Error Reporting Protocol (net)

PUBLISHED ON 16/02/2020 — EDITED ON 01/04/2020 — 247CTF, INFOSEC

Intro

This is my write-up of a Networking challenge Error Reporting Protocol on the CTF site 247CTF.com.

Instructions

Can you identify the flag hidden within the error messages of this ICMP traffic?

Howto

There is a whole world of data hiding inside ICMP traffic, there are even solutions to push whole internet access via ICMP traffic.

https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol#Data

Open the tcpdump in Wireshark. We can se “JFIF” in the data part of the responses, so we assume JPEG image.

Delete the first entry, as that is the request, we need only the responses from server and save it back.

It is time to parse the tcpdump, remove the header and only output the data part, you can use modified script from here:

import dpkt

input=file("error_reporting.pcap", "rb")

# We are going to extract all ICMP payloads and concatenate them in one file,
# and see what happens:
output=open("output.jpg", "w")

pcap=dpkt.pcap.Reader(input)

for ts, buf in pcap:
    eth=dpkt.ethernet.Ethernet(buf)
    if (eth.type != 2048): # 2048 is the code for IPv4
        continue


    ip=eth.data
    icmp=ip.data

# The parsed packets in the dpkt.pcap.Reader contains two members: "ts" and "buf".
# The member "ts" is just the timestamp which lived in the packet when captured
# by Wireshark; it is the clock when captured this packet. The member "buf" holds
# the real packet data captured by capture tool, it's the raw traffic data.
    if (ip.p==dpkt.ip.IP_PROTO_ICMP) and len(icmp.data.data)>0:
        try:
            print icmp.data.data
            output.write(icmp.data.data)
        except:
            print 'Error extracting ICMP payload data from this packet.'
        continue

input.close()
output.close()
$ open output.jpg

Bingo!

See Also