
[TGHACK] s2s messaging - Forensics / Wireshark

SecurityMan 2022. 4. 14. 08:30

 

A network packet forensics challenge.

 

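According to the challenge description, communication between ships has been intercepted, and it asks whether we can find the message in it.

A single packet capture file, s2s.pcapng, is provided.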

 

 

The pcapng file can be opened with Wireshark.

After a quick look, the packets near the beginning do not seem to contain anything meaningful.

 

 

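Scrolling down a little, I found one suspicious packet whose protocol is listed as MQTT.

MQTT stands for Message Queuing Telemetry Transport, a messaging protocol that runs over TCP.

It is said to be commonly used for communication by embedded/IoT devices such as Arduino.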

 

 

To look at that packet in more detail, right-click it and choose Follow - TCP Stream.

 

 

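A window like this then opens.

It shows all of the transmitted TCP packets reassembled into one stream, and one part in the middle stands out.

There is an encoded value after `data :`, and since it contains symbols such as + and /, it looks like base64.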

 


 

Copy that value and take it to CyberChef (https://gchq.github.io/CyberChef/) to decode it.

 

 

Decoding it as base64 shows the text PNG at the very start.

A PNG file was being transmitted in encoded form.

The save button in the middle of the right-hand side lets you save the output to a file.

 

 

Clicking the save button brings up a dialog asking for a file name; enter a name for a PNG file.

 

 

Opening the saved PNG file reveals the flag.
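The same steps (take the MQTT PUBLISH payload, pull out the base64 after `data`, check for the PNG signature) can be scripted. This is an added example, not part of the original write-up; the topic name `ships/msg`, the JSON-like payload layout and the sample bytes are constructed assumptions, not values from s2s.pcapng.

```python
import base64
import re

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"  # 8-byte PNG file signature

def encode_remaining_length(n):
    """MQTT variable-length integer: 7 bits per byte, MSB set = more bytes follow."""
    out = bytearray()
    while True:
        n, digit = divmod(n, 128)
        out.append(digit | (0x80 if n else 0))
        if not n:
            return bytes(out)

def parse_publish(packet):
    """Return (topic, payload) from a single MQTT 3.1.1 PUBLISH packet."""
    if packet[0] >> 4 != 3:
        raise ValueError("not a PUBLISH packet")
    qos = (packet[0] >> 1) & 0x03
    length, shift, pos = 0, 0, 1
    while True:  # decode the Remaining Length field
        byte = packet[pos]
        pos += 1
        length |= (byte & 0x7F) << shift
        shift += 7
        if not byte & 0x80:
            break
    body = packet[pos:pos + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    tlen = int.from_bytes(body[:2], "big")
    topic = body[2:2 + tlen].decode("utf-8")
    offset = 2 + tlen + (2 if qos else 0)  # packet identifier exists only for QoS 1/2
    return topic, body[offset:]

def extract_png(payload):
    """Decode the base64 run that follows 'data'; return it only if it is a PNG."""
    m = re.search(rb"data\W{0,4}([A-Za-z0-9+/]{16,}={0,2})", payload)
    if not m:
        return None
    raw = base64.b64decode(m.group(1), validate=True)
    return raw if raw.startswith(PNG_MAGIC) else None

# Constructed sample: a PNG-like blob wrapped in a hypothetical PUBLISH packet.
SAMPLE_PNG = PNG_MAGIC + b"\x00\x00\x00\rIHDR" + bytes(193)
_topic = b"ships/msg"  # hypothetical topic name
_body = (len(_topic).to_bytes(2, "big") + _topic
         + b'{"data": "' + base64.b64encode(SAMPLE_PNG) + b'"}')
SAMPLE_PACKET = b"\x30" + encode_remaining_length(len(_body)) + _body
```

On a real capture, the bytes passed to `parse_publish` would be the reassembled TCP payload of the MQTT packet, and the returned PNG bytes can be written to disk with a `.png` name.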
