Project Sekai
🔒 RITSEC CTF 2023 / 🩸-forensics-clocks
Avatar
Clocks - 300 points
Category: Forensics
Description: Time flies like an arrow; fruit flies like a banana
Files: No files.
Tags: No tags.
Sutx pinned a message to this channel. 03/31/2023 4:00 PM
Avatar
@afterworld wants to collaborate 🤝
Avatar
no file?
Avatar
there is
16:42
Avatar
o ok pcap can't look at it
16:43
bmp so weird
Avatar
yeah
Avatar
6 http objects
17:30
time related maybe
17:31
post request feed some weird data
17:33
20230330105432Z....20230406095431Z
17:33
20230330115138Z....20230406105137Z
17:34
20230330131831Z....20230406121830Z
Avatar
@crazyman ai wants to collaborate 🤝
Avatar
@Guesslemonger wants to collaborate 🤝
Avatar
Guesslemonger 03/31/2023 9:37 PM
Are there ntp packets?
21:38
a lot ntp/icmp
21:38
those are UDP packages? can follow the udp stream
21:40
oh network time protocol
21:40
prob related to clock
Avatar
Guesslemonger 03/31/2023 9:45 PM
Check ntp data for some values that could be converted to flag
Avatar
k lm check
22:00
there's bunch of ntp data idk if we need to combine them or sth
Avatar
This is bumped to 400pts
22:37
Hint: It's just turned five o'clock somewhere. (edited)
Avatar
@Violin wants to collaborate 🤝
Avatar
They changed hint to "It's just turned five o'clock somewhere." from "It's five o'clock somewhere."
Avatar
Guesslemonger 04/01/2023 3:17 AM
well ntp.xmt should be relevant, since utc epoch time is 1 jan 1970 05:00:00 AM in this pcap
Avatar
Guesslemonger 04/01/2023 3:34 AM
tshark -n -T fields -e ntp.xmt -Y "ntp.xmt&&ntp.flags.mode==3&&udp.srcport!=123" -r clocks.pcapng
03:35
Dec 23, 2004 23:44:05.872438963 UTC Mar 4, 1987 23:15:10.958595273 UTC Aug 18, 1996 00:05:41.588633857 UTC Jun 11, 1972 15:10:28.018312990 UTC Mar 7, 1968 14:58:33.579062608 UTC Mar 27, 2060 18:52:21.935272035 UTC Feb 1, 1973 07:03:18.982603810 UTC Sep 30, 2042 22:16:37.071605292 UTC Mar 5, 2057 23:22:53.212412880 UTC Jul 18, 2033 07:10:40.998325014 UTC Nov 27, 1987 19:43:49.302626833 UTC Jan 26, 2086 22:39:31.555254543 UTC Jul 13, 2080 17:55:04.039475662 UTC Jul 6, 1972 00:07:16.141103747 UTC Oct 24, 2051 12:17:22.327669756 UTC May 16, 2014 20:34:59.229508180 UTC Feb 1, 2007 21:24:28.959969982 UTC Mar 28, 2085 02:49:23.274175976 UTC Dec 18, 2040 14:24:51.449676511 UTC Aug 1, 2059 01:28:46.763619219 UTC Aug 13, 1971 08:47:54.265199687 UTC Feb 15, 1996 03:24:18.535381198 UTC Nov 5, 2059 08:35:55.308131530 UTC Aug 1, 2042 00:22:22.866683202 UTC Mar 1, 2056 00:18:49.379421699 UTC Oct 5, 2078 20:14:29.423417331 UTC Aug 4, 2032 06:00:02.891562894 UTC Apr 19, 1970 23:16:33.247633181 UTC May 19, 2095 12:11:04.041060183 UTC Feb 23, 2014 04:27:21.493322442 UTC Jun 8, 2058 21:21:37.765458168 UTC Mar 21, 1982 13:49:49.200849971 UTC Apr 5, 2012 17:28:51.913962655 UTC Aug 23, 2050 23:52:29.748676766 UTC Nov 3, 2038 00:59:08.999323859 UTC Dec 17, 2093 10:27:04.438568816 UTC Nov 23, 2054 23:48:27.612645705 UTC Jul 21, 2055 13:21:26.787390034 UTC Jan 11, 2032 15:52:30.478089684 UTC Sep 13, 2081 10:21:44.987970386 UTC Mar 26, 2038 12:15:06.365245873 UTC Dec 28, 2087 17:21:47.503531688 UTC Aug 18, 2079 03:14:59.893558821 UTC Jun 9, 2068 02:52:55.292493630 UTC Jun 8, 2002 20:58:10.240499525 UTC Nov 3, 2016 07:53:42.215014542 UTC Sep 14, 2020 12:18:44.417132305 UTC Dec 28, 2100 14:07:03.657252990 UTC
03:35
all dates not 31 march 2023 or 1 jan 1970 (edited)
Avatar
none of them are "is just turned 5 oclock"
04:43
06:00:02 is the most likely
Avatar
Guesslemonger 04/01/2023 4:45 AM
5 o clock is epoch time as per this pcap
04:45
it's in +5 UTC zone i guess
Avatar
oh ok
04:45
so the above is all we have for data?
