DEV Community

Nucu Labs

FlareOn6 - Challenge 4: Write-Up

Hello,

In this article I will present my solution for the fourth challenge of FlareOn6.

The tools I used to solve this challenge were:

  • Kali Linux
  • DnsChef
  • Wireshark
  • Python
  • Ghidra

I opened the binary in Kali and I got a nice chess game going on for me; when I made the first move, the AI resigned. I opened up the provided pcap file in Wireshark and saw a lot of DNS traffic. Since malware often uses DNS to perform certain actions and stops operating if a server is not found, I figured out that I had to fake the DNS. Luckily, I had all the traffic I needed in the pcap file.

Since copy-pasting 80 lines from Wireshark would be painfully slow, I took some time to install pyshark and wrote a small Python program to parse the pcap and output the traffic in a format that dnschef would like.

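import sys

import pyshark

def main():
    # Status message goes to stderr so it stays out of the redirected fakehosts.txt
    print("gimme da pcap", file=sys.stderr)
    # Load only the DNS packets from the capture
    cap = pyshark.FileCapture('./capture.pcap', display_filter='dns')
    for packet in cap:
        # Skip packets without an IPv4 layer or without an A record (queries, errors)
        if not hasattr(packet, 'ip') or not hasattr(packet.dns, 'a'):
            continue
        # Responses sent to 192.168.122.1 carry the A record for the queried name
        if packet.ip.dst == "192.168.122.1":
            print("{}={}".format(packet.dns.qry_name, packet.dns.a))
    cap.close()

if __name__ == '__main__':
    main()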

After that I redirected the output of the script to fakehosts.txt, added an [A] section header to the file, and ran dnschef with the following command:

dnschef --fakens=ns1.game-of-thrones.flare-on.com --file=fakehosts.txt -i 0.0.0.0

And that didn't work: I had forgotten to go to the network manager and set my DNS server to localhost. After that was done, I opened up the program, picked a random move from the list and it magically worked, the AI responded to my move! Hurray!


I thought this was it, I solved the challenge, now to make the next move and... the AI resigned. It looked like I had to do the moves in a certain order; I couldn't do them randomly or in the order that I wanted to do them.

But it took me some time to realise that. I even looked at the source code in Ghidra to see what I was doing wrong:


--

One night, when I had some extra time, I sat down with the list of available moves and I started manually brute forcing the moves until I got the right combination and the flag! It took me about one to two hours; luckily I knew a bit of chess, otherwise I wouldn't have finished it that fast.


Thank you for reading!
