hack.lu CTF 2019 Writeup

URL: https://fluxfingersforfuture.fluxfingers.net/challenges/

以下は、チャレンジ一覧です。

実は、解けてないですが、なんとなく方向性はあってる気がするのでWriteup残しておきます。

[Misc]: Futuristic Communication

Challenge

Communication in the future is a big thing. With the rising amount of data in the internet new handshake techniques are required. Here is my implementation, where I can identify who did request which resources.

Remark: The remote host in the PCAPs is not the host you have to connect to.

Note: Because we use network protocols in a very futuristic way, you should check your network setup like firewall or router if you have problems solving this challenge. Maybe it’s easier for you to use a cloud provider.

Announcements for Futuristic Communication
(Published on 2019-10-23 02:08:22)
Because we use network protocols in a very futuristic way, you should check your network setup like firewall or router if you have problems solving this challenge. Maybe it’s easier for you to use a cloud provider.

(Published on 2019-10-22 16:56:08)
Due to high load the server may sometimes have difficulty keeping up with processing identifiers which may cause the package to be dropped. Please insert a delay of about 1-2 seconds before sending a package containing an identifier to ensure those packages will be processed.

Attachments:

• futuristic_communication.pcapng

Welcome to handshake in future!
Your personal identifier is: 051733e3-ec47-4518-9ff9-9ec90af9b27b
Waiting for identification, on TCP port 13792
Identification successful. Waiting for further instructions.
Expecting handshake, on TCP port 38462, with sequence number 2339380618
Connection setup noticed. Your Commands:
synchronize
privileged
flag

All your TCP flags should be SYN flags.
synchronize... success
synchronize... success
synchronize... success
synchronize... success
synchronize... success
synchronize... success
synchronize... success
synchronize... success
synchronize... success
synchronize... success
synchronize... success
synchronize... success
synchronize... success
synchronize... success
synchronize... success
synchronize... success
synchronize... success
synchronize... success
synchronize... success
synchronize... success
synchronize... success
synchronize... success
synchronize... success
synchronize... success
Check if the connection is synchronized.
Connection synchronized. Entering privileged mode.
flag{only-to-show-now-comes-flag}

“tcp.port==13792” でフィルターすると、受け取った personal identifier を SYNパケットにくっつけて送っているのが見えます。

これを見る限り、SYNを送った後にまずRSTが返り、その後SYN/ACKが返ってくるように見えます。

とりあえず、ここまでの処理をScapyを使って書きました。

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32

#!/usr/bin/env python
# -*- coding:utf-8 -*-
from pwn import *
from scapy.all import *

host, port = '31.22.123.60', 1337
s = remote(host, port)
msg = s.recvline()
msg = s.recvline()
id = re.findall(r"Your personal identifier is: (.*)\n", msg)[0]
# print id

msg = s.recvline()
port = int(re.findall(r"Waiting for identification, on TCP port (.*)\n", msg)[0])
# print port

srcport = 37614
pkt=IP(dst="31.22.123.60")/TCP(dport=port, sport=srcport)/id
send(pkt)

msg = s.recvuntil("with sequence number")
port = int(re.findall(r"Expecting handshake, on TCP port (.*), ", msg)[0])
print port

msg = s.recvuntil("\n")
seqnum  = msg.strip()
print seqnum
pkt=IP(dst="31.22.123.60")/TCP(flags='S',dport=port,sport=srcport,seq=int(seqnum))
sleep(2)
ans=sr(pkt)
sleep(1)
## This fails with "Invalid packet. Exiting" error...

以下、Follow TCP Streamです。

Welcome to handshake in future!
Your personal identifier is: ae08b500-d644-47fa-9c7e-23acbd82d00f
Waiting for identification, on TCP port 20428
Identification successful. Waiting for further instructions.
Expecting handshake, on TCP port 54538, with sequence number 728714096
Invalid packet. Exiting     <==これ

Mac OSだと、pfctlでやるみたいです。