04:46
ill check later, try the other first
Avatar
Guesslemonger 04/01/2023 4:46 AM
i think so
Avatar
this seems weird
04:46
maybe some guess needed again
Avatar
Avatar
Guesslemonger
Dec 23, 2004 23:44:05.872438963 UTC Mar 4, 1987 23:15:10.958595273 UTC Aug 18, 1996 00:05:41.588633857 UTC Jun 11, 1972 15:10:28.018312990 UTC Mar 7, 1968 14:58:33.579062608 UTC Mar 27, 2060 18:52:21.935272035 UTC Feb 1, 1973 07:03:18.982603810 UTC Sep 30, 2042 22:16:37.071605292 UTC Mar 5, 2057 23:22:53.212412880 UTC Jul 18, 2033 07:10:40.998325014 UTC Nov 27, 1987 19:43:49.302626833 UTC Jan 26, 2086 22:39:31.555254543 UTC Jul 13, 2080 17:55:04.039475662 UTC Jul 6, 1972 00:07:16.141103747 UTC Oct 24, 2051 12:17:22.327669756 UTC May 16, 2014 20:34:59.229508180 UTC Feb 1, 2007 21:24:28.959969982 UTC Mar 28, 2085 02:49:23.274175976 UTC Dec 18, 2040 14:24:51.449676511 UTC Aug 1, 2059 01:28:46.763619219 UTC Aug 13, 1971 08:47:54.265199687 UTC Feb 15, 1996 03:24:18.535381198 UTC Nov 5, 2059 08:35:55.308131530 UTC Aug 1, 2042 00:22:22.866683202 UTC Mar 1, 2056 00:18:49.379421699 UTC Oct 5, 2078 20:14:29.423417331 UTC Aug 4, 2032 06:00:02.891562894 UTC Apr 19, 1970 23:16:33.247633181 UTC May 19, 2095 12:11:04.041060183 UTC Feb 23, 2014 04:27:21.493322442 UTC Jun 8, 2058 21:21:37.765458168 UTC Mar 21, 1982 13:49:49.200849971 UTC Apr 5, 2012 17:28:51.913962655 UTC Aug 23, 2050 23:52:29.748676766 UTC Nov 3, 2038 00:59:08.999323859 UTC Dec 17, 2093 10:27:04.438568816 UTC Nov 23, 2054 23:48:27.612645705 UTC Jul 21, 2055 13:21:26.787390034 UTC Jan 11, 2032 15:52:30.478089684 UTC Sep 13, 2081 10:21:44.987970386 UTC Mar 26, 2038 12:15:06.365245873 UTC Dec 28, 2087 17:21:47.503531688 UTC Aug 18, 2079 03:14:59.893558821 UTC Jun 9, 2068 02:52:55.292493630 UTC Jun 8, 2002 20:58:10.240499525 UTC Nov 3, 2016 07:53:42.215014542 UTC Sep 14, 2020 12:18:44.417132305 UTC Dec 28, 2100 14:07:03.657252990 UTC
ntp data only has date time as data?
04:46
like no raw data?
Avatar
Guesslemonger 04/01/2023 4:47 AM
ntp is called when you sync time between your pc and remote clock server
04:47
so only your system date is sent
04:47
and it sends correct date to set
04:49
do we need to convert those times to utc+5 or sth
Avatar
Guesslemonger 04/01/2023 4:49 AM
might be, 48 dates, so i thought binary basis even odd time, date, year etc
04:49
nothing worked
04:50
ig SE time lol
04:51
ill DM admin
Avatar
@hfz wants to collaborate 🤝
Avatar
100% sure it's ntp
08:19
ah you guys are already on that path, nice
Avatar
transmit timestamp should be the only relevant ntp field
08:27
some dates don't make sense, like the year 2100 or something
08:28
and the March 21 2023 dates are just here as some sort of noise, pretty sure the day the challenge was made
08:29
so we can probably put ip.dst != 128.138.140.44
08:32
and these are the only timestamps where it's something o'clock
Jan 1, 1970 05:00:02.000000000 UTC
Jan 1, 1970 05:00:05.000000000 UTC
Jan 1, 1970 05:00:13.000000000 UTC
Jan 1, 1970 05:00:15.000000000 UTC
Jan 1, 1970 05:00:29.000000000 UTC
Jan 1, 1970 05:00:35.000000000 UTC
Jan 1, 1970 05:00:37.000000000 UTC
Jan 1, 1970 05:00:44.000000000 UTC
Aug 4, 2032 06:00:02.891562894 UTC
Jan 1, 1970 05:00:48.000000000 UTC
Jan 1, 1970 05:00:51.000000000 UTC
Jan 1, 1970 05:00:51.000000000 UTC
Jan 1, 1970 05:00:55.000000000 UTC
Jan 1, 1970 05:00:58.000000000 UTC
Jan 1, 1970 05:00:59.000000000 UTC
08:32
the 5 o'clock one doesn't seem too relevant even though it's closer to the hint
08:35
ntp && icmp shows packets with 5 o'clock
Avatar
actually only the 5 o'clock stuff seems relevant
08:47
it's odd that they all have 0 milliseconds
Avatar
the data above?
