Sunday, July 7, 2013

SIGINT CTF: PROtocol

The PROtocol challenge gave an IP address and a port to connect to and no other information. So the first thing to do was whip out nc and try to connect. After connecting, it immediately replied "not tcp." So I added the flag for UDP and the program replied "not udp." So it must be a less common protocol then. I am a regular reader of http://www.reddit.com/r/netsec, and I remembered reading there several days earlier about reverse shells over SCTP, so I ran the command
ncat --sctp 188.40.147.103 1024
The program spat back a rather long string that was mostly hex, with one underscore and a couple of capital letters. From previous challenges, I knew that the keys looked like SIGINT_abcdef, so I determined that the string was the flag, scrambled. But how was it scrambled? I examined the traffic in Wireshark and noticed that the stream sequence numbers were all 0 for the data. It turns out that SCTP data chunks can be sent unordered, in which case the stream sequence number is not used and the receiving side hands the data up in the order it arrives instead of the order it was sent. However, every piece of data DID carry a distinct stream identifier (SID), and the SIDs corresponded to positions within the flag string. It was just a matter of extracting the SIDs without doing it by hand. So I went back to my friend tshark and had some fun.
tshark -i tun0 -R "sctp" -Tfields -e "sctp.data_sid"
After starting this capture, I ran the ncat command again so that I had the data and the SIDs in the same order. Then I just ran them through the Python script below and voila!
'''
PROtocol exploit - suntzu_II
'''

scrambled = '2f0981d9Na071752ecGcfcd4c2I41b998c275a3a61df20fa48c0098b3f22cb3ddedd56c5eac026Td85b1335334S975f9eabdd_dI5a6'
order = '0x0050,0x0019,0x004c,0x0065,0x0059,0x0043,0x0049,0x0008,0x0004,0x0053,0x0055,0x002e,0x001a,0x0057,0x0068,0x0027,0x003b,0x001b,0x0002,0x0054,0x0063,0x0069,0x003e,0x002a,0x0040,0x000b,0x0003,0x0056,0x0009,0x0033,0x0032,0x0041,0x0046,0x0015,0x003f,0x003c,0x004d,0x0029,0x0022,0x0042,0x005f,0x001e,0x005c,0x0021,0x0066,0x005b,0x003d,0x0047,0x0062,0x000c,0x003a,0x005e,0x0031,0x000d,0x0036,0x004a,0x0034,0x0067,0x0026,0x0035,0x0020,0x004e,0x0018,0x0028,0x004f,0x001c,0x0045,0x002b,0x0058,0x0011,0x001f,0x0023,0x005d,0x0024,0x0013,0x0017,0x0039,0x001d,0x0005,0x0014,0x0048,0x002f,0x0025,0x002d,0x0064,0x0060,0x0038,0x0016,0x000a,0x000e,0x0000,0x002c,0x0052,0x0044,0x0010,0x0051,0x0012,0x004b,0x005a,0x0037,0x006a,0x0006,0x0007,0x0001,0x0061,0x000f,0x0030'

# Stream ID (SID) of each received character, in the order tshark printed them,
# which is the same order the characters arrived in.
intsOrder = []
for i in order.split(','):
    index = int(i[2:], 16)   # strip the '0x' prefix and parse as hex
    intsOrder.append(index)

# SID i is the flag position of the character that arrived at index intsOrder.index(i).
unscrambled = ''
for i in range(len(intsOrder)):
    unscrambled += scrambled[intsOrder.index(i)]

print(unscrambled)
The flag was SIGINT_d9132894af6ecdc303f1ce61ccf35ab22da4d9175609b328d52ce7fd2c9a15d8a8dba05bd297ac04758b0de06354f392f5cd.
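To show what Wireshark was displaying, here is an added example (my own code, not part of the original write-up or of the challenge) that builds SCTP DATA chunks with the unordered (U) flag set per RFC 4960 section 3.3.1, parses them back out of a raw chunk stream, and reassembles the payload by stream identifier the same way the script above does. It generalizes the write-up's case slightly: it works from the chunk bytes themselves rather than from tshark output, and it refuses to produce a result when a SID is duplicated or missing, which the write-up's script would silently get wrong. The sender, the message and the shuffle order are all constructed for the example.

```python
import random
import struct

# SCTP DATA chunk header (RFC 4960 section 3.3.1), 16 bytes, network byte order:
# type, flags, length, TSN, stream identifier, stream sequence number, PPID.
HEADER = struct.Struct("!BBHIHHI")
DATA_CHUNK_TYPE = 0
FLAG_U = 0x04  # unordered: receiver ignores the stream sequence number
FLAG_B = 0x02  # beginning fragment of a user message
FLAG_E = 0x01  # ending fragment of a user message


def build_data_chunk(tsn, sid, payload, ssn=0, ppid=0, unordered=True):
    """Build one unfragmented (B and E set) DATA chunk, padded to a 4-byte boundary."""
    flags = FLAG_B | FLAG_E | (FLAG_U if unordered else 0)
    length = HEADER.size + len(payload)  # chunk length excludes the padding
    chunk = HEADER.pack(DATA_CHUNK_TYPE, flags, length, tsn, sid, ssn, ppid) + payload
    return chunk + b"\x00" * (-len(chunk) % 4)


def parse_chunks(data):
    """Yield (flags, tsn, sid, ssn, payload) for every DATA chunk in a chunk stream."""
    offset = 0
    while offset + HEADER.size <= len(data):
        ctype, flags, length, tsn, sid, ssn, ppid = HEADER.unpack_from(data, offset)
        if length < HEADER.size:
            raise ValueError("bad chunk length at offset %d" % offset)
        payload = data[offset + HEADER.size:offset + length]
        if ctype == DATA_CHUNK_TYPE:
            yield flags, tsn, sid, ssn, payload
        offset += length + (-length % 4)  # step over the padding as well


def reassemble_by_sid(chunks):
    """Concatenate payloads in SID order; fail loudly on duplicate or missing SIDs."""
    by_sid = {}
    for flags, tsn, sid, ssn, payload in chunks:
        if sid in by_sid:
            raise ValueError("duplicate SID %d" % sid)
        by_sid[sid] = payload
    if not by_sid:
        return b""
    missing = [s for s in range(max(by_sid) + 1) if s not in by_sid]
    if missing:
        raise ValueError("missing SIDs: %r" % missing)
    return b"".join(by_sid[s] for s in sorted(by_sid))


def scramble(message, seed=1):
    """Constructed sender: one unordered DATA chunk per byte, emitted in shuffled order."""
    rng = random.Random(seed)
    order = list(range(len(message)))
    rng.shuffle(order)
    return b"".join(build_data_chunk(tsn, sid, message[sid:sid + 1])
                    for tsn, sid in enumerate(order))


if __name__ == "__main__":
    # Constructed message standing in for the challenge flag.
    stream = scramble(b"SIGINT_example")
    print([sid for _, _, sid, _, _ in parse_chunks(stream)])  # arrival order of SIDs
    print(reassemble_by_sid(parse_chunks(stream)))            # b'SIGINT_example'
```

Because every chunk carries the U flag and an SSN of 0, a receiver that honoured ordering would have nothing to order by, which is exactly what the all-zero sequence numbers in the capture indicated; the stream identifier is the only field that survives as a position marker, so the reassembly keys on it alone.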

- suntzu_II
