The latest articles on DEV Community by f0rked (@yetanotherf0rked). https://dev.to/yetanotherf0rked https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F840996%2Fbf5a3384-e344-467e-8050-bd8b5974e7f3.png https://dev.to/yetanotherf0rked en f0rked Mon, 30 May 2022 15:20:08 +0000 https://dev.to/stack-labs/spending-spring-days-crafting-packets-at-nahamcon-2022-3nma https://dev.to/stack-labs/spending-spring-days-crafting-packets-at-nahamcon-2022-3nma <p><em>A CTF writeup of Networking challenges at NahamCon 2022</em></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F05gftl21hx49hktmbe01.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F05gftl21hx49hktmbe01.jpg" alt="why not both?" width="524" height="499"></a></p> <p>NahamCon2022 is over and we're glad we managed to finish in top 5% with our team at Stack Labs (3049 points, 195 on 4034 teams). This year, they came up with exciting Networking challenges made by <strong>@Kkevsterrr#7469</strong>. Although we didn't manage to solve these, it was a nice introduction to network analysis and packets manipulation using <strong>Scapy</strong>. </p> <p>Here's what I learned.</p> <p><strong>Challenges:</strong></p> <ul> <li> <strong>1. Contemporaneous Open</strong> - hard - 14 solves - 500 points - first blooded by <strong>StaticFlow</strong> </li> <li> <strong>2. Freaky Flag Day</strong> - hard - 9 solves - 500 points - first blooded by <strong>Maple Bacon</strong> </li> </ul> <h2> 1. Contemporaneous Open </h2> <blockquote> <p><strong>Author: @Kkevsterrr#7469</strong> <br> We want to give you the flag, we really do. just give us a TCP HTTP server to send it to, and we'll make a POST request with all the deets you need! we've just got a firewall issue on our side and we're dropping certain important packets (specifically, any inbound SYN+ACK packet is dropped). Shouldn't be a problem for a networking pro like you, though - just make a TCP server that doesn't need to send those!</p> </blockquote> <p><strong>Tools used:</strong> </p> <ul> <li> <a href="https://github.com/secdev/scapy" rel="noopener noreferrer">scapy</a> for packet manipulation</li> <li> <a href="https://tshark.dev/" rel="noopener noreferrer">tshark</a> wireshark's cli version</li> </ul> <h3> Traditional 3-way handshake </h3> <p>Let's start with some useful reminders about TCP Protocol. In a traditional TCP 3-way handshake:</p> <ol> <li>the client sends a <strong>SYN</strong> (Synchronize Sequence Number) to inform the server he wants to start a communication. The SYN signifies with what sequence number it will start the segments with.</li> <li>the server responds to the client with <strong>SYN-ACK</strong>. The ACK signifies the response of client's SYN. Meanwhile the SYN signifies with what sequence number it will start the segments with.</li> <li>Finally, the client acknowledges (<strong>ACK</strong>) the response of the server and the connection enters the ESTABLISHED state so they can start exchanging data.</li> </ol> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5bxvxb6djx6ell4vlrlz.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5bxvxb6djx6ell4vlrlz.png" alt="TCP 3-Way Handshake" width="800" height="493"></a></p> <h3> SYN-ACK get dropped by a distrustful firewall </h3> <p>In this challenge the flag is given by a POST request to a server we're supposed to create at port 80. The thing is: the client's firewall drops every inbound SYN-ACK packet. So we must find a solution to establish a connection without having to send a SYN-ACK-flagged packet.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxhih0gabpzedty44bib5.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxhih0gabpzedty44bib5.jpg" alt="SYN-ACKs get dropped by client's firewall" width="800" height="518"></a></p> <p>While I was spending hours refreshing my memory about TCP/IP internals, learning the basics of scapy and exploring many ways to solve the problem (fragmenting the SYN/ACK response, attempting an <a href="https://www.auvik.com/franklyit/blog/what-is-quic-protocol/" rel="noopener noreferrer">HTTP3 over QUIC conection</a>), the solution was laying in the challenge's name.</p> <h3> TCP Simultaneous Open </h3> <p><em>Contemporaneous Open</em> is a reference to <strong>TCP's Simultaneous Open</strong> state transition. Also called "simultaneous active open on both side", it refers to an old TCP feature used to handle edge cases in TCP handshakes, as when a server and a client send a SYN to each other at the same time. This process makes it possible for two applications to send a SYN to each other to start a TCP connection.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1fxdifzpcu2hc4sa8g81.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1fxdifzpcu2hc4sa8g81.jpg" alt="TCP Simultaneous Open" width="800" height="718"></a></p> <p>When both ends send a SYN at the same time, both ends enter the SYN_SENT state. When they receive the SYN, their state changes to SYN_RCVD and they resend the SYN and acknowledge the received SYN. When they both receive the SYN and the acknowledged SYN, the connection enters the ESTABLISHED state. In such a state, both ends act as a client and server.</p> <p>So the client doesn't need a SYN/ACK answer from the server in order to complete the three-way handshake. <strong>All we need is to send a SYN and wait for the <em>client</em>'s SYN/ACK to establish the connection and start HTTP exchange.</strong> This can save us from sending a SYN/ACK packet that would be dropped by the client. We'll use Scapy to mimic a server with such a behavior.</p> <h3> Crafting with scapy </h3> <p>Before executing any Scapy scripts, we must disable the Linux Kernel's response to avoid any RST-flagged answers. Scapy operates in user space so the Kernel has no idea of what Scapy is doing.</p> <p>Using iptables, we can drop RST-flagged packets the kernel sends from port 80.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>iptables <span class="nt">-A</span> OUTPUT <span class="nt">-p</span> tcp <span class="nt">--tcp-flags</span> RST RST <span class="nt">--sport</span> 80 <span class="nt">-j</span> DROP </code></pre> </div> <p>The idea is to create a customized server that does the following:</p> <ul> <li>receive client's SYN (seq=n)</li> <li>send a SYN (seq=m)</li> <li>send a ACK (seq=m+1, ack=n+1) to acknowledge client's SYN</li> <li>client acknowledges our SYN, receives our ACK and establish session</li> </ul> <p>We'll use <strong>tshark</strong> as a complementary tool to track the incoming packets.</p> <h3> 1. First, let's get client's SYN packet. </h3> <p>Note that IP addresses have been changed to "MY_IP" and "CLIENT_IP".<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># server.py #! /usr/bin/python </span><span class="kn">from</span> <span class="n">scapy</span> <span class="kn">import</span> <span class="o">*</span> <span class="n">S_ADDR</span> <span class="o">=</span> <span class="sh">"</span><span class="s">MY_IP</span><span class="sh">"</span> <span class="n">S_PORT</span> <span class="o">=</span> <span class="mi">80</span> <span class="c1"># 1. Listen for client's SYN and get IP and port </span><span class="n">c_syn</span> <span class="o">=</span> <span class="nf">sniff</span><span class="p">(</span> <span class="nb">filter</span><span class="o">=</span><span class="sh">"</span><span class="s">tcp and port 80</span><span class="sh">"</span><span class="p">,</span> <span class="n">count</span><span class="o">=</span><span class="mi">1</span><span class="p">,</span> <span class="n">prn</span><span class="o">=</span><span class="k">lambda</span> <span class="n">x</span><span class="p">:</span><span class="n">x</span><span class="p">.</span><span class="nf">sprintf</span><span class="p">(</span><span class="sh">"</span><span class="s">Received SYN from {IP:%IP.src%:%TCP.dport%, seq=%TCP.seq}%</span><span class="sh">"</span><span class="p">)</span> <span class="p">)</span> </code></pre> </div> <p>We connect to the challenge:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>❯ nc challenge.nahamcon.com 31334 so glad you<span class="s1">'re here! i would love to give you the flag. just give me the IP address that'</span>s running an HTTP server, and I<span class="s1">'ll shoot you the flag immediately. oh one snag, we'</span>ve got some firewall issues on our side, and some important packets are getting dropped. shouldn<span class="s1">'t be a problem for you, though. &gt;&gt;&gt; MY_IP here it comes! hmm nope looks like you didn'</span>t get it... </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># server.py output Received SYN from CLIENT_IP:http, seq=510141201 </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>❯ <span class="nb">sudo </span>tshark <span class="nt">-f</span> <span class="s2">"tcp port 80"</span> Running as user <span class="s2">"root"</span> and group <span class="s2">"root"</span><span class="nb">.</span> This could be dangerous. Capturing on <span class="s1">'ens3'</span> 1 0.000000000 CLIENT_IP → MY_IP TCP 74 58356 → 80 <span class="o">[</span>SYN] <span class="nv">Seq</span><span class="o">=</span>0 <span class="nv">Win</span><span class="o">=</span>42600 <span class="nv">Len</span><span class="o">=</span>0 <span class="nv">MSS</span><span class="o">=</span>1420 <span class="nv">SACK_PERM</span><span class="o">=</span>1 <span class="nv">TSval</span><span class="o">=</span>3977333110 <span class="nv">TSecr</span><span class="o">=</span>0 <span class="nv">WS</span><span class="o">=</span>128 2 1.015633580 CLIENT_IP → MY_IP TCP 74 <span class="o">[</span>TCP Retransmission] 58356 → 80 <span class="o">[</span>SYN] <span class="nv">Seq</span><span class="o">=</span>0 <span class="nv">Win</span><span class="o">=</span>42600 <span class="nv">Len</span><span class="o">=</span>0 <span class="nv">MSS</span><span class="o">=</span>1420 <span class="nv">SACK_PERM</span><span class="o">=</span>1 <span class="nv">TSval</span><span class="o">=</span>3977334125 <span class="nv">TSecr</span><span class="o">=</span>0 <span class="nv">WS</span><span class="o">=</span>128 </code></pre> </div> <p>Great! We now can use the IP and port for sending our packets.