Swamp CTF 2018 Orcish Challenge WriteUp

Hey Guys!!

So I found this challenge a bit tiring. We get a lot of data sent through different protocols (ARP, MDNS, TCP, ICMP, etc.). Going through all of them, I found the ICMP packets a bit strange. There were some malformed packets in the capture. Looking at the hex dump of the first 3 packets makes it clear that a GIF image’s characters are present at the 34th byte of the hex dump.

So we got the exploit. All that is needed now is to filter out the ICMP packets which have the source IP 10.136.255.127.

Let us see what those suspicious ICMP packets were:

[Screenshots: hex dumps of the three ICMP packets]

If you look at the highlighted spots in the images above, you can see the characters GIF. Now comes the part that I have to automate using scapy. Let us write a script.

[Screenshot: the script]

And we got a GIF image file which had the flag written inside it.
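The extraction described above, as an added example that is not the author's scapy script: it uses only the Python standard library to walk a classic little-endian pcap, keep ICMP frames from 10.136.255.127, and collect one byte per frame. Assumptions: the data byte sits at 0-indexed frame offset 34 (Ethernet header plus a 20-byte IPv4 header), each packet carries a single byte, and the function names and the sample capture are constructed for illustration.

```python
import socket
import struct

SRC_IP = "10.136.255.127"   # source address given in the write-up
OFFSET = 34                 # assumed 0-indexed frame offset of the data byte

def iter_frames(pcap: bytes):
    """Yield raw frames from a classic little-endian pcap file."""
    if pcap[:4] != b"\xd4\xc3\xb2\xa1":
        raise ValueError("not a little-endian classic pcap")
    pos = 24                                    # skip the global header
    while pos + 16 <= len(pcap):
        incl_len = struct.unpack_from("<I", pcap, pos + 8)[0]
        yield pcap[pos + 16 : pos + 16 + incl_len]
        pos += 16 + incl_len

def extract(pcap: bytes, src_ip: str = SRC_IP, offset: int = OFFSET) -> bytes:
    """Collect one byte per ICMP frame sent by src_ip, in capture order."""
    want = socket.inet_aton(src_ip)
    out = bytearray()
    for frame in iter_frames(pcap):
        if len(frame) <= offset or frame[12:14] != b"\x08\x00":
            continue                            # too short or not IPv4
        if frame[23] != 1 or frame[26:30] != want:
            continue                            # not ICMP or wrong source
        out.append(frame[offset])
    return bytes(out)

def sample_pcap(payload: bytes) -> bytes:
    """Constructed capture: one carrier frame per payload byte plus noise."""
    def frame(src: str, proto: int, data: bytes) -> bytes:
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(data), 0, 0, 64,
                         proto, 0, socket.inet_aton(src),
                         socket.inet_aton("10.0.0.1"))
        return b"\x00" * 12 + b"\x08\x00" + ip + data
    frames = []
    for b in payload:
        frames.append(frame("10.0.0.5", 1, b"\x08\x00" + b"\x00" * 6))  # other host's ping
        frames.append(frame(SRC_IP, 17, b"\x00" * 8))                  # UDP, same host
        frames.append(frame(SRC_IP, 1, bytes([b]) + b"\x00" * 7))      # data carrier
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    recs = b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
    return hdr + recs

if __name__ == "__main__":
    data = extract(sample_pcap(b"GIF89a"))
    print(data[:6], data.startswith((b"GIF87a", b"GIF89a")))
```

On a real capture, pass the file's bytes to `extract()` and write the result to a `.gif` file; checking for the `GIF87a`/`GIF89a` signature first confirms the offset and filter are right.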

FLAG

So that’s how it’s done. Cheers!!

 
