Advent Calendar of Advanced Cyber Fun 2018 Write-Up

Introduction

There was an advent calendar on http://xmas.rip/ that had a little network riddle every day:

The riddles are very fun. I solved all except for the one on day 22.

Here are my solutions.

1/TCP

Day 1:

Connect to port 1 using ncat and the -C option to send proper CRLF linebreaks. Sadly, the service does not support the HELP command that would output all services:

Start the wishlist service using the wishlist command:

2/TCP

Day 2:

This service is vulnerable against Heartbleed:

3/SCTP

Day 3:

Create a local TCP socket on port 1234 that forwards the traffic to xmas.rip on port 3 via sctp:

Connect to the local socket:

This can also be used in the browser:

Configuring that port 3 is the HTTP protocol in SCTP:

Dissected HTTP in SCTP traffic in Wireshark:

The ncat tool from the nmap project does also directly support SCTP:

4/TCP

Day 4:

Port 4 is closed:

The PCAP shows that santa first connected to xmas.rip on port 443 and was also not able to access port 4. After sending some SYN packets to port 42, 23, 16, 15 and 8, he was able to access port 4:

This is called port knocking.

Doing the same:

The port is now open:

Accessing the service:

5/TCP

Day 5:

Visiting the page with a browser:

When the TLS connection is established, the server tells the client, that a client certificate can be sent and which algorithms are supported. The message No client certificate CA names sent indicates that the server accepts client certificates but does not tell the client from which CA they must be issued. It could be issued by any arbitrary CA.

This can also be seen in the TLS handshake in Wireshark:

Generating a certificate with the common name set to christmas:

Connecting to the server:

Done.

6/TCP

Day 6:

Connecting to port 6:

Notthing happens.

Connecting to port 666 when port 6 is still connected:

Now, in the TCP connection on port 6, a calculation appears:

This has to be calculated quickly and sent to the connection on port 666, otherwise, the task failed:

This can be done by a small script that creates a socket to both ports, reads the calculation from port 6 and sends the answer to port 666 until no calculation is sent anymore:

#!/usr/bin/env bash

host="xmas.rip"
echo "[*] Connecting to $host on port 6..."
exec 3<> /dev/tcp/$host/6
sleep 0.5

echo "[*] Connecting to $host on port 666..."
exec 4<> /dev/tcp/$host/666
sleep 0.5

IFS=''
while read -u 3 "task"
do
  if [[ "$task" =~ ^[0-9] ]]
  then
    echo "[*] Task: $task"
    echo "[*] Solving and sending task to port 666..."
    bc -lq <<< "$task" | cut -d. -f1 >&4
  else
    echo "$task"
  fi
  sleep 0.5
done <&3

echo "[*] Finished."

Executing the script works:

7/TCP

Day 7:

The OPTIONS request shows that there is a XMAS HTTP method:

Using the XMAS method to connect:

8/TCP

Day 8:

When a connection is established, the server tells that I should use another cipher:

Curl supports various ciphers: https://curl.haxx.se/docs/ssl-ciphers.html.

Connecting to the cerver using the ECDHE-RSA-CHACHA20-POLY1305 cipher:

The cipher selection can be seen in Wireshark:

9/TCP

Day 9:

Connecting to the port shows nothing interesting:

Analyzing the eBPF code:

#include
#include
#include

#define ETH_HLEN 14

/*eBPF program.
  Filter Packets
  return  0 -> DROP the packet
  return -1 -> KEEP the packet and return it to user space (userspace can read it from the socket_fd )
*/
int filter(struct __sk_buff *skb) {

        u8 *cursor = 0;

        struct ethernet_t *ethernet = cursor_advance(cursor, sizeof(*ethernet));
        if (!(ethernet->type == 0x0800)) {
                goto DROP;
        }

        struct ip_t *ip = cursor_advance(cursor, sizeof(*ip));

