
RITSEC Fall 2018 CTF — Week 2

The third week of RITSEC's CTF (week 2 in the club's 0-based numbering) has concluded. Although the official presentation and challenge write-ups for the semester CTF will be posted on ritsec.club for those interested, I post more detailed write-ups here each week for the challenges I am able to solve. I do this because, as a freshman, when I read challenge write-ups they often went step-by-step but never explained why a certain command was run or what strategy the author followed. This is my effort to explain the reasoning behind the process. As always, let me know of any errors.

Topic

This week covered the security side of networking: port scanning, firewalls, and packet capture. Points are earned by demonstrating proficiency with the relevant tools in an Ubuntu virtual machine. The login is "ritsec"/"ritsec". A readme.txt on the desktop states that this user has sudo access to iptables and Wireshark only, which matters later for the kind of port scan that can be run.

Easy 1 — Firewalls in linux? What are those?

The Linux kernel's packet filter (netfilter) is configured with the iptables utility. Since the ritsec user can run iptables with sudo, open a terminal and run sudo iptables -L to list the rules in the filter table. Adding -n skips the reverse DNS lookups that otherwise make the listing slow, and --line-numbers makes it easy to refer to a specific rule.


The comment on the fifth rule says that this command is "almost right": iptables -L does print rule comments, but the flag is easier to read from the rule set in its saved form. iptables -S (or iptables-save) prints each rule as the command that created it, and on this VM the rules are also persisted on disk in /etc/iptables. Change into that directory; ls shows two files, rules.v4 and rules.v6, holding the IPv4 and IPv6 rules respectively. In the interest of time, grep the folder recursively for the flag prefix RS{ rather than reading the files by hand.


The flag is RS{EASY1_ST0P_TH3_B4D_P4CKET5}. Note that quite a lot of traffic is being dropped by the firewall (ICMP among it), which will matter in a later challenge.

Easy 2 — One of Dora’s companions, but for networking!

This is a reference to the cartoon Dora the Explorer (her companion Map). The tool needed is nmap, the "Network Mapper", which is used to discover hosts and scan for open ports, among other things. Don't port scan a target unless its owner has given you permission: unauthorized scanning is treated as hostile reconnaissance by most organizations and may be illegal or breach an acceptable-use policy. Scanning a local virtual machine that you own is not a problem.

There are many nmap scan types. nmap's default SYN scan (-sS) builds raw packets and therefore needs root; since the ritsec user cannot run nmap with sudo, nmap falls back to the TCP connect scan (-sT), which completes a full three-way handshake on every probed port using the ordinary connect() system call. This scan is noisy and will almost certainly be logged by the target, but stealth is not a concern in a virtual machine. By default nmap scans only the 1,000 most commonly used TCP ports, not the first 1,000, so add -p- to scan all 65,535 ports and be sure the flag is not hiding on an unusual one. The target is the virtual machine the command is run from, localhost.
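As an added example (not code from the original write-up), here is what a TCP connect scan does under the hood, in Python: each probe is an ordinary connect() call, i.e. a full three-way handshake, which is why it needs no privileges and why the target can log it. The demo opens a throwaway listener on a kernel-chosen loopback port and scans a five-port window around it; the addresses, port window and timeout are assumptions for the demo, not values from the challenge VM.

```python
import socket
from contextlib import closing


def connect_scan(host, ports, timeout=0.5):
    """TCP connect scan (what nmap -sT does): return the ports that accepted.

    connect() completes the full three-way handshake, so no raw sockets or
    root are needed and the target's service logs see every probe.  A closed
    port answers the SYN with RST and connect() fails at once (ECONNREFUSED);
    a port behind an iptables DROP rule just times out, which is why the
    timeout matters when scanning all 65,535 ports.
    """
    found = []
    for port in ports:
        with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
            except OSError:  # refused (closed), timed out (filtered), unreachable
                continue
            found.append(port)  # handshake completed: port is open
    return found


def demo():
    """Assumed test setup: listen on a kernel-chosen loopback port and scan a
    five-port window around it.  The listener's port must come back as open;
    the kernel completes the handshake for a listening socket even though
    accept() is never called."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # port 0 = any free ephemeral port
    listener.listen(5)
    port = listener.getsockname()[1]
    try:
        window = range(max(1, port - 2), min(65535, port + 2) + 1)
        open_ports = connect_scan("127.0.0.1", window)
    finally:
        listener.close()
    return port, open_ports


if __name__ == "__main__":
    port, open_ports = demo()
    print(f"listener on {port}; open ports in window: {open_ports}")
```

nmap does the same thing in parallel with adaptive timing; the -p- run against localhost in this challenge is the equivalent of connect_scan("127.0.0.1", range(1, 65536)).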


There are currently four open ports on the system. Try visiting each of them in a browser at localhost:[port number] to send a request to that port; if curl is installed, curl localhost:[port number] from a terminal shows the raw response without a browser.


The flag is split into three pieces at localhost:445, localhost:8080, and localhost:65420. Port 445 is normally SMB, but here it answers HTTP with a piece of the flag; localhost:631 is the web interface of CUPS (the Common Unix Printing System) and has nothing to do with the flag. The other two pieces are not pictured for brevity, but the assembled flag is RS{EASY2_L00K_AT_MY_P0RT5}.

Medium 1 — I forget what port this was on… (Flag in .pcap file)

Open the packet capture for Medium 1 (med1.pcap, in the pcaps folder on the Desktop) with Wireshark. Inspection shows that it records a file transfer over the Trivial File Transfer Protocol (TFTP). The transferred bytes are visible in the packet bytes pane at the bottom of the window, but searching all 100 packets by hand would be time-consuming. TFTP requests go to UDP port 69, but the server answers from a fresh ephemeral port and the rest of the transfer runs between that port and the client's, so a udp.port == 69 display filter catches only the initial request. To view the transferred file in its entirety, select the first DATA packet of the transfer, right-click, and choose Follow > UDP Stream.


Wireshark then opens a window with the payloads of the stream reassembled in order. The transferred file turns out to be the TFTP RFC itself (RFC 1350; a "Request for Comments" is a document published by the Internet Engineering Task Force, IETF), which specifies the protocol and how it is to be implemented. To find the flag, use the Find box in the follow-stream window to search for the start of the flag, RS{.


The flag is RS{p0rt_numb3r5_are_h4rd}.

Medium 2 — Tay is lonely and would like to reach out.
I wasn’t able to solve this challenge in time because I did not enable the network connection for the VM — an obvious oversight for a week of networking challenges!

"Reach out" means that the VM is attempting to send traffic to an external destination. A simple and common way to "reach out" is to ping someone (as a user of a social network, such as Twitter, would). However, ICMP traffic is being dropped by the firewall, as noted in Easy 1. Flush the rules with sudo iptables -F, then confirm with sudo iptables -L that the chains are empty. Check the policy shown for each chain: -F removes rules but leaves a chain's default policy alone, so if a chain reports policy DROP it must be changed separately, for example with sudo iptables -P INPUT ACCEPT. Flushing the whole firewall is fine on a throwaway VM; on a real host you would add a targeted ACCEPT rule for ICMP instead.


To see traffic entering and leaving on all network interfaces at once, start Wireshark as root with sudo wireshark and select the any pseudo-interface. (Capturing as root is normally discouraged; the usual Debian/Ubuntu setup is to add the user to the wireshark group so that only the dumpcap capture helper runs privileged, but this VM simply grants sudo for Wireshark.)

If no ICMP traffic appears, ensure that the VM's network adapter is enabled in your hypervisor. If only echo requests appear and no replies, make sure the adapter is in NAT mode so the VM can actually reach the outside. With the settings correct, ICMP packets show up within a few minutes. Type icmp in the display filter bar to hide everything else.


Expand the ICMP section of each echo request and reply and look at the Data field.


Each captured packet carries one piece of the flag; in order they spell RS{Tay_ping_1s_beST_ping}.
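As an added example (not from the original write-up), the following Python script does the same extraction without clicking through packets: it walks a classic pcap file, picks out ICMP echo requests, and joins their Data fields by sequence number. Because the challenge capture is not included here, the script builds a small capture in memory with made-up addresses (10.0.2.15, 203.0.113.7) and the made-up string RS{sample} split across three pings; passing the bytes of a file saved from Wireshark (File > Save As, choosing the pcap rather than the default pcapng format) to reassemble() works the same way.

```python
import socket
import struct

LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
PROTO_ICMP = 1
ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8


def icmp_echo_payloads(pcap_bytes):
    """Yield (icmp_type, sequence, data) for every ICMP echo request/reply in
    a classic pcap (Ethernet link type), in capture order."""
    magic = struct.unpack("<I", pcap_bytes[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng needs a different reader)")
    linktype = struct.unpack(endian + "IHHiIII", pcap_bytes[:24])[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    pos = 24
    while pos + 16 <= len(pcap_bytes):
        incl_len = struct.unpack(endian + "IIII", pcap_bytes[pos:pos + 16])[2]
        pos += 16
        frame = pcap_bytes[pos:pos + incl_len]
        pos += incl_len
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
            continue                      # not IPv4 (e.g. ARP): skip
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4          # IPv4 header length in bytes
        total_len = struct.unpack("!H", ip[2:4])[0]
        if ip[9] != PROTO_ICMP:
            continue
        icmp = ip[ihl:total_len]          # drops any Ethernet padding/trailer
        if icmp[0] not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
            continue
        seq = struct.unpack("!H", icmp[6:8])[0]
        yield icmp[0], seq, icmp[8:]      # Data field follows the 8-byte ICMP header


def reassemble(pcap_bytes, icmp_type=ICMP_ECHO_REQUEST):
    """Join the Data fields of one direction (requests by default) by sequence
    number.  Replies echo the request data, so using both would duplicate it."""
    pieces = {seq: data for t, seq, data in icmp_echo_payloads(pcap_bytes) if t == icmp_type}
    return b"".join(pieces[s] for s in sorted(pieces)).decode("ascii", "replace")


# --- constructed capture so the example runs offline ------------------------

def _checksum(data):
    """Internet checksum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo(icmp_type, seq, data, src, dst):
    """Ethernet/IPv4/ICMP echo frame carrying `data` (dummy all-zero MACs)."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, seq) + data
    icmp = icmp[:2] + struct.pack("!H", _checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64,
                     PROTO_ICMP, 0, socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", _checksum(ip)) + ip[12:]
    return bytes(12) + struct.pack("!H", ETHERTYPE_IPV4) + ip + icmp


def build_pcap(frames):
    """Classic little-endian pcap: 24-byte global header, 16-byte record headers."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return out


def demo():
    """Constructed sample: three pings (request and reply) carrying the made-up
    string 'RS{sample}' in pieces, plus an ARP frame that must be ignored."""
    pieces = [b"RS{", b"samp", b"le}"]
    frames = [bytes(12) + struct.pack("!H", ETHERTYPE_ARP) + bytes(28)]
    for seq, piece in enumerate(pieces, 1):
        frames.append(build_echo(ICMP_ECHO_REQUEST, seq, piece, "10.0.2.15", "203.0.113.7"))
        frames.append(build_echo(ICMP_ECHO_REPLY, seq, piece, "203.0.113.7", "10.0.2.15"))
    return reassemble(build_pcap(frames))


if __name__ == "__main__":
    print(demo())
```

Ordering by ICMP sequence number rather than by capture position is deliberate: if a reply arrives before the next request, or a packet is retransmitted, the flag still comes out in the sender's order.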

Hard 1 — Sponsored by NextHop! Good luck! (Flag in .pcap file)
I wasn’t able to solve this challenge because I wasn’t sure what data to inspect in the packet capture.


The packet capture for this challenge is large, so it is hard to tell which data is relevant. The hint mentions NextHop, the RIT networking and systems administration club, and most of the traffic refers to nexthop.network, the club's website. What stands out is an abnormally large number of identical DNS queries. Normally a client resolves a name once at the start of a connection and then caches the answer, so the same query repeated throughout the capture is suspicious. Apply the display filter dns.flags.response == 0 to show only DNS queries (a plain dns filter shows the responses too).


Look closely at the repeated Standard query packets; other DNS queries are not relevant. In the packet bytes, the last byte of each of these packets (byte 74) changes and is the only difference between them. Since that byte is always either 0 or 1, the queries are carrying a message one bit at a time, a simple DNS covert channel.

There are too many packets, and too much room for error, to record each bit by hand. Right-click one of the packets of interest and select Follow > UDP Stream. Set "Show data as" to Raw and copy the output into a text editor.


In a text editor of your preference, delete everything but the last character of each line using the replace feature or a regular expression (there are many other ways to do this). Then remove the newline characters (regex \n) to join the bits into one string. Check that its length is a multiple of 8 before decoding: a stray line from a response or an unrelated query would shift every character after it. The binary is:

010100100101001101111011001100010101010000110101010111110011010001001100010101110011010001011001001101010101111101000100010011100011010101111101

Decoded as 8-bit ASCII, one character per byte, this reads RS{1T5_4LW4Y5_DN5}.
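The text-editor steps above, as an added Python example rather than code from the original write-up: take the last character of every line of the Follow > UDP Stream dump, keep the 0/1 characters, and decode the resulting bit string as 8-bit ASCII. PAGE_BITS is the bit string recovered above; SAMPLE_DUMP is a constructed stand-in for a stream dump, with a hypothetical query name, that encodes the word "DNS".

```python
# The 144-bit string recovered in the write-up, one 8-bit character per byte.
PAGE_BITS = (
    "010100100101001101111011001100010101010000110101"  # R S { 1 T 5
    "010111110011010001001100010101110011010001011001"  # _ 4 L W 4 Y
    "001101010101111101000100010011100011010101111101"  # 5 _ D N 5 }
)

# Constructed stand-in for a Follow > UDP Stream dump: one line per query,
# hypothetical name, only the final character carrying information.
SAMPLE_DUMP = "\n".join(
    "x.nexthop.network" + bit
    for bit in "01000100" "01001110" "01010011"  # "DNS"
)


def bits_from_dump(dump):
    """Return the bit string formed by the last character of every line.

    Lines whose last character is not 0 or 1 are skipped.  That removes blank
    lines but cannot detect an unrelated line that happens to end in a digit,
    so apply the display filter (dns.flags.response == 0) before following the
    stream to keep responses and other queries out of the dump.
    """
    bits = []
    for line in dump.splitlines():
        line = line.rstrip()
        if line and line[-1] in "01":
            bits.append(line[-1])
    return "".join(bits)


def decode_bits(bits):
    """Decode a string of 0/1 characters as big-endian 8-bit ASCII."""
    if set(bits) - {"0", "1"}:
        raise ValueError("bit string contains characters other than 0 and 1")
    if len(bits) % 8:
        raise ValueError(f"{len(bits)} bits is not a multiple of 8: a line is "
                         "missing or an extra one slipped into the dump")
    return "".join(chr(int(bits[i:i + 8], 2)) for i in range(0, len(bits), 8))


def decode_dump(dump):
    """Full pipeline: stream dump -> bits -> text."""
    return decode_bits(bits_from_dump(dump))


if __name__ == "__main__":
    print(decode_bits(PAGE_BITS))
    print(decode_dump(SAMPLE_DUMP))
```

The length check is the practical safeguard: with 144 bits every character lines up, but one extra or missing line turns the rest of the message into garbage rather than failing loudly.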

In Conclusion

Some of these challenges are straightforward with a grasp of networking terminology, since many of the hints are simply references to particular commands. Others (such as Hard 1) are much more challenging. If you are unfamiliar with these tools, here are some good references to get started with them. Some of these topics are also covered in RIT's Introduction to Routing and Switching, Network Services, and Systems Administration I courses, which Computing Security students take.

There will be 12 more weeks of challenges coming from RITSEC this semester! If you want to know more about RITSEC check out their website or attend a meeting if you’re on RIT’s campus — 12–2 PM in GOL-2410 for the CTF and 2–4 PM in SLA-2150 for research and presentations. Until next week!

Written by

DFIR, CTFs, disinformation, STEM education, and pretty much anything else that comes to mind. RIT Computing Security ’22. wyatttauber.com
