Hgame 2023 week3 - Tunnel && Tunnel Revenge Writeup(EN):

There was nothing to do on the third day of the Lunar New Year; I had basically finished the New Year visits and gone back to normal work and study. Hgame 2023 week3 had just started, and it had a misc challenge that a friend told me was very interesting, so I took a look and got first blood. Below is how I solved it.

Tunnel:

Unintended solution

Running strings | grep hgame directly on the capture already gives the flag:

crazyman@ubuntu:~/Desktop$ strings tunnel.pcapng | grep hgame
hgame{ikev1_may_not_safe_aw987rtgh}
hgame{ikev1_may_not_safe_aw987rtgh}
hgame{ikev1_may_not_safe_aw987rtgh}
hgame{ikev1_may_not_safe_aw987rtgh}

flag -> hgame{ikev1_may_not_safe_aw987rtgh}

Tunnel Revenge:

The Revenge version fixes the unintended strings solution.

TFTP:

Opening the capture, we can see a large amount of TFTP traffic.

The transferred TFTP content can be extracted with Wireshark's export objects feature.

This yields a file charon.scap; opening it in Wireshark shows that it is a sysdig event capture.

sysdig:

If you have done a lot of challenges, seeing sysdig should remind you of last year's bytectf challenge -> find_it.

https://bytedance.feishu.cn/docx/doxcnWmtkIItrGokckfo1puBtCh

You can refer to that writeup, and then install sysdig:

https://github.com/annulen/sysdig-wiki/blob/master/How-to-Install-Sysdig-for-Linux.md

The link above describes the installation.

The method I used:

curl -s https://s3.amazonaws.com/download.draios.com/DRAIOS-GPG-KEY.public | sudo apt-key add -  
curl -s -o /etc/apt/sources.list.d/draios.list http://download.draios.com/stable/deb/draios.list
sudo apt-get update
sudo apt-get -y install linux-headers-$(uname -r)
sudo apt-get -y install sysdig

After the installation succeeds, we can use sysdig together with its chisels for the analysis.

crazyman@ubuntu:~/Desktop$ sudo sysdig -cl

Category: Application
---------------------
httplog HTTP requests log
httptop Top HTTP requests
memcachelog memcached requests log

Category: CPU Usage
-------------------
spectrogram Visualize OS latency in real time.
subsecoffset Visualize subsecond offset execution time.
topcontainers_cpu
Top containers by CPU usage
topprocs_cpu Top processes by CPU usage

Category: Errors
----------------
topcontainers_error
Top containers by number of errors
topfiles_errors Top files by number of errors
topprocs_errors top processes by number of errors

Category: I/O
-------------
echo_fds Print the data read and written by processes.
fdbytes_by I/O bytes, aggregated by an arbitrary filter field
fdcount_by FD count, aggregated by an arbitrary filter field
fdtime_by FD time group by
iobytes Sum of I/O bytes on any type of FD
iobytes_file Sum of file I/O bytes
spy_file Echo any read/write made by any process to all files. Optionally, you can provide the name of one file to only intercept reads/writes to that file.
stderr Print stderr of processes
stdin Print stdin of processes
stdout Print stdout of processes
topcontainers_file
Top containers by R+W disk bytes
topfiles_bytes Top files by R+W bytes
topfiles_time Top files by time
topprocs_file Top processes by R+W disk bytes
udp_extract extract data from UDP streams to files.

Category: Logs
--------------
spy_logs Echo any write made by any process to a log file. Optionally, export the events around each log message to file.
spy_syslog Print every message written to syslog. Optionally, export the events around each syslog message to file.

Category: Misc
--------------
around Export to file the events around the time range where the given filter matches.

Category: Net
-------------
iobytes_net Show total network I/O bytes
spy_ip Show the data exchanged with the given IP address
spy_port Show the data exchanged using the given IP port number
topconns Top network connections by total bytes
topcontainers_net
Top containers by network I/O
topports_server Top TCP/UDP server ports by R+W bytes
topprocs_net Top processes by network I/O

Category: Performance
---------------------
bottlenecks Slowest system calls
fileslower Trace slow file I/O
netlower Trace slow network I/0
proc_exec_time Show process execution time
scallslower Trace slow syscalls
topscalls Top system calls by number of calls
topscalls_time Top system calls by time

Category: Security
------------------
list_login_shells
List the login shell IDs
shellshock_detect
print shellshock attacks
spy_users Display interactive user activity

Category: System State
----------------------
lscontainers List the running containers
lsof List (and optionally filter) the open file descriptors.
netstat List (and optionally filter) network connections.
ps List (and optionally filter) the machine processes.

Category: Tracers
-----------------
tracers_2_statsd
Export spans duration as statds metrics.

You can run echo_fds first to see what is in the capture:

sudo sysdig -r charon.scap -A -c echo_fds

The output can be saved to a file for further analysis.

First, we find some command-line history in /root/.zsh_history.

