Latest articles:

Insomni Hack 2015(Lost In Memories) writeup

aus der Kategorie Hacking

Begin

In the pcap included in this challenge we see icmp packages that are sent to 10.13.37.161. Only some packages receive a reply. An important fact is that the TTL changes and depending on the TTL a reply is send or not. It seems that a certain pattern of TTLs need to be send to retrieve the flag. The following code was used to brute force the repley:
#!/bin/bash
counter="73"
BREAKER=0
TIMEOUT=50

while [ $BREAKER -eq 0 ] ; do 
    echo $counter
    for i in $(seq 63 125)
    do
        for j in $counter
        do 
            fping -H $j 10.13.37.161 -t $TIMEOUT -c 1 > /dev/null
        done
        echo $i
        fping -H $i 10.13.37.161 $TIMEOUT -c 1  > /dev/null
        if [ $? -eq 0 ]
        then
            break
        fi

        if [ $i -eq 125 ]
        then
            $BREAKER=1
        fi
    done
done
The TTL of the package with a reply yields a range of ASCII character which can be finaly translated to INS{ttl_leak_is_trendy_this_year}

hzgf. am 23. Maerz 2014