Avatar
but there's only 17 packets like that
Avatar
Avatar
sahuang
the data above?
yes, apart from the Aug 4
Avatar
Avatar
hfz
and these are the only timestamps where it's something o'clock Jan 1, 1970 05:00:02.000000000 UTC Jan 1, 1970 05:00:05.000000000 UTC Jan 1, 1970 05:00:13.000000000 UTC Jan 1, 1970 05:00:15.000000000 UTC Jan 1, 1970 05:00:29.000000000 UTC Jan 1, 1970 05:00:35.000000000 UTC Jan 1, 1970 05:00:37.000000000 UTC Jan 1, 1970 05:00:44.000000000 UTC Aug 4, 2032 06:00:02.891562894 UTC Jan 1, 1970 05:00:48.000000000 UTC Jan 1, 1970 05:00:51.000000000 UTC Jan 1, 1970 05:00:51.000000000 UTC Jan 1, 1970 05:00:55.000000000 UTC Jan 1, 1970 05:00:58.000000000 UTC Jan 1, 1970 05:00:59.000000000 UTC
how did you get this
Avatar
filter ntp && icmp will give you those packets
Avatar
admin said we can do a quick summary of what we have and send him to confirm if we on right track
08:48
maybe send me sth?
Avatar
tshark -r clocks.pcapng -Y "ntp && icmp" -T fields -e ntp.xmt
Avatar
Avatar
sahuang
admin said we can do a quick summary of what we have and send him to confirm if we on right track
yes
08:48
who's the admin?
Avatar
EightPheo sth
08:48
he knew solution
08:48
but yeah what i tell him?
Avatar
seems offline
Avatar
its ok
08:49
he is messaging me lol
Avatar
just let me know
Avatar
tell him we're pretty sure it has to do with those 17 packets:
$ tshark -r clocks.pcapng -Y "ntp && icmp" -T fields -e ntp.xmt
Jan 1, 1970 05:00:02.000000000 UTC
Jan 1, 1970 05:00:05.000000000 UTC
Jan 1, 1970 05:00:13.000000000 UTC
Jan 1, 1970 05:00:15.000000000 UTC
Jan 1, 1970 05:00:29.000000000 UTC
Jan 1, 1970 05:00:35.000000000 UTC
Jan 1, 1970 05:00:37.000000000 UTC
Jan 1, 1970 05:00:44.000000000 UTC
Jan 1, 1970 05:00:48.000000000 UTC
Jan 1, 1970 05:00:51.000000000 UTC
Jan 1, 1970 05:00:51.000000000 UTC
Jan 1, 1970 05:00:55.000000000 UTC
Jan 1, 1970 05:00:58.000000000 UTC
Jan 1, 1970 05:00:59.000000000 UTC
Jan 1, 1970 05:01:01.000000000 UTC
Jan 1, 1970 05:01:04.000000000 UTC
Jan 1, 1970 05:01:07.000000000 UTC
08:49
The exfiltrated data might not be in the timestamps tho
08:50
it could be in the:
UDP checksum
IP header checksum
or IP header identification
08:51
>>> print([hex(i) for i in ip_sums])
['0x10de', '0xc00', '0xb83', '0x66e', '0x43a', '0x10f', '0xf99c', '0xe420', '0xd8d0', '0xd20f', '0xcfcc', '0xcba9', '0xcb24', '0xc4b4', '0xbe48', '0xbbc9', '0xb830']
>>> print([hex(i) for i in ip_id])
['0x24d4', '0x29b2', '0x2a2f', '0x2f44', '0x3178', '0x34a3', '0x3c15', '0x5191', '0x5ce1', '0x63a2', '0x65e5', '0x6a08', '0x6a8d', '0x70fd', '0x7769', '0x79e8', '0x7d81']
>>> print([hex(i) for i in udp_sums])
['0xecf2', '0xece6', '0xecc7', '0xecbe', '0xec87', '0xec70', '0xec65', '0xec4b', '0xec3b', '0xec30', '0xec2a', '0xec1e', '0xec14', '0xec0c', '0xec05', '0xebfc', '0xebee']
(edited)
Avatar
thats too much, we need ask him what to do next after getting 17 packages
08:51
like to confirm sth
Avatar
maybe just send all the progress and see what he says
08:52
maybe he'll say to continue looking at the checksums
08:52
oh wait
08:52
maybe the difference between the timestamps?
08:52
did GM try that?
