Begin
In the pcap included in this challenge we see ICMP packets sent to 10.13.37.161. Only some of them receive a reply. The important detail is that the TTL varies from packet to packet, and whether a reply is sent depends on the TTL. It seems that a particular sequence of TTLs has to be sent to retrieve the flag. The following script was used to brute-force that sequence:
#!/bin/bash
# Replay the TTLs already found, then probe the next TTL in the printable ASCII range.
counter="73"          # TTLs that produced a reply so far (73 = 'I', taken from the pcap)
BREAKER=0
TIMEOUT=50            # fping reply timeout in milliseconds
while [ $BREAKER -eq 0 ] ; do
    echo "$counter"
    for i in $(seq 63 125)
    do
        # resend the known prefix so the server is in the right state again
        for j in $counter
        do
            fping -H "$j" 10.13.37.161 -t $TIMEOUT -c 1 > /dev/null
        done
        echo "$i"
        fping -H "$i" 10.13.37.161 -t $TIMEOUT -c 1 > /dev/null
        if [ $? -eq 0 ]
        then
            counter="$counter $i"   # reply received: this TTL is the next byte
            break
        fi
        if [ $i -eq 125 ]
        then
            BREAKER=1               # no TTL in range answered: sequence complete
        fi
    done
done
The TTL of every packet that received a reply lies in the printable ASCII range, and the sequence of these TTLs finally translates to
INS{ttl_leak_is_trendy_this_year}
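From the defender's side, the same property that makes the challenge solvable (a flow whose echo-request TTLs jump around instead of staying constant) is what gives the channel away. The following is an added example, not part of the original write-up or the challenge: it flags flows with high TTL variance in a set of constructed echo-request records and decodes the answered TTLs as ASCII the way the write-up does. The record layout and sample values are assumptions.

```python
from collections import defaultdict
from statistics import pstdev

# Constructed sample records: (src, dst, TTL of the echo request, reply seen).
# The first flow mimics the challenge traffic, the second is an ordinary ping.
SAMPLE = [
    ("10.0.0.5", "10.13.37.161", 73, True),    # 'I'
    ("10.0.0.5", "10.13.37.161", 64, False),   # probe, no reply
    ("10.0.0.5", "10.13.37.161", 78, True),    # 'N'
    ("10.0.0.5", "10.13.37.161", 100, False),  # probe, no reply
    ("10.0.0.5", "10.13.37.161", 83, True),    # 'S'
    ("10.0.0.5", "10.13.37.161", 123, True),   # '{'
    ("192.168.1.2", "10.13.37.161", 64, True), # normal ping, constant TTL
    ("192.168.1.2", "10.13.37.161", 64, True),
]

def group_flows(records):
    """Group (ttl, replied) pairs by (src, dst)."""
    flows = defaultdict(list)
    for src, dst, ttl, replied in records:
        flows[(src, dst)].append((ttl, replied))
    return flows

def flag_suspicious_flows(records, min_requests=4, min_stdev=5.0):
    """Flows whose echo-request TTL spread is large are candidates for a TTL
    channel. A normal ping keeps one TTL; thresholds are assumed values."""
    hits = []
    for flow, pkts in group_flows(records).items():
        ttls = [ttl for ttl, _ in pkts]
        if len(ttls) >= min_requests and pstdev(ttls) >= min_stdev:
            hits.append(flow)
    return hits

def decode_replied_ttls(records, src, dst):
    """Reconstruct the leaked text as the write-up does: the TTL of each
    answered request is one printable ASCII byte; unanswered probes are skipped."""
    pairs = group_flows(records).get((src, dst), [])
    return "".join(chr(ttl) for ttl, replied in pairs if replied and 32 <= ttl <= 126)

if __name__ == "__main__":
    for src, dst in flag_suspicious_flows(SAMPLE):
        print(f"{src} -> {dst}: {decode_replied_ttls(SAMPLE, src, dst)!r}")
```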
hzgf. on 23 March 2014