Google CTF 2019
Satellite
Placing your ship in range of the Osmiums, you begin to receive signals. Hoping that you are not detected, because it’s too late now, you figure that it may be worth finding out what these signals mean and what information might be “borrowed” from them. Can you hear me Captain Tim? Floating in your tin can there? Your tin can has a wire to ground control? Find something to do that isn’t staring at the Blue Planet.
You can find all my CTF solutions here.
When I downloaded the attachment, I saw 2 files. One of them is README.pdf and the other is an ELF 64-bit LSB executable file.
    ./init_sat
    Hello Operator. Ready to connect to a satellite?
    Enter the name of the satellite to connect to or 'exit' to quit
When init_sat is executed, the program asks for a satellite name. You can find the satellite name in README.pdf:
osmium
    ./init_sat
    Hello Operator. Ready to connect to a satellite?
    Enter the name of the satellite to connect to or 'exit' to quit
    osmium
    Establishing secure connection to osmium satellite...
    Welcome. Enter (a) to display config data, (b) to erase all data or (c) to disconnect
    a
    Username: brewtoot password: ******************** 166.00 IS-19 2019/05/09 00:00:00 Swath 640km Revisit capacity twice daily, anywhere Resolution panchromatic: 30cm multispectral: 1.2m Daily acquisition capacity: 220,000km² Remaining config data written to: https://docs.google.com/document/d/14eYPluD_pi3824GAFanS29tWdTcKxP_XUxx7e303-3E
When I checked the remaining config data at:
https://docs.google.com/document/d/14eYPluD_pi3824GAFanS29tWdTcKxP_XUxx7e303-3E
I saw this text:
VXNlcm5hbWU6IHdpcmVzaGFyay1yb2NrcwpQYXNzd29yZDogc3RhcnQtc25pZmZpbmchCg==
It looks like a hash. I checked the hash type using a hash checker. It is a Base64 string.
When I decode the Base64 string:
    echo VXNlcm5hbWU6IHdpcmVzaGFyay1yb2NrcwpQYXNzd29yZDogc3RhcnQtc25pZmZpbmchCg== | base64 --decode
    Username: wireshark-rocks
    Password: start-sniffing!
This means we have to sniff the program's traffic with Wireshark. But first we must find the server's IP address. We can use strace for that:
    strace -f -e trace=network ./init_sat
    strace: Process 3863 attached
    strace: Process 3864 attached
    strace: Process 3865 attached
    strace: Process 3866 attached
    strace: Process 3867 attached
    Hello Operator. Ready to connect to a satellite?
    Enter the name of the satellite to connect to or 'exit' to quit
    osmium
    Establishing secure connection to osmium satellite...
    [pid 3862] socket(PF_INET, SOCK_DGRAM|SOCK_CLOEXEC|SOCK_NONBLOCK, IPPROTO_IP <unfinished ...>
    [pid 3867] socket(PF_INET, SOCK_DGRAM|SOCK_CLOEXEC|SOCK_NONBLOCK, IPPROTO_IP <unfinished ...>
    [pid 3862] <... socket resumed> ) = 3
    [pid 3867] <... socket resumed> ) = 5
    [pid 3862] setsockopt(3, SOL_SOCKET, SO_BROADCAST, [1], 4 <unfinished ...>
    [pid 3867] setsockopt(5, SOL_SOCKET, SO_BROADCAST, [1], 4 <unfinished ...>
    [pid 3862] <... setsockopt resumed> ) = 0
    [pid 3867] <... setsockopt resumed> ) = 0
    [pid 3862] connect(3, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("127.0.1.1")}, 16 <unfinished ...>
    [pid 3867] connect(5, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("127.0.1.1")}, 16 <unfinished ...>
    [pid 3862] <... connect resumed> ) = 0
    [pid 3867] <... connect resumed> ) = 0
    [pid 3862] getsockname(3, <unfinished ...>
    [pid 3867] getsockname(5, <unfinished ...>
    [pid 3862] <... getsockname resumed> {sa_family=AF_INET, sin_port=htons(54237), sin_addr=inet_addr("127.0.0.1")}, [16]) = 0
    [pid 3867] <... getsockname resumed> {sa_family=AF_INET, sin_port=htons(51848), sin_addr=inet_addr("127.0.0.1")}, [16]) = 0
    [pid 3862] getpeername(3, <unfinished ...>
    [pid 3867] getpeername(5, <unfinished ...>
    [pid 3862] <... getpeername resumed> {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("127.0.1.1")}, [16]) = 0
    [pid 3867] <... getpeername resumed> {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("127.0.1.1")}, [16]) = 0
    strace: Process 3882 attached
    [pid 3862] socket(PF_INET, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, IPPROTO_IP) = 3
    [pid 3862] setsockopt(3, SOL_SOCKET, SO_BROADCAST, [1], 4) = 0
    [pid 3862] connect(3, {sa_family=AF_INET, sin_port=htons(1337), sin_addr=inet_addr("34.76.101.29")}, 16) = -1 EINPROGRESS (Operation now in progress)
    [pid 3882] getsockopt(3, SOL_SOCKET, SO_ERROR, [0], [4]) = 0
    [pid 3882] getpeername(3, {sa_family=AF_INET, sin_port=htons(1337), sin_addr=inet_addr("34.76.101.29")}, [16]) = 0
    [pid 3882] getsockname(3, {sa_family=AF_INET, sin_port=htons(48178), sin_addr=inet_addr("10.1.10.6")}, [16]) = 0
    [pid 3882] setsockopt(3, SOL_TCP, TCP_NODELAY, [1], 4) = 0
    [pid 3882] setsockopt(3, SOL_SOCKET, SO_KEEPALIVE, [1], 4) = 0
    [pid 3882] setsockopt(3, SOL_TCP, TCP_KEEPINTVL, [15], 4) = 0
    [pid 3882] setsockopt(3, SOL_TCP, TCP_KEEPIDLE, [15], 4) = 0
I found:
    [pid 3862] connect(3, {sa_family=AF_INET, sin_port=htons(1337), sin_addr=inet_addr("34.76.101.29")}, 16) = -1 EINPROGRESS (Operation now in progress)
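Picking the server out of a long trace by eye is error-prone, so here is an added example (not part of the original write-up) that extracts the remote endpoints from `strace -e trace=network` output and drops loopback traffic such as the local DNS resolver. The function name `remote_endpoints` and the regular expression are illustrative assumptions; the sample lines are taken from the trace above.

```python
import ipaddress
import re

# Sample input: connect-related lines taken from the strace output above.
SAMPLE_TRACE = """\
[pid 3862] connect(3, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("127.0.1.1")}, 16 <unfinished ...>
[pid 3862] <... connect resumed> ) = 0
[pid 3862] connect(3, {sa_family=AF_INET, sin_port=htons(1337), sin_addr=inet_addr("34.76.101.29")}, 16) = -1 EINPROGRESS (Operation now in progress)
[pid 3882] getpeername(3, {sa_family=AF_INET, sin_port=htons(1337), sin_addr=inet_addr("34.76.101.29")}, [16]) = 0
"""

# Matches the start of an IPv4 connect() line, with or without the "[pid N]"
# prefix that strace -f adds. The return value is deliberately not matched:
# a non-blocking connect reports EINPROGRESS and an interrupted one ends in
# "<unfinished ...>", yet both already carry the destination address.
CONNECT_RE = re.compile(
    r'^(?:\[pid\s+(?P<pid>\d+)\]\s+)?connect\((?P<fd>\d+), '
    r'\{sa_family=AF_INET, sin_port=htons\((?P<port>\d+)\), '
    r'sin_addr=inet_addr\("(?P<addr>[^"]+)"\)\}'
)


def remote_endpoints(trace, include_local=False):
    """Return unique (address, port) pairs from connect() calls, in order seen."""
    seen = []
    for line in trace.splitlines():
        m = CONNECT_RE.match(line.strip())
        if not m:
            continue  # other syscalls, "<... resumed>" lines, program output
        try:
            ip = ipaddress.ip_address(m["addr"])
        except ValueError:
            continue  # malformed address: skip rather than guess
        if ip.is_loopback and not include_local:
            continue  # e.g. the DNS stub resolver on 127.0.1.1:53
        endpoint = (str(ip), int(m["port"]))
        if endpoint not in seen:
            seen.append(endpoint)
    return seen


if __name__ == "__main__":
    for addr, port in remote_endpoints(SAMPLE_TRACE):
        print(f"{addr}:{port}")
```
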
So we can capture the traffic to this address with Wireshark.
You can see the password: CTF{4efcc72090af28fd33a2118985541f92e793477f}
Flag: CTF{4efcc72090af28fd33a2118985541f92e793477f}
Second Way:
You can also use a disassembler to find the address of the server. In this case, I will use Binary Ninja.
You can see the address: satellite.ctfcompetition.com:1337
    netcat satellite.ctfcompetition.com 1337
    Welcome. Enter (a) to display config data, (b) to erase all data or (c) to disconnect
    a
    Username: brewtoot password: CTF{4efcc72090af28fd33a2118985541f92e793477f} 166.00 IS-19 2019/05/09 00:00:00 Swath 640km Revisit capacity twice daily, anywhere Resolution panchromatic: 30cm multispectral: 1.2m Daily acquisition capacity: 220,000km² Remaining config data written to: https://docs.google.com/document/d/14eYPluD_pi3824GAFanS29tWdTcKxP_XUxx7e303-3E
Flag: CTF{4efcc72090af28fd33a2118985541f92e793477f}