08:53
let me try smth
Avatar
he didnt send me list of 5 oclock ones
Avatar
then ask author
Avatar
Avatar
Guesslemonger
Dec 23, 2004 23:44:05.872438963 UTC Mar 4, 1987 23:15:10.958595273 UTC Aug 18, 1996 00:05:41.588633857 UTC Jun 11, 1972 15:10:28.018312990 UTC Mar 7, 1968 14:58:33.579062608 UTC Mar 27, 2060 18:52:21.935272035 UTC Feb 1, 1973 07:03:18.982603810 UTC Sep 30, 2042 22:16:37.071605292 UTC Mar 5, 2057 23:22:53.212412880 UTC Jul 18, 2033 07:10:40.998325014 UTC Nov 27, 1987 19:43:49.302626833 UTC Jan 26, 2086 22:39:31.555254543 UTC Jul 13, 2080 17:55:04.039475662 UTC Jul 6, 1972 00:07:16.141103747 UTC Oct 24, 2051 12:17:22.327669756 UTC May 16, 2014 20:34:59.229508180 UTC Feb 1, 2007 21:24:28.959969982 UTC Mar 28, 2085 02:49:23.274175976 UTC Dec 18, 2040 14:24:51.449676511 UTC Aug 1, 2059 01:28:46.763619219 UTC Aug 13, 1971 08:47:54.265199687 UTC Feb 15, 1996 03:24:18.535381198 UTC Nov 5, 2059 08:35:55.308131530 UTC Aug 1, 2042 00:22:22.866683202 UTC Mar 1, 2056 00:18:49.379421699 UTC Oct 5, 2078 20:14:29.423417331 UTC Aug 4, 2032 06:00:02.891562894 UTC Apr 19, 1970 23:16:33.247633181 UTC May 19, 2095 12:11:04.041060183 UTC Feb 23, 2014 04:27:21.493322442 UTC Jun 8, 2058 21:21:37.765458168 UTC Mar 21, 1982 13:49:49.200849971 UTC Apr 5, 2012 17:28:51.913962655 UTC Aug 23, 2050 23:52:29.748676766 UTC Nov 3, 2038 00:59:08.999323859 UTC Dec 17, 2093 10:27:04.438568816 UTC Nov 23, 2054 23:48:27.612645705 UTC Jul 21, 2055 13:21:26.787390034 UTC Jan 11, 2032 15:52:30.478089684 UTC Sep 13, 2081 10:21:44.987970386 UTC Mar 26, 2038 12:15:06.365245873 UTC Dec 28, 2087 17:21:47.503531688 UTC Aug 18, 2079 03:14:59.893558821 UTC Jun 9, 2068 02:52:55.292493630 UTC Jun 8, 2002 20:58:10.240499525 UTC Nov 3, 2016 07:53:42.215014542 UTC Sep 14, 2020 12:18:44.417132305 UTC Dec 28, 2100 14:07:03.657252990 UTC
this was what BM got, seems different
Avatar
can you ask if flag is in flag format?
08:56
or just some ASCII uppercase
08:57
those are the differences between each consecutive timestamp: [3, 8, 2, 14, 6, 2, 7, 4, 3, 0, 4, 3, 1, 2, 3, 3]
08:57
tried to convert to ASCII uppercase, didn't give something meaningful
08:57
but it looks like the right way
08:57
because timestamps have 0 ms, so probably crafted by hand
Avatar
Avatar
hfz
tell him we're pretty sure it has to do with those 17 packets: $ tshark -r clocks.pcapng -Y "ntp && icmp" -T fields -e ntp.xmt Jan 1, 1970 05:00:02.000000000 UTC Jan 1, 1970 05:00:05.000000000 UTC Jan 1, 1970 05:00:13.000000000 UTC Jan 1, 1970 05:00:15.000000000 UTC Jan 1, 1970 05:00:29.000000000 UTC Jan 1, 1970 05:00:35.000000000 UTC Jan 1, 1970 05:00:37.000000000 UTC Jan 1, 1970 05:00:44.000000000 UTC Jan 1, 1970 05:00:48.000000000 UTC Jan 1, 1970 05:00:51.000000000 UTC Jan 1, 1970 05:00:51.000000000 UTC Jan 1, 1970 05:00:55.000000000 UTC Jan 1, 1970 05:00:58.000000000 UTC Jan 1, 1970 05:00:59.000000000 UTC Jan 1, 1970 05:01:01.000000000 UTC Jan 1, 1970 05:01:04.000000000 UTC Jan 1, 1970 05:01:07.000000000 UTC
are these sorted or by packet time order
Avatar
by packet order
Avatar
it converts to DICOGCHEDAEDBCDD
08:58
not meaningful tho
Avatar
yeah i asked
08:59
they are in increasing order by natural because ntp is time based
08:59
so it may or may not be right path i think
Avatar
yes, ofc they're increasing
09:00
but the difference between 2 subsequent timestamps is important I think
09:00
it can be controlled
Avatar
i sent him that we found those 17 packets
09:01
he said Youre missing some data
Avatar
so definitely right track
Avatar
the packet 5oclock yeah
09:02
but if you used tshark how come missing data
Avatar
maybe he's referring to other fields
09:02
because there are 4
09:02
reference time, origin time, receive time and transmit time
09:02
I only used transmit time
09:02
but they're kinda close
09:03
also, is flag in flag format or just uppercase?
09:04
so kinda confirmed?
09:04
17 records are correct
09:04
other fields
09:05
so all fields are relevant it seems
09:07
>>> m_xmt
[3, 8, 2, 14, 6, 2, 7, 4, 3, 0, 4, 3, 1, 2, 3, 3]
>>> m_rec
[3, 8, 2, 14, 6, 3, 6, 4, 3, 1, 3, 3, 2, 1, 3, 3]
>>> m_org
[3, 7, 3, 13, 6, 3, 6, 4, 3, 2, 3, 2, 2, 2, 2, 4]
>>> m_reftime
[3, 8, 2, 14, 5, 3, 7, 4, 2, 3, 2, 2, 3, 2, 1, 4]
09:07
pretty close to each other
09:08
>>> "".join(chr(65+i) for i in m_xmt)
'DICOGCHEDAEDBCDD'
>>> "".join(chr(65+i) for i in m_reftime)
'DICOFDHECDCCDCBE'
>>> "".join(chr(65+i) for i in m_org)
'DHDNGDGEDCDCCCCE'
>>> "".join(chr(65+i) for i in m_rec)
'DICOGDGEDBDDCBDD'
09:08
peepoo
Avatar
i think flag is in format
09:10
so probably not 65+i
09:10
hmm
Avatar
the heck
09:18
what numbers are we expected to use with time intervals
09:19
just as he said
Avatar
Avatar
sahuang
what numbers are we expected to use with time intervals
that was his message?
