Tags: networking

# Satellite (networking)

Let's go ahead and unzip the program and see what we're dealing with. I'll first unzip it using `unzip` and then find out what kinds of files I'm dealing with using `file`. It looks like I'm dealing with a PDF file as well, so I'll go ahead and open that up with a PDF viewer.

It looks like we have an ELF binary. Let's go ahead and make it executable like we did last time: by using `chmod` to change the mode and by passing `+x` to specify that we want to make it executable. Then, we'll run it and see how it behaves by feeding it some input.

Let's go ahead and enter the name of our satellite which, based on the level description, should be "Osmium." I gotta admit that my first time doing this level, I just very quickly glanced over the description and didn't realize that the satellite name was Osmium, and was pretty frustrated pretty quickly. After typing in the correct satellite name, the program will try to establish a secure connection to the server.

If you're having trouble establishing a secure connection after specifying the target satellite, make sure that your network isn't blocking the server. As I'm writing this, I'm connected to my college Wi-Fi network, which unfortunately (for some reason) blocks it. Running `ltrace` on the program finds that the server in question is `satellite.ctfcompetition.com`. Make sure that this address isn't blocked by your network administrator. I ended up using a mobile hotspot to work around this.

Upon entering the correct satellite name, we're prompted for some actions. Let's go ahead and have the data be printed.

Looks like we have a username and password, but the password is censored out. We're also given a URL: https://docs.google.com/document/d/14eYPluD_pi3824GAFanS29tWdTcKxP_XUxx7e303-3E. Let's go ahead and open that up in a web browser.

Looks like a Base64-encoded string. We can decode this in our terminal by using `echo` to print the encoded string and piping it into the `base64` utility, passing the `-d` switch to specify that we want to decode.

A hint! Looks like we need to start sniffing the data being transmitted over the network. Let's go ahead and start up Wireshark, applying a filter that matches our own IP address as either the source or the destination, and then use the program again and observe the traffic.

If you don't know your own internal IP address, you can run `hostname -i` to retrieve it.

After we started up Wireshark, we ran through the program again and we had a look at the traffic being transmitted between our program and the server in question. We find the password in the conversation from the server to our program after we requested the satellite's data.


```
0000  10 0b a9 73 33 70 00 37 6d 3f d7 89 08 00 45 00   ...s3p.7m?....E.
0010  01 9f ec dc 40 00 2f 06 ea 0e 22 4c 65 1d c0 a8   ....@./..."Le...
0020  2b 5c 05 39 c3 50 0c 2f 6c bb 8c f5 ef 52 80 18   +\.9.P./l....R..
0030  00 dc 38 28 00 00 01 01 08 0a 68 bb 14 bf f4 48   ..8(......h....H
0040  10 63 55 73 65 72 6e 61 6d 65 3a 20 62 72 65 77   .cUsername: brew
0050  74 6f 6f 74 20 70 61 73 73 77 6f 72 64 3a 20 43   toot password: C
0060  54 46 7b 34 65 66 63 63 37 32 30 39 30 61 66 32   TF{4efcc72090af2
0070  38 66 64 33 33 61 32 31 31 38 39 38 35 35 34 31   8fd33a2118985541
0080  66 39 32 65 37 39 33 34 37 37 66 7d 09 31 36 36   f92e793477f}.166
0090  2e 30 30 20 49 53 2d 31 39 20 32 30 31 39 2f 30   .00 IS-19 2019/0
00a0  35 2f 30 39 20 30 30 3a 30 30 3a 30 30 09 53 77   5/09 00:00:00.Sw
00b0  61 74 68 20 36 34 30 6b 6d 09 52 65 76 69 73 69   ath 640km.Revisi
00c0  74 20 63 61 70 61 63 69 74 79 20 74 77 69 63 65   t capacity twice
00d0  20 64 61 69 6c 79 2c 20 61 6e 79 77 68 65 72 65    daily, anywhere
00e0  20 52 65 73 6f 6c 75 74 69 6f 6e 20 70 61 6e 63    Resolution panc
00f0  68 72 6f 6d 61 74 69 63 3a 20 33 30 63 6d 20 6d   hromatic: 30cm m
0100  75 6c 74 69 73 70 65 63 74 72 61 6c 3a 20 31 2e   ultispectral: 1.
0110  32 6d 09 44 61 69 6c 79 20 61 63 71 75 69 73 69   2m.Daily acquisi
0120  74 69 6f 6e 20 63 61 70 61 63 69 74 79 3a 20 32   tion capacity: 2
0130  32 30 2c 30 30 30 6b 6d c2 b2 09 52 65 6d 61 69   20,000km...Remai
0140  6e 69 6e 67 20 63 6f 6e 66 69 67 20 64 61 74 61   ning config data
0150  20 77 72 69 74 74 65 6e 20 74 6f 3a 20 68 74 74    written to: htt
0160  70 73 3a 2f 2f 64 6f 63 73 2e 67 6f 6f 67 6c 65   ps://docs.google
0170  2e 63 6f 6d 2f 64 6f 63 75 6d 65 6e 74 2f 64 2f   .com/document/d/
0180  31 34 65 59 50 6c 75 44 5f 70 69 33 38 32 34 47   14eYPluD_pi3824G
0190  41 46 61 6e 53 32 39 74 57 64 54 63 4b 78 50 5f   AFanS29tWdTcKxP_
01a0  58 55 78 78 37 65 33 30 33 2d 33 45 0a            XUxx7e303-3E.
```
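
The capture above shows that the client's "secure connection" carries the credentials as readable bytes in the TCP payload. As an added example (not part of the original write-up), the Python below rebuilds the frame from the first nine rows of that hex dump, walks the Ethernet, IPv4 and TCP headers, and reports any credentials visible in the payload. The function names are my own, and because the sample is cut off after nine rows the `truncated` field comes back true.

```python
import re
import struct

# First nine rows of the capture shown above (offset, 16 hex bytes, ASCII column).
SAMPLE_DUMP = r'''
0000 10 0b a9 73 33 70 00 37 6d 3f d7 89 08 00 45 00 ...s3p.7m?....E.
0010 01 9f ec dc 40 00 2f 06 ea 0e 22 4c 65 1d c0 a8 ....@./..."Le...
0020 2b 5c 05 39 c3 50 0c 2f 6c bb 8c f5 ef 52 80 18 +\.9.P./l....R..
0030 00 dc 38 28 00 00 01 01 08 0a 68 bb 14 bf f4 48 ..8(......h....H
0040 10 63 55 73 65 72 6e 61 6d 65 3a 20 62 72 65 77 .cUsername: brew
0050 74 6f 6f 74 20 70 61 73 73 77 6f 72 64 3a 20 43 toot password: C
0060 54 46 7b 34 65 66 63 63 37 32 30 39 30 61 66 32 TF{4efcc72090af2
0070 38 66 64 33 33 61 32 31 31 38 39 38 35 35 34 31 8fd33a2118985541
0080 66 39 32 65 37 39 33 34 37 37 66 7d 09 31 36 36 f92e793477f}.166
'''
CRED_RE = re.compile(rb"Username: (\S+) password: (\S+)")  # layout seen in this capture

def dump_to_bytes(text):
    """Rebuild the raw frame from Wireshark-style hex dump rows."""
    frame = bytearray()
    for row in text.strip().splitlines():
        for tok in row.split()[1:17]:      # skip the offset, at most 16 byte columns
            if not re.fullmatch(r"[0-9a-fA-F]{2}", tok):
                break                      # short last row: ASCII column reached
            frame.append(int(tok, 16))
    return bytes(frame)

def tcp_payload(frame):
    """Return (src_port, dst_port, payload, truncated) for an Ethernet/IPv4/TCP frame."""
    if frame[12:14] != b"\x08\x00" or frame[23] != 6:
        raise ValueError("not an Ethernet/IPv4/TCP frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4               # IPv4 header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]
    tcp = ip[ihl:total_len]                # drop any Ethernet padding
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4              # TCP header length, options included
    return sport, dport, tcp[doff:], len(ip) < total_len

def find_cleartext_credentials(dump):
    """Report ports and any credentials readable in the TCP payload."""
    sport, dport, payload, truncated = tcp_payload(dump_to_bytes(dump))
    m = CRED_RE.search(payload)
    user, pw = (g.decode() for g in m.groups()) if m else (None, None)
    return {"src_port": sport, "dst_port": dport, "truncated": truncated,
            "username": user, "password": pw}

if __name__ == "__main__":
    print(find_cleartext_credentials(SAMPLE_DUMP))
```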


## Flag


CTF{4efcc72090af28fd33a2118985541f92e793477f}

