EY Brucon Challenge Write-up

16 Oct 2015

Post by Peter van Overschelde

The BruCON 0x07 edition is behind us and boy it has been a rush! Awesome people, magnificent speakers and unbelievable parties, BruCON 0x07 had it all! In the meanwhile I caught up my hours of sleep, so I thought it would be a good idea to do a small write-up of the EY BruCON challenge.

As BruCON veterans might already know, EY is one of the Diamond Sponsors of BruCON, ever since the first edition. However, in previous years, the EY promo stand was far away from being diamond. Therefore, we decided to change all that this year and in addition to having an actual pinball machine (which a lot of attendees enjoyed), we created a small challenge which was available over the BruCON network.

While we have seen large amounts of traffic (our host running the challenge was in the top 5 of systems on the BruCON network which received the most traffic), only a handful of people were able to solve the challenge.

As most participants of the challenge noticed, the system only responded to connections made on port 80. However, when trying to connect to this system using a browser, netcat or any other tool didn't reveal too much. Or did it? Well, the answer was in the packets! When looking at the network traffic flow between you and the challenge using Wireshark or a similar tool, you should have noticed something was up:

"Shouldn't you be confessing your SYNs?", a strange response to receive right? Well, this was a reference to the recently discovered "SYNful knock" implant on Cisco routers by FireEye. So, a quick visit to the FireEye Github equipped us with an nmap NSE script and a stand-alone Python-based tool. As some (most?) of you noticed, the NSE script didn't work that well (it didn't work for me as well while writing the challenge), but the Python script did.

Ok, so we sent an "implant probe" to the EY challenge, and it responded with a "positive" answer. Now what? Again, the answer was in the packets!

As you can see in the screenshot below, the EY challenge would sent a FIN packet to your system but with the source port being the same as the source port you used to connect to port 80 on the challenge. To clarify: in the screenshot above, the client used TCP port 48798 to connect to TCP port 80 on the challenge. As a result, the client received a FIN packet coming from the challenge on TCP port 48798 and destined to TCP port 48798 on the client. The contents of this packet contained the string "Thank you for confessing! Are you a righteous man?".

Blast! Another cryptic clue! Now, to give you some background on this clue; while I was creating this challenge, I was watching the movie Pulp Fiction. Being in the "divine theme" with all the SYNful knocking going on, I remembered one of my favorite scene's in the movie, where Samuel L. Jackson would quote Ezekiel 25:17 before shooting Brett to pieces. So there it was… Ezekiel 25:17… so why not spawning a service on TCP port 2517? However, in order to ensure that participants would get the SYNful knocking step first, I implemented a basic firewall routine, which would whitelist the IP-address of the client for 60 seconds when receiving an "implant probe". During this 60 seconds, the client could connect to the TCP service running on port 2517:

And there you have it: "The path of the righteous man is beset on all sides by the inequities of the selfish and the tyranny of evil men. Blessed is he, who in the name of charity and good will, shepherds the weak through the valley of darkness, for he is truly his brother's keeper and the finder of lost children. And I will strike down upon thee with great vengeance and furious anger those who would attempt to poison and destroy my brothers. And you will know my name is the Lord when I lay my vengeance upon thee."

Again, I would like to congratulate the participants who solved the challenge and thank everyone who "died trying". I hope you had fun trying to break the challenge and if you have any feedback, this is more than welcome!