09:20
i meant if we need to use time intervals what else number can we get besides the ones you sent which wont be used
Avatar
can't think of any
Avatar
@Guesslemonger any idea?
09:23
he said "Try just one packet"
Avatar
meaning with 1 packet, we are able to get 1 character of the flag
09:23
I guess
Avatar
yeah
Avatar
so if we just simplify the problem to looking at the first packet
Avatar
right i think so
Avatar
and figure how to turn it into R, should be good
Avatar
so no need to find RS like pattern across maybe
09:25
can you send me the four numbers in one packet
09:26
he said it is related to time interval, but we only can look at one packet first, does it mean we need to look at diff between the 4 numbers in one packet instead of between packets? (edited)
Avatar
I think so
Avatar
do you have some numbers for first pck
Avatar
yeah, one sec
09:27
00:00 00:01 00:01 00:02
00:03 00:04 00:04 00:05
00:11 00:11 00:12 00:13
00:13 00:14 00:14 00:15
00:27 00:27 00:28 00:29
00:32 00:33 00:34 00:35
00:35 00:36 00:37 00:37
00:42 00:42 00:43 00:44
00:46 00:46 00:47 00:48
00:48 00:49 00:50 00:51
00:51 00:51 00:51 00:51
00:53 00:54 00:54 00:55
00:55 00:56 00:57 00:58
00:58 00:58 00:59 00:59
01:00 01:00 01:00 01:01
01:01 01:02 01:03 01:04
01:05 01:06 01:06 01:07
09:27
each line is a packet
Avatar
1st column: reftime
2nd column: origin
3rd: receive time
4th: transmit time
09:28
maybe we should convert to seconds to make it easier to see
09:31
0 1 1 2
3 4 4 5
11 11 12 13
13 14 14 15
27 27 28 29
32 33 34 35
35 36 37 37
42 42 43 44
46 46 47 48
48 49 50 51
51 51 51 51
53 54 54 55
55 56 57 58
58 58 59 59
60 60 60 61
61 62 63 64
65 66 66 67
Avatar
i sent him its just 4 numbers for one packet, e.g. first packet is 0,1,1,2 and second is 3,4,4,5. Doesnt make much sense how to convert to RS.. he said you are really close
09:34
the fuck
Avatar
ah wait
09:34
what if
09:34
increase is bit 1, same is bit 0
09:34
concat
09:35
sth like that
09:35
that looks promising
09:35
like 60 60 60 61 is 001
Avatar
across a single packet?
Avatar
might need to concat later
Avatar
but, one packet should yield a character, no?
09:35
or not necessarily?
Avatar
idk, just guessing
Avatar
he confirmed that the interval is related, right?
Avatar
what is R in binary?
09:36
he said time interval is related
09:36
thats why i had the guess
Avatar
01 01 00 10
09:37
if we do time intervals in one packet, we'll only have 3 numbers
09:37
maybe octal?
09:37
idk
09:37
can't be octal
09:37
oh wait
09:37
maybe octal
Avatar
what octal
09:38
0112?
09:38
64+8+2
Avatar
which is 65 in octal
09:38
A
09:38
not R tho
Avatar
yeah
09:38
what is 74
09:39
ok J
09:39
not it
09:40
i have an idea
09:40
pretty sure its the binary thing
Avatar
octals give: [65, 65, 9, 65, 9, 73, 72, 9, 9, 73, 0, 65, 73, 8, 1, 73, 65]
Avatar
some end of packet is the same as beginning of next packet
Avatar
there's 9, can't be octal
Avatar
can you send me the binary string
09:41
0 1 1 2 3 4 4 5 11 ... gives 10111011...
Avatar
['101', '101', '011', '101', '011', '111', '110', '011', '011', '111', '000', '101', '111', '010', '001', '111', '101']
09:41
also cross packet
09:42
get me the whole string
Avatar
each element is for 1 packet
Avatar
row 1 to row 2 gives another 1
09:42
ok ill actually get up and do it myself 🤣
Avatar
1011101101101011011111101101011101101110000110101110010100101111101
09:45
1111101 -> }
09:46
but whats 1011101
Avatar
yeah weird
Avatar
length is 67 so its a bit off
Avatar
if he can confirm that flag is 17 chars long
Avatar
he cant
Avatar
it will be easier I think
Avatar
he wont confirm if each packet gives a character in flag
Avatar
let's just assume it's 17 chars then
Avatar
idk i wont assume that because im using binary bits to do that
09:47
but you can try get R from 0112
Avatar
RS{some_flag_test}
09:48
is 18 chars
Avatar
and S from 3445
Avatar
so pretty sure flag won't be smaller
09:50
also
09:50
using our difference logic
09:50
['101', '101', '011', '101', '011', '111', '110', '011', '011', '111', '000', '101', '111', '010', '001', '111', '101']
09:50
you notice that 1st and 2nd are the same
09:50
can't be
Avatar
yeah
09:51
thats why i said include cross packet
Avatar
still not correct, so sth is missing
09:51
how did you get the above data?