</p> <h3> 2. Now let's send our SYN and acknowledge client's SYN </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># server.py # ... </span> <span class="c1"># 2. Send Syn </span><span class="n">C_ADDR</span> <span class="o">=</span> <span class="n">c_syn</span><span class="p">[</span><span class="mi">0</span><span class="p">][</span><span class="n">IP</span><span class="p">].</span><span class="n">src</span> <span class="n">C_PORT</span> <span class="o">=</span> <span class="n">c_syn</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="n">sport</span> <span class="n">C_SEQ</span> <span class="o">=</span> <span class="n">c_syn</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="n">seq</span> <span class="n">S_SEQ</span> <span class="o">=</span> <span class="mi">1234</span> <span class="c1"># random number </span> <span class="n">ip</span> <span class="o">=</span> <span class="nc">IP</span><span class="p">(</span><span class="n">src</span><span class="o">=</span><span class="n">S_ADDR</span><span class="p">,</span> <span class="n">dst</span><span class="o">=</span><span class="n">C_ADDR</span><span class="p">)</span> <span class="n">tcp_syn</span> <span class="o">=</span> <span class="nc">TCP</span><span class="p">(</span> <span class="n">sport</span><span class="o">=</span><span class="n">S_PORT</span><span class="p">,</span> <span class="n">dport</span><span class="o">=</span><span class="n">C_PORT</span><span class="p">,</span> <span class="n">flags</span><span class="o">=</span><span class="sh">"</span><span class="s">S</span><span class="sh">"</span><span class="p">,</span> <span class="n">seq</span><span class="o">=</span><span class="n">S_SEQ</span><span class="p">,</span> <span class="p">)</span> <span class="n">s_syn</span> <span class="o">=</span> <span class="nf">send</span><span class="p">(</span><span class="n">ip</span><span class="o">/</span><span class="n">tcp_syn</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Send SYN with seq=</span><span class="si">{</span><span class="n">S_SEQ</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># 3. Send Ack </span><span class="n">S_SEQ</span><span class="o">+=</span><span class="mi">1</span> <span class="n">C_SEQ</span><span class="o">+=</span><span class="mi">1</span> <span class="n">tcp_ack</span> <span class="o">=</span> <span class="nc">TCP</span><span class="p">(</span> <span class="n">sport</span><span class="o">=</span><span class="n">S_PORT</span><span class="p">,</span> <span class="n">dport</span><span class="o">=</span><span class="n">C_PORT</span><span class="p">,</span> <span class="n">flags</span><span class="o">=</span><span class="sh">"</span><span class="s">A</span><span class="sh">"</span><span class="p">,</span> <span class="n">seq</span><span class="o">=</span><span class="n">S_SEQ</span><span class="p">,</span> <span class="n">ack</span><span class="o">=</span><span class="n">C_SEQ</span><span class="p">,</span> <span class="p">)</span> <span class="n">s_ack</span> <span class="o">=</span> <span class="nf">send</span><span class="p">(</span><span class="n">ip</span><span class="o">/</span><span class="n">tcp_ack</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Send ACK with seq=</span><span class="si">{</span><span class="n">S_SEQ</span><span class="si">}</span><span class="s"> and ack=</span><span class="si">{</span><span class="n">C_SEQ</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Received SYN from CLIENT_IP:http, seq=3800804531 Send SYN with seq=1234 Send ACK with seq=1235 and ack=3800804532 </code></pre> </div> <p>We'll use the flag <code>-z "follow,tcp,hex,0"</code> to display the contents of the first TCP Stream (CLIENT_IP → MY_IP)<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>❯ <span class="nb">sudo </span>tshark <span class="nt">-f</span> <span class="s2">"tcp port 80"</span> <span class="nt">-z</span> <span class="s2">"follow,tcp,hex,0"</span> Running as user <span class="s2">"root"</span> and group <span class="s2">"root"</span><span class="nb">.</span> This could be dangerous. Capturing on <span class="s1">'ens3'</span> 1 0.000000000 CLIENT_IP → MY_IP TCP 74 34206 → 80 <span class="o">[</span>SYN] <span class="nv">Seq</span><span class="o">=</span>0 <span class="nv">Win</span><span class="o">=</span>42600 <span class="nv">Len</span><span class="o">=</span>0 <span class="nv">MSS</span><span class="o">=</span>1420 <span class="nv">SACK_PERM</span><span class="o">=</span>1 <span class="nv">TSval</span><span class="o">=</span>3979143134 <span class="nv">TSecr</span><span class="o">=</span>0 <span class="nv">WS</span><span class="o">=</span>128 2 0.009865804 MY_IP → CLIENT_IP TCP 54 80 → 34206 <span class="o">[</span>SYN] <span class="nv">Seq</span><span class="o">=</span>0 <span class="nv">Win</span><span class="o">=</span>8192 <span class="nv">Len</span><span class="o">=</span>0 3 0.012471996 MY_IP → CLIENT_IP TCP 54 80 → 34206 <span class="o">[</span>ACK] <span class="nv">Seq</span><span class="o">=</span>1 <span class="nv">Ack</span><span class="o">=</span>1 <span class="nv">Win</span><span class="o">=</span>8192 <span class="nv">Len</span><span class="o">=</span>0 4 0.114386572 CLIENT_IP → MY_IP TCP 74 <span class="o">[</span>TCP Retransmission] 34206 → 80 <span class="o">[</span>SYN, ACK] <span class="nv">Seq</span><span class="o">=</span>0 <span class="nv">Ack</span><span class="o">=</span>1 <span class="nv">Win</span><span class="o">=</span>42600 <span class="nv">Len</span><span class="o">=</span>0 <span class="nv">MSS</span><span class="o">=</span>1420 <span class="nv">SACK_PERM</span><span class="o">=</span>1 <span class="nv">TSval</span><span class="o">=</span>3979143248 <span class="nv">TSecr</span><span class="o">=</span>0 <span class="nv">WS</span><span class="o">=</span>128 5 0.115899112 CLIENT_IP → MY_IP TCP 268 POST / HTTP/1.1 <span class="o">[</span>TCP segment of a reassembled PDU] 6 0.115899266 CLIENT_IP → MY_IP HTTP 104 POST / HTTP/1.1 <span class="o">(</span>application/x-www-form-urlencoded<span class="o">)</span> 7 0.319132750 CLIENT_IP → MY_IP TCP 318 <span class="o">[</span>TCP Retransmission] 34206 → 80 <span class="o">[</span>PSH, ACK] <span class="nv">Seq</span><span class="o">=</span>1 <span class="nv">Ack</span><span class="o">=</span>1 <span class="nv">Win</span><span class="o">=</span>333 <span class="nv">Len</span><span class="o">=</span>264 8 0.727116985 CLIENT_IP → MY_IP TCP 318 <span class="o">[</span>TCP Retransmission] 34206 → 80 <span class="o">[</span>PSH, ACK] <span class="nv">Seq</span><span class="o">=</span>1 <span class="nv">Ack</span><span class="o">=</span>1 <span class="nv">Win</span><span class="o">=</span>333 <span class="nv">Len</span><span class="o">=</span>264 9 1.551128826 CLIENT_IP → MY_IP TCP 318 <span class="o">[</span>TCP Retransmission] 34206 → 80 <span class="o">[</span>PSH, ACK] <span class="nv">Seq</span><span class="o">=</span>1 <span class="nv">Ack</span><span class="o">=</span>1 <span class="nv">Win</span><span class="o">=</span>333 <span class="nv">Len</span><span class="o">=</span>264 10 3.119495767 CLIENT_IP → MY_IP TCP 54 34206 → 80 <span class="o">[</span>FIN, ACK] <span class="nv">Seq</span><span class="o">=</span>265 <span class="nv">Ack</span><span class="o">=</span>1 <span class="nv">Win</span><span class="o">=</span>333 <span class="nv">Len</span><span class="o">=</span>0 11 3.215170188 CLIENT_IP → MY_IP TCP 318 <span class="o">[</span>TCP Retransmission] 34206 → 80 <span class="o">[</span>FIN, PSH, ACK] <span class="nv">Seq</span><span class="o">=</span>1 <span class="nv">Ack</span><span class="o">=</span>1 <span class="nv">Win</span><span class="o">=</span>333 <span class="nv">Len</span><span class="o">=</span>264 ^C11 packets captured <span class="o">===================================================================</span> Follow: tcp,hex Filter: tcp.stream eq 0 Node 0: CLIENT_IP:34206 Node 1: MY_IP:80 00000000 50 4f 53 54 20 2f 20 48 54 54 50 2f 31 2e 31 0d POST / H TTP/1.1. 