Project Sekai
🔒 UMDCTF 2023 / ❌-misc-a-seq-by-any-other-name
A Seq By Any Other Name - 500 points
Category: Misc
Description: Sorry about this: our TCP server has got some of its wires crossed. I'm sure you'll figure it out though. Note: there is an HTTP server listening and active at the below domain, but due to the TCP wire crossing, you will not be able to reach it with your browser. Figuring out what the server is doing wrong and how to talk to the server is part of the challenge.
http://a-seq-by-any-other-name.chall.lol
Files: No files.
Tags: No tags.
Sutx pinned a message to this channel. 04/29/2023 10:17 AM

@rubiya wants to collaborate 🤝

@Violin wants to collaborate 🤝

@Legoclones wants to collaborate 🤝

this one looks interesting, network related

Okay the reason the web server doesn't work is because the TCP SYN packet never gets a response
13:21
I'm gonna try using different flag combinations, seq numbers, etc., playing around with TCP options until I get a response

I'll try the other misc after lunch
13:24
just did crypto w utaha need some rest
👍 1

Okay, trying with all combinations of different flags (SYN, ACK, RST, multiple, etc.) didn't give anything. Gonna play with seq nums now

there's no solve yet, so you can also create a ticket for a sanity check before someone bloods it
13:39
just to save time

I'll play around a bit more, but if I get nothing I'll reach out

Tried brute forcing seq numbers 1-500, also tried switching seq and ack by setting seq to 0 and ack to 1337, but again no response

go for a sanity?

yeah

he said I should be receiving a SYN-ACK response, but I'm not
14:07
so something is wrong with the challenge
14:07
I even tried on my public server with the firewall turned off to make sure it wasn't local routing issues or whatever
14:07
still nothing
14:07
he said he'll check in 30 minutes

okay it's working now
14:39
time to get to work

letsgoo lego
14:39
u can do it
14:39
whoa

Okay, I think they just switched their seq and ack numbers
14:42
Cuz it's supposed to go
Packet 1: seq=12345 (random), ack=0
Packet 2: seq=54321 (random), ack=12346 (old seq+1)
Packet 3: seq=93847 (random), ack=54322 (old seq+1)
14:42
But instead, the second packet has seq set to old seq + 1, and ack has the new value
14:42
gonna be kinda weird in scapy since the weird ack numbers don't make it recognize the response as a response

I just gotta get the kernel to stop sending RST when receiving unknown SYN/ACK 😭

Okay, I fixed that issue and think I got the TCP handshake to work
15:19
kinda jank but \o/

ohh I think I know what my problem is with automating responses
15:50
okay this is gonna also be jank but here we go

okay don't know why it's not working here, gonna file another ticket

what's the issue
16:33
did they hint sth

idk what the issue is
16:48
it just returns ACK/FIN without giving result
16:48
I sent pcap to chall author

Note from author (for myself, future note) - from a quick look, your GET request looks OK? you're on the right track though, check your seq and ack increments and whatnot

FINALLY GOT AN HTTP RESPONSE
18:52
sent 'GET / HTTP/1.1\r\nHost: a-seq-by-any-other-name.chall.lol\r\n\r\n' and got HTTP/1.0 405 METHOD NOT ALLOWED
18:55
Also 405 with POST

@afterworld wants to collaborate 🤝

Got 405 with GET, OPTIONS, POST, PUT, HEAD, DELETE. I get a 404 if I try like /robots.txt tho
19:10
Hmm, that's interesting. When I send a GET (the rest of the response is in another packet), but it says Allow: HEAD, OPTIONS, GET, POST.... I'm literally using GET?
19:11
Wireshark even recognizes it as a GET request

Okay almost got it
19:19
Figured out the issue
19:19
1 more step then I can blood

nice
19:20
pray!

bruhhhhhhh 😂 so I requested /gimmedatfile.txt like it said, and it's 316000 BYTES LONG
19:22
so I think I gotta send keep alive requests now or something
19:23
but I'm determined to get this

why is the file so large
19:25
not flag.txt or sth
19:25
lmao

to force you to script it lol
19:25
running?

gotta modify the script a bit rn

any luck?

nah, it's so finicky and timing is weird
20:38
working on it tho

okay getting closer
21:10
still finicky tho
21:10
I can now successfully acknowledge the first 22 of like 500 packets

bro my script just isn't fast enough for the server
21:30
After 120 packets, it's lagging 1.5 seconds behind so the server just stops streaming...

idk how to make it faster
21:39
unless I port it over to another language
21:39
and I have no idea how to write packet-crafting code in any language other than Python

ask admin to increase timeout

yeah that's what I did
21:45
but he's kinda slow at responding
21:45
so we'll see
21:45
Think I'm gonna start looking at another forensics one

@hfz wants to collaborate 🤝

fyi this is what I have so far
[attachment: 2.42 KB]
22:07
Problem is Python literally can't send the packets in the while loop fast enough
22:07
After 120 packets, it's 1.5 seconds behind so the web server stops transmitting
22:07
Need to send an ACK for approx 600 packets to get the full content

just finished reading through your notes
22:11
wp

can they delay to 10 seconds?

