From 0ce135d59bb45a31acd5c5ce26f2c3267078e6b4 Mon Sep 17 00:00:00 2001
From: Yan
Date: Mon, 24 Feb 2025 02:17:07 -0700
Subject: [PATCH] spoof-host
---
 intercepting-communication/module.yml | 4 ++
 .../udp-spoof-host/.init | 1 +
 .../udp-spoof-host/DESCRIPTION.md | 9 ++++
 intercepting-communication/udp-spoof-host/run | 43 +++++++++++++++++++
 4 files changed, 57 insertions(+)
 create mode 120000 intercepting-communication/udp-spoof-host/.init
 create mode 100644 intercepting-communication/udp-spoof-host/DESCRIPTION.md
 create mode 100755 intercepting-communication/udp-spoof-host/run
diff --git a/intercepting-communication/module.yml b/intercepting-communication/module.yml
index 3b8ddc9b..303b2cae 100644
--- a/intercepting-communication/module.yml
+++ b/intercepting-communication/module.yml
@@ -33,6 +33,10 @@ challenges:
 name: UDP
 - id: udp-2
 name: UDP 2
+- id: udp-spoof-host
+ name: UDP 2
+ visibility:
+ start: "2029-11-04T13:00:00-07:00"
 - id: level-12
 name: ARP
 - id: level-13
diff --git a/intercepting-communication/udp-spoof-host/.init b/intercepting-communication/udp-spoof-host/.init
new file mode 120000
index 00000000..ea4ba499
--- /dev/null
+++ b/intercepting-communication/udp-spoof-host/.init
@@ -0,0 +1 @@
+../.init
\ No newline at end of file
diff --git a/intercepting-communication/udp-spoof-host/DESCRIPTION.md b/intercepting-communication/udp-spoof-host/DESCRIPTION.md
new file mode 100644
index 00000000..a23198ad
--- /dev/null
+++ b/intercepting-communication/udp-spoof-host/DESCRIPTION.md
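Review bot: In the module.yml hunk the new `udp-spoof-host` entry reuses the display name `UDP 2`, which the `udp-2` entry directly above it already carries, so two challenges would be listed under the same name once this one becomes visible. A distinct name such as `name: UDP Spoofing` would keep them apart. The `visibility.start` of 2029 looks like a way to keep the challenge hidden for now; if so, a short comment like `# hidden until the challenge is finished` above `visibility:` would make that intent explicit.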
@@ -0,0 +1,9 @@
+Though we didn't explore this for TCP, in addition to selecting the destination port, both TCP and UDP can set their _source_ port.
+We'll practice that here --- you can set the source port with `s.bind` on the socket, exactly how a server does it to set their listening port.
+Read the source code of `/challenge/run` to see what source port you'll need!
+
+----
+
+**NOTE:**
+You must set the source port _before_ sending data!
+Otherwise, Linux will pick a random source port (the default behavior, when `bind` is not called).
diff --git a/intercepting-communication/udp-spoof-host/run b/intercepting-communication/udp-spoof-host/run
new file mode 100755
index 00000000..691e2a1f
--- /dev/null
+++ b/intercepting-communication/udp-spoof-host/run
@@ -0,0 +1,43 @@
+#!/usr/bin/exec-suid --real -- /usr/bin/python -I
+
+import psutil
+import socket
+import os
+
+from dojjail import Host, Network
+
+flag = open("/flag").read()
+parent_process = psutil.Process(os.getppid())
+
+class ServerHost(Host):
+ def entrypoint(self):
+ server_socket = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+ server_socket.bind(("0.0.0.0", 31337))
+ while True:
+ try:
+ client_message, (client_host, client_port) = server_socket.recvfrom(1024)
+ if client_message.strip() == b"ACTION?":
+ server_socket.sendto(b"NONE", (client_host, client_port))
+ except ConnectionError:
+ continue
+
+class ClientHost(Host):
+ def entrypoint(self):
+ client_socket = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+ client_socket.bind(("0.0.0.0", 31338))
+ while True:
+ try:
+ server_socket.sendto(b"ACTION?", ("10.0.0.3", 31337))
+ message, (peer_host, peer_port) = server_socket.recvfrom(1024)
+ if peer_port == 31337 and message.strip() == b"FLAG":
+ print(f"YOUR FLAG: {flag}")
+ except ConnectionError:
+ continue
+
+user_host = Host("ip-10-0-0-1", privileged_uid=parent_process.uids().effective)
+client_host = ClientHost("ip-10-0-0-2")
+server_host = ServerHost("ip-10-0-0-3")
+network = Network(hosts={user_host: "10.0.0.1", client_host: "10.0.0.2", server_host: "10.0.0.3"}, subnet="10.0.0.0/24")
+network.run()
+
+user_host.interactive(environ=parent_process.environ())
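Review bot: `ClientHost.entrypoint` creates and binds `client_socket` but then calls `server_socket.sendto(...)` and `server_socket.recvfrom(...)`, a name that exists only inside `ServerHost.entrypoint`. The first loop iteration therefore raises NameError, which `except ConnectionError` does not catch, and the client never sends `ACTION?`. Both calls should use the bound socket: `client_socket.sendto(b"ACTION?", ("10.0.0.3", 31337))` and `message, (peer_host, peer_port) = client_socket.recvfrom(1024)`. Separately, `peer_host` is unpacked but never compared, so a reply is accepted on source port alone; if the exercise is meant to accept replies only from the server's address, the check should read `if peer_host == "10.0.0.3" and peer_port == 31337 and message.strip() == b"FLAG":`, and otherwise a comment should state that the omission is deliberate. The loop also has no delay and no receive timeout, so it re-sends as fast as replies arrive and would presumably block forever on one lost datagram.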