        if (ip->nextp != 0x06) {
                goto DROP;
        }

        u32  tcp_header_length = 0;
        u32  ip_header_length = 0;
        u32  payload_offset = 0;
        u32  payload_length = 0;

        ip_header_length = ip->hlen << 2;

        if (ip_header_length < sizeof(*ip)) {
                goto DROP;
        }

    void *_ = cursor_advance(cursor, (ip_header_length-sizeof(*ip)));

        struct tcp_t *tcp = cursor_advance(cursor, sizeof(*tcp));

        tcp_header_length = tcp->offset << 2;

        payload_offset = ETH_HLEN + ip_header_length + tcp_header_length;
        payload_length = ip->tlen - ip_header_length - tcp_header_length;

        if(payload_length < 7) {
                goto DROP;
        }

        unsigned long p[8];
        int i = 0;
        for (i = 0; i < 8; i++) {
                p[i] = load_byte(skb , payload_offset + i);
        }

        if ((p[2] == 'A') && (p[5] == '0') && (p[0] == 'X') && (p[3] == 'S') && (p[1] == 'M') && (p[4] == '2') && (p[7] == '8') && (p[6] == '1')) {
                goto KEEP;
        }

        goto DROP;

        //keep the packet and send it to userspace retruning -1
        KEEP:
        return -1;

        //drop the packet returning 0
        DROP:
        return 0;
}

The following requirement shave to be met.

The ethernet payload has to be IPv4:

The transport protocol has to be TCP:

Tha array shows, that the payload has to be XMAS2018:

p[0] == 'X'
p[1] == 'M'
p[2] == 'A'
p[3] == 'S'
p[4] == '2'
p[5] == '0'
p[6] == '1'
p[7] == '8'

Sending a TCP packet via IPv4 with the payload XMAS2018:

The challenge description says, that this challenge is not possible via IPv6. However, it was possible:

Also Wireshark shows that this was transmitted via IPv6:

There might be some NAT from IPv6 to IPv4 or something like this and the eBPF filter is applied after the NAT. But I have no clue :).

10/TCP

Day 10:

Analyzing the PCAP file shows which data are sent to the server:

This data can be explorted (right click, copy as escaped string) and then sent again to the server without implementing a .NET remoting client:

11/TCP

Day 11:

It’s not possible to SSH into the server because of no matching cipher:

The server does only support the none encryption algorithm:

This cipher is not implemented in the OpenSSH client:

A patch file was provided by xmas.rip:

Therefore, we have to build an OpenSSH version using this patch to support the NULL cipher.

Download, compile and install zlib:

Download, compile and install openssl:

Download OpenSSH version 6.8p1:

Download and apply the provided patch for supporting the NONE cipher:

Compile OpenSSH:

It’s now possible to connect using the none cipher:

12/TCP

Day 12:

Using TLS 1.3 to connect to the server:

TLS 1.3 in Wireshark:

13/TCP

Day 13:

It’s not possible to connect to the port:

The following example scapy source code was provided:

The reserved=15 option sets all reserved flags to 1:

Performing a 3-way TCP handshake with scapy and setting all reserved flags to 1:

#!/usr/bin/env python3

from scapy.all import *

ip=IP(dst="51.75.68.227", flags=4)
TCP_SYN=TCP(sport=1500, reserved=15, dport=13, flags="S", seq=100)
TCP_SYNACK=sr1(ip/TCP_SYN)

my_ack = TCP_SYNACK.seq + 1
TCP_ACK=TCP(sport=1500, dport=13, flags="A", seq=101, ack=my_ack)
send(ip/TCP_ACK)

my_payload="gugus"
TCP_PUSH=TCP(sport=1500, dport=13, flags="PA", seq=102, ack=my_ack)
response=sr1(ip/TCP_PUSH/my_payload)

print(response)

When this script is executed, the reserved bits are set to 1:

But the handshake was not successful. The system sends a TCP RST packet back when the SYN-ACK was received:

This is because the OS received the SYN-ACK packet and does not know what to do with it (because not the OS but our scapy script performed the initial handshake request). The following iptables rule drops the packet so that the system does not send an RST packet back:

Execute the script again:

The data in wireshark:

14/TCP

Day 14:

Connecting via TCP and performing an HTTP request:

Adding SSL:

15/TCP

Day 15:

Using a simple WebSocket page from https://github.com/ethicalhack3r/scripts/blob/master/WebSockets.html.