we can always spawn a VPS in the same region

yeah but still we can argue that there's delay, and even if they increase it to 10, it prevents ppl from doing it manually

Ideally, the Python would receive the packet, calculate the length, add it to the seq number, and send out, but that takes even longer. I also found that the same lengths are sent each time, so I don't need to dynamically calculate the length because I can observe them, that's what you see in my code

where's the server? can we use a VPS?
22:13
it's in the US right, so in theory you're close

IP - 34.136.198.150
22:13
Iowa? Google IP

I'm in Utah, so only like 2/3 states away

did they set timeout to 1.5s explicitly?

admin also hasn't responded
22:15
don't know, but don't think so
22:15
prolly flask default

did you send him the script

no just described it

if the web server supports the Range header, we could download chunk by chunk
22:16
but unlikely

ooooh hmm

HTTP_GET = b' GET
22:18
what's the spaces for?

The web server is looking for the start of the HTTP request at a fixed index of the packet (0x43 I think). My TCP packets don't have the optional TCP attributes that normally put the start of the HTTP request at that offset, so instead of trying to figure out how to add the optional attributes, I just added 12 spaces to get the right offset and it worked

(in reply to hfz: "but unlikely")
No, it doesn't look like flask supports the Range header by default
22:20
since I'm seeing all sorts of code that adds the functionality to it

rip someone solved it
00:00
prob they won't increase timeout

Gosh dang it
00:03
Idk what to change to speed up without completely rewriting in another language

did admin reply?

Nope
00:09
Probably in bed tbh

@unpickled admin bot wants to collaborate 🤝

(in reply to Legoclones: "The web server is looking for the start of the HTTP request at a fixed index of the packet (0x43 I think). ...")
unpickled admin bot 04/30/2023 1:27 AM
ok I haven't read anything ngl but uh you can literally do printf <packet data> | nc <eeeeeee>
01:27
i think

(in reply to Legoclones: "fyi this is what I have so far")
can someone rerun this? my WSL can't
01:29
see several solves were around that time maybe server is refreshed or sth

unpickled admin bot 04/30/2023 1:29 AM
sure

and I gotta sleep and be back tmr after a few mins

unpickled admin bot 04/30/2023 1:29 AM
gimme a minute to pip install scapy
01:32
what i got.....
01:32
idt that was intended
01:35
(sry for ghost ping legoclones that was an accident)

(in reply to sahuang: "can someone rerun this? my wsl cant")
unpickled admin bot 04/30/2023 1:35 AM
idt it worked, unless it's not smthng runnable on macs lmao

yeah

unpickled admin bot 04/30/2023 1:36 AM
I have an Ubuntu VM I can just
01:36
connect to
01:36
rq
01:38
nvm
01:38
ok I'm installing an Ubuntu VM

(in reply to unpickled admin bot: "what i got.....")
this looks like more than 150 packets

(in reply to Legoclones: "After 120 packets, it's 1.5 seconds behind so the web server stops transmitting")
I mean 120
01:39
server is made faster or sth?
01:39
not sure

Okay admin responded
06:41
That's what he said
06:42
Bro it's not loading
06:42
But this is the most important thing he said - The reason you're getting the same sizes is likely because you've got scapy's default window size as well - things will be faster if you increase that a bunch
06:47
Also, before you run the script, you need to make an iptables rule so that you don't send an RST packet on ports 10200-10300 on unexpected SYN/ACK packets

(in reply to sahuang: "can someone rerun this? my wsl cant")
I ran on WSL, you just have to install scapy and run it as sudo
06:49
So if you change the default window size to be much bigger, you may be able to require fewer packets
06:49
I don't have my computer with me so I won't be able to do it today
06:50
But you'll also have to redo the array of lengths

(in reply to Legoclones: "Also, before you run the script, you need to make an iptables rule so that you don't send an RST packet on ports 10200-10300 on unexpected SYN/ACK packets")
The command is sudo iptables -A OUTPUT -p tcp --tcp-flags RST RST --sport 64321 -j DROP, but replace 64321 with the port number and do it in a loop

(in reply to unpickled admin bot: "what i got.....")
Yes, that's intended. I was too lazy to set a condition to exit the while loop so it just runs while true
06:55
ALSO most important part - you have to have Wireshark running at the same time to capture all the responses, that way you can read the flag
06:56
I think those are all the caveats with running it, feel free to ask questions throughout the day, I'll have my phone with me

(in reply to sahuang: "this looks more than 150 packets")
You want to receive more than 120 packets from the server, you'll end up sending all of them on your side but not receiving all

ok so rip ig 🥲

Yeah sorry I can't finish 😦

it's ok
09:46
our expectation is to get one of 2 miscs
09:46
so its fine ig

@Guesslemonger wants to collaborate 🤝
13:43
@jayden wants to collaborate 🤝

I'm trying to install netfilterqueue but I'm getting a shitty error
14:29
k fixed lul

ig my WSL is acting up