# Tool
Open **pingpong.pcap** in Wireshark. We can see many ICMP packets, and some of their payloads start with hanc/hans, so we can google it.

> Tool Project: http://code.gerade.org/hans/
>
> Tool Source Code: https://github.com/friedrich/hans
>
> Tool Usage: ./hans -c server_address -p password

We know server_address is **pingpong.pwn.institute**; now we need to get the password.
# Auth
Reading client.cpp and auth.cpp shows that hans receives a challenge and sends back a challenge_response, which the server accepts when sha1(pass+challenge) == challenge_response.

```cpp
enum Type
{
    TYPE_RESET_CONNECTION = 1,
    TYPE_CONNECTION_REQUEST = 2,
    TYPE_CHALLENGE = 3,
    TYPE_CHALLENGE_RESPONSE = 4,
    TYPE_CONNECTION_ACCEPT = 5,
    TYPE_CHALLENGE_ERROR = 6,
    TYPE_DATA = 7,
    TYPE_POLL = 8,
    TYPE_SERVER_FULL = 9
};
```

As defined in worker.h, the challenge follows hans\x03:

68616e7303**b657e2f2f9fa56a04a0efa538451c4dd548b1b43**

And the challenge_response follows hanc\x04:

68616e6304**1b313c515e48ec5bdcb46b4b6e7e9c33adce3e4b**

Crack it with hashcat

**hashcat -a 0 -m 110 1b313c515e48ec5bdcb46b4b6e7e9c33adce3e4b:b657e2f2f9fa56a04a0efa538451c4dd548b1b43 --hex-salt 10-million-password-list-top-100000.txt**

After 10 seconds we get the password **trustno1**. Now we can connect to the server with **./hans -c pingpong.pwn.institute -p trustno1**
# ICMP Tunnel
Looking at the biggest packet in pingpong.pcap, its payload is **hanc\x07\x45\x00\x00\x54......**:

```
0000 de 2e 40 5d d0 25 d6 d5 c8 65 38 4a 08 00 45 00 ..@].%...e8J..E.
0010 00 75 65 39 40 00 36 01 52 98 bc 16 3e 45 0a 12 .ue9@.6.R...>E..
0020 88 49 08 00 ae f5 39 88 31 bd 68 61 6e 63 07 45 .I....9.1.hanc.E
0030 00 00 54 d4 02 40 00 40 01 c1 4e c0 a8 12 06 c0 ..T..@.@..N.....
0040 a8 12 01 08 00 93 88 00 12 00 01 2a 6b 6a 5f 00 ...........*kj_.
0050 00 00 00 5d 86 09 00 00 00 00 00 70 6c 65 61 73 ...].......pleas
0060 65 67 69 76 65 6d 65 66 6c 61 67 70 6c 65 61 73 egivemeflagpleas
0070 65 67 69 76 65 6d 65 66 6c 61 67 70 6c 65 61 73 egivemeflagpleas
0080 65 67 69 egi
```

Per the definition in worker.h, 0x07 is TYPE_DATA.

From \x45\x00 to the end is another layer 3 packet: the protocol is \x01 (ICMP), the src IP is \xc0\xa8\x12\x06 (192.168.18.6), and the dst IP is \xc0\xa8\x12\x01 (192.168.18.1).

The ICMP type is echo request, and the ICMP data is pleasegivemeflag.
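The framing described in the Auth and ICMP Tunnel sections (4-byte magic, type byte, body; an encapsulated IPv4/ICMP packet inside TYPE_DATA; sha1(pass+challenge) as the response) can be checked offline with a small parser. This is an added example, not code from the writeup or from the hans project; the sample payload is reconstructed from the hex dump above (from offset 0x2a to the end of the dump) and the challenge/response values are the ones quoted above.

```python
import hashlib
import struct

# hans packet types from worker.h (the enum quoted above).
TYPE_CHALLENGE, TYPE_CHALLENGE_RESPONSE, TYPE_DATA = 3, 4, 7

def parse_hans(payload: bytes) -> dict:
    """Split an ICMP echo payload into hans magic, type byte and body."""
    magic, ptype, body = payload[:4], payload[4], payload[5:]
    if magic not in (b"hans", b"hanc"):  # "hans" = server->client, "hanc" = client->server
        raise ValueError("not a hans tunnel payload")
    return {"magic": magic, "type": ptype, "body": body}

def ipv4_checksum_ok(header: bytes) -> bool:
    """Recompute the IPv4 header checksum (RFC 1071 one's complement sum)."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF  # a header with a correct checksum sums to all ones

def parse_inner_ipv4(body: bytes) -> dict:
    """Decode the IPv4 packet carried in a TYPE_DATA body (ICMP payload only)."""
    ihl = (body[0] & 0x0F) * 4
    info = {
        "proto": body[9],
        "src": ".".join(map(str, body[12:16])),
        "dst": ".".join(map(str, body[16:20])),
        "checksum_ok": ipv4_checksum_ok(body[:ihl]),
    }
    if info["proto"] == 1:  # ICMP header: type(1) code(1) csum(2) id(2) seq(2), then data
        icmp = body[ihl:]
        info["icmp_type"], info["icmp_data"] = icmp[0], icmp[8:]
    return info

def check_password(password: str, challenge_hex: str, response_hex: str) -> bool:
    """hashcat -m 110 is sha1($pass.$salt); here the challenge is the salt."""
    digest = hashlib.sha1(password.encode() + bytes.fromhex(challenge_hex)).hexdigest()
    return digest == response_hex

# Constructed from the hex dump above: the ICMP payload of the biggest packet,
# from 'hanc' (offset 0x2a) to where the dump ends.
DATA_PAYLOAD = bytes.fromhex(
    "68616e6307" "45000054d40240004001c14ec0a81206c0a81201"
    "0800938800120001" "2a6b6a5f00000000" "5d86090000000000"
    + "706c65617365676976656d65666c6167" * 2 + "706c656173656769"
)
CHALLENGE = "b657e2f2f9fa56a04a0efa538451c4dd548b1b43"
RESPONSE = "1b313c515e48ec5bdcb46b4b6e7e9c33adce3e4b"
```

The first 16 bytes of the inner ICMP data are the timestamp that Linux ping prepends, so the `-p` pattern starts at offset 16; `check_password("trustno1", CHALLENGE, RESPONSE)` reproduces the hashcat check for a single candidate.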
# Get Flag
So after connecting to the server, we ping 192.168.18.1 with pleasegivemeflag as the hex payload and get the flag in the response.

**ping 192.168.18.1 -p 706c65617365676976656d65666c6167**

Using tcpdump -i tun0 -Xnne, we can see the flag:

**BCTF{sup_dawg_we_put_ICMP_into_your_ICMP}**