00000010 0a 48 6f 73 74 3a 20 ■ ■ ■ ■ ■ ■ ■ ■ ■ .Host: ■ ■■■■■■■■ 00000020 ■ ■ ■ ■ 0d 0a 55 73 65 72 2d 41 67 65 6e 74 ■■■■..Us er-Agent 00000030 3a 20 70 79 74 68 6f 6e 2d 72 65 71 75 65 73 74 : python <span class="nt">-request</span> 00000040 73 2f 32 2e 32 37 2e 31 0d 0a 41 63 63 65 70 74 s/2.27.1 ..Accept 00000050 2d 45 6e 63 6f 64 69 6e 67 3a 20 67 7a 69 70 2c <span class="nt">-Encodin</span> g: <span class="nb">gzip</span>, 00000060 20 64 65 66 6c 61 74 65 0d 0a 41 63 63 65 70 74 deflate ..Accept 00000070 3a 20 2a 2f 2a 0d 0a 43 6f 6e 6e 65 63 74 69 6f : <span class="k">*</span>/<span class="k">*</span>..C onnectio 00000080 6e 3a 20 6b 65 65 70 2d 61 6c 69 76 65 0d 0a 43 n: keep- alive..C 00000090 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 35 ontent-L ength: 5 000000A0 30 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 0..Conte nt-Type: 000000B0 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 77 applica tion/x-w 000000C0 77 77 2d 66 6f 72 6d 2d 75 72 6c 65 6e 63 6f 64 ww-form- urlencod 000000D0 65 64 0d 0a 0d 0a ed.... 000000D6 66 6c 61 67 3d 66 6c 61 67 25 37 42 36 61 63 66 <span class="nv">flag</span><span class="o">=</span>fla g%7B6acf 000000E6 64 66 63 39 33 36 39 65 61 64 66 64 62 39 34 33 dfc9369e adfdb943 000000F6 39 62 30 61 63 33 39 36 39 37 31 31 25 37 44 25 9b0ac396 9711%7D% 00000106 30 41 0A <span class="o">===================================================================</span> </code></pre> </div> <p>And so we get this lovely flag:<br> <code>flag{6acfdfc9369eadfdb9439b0ac3969711}</code></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flr7w42b850dzzi1xtft0.gif" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flr7w42b850dzzi1xtft0.gif" alt="Yaaay!" width="480" height="400"></a></p> <h3> Improvements </h3> <p>A much more elegant solution would be to act like a real HTTP server by acquitting each client's packet, answering the POST request and then gracefully ending the connection when the client sends a FIN.</p> <p>Check out <strong><a href="https://gist.github.com/nneonneo/1b371ac9da8703eda9c3a9b26d61a483" rel="noopener noreferrer">nneonneo</a></strong>'s solution that implements this feature in addition to using an asynchronous sniffer that pushes incoming packets to a queue, making client's packets easier to iterate on. Also he uses many helper functions to track, filter and incoming and outcoming packets. I would definitely use these as a template for next challenges. Clean and smooth.</p> <p>In the next part, we'll cover the <strong>Freaky Flag Day</strong> challenge. I hope you enjoy poetry and TCP flags.</p> <h2> 2. Freaky Flag Day </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F98agqmlixu0we6mfjptf.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F98agqmlixu0we6mfjptf.jpg" alt="Is this a FIN?" width="556" height="500"></a></p> <blockquote> <p><strong>Author: @Kkevsterrr#7469</strong><br><br> Our TCP flags have decided that they'd like to change places today; all you need to do is reach the HTTP server! <br><br> Roses are red, and SYNs are FINs too.<br><br> RST+ACKs are now SYN+ACKs for you.<br><br> ACKs are now Es, and what else have we done?<br><br> PSH+ACKs are FIN+SYNs just for the fun. <br><br> Hint: If you want to run this challenge from your home or a VM, make sure you are not behind a NAT that could eat your unexpected packets.<br><br> Interact with this challenge at: <a href="http://SERVER_IP" rel="noopener noreferrer">http://SERVER_IP</a></p> </blockquote> <p><strong>Tools used:</strong> </p> <ul> <li> <a href="https://github.com/secdev/scapy" rel="noopener noreferrer">scapy</a> for packet manipulation</li> <li> <a href="https://tshark.dev/" rel="noopener noreferrer">tshark</a> wireshark's cli version</li> <li> <a href="https://curl.se/" rel="noopener noreferrer">curl</a> for the http client</li> <li> <a href="https://github.com/oremanj/python-netfilterqueue" rel="noopener noreferrer">nfqueue</a> to intercept packets queued by the kernel packet filter</li> </ul> <p>So after defeating a suspicious client that drops every incoming SYN/ACK packet, our next challenger a server that swaps the flags of every request (both inbound and outbound).</p> <p>Want to establish a session? The server understands that you want to finish it.<br> Want to acknowledge that a packet is successfully received? The server understands that you're under a network congestion. Nonsense.</p> <p>The goal is to reach the server correctly. Thus we must speak his language. The flags mapping is the following:</p> <p>S ⇔ F</p> <p>RA ⇔ SA</p> <p>A ⇔ E</p> <p>PA ⇔ FS</p> <h3> Preliminary tests </h3> <p>Let's try to connect to the server using <strong>curl</strong>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>❯ curl <span class="nt">--local-port</span> 44444 http://SERVER_IP </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>❯ <span class="nb">sudo </span>tshark <span class="nt">-f</span> <span class="s2">"tcp port 80 and host SERVER_IP"</span> 1 0.000000000 MY_IP → SERVER_IP TCP 74 44444 → 80 <span class="o">[</span>SYN] <span class="nv">Seq</span><span class="o">=</span>0 <span class="nv">Win</span><span class="o">=</span>64240 <span class="nv">Len</span><span class="o">=</span>0 <span class="nv">MSS</span><span class="o">=</span>1460 <span class="nv">SACK_PERM</span><span class="o">=</span>1 <span class="nv">TSval</span><span class="o">=</span>1756025715 <span class="nv">TSecr</span><span class="o">=</span>0 <span class="nv">WS</span><span class="o">=</span>128 2 1.021102385 MY_IP → SERVER_IP TCP 74 <span class="o">[</span>TCP Retransmission] 44444 → 80 <span class="o">[</span>SYN] <span class="nv">Seq</span><span class="o">=</span>0 <span class="nv">Win</span><span class="o">=</span>64240 <span class="nv">Len</span><span class="o">=</span>0 <span class="nv">MSS</span><span class="o">=</span>1460 <span class="nv">SACK_PERM</span><span class="o">=</span>1 <span class="nv">TSval</span><span class="o">=</span>1756026736 <span class="nv">TSecr</span><span class="o">=</span>0 <span class="nv">WS</span><span class="o">=</span>128 </code></pre> </div> <p>As expected, nothing happens as the SYN flag is interpreted as a FYN flag on server-side.</p> <p>Now let's use scapy and send a FIN-flagged with a random sequence number segment.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1">#! /usr/bin/python </span><span class="kn">from</span> <span class="n">scapy</span> <span class="kn">import</span> <span class="o">*</span> <span class="n">C_ADDR</span> <span class="o">=</span> <span class="sh">"</span><span class="s">MY_IP</span><span class="sh">"</span> <span class="n">C_PORT</span> <span class="o">=</span> <span class="mi">44444</span> <span class="n">S_ADDR</span> <span class="o">=</span> <span class="sh">"</span><span class="s">SERVER_IP</span><span class="sh">"</span> <span class="n">S_PORT</span> <span class="o">=</span> <span class="mi">80</span> <span class="n">C_SEQ</span> <span class="o">=</span> <span class="mi">1234</span> <span class="c1"># random </span> <span class="n">ip</span> <span class="o">=</span> <span class="nc">IP</span><span class="p">(</span><span class="n">src</span><span class="o">=</span><span class="n">C_ADDR</span><span class="p">,</span> <span class="n">dst</span><span class="o">=</span><span class="n">S_ADDR</span><span class="p">)</span> <span class="n">tcp</span> <span class="o">=</span> <span class="nc">TCP</span><span class="p">(</span> <span class="n">sport</span><span class="o">=</span><span class="n">C_PORT</span><span class="p">,</span> <span class="n">dport</span><span class="o">=</span><span class="n">S_PORT</span><span class="p">,</span> <span class="n">flags</span><span class="o">=</span><span class="sh">"</span><span class="s">F</span><span class="sh">"</span><span class="p">,</span> <span class="n">seq</span><span class="o">=</span><span class="n">C_SEQ</span><span class="p">,</span> <span class="p">)</span> <span class="n">p</span> <span class="o">=</span> <span class="nf">send</span><span class="p">(</span><span class="n">ip</span><span class="o">/</span><span class="n">tcp</span><span class="p">)</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>❯ <span class="nb">sudo </span>tshark <span class="nt">-f</span> <span class="s2">"tcp port 80 and host SERVER_IP"</span> 1 0.000000000 MY_IP → SERVER_IP TCP 54 44444 → 80 <span class="o">[</span>FIN] <span class="nv">Seq</span><span class="o">=</span>1 <span class="nv">Win</span><span class="o">=</span>8192 <span class="nv">Len</span><span class="o">=</span>0 2 0.144079153 SERVER_IP → MY_IP TCP 58 80 → 44444 <span class="o">[</span>RST, ACK] <span class="nv">Seq</span><span class="o">=</span>1 <span class="nv">Ack</span><span class="o">=</span>2 <span class="nv">Win</span><span class="o">=</span>65320 <span class="nv">Len</span><span class="o">=</span>0 <span class="nv">MSS</span><span class="o">=</span>1420 </code></pre> </div> <p>The server understands "SYN" and sends us RST-ACK (which is SYN-ACK). So now he must be waiting for a a ECN (which is an ACK)... And so on. You got it.</p> <h3> Packet interception and modification with scapy and nfqueue </h3> <p>We could rewrite an HTTP client with scapy using the modified flags. But it is a long and tedious task as we must craft every request with scapy. A less painful solution would be to have a layer that intercepts every packet and just update the flags before sending/accepting them. And that's where <strong>nfqueue</strong> can help us.</p> <p>Using a standard http client like <strong>curl</strong>, intercept all the incoming and outcoming packages with <strong>nfqueue</strong>, pass them to our <strong>scapy</strong> script that will change the flags accordingly and then send the modified packets to their destination.</p> <p><strong>Netfilter Queue is an iptables target which gives the decision on packets to the userspace</strong>. It is part of the Netfilter project that also provides iptables and nftables. It is commonly used as a proxy or for Man in the Middle attacks.</p> <p>To intercept packets with nfqueue you must set firewall's chain rules accordingly. In this situation we want to intercept:</p> <ul> <li>incoming packets from SERVER_IP (INPUT chain)</li> <li>outgoing packets to SERVER_IP (OUTPUT chain)</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fiicb6ut7a2luhu333c7y.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fiicb6ut7a2luhu333c7y.jpg" alt="Intercepting packets with nfqueue" width="800" height="578"></a></p> <p>Let's try this.