Nittaku 3 Star Premium
[Network]
I found some weird data while monitoring my network, but I didn't catch it all. See if you can make sense of it.
- Download: utctf2020_nittaku.pcap
Recon
Inspecting the pcap, we see some Base64 traffic in ping replies. If we extract this, we get a crippled gz file:
$ tshark -r utctf2020_nittaku.pcap \
-Y 'icmp.type == 0' \
-T fields -e data |
tr -d '\n' | \
xxd -r -p | \
tr -d '\n' | \
base64 -d > file.gz
$ file file.gz
file.gz: gzip compressed data, was "flag.png"
$ gunzip file.gz
gunzip: file.gz: unexpected end of file
gunzip: file.gz: uncompress failed
The file is incomplete, but it was still possible to extract a crippled PNG file from it.
Solution
We can create ICMP packets ourselves and download the flag file in chunks. The following Python script creates and sends ICMP packets, increasing the sequence number (the chunk specifier) on each iteration.
First start a packet dump: sudo tcpdump -n icmp -w foo.pcap
Then run the script as root:
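import socket
import struct
from time import sleep

# Raw ICMP socket (this is why the script needs root)
s = socket.socket(socket.AF_INET, socket.SOCK_RAW,
                  socket.getprotobyname('icmp'))

for i in range(1, 32):
    # Echo request: type 8, code 0, checksum 0xe4c7, identifier 0x1337,
    # then the sequence number (chunk specifier) and 48 zero bytes of data.
    # 0xe4c7 is the correct ICMP checksum only for sequence number 1;
    # it is not recomputed for the other chunks.
    p = bytes.fromhex("0800e4c71337") + \
        struct.pack(">H", i) + \
        bytes.fromhex("00000000000000000000000000000"
                      "00000000000000000000000000000"
                      "00000000000000000000000000000"
                      "000000000")
    s.sendto(p, ('3.88.183.122', 1))
    # Block until an ICMP packet arrives; tcpdump records the replies
    data = s.recvfrom(1000000)
    sleep(0.5)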
We can then extract the data from foo.pcap:
tshark -r foo.pcap \
-Y 'icmp.type == 0' \
-T fields -e data | \
tr -d '\n' | \
xxd -r -p | \
tr -d '\n' | \
base64 -d > file.gz
zcat file.gz > flag.png
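From the monitoring side, this traffic stands out because the echo replies carry Base64 instead of returning the request's data unchanged, as RFC 792 requires. The following is an added example, not part of the original write-up: it flags such replies in a list of raw ICMP messages and reassembles them by sequence number. The function names and the sample traffic are constructed for illustration; only the 0x1337 identifier and the 48 zero bytes of request data mirror the script above.

```python
import base64
import gzip
import struct

B64_ALPHABET = set(b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=\n")

def icmp(icmp_type, ident, seq, payload):
    """Build a raw ICMP echo message (checksum left at 0; it is not checked here)."""
    return struct.pack(">BBHHH", icmp_type, 0, 0, ident, seq) + payload

def suspicious_replies(messages):
    """Return {seq: payload} for echo replies carrying Base64 instead of an echo."""
    requests, flagged = {}, {}
    for msg in messages:
        if len(msg) < 8:
            continue  # too short to hold an ICMP echo header
        icmp_type, _code, _cksum, ident, seq = struct.unpack(">BBHHH", msg[:8])
        payload = msg[8:]
        if icmp_type == 8:    # echo request: remember what was sent
            requests[(ident, seq)] = payload
        elif icmp_type == 0:  # echo reply: data should match the request
            if requests.get((ident, seq)) == payload:
                continue      # ordinary ping, nothing to report
            if payload and set(payload) <= B64_ALPHABET:
                flagged[seq] = payload
    return flagged

def reassemble(chunks):
    """Join flagged chunks in sequence order, decode them, and report gaps."""
    seqs = sorted(chunks)
    missing = [s for s in range(seqs[0], seqs[-1] + 1) if s not in chunks]
    return base64.b64decode(b"".join(chunks[s] for s in seqs)), missing

# Constructed sample traffic: one ordinary ping plus a chunked Base64 gzip stream.
SECRET = b"constructed sample payload, not the challenge flag"
ENCODED = base64.b64encode(gzip.compress(SECRET))
SAMPLE = [icmp(8, 0x0001, 1, b"abcdefgh"), icmp(0, 0x0001, 1, b"abcdefgh")]
for n, off in enumerate(range(0, len(ENCODED), 16), start=1):
    SAMPLE.append(icmp(8, 0x1337, n, bytes(48)))
    SAMPLE.append(icmp(0, 0x1337, n, ENCODED[off:off + 16]))

if __name__ == "__main__":
    found = suspicious_replies(SAMPLE)
    blob, missing = reassemble(found)
    print(len(found), "suspicious replies, missing chunks:", missing)
    print(gzip.decompress(blob))
```

The ordinary ping in the sample has a payload made entirely of Base64 characters, yet it is not flagged, because its reply mirrors the request; the mismatch is the signal, not the alphabet alone.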
Flag
utflag{p1Ng@b13_f1aG$}