13 Oct 2013

ebCTF: NET200 “Who’s there”

We found this strange website. (http://54.216.81.14/)

For this challenge we only get a website with a sum on it.

112 + 386 + 712 + 1398 + 8771 + 11982 + 15397 + 23984 = 51037

This doesn’t give us much information. How about we look at the headers?

* HTTP 1.1 or later with persistent connection, pipelining supported
HTTP/1.1 200 OK
Date: Sun, 13 Oct 2013 15:40:47 GMT
Server: Apache/2.2.22 (Ubuntu)
X-Powered-By: *knock knock*
Vary: Accept-Encoding
Content-Length: 62
Content-Type: text/html

Ah, apparently this is a portknock challenge. Let’s try connecting to each of the ports mentioned in the sum.

$ for i in 112 386 712 1398 8771 11982 15397 23984 51037 ; do nc 54.205.107.35 $i ; done
So you are knocking me, how about I return the favor?
Repeat after me and I will open the last port...

Sounds like it is knocking back. Let’s listen with tcpdump:

# tcpdump -i eth0 'src host 54.205.107.35'
18:05:04.991184 IP ec2-54-205-107-35.compute-1.amazonaws.com.1337 > xxx.xxx.xxx.xxx.8112: Flags [S], seq 0, win 8192, length 0
18:05:05.995986 IP ec2-54-205-107-35.compute-1.amazonaws.com.1337 > xxx.xxx.xxx.xxx.33386: Flags [S], seq 0, win 8192, length 0
18:05:06.999028 IP ec2-54-205-107-35.compute-1.amazonaws.com.1337 > xxx.xxx.xxx.xxx.14712: Flags [S], seq 0, win 8192, length 0
18:05:08.003376 IP ec2-54-205-107-35.compute-1.amazonaws.com.1337 > xxx.xxx.xxx.xxx.4398: Flags [S], seq 0, win 8192, length 0
18:05:09.007594 IP ec2-54-205-107-35.compute-1.amazonaws.com.1337 > xxx.xxx.xxx.xxx.1771: Flags [S], seq 0, win 8192, length 0
18:05:10.014509 IP ec2-54-205-107-35.compute-1.amazonaws.com.1337 > xxx.xxx.xxx.xxx.52313: Flags [S], seq 0, win 8192, length 0
18:05:11.018315 IP ec2-54-205-107-35.compute-1.amazonaws.com.1337 > xxx.xxx.xxx.xxx.25697: Flags [S], seq 0, win 8192, length 0
18:05:12.022267 IP ec2-54-205-107-35.compute-1.amazonaws.com.1337 > xxx.xxx.xxx.xxx.932: Flags [S], seq 0, win 8192, length 0
18:05:13.026821 IP ec2-54-205-107-35.compute-1.amazonaws.com.1337 > xxx.xxx.xxx.xxx.22222: Flags [S], seq 0, win 8192, length 0

The sequence is [8112,33386,14712,4398,1771,52313,25697,932]. In the first sequence all ports answered with a RST, so nc connected to each one exactly once. In this sequence some ports DROP the packets, in which case nc retransmits its SYN and the repeated knock ruins the port knock sequence. To send exactly one SYN per port we use the following Python script instead:


#!/usr/bin/python
# Replay the knock sequence with raw SYN packets, exactly one per port,
# so a dropped packet causes no retransmit that would break the sequence.

from scapy.all import *
conf.verb = 0

ports = [8112, 33386, 14712, 4398, 1771, 52313, 25697, 932]
ip = IP(dst="xx.xx.xx.xx")  # the challenge host
sport = 1337

for dport in ports:
    send(ip/TCP(sport=sport, dport=dport, flags="S", seq=0))

After running this script you can connect to port 22222 and get the following information:

[Advanced]
sequence = 234,781,983,2411,9781,14954,23112,63991
seq_timeout = 15
command = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 32154 -j ACCEPT
tcpflags = fin,urg,!ack
cmd_timeout = 30
stop_command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 32154 -j ACCEPT

This seems to be part of the knockd configuration. It describes another knock sequence, only this time the TCP flags FIN and URG must be set and ACK must be clear (tcpflags = fin,urg,!ack). We can do that with the following script.


#!/usr/bin/python
# Same idea as before, but with FIN and URG set and ACK clear,
# as the knockd stanza (tcpflags = fin,urg,!ack) requires.

from scapy.all import *
conf.verb = 0

ports = [234, 781, 983, 2411, 9781, 14954, 23112, 63991]
ip = IP(dst="xx.xx.xx.xx")  # the challenge host
sport = 1337

for dport in ports:
    send(ip/TCP(sport=sport, dport=dport, flags="FU", seq=0))

After that we can connect to port 32154 and get the flag: ebCTF{32c64f2542ba4566acff750196ca2e13}
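As an added example (not from the writeup or its GitHub repo), here is a small model of what knockd does with the [Advanced] stanza above: it parses the stanza, applies the tcpflags rule (a listed flag must be set, a `!`-prefixed one must be clear) and walks the sequence with a seq_timeout. The knock inputs are constructed and the state machine is simplified compared to real knockd, but it shows why the SYN retransmits mentioned earlier break a sequence.

```python
KNOCKD_STANZA = """[Advanced]
sequence = 234,781,983,2411,9781,14954,23112,63991
seq_timeout = 15
command = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 32154 -j ACCEPT
tcpflags = fin,urg,!ack
cmd_timeout = 30
stop_command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 32154 -j ACCEPT
"""  # constructed copy of the stanza the challenge returned on port 22222

def parse_stanza(text):
    """Turn one knockd stanza into a dict; sequence, seq_timeout and tcpflags are typed."""
    cfg = {}
    for line in text.splitlines():
        if "=" in line and not line.startswith("["):
            key, _, val = line.partition("=")
            cfg[key.strip()] = val.strip()
    cfg["sequence"] = [int(p) for p in cfg["sequence"].split(",")]
    cfg["seq_timeout"] = int(cfg.get("seq_timeout", 0))
    cfg["tcpflags"] = [f.strip().lower() for f in cfg.get("tcpflags", "").split(",") if f.strip()]
    return cfg

def flags_match(required, flags):
    """'fin' means the flag must be set, '!ack' that it must be clear; unlisted flags are ignored."""
    return all((f[1:] not in flags) if f.startswith("!") else (f in flags) for f in required)

def knock_matches(cfg, knocks):
    """knocks: (seconds, dport, set_of_flags) from one source host in arrival order. Simplified
    knockd state machine: a wrong port resets progress; all knocks must land within seq_timeout."""
    seq, pos, start = cfg["sequence"], 0, None
    for ts, dport, flags in knocks:
        if not flags_match(cfg["tcpflags"], flags):
            continue  # wrong flags: not a knock for this stanza at all
        if start is not None and ts - start > cfg["seq_timeout"]:
            pos, start = 0, None  # too slow, partial sequence forgotten
        if dport != seq[pos]:
            pos, start = 0, None  # wrong port (e.g. a retransmitted knock): sequence broken
            continue
        start = ts if pos == 0 else start
        pos += 1
        if pos == len(seq):
            return True
    return False

def demo():
    """Constructed knocks: the correct sequence, an nc-style duplicate knock, SYN-only knocks."""
    cfg = parse_stanza(KNOCKD_STANZA)
    good = [(i, p, {"fin", "urg"}) for i, p in enumerate(cfg["sequence"])]
    return {"correct": knock_matches(cfg, good),
            "retransmit": knock_matches(cfg, good[:2] + [(1.5, 781, {"fin", "urg"})] + good[2:]),
            "syn_only": knock_matches(cfg, [(t, p, {"syn"}) for t, p, _ in good])}
```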

Source can be found on: https://github.com/asby/ebctf