</p> <h3> 1. Let's set nfqueue </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1">#!/usr/bin/python3 </span><span class="kn">from</span> <span class="n">netfilterqueue</span> <span class="kn">import</span> <span class="n">NetfilterQueue</span> <span class="kn">from</span> <span class="n">scapy</span> <span class="kn">import</span> <span class="o">*</span> <span class="kn">import</span> <span class="n">os</span> <span class="n">S_ADDR</span> <span class="o">=</span> <span class="sh">"</span><span class="s">SERVER_IP</span><span class="sh">"</span> <span class="c1"># Update iptables rules </span><span class="n">output_rule</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="s">iptables -A OUTPUT --destination </span><span class="si">{</span><span class="n">S_ADDR</span><span class="si">}</span><span class="s"> -j NFQUEUE</span><span class="sh">"</span> <span class="n">input_rule</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="s">iptables -A INPUT --source </span><span class="si">{</span><span class="n">S_ADDR</span><span class="si">}</span><span class="s"> -j NFQUEUE</span><span class="sh">"</span> <span class="n">flush_rules</span> <span class="o">=</span> <span class="sh">"</span><span class="s">iptables -F OUTPUT &amp;&amp; iptables -F INPUT</span><span class="sh">"</span> <span class="n">os</span><span class="p">.</span><span class="nf">system</span><span class="p">(</span><span class="n">input_rule</span><span class="p">)</span> <span class="n">os</span><span class="p">.</span><span class="nf">system</span><span class="p">(</span><span class="n">output_rule</span><span class="p">)</span> <span class="k">def</span> <span class="nf">callback</span><span class="p">(</span><span class="n">raw_pkt</span><span class="p">):</span> <span class="c1"># Get a scapy object from raw packet </span> <span class="n">p</span> <span class="o">=</span> <span class="nc">IP</span><span class="p">(</span><span class="n">raw_pkt</span><span class="p">.</span><span class="nf">get_payload</span><span class="p">())</span> <span class="nf">print</span><span class="p">(</span><span class="n">p</span><span class="p">.</span><span class="nf">show</span><span class="p">())</span> <span class="c1"># Tell nfqueue to accept the packet </span> <span class="n">raw_pkt</span><span class="p">.</span><span class="nf">accept</span><span class="p">()</span> <span class="c1"># Init nfqueue </span><span class="n">q</span> <span class="o">=</span> <span class="nc">NetfilterQueue</span><span class="p">()</span> <span class="n">q</span><span class="p">.</span><span class="nf">bind</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="n">callback</span><span class="p">)</span> <span class="k">try</span><span class="p">:</span> <span class="n">q</span><span class="p">.</span><span class="nf">run</span><span class="p">()</span> <span class="k">except</span> <span class="nb">KeyboardInterrupt</span><span class="p">:</span> <span class="n">q</span><span class="p">.</span><span class="nf">unbind</span><span class="p">()</span> <span class="n">os</span><span class="p">.</span><span class="nf">system</span><span class="p">(</span><span class="n">flush_rules</span><span class="p">)</span> </code></pre> </div> <p>First we update iptables rules to intercept the interesting packets to nfqueue. Then we init nfqueue and bind the queue number 0 to our callback function. We use the same queue for both incoming and outgoing packets.</p> <p>In our callback function, we get a raw packet. To manipulate it, we create a scapy IP layer with the packet's payload as an argument. We print it and finally we accept the packet. If we interrupt the process (with Ctrl+C) then we unbind the queue and flush the iptables rules.</p> <p><strong>Important:</strong> check your INPUT and OUTPUT chain rules before flushing it as it flushes everything.</p> <p>Let's see if it works.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>❯ curl http://SERVER_IP <span class="nt">--local-port</span> 44444 </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># Script output ###[ IP ]### version= 4 ihl= 5 tos= 0x0 len= 60 id= 60025 flags= DF frag= 0 ttl= 64 proto= tcp chksum= 0xa981 src= SERVER_IP dst= CLIENT_IP \options\ ###[ TCP ]### sport= 44444 dport= http seq= 1190907934 ack= 0 dataofs= 10 reserved= 0 flags= S window= 64240 chksum= 0xfaf1 urgptr= 0 options= [('MSS', 1460), ('SAckOK', b''), ('Timestamp', (2004053730, 0)), ('NOP', None), ('WScale', 7)] </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>❯ <span class="nb">sudo </span>tshark <span class="nt">-f</span> <span class="s2">"tcp port 80 and host SERVER_IP"</span> 1 0.000000000 CLIENT_IP → SERVER_IP TCP 74 44444 → 80 <span class="o">[</span>SYN] <span class="nv">Seq</span><span class="o">=</span>0 <span class="nv">Win</span><span class="o">=</span>64240 <span class="nv">Len</span><span class="o">=</span>0 <span class="nv">MSS</span><span class="o">=</span>1460 <span class="nv">SACK_PERM</span><span class="o">=</span>1 <span class="nv">TSval</span><span class="o">=</span>2004025682 <span class="nv">TSecr</span><span class="o">=</span>0 <span class="nv">WS</span><span class="o">=</span>128 </code></pre> </div> <p>Great! Curl tries to initiate the session with the server using a SYN-flagged packet. When the packet reaches the <code>raw_pkt.accept()</code> instruction, it is sent to the client and we can notice it in <strong>tshark</strong>'s output.</p> <h3> 2. Changing the flag </h3> <p>In our callback function, let's try changing the packet's flag with 'F' and see what happens.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">callback</span><span class="p">(</span><span class="n">raw_pkt</span><span class="p">):</span> <span class="c1"># Get a scapy object from raw packet </span> <span class="n">p</span> <span class="o">=</span> <span class="nc">IP</span><span class="p">(</span><span class="n">raw_pkt</span><span class="p">.</span><span class="nf">get_payload</span><span class="p">())</span> <span class="nf">print</span><span class="p">(</span><span class="n">p</span><span class="p">.</span><span class="nf">show</span><span class="p">())</span> <span class="c1"># Set S flag to F flag </span> <span class="k">if</span> <span class="n">p</span><span class="p">.</span><span class="nf">haslayer</span><span class="p">(</span><span class="n">TCP</span><span class="p">):</span> <span class="k">if</span> <span class="n">p</span><span class="p">[</span><span class="n">TCP</span><span class="p">].</span><span class="n">flags</span> <span class="o">=</span> <span class="sh">"</span><span class="s">S</span><span class="sh">"</span> <span class="n">p</span><span class="p">[</span><span class="n">TCP</span><span class="p">].</span><span class="n">flags</span> <span class="o">=</span> <span class="sh">"</span><span class="s">F</span><span class="sh">"</span> <span class="c1"># Update raw packet and then accept it </span> <span class="n">raw_pkt</span><span class="p">.</span><span class="nf">set_payload</span><span class="p">(</span><span class="nf">bytes</span><span class="p">(</span><span class="n">p</span><span class="p">))</span> <span class="n">raw_pkt</span><span class="p">.</span><span class="nf">accept</span><span class="p">()</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>❯ <span class="nb">sudo </span>tshark <span class="nt">-f</span> <span class="s2">"tcp port 80 and host SERVER_IP"</span> 1 0.000000000 CLIENT_IP → SERVER_IP TCP 74 44444 → 80 <span class="o">[</span>FIN] <span class="nv">Seq</span><span class="o">=</span>1 <span class="nv">Win</span><span class="o">=</span>64240 <span class="nv">Len</span><span class="o">=</span>0 <span class="nv">MSS</span><span class="o">=</span>1460 <span class="nv">SACK_PERM</span><span class="o">=</span>1 <span class="nv">TSval</span><span class="o">=</span>2005103907 <span class="nv">TSecr</span><span class="o">=</span>0 <span class="nv">WS</span><span class="o">=</span>128 2 1.005513362 CLIENT_IP → SERVER_IP TCP 74 <span class="o">[</span>TCP Retransmission] 44444 → 80 <span class="o">[</span>FIN] <span class="nv">Seq</span><span class="o">=</span>1 <span class="nv">Win</span><span class="o">=</span>8222720 <span class="nv">Len</span><span class="o">=</span>0 <span class="nv">MSS</span><span class="o">=</span>1460 <span class="nv">SACK_PERM</span><span class="o">=</span>1 <span class="nv">TSval</span><span class="o">=</span>2005104912 <span class="nv">TSecr</span><span class="o">=</span>0 <span class="nv">WS</span><span class="o">=</span>128 </code></pre> </div> <p>Something is wrong, we send a FIN but get no answer... Oh right! checksums, of course. Let's update checksums accordingly.</p> <h3> 3. Update checksums </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Set S flag to F flag </span> <span class="k">if</span> <span class="n">p</span><span class="p">.</span><span class="nf">haslayer</span><span class="p">(</span><span class="n">TCP</span><span class="p">):</span> <span class="k">if</span> <span class="n">p</span><span class="p">[</span><span class="n">TCP</span><span class="p">].</span><span class="n">flags</span> <span class="o">=</span> <span class="sh">"</span><span class="s">S</span><span class="sh">"</span> <span class="n">p</span><span class="p">[</span><span class="n">TCP</span><span class="p">].</span><span class="n">flags</span> <span class="o">=</span> <span class="sh">"</span><span class="s">F</span><span class="sh">"</span> <span class="c1"># Update checksums </span> <span class="k">del</span> <span class="n">p</span><span class="p">[</span><span class="n">IP</span><span class="p">].