It’s not possible to directly connect to the port 15:

Forwarding the local port 80 to port 15 on xmas.rip using socat:

Now it works:

16/TCP

Day16:

Connect to the port:

There is some binary code after the string “Your first Challenge is”:

A valid answer has to be given:

Installing Unicorn (a lightweight multi-platform, multi-architecture CPU emulator framework):

Download the code sample:

Delete some code that is not needed and adding some code that connects to the server, executes the bytecode and sends back the result:

#!/usr/bin/env python

from __future__ import print_function
from unicorn import *
from unicorn.x86_const import *
import socket
import re

def main():
    host = 'xmas.rip'
    port = 16

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host,port))
    while True:
        data = s.recv(1024)
        print(data)
        data = s.recv(1024)
        print(data)
        if "code" not in data and "EAX" not in data:
            exit()
        result = re.search("is(.*)\n\n\nYour", data)
        x86code = result.group(1)
        print("Code: :" + x86code)

        emulated = emulate_code(x86code)
        print("EAX Register:" + str(emulated))
        s.send(str(emulated))

        continue

def emulate_code(x86code):
    # memory address where emulation starts
    ADDRESS = 0x1000000

    print("Emulate i386 code" + x86code)
    try:
        # Initialize emulator in X86-32bit mode
        mu = Uc(UC_ARCH_X86, UC_MODE_32)

        # map 2MB memory for this emulation
        mu.mem_map(ADDRESS, 2 * 1024 * 1024)

        # write machine code to be emulated to memory
        mu.mem_write(ADDRESS, x86code)

        # initialize machine register EAX
        mu.reg_write(UC_X86_REG_EAX, 0x0000)

        # emulate code in infinite time & unlimited instructions
        mu.emu_start(ADDRESS, ADDRESS + len(x86code))

        r_eax = mu.reg_read(UC_X86_REG_EAX)
        return int(r_eax)

    except UcError as e:
        print("ERROR: %s" % e)

if __name__ == '__main__':
    main()

Execute the script:

TCP stream in wireshark (the dots in the ASCII dump represent non-printable characters):

17/TCP

Day 17:

This challenge is about an authentication protocol for TLS:

Curl supports SRP:

No server certificate is sent to the client in the server hello TLS message:

The client tells the server that he likes to do SRP by choosing appropriate cipher suites. The username is also sent in the client hello to the server:

18/UDP

Day 18:

The message has to be correctly formatted:

A message according to RFC 1312 (https://tools.ietf.org/html/rfc1312 h) has to be created:

Parts of the message:

revision
recipient + nullbyte
recipterm + nullbyte
message + nullbyte
sender + nullbyte
senderterm + nullbyte
cookie + nullbyte
signature + nullbyte

Example from the RFC:

Building such a message and send it to the server:

Now, we have to calculate the signature. The following script was created:

#!/usr/bin/env python3

import socket
import hashlib

def main():
    host = "51.75.68.227"
    port = 18
    myip = "178.194.102.109"

    revision = "B"
    recipient = "santa"
    recipterm = ""
    message = "secret"
    sender = "santa"
    senderterm = "x"
    cookie = "1"
    signature = ""

    signature = generate_signature(myip, sender)

    data = revision \
            + recipient + '\x00' \
            + recipterm + '\x00' \
            + message + '\x00' \
            + sender + '\x00' \
            + senderterm + '\x00' \
            + cookie + '\x00' \
            + signature + '\x00'

    print("Message: " + data)

