D-CTF 2015: MISC-350 Emotional Roller Coaster

Are you a good listener? Expect us!

This time you’re the target. :-)

Ok, I started tcpdump on my VPN tunnel interface (all CTF gates are available only through openvpn tunnel) and tooked a waiting position.

18:49:16.639534 IP (tos 0x0, ttl 63, id 6960, offset 0, flags [DF], proto UDP (17), length 64)
    10.20.0.1.56581 > 10.20.14.237.53: [udp sum ok] 24723+ MX? dctfu3792.1337.def. (36)
18:49:16.639686 IP (tos 0x0, ttl 64, id 29941, offset 0, flags [none], proto UDP (17), length 92)
    10.20.14.237.53 > 10.20.0.1.56581: [udp sum ok] 24723* q: MX? dctfu3792.1337.def. 1/0/0 dctfu3792.1337.def. MX 10.20.14.237. 10 (64)

Looks like someone is trying to use us as DNS server… Okaay, let’s set our ip as mail server (MX) in dnsmasq:

dnsmasq.conf

mx-host=dctfu3792.1337.def,10.20.14.237,100

Then restart dnsmasq, launch nc on smtp (25) port and get back to tcpdump.
Ta-daaaam:

10.20.0.1.36200 > 10.20.14.237.25: Flags [S], cksum 0x2074 (correct), seq 2422406009, win 29200, options [mss 1369,sackOK,TS val 20805670 ecr 0,nop,wscale 7], length 0
18:50:48.022220 IP (tos 0x0, ttl 64, id 1784, offset 0, flags [DF], proto TCP (6), length 64)

Someone is wanted to communicate us via SMTP. Why not? Simulating “SMTP” protocol manually :)
Legend: S – server, C – client.

S: 220 mail.company.tld ESMTP is glad to see you!
C: EHLO dns
S: 250 domain name should be qualified
C: MAIL FROM:<root@dns.def.camp>
S: 250
C: RCPT TO:<[email protected].def>
S: 250
C: DATA
S: 354 Enter mail, end with "." on a line by itself
C: Received: by dns (Postfix, from userid 0)
		id 9961A4D6F; Sat,  3 Oct 2015 17:50:48 +0200 (CEST)
	Date: Sat, 3 Oct 2015 17:50:48 +0200
	From: MISC 500 <misc500@dctf.def.camp>
	To: [email protected].def
	Subject: Almost there!
	Message-ID: <20151003155048.GA338@dns.def.camp>
	MIME-Version: 1.0
	Content-Type: multipart/mixed; boundary="qMm9M+Fa2AknHoGS"
	Content-Disposition: inline
	User-Agent: Mutt/1.5.21 (2010-09-15)
 
 
	--qMm9M+Fa2AknHoGS
	Content-Type: text/plain; charset=us-ascii
	Content-Disposition: inline
 
	Almost...
 
	--qMm9M+Fa2AknHoGS
	Content-Type: application/vnd.tcpdump.pcap
	Content-Disposition: attachment; filename="ftps.pcap"
	Content-Transfer-Encoding: base64
 
	1MOyoQIABAAAAAAAAAAAAP//AAABAAAAPyMPVt4oCABKAAAASgAAAAAWPu6kewAWPuiCCggA
...

We received ftpfs.pcap file. This is a traffic dump file. I opened it in wireshark and saw that this is a dump of samba dialogue. I exported SMB object (File->Export Objects -> SMB/SMB2).

➜  ls
alien.gif
angel.gif
angry.gif
applause.gif
april.gif
atwitsend.gif
battingeyelashes.gif
...

It’s a zipfile with.. what? emotions… aaa.. “Emotional Roller Coaster” :) I opened random gif and saw the following:

  <tiff:Model>gAAAAAAAAAEAD9QQAAAABzb2wvVVQFAAPdEA9WdXgLAAEE6AMAAAToAwAAUEsBAh4</tiff:Model>

Looks like it’s base64 encoded data. Then I noticed that these gifs have near modification dates. I tried to fetch all exif data from these gifs in order of their modification:

➜  ls -tr | xargs exiftool | grep 'Camera Model Name' | awk '{print $5}' | base64 -D >b.tmp && file b.tmp
b.tmp: Zip archive data, at least v1.0 to extract

➜  unzip b.tmp
Archive:  b.tmp
   creating: sol/
 extracting: sol/flag
  inflating: junk
  inflating: junk (copy)
  inflating: junk (3rd copy)
  inflating: junk (4th copy)
  inflating: junk (5th copy)
  inflating: junk (6th copy)
  inflating: junk (7th copy)
  inflating: junk (8th copy)
  inflating: junk (9th copy)
  inflating: junk (10th copy)
  inflating: junk (11th copy)
  inflating: junk (12th copy)
  inflating: junk (another copy)

➜  cat sol/flag
DCTF{e4045481e906132b24c173c5ee52cd1e}

Gotcha :)
Flag: DCTF{e4045481e906132b24c173c5ee52cd1e}.