Segals Law - TAMUCTF 2018


"A man with a watch knows what time it is. A man with two watches is never sure."
- Segal's Law

The third piggy (from Brick House) isn't too happy. Maybe you can make it up to him by contributing to his open-source web app

This challenge came down to the wire. I had messed with it off and on the last few days of the CTF but never really got anywhere. I spent most of the time trying to get some sort of SSL Man-In-The-Middle going on but was ultimately unsuccessful in this endeavor. Here's how I solved it.

A Little Recon goes a long way. nmap -sP to find live addresses and then give it a -sC to find listening services. I was rewarded with .98 serving up web on port 443. Let's go check out the site.


While working on the solution for the Bricks challenge, quite a bit of attention is drawn to the catfacts git repo with all of the automated commands. A bit of digging around reveals this repo, for a CatFacts website. Going over the commits (there's only 7, worth a quick look) you can see one with the comment of "oops". Well, looky there, a cert and key! Hawt Damn, this one's gonna be easy! Or so I thought.

First order of business was to clone the repo, dig that key and cert out of the old commit and fire it up. I stood up a tap0:0 subinterface with the IP of the original server inside the VPN so see if I could just kind of "assume traffic" for it. It worked, but the client did not trust the cert.
# openssl x509 -enddate -noout -in catfacts.pem
notAfter=Nov 20 18:53:15 2017 GMT

Well, I guess that'd do it for the client not trusting it.

This was the part where I wasted a few hours off and on trying several different methods to get sslstrip, sslsplit, ssldksdlkaslkjjasdlkj;asdffflkjsl;kjasdlkjasdflkj going with no success.

On one of those attempts I noticed some port 123 UDP traffic on wireshark on that tap0 network. very….interesting… That's some NTP, baby! What are the odds that the client is using NTP as its timing source? Well, in this CTF, those odds were very great. Now I've got a plan. ARP poison the client on two fronts, "Hey Buddy, I'm the web server, here's this cert that expires like 8 months ago, you should totally handshake me, bro. as well as "Yo, playa, I be the NTP Server. Your clock is mad wrong, yo. It's totally, like, Feb 2017, I promise, for real…."

I was running pretty low on time at this point, with less than an hour left on the CTF I snagged the code from this gist. I had to make a couple little changes, like setting the "router" to my tap0:1 sub (the one matching the actual NTP server) and setting the year to 2017.

So, in order. create two sub-interfaces off of the tap0 int. One IP matching that of the web server and one IP matching that of the NTP server. Fire off the NTP spoof script and wait for it to start getting hits. Fire up the flask app using the old key and cert and a few seconds later, kablammo, we gots hits. From this point I made a modification to the flask app to print out the submitted username and password so I could use them to log in to the "real site".


flag: gigem{we_have_to_go_back!}
No Comments Yet