09:51
might double check just to make sure
09:52
because im not sure if it's coincidence that last diffs are "1111101"
Avatar
for each row, I did: [row[1] - row[0], row[2] - row[1], row[3] - row[2]]
Avatar
ah i mean where is 0112 from
Avatar
Avatar
hfz
00:00 00:01 00:01 00:02 00:03 00:04 00:04 00:05 00:11 00:11 00:12 00:13 00:13 00:14 00:14 00:15 00:27 00:27 00:28 00:29 00:32 00:33 00:34 00:35 00:35 00:36 00:37 00:37 00:42 00:42 00:43 00:44 00:46 00:46 00:47 00:48 00:48 00:49 00:50 00:51 00:51 00:51 00:51 00:51 00:53 00:54 00:54 00:55 00:55 00:56 00:57 00:58 00:58 00:58 00:59 00:59 01:00 01:00 01:00 01:01 01:01 01:02 01:03 01:04 01:05 01:06 01:06 01:07
so this one
09:53
from pcap
09:53
yes, from pcap
09:53
then converted to seconds
Avatar
the order you listed here is exactly whats listed on pcap?
09:53
just want to make sure numbers are correct
Avatar
"I can't give you any more info without giving away the challenge"
Avatar
yeah
09:56
thats what i got
Avatar
probably each packet is the character then
09:56
he doesn't wanna say much about it
09:56
since confirming that hypothesis will make things simpler
09:58
so far we have:
- only 17 packets are relevant in the challenge (`ntp && icmp` filter)
- each ntp packet has 4 timestamps
- author confirmed it has to do with the interval between timestamps in some way
- flag is in the flag format RS{...}
09:59
Reference timestamp: This is the local time at which the system clock was last set or corrected, in 64-bit NTP timestamp format.
Originate timestamp: This is the local time at which the request departed the client for the server, in 64-bit NTP timestamp format.
Receive timestamp: This is the local time at which the request arrived at the server, in 64-bit NTP timestamp format.
Transmit timestamp: This is the local time at which the reply departed the server for the client, in 64-bit NTP timestamp format.
(edited)
10:00
we need something multiple of 8 from those packets (edited)
Avatar
i tend to think we need to convert to bits because the number difference is large, first one is 0112 last row is 6x
Avatar
unless it's not binary base
Avatar
Avatar
sahuang
i tend to think we need to convert to bits because the number difference is large, first one is 0112 last row is 6x
yeah
10:02
if each packet yields 3 bits, that 3*17 = 51
Avatar
yeah 51 for 3 bits, 67 for cross packet included
Avatar
we need a multiple of 8
Avatar
EightPheonix43 — Today at 10:19 AM
if 3 isnt divisible, try 4
10:20
packets dont exist in a vacuum
10:20
thats what i meant right, cross packet counts
10:20
@hfz
Avatar
if 3 isnt divisible, try 4
10:20
what did he mean?
Avatar
he said "if 3 isnt divisible, try 4" and "packets dont exist in a vacuum"
10:21
which i would guess it means cross packet counts
10:21
so 0 1 1 2 3 -> 4 here
10:21
0 1 1 2 3 3 4 4 5 11 11 11 12 13 13 13 14 14 15 xxx
Avatar
what did he mean by 4 and 3
10:22
i'm confused
10:22
i missed context
10:22
sahuang — Today at 10:17 AM
dang, we tried so much none works, mainly because 17x3 isnt even divisible by 4, cant get any letter out. would there be any hint to this
10:23
so i think he meant we do 17x4?
Avatar
maybe yeah
Avatar
cuz 17x4 is divisible by 4
Avatar
but how would being divisible by 4 help
10:23
we need 7 or 8, no?
Avatar
so each 4 corresponds to one letter somehow
10:23
idk
10:23
maybe base 4 in this case
Avatar
i didnt ask about 8
Avatar
because 3333 in base 4 is 255
10:24
so with 4 digits you can represent all characters
Avatar
R is 1102 in base 4
Avatar
first line we had is 0112, scrambled maybe?
10:25
what about the other lines
Avatar
but S is 1103
10:27
sahuang — Today at 10:26 AM
i think we already tried that, if you mean cross packet also counts, so 0 1 1 2 3 here has 4 intervals. and yeah we tried both 4 (base 4) and 8 (as binary) none works
are we on right track though?
EightPheonix43 — Today at 10:27 AM
the first packet starts at 0 because there was nothing before
you are on the right track
10:28
oh so like add a 0 before?
10:28
0101 1101
10:28
still not R
10:29
wait what about reverse order
10:29
1010 and 1011 seems differ by 1
10:29
well but others dont match
10:29
but he confirmed we on right track so cross packet definitely counts
10:30
but it counts as next packet's first instead of first packet's last i guess
Avatar
Guesslemonger 04/01/2023 10:30 AM
bruh 300 messages
😂 1
Avatar
the guessing game here is intense
10:30
why don't you join us hahah
Avatar
Guesslemonger 04/01/2023 10:30 AM
ok so only 1970 packets important
Avatar
0 0 1 1 2
2 3 4 4 5
5 11 11 12 13
13 13 14 14 15
15 27 27 28 29
29 32 33 34 35
35 35 36 37 37
37 42 42 43 44
44 46 46 47 48
48 48 49 50 51
51 51 51 51 51
51 53 54 54 55
55 55 56 57 58
58 58 58 59 59
59 60 60 60 61
61 61 62 63 64
64 65 66 66 67
Avatar
Avatar
Guesslemonger
ok so only 1970 packets important
17 packets only
10:31
yeah
10:31
year 1970 (edited)
Avatar
Guesslemonger 04/01/2023 10:31 AM
wireshark filter?
