{"id":1143,"date":"2011-05-13T11:41:52","date_gmt":"2011-05-13T08:41:52","guid":{"rendered":"http:\/\/www.void.gr\/kargig\/blog\/?p=1143"},"modified":"2011-05-13T12:39:58","modified_gmt":"2011-05-13T09:39:58","slug":"fosswar-2011-how-we-did-it","status":"publish","type":"post","link":"https:\/\/www.void.gr\/kargig\/blog\/2011\/05\/13\/fosswar-2011-how-we-did-it\/","title":{"rendered":"Fosswar 2011 – How we did it"},"content":{"rendered":"

Intro<\/strong>
\nAs said in my previous post about Fosscomm 2011<\/a>, during the conference there was a wargame consisting of 5 challenges. We played in a team consisting mainly of the following members: manji\/manjiki<\/a>, trelo_mpifteki<\/a>, mickflemm and me. Along with us was maisk<\/a> mainly acting as our manager (!!) shouting at us when we did something he did not like. He was of course a great help (sometimes :P).<\/p>\n

Few words about the team<\/strong>
\nAs most people who regularly read this blog already know, I consider myself a sysadmin even though I currently work at a company that produces Linux based xDSL routers where I do most of the things required about networking and system interaction like QoS, VoIP, IPv6, firewall, etc. My coding is confined among the realms of scripting languages. Manji is also a sysadmin who has lately started to mess with VoIP. Trelo_mpifteki is mostly a java developer and so is maisk. mickflemm is a coder and a very good one, frequently messing with Linux kernel’s wireless driver support. Obviously, we are certainly not the typical wargame players…<\/p>\n

The challenges<\/strong>
\nBe sure to download the challenges from: http:\/\/patras.fosscomm.gr\/fosswar\/<\/a><\/p>\n

As soon as the wargame was on we split the challenges among us. Since mickflemm was the only coder he started to mess with challenge number 5 (reverse engineering). Me and trelo_mpifteki started to look at challenge number 1 (networking) while manji started poking at challenge number 3 (networking).<\/p>\n

Challenge 1<\/em><\/strong>:
\nType: Networking
\nPlayers: kargig, trelo_mpifteki
\nThe first challenge said just this:<\/p>\n

Connect to the elite port and find the secret message.<\/p><\/blockquote>\n

Everyone knows that elite = 31337
\nSo we just did a nc X.Y.Z.W 31337<\/code> (where X.Y.Z.W is the IP address of the server) and the following message appeared:<\/p>\n

IP protocol = 1
\nTimestamp
\nid = 1337
\nseq = 0xCAFE
\norig = 0xDEAD<\/p><\/blockquote>\n

As it is easily understood one must create a packet, the problem is what kind of packet. And then was when I did a huge mistake stalling my team for more than 10 mins by insisting that Protocol 1 is IP. So we started trying to create an IP packet using scapy<\/a>. Obviously we hit lots of problems because IP’s header clearly misses most of the above options, especially timestamp. Our next idea was to create a TCP packet in order to embed some of the options. This also lead to a dead end. The I looked again at my \/etc\/protocols file and I saw that Protocol 1 is ICMP. Timestamp<\/a> is type 13, code 0 and the rest are just options. So our solution was this:
\n

