Tags: forensics 

Rating: 4.5

### **Solution:**
> ![](https://media.discordapp.net/attachments/770323370741858314/770323460240310302/MetaCTF_CyberGames_2020_-_Open_Thermal_Exhaust_Port_0.JPG?width=791&height=609)  
>
> Based on the description, we need to find every port on the target that the scanning host successfully connected to, i.e. every port where a full TCP handshake completed.  
>
> The provided pcap is almost entirely TCP (with a few DNS and ARP requests we can ignore) between two IP addresses. Sorting by source address shows 10.0.2.15 sending a SYN to many different ports on 10.0.2.6, so 10.0.2.15 is the "client" (the scanner) and 10.0.2.6 is the "server" being scanned. A filter to isolate that direction:  
>
> `ip.src == 10.0.2.15 && ip.dst == 10.0.2.6` (either half alone works here, since there are only two hosts). With the filter applied, sort by Protocol to group the TCP packets together. 
> ![](https://media.discordapp.net/attachments/770323370741858314/770324258718220328/unknown.png?width=1022&height=609)  
>
> Why SYN packets though? A TCP connection is established by the three-way handshake: the client sends a SYN, the server answers with a SYN-ACK, and the client completes the connection with an ACK. A SYN that reaches a closed port gets a RST-ACK back from the server instead of a SYN-ACK, so no connection exists. An orderly close uses FIN, but a port scanner usually aborts each connection it completed by sending RST-ACK, which is exactly what 10.0.2.15 does here. So RST-ACK packets from 10.0.2.15 mark ports where the handshake completed, while RST-ACK packets from 10.0.2.6 mark closed ports and must be excluded. Here is another filter we can add to `ip.src == 10.0.2.15`:  
>
> `tcp.flags == 0x14`, or the more readable `tcp.flags.ack == 1 && tcp.flags.reset == 1` (0x14 is the ACK bit 0x10 plus the RST bit 0x04)  
> ![](https://media.discordapp.net/attachments/770323370741858314/770325015790092368/unknown.png)  
>
> An alternative is to look at the ACK packets coming from 10.0.2.15 instead. Recall that the client's ACK is the third step of the handshake, so a pure ACK from 10.0.2.15 means the connection was established. The ACK bit is also set in RST-ACK (and PSH-ACK) packets, though, so either sort by destination port to pair each ACK with its port, or match the whole flag byte so that only pure ACKs are returned:  
>
> `tcp.flags == 0x10` (exactly the ACK bit and nothing else), or `tcp.flags.ack == 1`, which also returns the RST-ACK packets  
> ![](https://media.discordapp.net/attachments/770323370741858314/770325398223061042/unknown.png)  
>
> Only 8 entries should appear (16 with `tcp.flags.ack == 1`), but they cover only 7 unique ports that accepted a connection: 21, 22, 23, 53, 80, 443, and 3128. Adding these up gives 3770, which is the flag (wrapped in MetaCTF{...} of course).  
>
> ![](https://media.discordapp.net/attachments/770323370741858314/770326103851532338/unknown.png)  

### **Flag:** MetaCTF{3770}
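
The same analysis can be scripted instead of clicked through in Wireshark. The following is an added example, not part of the original writeup: a minimal pcap / Ethernet / IPv4 / TCP parser in standard-library Python that tracks the SYN, SYN-ACK and ACK of every probe per client port and reports the server ports where the handshake completed, ignoring the server's RST-ACK refusals on closed ports. The capture it runs on is constructed in memory to mimic the challenge pcap (open ports 21, 22, 23, 53, 80, 443 and 3128, a few closed ports, one ARP and one DNS frame to exercise the skip logic, and port 80 probed twice; the writeup does not say which port was probed twice, so that choice is an assumption made only to show the de-duplication), so it runs offline without the real file.

```python
"""Added example (not from the original writeup): recover the open ports of a
TCP connect scan from a pcap using only the standard library.  The pcap is
constructed in memory to mimic the challenge capture; it is not the real file."""
import socket
import struct

TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10
CLIENT, SERVER = "10.0.2.15", "10.0.2.6"
OPEN_PORTS = [21, 22, 23, 53, 80, 443, 3128]   # as found in the writeup
CLOSED_PORTS = [25, 110, 8080]                  # constructed, to show refusals


def build_packet(src, dst, sport, dport, flags):
    """Ethernet/IPv4/TCP frame with minimal headers (checksums left zero; the
    flag analysis does not depend on them)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 0xFFFF, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp


def build_pcap(frames):
    """Classic libpcap file: little-endian magic 0xa1b2c3d4, linktype 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return out


def iter_tcp(pcap_bytes):
    """Yield (src, dst, sport, dport, flags) for every IPv4/TCP frame."""
    magic, = struct.unpack_from("<I", pcap_bytes, 0)
    assert magic == 0xA1B2C3D4, "only classic little-endian pcap handled here"
    off = 24
    while off + 16 <= len(pcap_bytes):
        _, _, incl, _ = struct.unpack_from("<IIII", pcap_bytes, off)
        frame = pcap_bytes[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 14 or frame[12:14] != b"\x08\x00":
            continue                      # not IPv4 (e.g. the ARP frames)
        ip = frame[14:]
        if ip[9] != 6:
            continue                      # not TCP (e.g. DNS over UDP)
        ihl = (ip[0] & 0x0F) * 4
        src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
        sport, dport = struct.unpack_from("!HH", ip, ihl)
        yield src, dst, sport, dport, ip[ihl + 13]


def open_ports(pcap_bytes, client, server):
    """Server ports where client completed a three-way handshake.  State per
    (client port, server port): 'syn' -> 'synack' -> established."""
    state, opened = {}, set()
    for src, dst, sport, dport, flags in iter_tcp(pcap_bytes):
        if src == client and dst == server:
            key = (sport, dport)
            if flags == TCP_SYN:
                state[key] = "syn"
            elif flags & TCP_ACK and not flags & TCP_RST and state.get(key) == "synack":
                opened.add(dport)        # client's ACK: handshake complete
                state[key] = "established"
        elif src == server and dst == client:
            key = (dport, sport)
            if flags == TCP_SYN | TCP_ACK and state.get(key) == "syn":
                state[key] = "synack"
            elif flags & TCP_RST:
                state.pop(key, None)     # server refused the SYN: port closed
    return opened


def sample_pcap():
    """Constructed capture: one probe per port, port 80 probed twice (assumed)."""
    frames, sport = [], 40000
    frames.append(b"\x00" * 12 + b"\x08\x06" + b"\x00" * 28)          # ARP, skipped
    dns = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                      socket.inet_aton(CLIENT), socket.inet_aton("10.0.2.3"))
    frames.append(b"\x00" * 12 + b"\x08\x00" + dns + struct.pack("!HHHH", 5353, 53, 8, 0))
    for port in sorted(OPEN_PORTS + CLOSED_PORTS) + [80]:
        sport += 1
        frames.append(build_packet(CLIENT, SERVER, sport, port, TCP_SYN))
        if port in OPEN_PORTS:
            frames.append(build_packet(SERVER, CLIENT, port, sport, TCP_SYN | TCP_ACK))
            frames.append(build_packet(CLIENT, SERVER, sport, port, TCP_ACK))
            frames.append(build_packet(CLIENT, SERVER, sport, port, TCP_RST | TCP_ACK))  # scanner aborts
        else:
            frames.append(build_packet(SERVER, CLIENT, port, sport, TCP_RST | TCP_ACK))  # port closed
    return build_pcap(frames)


def flag_value(pcap_bytes, client=CLIENT, server=SERVER):
    """The challenge answer: sum of the ports that accepted a connection."""
    return sum(open_ports(pcap_bytes, client, server))


if __name__ == "__main__":
    ports = open_ports(sample_pcap(), CLIENT, SERVER)
    print("open:", sorted(ports), "flag value:", sum(ports))
```

To run it against the real challenge file, read the pcap with `open(path, "rb").read()` and pass the bytes to `open_ports`; the parser only handles the classic little-endian libpcap format (not pcapng), which is the assertion at the top of `iter_tcp`. The state machine is the point: counting the client's RST-ACKs or pure ACKs works in Wireshark because the scanner behaves predictably, but requiring the SYN / SYN-ACK / ACK sequence per client port is the check that does not depend on how the scanner tears down its connections.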