Avatar
after put last number to beginning of first
Avatar
Avatar
Guesslemonger
wireshark filter?
icmp && ntp
Avatar
read message history
10:31
cuz there are many hints in between i sent
Avatar
Avatar
hfz
so far we have: - only 17 packets are relevant in the challenge (`ntp && icmp` filter) - each ntp packet has 4 timestamps - author confirmed it has to do with the interval between timestamps in some way - flag is in the flag format RS{...}
just need from here
Avatar
Guesslemonger 04/01/2023 10:32 AM
ok i see
Avatar
Avatar
hfz
0 1 1 2 3 4 4 5 11 11 12 13 13 14 14 15 27 27 28 29 32 33 34 35 35 36 37 37 42 42 43 44 46 46 47 48 48 49 50 51 51 51 51 51 53 54 54 55 55 56 57 58 58 58 59 59 60 60 60 61 61 62 63 64 65 66 66 67
and here's the list
10:32
and there're hints we got
Avatar
Avatar
sahuang
sahuang — Today at 10:26 AM i think we already tried that, if you mean cross packet also counts, so 0 1 1 2 3 here has 4 intervals. and yeah we tried both 4 (base 4) and 8 (as binary) none works are we on right track though? EightPheonix43 — Today at 10:27 AM the first packet starts at 0 because there was nothing before you are on the right track
but from this hint i think we need to prepend 0
Avatar
Avatar
sahuang
0 0 1 1 2 2 3 4 4 5 5 11 11 12 13 13 13 14 14 15 15 27 27 28 29 29 32 33 34 35 35 35 36 37 37 37 42 42 43 44 44 46 46 47 48 48 48 49 50 51 51 51 51 51 51 51 53 54 54 55 55 55 56 57 58 58 58 58 59 59 59 60 60 60 61 61 61 62 63 64 64 65 66 66 67
so sth like this maybe
Avatar
"packets don't exist in a vacuum" is the most cryptic hint I've ever seen
10:36
wth did he mean
Avatar
cross packet
Avatar
Avatar
sahuang
sahuang — Today at 10:26 AM i think we already tried that, if you mean cross packet also counts, so 0 1 1 2 3 here has 4 intervals. and yeah we tried both 4 (base 4) and 8 (as binary) none works are we on right track though? EightPheonix43 — Today at 10:27 AM the first packet starts at 0 because there was nothing before you are on the right track
i said "if you mean cross packet also counts" and he said on right track
10:37
lol wtf 3 solves on the misc??
10:37
is it becoming easy or what
10:38
time between solves is small
Avatar
try morse code
10:40
lmao
10:40
idk just guess
Avatar
Avatar
sahuang
cross packet
cross packet
10:40
and what he said before don't match
10:40
"look at one packet at a time"
10:40
or something like that
Avatar
Guesslemonger 04/01/2023 10:40 AM
well last difference in binary forms }
10:41
but first few dont match
Avatar
maybe luck
Avatar
the string is 0101 1101 1011 0101 1011 1111 0110 1011 1011 0111 0000 1101 0111 0010 1001 0111 1101 btw
Avatar
Guesslemonger 04/01/2023 10:41 AM
it jumps more than 1 across packets few times
Avatar
right
10:42
15->27 is weird
Avatar
Guesslemonger 04/01/2023 10:42 AM
wait, we might be missing packets in between
Avatar
Guesslemonger 04/01/2023 10:42 AM
no way it jumps this high
10:42
that could be
Avatar
Avatar
sahuang
he said Youre missing some data
.
10:43
maybe it was what he meant?
Avatar
make sense
10:43
the diff should only be 0 or 1
10:43
in that way it matched binary string
10:44
ah thats why
10:44
R} matched
Avatar
Guesslemonger 04/01/2023 10:44 AM
ntp.reftime == "1970-01-01 05:00:07Z"
10:44
there are more packets
10:44
there are like 49 packets
10:44
ic
Avatar
that filter was bad
Avatar
should be solved then
Avatar
yeah I guess
10:45
just do diff incl. cross packet then bin to string (edited)
10:45
@Guesslemonger check the last misc tgt?
10:48
this chall really gave me the hamxor from last yr's flashback
Avatar
Guesslemonger 04/01/2023 10:48 AM
udp.srcport == 123 && udp.dstport == 123 && frame.len == 90 && ip.src == 129.21.1.111
10:48
correct filter
10:48
solve now
Avatar
yeah i think hfz can do it
10:48
this from last year btw, similar spirit
Avatar
Avatar
Guesslemonger
udp.srcport == 123 && udp.dstport == 123 && frame.len == 90 && ip.src == 129.21.1.111
you're missing the packets with ICMP with this filter, no?
