## Checking the problem statement

> https://goo.gl/R3CZmT

When I accessed this URL, a YouTube video named "Arcane Roots - Arp" played.

Since the PCAP file is network capture data, I was convinced that I needed to pay attention to ARP.

## Analyzing the PCAP file
Looking at the PCAP file, I could see the following.

- ARP resolution shows a duplicate (DUP) IP address.
- It appears that a suspicious host (c4:8e:8f:d0:3d:39) is carrying out a man-in-the-middle (MITM) attack using ARP forgery.
- The Attacker pretends to be the Gateway (10.0.0.138) to the Client (10.0.0.4), and pretends to be the Client to the Gateway.
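The duplicate-IP observation can be checked mechanically. The following is an added example, not code from the original write-up: it parses ARP frames and reports every IP claimed by more than one MAC, then flags a MAC that contests two or more IPs. The Gateway and Client MAC addresses and the sample frames are constructed placeholders; only the Attacker MAC and the two IP addresses come from the write-up.

```python
import struct
from collections import defaultdict

ATTACKER = "c4:8e:8f:d0:3d:39"      # MAC reported in the write-up
GATEWAY_MAC = "02:00:00:00:01:38"   # constructed placeholder, not from the capture
CLIENT_MAC = "02:00:00:00:00:04"    # constructed placeholder, not from the capture

def _mac(s): return bytes.fromhex(s.replace(":", ""))
def _ip(s): return bytes(int(x) for x in s.split("."))

def build_arp_reply(smac, sip, tmac, tip):
    """Build a constructed Ethernet + ARP reply frame (opcode 2) for the sample."""
    eth = _mac(tmac) + _mac(smac) + b"\x08\x06"
    hdr = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)
    return eth + hdr + _mac(smac) + _ip(sip) + _mac(tmac) + _ip(tip)

def parse_arp(frame):
    """Return (sender_mac, sender_ip) of an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    if struct.unpack("!HHBB", frame[14:20]) != (1, 0x0800, 6, 4):
        return None
    return frame[22:28].hex(":"), ".".join(map(str, frame[28:32]))

def find_arp_conflicts(frames):
    """Map every IP claimed by more than one sender MAC to those MACs."""
    claims = defaultdict(set)
    for parsed in filter(None, map(parse_arp, frames)):
        claims[parsed[1]].add(parsed[0])
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}

def suspect_macs(conflicts):
    """A MAC contesting two or more IPs is the likely man in the middle."""
    seen = defaultdict(int)
    for macs in conflicts.values():
        for m in macs:
            seen[m] += 1
    return sorted(m for m, n in seen.items() if n >= 2)

SAMPLE = [  # constructed frames mirroring the roles described above
    build_arp_reply(GATEWAY_MAC, "10.0.0.138", CLIENT_MAC, "10.0.0.4"),
    build_arp_reply(CLIENT_MAC, "10.0.0.4", GATEWAY_MAC, "10.0.0.138"),
    build_arp_reply(ATTACKER, "10.0.0.138", CLIENT_MAC, "10.0.0.4"),
    build_arp_reply(ATTACKER, "10.0.0.4", GATEWAY_MAC, "10.0.0.138"),
]

if __name__ == "__main__":
    conflicts = find_arp_conflicts(SAMPLE)
    print(conflicts, suspect_macs(conflicts))
```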

After the ARP forgery, the Client communicates with the Server (54.213.229.251) over TCP.

- The Server's TCP port number is 8820, but the service behind it is unknown.
- The length of the data contained in the request packet from the Client to the Server is 1337 bytes, and the length of the data contained in the response packet is 520 bytes.
- The Attacker relays packets between the Client and the Server, forging them in transit.
- The Attacker forges only one character of each request packet's data.
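Because the relay makes every payload appear twice in the capture (once delivered to the Attacker's MAC, once sent on from it), the altered character can be located by pairing the two copies and diffing them. This is an added example, not code from the original write-up; the record layout, the function names and the Client and Router MAC addresses are assumptions, and the payloads are short excerpts taken from the dump further down.

```python
RELAY = "c4:8e:8f:d0:3d:39"    # attacker MAC reported in the write-up
CLIENT = "02:00:00:00:00:04"   # constructed placeholder MAC
ROUTER = "02:00:00:00:01:38"   # constructed placeholder MAC

def changed_bytes(before, after):
    """Return [(offset, before_char, after_char)] for two same-length payloads."""
    if len(before) != len(after):
        raise ValueError("payload length changed in transit")
    return [(i, chr(a), chr(b))
            for i, (a, b) in enumerate(zip(before, after)) if a != b]

def audit_relay(records, relay_mac):
    """Pair each payload delivered to the relay with the copy it sends on.

    records: (src_mac, dst_mac, src_port, dst_port, payload) in capture order.
    Returns {(src_port, dst_port): changed_bytes(...)} for altered payloads only.
    """
    pending, report = {}, {}
    for src_mac, dst_mac, sport, dport, payload in records:
        flow = (sport, dport)
        if dst_mac == relay_mac:            # first copy: sender -> relay
            pending[flow] = payload
        elif src_mac == relay_mac and flow in pending:   # second copy: relay -> peer
            diffs = changed_bytes(pending.pop(flow), payload)
            if diffs:
                report[flow] = diffs
    return report

# Constructed records; payloads are short excerpts of the dump, so offsets
# are relative to the excerpt, not to the full 1337-byte request.
SAMPLE = [
    (CLIENT, RELAY, 55434, 8820, b"#yJy2m9h^dPJ'wz"),
    (RELAY, ROUTER, 55434, 8820, b"#yJy2m9n^dPJ'wz"),
    (ROUTER, RELAY, 8820, 55434, b"You are Yco}-[~:"),
    (RELAY, CLIENT, 8820, 55434, b"You are Yco}-[~:"),
    (CLIENT, RELAY, 55435, 8820, b"1m};LA|gsB7(UhH"),
    (RELAY, ROUTER, 55435, 8820, b"1m};LAogsB7(UhH"),
]

if __name__ == "__main__":
    for flow, diffs in audit_relay(SAMPLE, RELAY).items():
        print(flow, diffs)
```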

I extracted the TCP packet data for port number 8820 from the PCAP file.
I marked the forged part with "*".

```
Client[55434] => Attacker[8820]
Yco}-[~:HdKdB'C00qfmocoZFjZpp{t$C*|i!>qu#}x|w+1mPTOD"Z+O!YIo.H^h^%y{ei%12l4T`G3zFO-wI!+2.*@_a/qk<K~[x3A)07XZ{G\a&0^!c.[4f4NJr_8zq4E5ocY\::Ysb,?m<Ey]Tkr12ZpYYrI)H<df.nEuZ?XBKW\8feSW}pFtp7{0f"yf}~jb-=j?(]^1k(wcXRvnq(\ma$`q}S8+tIhi:SPmU'SRB3&S>x&m|LJ|,S\&|b0#!3H5x9{>Pn?yPO!&v8|s[8S|"2.Q"8L{n8RVjD\"aU|t^~`xC`XcygoC";j|EVCwb+h^#gp)zZza^@i#$i:aj)ze}k&xVsaz43&Qi#1yMq<b]3'#yJy2m9h^dPJ'wz"lMSdWTNr1H>3SLmV;$LK\M1o}TVfr;7b%HQbRS"#GfeSZ=eu<IJoF|s<;:e.oI})]e,aG+_/H%!~@CJQ;xf-m%-p1i>]08|q'0Fv#t}sk/o;rK0Z[H=s++YTwM}0'[0RUakiV+)$MXNrrz=xa@kG/d.fjUJA*~XF|=aw_NRRE(s6/]~=Oms~,N+$?saK4?,<ME9x`}8\rkk{7&K1*y#SDIm;+k_i2NwT&T&.b$8'>%QLfx<'qw{s@RK9Gy{=#}5A+uChy-hxw`:![z.k?tWlZI]xDNJk'Oyv."qQ9L<pw}+fAoyZjJ{aAh$1GD}@G)b}r'srSIom&ib/C=`kpts628s=Q66_Q<Dj[~vcxw.jBXiH_#}@b>7,!w/'=87|2xlr!Z\me0>[&z1qzSm.*o\NbuFo>UPH]r9)'_[84t[N:N[6Ui}g'eDm2[;)]1<DM!9'7y%_885D&j8DQ9VC0UF'dg;RA6zcqXe0/|238623>UFPkMKoM|H~8PS8'eeTl_j,l`n*UC3n0A_k~g8"j0l'3"ef78:p2>F/SNof8p`Qf"tI/s8]J}(v)\5Vf}.k3<k5.}*C9;<g{oL2\[vW2d=,,nhN4Jeqx=ug~Fb:[KY}KsOd7;nH2[_iK=JvQFlqq*Nujc=l:FF#O|CN0#>x)u%J|WsEd#}W(gsM;]01;Sg`[b9TDtZ}Iv=#tIB0p!Tianx]Ns}BK6j(i^n$=N<nFxzZhqO?8&C!Oq21[)?[T&lIYj$yzC{e!it[">{H\xp$zK.2yo{GPCs&7Raw-jqVXfb=r%S!hE^n-n'^mPFm3/qsx"1"H'znJ2rnPD^iyv"Q3G:t?-<w8E1W(SlwJQG0v)/:-*?=z-{2Cs>uFJ-rA&-S-xu#iN"6ciq$""axVl3BLu7W[+FufM6&y4C"V&Z.}S<OJX/r|bNay=?Z$OEv`Cl/_Haeje4h\z9Jj4yn9;
Attacker[55434] => Router(Server)[8820]
Yco}-[~:HdKdB'C00qfmocoZFjZpp{t$C*|i!>qu#}x|w+1mPTOD"Z+O!YIo.H^h^%y{ei%12l4T`G3zFO-wI!+2.*@_a/qk<K~[x3A)07XZ{G\a&0^!c.[4f4NJr_8zq4E5ocY\::Ysb,?m<Ey]Tkr12ZpYYrI)H<df.nEuZ?XBKW\8feSW}pFtp7{0f"yf}~jb-=j?(]^1k(wcXRvnq(\ma$`q}S8+tIhi:SPmU'SRB3&S>x&m|LJ|,S\&|b0#!3H5x9{>Pn?yPO!&v8|s[8S|"2.Q"8L{n8RVjD\"aU|t^~`xC`XcygoC";j|EVCwb+h^#gp)zZza^@i#$i:aj)ze}k&xVsaz43&Qi#1yMq<b]3'#yJy2m9n^dPJ'wz"lMSdWTNr1H>3SLmV;$LK\M1o}TVfr;7b%HQbRS"#GfeSZ=eu<IJoF|s<;:e.oI})]e,aG+_/H%!~@CJQ;xf-m%-p1i>]08|q'0Fv#t}sk/o;rK0Z[H=s++YTwM}0'[0RUakiV+)$MXNrrz=xa@kG/d.fjUJA*~XF|=aw_NRRE(s6/]~=Oms~,N+$?saK4?,<ME9x`}8\rkk{7&K1*y#SDIm;+k_i2NwT&T&.b$8'>%QLfx<'qw{s@RK9Gy{=#}5A+uChy-hxw`:![z.k?tWlZI]xDNJk'Oyv."qQ9L<pw}+fAoyZjJ{aAh$1GD}@G)b}r'srSIom&ib/C=`kpts628s=Q66_Q<Dj[~vcxw.jBXiH_#}@b>7,!w/'=87|2xlr!Z\me0>[&z1qzSm.*o\NbuFo>UPH]r9)'_[84t[N:N[6Ui}g'eDm2[;)]1<DM!9'7y%_885D&j8DQ9VC0UF'dg;RA6zcqXe0/|238623>UFPkMKoM|H~8PS8'eeTl_j,l`n*UC3n0A_k~g8"j0l'3"ef78:p2>F/SNof8p`Qf"tI/s8]J}(v)\5Vf}.k3<k5.}*C9;<g{oL2\[vW2d=,,nhN4Jeqx=ug~Fb:[KY}KsOd7;nH2[_iK=JvQFlqq*Nujc=l:FF#O|CN0#>x)u%J|WsEd#}W(gsM;]01;Sg`[b9TDtZ}Iv=#tIB0p!Tianx]Ns}BK6j(i^n$=N<nFxzZhqO?8&C!Oq21[)?[T&lIYj$yzC{e!it[">{H\xp$zK.2yo{GPCs&7Raw-jqVXfb=r%S!hE^n-n'^mPFm3/qsx"1"H'znJ2rnPD^iyv"Q3G:t?-<w8E1W(SlwJQG0v)/:-*?=z-{2Cs>uFJ-rA&-S-xu#iN"6ciq$""axVl3BLu7W[+FufM6&y4C"V&Z.}S<OJX/r|bNay=?Z$OEv`Cl/_Haeje4h\z9Jj4yn9;
*
Router(Server)[8820] => Attacker[55434]
You are Yco}-[~:HdKdB'C00qfmocoZFjZpp{t$C*|i!>qu#}x|w+1mPTOD"Z+O!YIo.H^h^%y{ei%12l4T`G3zFO-wI!+2.*@_a/qk<K~[x3A)07XZ{G\a&0^!c.[4f4NJr_8zq4E5ocY\::Ysb,?m<Ey]Tkr12ZpYYrI)H<df.nEuZ?XBKW\8feSW}pFtp7{0f"yf}~jb-=j?(]^1k(wcXRvnq(\ma$`q}S8+tIhi:SPmU'SRB3&S>x&m|LJ|,S\&|b0#!3H5x9{>Pn?yPO!&v8|s[8S|"2.Q"8L{n8RVjD\"aU|t^~`xC`XcygoC";j|EVCwb+h^#gp)zZza^@i#$i:aj)ze}k&xVsaz43&Qi#1yMq<b]3'#yJy2m9h^dPJ'wz"lMSdWTNr1H>3SLmV;$LK\M1o}TVfr;7b%HQbRS"#GfeSZ=eu<IJoF|s<;:e.oI})]e,aG+_/H%!~@CJQ;xf-m%-p1i>]08|q'0Fv#t}sk/o;rK0Z[H=s++YTwM}0'[0RU
Attacker[8820] => Client[55434]
You are Yco}-[~:HdKdB'C00qfmocoZFjZpp{t$C*|i!>qu#}x|w+1mPTOD"Z+O!YIo.H^h^%y{ei%12l4T`G3zFO-wI!+2.*@_a/qk<K~[x3A)07XZ{G\a&0^!c.[4f4NJr_8zq4E5ocY\::Ysb,?m<Ey]Tkr12ZpYYrI)H<df.nEuZ?XBKW\8feSW}pFtp7{0f"yf}~jb-=j?(]^1k(wcXRvnq(\ma$`q}S8+tIhi:SPmU'SRB3&S>x&m|LJ|,S\&|b0#!3H5x9{>Pn?yPO!&v8|s[8S|"2.Q"8L{n8RVjD\"aU|t^~`xC`XcygoC";j|EVCwb+h^#gp)zZza^@i#$i:aj)ze}k&xVsaz43&Qi#1yMq<b]3'#yJy2m9h^dPJ'wz"lMSdWTNr1H>3SLmV;$LK\M1o}TVfr;7b%HQbRS"#GfeSZ=eu<IJoF|s<;:e.oI})]e,aG+_/H%!~@CJQ;xf-m%-p1i>]08|q'0Fv#t}sk/o;rK0Z[H=s++YTwM}0'[0RU
Client[55435] => Attacker[8820]
5w)aj2N[e=v[E-DT>94$]~J`jtjwMX&Xxel#s&Tlugo^I&x`>/EOB[Tc#{;od?}MQ4Ka6<JK/e|DNWbMAlOT]6X8}a>V/$i,>EO]]~JPtMy.qh]t[n.[.0ve2Q'Nt,zlw6{he4-D"\5}8VHxErDmO.)R~X;@:n*2nRZBN+B2tSm1I@/M-(bpHI63$R5m;@1V3k1i&W_~Z+&n.0LNI/\9{'34glF27Q,@3^s4xTFj"*_)ZDaKH|6.{h`ri9$[=_~.VmS@$pmnJJNuhs)~I&BGd.N(7he|ki%nQq@-Z`HrhlwKOGq?7p/o-rxH>J'}<4bq"Y&v#3IYPnA]q(v6wkG5GiL]01WDJL8,gG2<DjX"6>RyzeK;gZl#ImNHrZ/lxC2o*~y7rZXA^IO<(`!5?h@+"?XyZ9JjBgB!_'2S&O:P>[QxSloH0]<&4f^'M6}uqj070Nwtd(%9<u.9B{O%O0"wi5&lG2bWWF_b\.!1$dbpWw?p1C$YAPSxQ8ZN.=Cbj/Qs~GB@'NDtvu0>)ePQ6r$w-[D;T%r}ob#.MeZUU>1+,mErl}9"-thvdpNU9$Yb5M?&7Z<3<GN6noM:1e_RJk%k!V;-vmq&9TU>eXU3[?_)P'u!M-RzRpt#a$:ceXCK`Be.+ukr._O22c{L;VXop5,zpV%sH^r"gj4LF/C^]K{OY,I1Q%nc$yhdl1G=uBu!XzDXl2*h;yY<wMf`(y}3{-XNxRv@PPh{Zj_V#,W;1m};LA|gsB7(UhH/|,ZfyGY:]*|KF'g8T'X-ypu0ur@l8SP'<(C}KQ(v/"4-x!"3$A"HD.#n"E=]lKL|-Gb"!0qRF&np/\Sc(=x3BWScP1xJqC,8D48Ft~cI4?|GD_aTY][$\L~#(K#q`NvSwr5v;C$Wh/V"&^!ik@k]mP!Ez__2huOjo;2,M#|AZ"@cx}As9K1j5^9^Lx]j.]e7n;J>G;KShqC?X+Zc-+Lv:;7c^TZB_40?x|[9WM}P/+Js3C4`]Zf#.ty$Ho4#5k]frL=J5+I\o'91y:FfggeB^,9\6c3YUzVYASlqTHHfPNc#rti^pTO*KLr<`ewu>^;z)YD9gL`8b'$rD[5\7/Mid~V9^E<}jA$Ic6csX3'+-HSz%xb=msod<#RmA^)ojN30:d.7h0n#['rK0s@<|vpgx0'('Fexu94n*n:?2l-:zhq*kmu]WrsE\aSs,ogU4WrJ%23A>wR}[Qs6fZxi.sz7i'{(Y#x]O'&w@E]W%NM/?5f3|x9F\%O}HzqjnZi!,88Vbm){;7k)!zwT^n4u*~"CAdPP&J)ZeR=@bj3^(]&6Q0{K7*,$0~8wxvFhMOe$"~WeV=Iet
Attacker[55435] => Router(Server)[8820]
5w)aj2N[e=v[E-DT>94$]~J`jtjwMX&Xxel#s&Tlugo^I&x`>/EOB[Tc#{;od?}MQ4Ka6<JK/e|DNWbMAlOT]6X8}a>V/$i,>EO]]~JPtMy.qh]t[n.[.0ve2Q'Nt,zlw6{he4-D"\5}8VHxErDmO.)R~X;@:n*2nRZBN+B2tSm1I@/M-(bpHI63$R5m;@1V3k1i&W_~Z+&n.0LNI/\9{'34glF27Q,@3^s4xTFj"*_)ZDaKH|6.{h`ri9$[=_~.VmS@$pmnJJNuhs)~I&BGd.N(7he|ki%nQq@-Z`HrhlwKOGq?7p/o-rxH>J'}<4bq"Y&v#3IYPnA]q(v6wkG5GiL]01WDJL8,gG2<DjX"6>RyzeK;gZl#ImNHrZ/lxC2o*~y7rZXA^IO<(`!5?h@+"?XyZ9JjBgB!_'2S&O:P>[QxSloH0]<&4f^'M6}uqj070Nwtd(%9<u.9B{O%O0"wi5&lG2bWWF_b\.!1$dbpWw?p1C$YAPSxQ8ZN.=Cbj/Qs~GB@'NDtvu0>)ePQ6r$w-[D;T%r}ob#.MeZUU>1+,mErl}9"-thvdpNU9$Yb5M?&7Z<3<GN6noM:1e_RJk%k!V;-vmq&9TU>eXU3[?_)P'u!M-RzRpt#a$:ceXCK`Be.+ukr._O22c{L;VXop5,zpV%sH^r"gj4LF/C^]K{OY,I1Q%nc$yhdl1G=uBu!XzDXl2*h;yY<wMf`(y}3{-XNxRv@PPh{Zj_V#,W;1m};LAogsB7(UhH/|,ZfyGY:]*|KF'g8T'X-ypu0ur@l8SP'<(C}KQ(v/"4-x!"3$A"HD.#n"E=]lKL|-Gb"!0qRF&np/\Sc(=x3BWScP1xJqC,8D48Ft~cI4?|GD_aTY][$\L~#(K#q`NvSwr5v;C$Wh/V"&^!ik@k]mP!Ez__2huOjo;2,M#|AZ"@cx}As9K1j5^9^Lx]j.]e7n;J>G;KShqC?X+Zc-+Lv:;7c^TZB_40?x|[9WM}P/+Js3C4`]Zf#.ty$Ho4#5k]frL=J5+I\o'91y:FfggeB^,9\6c3YUzVYASlqTHHfPNc#rti^pTO*KLr<`ewu>^;z)YD9gL`8b'$rD[5\7/Mid~V9^E<}jA$Ic6csX3'+-HSz%xb=msod<#RmA^)ojN30:d.7h0n#['rK0s@<|vpgx0'('Fexu94n*n:?2l-:zhq*kmu]WrsE\aSs,ogU4WrJ%23A>wR}[Qs6fZxi.sz7i'{(Y#x]O'&w@E]W%NM/?5f3|x9F\%O}HzqjnZi!,88Vbm){;7k)!zwT^n4u*~"CAdPP&J)ZeR=@bj3^(]&6Q0{K7*,$0~8wxvFhMOe$"~WeV=Iet
*
Router(Server)[8820] => Attacker[55435]
You are 5w)aj2N[e=v[E-DT>94$]~J`jtjwMX&Xxel#s&Tlugo^I&x`>/EOB[Tc#{;od?}MQ4Ka6<JK/e|DNWbMAlOT]6X8}a>V/$i,>EO]]~JPtMy.qh]t[n.[.0ve2Q'Nt,zlw6{he4-D"\5}8VHxErDmO.)R~X;@:n*2nRZBN+B2tSm1I@/M-(bpHI63$R5m;@1V3k1i&W_~Z+&n.0LNI/\9{'34glF27Q,@3^s4xTFj"*_)ZDaKH|6.{h`ri9$[=_~.VmS@$pmnJJNuhs)~I&BGd.N(7he|ki%nQq@-Z`HrhlwKOGq?7p/o-rxH>J'}<4bq"Y&v#3IYPnA]q(v6wkG5GiL]01WDJL8,gG2<DjX"6>RyzeK;gZl#ImNHrZ/lxC2o*~y7rZXA^IO<(`!5?h@+"?XyZ9JjBgB!_'2S&O:P>[QxSloH0]<&4f^'M6}uqj070Nwtd(%9<u.9B{O%O0"wi5&lG2bWWF_b\.!1$dbpWw?p1C$YAPSxQ8ZN.=Cbj/Qs
Attacker[8820] => Client[55435]
You are 5w)aj2N[e=v[E-DT>94$]~J`jtjwMX&Xxel#s&Tlugo^I&x`>/EOB[Tc#{;od?}MQ4Ka6<JK/e|DNWbMAlOT]6X8}a>V/$i,>EO]]~JPtMy.qh]t[n.[.0ve2Q'Nt,zlw6{he4-D"\5}8VHxErDmO.)R~X;@:n*2nRZBN+B2tSm1I@/M-(bpHI63$R5m;@1V3k1i&W_~Z+&n.0LNI/\9{'34glF27Q,@3^s4xTFj"*_)ZDaKH|6.{h`ri9$[=_~.VmS@$pmnJJNuhs)~I&BGd.N(7he|ki%nQq@-Z`HrhlwKOGq?7p/o-rxH>J'}<4bq"Y&v#3IYPnA]q(v6wkG5GiL]01WDJL8,gG2<DjX"6>RyzeK;gZl#ImNHrZ/lxC2o*~y7rZXA^IO<(`!5?h@+"?XyZ9JjBgB!_'2S&O:P>[QxSloH0]<&4f^'M6}uqj070Nwtd(%9