_hash"')
info_hashs = []
for pkt in capture:
    # layers[3] is the bt-dht layer, assuming the usual eth / ip / udp / bt-dht layering of this pcap.
    info_hash = pkt.layers[3].get_field_by_showname('info_hash').showname_value
    # Print each distinct hash once; drop this check to see how often each hash repeats.
    if info_hash not in info_hashs:
        print(info_hash)
        info_hashs.append(info_hash)
capture.close()
Info Hash: e2467cbf021192c241367b892230dc1e05c0580e
File Name: ubuntu-19.10-desktop-amd64.iso
Flag: picoCTF{ubuntu-19.10-desktop-amd64.iso}
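The same tally can be reproduced without tshark/pyshark by decoding the bencoded KRPC messages that the DHT sends over UDP and counting the info_hash each query carries. This is an added example, not the write-up's script; the sample messages, HASH_B and NODE_ID are constructed here, and only HASH_A comes from the write-up.

```python
# Added example (not from the write-up): decode bencoded BitTorrent DHT (KRPC)
# messages and tally the info_hash they carry, mirroring the pyshark step above.
from collections import Counter

def bdecode(data: bytes, i: int = 0):
    """Decode one bencoded value at offset i; return (value, next_offset)."""
    c = data[i:i + 1]
    if c == b'i':                        # integer: i<digits>e
        end = data.index(b'e', i)
        return int(data[i + 1:end]), end + 1
    if c == b'l':                        # list: l<items>e
        items, i = [], i + 1
        while data[i:i + 1] != b'e':
            v, i = bdecode(data, i)
            items.append(v)
        return items, i + 1
    if c == b'd':                        # dict: d<key><value>...e (keys are byte strings)
        d, i = {}, i + 1
        while data[i:i + 1] != b'e':
            k, i = bdecode(data, i)
            d[k], i = bdecode(data, i)
        return d, i + 1
    colon = data.index(b':', i)          # byte string: <len>:<bytes>
    n = int(data[i:colon])
    return data[colon + 1:colon + 1 + n], colon + 1 + n

def info_hash_of(msg: bytes):
    """Hex info_hash of a get_peers/announce_peer query (its 'a' args dict), else None."""
    d, _ = bdecode(msg)
    h = d.get(b'a', {}).get(b'info_hash') if isinstance(d, dict) else None
    return h.hex() if isinstance(h, bytes) and len(h) == 20 else None

def most_common_info_hash(payloads):
    """Tally info_hash over UDP payloads; the large .iso transfer dominates the count."""
    counts = Counter(h for h in map(info_hash_of, payloads) if h)
    return counts.most_common(1)[0] if counts else None

# Constructed sample traffic: two get_peers for HASH_A, one for HASH_B, one ping.
HASH_A = bytes.fromhex('e2467cbf021192c241367b892230dc1e05c0580e')  # hash from the write-up
HASH_B = bytes(range(20))                                           # arbitrary second hash
NODE_ID = b'\x11' * 20                                              # arbitrary querying node id

def get_peers(h: bytes) -> bytes:
    return b'd1:ad2:id20:' + NODE_ID + b'9:info_hash20:' + h + b'e1:q9:get_peers1:t2:aa1:y1:qe'

SAMPLE = [get_peers(HASH_A), get_peers(HASH_B), get_peers(HASH_A),
          b'd1:ad2:id20:' + NODE_ID + b'e1:q4:ping1:t2:aa1:y1:qe']
```

On a real capture, feed `most_common_info_hash` the UDP payloads of the DHT packets (for example, exported from Wireshark) instead of SAMPLE; the returned hash is then looked up as in the write-up.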