The first two parts of the history are the setup of the environment and the installation of sysdig.

Searching for the file name locates the key places:

------ Read 1.30KB from   /root/.zsh_history (zsh)

y_logs -w 233.scap
: 1674489646:0;systemctl start ipsec
: 1674489657:0;systemctl stop ipsec
: 1674489659:0;nano /etc/ipsec.conf
: 1674489672:0;sysdig -C 100 -W 1 -c spy_logs -w 233.scap
: 1674489696:0;systemctl start ipsec
: 1674489725:0;systemctl stop ipsec
: 1674489793:0;sysdig -C 100 -W 1 -c spy_logs -w 233.scap
: 1674489796:0;systemctl start ipsec
: 1674489814:0;nc -ulvvp 3939
: 1674489894:0;nano /etc/ipsec.conf
: 1674489968:0;systemctl restart ipsec
: 1674489972:0;nc -ulvvp 3939
: 1674490131:0;sysdig -C 100 -W 1 -c spy_logs -w 233.scap
: 1674490142:0;systemctl stop ipsec
: 1674490155:0;sysdig -C 100 -W 1 -c spy_logs -w 233.scap
: 1674490160:0;systemctl start ipsec
: 1674490234:0;mv 233.scap0 ipsec.scap
: 1674490246:0;mv ipsec.scap charon.scap
: 1674490254:0;atftp 192.168.138.128
: 1674490293:0;ip xfrm stat
: 1674490298:0;systemctl stop ipsec
: 1674490456:0;md5sum charon.scap
: 1674490459:0;md5sum charon_asd.scap
: 1674490505:0;sysdig -r charon_asd.scap -c spy_logs > a.txt
: 1674492979:0;ifconfig
: 1674492985:0;ifconfig enp2s1 up
: 1674492988:0;dhclient
: 1674492990:0;ifconfig
: 1674493027:0;systemctl stop ipsec
: 1674493029:0;nano /etc/ipsec.conf
: 1674493072:0;systemctl start ipsec
: 1674493232:0;nc -ulvvp 3939
: 1674493542:0;systemctl stop ipsec
: 1674493562:0;sysdig -C 100 -W 1 -c spy_logs -w 233.scap

The key commands are sysdig -r charon_asd.scap -c spy_logs, nc -ulvvp 3939 and nano /etc/ipsec.conf.

From these we know that the listening port is 3939, that sysdig's spy_logs chisel can be used to extract data, and that there is a file /etc/ipsec.conf. Let's search for that file first:

------ Read 847B from   /etc/ipsec.conf (starter)

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
        # strictcrlpolicy=yes
        # uniqueids = no

# Add connections here.

# Sample VPN connections

#conn sample-self-signed
#      leftsubnet=10.1.0.0/16
#      leftcert=selfCert.der
#      leftsendcert=never
#      right=192.168.0.2
#      rightsubnet=10.2.0.0/16
#      rightcert=peerCert.der
#      auto=start

#conn sample-with-ca-cert
#      leftsubnet=10.1.0.0/16
#      leftcert=myCert.pem
#      right=192.168.0.2
#      rightsubnet=10.2.0.0/16
#      rightid="C=CH, O=Linux strongSwan CN=peer name"
#      auto=start
conn test
        authby=secret
        auto=start
        keyexchange=ikev1
        ike=aes128-sha1-modp1024!
        esp=aes128-sha1!
        left=192.168.138.132
        right=192.168.138.128
        type=transport
        leftprotoport=17/3939
        rightprotoport=17/3939

The relevant part is the last section:

conn test
        authby=secret
        auto=start
        keyexchange=ikev1
        ike=aes128-sha1-modp1024!
        esp=aes128-sha1!
        left=192.168.138.132
        right=192.168.138.128
        type=transport
        leftprotoport=17/3939
        rightprotoport=17/3939

At the same time, we can extract the spy_logs output with the command

sysdig -r charon.scap -c spy_logs

and save it to a file for analysis.

Now we have keyexchange=ikev1 in the configuration and the ISAKMP and ESP protocols in the capture. A search turns up this article:

https://celaldogan2010.medium.com/decrypting-ipsec-protocols-isakmp-and-esp-with-wireshark-d484a5a93991

Reading the blog post, I found that it matches everything we know so far. The challenge uses IPsec (implemented by strongSwan), and /etc/ipsec.conf is strongSwan's connection configuration. Following its configuration we can also find /etc/strongswan.conf, but we cannot find charon.log or /etc/ipsec.secrets.

/etc/strongswan.conf content:

------ Read 369B from   /etc/strongswan.conf (starter)

# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files

charon {
        load_modular = yes
        syslog {
                identifier = charon
                default = 4
                auth {
                        default = 4
                        ike = 4
                }
        }
        plugins {
                include strongswan.d/charon/*.conf
        }
}

However, it is not that useful here; it only ties the threads of the challenge together (syslog logging at level 4 is what puts the key material into auth.log).

Since the IPsec traffic here consists of ISAKMP and ESP, we first decrypt the ISAKMP part.

ISAKMP:

Following Step 4 of the article, Acquiring ICOOKIE (Initiator SPI) and the encryption key from log file (charon.log) for ISAKMP, we first decrypt ISAKMP.

Searching for checkout in the echo_fds output gives the Initiator's COOKIE -> 620270aca82ca7ad

Searching for encryption key in the spy_logs output gives the encryption key -> 99EF15AC696A5CC9442E8A8A54038674

Then, in Wireshark, open Edit - Preferences - Protocols - ISAKMP - IKEv1 Decryption Table

and fill in the Initiator's COOKIE and encryption key found above.

Before importing:

After importing:

The ISAKMP payloads are now parsed successfully.

However, there is still no flag: the ESP traffic has not been decrypted yet, so that is the next step.

ESP:

Following Step 5 of the article, Acquiring authentication, encryption keys and algorithms for ESP, we know that to decrypt ESP we need the SPI, the authentication and encryption keys, and the encryption and integrity algorithms.

The SPI can be read from the traffic: 0xcefea138

Search 0xcefea138 in spy_logs to locate the relevant log:

rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CFG] received proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CFG] configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] CHILD_SA test{1} state change: CREATED => INSTALLING
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] using AES_CBC for encryption
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] using HMAC_SHA1_96 for integrity
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] initiator SA seed => 69 bytes @ 0x7f86fe2faa20
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] 0: 03 47 74 5E 89 A4 B4 A2 68 5F A7 9A B2 56 8D 43 .Gt^....h_...V.C
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] 16: AA 70 32 8A D1 B5 E2 26 C0 63 7A C7 B4 B6 BC DD .p2....&.cz.....
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] 32: 57 65 07 76 08 9E FC B8 5F EE B1 1F D9 A1 62 8D We.v...._.....b.
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] 48: 87 BB FF 75 A0 1A 96 35 42 80 63 99 95 D9 04 27 ...u...5B.c....'
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] 64: 23 FC 0D 58 A0 #..X.
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] responder SA seed => 69 bytes @ 0x7f86fe2fa9d0
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] 0: 03 CE FE A1 38 A4 B4 A2 68 5F A7 9A B2 56 8D 43 ....8...h_...V.C
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] 16: AA 70 32 8A D1 B5 E2 26 C0 63 7A C7 B4 B6 BC DD .p2....&.cz.....
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] 32: 57 65 07 76 08 9E FC B8 5F EE B1 1F D9 A1 62 8D We.v...._.....b.
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] 48: 87 BB FF 75 A0 1A 96 35 42 80 63 99 95 D9 04 27 ...u...5B.c....'
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] 64: 23 FC 0D 58 A0 #..X.
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] encryption initiator key => 16 bytes @ 0x7f86d0002750
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] 0: 86 1C 6A AC 7A C8 CC A9 FD 5A EC 0A 2C 14 0B 77 ..j.z....Z..,..w
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] encryption responder key => 16 bytes @ 0x7f86d0002e20
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] 0: C2 A6 38 0A 10 4C 87 C1 99 93 14 0D A5 97 45 1F ..8..L........E.
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] integrity initiator key => 20 bytes @ 0x7f86d0002d20
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] 0: 20 31 7D CB 96 4A 34 CC 2F 95 52 BD 51 4A 93 EA 1}..J4./.R.QJ..
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] 16: 17 F5 CE 68 ...h
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] integrity responder key => 20 bytes @ 0x7f86d0002e40
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] 0: 37 D1 43 12 55 CC E7 A6 A5 3C 8E 1C 11 3C 3E C0 7.C.U....<...<>.
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] 16: 45 00 72 87 E.r.
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] adding inbound ESP SA
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] SPI 0xcefea138, src 192.168.138.128 dst 192.168.138.132

From the above we know: src IP -> 192.168.138.128, dst IP -> 192.168.138.132, Encryption -> AES_CBC, Authentication -> HMAC_SHA1_96, Encryption Key -> C2A6380A104C87C19993140DA597451F, Authentication Key -> 37D1431255CCE7A6A53C8E1C113C3EC045007287

Enter these in Wireshark under Edit - Preferences - Protocols - ESP

and tick Attempt to detect/decode encrypted ESP payloads.

After importing, you can see that it has been decrypted

and we get the flag -> hgame{ikev1_m4y_n0t_5af3_3kogsr9w5k}

Tip: there are generally only two possible Encryption Key / Authentication Key combinations: 861C6AAC7AC8CCA9FD5AEC0A2C140B77 with 20317DCB964A34CC2F9552BD514A93EA17F5CE68, and C2A6380A104C87C19993140DA597451F with 37D1431255CCE7A6A53C8E1C113C3EC045007287. Try both and you will know which one to choose.