DEV Community

Nucu Labs

FlareOn6 - Challenge 4: Write-Up

Hello,

In this article I will present my solution for the fourth challenge of FlareOn6.

The tools I used to solve this challenge were:

  • Kali Linux
  • DnsChef
  • Wireshark
  • Python
  • Ghidra

I opened the binary in Kali and got a nice chess game going. When I made the first move, the AI resigned. I opened the provided pcap file in Wireshark and saw a lot of DNS traffic. Malware often uses DNS to do certain actions, and if a server is not found it stops operating, so I figured out that I had to fake the DNS. Luckily, I had all the traffic I needed in the pcap file.

Since copy-pasting 80 lines of Wireshark output would be painfully slow, I took some time to install pyshark and wrote a small Python program to parse the pcap and output the traffic in a format that dnschef would like.

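import sys

import pyshark

def main():
    # Status message goes to stderr so it does not end up in the redirected output
    print("gimme da pcap", file=sys.stderr)
    # Load only DNS packets from the capture
    cap = pyshark.FileCapture('./capture.pcap', display_filter='dns')
    for packet in cap:
        # Skip anything that is not IPv4 or that carries no A record
        if 'ip' not in packet or getattr(packet.dns, 'a', None) is None:
            continue
        # Keep the responses sent back to the client
        if packet.ip.dst == "192.168.122.1":
            # dnschef hosts-file line: name=address
            print("{}={}".format(packet.dns.qry_name, packet.dns.a))
    cap.close()

if __name__ == '__main__':
    main()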

After that I redirected the output of the script to fakehosts.txt, added an [A] section header to the file and ran dnschef with the following command:

dnschef --fakens=ns1.game-of-thrones.flare-on.com --file=fakehosts.txt -i 0.0.0.0

And that didn't work: I forgot to go to the network manager and set my DNS server to localhost. After that was done I opened up the program, picked a random move from the list and it magically worked, the AI responded to my move! Hurray!
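A quick pre-flight check for the mistake described above, as an added example that is not part of the original write-up: it reads the [A] section of fakehosts.txt and reports every name the system resolver does not answer with the expected address. The host names and addresses in the sample are constructed, and the file is assumed to sit in the working directory.

```python
import configparser
import socket

# Constructed sample in the fakehosts.txt layout described above:
# an [A] section header followed by name=address lines (values are made up).
SAMPLE_FAKEHOSTS = """\
[A]
move-one.example.test=127.10.20.30
move-two.example.test=127.40.50.60
"""

def load_a_records(text):
    """Return {name: address} from the [A] section of a dnschef hosts file."""
    parser = configparser.ConfigParser(delimiters=("=",))
    try:
        parser.read_string(text)
    except configparser.MissingSectionHeaderError:
        raise ValueError("missing [A] section header")
    if not parser.has_section("A"):
        raise ValueError("missing [A] section header")
    return dict(parser.items("A"))

def system_resolve(name):
    """Resolve through the OS resolver, i.e. whatever DNS server is configured."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None  # no answer at all

def check_fake_dns(records, resolve=system_resolve):
    """Return [(name, expected, got)] for every name not answered as expected."""
    problems = []
    for name, expected in records.items():
        got = resolve(name)
        if got != expected:
            problems.append((name, expected, got))
    return problems

if __name__ == "__main__":
    with open("fakehosts.txt") as fh:
        records = load_a_records(fh.read())
    for name, expected, got in check_fake_dns(records):
        print("MISMATCH {}: expected {}, got {}".format(name, expected, got))
```

If every line comes back as a mismatch, the machine is still asking its normal DNS server rather than the local dnschef instance.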

I thought this was it, I had solved the challenge, now to make the next move and... the AI resigned. It looked like I had to do the moves in a certain order; I couldn't do them randomly or in the order that I wanted to do them.

But it took me some time to realise that. I even looked at the source code in Ghidra to see what I was doing wrong.

--

One night, when I had some extra time, I sat down with the list of available moves and started manually brute forcing the moves until I got the right combination and the flag! It took me about one to two hours. Luckily I knew a bit of chess, otherwise I wouldn't have finished it that fast.

Thank you for reading!