</span><span class="n">chksum</span> <span class="k">del</span> <span class="n">p</span><span class="p">[</span><span class="n">TCP</span><span class="p">].</span><span class="n">chksum</span> <span class="n">p</span><span class="p">.</span><span class="nf">show2</span><span class="p">()</span> </code></pre> </div> <p>I use the function <code>show2()</code> that recalculate checksums if they are none. This is functional but loud as it also prints the packet. I didn't find any other solution that does it quietly.</p> <p>Let's try now.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>❯ <span class="nb">sudo </span>tshark <span class="nt">-f</span> <span class="s2">"tcp port 80 and host SERVER_IP"</span> 1 0.000000000 CLIENT_IP → SERVER_IP TCP 74 44444 → 80 <span class="o">[</span>FIN] <span class="nv">Seq</span><span class="o">=</span>1 <span class="nv">Win</span><span class="o">=</span>64240 <span class="nv">Len</span><span class="o">=</span>0 <span class="nv">MSS</span><span class="o">=</span>1460 <span class="nv">SACK_PERM</span><span class="o">=</span>1 <span class="nv">TSval</span><span class="o">=</span>2005448037 <span class="nv">TSecr</span><span class="o">=</span>0 <span class="nv">WS</span><span class="o">=</span>128 2 0.154677103 SERVER_IP → CLIENT_IP TCP 74 80 → 44444 <span class="o">[</span>RST, ACK] <span class="nv">Seq</span><span class="o">=</span>1 <span class="nv">Ack</span><span class="o">=</span>2 <span class="nv">Win</span><span class="o">=</span>64768 <span class="nv">Len</span><span class="o">=</span>0 <span class="nv">MSS</span><span class="o">=</span>1420 <span class="nv">SACK_PERM</span><span class="o">=</span>1 <span class="nv">TSval</span><span class="o">=</span>1006897750 <span class="nv">TSecr</span><span class="o">=</span>2005448037 <span class="nv">WS</span><span class="o">=</span>128 </code></pre> </div> <p>Yes! The server answers us back with a RST-ACK. But our curl client still doesn't understand what he means by that. Let's map all the flags accordingly now.</p> <h3> 4. Map all the flags (final code) </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1">#!/usr/bin/python3 </span><span class="kn">from</span> <span class="n">netfilterqueue</span> <span class="kn">import</span> <span class="n">NetfilterQueue</span> <span class="kn">from</span> <span class="n">scapy</span> <span class="kn">import</span> <span class="o">*</span> <span class="kn">import</span> <span class="n">os</span> <span class="n">S_ADDR</span> <span class="o">=</span> <span class="sh">"</span><span class="s">SERVER_IP</span><span class="sh">"</span> <span class="c1"># Update iptables rules to intercept incoming and outcoming packets from/to S_ADDR </span><span class="n">output_rule</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="s">iptables -A OUTPUT --destination </span><span class="si">{</span><span class="n">S_ADDR</span><span class="si">}</span><span class="s"> -j NFQUEUE</span><span class="sh">"</span> <span class="n">input_rule</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="s">iptables -A INPUT --source </span><span class="si">{</span><span class="n">S_ADDR</span><span class="si">}</span><span class="s"> -j NFQUEUE</span><span class="sh">"</span> <span class="n">flush_rules</span> <span class="o">=</span> <span class="sh">"</span><span class="s">iptables -F OUTPUT &amp;&amp; iptables -F INPUT</span><span class="sh">"</span> <span class="n">os</span><span class="p">.</span><span class="nf">system</span><span class="p">(</span><span class="n">input_rule</span><span class="p">)</span> <span class="n">os</span><span class="p">.</span><span class="nf">system</span><span class="p">(</span><span class="n">output_rule</span><span class="p">)</span> <span class="c1"># Dictionary with flag mapping </span><span class="n">fd</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">S</span><span class="sh">"</span><span class="p">:</span><span class="sh">"</span><span class="s">F</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">RA</span><span class="sh">"</span><span class="p">:</span><span class="sh">"</span><span class="s">SA</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">A</span><span class="sh">"</span><span class="p">:</span><span class="sh">"</span><span class="s">E</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">PA</span><span class="sh">"</span><span class="p">:</span><span class="sh">"</span><span class="s">FS</span><span class="sh">"</span> <span class="p">}</span> <span class="c1"># Append the inverted dictionnary </span><span class="n">fd</span><span class="p">.</span><span class="nf">update</span><span class="p">(</span><span class="nf">dict</span><span class="p">((</span><span class="n">v</span><span class="p">,</span><span class="n">k</span><span class="p">)</span> <span class="k">for</span> <span class="n">k</span><span class="p">,</span><span class="n">v</span> <span class="ow">in</span> <span class="n">fd</span><span class="p">.</span><span class="nf">items</span><span class="p">()))</span> <span class="c1"># Helper function to set the flags accordingly </span><span class="k">def</span> <span class="nf">set_flags</span><span class="p">(</span><span class="n">flags</span><span class="p">):</span> <span class="k">return</span> <span class="n">fd</span><span class="p">[</span><span class="n">flags</span><span class="p">]</span> <span class="k">if</span> <span class="n">flags</span> <span class="ow">in</span> <span class="n">fd</span> <span class="k">else</span> <span class="n">flags</span> <span class="c1"># Callback function that modifies our packets before sending them </span><span class="k">def</span> <span class="nf">callback</span><span class="p">(</span><span class="n">raw_pkt</span><span class="p">):</span> <span class="c1"># Get a scapy raw packet that we can modify </span> <span class="n">p</span> <span class="o">=</span> <span class="nc">IP</span><span class="p">(</span><span class="n">raw_pkt</span><span class="p">.</span><span class="nf">get_payload</span><span class="p">())</span> <span class="c1"># Set flags accordingly </span> <span class="k">if</span> <span class="n">p</span><span class="p">.</span><span class="nf">haslayer</span><span class="p">(</span><span class="n">TCP</span><span class="p">):</span> <span class="n">p</span><span class="p">[</span><span class="n">TCP</span><span class="p">].</span><span class="n">flags</span> <span class="o">=</span> <span class="nf">set_flags</span><span class="p">(</span><span class="nf">str</span><span class="p">(</span><span class="n">p</span><span class="p">[</span><span class="n">TCP</span><span class="p">].</span><span class="n">flags</span><span class="p">))</span> <span class="c1"># Calculate new chksums </span> <span class="k">del</span> <span class="n">p</span><span class="p">[</span><span class="n">IP</span><span class="p">].</span><span class="n">chksum</span> <span class="k">del</span> <span class="n">p</span><span class="p">[</span><span class="n">TCP</span><span class="p">].</span><span class="n">chksum</span> <span class="n">p</span><span class="p">.</span><span class="nf">show2</span><span class="p">()</span> <span class="c1"># Update </span> <span class="n">raw_pkt</span><span class="p">.</span><span class="nf">set_payload</span><span class="p">(</span><span class="nf">bytes</span><span class="p">(</span><span class="n">p</span><span class="p">))</span> <span class="c1"># Now we tell nfqueue to accept the modified packet </span> <span class="n">raw_pkt</span><span class="p">.</span><span class="nf">accept</span><span class="p">()</span> <span class="c1"># Init nfqueue </span><span class="n">q</span> <span class="o">=</span> <span class="nc">NetfilterQueue</span><span class="p">()</span> <span class="n">q</span><span class="p">.</span><span class="nf">bind</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="n">callback</span><span class="p">)</span> <span class="k">try</span><span class="p">:</span> <span class="n">q</span><span class="p">.</span><span class="nf">run</span><span class="p">()</span> <span class="k">except</span> <span class="nb">KeyboardInterrupt</span><span class="p">:</span> <span class="n">q</span><span class="p">.</span><span class="nf">unbind</span><span class="p">()</span> <span class="n">os</span><span class="p">.</span><span class="nf">system</span><span class="p">(</span><span class="n">flush_rules</span><span class="p">)</span> </code></pre> </div> <p>We use a dictionary to map all the flags. And then we use the <code>Dict.update()</code> method to add the same tuples but with the keys and values swaped. (e.g. <code>"S":"F"</code> adds <code>"F":"S"</code>).</p> <p>Let's try our new code now.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>❯ curl http://SERVER_IP <span class="nt">--local-port</span> 44444 </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="cp">&lt;!doctype html&gt;</span> <span class="nt">&lt;html&gt;</span> <span class="nt">&lt;head&gt;</span> <span class="nt">&lt;title&gt;</span>FreakyFlagday<span class="nt">&lt;/title&gt;</span> <span class="nt">&lt;/head&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;p&gt;</span>It's freakyflagday and you've made it so far! Well done. All you've gotta do is download the text file from '/gimmedafile.txt' and it'll send you a big important file with the flag at the very end.