Thursday, May 27, 2010

Defcon 18 CTF quals writeup - Packet 200

Packet Madness 200 was a simple TCP server speaking an uncommon language (at least now).

Description: These folks speak a different language. Join their site and translate the key for us.

We open this file in Wireshark and see a TCP stream, so the first thing we do is right-click and "Follow TCP Stream" to see the contents of the whole stream in a single window.


Well, nothing interesting in ASCII, but we see radio buttons underneath so we click them, especially on this EBCDIC thing. We don't know what it is, we have never looked for it, but we click. And surprise: plain text!


We can read the following stream:
For help at any time enter: ?
cmd : 
a - new user
l - login
n - news
m - maintenance
q - quit
? - print this message
cmd : a
New user id: marsddtek
New user password: ilovesheep
Again: ilovesh33p
Passwords do not match
cmd : a
New user id: mars.ddtek
New user password: ilovesh33p
Again: ilovesh33p
Welcome mars.ddtek, we hope you enjoy our bbs
You may now login
cmd : l
User: administrator
Password: password
Invalid user
cmd : l
User: admin
Password: pass
Invalid user
cmd : l
User: root
Password: root
Invalid user
cmd : m
Please log in to use maintenance mode
cmd : n
Please log in to read the news
cmd : l
User: mars.ddtek
Password: ilovesh33p
Welcome back mars.ddtek
cmd : m
Insufficient privileges
cmd : l
User: Admin
Password: admin
Invalid user
cmd : l
User: Admin
Password: 12345
Invalid user
cmd : 
a - new user
l - login
n - news
m - maintenance
q - quit
? - print this message
cmd : q

After a quick look at Wikipedia, we just learned something: EBCDIC (Extended Binary Coded Decimal Interchange Code) is a character encoding just like ASCII (American Standard Code for Information Interchange), except that it was created by IBM, it is not really practical (the letters a-z are not contiguous, for instance), and it lost: it is not the standard.

Ok, so we have an EBCDIC-encoded TCP stream. We have the IP address and TCP port of the server (192.41.96.121:8686), so we can try to connect to it, but we have to speak and read this EBCDIC dialect. How? Two solutions.

First solution, we create our own network client in Python using sockets; thanks to the codecs module we are able to encode and decode EBCDIC. It gives this:
#!/usr/bin/env python
import codecs, sys, socket, time

# Connect to the challenge server; the codec name EBCDIC-CP-BE is an alias of cp500.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('192.41.96.121', 8686))

while 1:
    data = s.recv(1024)
    if not data:            # server closed the connection
        break
    # The server talks EBCDIC: decode what it sends, encode what we type.
    print data.decode('EBCDIC-CP-BE')
    s.send(sys.stdin.readline().encode('EBCDIC-CP-BE'))
    time.sleep(0.5)

s.close()

Second solution, we are as smart as Scott Wolchok: we use netcat for the network part, dd for the translation (because yes, dd speaks fluent ASCII and EBCDIC), and finally pipes to make everything work together. It gives us a very nice client in one single line of shell:
$ dd conv=ebcdic bs=1 | nc 192.41.96.121 8686 | dd conv=ascii bs=1
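The same translation can be done offline on a captured payload, which is handy when triaging a pcap before bothering with a live client. This is an added example, not code from the writeup: it uses Python's cp500 codec (the EBCDIC-CP-BE alias above), a small printable-ratio heuristic to tell an EBCDIC payload from an ASCII one (what the Wireshark radio button did by hand), and a check of the non-contiguous a-z mentioned earlier. The sample bytes are constructed here from lines of the captured session.

```python
import codecs
import string

EBCDIC = "cp500"              # registered alias: EBCDIC-CP-BE
PRINTABLE = set(string.printable)

# Constructed samples: one line pair from the session, re-encoded as EBCDIC,
# and the same kind of text as plain ASCII for comparison.
SAMPLE_TEXT = "cmd : a\r\nNew user id: mars.ddtek\r\n"
SAMPLE_EBCDIC = SAMPLE_TEXT.encode(EBCDIC)
SAMPLE_ASCII = b"cmd : l\r\nUser: admin\r\n"

def printable_ratio(text):
    """Fraction of characters that are printable ASCII (0.0 for empty text)."""
    if not text:
        return 0.0
    return sum(1 for ch in text if ch in PRINTABLE) / len(text)

def looks_like_ebcdic(data, margin=0.2):
    """Heuristic: payload is EBCDIC when it reads as text under cp500
    but mostly as garbage under ASCII. cp500 maps all 256 byte values,
    so decoding never fails; undecodable ASCII bytes become U+FFFD."""
    as_ascii = data.decode("ascii", errors="replace")
    as_ebcdic = data.decode(EBCDIC, errors="replace")
    return printable_ratio(as_ebcdic) - printable_ratio(as_ascii) > margin

def decode_stream(data):
    """Decode a captured payload with whichever encoding it appears to use."""
    codec = EBCDIC if looks_like_ebcdic(data) else "ascii"
    return data.decode(codec, errors="replace")

def letter_gaps():
    """Lowercase letters after which the EBCDIC code does not simply
    increase by one; this is the 'non-linear a-z' of the writeup."""
    codes = [ch.encode(EBCDIC)[0] for ch in string.ascii_lowercase]
    return [string.ascii_lowercase[i]
            for i in range(len(codes) - 1)
            if codes[i + 1] != codes[i] + 1]

if __name__ == "__main__":
    print(decode_stream(SAMPLE_EBCDIC), end="")
    print("gaps after:", letter_gaps())
```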

Once connected to the server, we find what we already noticed in the capture file:
  • we can see the help,
  • register with a username and a password,
  • log in (by the way, accounts do not persist from one session to another),
  • from there see the news,
  • but we can't access the maintenance mode.
After registering and logging in, let's see the news:
cmd : n
5/21/2010 - Defcon qualifiers are underway.
5/18/2010 - It's Bob Randolph's birthday today, wish him well if you see him
5/16/2010 - It's IBM old timer's night at the bowling alley. The key thing to remember at these things is that: once upon a time IBM ruled the world
4/29/2001 - First post! w00t!

Recalling the description, join their site and translate the key for us, we realize that translate refers to EBCDIC and that we now have to find the key. The news mentions the key thing [...] is that, so we try once upon a time IBM ruled the world and it is CORRECT!


Ok I lied, it did not happen like that, because of the crappy java scoreboard. I chose the challenge, sent the flag, but received a WRONG. So I told myself: of course, it was too obvious, what were you thinking? I went back to the network client and thought I must have these privileges to get the maintenance access. I tried many things, including some hacking with the username inspired from Trivia 200 of the 2009 quals. But no luck, I gave up. Several hours later a Nibbles teammate read my notes on the collaborative space and sent the flag which had not worked for me.

It leads me to criticize this java applet scoreboard. It was not the first time it trapped us; yes, maybe we were just misusing it, after all it's easy: you just have to click once on a challenge, and if it did not work (challenge in yellow and description updated), you should try again, possibly by clicking on another challenge and back. Anyway, what is good to hear is that we were not the only ones to get trapped. Seriously, why a java applet scoreboard... if it is for some kind of security I don't get it, because reversing it was trivial. Anyway I recognize the hard work of ddtek for these quals and do not blame them for anything; after all it is part of the game, I sucked. :)

3 comments:

  1. haha if you guys didn't sign in 10 people per one user name this would not happen on scoreboard, next time read directions for registration :)

  2. Damn it, you're right :) shame on us.
    Yet, I was using my own account under my nickname, but indeed shared with the scoreboard robot... bad idea, I should have created another account.

  3. This comment has been removed by a blog administrator.
