Satellite | Google CTF 2019

Posted on June 29, 2019 by Yılmaz Cemalettin

Google CTF 2019

Satellite

Placing your ship in range of the Osmiums, you begin to receive signals. Hoping that you are not detected, because it’s too late now, you figure that it may be worth finding out what these signals mean and what information might be “borrowed” from them. Can you hear me Captain Tim? Floating in your tin can there? Your tin can has a wire to ground control? Find something to do that isn’t staring at the Blue Planet.

You can find all my CTF solutions here.

When I downloaded the attachment, I found two files: README.pdf and an ELF 64-bit LSB executable, init_sat.

./init_sat
Hello Operator. Ready to connect to a satellite?
Enter the name of the satellite to connect to or 'exit' to quit

When init_sat is executed, it asks for a satellite name. You can find the satellite name in README.pdf:

osmium

./init_sat
Hello Operator. Ready to connect to a satellite?
Enter the name of the satellite to connect to or 'exit' to quit
osmium
Establishing secure connection to osmium
satellite...
Welcome. Enter (a) to display config data, (b) to erase all data or (c) to disconnect
 
a
Username: brewtoot password: ********************
166.00 IS-19 2019/05/09 00:00:00
Swath 640km
Revisit capacity twice daily,
anywhere Resolution panchromatic: 30cm multispectral: 1.2m
Daily acquisition capacity: 220,000km²
Remaining config data written to:
https://docs.google.com/document/d/14eYPluD_pi3824GAFanS29tWdTcKxP_XUxx7e303-3E

I then checked the remaining config data at:

https://docs.google.com/document/d/14eYPluD_pi3824GAFanS29tWdTcKxP_XUxx7e303-3E

The document contains this text:

VXNlcm5hbWU6IHdpcmVzaGFyay1yb2NrcwpQYXNzd29yZDogc3RhcnQtc25pZmZpbmchCg==

It looks like a hash, so I checked its type with a hash checker: it is a Base64 string. Base64 is an encoding rather than a hash, so it can simply be decoded.

Decoding the Base64 string:

echo VXNlcm5hbWU6IHdpcmVzaGFyay1yb2NrcwpQYXNzd29yZDogc3RhcnQtc25pZmZpbmchCg== | base64 --decode
Username: wireshark-rocks
Password: start-sniffing!

This means we need to sniff the program's traffic with Wireshark. First, though, we need the server's IP address. We can use strace for that:

strace -f -e trace=network ./init_sat
strace: Process 3863 attached
strace: Process 3864 attached
strace: Process 3865 attached
strace: Process 3866 attached
strace: Process 3867 attached
Hello Operator. Ready to connect to a satellite?
Enter the name of the satellite to connect to or 'exit' to quit
osmium
Establishing secure connection to osmium
satellite...
[pid  3862] socket(PF_INET, SOCK_DGRAM|SOCK_CLOEXEC|SOCK_NONBLOCK, IPPROTO_IP <unfinished ...>
[pid  3867] socket(PF_INET, SOCK_DGRAM|SOCK_CLOEXEC|SOCK_NONBLOCK, IPPROTO_IP <unfinished ...>
[pid  3862] <... socket resumed> )      = 3
[pid  3867] <... socket resumed> )      = 5
[pid  3862] setsockopt(3, SOL_SOCKET, SO_BROADCAST, [1], 4 <unfinished ...>
[pid  3867] setsockopt(5, SOL_SOCKET, SO_BROADCAST, [1], 4 <unfinished ...>
[pid  3862] <... setsockopt resumed> )  = 0
[pid  3867] <... setsockopt resumed> )  = 0
[pid  3862] connect(3, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("127.0.1.1")}, 16 <unfinished ...>
[pid  3867] connect(5, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("127.0.1.1")}, 16 <unfinished ...>
[pid  3862] <... connect resumed> )     = 0
[pid  3867] <... connect resumed> )     = 0
[pid  3862] getsockname(3,  <unfinished ...>
[pid  3867] getsockname(5,  <unfinished ...>
[pid  3862] <... getsockname resumed> {sa_family=AF_INET, sin_port=htons(54237), sin_addr=inet_addr("127.0.0.1")}, [16]) = 0
[pid  3867] <... getsockname resumed> {sa_family=AF_INET, sin_port=htons(51848), sin_addr=inet_addr("127.0.0.1")}, [16]) = 0
[pid  3862] getpeername(3,  <unfinished ...>
[pid  3867] getpeername(5,  <unfinished ...>
[pid  3862] <... getpeername resumed> {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("127.0.1.1")}, [16]) = 0
[pid  3867] <... getpeername resumed> {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("127.0.1.1")}, [16]) = 0
strace: Process 3882 attached
[pid  3862] socket(PF_INET, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, IPPROTO_IP) = 3
[pid  3862] setsockopt(3, SOL_SOCKET, SO_BROADCAST, [1], 4) = 0
[pid  3862] connect(3, {sa_family=AF_INET, sin_port=htons(1337), sin_addr=inet_addr("34.76.101.29")}, 16) = -1 EINPROGRESS (Operation now in progress)
[pid  3882] getsockopt(3, SOL_SOCKET, SO_ERROR, [0], [4]) = 0
[pid  3882] getpeername(3, {sa_family=AF_INET, sin_port=htons(1337), sin_addr=inet_addr("34.76.101.29")}, [16]) = 0
[pid  3882] getsockname(3, {sa_family=AF_INET, sin_port=htons(48178), sin_addr=inet_addr("10.1.10.6")}, [16]) = 0
[pid  3882] setsockopt(3, SOL_TCP, TCP_NODELAY, [1], 4) = 0
[pid  3882] setsockopt(3, SOL_SOCKET, SO_KEEPALIVE, [1], 4) = 0
[pid  3882] setsockopt(3, SOL_TCP, TCP_KEEPINTVL, [15], 4) = 0
[pid  3882] setsockopt(3, SOL_TCP, TCP_KEEPIDLE, [15], 4) = 0

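I found this line:

[pid 3862] connect(3, {sa_family=AF_INET, sin_port=htons(1337), sin_addr=inet_addr("34.76.101.29")}, 16) = -1 EINPROGRESS (Operation now in progress)

The program opens a TCP connection to 34.76.101.29 on port 1337. The earlier connect() calls to 127.0.1.1 on port 53 are only DNS lookups against the local resolver.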
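An added example (not part of the original post): a small Python parser that pulls the connect() destinations out of `strace -f -e trace=network` output and pairs each with its socket type, so the UDP lookups to the local resolver are separated from the real TCP endpoint. The function names are hypothetical, and it assumes the `[pid N]` line format shown in the trace above.

```python
import ipaddress
import re

# Socket/connect lines copied from the strace output above.
SAMPLE = r'''
[pid  3862] socket(PF_INET, SOCK_DGRAM|SOCK_CLOEXEC|SOCK_NONBLOCK, IPPROTO_IP <unfinished ...>
[pid  3867] socket(PF_INET, SOCK_DGRAM|SOCK_CLOEXEC|SOCK_NONBLOCK, IPPROTO_IP <unfinished ...>
[pid  3862] <... socket resumed> )      = 3
[pid  3867] <... socket resumed> )      = 5
[pid  3862] connect(3, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("127.0.1.1")}, 16 <unfinished ...>
[pid  3867] connect(5, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("127.0.1.1")}, 16 <unfinished ...>
[pid  3862] socket(PF_INET, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, IPPROTO_IP) = 3
[pid  3862] connect(3, {sa_family=AF_INET, sin_port=htons(1337), sin_addr=inet_addr("34.76.101.29")}, 16) = -1 EINPROGRESS (Operation now in progress)
'''

PID = r'\[pid\s+(\d+)\]\s+'  # prefix that strace -f puts on each line
SOCK_CALL = re.compile(PID + r'socket\(\w+, SOCK_(STREAM|DGRAM)[^)]*?'
                       r'(?:\)\s+=\s+(\d+)|<unfinished)')
SOCK_DONE = re.compile(PID + r'<\.\.\. socket resumed>\s*\)\s+=\s+(\d+)')
CONNECT = re.compile(PID + r'connect\((\d+), \{sa_family=AF_INET, '
                     r'sin_port=htons\((\d+)\), sin_addr=inet_addr\("([\d.]+)"\)\}')

def connect_targets(trace):
    """Return unique (proto, ip, port, is_loopback) tuples in call order."""
    pending = {}  # pid -> socket type of a socket() call split across lines
    fd_type = {}  # fd -> "STREAM"/"DGRAM" (threads share one fd table)
    seen = []
    for line in trace.splitlines():
        if m := SOCK_CALL.search(line):
            pid, kind, fd = m.groups()
            if fd is None:
                pending[pid] = kind       # result arrives on a "resumed" line
            else:
                fd_type[fd] = kind
        elif m := SOCK_DONE.search(line):
            pid, fd = m.groups()
            if pid in pending:
                fd_type[fd] = pending.pop(pid)
        elif m := CONNECT.search(line):
            _pid, fd, port, ip = m.groups()
            proto = {"STREAM": "tcp", "DGRAM": "udp"}.get(fd_type.get(fd), "?")
            entry = (proto, ip, int(port), ipaddress.ip_address(ip).is_loopback)
            if entry not in seen:
                seen.append(entry)
    return seen

def remote_targets(trace):
    """Drop loopback destinations (here: the local DNS resolver)."""
    return [(p, ip, port) for p, ip, port, lo in connect_targets(trace) if not lo]
```
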

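Now we can capture the traffic to that address with Wireshark.

In the capture you can see the password: CTF{4efcc72090af28fd33a2118985541f92e793477f}

The client only masks the password with asterisks on screen; the server sends it over the connection unencrypted, despite the "secure connection" message.

Flag: CTF{4efcc72090af28fd33a2118985541f92e793477f}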

Second Way:

You can also use a disassembler to find the address of the server. In this case, I will use Binary Ninja.

You can see the address: satellite.ctfcompetition.com:1337

netcat satellite.ctfcompetition.com 1337
Welcome. Enter (a) to display config data, (b) to erase all data or (c) to disconnect
 
a
Username: brewtoot password: CTF{4efcc72090af28fd33a2118985541f92e793477f} 166.00 IS-19 2019/05/09 00:00:00 Swath 640km Revisit capacity twice daily, anywhere Resolution panchromatic: 30cm multispectral: 1.2m Daily acquisition capacity: 220,000km² Remaining config data written to: https://docs.google.com/document/d/14eYPluD_pi3824GAFanS29tWdTcKxP_XUxx7e303-3E

Flag: CTF{4efcc72090af28fd33a2118985541f92e793477f}