    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.sendto(data.encode(), (host,port))

    data, addr = sock.recvfrom(1024)
    print (str(data, "utf-8"))

def generate_signature(addr, sender):
    source_ip = addr
    blake = hashlib.blake2b(digest_size=18)
    blake.update(source_ip.encode())
    blake.update(sender.encode())
    blake.update(b'XMAS2018')
    return blake.hexdigest()

if __name__ == '__main__':
    main()

The message was accepted:

19/TCP

Day 19:

Connect to the port and save the output in a file:

The file is an image:

Display the image:

Sending back the number from the image ( 65817752) reveals the secret:

20/TCP

Day 20:

In DNS over HTTPS, the DNS request can be provided base64 encoded in the GET request:

The encoded data itself is a DNS payload as it would be for a normal DNS request (DNS on-the-wire format):

Creating such a message ( TXT record of xmas) using scapy and sending it to the server (using HTTP/2 and TLS):

#!/usr/bin/env python3

from scapy.all import *
from hyper import HTTPConnection

query = base64.b64encode(bytes(DNS(qd=DNSQR(qname="xmas", qtype="TXT")))).decode("utf-8")
print("Binary query: " + query)
conn = HTTPConnection(host='xmas.rip', port=20, secure=True)
conn.request('GET', '/dns-query?dns=' + query)
resp = conn.get_response().read()
print("Binary response: " + str(resp))
print("Parsed response:")
test = DNS(resp)
test.show()

The secret can be seen in the DNS resposne:

21/UDP

Day 21:

I did not solve this task. I had some problems setting up the go environment.

22/TCP

Day 22:

When a connection to the port is established, a message says to which service you have to connect and which data you have to send. This is different every time and you don’t have much time:

Bash script for solving this task:

#!/usr/bin/env bash

host="51.75.68.227"

main(){
  echo "[*] Connecting to $host on port 22..."
  exec 3<> /dev/tcp/$host/22

  IFS=''
  while read -u 3 "task"
  do
    if [[ "$task" =~ ^protocol ]]
    then
      echo
      echo "[*] Task: $task"

      IFS=" " read x x protocol x x port x x x magicstring <<< "$task"
      protocol=${protocol/,/}
      port=${port/,/}
      magicstring=${magicstring/,/}
      echo "Protocol: $protocol"
      echo "Port: $port"
      echo "String: $magicstring"

      send_string "$protocol" "$port" "$magicstring"
    else
      echo "$task"
    fi
  done <&3
  echo "[*] Finished."
}

send_string(){
  protocol="$1"
  port="$2"
  magicstring="$3"

  case $protocol in
  "tcp")
    echo "[*] TCP..."
    echo "$magicstring" | ncat -v "$host" "$port"
    ;;
  "udp")
    echo "[*] UDP..."
    echo "$magicstring" | ncat -v --udp "$host" "$port"
    ;;
  "sctp")
    echo "[*] SCTP..."
    echo "$magicstring" | ncat -v --sctp "$host" "$port"
    ;;
  esac
}

main

Execute the script:

Wireshark:

23/TCP

Creating an ethernet tunnel over SSH:

A new TAP ethernet device is created:

Bring up the new layer 2 tunnel interface:

Configure the device using DHCP:

In the DHCP ACK message the secret was revealed in a DHCP option:

24/TCP

Day 24:

The page shows the secret letter by letter. But the secret can be printed in the JavaScript console:

Conclusion

This advent calendar was very fun! I hope there will be one next year again! :)

Introduction#

1/TCP#

2/TCP#

3/SCTP#

4/TCP#

5/TCP#

6/TCP#

7/TCP#

8/TCP#

9/TCP#

10/TCP#

11/TCP#

12/TCP#

13/TCP#

14/TCP#

15/TCP#

16/TCP#

17/TCP#

18/UDP#

19/TCP#

20/TCP#

21/UDP#

22/TCP#

23/TCP#

24/TCP#

Conclusion#

Comments