>>> packet_2= IP(dst='X.Y.Z.W')\/ICMP(type=13, id=1337, seq=0xcafe, ts_ori=0xdead)\n>>> send(packet_2)<\/code2><\/pre><\/p>\n
Using Wireshark we captured the response packet which looked like this (this setup is on my box atm):<\/p>\n
\"\"<\/a><\/p>\n
One can see the message: feedadeadface<\/strong> in it.<\/p>\n
Hint:<\/em>
\nIf you need to compile listenicmp.c yourself you have to do something like this:
\n
 # aptitude install libpcap-dev\n# gcc -o listenicmp listenicmp.c -lpcap<\/code2><\/pre><\/p>\n
Challenge 2<\/em><\/strong>:
\nType: Steganography
\nPlayers: kargig,trelo_mpifteki,maisk
\nFor this challenge the organizers gave us a hint what we needed to find was close to the end of the image.jpg and after “BAADF00D”.
\n
# hd image.jpg | tail -n 4\n000152a0  d4 4d 77 22 b9 9a 68 ba  ad f0 0d 78 9c 0b c9 c8  |.Mw"..h....x....|\n000152b0  2c 56 00 a2 44 85 e2 d4  e4 a2 d4 12 85 dc d4 e2  |,V..D...........|\n000152c0  e2 c4 f4 54 3d 00 72 da  08 ef                    |...T=.r...|\n000152ca\n<\/code2><\/pre><\/p>\n
so we found “ba ad f0 0d” and the next characters were “78 9c”. We googled those and came up with the result that it was the magic of zlib compression. So what we had to do was get the rest of the file after “ba ad f0 0d” and then uncompress that. To get the rest of the file we found the size of the file and subtracted the bytes (31) that were of interest to us:
\n
# du -b image.jpg\n86730  image.jpg\n# split -b 86699 image.jpg koko\n# mv kokoab final\n<\/code2><\/pre><\/p>\n
Then we run python to decompress “final” file.
\n
>>> import zlib\n>>> ourfile=file('final')\n>>> ourfile\n<open file 'final', mode 'r' at 0xb7473020>\n>>> chunk=ourfile.read()\n>>> chunk\n'x\\x9c\\x0b\\xc9\\xc8,V\\x00\\xa2D\\x85\\xe2\\xd4\\xe4\\xa2\\xd4\\x12\\x85\\xdc\\xd4\\xe2\\xe2\\xc4\\xf4T=\\x00r\\xda\\x08\\xef'\n>>> zlib.decompress(chunk)\n'This is a secret message.'\n<\/code2><\/pre><\/p>\n
Challenge 3<\/em><\/strong>:
\nType: Networking
\nPlayers: manji,maisk,kargig<\/p>\n
While me and trelo_mpifteki were trying to solve challenges 1 and 2, manji was looking into challenge 3 pcap file for weird things. Once again we were given a hint that we needed to look at strange headers. Finding strange headers in a 800+ kb pcap file is not an easy task though. At a point manji was looking for very big sequence numbers…and then we got another hint, that we shouldn’t look at those big numbers at all. When me and trelo_mpifteki finished the other two challenges we started looking at Wireshark.
\nWe applied the following filter:
\n(ip.host == 64.22.109.100) && ((tcp.seq == 0) || (tcp.seq ==1))<\/code>
\nAnd the we had the following results in front of us:
\n\"\"<\/a><\/p>\n
Since we knew that the message was sent to “64.22.109.100” we needed to look at packets originating from “192.168.1.3”. The first thing I noticed were packets with strange TTLs, they were going up and down..so I made a guess that the secret message could be hidden there. Transforming those TTL values to ASCII was a dead end. Then we started to look closer at every packet that 192.168.1.3 sent to 64.22.109.100 and we grouped them by destination port. There was clearly something going on with destination port 58900. A careful eye will also notice that packets towards port 58900 don’t have an MSS set while others mostly do. So, we expanded our filter with packets that also had destination port 58900:
\n((ip.host == 64.22.109.100) && ((tcp.seq == 0) || (tcp.seq ==1))) && (tcp.dstport == 58900)<\/code>
\nand came up with this:
\n\"\"<\/a><\/p>\n
If you look closely at the selected packet from Wireshark, you’ll see that the sequence number while set to 0 (zero) contains the letter ‘r’ inside it. The next packet contained the letter ‘o’ and the next one the letter ‘t’. Writing all these letters down we had this sequence:<\/p>\n
r
\no
\nt   <\/p>\n
q
\nr
\nn
\nq
\no
\nr
\nr
\ns\n <\/p><\/blockquote>\n
That was a rot13 encrypted message! with google’s help we found a rot13 decryptor. The decrypted message was:
\nD E A D B E E F <\/strong><\/p>\n
That’s it! we had 3 out of 5 while no other team had more than 2. So we had wooooon! Congrats to everyone on our team!<\/p>\n","protected":false},"excerpt":{"rendered":"
Intro As said in my previous post about Fosscomm 2011, during the conference there was a wargame consisting of 5 challenges. We played in a team consisting mainly of the following members: manji\/manjiki, trelo_mpifteki, mickflemm and me. Along with us was maisk mainly acting as our manager (!!) shouting at us when we did something […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"ep_exclude_from_search":false,"footnotes":""},"categories":[6,1,5,3,8,4],"tags":[79,360,364,369,368,371,374,372,375,599,376,367,370,365,373,363,366],"class_list":["post-1143","post","type-post","status-publish","format-standard","hentry","category-encryption","category-general","category-internet","category-linux","category-networking","category-privacy","tag-fosscomm","tag-fosscomm-2011","tag-fosswar","tag-hd","tag-hexdump","tag-icmp","tag-maisk","tag-manji","tag-mickflemm","tag-networking","tag-rot13","tag-scapy","tag-split","tag-steganography","tag-trelo_mpifteki","tag-wargame","tag-wireshark"],"aioseo_notices":[],"views":11845,"_links":{"self":[{"href":"https:\/\/www.void.gr\/kargig\/blog\/wp-json\/wp\/v2\/posts\/1143","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.void.gr\/kargig\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.void.gr\/kargig\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.void.gr\/kargig\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.void.gr\/kargig\/blog\/wp-json\/wp\/v2\/comments?post=1143"}],"version-history":[{"count":23,"href":"https:\/\/www.void.gr\/kargig\/blog\/wp-json\/wp\/v2\/posts\/1143\/revisions"}],"predecessor-version":[{"id":1170,"href":"https:\/\/www.void.gr\/kargig\/blog\/wp-json\/wp\/v2\/posts\/1143\/revisions\/1170"}],"wp:attachment":[{"href":"https:\/\/www.void.gr\/kargig\/blog\/wp-json\/wp\/v2\/media?parent=1143"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.void.gr\/kargig\/blog\/wp-json\/wp\/v2\/categories?post=1143"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.void.gr\/kargig\/blog\/wp-json\/wp\/v2\/tags?post=1143"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}