Tool

Opening pingpong.pcap in Wireshark, we see many ICMP packets, and some of their payloads start with hanc or hans, so we can Google it.

Tool Project: http://code.gerade.org/hans/

Tool Source Code: https://github.com/friedrich/hans

Tool Usage: ./hans -c server_address -p password

We know server_address is pingpong.pwn.institute; now we need to get the password.

Auth

Reading client.cpp and auth.cpp shows that hans receives a challenge and sends back a challenge_response, where sha1(pass+challenge) == challenge_response.

        enum Type
        {
            TYPE_RESET_CONNECTION = 1,
            TYPE_CONNECTION_REQUEST = 2,
            TYPE_CHALLENGE = 3,
            TYPE_CHALLENGE_RESPONSE = 4,
            TYPE_CONNECTION_ACCEPT = 5,
            TYPE_CHALLENGE_ERROR = 6,
            TYPE_DATA = 7,
            TYPE_POLL = 8,
            TYPE_SERVER_FULL = 9
        };

As defined in worker.h, the challenge follows hans\x03 (TYPE_CHALLENGE):

68616e7303b657e2f2f9fa56a04a0efa538451c4dd548b1b43

And the challenge_response follows hanc\x04 (TYPE_CHALLENGE_RESPONSE):

68616e63041b313c515e48ec5bdcb46b4b6e7e9c33adce3e4b

Crack it with hashcat (mode 110 is sha1($pass.$salt); the challenge is the salt, given as hex):

hashcat -a 0 -m 110 1b313c515e48ec5bdcb46b4b6e7e9c33adce3e4b:b657e2f2f9fa56a04a0efa538451c4dd548b1b43 --hex-salt 10-million-password-list-top-100000.txt

After 10 seconds we get the password trustno1, and we can now connect to the server with ./hans -c pingpong.pwn.institute -p trustno1
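The authentication exchange above, as an added example that is not code from the hans project or from the writeup: it pulls the challenge and response out of the two captured frames, recomputes the response as SHA-1(passphrase || challenge), and runs the same offline dictionary check hashcat performs. The passphrase-then-challenge ordering is an assumption taken from the writeup's use of hashcat mode 110 (sha1($pass.$salt)); the three-word list is constructed.

```python
"""Reproduce the hans challenge/response check from the captured bytes.

This is an added example, not code from the hans project or from the
writeup. It assumes the response is SHA-1(passphrase || challenge), which
is what hashcat mode 110 (sha1($pass.$salt) with --hex-salt) computes and
what the writeup's successful crack implies.
"""
import hashlib
import hmac

# hans packet types from worker.h (only the two used here)
TYPE_CHALLENGE = 3
TYPE_CHALLENGE_RESPONSE = 4

# Payloads copied from the writeup: server->client frames carry the magic
# "hans", client->server frames carry "hanc"; the type byte follows the magic.
CHALLENGE_PKT = bytes.fromhex("68616e7303b657e2f2f9fa56a04a0efa538451c4dd548b1b43")
RESPONSE_PKT = bytes.fromhex("68616e63041b313c515e48ec5bdcb46b4b6e7e9c33adce3e4b")


def parse_hans_header(payload: bytes):
    """Split an ICMP payload into (magic, type, body) per the hans framing."""
    if len(payload) < 5 or payload[:4] not in (b"hans", b"hanc"):
        raise ValueError("not a hans frame")
    return payload[:4], payload[4], payload[5:]


def extract_challenge_and_response(chal_pkt: bytes, resp_pkt: bytes):
    """Pull the 20-byte challenge and the 20-byte SHA-1 response out of the frames."""
    magic, typ, challenge = parse_hans_header(chal_pkt)
    if magic != b"hans" or typ != TYPE_CHALLENGE:
        raise ValueError("first frame is not a server challenge")
    magic, typ, response = parse_hans_header(resp_pkt)
    if magic != b"hanc" or typ != TYPE_CHALLENGE_RESPONSE:
        raise ValueError("second frame is not a client response")
    return challenge, response


def expected_response(passphrase: str, challenge: bytes) -> bytes:
    """SHA-1 over passphrase || challenge, the hashcat -m 110 ordering (assumed)."""
    return hashlib.sha1(passphrase.encode() + challenge).digest()


def verify_response(passphrase: str, challenge: bytes, response: bytes) -> bool:
    """Server-side check; constant-time compare so the comparison itself leaks nothing."""
    return hmac.compare_digest(expected_response(passphrase, challenge), response)


def dictionary_check(challenge: bytes, response: bytes, wordlist):
    """What a captured exchange permits offline (and what hashcat does): every
    candidate passphrase can be tested without ever contacting the server."""
    for word in wordlist:
        if verify_response(word, challenge, response):
            return word
    return None


if __name__ == "__main__":
    challenge, response = extract_challenge_and_response(CHALLENGE_PKT, RESPONSE_PKT)
    print("challenge:", challenge.hex())
    print("response: ", response.hex())
    # Constructed three-word list standing in for the writeup's 100k-entry list;
    # prints trustno1 if the captured values above are exact.
    print("match:", dictionary_check(challenge, response, ["password", "123456", "trustno1"]))
```

The point the exchange makes for a defender: the challenge stops replay, but both challenge and response travel in the clear, so one passively captured login is enough for an unlimited offline guessing run. With hans, the strength of the passphrase is the entire defence.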

ICMP Tunnel

The biggest packet in pingpong.pcap has a payload starting hanc\x07\x45\x00\x00\x54...:

0000   de 2e 40 5d d0 25 d6 d5 c8 65 38 4a 08 00 45 00   ..@].%...e8J..E.
0010   00 75 65 39 40 00 36 01 52 98 bc 16 3e 45 0a 12   .ue9@.6.R...>E..
0020   88 49 08 00 ae f5 39 88 31 bd 68 61 6e 63 07 45   .I....9.1.hanc.E
0030   00 00 54 d4 02 40 00 40 01 c1 4e c0 a8 12 06 c0   ..T..@.@..N.....
0040   a8 12 01 08 00 93 88 00 12 00 01 2a 6b 6a 5f 00   ...........*kj_.
0050   00 00 00 5d 86 09 00 00 00 00 00 70 6c 65 61 73   ...].......pleas
0060   65 67 69 76 65 6d 65 66 6c 61 67 70 6c 65 61 73   egivemeflagpleas
0070   65 67 69 76 65 6d 65 66 6c 61 67 70 6c 65 61 73   egivemeflagpleas
0080   65 67 69                                          egi

As defined in worker.h, 0x07 is TYPE_DATA.

From \x45\x00 to the end is another layer-3 packet: the protocol is \x01 (ICMP), the source IP is \xc0\xa8\x12\x06 (192.168.18.6) and the destination IP is \xc0\xa8\x12\x01 (192.168.18.1).

The ICMP type is echo request, and the ICMP data is pleasegivemeflag.
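The nested dissection described above, as an added example that is not code from the writeup or from hans: it parses the hex dump, walks Ethernet, IPv4, ICMP, the five-byte hans header and then the tunnelled IPv4 and ICMP, and verifies the IP and ICMP checksums at every layer so that the claimed offsets are confirmed by the bytes themselves. The type-name table is the enum from worker.h; the direction labels derived from the hans/hanc magic are an interpretation of the writeup's observation, not something the page states outright.

```python
"""Dissect the nested ICMP-in-ICMP frame from the writeup's hex dump.

This is an added example, not code from the writeup or from hans. It walks
Ethernet -> IPv4 -> ICMP -> hans header -> IPv4 -> ICMP and checks the IP
and ICMP checksums at each layer, so the offsets are proven, not assumed.
"""
import ipaddress
import struct

# The hex dump as printed in the writeup (Wireshark layout: offset, bytes, ASCII).
HEXDUMP = [
    "0000   de 2e 40 5d d0 25 d6 d5 c8 65 38 4a 08 00 45 00   ..@].%...e8J..E.",
    "0010   00 75 65 39 40 00 36 01 52 98 bc 16 3e 45 0a 12   .ue9@.6.R...>E..",
    "0020   88 49 08 00 ae f5 39 88 31 bd 68 61 6e 63 07 45   .I....9.1.hanc.E",
    "0030   00 00 54 d4 02 40 00 40 01 c1 4e c0 a8 12 06 c0   ..T..@.@..N.....",
    "0040   a8 12 01 08 00 93 88 00 12 00 01 2a 6b 6a 5f 00   ...........*kj_.",
    "0050   00 00 00 5d 86 09 00 00 00 00 00 70 6c 65 61 73   ...].......pleas",
    "0060   65 67 69 76 65 6d 65 66 6c 61 67 70 6c 65 61 73   egivemeflagpleas",
    "0070   65 67 69 76 65 6d 65 66 6c 61 67 70 6c 65 61 73   egivemeflagpleas",
    "0080   65 67 69                                          egi",
]

# Packet types from hans' worker.h
HANS_TYPES = {1: "RESET_CONNECTION", 2: "CONNECTION_REQUEST", 3: "CHALLENGE",
              4: "CHALLENGE_RESPONSE", 5: "CONNECTION_ACCEPT", 6: "CHALLENGE_ERROR",
              7: "DATA", 8: "POLL", 9: "SERVER_FULL"}
TYPE_DATA = 7


def hexdump_to_bytes(lines):
    """The byte column sits between two runs of three spaces on every line."""
    return bytes.fromhex(" ".join(line.split("   ")[1] for line in lines))


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; yields 0 over data whose checksum field is filled in."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_ipv4(data: bytes):
    """Return (header fields, payload) for the IPv4 packet at the start of data."""
    ihl = (data[0] & 0x0F) * 4
    total_len = struct.unpack("!H", data[2:4])[0]
    hdr = data[:ihl]
    fields = {"src": str(ipaddress.IPv4Address(hdr[12:16])),
              "dst": str(ipaddress.IPv4Address(hdr[16:20])),
              "proto": hdr[9], "ttl": hdr[8],
              "checksum_ok": inet_checksum(hdr) == 0}
    return fields, data[ihl:total_len]


def parse_icmp(data: bytes):
    """Return (header fields, payload); the ICMP checksum covers header and payload."""
    typ, code, _csum, ident, seq = struct.unpack("!BBHHH", data[:8])
    fields = {"type": typ, "code": code, "id": ident, "seq": seq,
              "checksum_ok": inet_checksum(data) == 0}
    return fields, data[8:]


def parse_hans_frame(raw: bytes) -> dict:
    """Dissect an Ethernet frame carrying a hans tunnel packet, recursing into TYPE_DATA."""
    if struct.unpack("!H", raw[12:14])[0] != 0x0800:
        raise ValueError("not IPv4")
    outer_ip, ip_payload = parse_ipv4(raw[14:])
    if outer_ip["proto"] != 1:
        raise ValueError("outer packet is not ICMP")
    outer_icmp, icmp_payload = parse_icmp(ip_payload)
    if len(icmp_payload) < 5 or icmp_payload[:4] not in (b"hans", b"hanc"):
        raise ValueError("no hans magic in ICMP payload")
    magic, hans_type, body = icmp_payload[:4], icmp_payload[4], icmp_payload[5:]
    result = {"outer_ip": outer_ip, "outer_icmp": outer_icmp,
              "direction": "client->server" if magic == b"hanc" else "server->client",
              "hans_type": HANS_TYPES.get(hans_type, hans_type)}
    if hans_type == TYPE_DATA:  # body is a complete tunnelled IP packet
        inner_ip, inner_payload = parse_ipv4(body)
        result["inner_ip"] = inner_ip
        if inner_ip["proto"] == 1:
            inner_icmp, inner_data = parse_icmp(inner_payload)
            result["inner_icmp"] = inner_icmp
            result["inner_data"] = inner_data  # ping's 16-byte timestamp, then the pattern
    return result


if __name__ == "__main__":
    frame = parse_hans_frame(hexdump_to_bytes(HEXDUMP))
    for key, value in frame.items():
        print(key, "=", value)
```

Two things fall out of running this on the capture. First, every checksum (outer IP, outer ICMP, inner IP, inner ICMP) verifies, which is the cleanest confirmation that the five-byte hans header really does sit at ICMP payload offset 0 and that a full IP packet starts right after it. Second, that same structure is what a defender can key on: an echo request whose payload begins with hans or hanc, or whose payload parses as a well-formed IP header, is not a normal ping.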

Get Flag

So after connecting to the server, we ping 192.168.18.1 with the hex payload of pleasegivemeflag and get the flag in the response.

ping 192.168.18.1 -p 706c65617365676976656d65666c6167

With tcpdump -i tun0 -Xnne we can see the flag:

BCTF{sup_dawg_we_put_ICMP_into_your_ICMP}