<span class="nt">&lt;/p&gt;</span> <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>❯ <span class="nb">sudo </span>tshark <span class="nt">-f</span> <span class="s2">"tcp port 80 and host SERVER_IP"</span> 1 0.000000000 MY_IP → SERVER_IP TCP 74 44444 → 80 <span class="o">[</span>FIN] <span class="nv">Seq</span><span class="o">=</span>1 <span class="nv">Win</span><span class="o">=</span>64240 <span class="nv">Len</span><span class="o">=</span>0 <span class="nv">MSS</span><span class="o">=</span>1460 <span class="nv">SACK_PERM</span><span class="o">=</span>1 <span class="nv">TSval</span><span class="o">=</span>1784676225 <span class="nv">TSecr</span><span class="o">=</span>0 <span class="nv">WS</span><span class="o">=</span>128 2 0.145262609 SERVER_IP → MY_IP TCP 74 80 → 44444 <span class="o">[</span>RST, ACK] <span class="nv">Seq</span><span class="o">=</span>1 <span class="nv">Ack</span><span class="o">=</span>2 <span class="nv">Win</span><span class="o">=</span>64768 <span class="nv">Len</span><span class="o">=</span>0 <span class="nv">MSS</span><span class="o">=</span>1420 <span class="nv">SACK_PERM</span><span class="o">=</span>1 <span class="nv">TSval</span><span class="o">=</span>786145437 <span class="nv">TSecr</span><span class="o">=</span>1784676225 <span class="nv">WS</span><span class="o">=</span>128 3 0.160854317 MY_IP → SERVER_IP TCP 66 44444 → 80 <span class="o">[</span>ECN] <span class="nv">Seq</span><span class="o">=</span>2 <span class="nv">Win</span><span class="o">=</span>64256 <span class="nv">Len</span><span class="o">=</span>0 <span class="nv">TSval</span><span class="o">=</span>1784676385 <span class="nv">TSecr</span><span class="o">=</span>786145437 4 0.170014574 MY_IP → SERVER_IP HTTP 144 <span class="o">[</span>TCP Port numbers reused] GET / HTTP/1.1 5 0.287621647 SERVER_IP → MY_IP TCP 66 80 → 44444 <span class="o">[</span>ECN] <span class="nv">Seq</span><span class="o">=</span>1 <span class="nv">Win</span><span class="o">=</span>506 <span class="nv">Len</span><span class="o">=</span>0 <span class="nv">TSval</span><span class="o">=</span>786145607 <span class="nv">TSecr</span><span class="o">=</span>1784676385 6 0.290354873 SERVER_IP → MY_IP HTTP 220 <span class="o">[</span>TCP Port numbers reused] HTTP/1.1 200 OK 7 0.311377282 MY_IP → SERVER_IP TCP 66 <span class="o">[</span>TCP Keep-Alive] 44444 → 80 <span class="o">[</span>ECN] <span class="nv">Seq</span><span class="o">=</span>78 <span class="nv">Win</span><span class="o">=</span>501 <span class="nv">Len</span><span class="o">=</span>0 <span class="nv">TSval</span><span class="o">=</span>1784676535 <span class="nv">TSecr</span><span class="o">=</span>786145609 8 0.426628596 SERVER_IP → MY_IP TCP 376 <span class="o">[</span>TCP Port numbers reused] 80 → 44444 <span class="o">[</span>FIN, SYN] <span class="nv">Seq</span><span class="o">=</span>0 <span class="nv">Win</span><span class="o">=</span>506 <span class="nv">Len</span><span class="o">=</span>310 <span class="nv">TSval</span><span class="o">=</span>786145748 <span class="nv">TSecr</span><span class="o">=</span>1784676535 9 0.444996568 MY_IP → SERVER_IP TCP 66 <span class="o">[</span>TCP Keep-Alive] 44444 → 80 <span class="o">[</span>ECN] <span class="nv">Seq</span><span class="o">=</span>78 <span class="nv">Win</span><span class="o">=</span>501 <span class="nv">Len</span><span class="o">=</span>0 <span class="nv">TSval</span><span class="o">=</span>1784676668 <span class="nv">TSecr</span><span class="o">=</span>786145748 10 0.449897000 MY_IP → SERVER_IP TCP 66 <span class="o">[</span>TCP ACKed unseen segment] <span class="o">[</span>TCP Retransmission] 44444 → 80 <span class="o">[</span>FIN, ACK] <span class="nv">Seq</span><span class="o">=</span>78 <span class="nv">Ack</span><span class="o">=</span>465 <span class="nv">Win</span><span class="o">=</span>501 <span class="nv">Len</span><span class="o">=</span>0 <span class="nv">TSval</span><span class="o">=</span>1784676669 <span class="nv">TSecr</span><span class="o">=</span>786145748 11 0.562439239 SERVER_IP → MY_IP TCP 66 <span class="o">[</span>TCP Retransmission] 80 → 44444 <span class="o">[</span>FIN, ACK] <span class="nv">Seq</span><span class="o">=</span>310 <span class="nv">Ack</span><span class="o">=</span>1 <span class="nv">Win</span><span class="o">=</span>506 <span class="nv">Len</span><span class="o">=</span>0 <span class="nv">TSval</span><span class="o">=</span>786145885 <span class="nv">TSecr</span><span class="o">=</span>1784676669 12 0.583268378 MY_IP → SERVER_IP TCP 66 44444 → 80 <span class="o">[</span>ECN] <span class="nv">Seq</span><span class="o">=</span>79 <span class="nv">Win</span><span class="o">=</span>501 <span class="nv">Len</span><span class="o">=</span>0 <span class="nv">TSval</span><span class="o">=</span>1784676807 <span class="nv">TSecr</span><span class="o">=</span>786145885 </code></pre> </div> <p>Seems like it worked pretty well. The flag seems to be in this <code>gimmedafile.txt</code> file. Let's try and get the file.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>❯ curl http://SERVER_IP/gimmedafile.txt <span class="nt">--local-port</span> 44445 Voluptatem ipsum <span class="o">[</span>...39404 characters...] dolor ut. flag<span class="o">{</span>e2960da061a85fbcabb0670e4ddb9e93<span class="o">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>❯ <span class="nb">sudo </span>tshark <span class="nt">-f</span> <span class="s2">"tcp port 80 and host SERVER_IP"</span> 1 0.000000000 MY_IP → SERVER_IP TCP 74 44445 → 80 <span class="o">[</span>FIN] <span class="nv">Seq</span><span class="o">=</span>1 <span class="nv">Win</span><span class="o">=</span>64240 <span class="nv">Len</span><span class="o">=</span>0 <span class="nv">MSS</span><span class="o">=</span>1460 <span class="nv">SACK_PERM</span><span class="o">=</span>1 <span class="nv">TSval</span><span class="o">=</span>1784824675 <span class="nv">TSecr</span><span class="o">=</span>0 <span class="nv">WS</span><span class="o">=</span>128 2 0.142799620 SERVER_IP → MY_IP TCP 74 80 → 44445 <span class="o">[</span>RST, ACK] <span class="nv">Seq</span><span class="o">=</span>1 <span class="nv">Ack</span><span class="o">=</span>2 <span class="nv">Win</span><span class="o">=</span>64768 <span class="nv">Len</span><span class="o">=</span>0 <span class="nv">MSS</span><span class="o">=</span>1420 <span class="nv">SACK_PERM</span><span class="o">=</span>1 <span class="nv">TSval</span><span class="o">=</span>786293873 <span class="nv">TSecr</span><span class="o">=</span>1784824675 <span class="nv">WS</span><span class="o">=</span>128 3 0.159637964 MY_IP → SERVER_IP TCP 66 44445 → 80 <span class="o">[</span>ECN] <span class="nv">Seq</span><span class="o">=</span>2 <span class="nv">Win</span><span class="o">=</span>64256 <span class="nv">Len</span><span class="o">=</span>0 <span class="nv">TSval</span><span class="o">=</span>1784824834 <span class="nv">TSecr</span><span class="o">=</span>786293873 4 0.165712720 MY_IP → SERVER_IP HTTP 159 <span class="o">[</span>TCP Port numbers reused] GET /gimmedafile.txt HTTP/1.1 5 0.278158205 SERVER_IP → MY_IP TCP 66 80 → 44445 <span class="o">[</span>ECN] <span class="nv">Seq</span><span class="o">=</span>1 <span class="nv">Win</span><span class="o">=</span>506 <span class="nv">Len</span><span class="o">=</span>0 <span class="nv">TSval</span><span class="o">=</span>786294039 <span class="nv">TSecr</span><span class="o">=</span>1784824834 6 0.281436371 SERVER_IP → MY_IP HTTP 227 <span class="o">[</span>TCP Port numbers reused] HTTP/1.1 200 OK 7 0.286101671 SERVER_IP → MY_IP TCP 1474 80 → 44445 <span class="o">[</span>ECN] <span class="nv">Seq</span><span class="o">=</span>161 <span class="nv">Win</span><span class="o">=</span>506 <span class="nv">Len</span><span class="o">=</span>1408 <span class="nv">TSval</span><span class="o">=</span>786294048 <span class="nv">TSecr</span><span class="o">=</span>1784824834 8 0.290101742 SERVER_IP → MY_IP TCP 1474 80 → 44445 <span class="o">[</span>ECN] <span class="nv">Seq</span><span class="o">=</span>1569 <span class="nv">Win</span><span class="o">=</span>506 <span class="nv">Len</span><span class="o">=</span>1408 <span class="nv">TSval</span><span class="o">=</span>786294052 <span class="nv">TSecr</span><span class="o">=</span>1784824834 9 0.293428900 SERVER_IP → MY_IP TCP 1474 80 → 44445 <span class="o">[</span>ECN] <span class="nv">Seq</span><span class="o">=</span>2977 <span class="nv">Win</span><span class="o">=</span>506 <span class="nv">Len</span><span class="o">=</span>1408 <span class="nv">TSval</span><span class="o">=</span>786294056 <span class="nv">TSecr</span><span class="o">=</span>1784824834 10 0.300100620 SERVER_IP → MY_IP TCP 1474 80 → 44445 <span class="o">[</span>ECN] <span class="nv">Seq</span><span class="o">=</span>4385 <span class="nv">Win</span><span class="o">=</span>506 <span class="nv">Len</span><span class="o">=</span>1408 <span class="nv">TSval</span><span class="o">=</span>786294060 <span class="nv">TSecr</span><span class="o">=</span>1784824834 11 0.303058929 SERVER_IP → MY_IP TCP 1474 80 → 44445 <span class="o">[</span>ECN] <span class="nv">Seq</span><span class="o">=</span>5793 <span class="nv">Win</span><span class="o">=</span>506 <span class="nv">Len</span><span class="o">=</span>1408 <span class="nv">TSval</span><span class="o">=</span>786294060 <span class="nv">TSecr</span><span class="o">=</span>1784824834 12 0.305803295 SERVER_IP → MY_IP TCP 1474 80 → 44445 <span class="o">[</span>ECN] <span class="nv">Seq</span><span class="o">=</span>7201 <span class="nv">Win</span><span