Wednesday, October 17, 2012

hackyou CTF: Networking 300

This one was a bit harder than the other two networking challenges, purely because it came with no directions. I got the pcap file from the tinyurl link in the 100-level challenge and started examining it. There are TONS of files to mess with, so I ran NetworkMiner on the pcap and carved all sorts of data out of it. The interesting one, however, was ctf.exe.

After some examination of the disassembly, I determined that this was a symmetric-key encryption scheme in which the message is simply XORed with the key. The key is built by XORing the 8 bytes the server sends at the start of the session with the string "_hackme_". The resulting 8-byte key is applied Vigenère-style, repeating along the length of the string we want to send. The request we want to send is 'FlagRequest:omkesey' followed by the 4 bytes the server sends next, a null byte, and an underscore (the beginning of "_hackme_", which sits next on the stack). Once it is encrypted we send it to the server and receive 50 bytes back. Since XOR is its own inverse, decrypting the reply is the same operation we used to encrypt the request, and out pops the answer: "Hire_m3_mister_U". The script below reimplements what ctf.exe does.

import socket

HOST, PORT = '159.253.22.174', 3137
HACK = b'_hackme_'


def recv_exact(sock, n):
    # recv() may return fewer bytes than asked for; loop until n are in hand
    buf = b''
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise EOFError('server closed the connection early')
        buf += chunk
    return buf


def xor_with_key(data, key):
    # Vigenere-style XOR: key byte i % 8 is applied to data byte i
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


s = socket.socket()
s.connect((HOST, PORT))
banner = recv_exact(s, 17)   # greeting, not used
key = recv_exact(s, 8)       # 8 key bytes chosen by the server
linefeed = recv_exact(s, 2)  # separator, not used
extra = recv_exact(s, 4)     # 4 bytes that must be echoed inside the request

# The real XOR key is the server's 8 bytes XORed with "_hackme_"
newkey = bytes(k ^ h for k, h in zip(key, HACK))

# The request: the trailing NUL and "_" are what ctf.exe picks up from the
# stack right after the string (the "_" is the start of "_hackme_")
request = b'FlagRequest:omkesey' + extra + b'\x00_'
answer = xor_with_key(request, newkey)
# The rest of "_hackme_" follows; these bytes go out in the clear
answer += b'hackme_'
s.sendall(answer)

# The 50-byte reply is encrypted with the same key; XOR is its own inverse
ans = recv_exact(s, 50)
newans = xor_with_key(ans, newkey)
print(newans)
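To show the whole exchange offline (the CTF server is long gone), here is an added example that is not code from this write-up or from ctf.exe: a constructed stand-in server that follows the wire layout the script above relies on (17-byte banner, 8 key bytes, 2-byte separator, 4 extra bytes, 50-byte reply), the client side of the protocol, and a passive "sniffer" that recovers the flag from the same two captured messages. The banner text, the server's request check and the NUL padding of its reply are assumptions made for this example; the key derivation and the XOR layout are the ones described above. The sniffer goes one step beyond the write-up: because the 8 key bytes travel in the clear and "_hackme_" is a constant inside the binary, the scheme gives no confidentiality against anyone who holds both the pcap and ctf.exe.

```python
import os

HACK = b'_hackme_'
REQUEST_PREFIX = b'FlagRequest:omkesey'
RESPONSE_LEN = 50


def xor_stream(data, key):
    """Vigenere-style XOR: key byte i % len(key) is applied to data byte i."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def derive_key(server_key):
    """Session key = the server's 8 bytes XORed with '_hackme_', as in ctf.exe."""
    if len(server_key) != 8:
        raise ValueError('expected 8 key bytes from the server')
    return bytes(k ^ h for k, h in zip(server_key, HACK))


class FakeFlagServer:
    """Constructed stand-in for the real server (159.253.22.174:3137).

    Only the wire layout the client script relies on is taken from the
    write-up. The banner text, the request check and the NUL padding of
    the reply are assumptions made for this example.
    """

    def __init__(self, flag, rng=os.urandom):
        self.flag = flag
        self.server_key = rng(8)   # the 8 bytes sent in the clear
        self.extra = rng(4)        # the 4 bytes the client must echo back
        self.session_key = derive_key(self.server_key)

    def handshake(self):
        """Bytes the client reads before it sends anything (17 + 8 + 2 + 4)."""
        banner = b'hackyou flag svc'.ljust(17)   # 17 bytes, content assumed
        return banner + self.server_key + b'\r\n' + self.extra

    def handle(self, wire):
        """Decrypt the 25-byte request, check it, return an encrypted 50-byte reply."""
        plain = xor_stream(wire[:25], self.session_key)
        expected = REQUEST_PREFIX + self.extra + b'\x00_'
        ok = plain == expected and wire[25:] == b'hackme_'
        body = self.flag if ok else b'denied'
        return xor_stream(body.ljust(RESPONSE_LEN, b'\x00'), self.session_key)


def split_handshake(hs):
    """Pick the 8 key bytes and the 4 extra bytes out of the handshake."""
    return hs[17:25], hs[27:31]


def run_client(server):
    """Client side of the exchange; returns what a sniffer on the path would see."""
    hs = server.handshake()
    server_key, extra = split_handshake(hs)
    session_key = derive_key(server_key)
    request = REQUEST_PREFIX + extra + b'\x00_'
    wire = xor_stream(request, session_key) + b'hackme_'   # tail sent in the clear
    reply = server.handle(wire)
    return hs, wire, reply


def client_flag(server):
    """What the legitimate client learns."""
    hs, _, reply = run_client(server)
    return xor_stream(reply, derive_key(split_handshake(hs)[0])).rstrip(b'\x00')


def eavesdrop_flag(hs, reply):
    """What a passive observer learns from the same two captured messages.

    Nothing secret is needed beyond '_hackme_', a constant in the binary, so
    the 'encryption' protects nothing from someone holding the pcap and ctf.exe.
    """
    return xor_stream(reply, derive_key(split_handshake(hs)[0])).rstrip(b'\x00')


if __name__ == '__main__':
    srv = FakeFlagServer(b'Hire_m3_mister_U')
    hs, wire, reply = run_client(srv)
    print('client decrypts :', client_flag(srv))
    print('sniffer decrypts:', eavesdrop_flag(hs, reply))
```

The point of `eavesdrop_flag` is that it calls exactly the same function as `client_flag`: a key that is fully determined by bytes on the wire plus a constant in the client binary is not a key, so the pcap the challenge hands out already contains everything needed to read the traffic.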
-- suntzu_II
