Tags: wireshark python3.8 


Original writeup with images (https://github.com/bias0/writeups/tree/main/csaw21-constela)

Traffic Analysis

They provide a .pcap containing a lot of different traffic. After inspecting the conversations for a while, I found a TCP stream with an interesting repeated hexadecimal string.

0x42416837436b6b694657567559574a735a5639755a58647a58325a6c5a5751474f675a465646524a49694268645852766257463061574e68624778350a58324e6f5a574e72583356775a4746305a584d474f77425556456b694848567a5957646c5832316... c64484a7059334e6664584e6c636c396b595852680a426a73415646524a49686431634752686447566663484a7665486c665a584a79623349474f7742554d456b69465856775a4746305a563968646d46700a62474669624755474f7742554d413d3d0aC

Read as ASCII, the hex turns out to be a base64 message, which I decoded with the usual pipe echo "base64_message" | base64 -d :

BAh7CkkiFWVuYWJsZV9uZXdzX2ZlZWQGOgZFVFRJIiBhdXRvbWF0aWNhbGx5X2NoZWNrX3VwZGF0ZXMGOwBUVEkiHHVzYWdlX21ldHJpY3NfdXNlcl9kYXRhBjsAVFRJIhd1cGRhdGVfcHJveHlfZXJyb3IGOwBUMEkiFXVwZGF0ZV9hdmFpbGFibGUGOwBUMA==

I"enable_news_feed:ETTI" automatically_check_updates;TTI"usage_metrics_user_data;TTI"update_proxy_error;T0I"update_available;T0

Unfortunately, this led nowhere :(.

So I went back to the .pcap to look for something else. In the DNS messages I noticed something strange: among many requests to a variety of sites, I csaw (xD) some odd names that appear one right after the other, for example:

JEdQR0dBLCwzMC4wLE4sMzUuMCxXLDcs.com
MDAsLDEwMDIwLjAsZnQsLCwsKjQ3.com

Then, as before, I base64-decoded the concatenation of the two strings, minus the .com:

$GPGGA,,42.0,N,27.0,W,7,00,,10015.0,ft,,,,*47

This is the NMEA message format used for GPS satellite position fixes (as hinted by the challenge description), with fields as follows:

$GPGGA,123519,4807.038,N,01131.000,E,1,08,0.9,545.4,M,46.9,M,,*47

Where:

    GGA          Global Positioning System Fix Data
    123519       Fix taken at 12:35:19 UTC
    4807.038,N   Latitude 48 deg 07.038' N
    01131.000,E  Longitude 11 deg 31.000' E
    1            Fix quality: 0 = invalid
                              1 = GPS fix (SPS)
                              2 = DGPS fix
                              3 = PPS fix
                              4 = Real Time Kinematic
                              5 = Float RTK
                              6 = estimated (dead reckoning) (2.3 feature)
                              7 = Manual input mode
                              8 = Simulation mode
    08           Number of satellites being tracked
    0.9          Horizontal dilution of position
    545.4,M      Altitude, Meters, above mean sea level
    46.9,M       Height of geoid (mean sea level) above WGS84
                     ellipsoid
    (empty field) time in seconds since last DGPS update
    (empty field) DGPS station ID number
    *47          the checksum data, always begins with *

I tried putting the coordinates into Google Maps, but they land in the Atlantic Ocean with nothing to see.

After that I noticed that every time a pair of concatenable strings appears in the DNS streams, their characters differ slightly, meaning there are more coordinates.

I collected all of them using a wireshark filter:

dns && (((ip.src == 127.0.0.1) && (ip.dst == 127.0.0.53))) && ((frame.len==109) || (frame.len==105)) && dns.qry.name

which takes all the frames that are paired one after the other, without repeating them through the DNS request forwarding. Wireshark can export the result as a JSON file, to be used in a Python exploit (export).

Exploit

In the exploit I took the longitude, latitude and altitude values (321 locations) in order to plot them, and tried a lot of different combinations (even a 3D plot with all three elements, quite beautiful). Finally I managed to get the right combination: latitude and altitude, each with at most 25 distinct values.

The result is a square which, shrunk a bit, gives a QR code that returns the flag!
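The pipeline above (pair consecutive query names, strip .com, base64-decode, parse the $GPGGA fields, rank latitude and altitude into a grid) as an added Python example; this is not the author's exploit. The two query names and the standard GGA sentence come from this writeup; the five-fix stream and the 32-character label split are constructed assumptions, and the JSON export is replaced by a plain list of query names in capture order.

```python
import base64

# Constructed inputs: the two query names quoted in the writeup, and the
# standard GGA example from the field table (its checksum *47 is genuine).
PAGE_PAIR = ("JEdQR0dBLCwzMC4wLE4sMzUuMCxXLDcs.com", "MDAsLDEwMDIwLjAsZnQsLCwsKjQ3.com")
CANON = "$GPGGA,123519,4807.038,N,01131.000,E,1,08,0.9,545.4,M,46.9,M,,*47"

def decode_pair(first, second):
    """Join two consecutive query names (minus the .com TLD) and base64-decode."""
    return base64.b64decode(first[:-4] + second[:-4]).decode("ascii")

def nmea_checksum(sentence):
    """XOR of every byte between '$' and '*' (the NMEA 0183 checksum rule)."""
    cs = 0
    for ch in sentence[1:sentence.index("*")].encode("ascii"):
        cs ^= ch
    return cs

def parse_gga(sentence):
    """Pull out the fields the writeup plots. The checksum is reported, not
    enforced: synthetic challenge data may carry a copied '*47' that does not verify."""
    body, _, tail = sentence.partition("*")
    f = body.split(",")
    if f[0] != "$GPGGA" or len(f) < 11:
        raise ValueError("not a GGA sentence: " + sentence)
    num = lambda s: float(s) if s else None
    return {"lat": num(f[2]), "ns": f[3], "lon": num(f[4]), "ew": f[5],
            "quality": f[6], "alt": num(f[9]), "alt_unit": f[10],
            "checksum_ok": tail != "" and int(tail, 16) == nmea_checksum(sentence)}

def decode_stream(names):
    """Consume query names two at a time, in capture order, into parsed fixes."""
    return [parse_gga(decode_pair(a, b)) for a, b in zip(names[0::2], names[1::2])]

def fixes_to_grid(fixes, fill="#", empty="."):
    """Rank each fix's latitude and altitude among the distinct values seen and
    mark that cell: the latitude-vs-altitude plot the writeup ends on."""
    lats = sorted({fx["lat"] for fx in fixes})
    alts = sorted({fx["alt"] for fx in fixes})
    cells = {(lats.index(fx["lat"]), alts.index(fx["alt"])) for fx in fixes}
    return ["".join(fill if (r, c) in cells else empty for c in range(len(alts)))
            for r in range(len(lats))]

def make_query_names(sentence, split_at=32):
    """Constructed helper: encode a sentence into a label pair shaped like the
    captured ones (the 32-char split is an assumption matching the first name above)."""
    b64 = base64.b64encode(sentence.encode("ascii")).decode("ascii")
    return [b64[:split_at] + ".com", b64[split_at:] + ".com"]

def demo_names():
    """Constructed 5-fix stream (an X pattern), not challenge data."""
    pts = [(30.0, 10020.0), (30.0, 10022.0), (31.0, 10021.0), (32.0, 10020.0), (32.0, 10022.0)]
    return [n for lat, alt in pts
            for n in make_query_names(f"$GPGGA,,{lat},N,35.0,W,7,00,,{alt},ft,,,,*47")]

if __name__ == "__main__":
    print(parse_gga(decode_pair(*PAGE_PAIR)))
    print("\n".join(fixes_to_grid(decode_stream(demo_names()))))
```

On the real capture the same grid, built from the 321 fixes, is what becomes the QR code; the checksum flag is also a cheap detection signal, since genuine GPS sentences verify and copied ones do not.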

flag{tH3_5chw1fTy_C0n3teLat10N}