class="o">=</span>506 <span class="nv">Len</span><span class="o">=</span>1408 <span class="nv">TSval</span><span class="o">=</span>786294061 <span class="nv">TSecr</span><span class="o">=</span>1784824834 13 0.308359956 SERVER_IP → MY_IP TCP 1474 80 → 44445 <span class="o">[</span>ECN] <span class="nv">Seq</span><span class="o">=</span>8609 <span class="nv">Win</span><span class="o">=</span>506 <span class="nv">Len</span><span class="o">=</span>1408 <span class="nv">TSval</span><span class="o">=</span>786294061 <span class="nv">TSecr</span><span class="o">=</span>1784824834 14 0.311371415 SERVER_IP → MY_IP TCP 1474 80 → 44445 <span class="o">[</span>ECN] <span class="nv">Seq</span><span class="o">=</span>10017 <span class="nv">Win</span><span class="o">=</span>506 <span class="nv">Len</span><span class="o">=</span>1408 <span class="nv">TSval</span><span class="o">=</span>786294067 <span class="nv">TSecr</span><span class="o">=</span>1784824834 15 0.314342631 SERVER_IP → MY_IP TCP 1474 80 → 44445 <span class="o">[</span>ECN] <span class="nv">Seq</span><span class="o">=</span>11425 <span class="nv">Win</span><span class="o">=</span>506 <span class="nv">Len</span><span class="o">=</span>1408 <span class="nv">TSval</span><span class="o">=</span>786294070 <span class="nv">TSecr</span><span class="o">=</span>1784824834 16 0.317448713 MY_IP → SERVER_IP TCP 66 <span class="o">[</span>TCP Keep-Alive] 44445 → 80 <span class="o">[</span>ECN] <span class="nv">Seq</span><span class="o">=</span>93 <span class="nv">Win</span><span class="o">=</span>501 <span class="nv">Len</span><span class="o">=</span>0 <span class="nv">TSval</span><span class="o">=</span>1784824974 <span class="nv">TSecr</span><span class="o">=</span>786294043 17 0.322497523 MY_IP → SERVER_IP TCP 66 <span class="o">[</span>TCP Keep-Alive] 44445 → 80 <span class="o">[</span>ECN] <span class="nv">Seq</span><span class="o">=</span>93 <span class="nv">Win</span><span class="o">=</span>497 <span class="nv">Len</span><span class="o">=</span>0 <span class="nv">TSval</span><span class="o">=</span>1784824980 <span class="nv">TSecr</span><span class="o">=</span>786294048 18 0.345296346 MY_IP → SERVER_IP TCP 66 <span class="o">[</span>TCP Keep-Alive] 44445 → 80 <span class="o">[</span>ECN] <span class="nv">Seq</span><span class="o">=</span>93 <span class="nv">Win</span><span class="o">=</span>497 <span class="nv">Len</span><span class="o">=</span>0 <span class="nv">TSval</span><span class="o">=</span>1784824986 <span class="nv">TSecr</span><span class="o">=</span>786294052 19 0.363030999 MY_IP → SERVER_IP TCP 66 <span class="o">[</span>TCP Keep-Alive] 44445 → 80 <span class="o">[</span>ECN] <span class="nv">Seq</span><span class="o">=</span>93 <span class="nv">Win</span><span class="o">=</span>497 <span class="nv">Len</span><span class="o">=</span>0 <span class="nv">TSval</span><span class="o">=</span>1784824992 <span class="nv">TSecr</span><span class="o">=</span>786294056 20 0.374327694 MY_IP → SERVER_IP TCP 66 <span class="o">[</span>TCP Keep-Alive] 44445 → 80 <span class="o">[</span>ECN] <span class="nv">Seq</span><span class="o">=</span>93 <span class="nv">Win</span><span class="o">=</span>497 <span class="nv">Len</span><span class="o">=</span>0 <span class="nv">TSval</span><span class="o">=</span>1784825009 <span class="nv">TSecr</span><span class="o">=</span>786294060 21 0.379388653 MY_IP → SERVER_IP TCP 66 <span class="o">[</span>TCP Keep-Alive] 44445 → 80 <span class="o">[</span>ECN] <span class="nv">Seq</span><span class="o">=</span>93 <span class="nv">Win</span><span class="o">=</span>497 <span class="nv">Len</span><span class="o">=</span>0 <span class="nv">TSval</span><span class="o">=</span>1784825014 <span class="nv">TSecr</span><span class="o">=</span>786294060 22 0.384474051 MY_IP → SERVER_IP TCP 66 <span class="o">[</span>TCP Keep-Alive] 44445 → 80 <span class="o">[</span>ECN] <span class="nv">Seq</span><span class="o">=</span>93 <span class="nv">Win</span><span class="o">=</span>497 <span class="nv">Len</span><span class="o">=</span>0 <span class="nv">TSval</span><span class="o">=</span>1784825020 <span class="nv">TSecr</span><span class="o">=</span>786294061 23 0.389563243 MY_IP → SERVER_IP TCP 66 <span class="o">[</span>TCP Keep-Alive] 44445 → 80 <span class="o">[</span>ECN] <span class="nv">Seq</span><span class="o">=</span>93 <span class="nv">Win</span><span class="o">=</span>497 <span class="nv">Len</span><span class="o">=</span>0 <span class="nv">TSval</span><span class="o">=</span>1784825031 <span class="nv">TSecr</span><span class="o">=</span>786294061 24 0.395089952 MY_IP → SERVER_IP TCP 66 <span class="o">[</span>TCP Keep-Alive] 44445 → 80 <span class="o">[</span>ECN] <span class="nv">Seq</span><span class="o">=</span>93 <span class="nv">Win</span><span class="o">=</span>497 <span class="nv">Len</span><span class="o">=</span>0 <span class="nv">TSval</span><span class="o">=</span>1784825038 <span class="nv">TSecr</span><span class="o">=</span>786294067 25 0.400325803 MY_IP → SERVER_IP TCP 66 <span class="o">[</span>TCP Keep-Alive] 44445 → 80 <span class="o">[</span>ECN] <span class="nv">Seq</span><span class="o">=</span>93 <span class="nv">Win</span><span class="o">=</span>497 <span class="nv">Len</span><span class="o">=</span>0 <span class="nv">TSval</span><span class="o">=</span>1784825049 <span class="nv">TSecr</span><span class="o">=</span>786294070 26 0.429292547 SERVER_IP → MY_IP TCP 1474 80 → 44445 <span class="o">[</span>ECN] <span class="nv">Seq</span><span class="o">=</span>12833 <span class="nv">Win</span><span class="o">=</span>506 <span class="nv">Len</span><span class="o">=</span>1408 <span class="nv">TSval</span><span class="o">=</span>786294190 <span class="nv">TSecr</span><span class="o">=</span>1784824974 27 0.432396491 SERVER_IP → MY_IP TCP 1474 80 → 44445 <span class="o">[</span>ECN] <span class="nv">Seq</span><span class="o">=</span>14241 <span class="nv">Win</span><span class="o">=</span>506 <span class="nv">Len</span><span class="o">=</span>1408 <span class="nv">TSval</span><span class="o">=</span>786294190 <span class="nv">TSecr</span><span class="o">=</span>1784824974 28 0.435011224 SERVER_IP → MY_IP TCP 1474 80 → 44445 <span class="o">[</span>ECN] <span class="nv">Seq</span><span class="o">=</span>15649 <span class="nv">Win</span><span class="o">=</span>506 <span class="nv">Len</span><span class="o">=</span>1408 <span class="nv">TSval</span><span class="o">=</span>786294195 <span class="nv">TSecr</span><span class="o">=</span>1784824980 29 0.437501469 SERVER_IP → MY_IP TCP 1474 80 → 44445 <span class="o">[</span>ECN] <span class="nv">Seq</span><span class="o">=</span>17057 <span class="nv">Win</span><span class="o">=</span>506 <span class="nv">Len</span><span class="o">=</span>1408 <span class="nv">TSval</span><span class="o">=</span>786294195 <span class="nv">TSecr</span><span class="o">=</span>1784824980 30 0.455718674 SERVER_IP → MY_IP TCP 1276 <span class="o">[</span>TCP Port numbers reused] 80 → 44445 <span class="o">[</span>FIN, SYN] <span class="nv">Seq</span><span class="o">=</span>0 <span class="nv">Win</span><span class="o">=</span>506 <span class="nv">Len</span><span class="o">=</span>1210 <span class="nv">TSval</span><span class="o">=</span>786294218 <span class="nv">TSecr</span><span class="o">=</span>1784824986 31 0.459562289 SERVER_IP → MY_IP TCP 1474 80 → 44445 <span class="o">[</span>ECN] <span class="nv">Seq</span><span class="o">=</span>1210 <span class="nv">Win</span><span class="o">=</span>506 <span class="nv">Len</span><span class="o">=</span>1408 <span class="nv">TSval</span><span class="o">=</span>786294222 <span class="nv">TSecr</span><span class="o">=</span>1784824986 32 0.473141161 MY_IP → SERVER_IP TCP 66 <span class="o">[</span>TCP Keep-Alive] 44445 → 80 <span class="o">[</span>ECN] <span class="nv">Seq</span><span class="o">=</span>93 <span class="nv">Win</span><span class="o">=</span>497 <span class="nv">Len</span><span class="o">=</span>0 <span class="nv">TSval</span><span class="o">=</span>1784825125 <span class="nv">TSecr</span><span class="o">=</span>786294190 33 0.473160024 SERVER_IP → MY_IP TCP 1474 80 → 44445 <span class="o">[</span>ECN] <span class="nv">Seq</span><span class="o">=</span>2618 <span class="nv">Win</span><span class="o">=</span>506 <span class="nv">Len</span><span class="o">=</span>1408 <span class="nv">TSval</span><span class="o">=</span>786294235 <span class="nv">TSecr</span><span class="o">=</span>1784824992 34 0.476471278 SERVER_IP → MY_IP TCP 1474 80 → 44445 <span class="o">[</span>ECN] <span class="nv">Seq</span><span class="o">=</span>4026 <span class="nv">Win</span><span class="o">=</span>506 <span class="nv">Len</span><span class="o">=</span>1408 <span class="nv">TSval</span><span class="o">=</span>786294235 <span class="nv">TSecr</span><span class="o">=</span>1784824992 35 0.478176107 MY_IP → SERVER_IP TCP 66 <span class="o">[</span>TCP Keep-Alive] 44445 → 80 <span class="o">[</span>ECN] <span class="nv">Seq</span><span class="o">=</span>93 <span class="nv">Win</span><span class="o">=</span>497 <span class="nv">Len</span><span class="o">=</span>0 <span class="nv">TSval</span><span class="o">=</span>1784825133 <span class="nv">TSecr</span><span class="o">=</span>786294190 36 0.483052912 SERVER_IP → MY_IP TCP 1474 80 → 44445 <span class="o">[</span>ECN] <span class="nv">Seq</span><span class="o">=</span>5434 <span class="nv">Win</span><span class="o">=</span>506 <span class="nv">Len</span><span class="o">=</span>1408 <span class="nv">TSval</span><span