From 983d4582a437e0cff05c8c9223e9b3783b9cbea2 Mon Sep 17 00:00:00 2001
From: Yan
Date: Mon, 24 Feb 2025 02:48:50 -0700
Subject: [PATCH] spoof

---
 intercepting-communication/module.yml | 2 +
 .../udp-spoof-host-3/.init | 1 +
 .../udp-spoof-host-3/DESCRIPTION.md | 13 ++++++
 .../udp-spoof-host-3/run | 46 +++++++++++++++++++
 4 files changed, 62 insertions(+)
 create mode 120000 intercepting-communication/udp-spoof-host-3/.init
 create mode 100644 intercepting-communication/udp-spoof-host-3/DESCRIPTION.md
 create mode 100755 intercepting-communication/udp-spoof-host-3/run

diff --git a/intercepting-communication/module.yml b/intercepting-communication/module.yml
index 45a7704d..c5ebcd86 100644
--- a/intercepting-communication/module.yml
+++ b/intercepting-communication/module.yml
@@ -37,6 +37,8 @@ challenges:
 name: UDP Spoofing 1
 - id: udp-spoof-host-2
 name: UDP Spoofing 2
+- id: udp-spoof-host-3
+ name: UDP Spoofing 3
 - id: level-12
 name: ARP
 - id: level-13
diff --git a/intercepting-communication/udp-spoof-host-3/.init b/intercepting-communication/udp-spoof-host-3/.init
new file mode 120000
index 00000000..ea4ba499
--- /dev/null
+++ b/intercepting-communication/udp-spoof-host-3/.init
@@ -0,0 +1 @@
+../.init
\ No newline at end of file
diff --git a/intercepting-communication/udp-spoof-host-3/DESCRIPTION.md b/intercepting-communication/udp-spoof-host-3/DESCRIPTION.md
new file mode 100644
index 00000000..130b51be
--- /dev/null
+++ b/intercepting-communication/udp-spoof-host-3/DESCRIPTION.md
@@ -0,0 +1,13 @@
+Of course, the previous spoofing worked because you know the source port that the client was using, and were thus able to forge the server's response.
+This was, in fact, at the core of a [very famous vulnerability](https://citeseerx.ist.psu.edu/document?repid=rep1&type=pdf&doi=0c1e863b6698808b724def8793d7cba023494808) in the [Domain Name System](https://en.wikipedia.org/wiki/Domain_Name_System) that facilitates the translation of host names like `https://pwn.college` to the appropriate IP addresses.
+The vulnerability allowed attackers to forge responses from DNS servers and redirect victims to IP addresses of their choice!
+
+The fix for that vulnerability was to randomize the source port that DNS requests go out from.
+Likewise, this challenge no longer binds the source port to 31338.
+Can you still force the response?
+
+----
+
+**HINT:**
+The source port is only set once per socket, whether at bind time or at the first `sendto`.
+What do you do when there's a fixed number that you don't know?
diff --git a/intercepting-communication/udp-spoof-host-3/run b/intercepting-communication/udp-spoof-host-3/run
new file mode 100755
index 00000000..ae71a913
--- /dev/null
+++ b/intercepting-communication/udp-spoof-host-3/run
@@ -0,0 +1,46 @@
+#!/usr/bin/exec-suid --real -- /usr/bin/python -I
+
+import psutil
+import socket
+import time
+import os
+
+from dojjail import Host, Network
+
+flag = open("/flag").read()
+parent_process = psutil.Process(os.getppid())
+
+class ServerHost(Host):
+ def entrypoint(self):
+ server_socket = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+ server_socket.bind(("0.0.0.0", 31337))
+ while True:
+ try:
+ client_message, (client_host, client_port) = server_socket.recvfrom(1024)
+ if client_message.strip() == b"ACTION?":
+ server_socket.sendto(b"NONE", (client_host, client_port))
+ except ConnectionError:
+ continue
+
+class ClientHost(Host):
+ def entrypoint(self):
+ client_socket = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+ while True:
+ try:
+ client_socket.sendto(b"ACTION?", ("10.0.0.3", 31337))
+ message, (peer_host, peer_port) = client_socket.recvfrom(1024)
+ if peer_port == 31337 and message.startswith(b"FLAG"):
+ _, flag_host, flag_port = message.strip().split(b":")
+ client_socket.sendto(flag.encode(), (flag_host, int(flag_port)))
+
+ time.sleep(1)
+ except (ConnectionError, ValueError):
+ continue
+
+user_host = Host("ip-10-0-0-1", privileged_uid=parent_process.uids().effective)
+client_host = ClientHost("ip-10-0-0-2")
+server_host = ServerHost("ip-10-0-0-3")
+network = Network(hosts={user_host: "10.0.0.1", client_host: "10.0.0.2", server_host: "10.0.0.3"}, subnet="10.0.0.0/24")
+network.run()
+
+user_host.interactive(environ=parent_process.environ())
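Review bot: In ClientHost.entrypoint the `time.sleep(1)` sits inside the `try` after the flag-send branch, so whenever `recvfrom` raises a ConnectionError (presumably when the server side is not yet listening and an error is reported back on the socket) the `continue` skips the pause and the client re-sends `ACTION?` in a tight loop instead of once per second. Moving the pause into a `finally:` clause after the existing `except (ConnectionError, ValueError): continue` (`finally:` / `time.sleep(1)`, and dropping the sleep from the `try` body) preserves the pacing on both the success and the error path, since `finally` still runs when the handler executes `continue`. Two smaller points on the same hunk: `flag = open("/flag").read()` would read better as `with open("/flag") as f: flag = f.read()` so the privileged read is closed explicitly rather than relying on refcounting, and the local `client_host` unpacked in ServerHost.entrypoint shadows the module-level `client_host` host object defined later in the file, which is harmless but confusing. Indentation in this hunk is collapsed in the rendered patch, so the nesting above is inferred from the code structure.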