10:49
should be 49 packets
10:49
the filter gives 32
Avatar
Guesslemonger 04/01/2023 10:49 AM
not needed probably, it deals with ntp only (edited)
Avatar
yeah it hinted ntp right
10:49
also you can check the difference there with 32
10:50
32 is divisible by 2 so
Avatar
00:00 00:01 00:01 00:02
00:00 00:01 00:01 00:02
00:02 00:02 00:03 00:03
00:03 00:04 00:04 00:05
00:03 00:04 00:04 00:05
00:05 00:05 00:06 00:07
00:07 00:08 00:09 00:10
00:11 00:11 00:12 00:13
00:11 00:11 00:12 00:13
00:13 00:14 00:14 00:15
00:13 00:14 00:14 00:15
00:15 00:16 00:16 00:16
00:16 00:17 00:18 00:18
00:19 00:19 00:19 00:20
00:20 00:21 00:22 00:22
00:23 00:24 00:24 00:25
00:25 00:25 00:26 00:27
00:27 00:27 00:28 00:29
00:27 00:27 00:28 00:29
00:29 00:30 00:30 00:31
00:32 00:33 00:34 00:35
00:32 00:33 00:34 00:35
00:35 00:36 00:37 00:37
00:35 00:36 00:37 00:37
00:38 00:38 00:39 00:40
00:40 00:40 00:41 00:42
00:42 00:42 00:43 00:44
00:42 00:42 00:43 00:44
00:44 00:44 00:45 00:46
00:46 00:46 00:47 00:48
00:46 00:46 00:47 00:48
00:48 00:49 00:50 00:51
00:48 00:49 00:50 00:51
00:51 00:51 00:51 00:51
00:51 00:51 00:51 00:51
00:51 00:52 00:53 00:53
00:53 00:54 00:54 00:55
00:53 00:54 00:54 00:55
00:55 00:56 00:57 00:58
00:55 00:56 00:57 00:58
00:58 00:58 00:59 00:59
00:58 00:58 00:59 00:59
00:59 00:59 01:00 01:00
01:00 01:00 01:00 01:01
01:00 01:00 01:00 01:01
01:01 01:02 01:03 01:04
01:01 01:02 01:03 01:04
01:05 01:06 01:06 01:07
01:05 01:06 01:06 01:07
Avatar
16 char flag
Avatar
this is from all 49 packets
10:50
Ah
Avatar
there are dups
Avatar
ICMP are duplicates
10:50
I see
10:50
solvable from here, flag it xd
Avatar
Guesslemonger 04/01/2023 10:51 AM
yes my filter is correct
10:51
first char is R
10:51
ends in R} too
10:51
should be it
10:51
nice job
10:51
SE + guessing game
Avatar
are you doing difference between timestamps or?
10:52
the same way we've been doing?
Avatar
im not doing it
10:52
i can finish if you want
10:53
yeah
Avatar
[0, 1, 1, 2, 2, 2, 3, 3, 3, 4, 4, 5, 5, 5, 6, 7, 7, 8, 9, 10, 11, 11, 12, 13, 13, 14, 14, 15, 15, 16, 16, 16, 16, 17, 18, 18, 19, 19, 19, 20, 20, 21, 22, 22, 23, 24, 24, 25, 25, 25, 26, 27, 27, 27, 28, 29, 29, 30, 30, 31, 32, 33, 34, 35, 35, 36, 37, 37, 38, 38, 39, 40, 40, 40, 41, 42, 42, 42, 43, 44, 44, 44, 45, 46, 46, 46, 47, 48, 48, 49, 50, 51, 51, 51, 51, 51, 51, 52, 53, 53, 53, 54, 54, 55, 55, 56, 57, 58, 58, 58, 59, 59, 59, 59, 60, 60, 60, 60, 60, 61, 61, 62, 63, 64, 65, 66, 66, 67]
10:53
those are the numbers, 128 in total
10:53
32*4
Avatar
Avatar
Guesslemonger
first char is R
how did you get R?
Avatar
Guesslemonger 04/01/2023 10:54 AM
0 1 0 1 0 0 1 0
10:54
consecutive difference
Avatar
Avatar
sahuang
used /ctf submit
🩸 Well done, you got first blood!
Avatar
01010010010100110111101101010100011010010110110100110011010111110110101100110011001100110111000001100101011100100010000101111101
Avatar
you need to prepend a 0
10:55
as hinted by admin lol
10:55
that's why I couldn't get it lol
10:55
lol flashback from 2022
10:56
hamxor took me 10 hours or so
10:56
and also with admin SE
10:56
🤣
Avatar
idk why misc one has 3 solve this only 1 so far
10:57
interesting
Avatar
we have better guessers ig
10:58
misc one can be solved with some googling maybe
Avatar
we failed to guess bitmap one first when there're 8 solves 😂
Avatar
Avatar
sahuang
we failed to guess bitmap one first when there're 8 solves 😂
lol
Avatar
but yeah let me check
Avatar
Guesslemonger 04/01/2023 10:58 AM
"best" guesser ☝ (edited)
🐐 2
Avatar
i think id solve 2022's faster if ur there lol, me eana and hfz spent whole day + my next morning
💯 1
Avatar
Avatar
Guesslemonger
"best" guesser ☝ (edited)
the name speaks for itself
Exported 459 message(s)