class="o">=</span>786294246 <span class="nv">TSecr</span><span class="o">=</span>1784825009 37 0.489734170 MY_IP → SERVER_IP TCP 66 <span class="o">[</span>TCP Keep-Alive] 44445 → 80 <span class="o">[</span>ECN] <span class="nv">Seq</span><span class="o">=</span>93 <span class="nv">Win</span><span class="o">=</span>497 <span class="nv">Len</span><span class="o">=</span>0 <span class="nv">TSval</span><span class="o">=</span>1784825140 <span class="nv">TSecr</span><span class="o">=</span>786294195 38 0.490446940 SERVER_IP → MY_IP TCP 1474 80 → 44445 <span class="o">[</span>ECN] <span class="nv">Seq</span><span class="o">=</span>6842 <span class="nv">Win</span><span class="o">=</span>506 <span class="nv">Len</span><span class="o">=</span>1408 <span class="nv">TSval</span><span class="o">=</span>786294246 <span class="nv">TSecr</span><span class="o">=</span>1784825009 39 0.495628297 SERVER_IP → MY_IP TCP 1474 80 → 44445 <span class="o">[</span>ECN] <span class="nv">Seq</span><span class="o">=</span>8250 <span class="nv">Win</span><span class="o">=</span>506 <span class="nv">Len</span><span class="o">=</span>1408 <span class="nv">TSval</span><span class="o">=</span>786294252 <span class="nv">TSecr</span><span class="o">=</span>1784825014 40 0.498457646 SERVER_IP → MY_IP TCP 1474 80 → 44445 <span class="o">[</span>ECN] <span class="nv">Seq</span><span class="o">=</span>9658 <span class="nv">Win</span><span class="o">=</span>506 <span class="nv">Len</span><span class="o">=</span>1408 <span class="nv">TSval</span><span class="o">=</span>786294252 <span class="nv">TSecr</span><span class="o">=</span>1784825014 41 0.502477260 MY_IP → SERVER_IP TCP 66 <span class="o">[</span>TCP Keep-Alive] 44445 → 80 <span class="o">[</span>ECN] <span class="nv">Seq</span><span class="o">=</span>93 <span class="nv">Win</span><span class="o">=</span>497 <span class="nv">Len</span><span class="o">=</span>0 <span class="nv">TSval</span><span class="o">=</span>1784825148 <span class="nv">TSecr</span><span class="o">=</span>786294195 42 0.503250048 SERVER_IP → MY_IP TCP 1474 80 → 44445 <span class="o">[</span>ECN] <span class="nv">Seq</span><span class="o">=</span>11066 <span class="nv">Win</span><span class="o">=</span>506 <span class="nv">Len</span><span class="o">=</span>1408 <span class="nv">TSval</span><span class="o">=</span>786294256 <span class="nv">TSecr</span><span class="o">=</span>1784825020 43 0.508097290 SERVER_IP → MY_IP TCP 1474 80 → 44445 <span class="o">[</span>ECN] <span class="nv">Seq</span><span class="o">=</span>12474 <span class="nv">Win</span><span class="o">=</span>506 <span class="nv">Len</span><span class="o">=</span>1408 <span class="nv">TSval</span><span class="o">=</span>786294261 <span class="nv">TSecr</span><span class="o">=</span>1784825031 44 0.529693000 MY_IP → SERVER_IP TCP 66 <span class="o">[</span>TCP Keep-Alive] 44445 → 80 <span class="o">[</span>ECN] <span class="nv">Seq</span><span class="o">=</span>93 <span class="nv">Win</span><span class="o">=</span>497 <span class="nv">Len</span><span class="o">=</span>0 <span class="nv">TSval</span><span class="o">=</span>1784825165 <span class="nv">TSecr</span><span class="o">=</span>786294218 45 0.547629433 MY_IP → SERVER_IP TCP 66 <span class="o">[</span>TCP Keep-Alive] 44445 → 80 <span class="o">[</span>ECN] <span class="nv">Seq</span><span class="o">=</span>93 <span class="nv">Win</span><span class="o">=</span>497 <span class="nv">Len</span><span class="o">=</span>0 <span class="nv">TSval</span><span class="o">=</span>1784825177 <span class="nv">TSecr</span><span class="o">=</span>786294222 46 0.569959311 MY_IP → SERVER_IP TCP 66 <span class="o">[</span>TCP Keep-Alive] 44445 → 80 <span class="o">[</span>ECN] <span class="nv">Seq</span><span class="o">=</span>93 <span class="nv">Win</span><span class="o">=</span>497 <span class="nv">Len</span><span class="o">=</span>0 <span class="nv">TSval</span><span class="o">=</span>1784825198 <span class="nv">TSecr</span><span class="o">=</span>786294235 47 0.574834351 MY_IP → SERVER_IP TCP 66 <span class="o">[</span>TCP Keep-Alive] 44445 → 80 <span class="o">[</span>ECN] <span class="nv">Seq</span><span class="o">=</span>93 <span class="nv">Win</span><span class="o">=</span>497 <span class="nv">Len</span><span class="o">=</span>0 <span class="nv">TSval</span><span class="o">=</span>1784825216 <span class="nv">TSecr</span><span class="o">=</span>786294246 48 0.582698364 MY_IP → SERVER_IP TCP 66 <span class="o">[</span>TCP Keep-Alive] 44445 → 80 <span class="o">[</span>ECN] <span class="nv">Seq</span><span class="o">=</span>93 <span class="nv">Win</span><span class="o">=</span>497 <span class="nv">Len</span><span class="o">=</span>0 <span class="nv">TSval</span><span class="o">=</span>1784825234 <span class="nv">TSecr</span><span class="o">=</span>786294252 49 0.590039492 MY_IP → SERVER_IP TCP 66 <span class="o">[</span>TCP Keep-Alive] 44445 → 80 <span class="o">[</span>ECN] <span class="nv">Seq</span><span class="o">=</span>93 <span class="nv">Win</span><span class="o">=</span>497 <span class="nv">Len</span><span class="o">=</span>0 <span class="nv">TSval</span><span class="o">=</span>1784825245 <span class="nv">TSecr</span><span class="o">=</span>786294256 50 0.640226149 SERVER_IP → MY_IP TCP 651 <span class="o">[</span>TCP Port numbers reused] 80 → 44445 <span class="o">[</span>FIN, SYN] <span class="nv">Seq</span><span class="o">=</span>0 <span class="nv">Win</span><span class="o">=</span>506 <span class="nv">Len</span><span class="o">=</span>585 <span class="nv">TSval</span><span class="o">=</span>786294402 <span class="nv">TSecr</span><span class="o">=</span>1784825165 51 0.663333652 MY_IP → SERVER_IP TCP 66 <span class="o">[</span>TCP Keep-Alive] 44445 → 80 <span class="o">[</span>ECN] <span class="nv">Seq</span><span class="o">=</span>93 <span class="nv">Win</span><span class="o">=</span>501 <span class="nv">Len</span><span class="o">=</span>0 <span class="nv">TSval</span><span class="o">=</span>1784825334 <span class="nv">TSecr</span><span class="o">=</span>786294402 52 0.669714648 MY_IP → SERVER_IP TCP 66 <span class="o">[</span>TCP ACKed unseen segment] <span class="o">[</span>TCP Retransmission] 44445 → 80 <span class="o">[</span>FIN, ACK] <span class="nv">Seq</span><span class="o">=</span>93 <span class="nv">Ack</span><span class="o">=</span>32933 <span class="nv">Win</span><span class="o">=</span>501 <span class="nv">Len</span><span class="o">=</span>0 <span class="nv">TSval</span><span class="o">=</span>1784825335 <span class="nv">TSecr</span><span class="o">=</span>786294402 53 0.776541498 SERVER_IP → MY_IP TCP 66 <span class="o">[</span>TCP Retransmission] 80 → 44445 <span class="o">[</span>FIN, ACK] <span class="nv">Seq</span><span class="o">=</span>585 <span class="nv">Ack</span><span class="o">=</span>1 <span class="nv">Win</span><span class="o">=</span>506 <span class="nv">Len</span><span class="o">=</span>0 <span class="nv">TSval</span><span class="o">=</span>786294541 <span class="nv">TSecr</span><span class="o">=</span>1784825335 54 0.793113070 MY_IP → SERVER_IP TCP 66 44445 → 80 <span class="o">[</span>ECN] <span class="nv">Seq</span><span class="o">=</span>94 <span class="nv">Win</span><span class="o">=</span>501 <span class="nv">Len</span><span class="o">=</span>0 <span class="nv">TSval</span><span class="o">=</span>1784825466 <span class="nv">TSecr</span><span class="o">=</span>786294541 </code></pre> </div> <p>And voilà! Here's the second flag: <code>flag{e2960da061a85fbcabb0670e4ddb9e93}</code><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ff99v43ptb9b94ybkjbh7.gif" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ff99v43ptb9b94ybkjbh7.gif" alt="So excited" width="250" height="303"></a></p> <p>I hope you enjoyed this introduction to packets manipulation. I would like to thank <strong>nneonneo</strong> and <strong>Kkevsterrr</strong> for their explanations. Join <a href="https://discord.gg/ysndAm8" rel="noopener noreferrer">Nahamsec on Discord</a> to reach them out.<br> Until next time!</p> <h3> Further Lectures </h3> <ul> <li><a href="http://ttcplinux.sourceforge.net/documents/one/tcpstate/tcpstate.html#:~:text=Simultaneous%20Open,active%20open%20on%20both%20sides%22." rel="noopener noreferrer">TCP State Transitions - T/TCP (Transaction TCP) for Linux</a></li> <li><a href="https://users.cs.northwestern.edu/~agupta/cs340/project2/TCPIP_State_Transition_Diagram.pdf" rel="noopener noreferrer">TCP/IP State Transition Diagram (RFC793)</a></li> <li><a href="https://datatracker.ietf.org/doc/html/rfc793" rel="noopener noreferrer">RFC-793 on ietf.org</a></li> <li><a href="http://www.tcpipguide.com/index.htm" rel="noopener noreferrer">The TCP/IP Guide</a></li> <li><a href="https://byt3bl33d3r.github.io/using-nfqueue-with-python-the-right-way.html" rel="noopener noreferrer">Using nfqueue with python</a></li> <li><a href="https://scapy.readthedocs.io/" rel="noopener noreferrer">Scapy docs</a></li> <li><a href="https://stackoverflow.com/questions/5953371/how-to-calculate-a-packet-checksum-without-sending-it" rel="noopener noreferrer">About calculating checksums with Scapy on Stack Overflow</a></li> <li><a href="https://github.com/oremanj/python-netfilterqueue" rel="noopener noreferrer">python-netfilterqueue on Github</a></li> <li><a href="https://www.netfilter.org/" rel="noopener noreferrer">Netfilter project</a></li> <li><a href="https://www.keycdn.com/support/tcp-flags" rel="noopener noreferrer">TCP Flags on KeyCDN</a></li> </ul> ctf security networking hacking