Hgame 2023 week3 - Tunnel && Tunnel Revenge Writeup (CN):

It's the third day of the Lunar New Year and there isn't much to do; the visiting is mostly done, so it's back to normal work and study. Hgame 2023 week3 happened to open with a misc challenge. A friend told me it was quite interesting, so I took a look and got first blood. Below is the solving approach.

Tunnel:

There is an unintended solution.

Running strings | grep hgame on the capture gives the flag straight away:

crazyman@ubuntu:~/Desktop$ strings tunnel.pcapng | grep hgame
hgame{ikev1_may_not_safe_aw987rtgh}
hgame{ikev1_may_not_safe_aw987rtgh}
hgame{ikev1_may_not_safe_aw987rtgh}
hgame{ikev1_may_not_safe_aw987rtgh}

The flag -> hgame{ikev1_may_not_safe_aw987rtgh}

Tunnel Revenge:

The Revenge version fixes the unintended strings solution.

TFTP:

Opening the capture, the first thing we notice is a large amount of TFTP traffic.

The transferred TFTP content can be pulled out with Wireshark's Export Objects.

This yields a file named charon.scap; opening the .scap file in Wireshark shows that it is a sysdig Event capture.

sysdig:

If you have done a few of these, seeing sysdig should bring to mind the find_it challenge from last year's ByteCTF.

https://bytedance.feishu.cn/docx/doxcnWmtkIItrGokckfo1puBtCh

That writeup is worth referring to; then install sysdig.

https://github.com/annulen/sysdig-wiki/blob/master/How-to-Install-Sysdig-for-Linux.md

The link above explains the installation.

The method I used:

curl -s https://s3.amazonaws.com/download.draios.com/DRAIOS-GPG-KEY.public | sudo apt-key add -  
curl -s -o /etc/apt/sources.list.d/draios.list http://download.draios.com/stable/deb/draios.list
sudo apt-get update
sudo apt-get -y install linux-headers-$(uname -r)
sudo apt-get -y install sysdig

Once installed, we can use chisels to analyse the capture. sysdig -cl lists the available ones:

crazyman@ubuntu:~/Desktop$ sudo sysdig -cl

Category: Application
---------------------
httplog HTTP requests log
httptop Top HTTP requests
memcachelog memcached requests log

Category: CPU Usage
-------------------
spectrogram Visualize OS latency in real time.
subsecoffset Visualize subsecond offset execution time.
topcontainers_cpu
Top containers by CPU usage
topprocs_cpu Top processes by CPU usage

Category: Errors
----------------
topcontainers_error
Top containers by number of errors
topfiles_errors Top files by number of errors
topprocs_errors top processes by number of errors

Category: I/O
-------------
echo_fds Print the data read and written by processes.
fdbytes_by I/O bytes, aggregated by an arbitrary filter field
fdcount_by FD count, aggregated by an arbitrary filter field
fdtime_by FD time group by
iobytes Sum of I/O bytes on any type of FD
iobytes_file Sum of file I/O bytes
spy_file Echo any read/write made by any process to all files. Optionall
y, you can provide the name of one file to only intercept reads
/writes to that file.
stderr Print stderr of processes
stdin Print stdin of processes
stdout Print stdout of processes
topcontainers_file
Top containers by R+W disk bytes
topfiles_bytes Top files by R+W bytes
topfiles_time Top files by time
topprocs_file Top processes by R+W disk bytes
udp_extract extract data from UDP streams to files.

Category: Logs
--------------
spy_logs Echo any write made by any process to a log file. Optionally, e
xport the events around each log message to file.
spy_syslog Print every message written to syslog. Optionally, export the e
vents around each syslog message to file.

Category: Misc
--------------
around Export to file the events around the time range where the given
filter matches.

Category: Net
-------------
iobytes_net Show total network I/O bytes
spy_ip Show the data exchanged with the given IP address
spy_port Show the data exchanged using the given IP port number
topconns Top network connections by total bytes
topcontainers_net
Top containers by network I/O
topports_server Top TCP/UDP server ports by R+W bytes
topprocs_net Top processes by network I/O

Category: Performance
---------------------
bottlenecks Slowest system calls
fileslower Trace slow file I/O
netlower Trace slow network I/0
proc_exec_time Show process execution time
scallslower Trace slow syscalls
topscalls Top system calls by number of calls
topscalls_time Top system calls by time

Category: Security
------------------
list_login_shells
List the login shell IDs
shellshock_detect
print shellshock attacks
spy_users Display interactive user activity

Category: System State
----------------------
lscontainers List the running containers
lsof List (and optionally filter) the open file descriptors.
netstat List (and optionally filter) network connections.
ps List (and optionally filter) the machine processes.

Category: Tracers
-----------------
tracers_2_statsd
Export spans duration as statds metrics.

We can start by dumping echo_fds to see what is in there:

sudo sysdig -r charon.scap -A -c echo_fds

Saving the output to a file makes it easier to analyse.

First we find the shell history, /root/.zsh_history.

Its first two parts are setting up the environment and installing sysdig.

Searching for file names leads to the more interesting parts:

------ Read 1.30KB from   /root/.zsh_history (zsh)

y_logs -w 233.scap
: 1674489646:0;systemctl start ipsec
: 1674489657:0;systemctl stop ipsec
: 1674489659:0;nano /etc/ipsec.conf
: 1674489672:0;sysdig -C 100 -W 1 -c spy_logs -w 233.scap
: 1674489696:0;systemctl start ipsec
: 1674489725:0;systemctl stop ipsec
: 1674489793:0;sysdig -C 100 -W 1 -c spy_logs -w 233.scap
: 1674489796:0;systemctl start ipsec
: 1674489814:0;nc -ulvvp 3939
: 1674489894:0;nano /etc/ipsec.conf
: 1674489968:0;systemctl restart ipsec
: 1674489972:0;nc -ulvvp 3939
: 1674490131:0;sysdig -C 100 -W 1 -c spy_logs -w 233.scap
: 1674490142:0;systemctl stop ipsec
: 1674490155:0;sysdig -C 100 -W 1 -c spy_logs -w 233.scap
: 1674490160:0;systemctl start ipsec
: 1674490234:0;mv 233.scap0 ipsec.scap
: 1674490246:0;mv ipsec.scap charon.scap
: 1674490254:0;atftp 192.168.138.128
: 1674490293:0;ip xfrm stat
: 1674490298:0;systemctl stop ipsec
: 1674490456:0;md5sum charon.scap
: 1674490459:0;md5sum charon_asd.scap
: 1674490505:0;sysdig -r charon_asd.scap -c spy_logs > a.txt
: 1674492979:0;ifconfig
: 1674492985:0;ifconfig enp2s1 up
: 1674492988:0;dhclient
: 1674492990:0;ifconfig
: 1674493027:0;systemctl stop ipsec
: 1674493029:0;nano /etc/ipsec.conf
: 1674493072:0;systemctl start ipsec
: 1674493232:0;nc -ulvvp 3939
: 1674493542:0;systemctl stop ipsec
: 1674493562:0;sysdig -C 100 -W 1 -c spy_logs -w 233.scap

The key pieces of information are sysdig -r charon_asd.scap -c spy_logs, nc -ulvvp 3939 and nano /etc/ipsec.conf.

So we learn that the receiving port is 3939, that sysdig's spy_logs chisel can be used to extract the data, and that there is a file ipsec.conf. Let's search for that file first:

------ Read 847B from   /etc/ipsec.conf (starter)

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
# strictcrlpolicy=yes
# uniqueids = no

# Add connections here.

# Sample VPN connections

#conn sample-self-signed
# leftsubnet=10.1.0.0/16
# leftcert=selfCert.der
# leftsendcert=never
# right=192.168.0.2
# rightsubnet=10.2.0.0/16
# rightcert=peerCert.der
# auto=start

#conn sample-with-ca-cert
# leftsubnet=10.1.0.0/16
# leftcert=myCert.pem
# right=192.168.0.2
# rightsubnet=10.2.0.0/16
# rightid="C=CH, O=Linux strongSwan CN=peer name"
# auto=start
conn test
authby=secret
auto=start
keyexchange=ikev1
ike=aes128-sha1-modp1024!
esp=aes128-sha1!
left=192.168.138.132
right=192.168.138.128
type=transport
leftprotoport=17/3939
rightprotoport=17/3939

The last part of it is:

conn test
authby=secret
auto=start
keyexchange=ikev1
ike=aes128-sha1-modp1024!
esp=aes128-sha1!
left=192.168.138.132
right=192.168.138.128
type=transport
leftprotoport=17/3939
rightprotoport=17/3939

At the same time we can extract spy_logs with the command

sysdig -r charon.scap -c spy_logs

and save that output to a file for analysis as well.

Then, seeing keyexchange=ikev1 together with the ISAKMP and ESP protocols in the capture, a search turns up this article:
https://celaldogan2010.medium.com/decrypting-ipsec-protocols-isakmp-and-esp-with-wireshark-d484a5a93991

Reading the post, it matches everything we know so far: the setup uses IPsec (implemented with strongSwan), /etc/ipsec.conf is the strongSwan configuration, and through it we can also find /etc/strongswan.conf. We cannot find charon.log or /etc/ipsec.secrets, though.

Content of /etc/strongswan.conf:

------ Read 369B from   /etc/strongswan.conf (starter)

# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files

charon {
    load_modular = yes
    syslog {
        identifier = charon
        default = 4
        auth {
            default = 4
            ike = 4
        }
    }
    plugins {
        include strongswan.d/charon/*.conf
    }
}

It is not that useful by itself; it only ties together the path through the challenge.

Since IPsec here consists of ISAKMP and ESP, we decrypt the ISAKMP part first.

ISAKMP:

Following the article's Step 4, Acquiring ICOOKIE (Initiator SPI) and the encryption key from log file (charon.log) for ISAKMP, we decrypt ISAKMP first.

Searching echo_fds for checkout gives the Initiator's COOKIE -> 620270aca82ca7ad

Searching spy_logs for encryption key gives the Encryption key -> 99EF15AC696A5CC9442E8A8A54038674

Then in Wireshark go to Edit - Preferences - Protocols - ISAKMP - IKEv1 Decryption Table

and enter the Initiator's COOKIE and Encryption key noted above.

Before importing:

After importing:

The ISAKMP traffic is now dissected successfully.

Still no flag though: we have not decrypted ESP yet, so the next step is to decrypt ESP.

ESP:

From the article's Step 5, Acquiring authentication, encryption keys and algorithms for ESP, we know that to decrypt ESP we first need the SPI, the authentication and encryption keys, and the encryption and integrity algorithms in use.

The SPI can be read from the capture: 0xcefea138.

Searching spy_logs for 0xcefea138 locates the relevant log lines:

rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CFG] received proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CFG] configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] CHILD_SA test{1} state change: CREATED => INSTALLING
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] using AES_CBC for encryption
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] using HMAC_SHA1_96 for integrity
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] initiator SA seed => 69 bytes @ 0x7f86fe2faa20
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] 0: 03 47 74 5E 89 A4 B4 A2 68 5F A7 9A B2 56 8D 43 .Gt^....h_...V.C
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] 16: AA 70 32 8A D1 B5 E2 26 C0 63 7A C7 B4 B6 BC DD .p2....&.cz.....
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] 32: 57 65 07 76 08 9E FC B8 5F EE B1 1F D9 A1 62 8D We.v...._.....b.
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] 48: 87 BB FF 75 A0 1A 96 35 42 80 63 99 95 D9 04 27 ...u...5B.c....'
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] 64: 23 FC 0D 58 A0 #..X.
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] responder SA seed => 69 bytes @ 0x7f86fe2fa9d0
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] 0: 03 CE FE A1 38 A4 B4 A2 68 5F A7 9A B2 56 8D 43 ....8...h_...V.C
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] 16: AA 70 32 8A D1 B5 E2 26 C0 63 7A C7 B4 B6 BC DD .p2....&.cz.....
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] 32: 57 65 07 76 08 9E FC B8 5F EE B1 1F D9 A1 62 8D We.v...._.....b.
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] 48: 87 BB FF 75 A0 1A 96 35 42 80 63 99 95 D9 04 27 ...u...5B.c....'
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] 64: 23 FC 0D 58 A0 #..X.
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] encryption initiator key => 16 bytes @ 0x7f86d0002750
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] 0: 86 1C 6A AC 7A C8 CC A9 FD 5A EC 0A 2C 14 0B 77 ..j.z....Z..,..w
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] encryption responder key => 16 bytes @ 0x7f86d0002e20
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] 0: C2 A6 38 0A 10 4C 87 C1 99 93 14 0D A5 97 45 1F ..8..L........E.
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] integrity initiator key => 20 bytes @ 0x7f86d0002d20
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] 0: 20 31 7D CB 96 4A 34 CC 2F 95 52 BD 51 4A 93 EA 1}..J4./.R.QJ..
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] 16: 17 F5 CE 68 ...h
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] integrity responder key => 20 bytes @ 0x7f86d0002e40
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] 0: 37 D1 43 12 55 CC E7 A6 A5 3C 8E 1C 11 3C 3E C0 7.C.U....<...<>.
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] 16: 45 00 72 87 E.r.
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] adding inbound ESP SA
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] SPI 0xcefea138, src 192.168.138.128 dst 192.168.138.132

From these lines, with a bit of reading, we get: src IP -> 192.168.138.128, dst IP -> 192.168.138.132, Encryption -> AES_CBC, Authentication -> HMAC_SHA1_96, Encryption Key -> C2A6380A104C87C19993140DA597451F, Authentication Key -> 37D1431255CCE7A6A53C8E1C113C3EC045007287

Enter them in Wireshark under Edit - Preferences - Protocols - ESP,

tick Attempt to detect/decode encrypted ESP payloads,

and after importing the ESP payload is decrypted.

Flag -> hgame{ikev1_m4y_n0t_5af3_3kogsr9w5k}

tips: for the Encryption Key / Authentication Key there are generally only two combinations:
861C6AAC7AC8CCA9FD5AEC0A2C140B77 with 20317DCB964A34CC2F9552BD514A93EA17F5CE68
C2A6380A104C87C19993140DA597451F with 37D1431255CCE7A6A53C8E1C113C3EC045007287
Try both and you will see which one to use.
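As an added example (not part of the original writeup), the script below automates the key extraction above and settles the tip's "try both" question: it reassembles the multi-line hexdumps from the charon log and picks the key pair whose SA seed carries the SPI, since strongSwan logs the IKEv1 KEYMAT prf input (protocol | SPI | Ni | Nr) as the "SA seed". It assumes the CHILD_SA was negotiated without PFS (true here: esp=aes128-sha1! names no DH group; with PFS the DH secret would precede the protocol byte), and its embedded input is copied from the log excerpt above with the two seed dumps cut to their first line.

```python
import re

# Constructed sample: charon lines copied from the spy_logs excerpt above (seed dumps cut to their first line).
SAMPLE_LOG = """\
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] initiator SA seed => 69 bytes @ 0x7f86fe2faa20
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] 0: 03 47 74 5E 89 A4 B4 A2 68 5F A7 9A B2 56 8D 43 .Gt^....h_...V.C
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] responder SA seed => 69 bytes @ 0x7f86fe2fa9d0
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] 0: 03 CE FE A1 38 A4 B4 A2 68 5F A7 9A B2 56 8D 43 ....8...h_...V.C
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] encryption initiator key => 16 bytes @ 0x7f86d0002750
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] 0: 86 1C 6A AC 7A C8 CC A9 FD 5A EC 0A 2C 14 0B 77 ..j.z....Z..,..w
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] encryption responder key => 16 bytes @ 0x7f86d0002e20
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] 0: C2 A6 38 0A 10 4C 87 C1 99 93 14 0D A5 97 45 1F ..8..L........E.
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] integrity initiator key => 20 bytes @ 0x7f86d0002d20
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] 0: 20 31 7D CB 96 4A 34 CC 2F 95 52 BD 51 4A 93 EA 1}..J4./.R.QJ..
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] 16: 17 F5 CE 68 ...h
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] integrity responder key => 20 bytes @ 0x7f86d0002e40
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] 0: 37 D1 43 12 55 CC E7 A6 A5 3C 8E 1C 11 3C 3E C0 7.C.U....<...<>.
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] 16: 45 00 72 87 E.r.
rs:main /var/log/auth.log Jan 24 01:06:05 debian charon: 13[CHD] SPI 0xcefea138, src 192.168.138.128 dst 192.168.138.132
"""

HDR = re.compile(r'\[CHD\] (.+?) => (\d+) bytes @ 0x[0-9a-f]+')   # "<label> => N bytes @ addr"
DUMP = re.compile(r'\[CHD\] (\d+): ((?:[0-9A-F]{2} ?)+)')          # "offset: hex bytes  ascii"
SA = re.compile(r'SPI (0x[0-9a-f]+), src (\S+) dst (\S+)')

def parse_charon_dumps(text):
    """Reassemble each '<label> => N bytes' hexdump into {label: bytes}, ignoring the ASCII column."""
    blobs, label, want = {}, None, 0
    for line in text.splitlines():
        if h := HDR.search(line):
            label, want = h.group(1), int(h.group(2))
            blobs[label] = b''
        elif label is not None and (d := DUMP.search(line)):
            blobs[label] += bytes.fromhex(''.join(d.group(2).split()[:want - len(blobs[label])]))
    return blobs

def esp_keys_for_spi(text, spi):
    """(encryption key, authentication key) as hex for the ESP SA with this SPI. IKEv1 quick mode
    uses KEYMAT = prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b) (RFC 2409 5.5, no PFS assumed) and
    strongSwan logs that prf input as the 'SA seed': byte 0 = protocol (3 = ESP), bytes 1-4 = SPI."""
    blobs = parse_charon_dumps(text)
    spi_bytes = int(spi, 16).to_bytes(4, 'big')
    for side in ('initiator', 'responder'):
        seed = blobs[f'{side} SA seed']
        if seed[0] == 3 and seed[1:5] == spi_bytes:
            return blobs[f'encryption {side} key'].hex().upper(), blobs[f'integrity {side} key'].hex().upper()
    raise ValueError(f'no ESP SA seed carries SPI {spi}')

def wireshark_esp_rows(text):
    """One (src, dst, spi, enc_key, auth_key) row per 'SPI ..., src ... dst ...' line, for Wireshark's ESP SA table."""
    return [(src, dst, spi, *esp_keys_for_spi(text, spi)) for spi, src, dst in SA.findall(text)]
```

Run against the full spy_logs output, wireshark_esp_rows() yields the exact row the writeup enters by hand for 0xcefea138, and the other pair is the one belonging to the initiator's SPI 0x47745e89 seen in the first seed.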