Swamp CTF 2018 Orcish Challenge WriteUp

Hey Guys!!

So I found this challenge a bit tiring. We get a lot of data sent through different protocols (ARP, MDNS, TCP, ICMP etc.) Going through all of them, I found the ICMP packets a bit strange. There were some malformed packets in the capture. Seeing the hex dump of the first 3 packets makes it clear that a GIF image’s characters are present at the 34th byte of the hexdump.

So we got the exploit. All that is needed now is to filter out the ICMP packets which have the source IP

Let us see what those suspicious ICMP packets were:Screenshot from 2018-05-11 17-10-17Screenshot from 2018-05-11 17-10-27Screenshot from 2018-05-11 17-10-41

So if you notice you are able to see GIF as you observe the highlighted spots of the above images. Now here comes the part that I have to automate using scapy. Let us write a script.

from scapy.all import *

r = rdpcap("data.pcap")

list1 = []

for i in range(0, len(r)):
    if ICMP in r[i]:
        if "ICMP" in r[i][ICMP].summary(): #getting the correct packets by filtering w.r.t source IP
        	d = str(r[i])
        	list1.append(d[34]) # 34th byte in every packet has GIF file code
f = open('FLAG.gif', 'w')

And we got a GIF image file which had the flag written inside it.


So that’s how its done. Cheers!!


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Powered by WordPress.com.

Up ↑

Create your website at WordPress.com
Get started
%d bloggers like this: