Hgame 2023 week3 - Tunnel && Tunnel Revenge Writeup(CN): On the third day of the Lunar New Year there was not much to do; the visits were mostly done and normal work and study resumed. Hgame 2023 week3 happened to open, with one misc challenge. A friend told me it was quite interesting, so I took a look and got first blood. The solution follows.
Tunnel: There is an unintended solution.
A plain strings | grep hgame gets it:
```
crazyman@ubuntu:~/Desktop$ strings tunnel.pcapng | grep hgame
hgame{ikev1_may_not_safe_aw987rtgh}
hgame{ikev1_may_not_safe_aw987rtgh}
hgame{ikev1_may_not_safe_aw987rtgh}
hgame{ikev1_may_not_safe_aw987rtgh}
```
Flag -> hgame{ikev1_may_not_safe_aw987rtgh}
Tunnel Revenge: The Revenge version patched the unintended strings solution.
TFTP: Opening the capture, we can see a large amount of TFTP traffic.
The TFTP contents can be extracted with Export Objects.
This yields a charon.scap file; opening it in Wireshark shows that it is a sysdig Event capture.
sysdig: Seeing sysdig, anyone who has done a lot of challenges may recall find_it from last year's ByteCTF:
https://bytedance.feishu.cn/docx/doxcnWmtkIItrGokckfo1puBtCh
You can refer to that writeup, then install sysdig. See the following link for installation:
https://github.com/annulen/sysdig-wiki/blob/master/How-to-Install-Sysdig-for-Linux.md
The method I used:
```
curl -s https://s3.amazonaws.com/download.draios.com/DRAIOS-GPG-KEY.public | sudo apt-key add -
curl -s -o /etc/apt/sources.list.d/draios.list http://download.draios.com/stable/deb/draios.list
sudo apt-get update
sudo apt-get -y install linux-headers-$(uname -r)
sudo apt-get -y install sysdig
```
After installation we can use chisels for the analysis:
```
crazyman@ubuntu:~/Desktop$ sudo sysdig -cl

Category: Application
---------------------
httplog             HTTP requests log
httptop             Top HTTP requests
memcachelog         memcached requests log

Category: CPU Usage
-------------------
spectrogram         Visualize OS latency in real time.
subsecoffset        Visualize subsecond offset execution time.
topcontainers_cpu   Top containers by CPU usage
topprocs_cpu        Top processes by CPU usage

Category: Errors
----------------
topcontainers_error Top containers by number of errors
topfiles_errors     Top files by number of errors
topprocs_errors     top processes by number of errors

Category: I/O
-------------
echo_fds            Print the data read and written by processes.
fdbytes_by          I/O bytes, aggregated by an arbitrary filter field
fdcount_by          FD count, aggregated by an arbitrary filter field
fdtime_by           FD time group by
iobytes             Sum of I/O bytes on any type of FD
iobytes_file        Sum of file I/O bytes
spy_file            Echo any read/write made by any process to all files. Optionally, you can provide the name of one file to only intercept reads/writes to that file.
stderr              Print stderr of processes
stdin               Print stdin of processes
stdout              Print stdout of processes
topcontainers_file  Top containers by R+W disk bytes
topfiles_bytes      Top files by R+W bytes
topfiles_time       Top files by time
topprocs_file       Top processes by R+W disk bytes
udp_extract         extract data from UDP streams to files.

Category: Logs
--------------
spy_logs            Echo any write made by any process to a log file. Optionally, export the events around each log message to file.
spy_syslog          Print every message written to syslog. Optionally, export the events around each syslog message to file.

Category: Misc
--------------
around              Export to file the events around the time range where the given filter matches.

Category: Net
-------------
iobytes_net         Show total network I/O bytes
spy_ip              Show the data exchanged with the given IP address
spy_port            Show the data exchanged using the given IP port number
topconns            Top network connections by total bytes
topcontainers_net   Top containers by network I/O
topports_server     Top TCP/UDP server ports by R+W bytes
topprocs_net        Top processes by network I/O

Category: Performance
---------------------
bottlenecks         Slowest system calls
fileslower          Trace slow file I/O
netlower            Trace slow network I/0
proc_exec_time      Show process execution time
scallslower         Trace slow syscalls
topscalls           Top system calls by number of calls
topscalls_time      Top system calls by time

Category: Security
------------------
list_login_shells   List the login shell IDs
shellshock_detect   print shellshock attacks
spy_users           Display interactive user activity

Category: System State
----------------------
lscontainers        List the running containers
lsof                List (and optionally filter) the open file descriptors.
netstat             List (and optionally filter) network connections.
ps                  List (and optionally filter) the machine processes.

Category: Tracers
-----------------
tracers_2_statsd    Export spans duration as statds metrics.
```
We can start by dumping echo_fds to see what is there:
```
sudo sysdig -r charon.scap -A -c echo_fds
```
The output can be saved to a file and analysed from there.
First we find some shell history, /root/.zsh_history.
Its first and second parts are environment setup and the sysdig installation.
Searching for file names locates the more important parts:
```
------ Read 1.30KB from /root/.zsh_history (zsh)
y_logs -w 233.scap
: 1674489646:0;systemctl start ipsec
: 1674489657:0;systemctl stop ipsec
: 1674489659:0;nano /etc/ipsec.conf
: 1674489672:0;sysdig -C 100 -W 1 -c spy_logs -w 233.scap
: 1674489696:0;systemctl start ipsec
: 1674489725:0;systemctl stop ipsec
: 1674489793:0;sysdig -C 100 -W 1 -c spy_logs -w 233.scap
: 1674489796:0;systemctl start ipsec
: 1674489814:0;nc -ulvvp 3939
: 1674489894:0;nano /etc/ipsec.conf
: 1674489968:0;systemctl restart ipsec
: 1674489972:0;nc -ulvvp 3939
: 1674490131:0;sysdig -C 100 -W 1 -c spy_logs -w 233.scap
: 1674490142:0;systemctl stop ipsec
: 1674490155:0;sysdig -C 100 -W 1 -c spy_logs -w 233.scap
: 1674490160:0;systemctl start ipsec
: 1674490234:0;mv 233.scap0 ipsec.scap
: 1674490246:0;mv ipsec.scap charon.scap
: 1674490254:0;atftp 192.168.138.128
: 1674490293:0;ip xfrm stat
: 1674490298:0;systemctl stop ipsec
: 1674490456:0;md5sum charon.scap
: 1674490459:0;md5sum charon_asd.scap
: 1674490505:0;sysdig -r charon_asd.scap -c spy_logs > a.txt
: 1674492979:0;ifconfig
: 1674492985:0;ifconfig enp2s1 up
: 1674492988:0;dhclient
: 1674492990:0;ifconfig
: 1674493027:0;systemctl stop ipsec
: 1674493029:0;nano /etc/ipsec.conf
: 1674493072:0;systemctl start ipsec
: 1674493232:0;nc -ulvvp 3939
: 1674493542:0;systemctl stop ipsec
: 1674493562:0;sysdig -C 100 -W 1 -c spy_logs -w 233.scap
```
The key pieces of information are sysdig -r charon_asd.scap -c spy_logs, nc -ulvvp 3939 and nano /etc/ipsec.conf.
From these we learn that the receiving port is 3939, that sysdig's spy_logs chisel can be used to pull out the data, and that there is a file ipsec.conf. Let's search for that file first.
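The history recovered above is zsh's EXTENDED_HISTORY format: each entry is `: <epoch>:<duration>;<command>`, and echo_fds can cut the first line of a read mid-entry, as the `y_logs -w 233.scap` fragment shows. The script below is an added example, not part of the writeup: it parses that format into a UTC timeline, keeps unparsable fragments instead of dropping them, and tags the entries that matter for this kind of triage (config edits, listeners, captures, file transfers). HISTORY_DUMP is an excerpt of the lines shown above; the tagging rules in INTERESTING are my own choice and would be tuned per case.

```python
import re
from datetime import datetime, timezone

# Excerpt of the /root/.zsh_history dump recovered above (zsh EXTENDED_HISTORY:
# ": <epoch>:<duration>;<command>"); the first line is the cut-off fragment
# exactly as echo_fds printed it.
HISTORY_DUMP = """\
y_logs -w 233.scap
: 1674489659:0;nano /etc/ipsec.conf
: 1674489672:0;sysdig -C 100 -W 1 -c spy_logs -w 233.scap
: 1674489796:0;systemctl start ipsec
: 1674489814:0;nc -ulvvp 3939
: 1674490246:0;mv ipsec.scap charon.scap
: 1674490254:0;atftp 192.168.138.128
: 1674490505:0;sysdig -r charon_asd.scap -c spy_logs > a.txt
"""

ENTRY_RE = re.compile(r"^: (?P<ts>\d+):(?P<dur>\d+);(?P<cmd>.*)$")

# Triage rules (hypothetical, chosen to match the pivots used in this writeup):
# edits of the IPsec config, listening sockets, sysdig captures, file transfers.
INTERESTING = {
    "config_edit": re.compile(r"\b(nano|vi|vim)\s+/etc/(ipsec|strongswan)"),
    "listener": re.compile(r"\bnc\b.*-[a-z]*l"),
    "capture": re.compile(r"\bsysdig\b.*-w\s+\S+"),
    "transfer": re.compile(r"\b(atftp|tftp|scp)\b"),
}


def parse_history(text):
    """Return ([(utc datetime, duration, command)], [unparsed lines]).

    Non-matching non-empty lines (truncated fragments) are returned separately
    so that nothing the dump contained is silently lost."""
    entries, fragments = [], []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            if line.strip():
                fragments.append(line)
            continue
        ts = datetime.fromtimestamp(int(m["ts"]), tz=timezone.utc)
        entries.append((ts, int(m["dur"]), m["cmd"]))
    return entries, fragments


def classify(entries):
    """Tag each entry with every triage category whose pattern matches."""
    return [(ts, cmd, [name for name, rx in INTERESTING.items() if rx.search(cmd)])
            for ts, _, cmd in entries]


def listener_ports(entries):
    """Ports opened with nc -l..., as a sorted list of ints."""
    ports = set()
    for _, _, cmd in entries:
        if INTERESTING["listener"].search(cmd):
            m = re.search(r"-[a-z]*p\s*(\d+)", cmd)
            if m:
                ports.add(int(m.group(1)))
    return sorted(ports)


if __name__ == "__main__":
    entries, fragments = parse_history(HISTORY_DUMP)
    for ts, cmd, tags in classify(entries):
        print(f"{ts:%Y-%m-%d %H:%M:%S}Z  {cmd:<50} {','.join(tags)}")
    print("listener ports:", listener_ports(entries))
    print("unparsed fragments:", fragments)
```

The epoch values are worth converting rather than eyeballing: the last two history entries (1674493542 and 1674493562) fall at 17:05 and 17:06 UTC on Jan 23, which is 01:05 and 01:06 on Jan 24 at UTC+8, the same minute stamped on the charon lines quoted from auth.log further down, so the shell history and the syslog lines can be lined up once the host's timezone offset is applied.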
```
------ Read 847B from /etc/ipsec.conf (starter)
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
        # strictcrlpolicy=yes
        # uniqueids = no

# Add connections here.

# Sample VPN connections

#conn sample-self-signed
#      leftsubnet=10.1.0.0/16
#      leftcert=selfCert.der
#      leftsendcert=never
#      right=192.168.0.2
#      rightsubnet=10.2.0.0/16
#      rightcert=peerCert.der
#      auto=start

#conn sample-with-ca-cert
#      leftsubnet=10.1.0.0/16
#      leftcert=myCert.pem
#      right=192.168.0.2
#      rightsubnet=10.2.0.0/16
#      rightid="C=CH, O=Linux strongSwan CN=peer name"
#      auto=start

conn test
        authby=secret
        auto=start
        keyexchange=ikev1
        ike=aes128-sha1-modp1024!
        esp=aes128-sha1!
        left=192.168.138.132
        right=192.168.138.128
        type=transport
        leftprotoport=17/3939
        rightprotoport=17/3939
```
The last part is the interesting one:
```
conn test
        authby=secret
        auto=start
        keyexchange=ikev1
        ike=aes128-sha1-modp1024!
        esp=aes128-sha1!
        left=192.168.138.132
        right=192.168.138.128
        type=transport
        leftprotoport=17/3939
        rightprotoport=17/3939
```
We can also extract the log writes with the spy_logs chisel:
```
sysdig -r charon.scap -c spy_logs
```
and save the output to a file for analysis.
We then see keyexchange=ikev1 in the config, and the ISAKMP and ESP protocols in the capture; searching for these turns up this article: https://celaldogan2010.medium.com/decrypting-ipsec-protocols-isakmp-and-esp-with-wireshark-d484a5a93991
Reading the post shows that it matches everything we know so far: the challenge uses IPsec (implemented with strongSwan), /etc/ipsec.conf is strongSwan's connection configuration, and following that configuration we also find /etc/strongswan.conf, but charon.log and /etc/ipsec.secrets are nowhere to be found.
Contents of /etc/strongswan.conf:
```
------ Read 369B from /etc/strongswan.conf (starter)
# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files

charon {
        load_modular = yes
        syslog {
                identifier = charon
                default = 4
                auth {
                        default = 4
                        ike = 4
                }
        }
        plugins {
                include strongswan.d/charon/*.conf
        }
}
```
It is not of much use for solving, though; it only ties the challenge's path together.
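For a defender the file is the root cause rather than a side note: strongSwan's syslog level 4 is documented as including sensitive material such as keys in its dumps (level 3 adds raw hex dumps, level 1 is generic control flow with errors, the usual production setting), and the `default = 4` / `ike = 4` lines here are what wrote the IKE and ESP keys into /var/log/auth.log, where spy_logs could recover them. The fragment below is an added example, not the challenge's file: the same strongswan.conf with logging brought back to a production level, with the original values kept as comments for comparison.

```conf
# strongswan.conf (added example, not the challenge host's file).
# Log level semantics: 1 = control flow and errors, 2 = detailed control flow,
# 3 = raw hex dumps, 4 = sensitive material (keys, passwords) in the dumps.
charon {
    load_modular = yes
    syslog {
        identifier = charon
        # default = 4          # challenge host: every derived key is logged
        default = 1
        auth {
            # default = 4      # challenge host
            # ike = 4          # challenge host
            default = 1
            ike = 1            # raise to 4 only on a lab box while you
                               # deliberately need keys for Wireshark
        }
    }
    plugins {
        include strongswan.d/charon/*.conf
    }
}
```

Changing the file needs a `systemctl restart ipsec` (or `ipsec reload` for the charon logging settings) to take effect, and any auth.log that was written while level 4 was active still contains the key material and should be treated as such.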
Since the IPsec traffic consists of ISAKMP and ESP, we decrypt the ISAKMP part first.
ISAKMP: Following the article's Step 4, Acquiring ICOOKIE (Initiator SPI) and the encryption key from log file (charon.log) for ISAKMP, we decrypt ISAKMP first.
Search for checkout in the echo_fds output to get the Initiator's COOKIE -> 620270aca82ca7ad
Search for encryption key in the spy_logs output to get the Encryption key -> 99EF15AC696A5CC9442E8A8A54038674
Then in Wireshark go to Edit - Preferences - Protocols - ISAKMP - IKEv1 Decryption Table and enter the Initiator's COOKIE and Encryption key from above.
Before entering them:
After entering them:
The ISAKMP payloads now decode successfully.
There is still no flag, though, because ESP has not been decrypted yet, so decrypting ESP is the next step.
ESP: Following the article's Step 5, Acquiring authentication, encryption keys and algorithms for ESP, we know that decrypting ESP requires the SPI, the authentication and encryption keys, and the encryption and authentication algorithms.
The SPI can be read from the traffic: 0xcefea138.
Searching for 0xcefea138 in the spy_logs output locates the relevant log lines:
```
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CFG] received proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CFG] configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] CHILD_SA test{1} state change: CREATED => INSTALLING
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] using AES_CBC for encryption
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] using HMAC_SHA1_96 for integrity
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] initiator SA seed => 69 bytes @ 0x7f86fe2faa20
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] 0: 03 47 74 5E 89 A4 B4 A2 68 5F A7 9A B2 56 8D 43 .Gt^....h_...V.C
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] 16: AA 70 32 8A D1 B5 E2 26 C0 63 7A C7 B4 B6 BC DD .p2....&.cz.....
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] 32: 57 65 07 76 08 9E FC B8 5F EE B1 1F D9 A1 62 8D We.v...._.....b.
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] 48: 87 BB FF 75 A0 1A 96 35 42 80 63 99 95 D9 04 27 ...u...5B.c....'
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] 64: 23 FC 0D 58 A0 #..X.
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] responder SA seed => 69 bytes @ 0x7f86fe2fa9d0
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] 0: 03 CE FE A1 38 A4 B4 A2 68 5F A7 9A B2 56 8D 43 ....8...h_...V.C
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] 16: AA 70 32 8A D1 B5 E2 26 C0 63 7A C7 B4 B6 BC DD .p2....&.cz.....
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] 32: 57 65 07 76 08 9E FC B8 5F EE B1 1F D9 A1 62 8D We.v...._.....b.
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] 48: 87 BB FF 75 A0 1A 96 35 42 80 63 99 95 D9 04 27 ...u...5B.c....'
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] 64: 23 FC 0D 58 A0 #..X.
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] encryption initiator key => 16 bytes @ 0x7f86d0002750
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] 0: 86 1C 6A AC 7A C8 CC A9 FD 5A EC 0A 2C 14 0B 77 ..j.z....Z..,..w
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] encryption responder key => 16 bytes @ 0x7f86d0002e20
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] 0: C2 A6 38 0A 10 4C 87 C1 99 93 14 0D A5 97 45 1F ..8..L........E.
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] integrity initiator key => 20 bytes @ 0x7f86d0002d20
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] 0: 20 31 7D CB 96 4A 34 CC 2F 95 52 BD 51 4A 93 EA  1}..J4./.R.QJ..
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] 16: 17 F5 CE 68 ...h
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] integrity responder key => 20 bytes @ 0x7f86d0002e40
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] 0: 37 D1 43 12 55 CC E7 A6 A5 3C 8E 1C 11 3C 3E C0 7.C.U....<...<>.
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] 16: 45 00 72 87 E.r.
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] adding inbound ESP SA
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] SPI 0xcefea138, src 192.168.138.128 dst 192.168.138.132
```
From the above, after some reading, we know:
src ip -> 192.168.138.128
dst ip -> 192.168.138.132
Encryption -> AES_CBC
Authentication -> HMAC_SHA1_96
Encryption Key -> C2A6380A104C87C19993140DA597451F
Authentication Key -> 37D1431255CCE7A6A53C8E1C113C3EC045007287
Enter these in Wireshark under Edit - Preferences - Protocols - ESP and tick Attempt to detect/decode encrypted ESP payloads.
After that the ESP payload is shown decrypted.
Flag -> hgame{ikev1_m4y_n0t_5af3_3kogsr9w5k}
Tip: for the Encryption Key and Authentication Key there are generally only two combinations, 861C6AAC7AC8CCA9FD5AEC0A2C140B77 with 20317DCB964A34CC2F9552BD514A93EA17F5CE68, and C2A6380A104C87C19993140DA597451F with 37D1431255CCE7A6A53C8E1C113C3EC045007287; try both and you will know which one to use.
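The ESP step and the tip above can be done without guessing, because the log already says which key pair belongs to which SPI. IKEv1 quick mode derives KEYMAT = prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b) (RFC 2409, section 5.5), and strongSwan's "SA seed" dump is exactly that input: 69 bytes = 1 (protocol 03, ESP) + 4 (SPI) + 32 + 32 (the two nonces), which is why the two seeds above differ only in bytes 1..4 and the responder seed starts 03 CE FE A1 38. So the keys derived from the responder seed are the ones for SPI 0xcefea138. The script below is an added example, not part of the writeup: it parses the charon hex dumps out of the auth.log lines, pairs each (encryption, integrity) key pair with the SPI taken from its seed, and renders the result in the column order of Wireshark's esp_sa table. CHARON_LOG is copied from the excerpt quoted above with the two seed dumps cut to their first 16 bytes; the Wireshark column order and the `*` wildcard for addresses are assumptions to check against the ESP preferences dialog of the version in use.

```python
import re

# Lines copied from the auth.log excerpt quoted above (the writeup's data); the
# two "SA seed" dumps are cut to their first 16 bytes since only bytes 1..4
# (the SPI) are needed here.
CHARON_LOG = """\
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] using AES_CBC for encryption
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] using HMAC_SHA1_96 for integrity
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] initiator SA seed => 69 bytes @ 0x7f86fe2faa20
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] 0: 03 47 74 5E 89 A4 B4 A2 68 5F A7 9A B2 56 8D 43 .Gt^....h_...V.C
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] responder SA seed => 69 bytes @ 0x7f86fe2fa9d0
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] 0: 03 CE FE A1 38 A4 B4 A2 68 5F A7 9A B2 56 8D 43 ....8...h_...V.C
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] encryption initiator key => 16 bytes @ 0x7f86d0002750
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] 0: 86 1C 6A AC 7A C8 CC A9 FD 5A EC 0A 2C 14 0B 77 ..j.z....Z..,..w
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] encryption responder key => 16 bytes @ 0x7f86d0002e20
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] 0: C2 A6 38 0A 10 4C 87 C1 99 93 14 0D A5 97 45 1F ..8..L........E.
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] integrity initiator key => 20 bytes @ 0x7f86d0002d20
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] 0: 20 31 7D CB 96 4A 34 CC 2F 95 52 BD 51 4A 93 EA  1}..J4./.R.QJ..
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] 16: 17 F5 CE 68 ...h
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] integrity responder key => 20 bytes @ 0x7f86d0002e40
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] 0: 37 D1 43 12 55 CC E7 A6 A5 3C 8E 1C 11 3C 3E C0 7.C.U....<...<>.
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] 16: 45 00 72 87 E.r.
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] adding inbound ESP SA
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] SPI 0xcefea138, src 192.168.138.128 dst 192.168.138.132
"""

HDR_RE = re.compile(r"\[CHD\] (?P<name>[A-Za-z ]+?) => (?P<n>\d+) bytes @")
DUMP_RE = re.compile(r"\[CHD\] (?P<off>\d+): (?P<rest>.+)$")
ALG_RE = re.compile(r"\[CHD\] using (?P<alg>\w+) for (?P<use>encryption|integrity)")
SA_RE = re.compile(r"\[CHD\] SPI (?P<spi>0x[0-9a-f]+), src (?P<src>\S+) dst (?P<dst>\S+)")


def parse_blobs(log):
    """Collect every '<name> => N bytes @' hex dump into {name: bytes}.

    Each dump line holds up to 16 bytes followed by an ASCII column, so the
    first min(16, N - offset) tokens after 'offset:' are the hex bytes; the
    declared length N, not the ASCII column, bounds what is read."""
    blobs, cur = {}, None
    for line in log.splitlines():
        h = HDR_RE.search(line)
        if h:
            cur = h["name"]
            blobs[cur] = {"n": int(h["n"]), "data": bytearray()}
            continue
        d = DUMP_RE.search(line)
        if d and cur is not None:
            blob = blobs[cur]
            want = min(16, blob["n"] - int(d["off"]))
            blob["data"] += bytes.fromhex("".join(d["rest"].split()[:want]))
            continue
        cur = None  # any other line terminates the current dump
    return {name: bytes(b["data"]) for name, b in blobs.items()}


def esp_sa_entries(log):
    """One record per derived key pair, tagged with the SPI from its seed.

    seed[1:5] is the SPI because the seed is protocol | SPI | Ni_b | Nr_b
    (RFC 2409 5.5). The pair whose SPI matches the 'SPI ..., src ... dst ...'
    line also gets the endpoints the kernel SA was installed with."""
    blobs = parse_blobs(log)
    algs = {m["use"]: m["alg"] for m in ALG_RE.finditer(log)}
    installed = SA_RE.search(log)
    entries = []
    for side in ("initiator", "responder"):
        spi = "0x" + blobs[f"{side} SA seed"][1:5].hex()
        entry = {
            "side": side,
            "spi": spi,
            "enc_alg": algs.get("encryption"),
            "enc_key": blobs[f"encryption {side} key"].hex().upper(),
            "auth_alg": algs.get("integrity"),
            "auth_key": blobs[f"integrity {side} key"].hex().upper(),
        }
        if installed and installed["spi"].lower() == spi:
            entry["src"], entry["dst"] = installed["src"], installed["dst"]
        entries.append(entry)
    return entries


# Wireshark's labels for the two algorithms this capture negotiated.
WS_ENC = {"AES_CBC": "AES-CBC [RFC3602]"}
WS_AUTH = {"HMAC_SHA1_96": "HMAC-SHA-1-96 [RFC2404]"}


def wireshark_esp_sa_line(e):
    """Render a record as a CSV line in the column order of Wireshark's esp_sa
    table (protocol, src, dst, SPI, enc alg, enc key, auth alg, auth key);
    '*' as the assumed wildcard for an endpoint the log did not state."""
    fields = [
        "IPv4", e.get("src", "*"), e.get("dst", "*"), e["spi"],
        WS_ENC.get(e["enc_alg"], e["enc_alg"]), "0x" + e["enc_key"],
        WS_AUTH.get(e["auth_alg"], e["auth_alg"]), "0x" + e["auth_key"],
    ]
    return ",".join(f'"{f}"' for f in fields)


if __name__ == "__main__":
    for e in esp_sa_entries(CHARON_LOG):
        print(e["side"], e["spi"], "installed" if "src" in e else "other direction")
        print("  " + wireshark_esp_sa_line(e))
```

Run against the excerpt, the responder record comes out as SPI 0xcefea138 with src 192.168.138.128, dst 192.168.138.132 and the C2A6...451F / 37D1...7287 pair, which is the combination the writeup settled on by trial; the initiator record is the SA in the other direction (SPI 0x47745e89) with the 861C... / 2031... pair, so both directions can be entered in one go if the capture contains the reverse traffic too.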