Points: 300

Tags: dns pwn superfish exploit 


Given IP:PORT and binary file.


Writeups (Action / Rating / Author team):
Read writeup – Plaid Parliament of Pwning
Read writeup
craSH – March 2, 2015, 10:41 p.m.

@BalalaikaCr3w - you probably know this by now, but in your writeup you say you never got an HTTP request for the spoofed yandex.ru - that's because you let dnsmasq forward the actual DNS response to the CTF host :) You needed to spoof the response to be an IP of your own, which it then makes the request to. Then you'd have gotten the full HTTP request, including the X-Manufacturer HTTP header, to point you towards using the Superfish cert.

From your DNSmasq logs:
dnsmasq: reply yandex.ru is

Otherwise, awesome write-up! Thanks.
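The diagnosis above hinges on a single dnsmasq log word: a "reply ... is" line means the query was forwarded upstream and the real address handed back, whereas a name matched by an address=/name/ip line is logged as "config ... is". The following script is an added example, not code from either commenter or from the CTF: it parses a constructed dnsmasq --log-queries excerpt (hostnames, IPs and timestamps made up) and reports, per name, whether the answer came from local config or upstream, so a mis-applied override like the one discussed shows up before anyone waits for an HTTP request that never arrives.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of dnsmasq's --log-queries output
# (syslog prefix, then "query[A] ...", "forwarded ...", "reply ... is ...",
# "cached ... is ...", or "config ... is ..." for names matched by an
# address=/name/ip line). Not taken from the page; all values are made up.
SAMPLE_LOG = """\
Mar  2 22:40:01 box dnsmasq[1234]: query[A] yandex.ru from 192.168.1.10
Mar  2 22:40:01 box dnsmasq[1234]: forwarded yandex.ru to 8.8.8.8
Mar  2 22:40:01 box dnsmasq[1234]: reply yandex.ru is 5.255.255.5
Mar  2 22:40:02 box dnsmasq[1234]: query[A] my.bank from 192.168.1.10
Mar  2 22:40:02 box dnsmasq[1234]: config my.bank is 192.168.1.2
"""

LINE_RE = re.compile(
    r"dnsmasq(?:\[\d+\])?: "
    r"(?:query\[(?P<qtype>\w+)\] (?P<qname>\S+) from (?P<client>\S+)"
    r"|forwarded (?P<fname>\S+) to (?P<upstream>\S+)"
    r"|reply (?P<rname>\S+) is (?P<ranswer>\S+)"
    r"|cached (?P<hname>\S+) is (?P<hanswer>\S+)"
    r"|config (?P<cname>\S+) is (?P<canswer>\S+))"
)


def summarize(log_text):
    """Per queried name: which clients asked, whether the answer came from
    dnsmasq's own config (address=/.../) or from an upstream server (fresh
    or cached), and the last address returned."""
    names = defaultdict(lambda: {"clients": set(), "source": None,
                                 "upstream": None, "answer": None})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        g = m.groupdict()
        if g["qname"]:
            names[g["qname"]]["clients"].add(g["client"])
        elif g["fname"]:
            names[g["fname"]]["source"] = "upstream"
            names[g["fname"]]["upstream"] = g["upstream"]
        elif g["rname"] or g["hname"]:
            # "reply" follows a forward; "cached" replays an earlier upstream
            # answer. Either way the address is not from local config.
            entry = names[g["rname"] or g["hname"]]
            entry["answer"] = g["ranswer"] or g["hanswer"]
            if entry["source"] is None:
                entry["source"] = "upstream"
        elif g["cname"]:
            names[g["cname"]]["source"] = "local"
            names[g["cname"]]["answer"] = g["canswer"]
    return dict(names)


def check_override(log_text, name, expected_ip):
    """Return (ok, reason): ok is True only if dnsmasq answered `name`
    from its local config with expected_ip."""
    entry = summarize(log_text).get(name)
    if entry is None:
        return False, f"no query for {name} seen (the client never asked)"
    if entry["source"] != "local":
        return False, (f"{name} was forwarded to {entry['upstream']} and answered "
                       f"{entry['answer']}; the address=/{name}/ line is not in effect")
    if entry["answer"] != expected_ip:
        return False, f"{name} answered locally, but with {entry['answer']}"
    return True, f"{name} answered locally with {expected_ip}"


if __name__ == "__main__":
    for host in ("yandex.ru", "my.bank"):
        ok, reason = check_override(SAMPLE_LOG, host, "192.168.1.2")
        print(("OK   " if ok else "FAIL "), reason)
```

Run against the sample, yandex.ru fails the check (forwarded to 8.8.8.8, real address returned) while my.bank passes, which is exactly the split the log excerpt in the comment reveals. Pointing the script at a real dnsmasq log (run with --log-queries) gives the same verdict for each name an address= line is supposed to cover, including the "no query seen" case that matters when a client simply never asks.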

Dor1s – March 4, 2015, 2:31 p.m.

Thanks a lot for the comment, but surely we did this, lol. Even now I can show you the config where yandex.ru is spoofed with our IP, but later this line was commented out because there was no incoming connection and no subsequent DNS query for my.bank. That is why in the writeup dnsmasq replies to the yandex.ru query with the actual IP and then spoofs only the my.bank address.

I do not exclude that we did something wrong while we were trying to spoof yandex.ru, but anyway the infrastructure was not stable enough, you know, and there were lags in this and other tasks.

Btw, when I discussed the challenge with other participants after the CTF's end, I heard that some of them had not received DNS queries after renewing DHCP leases.

craSH – March 5, 2015, 2:25 a.m.

@BalalaikaCr3w Ah, interesting! We were able to make it perform the DNS query against us and respond with our own IP.