H2HC19 - Packetwars - P0wn Th3 H0m3

Since our first Packetwars at H2HC in 2015, it has somehow become a fun tradition. Although I wasn’t involved in 2018, I was back this year and brought a few fun but seemingly too ugly challenges. Here is a short write-up on the concepts, ideas and challenges.

I’ve been wanting to do a network-based Packetwars for quite a while now and finally got the chance to do one this year, and will hopefully do so again next year (with a new setup). By network-based I mean live access to the traffic between multiple machines via a physical man-in-the-middle, which brings us to the first challenge.

Physical Access

In this year’s scenario, “P0wn Th3 H0m3”, the attendees had to gain access to the smart home functionality of a house and take over all of its controls. Our back story revolved around a hostage rescue mission in which the attendees would play a vital role by controlling alarms, lights and cameras during the final raid. Thus, the primary mission: gain initial access by cutting a network cable and crimping a simple 8P8C Western plug onto one end and an LSA receptacle onto the other. The attendees would then have to sniff some packets and could gain points for collecting information.

Network Access

When both ports were up and after a certain reconnection period, a PPTP VPN between two systems would appear on the cable. The communicating systems were “locked” into a /30 IP address space, which presented the first networking challenge: the attendees had to configure the IP addresses of their physical mitm in such a way that they also gained a logical mitm.

VPN Access

While the encapsulated traffic was visible in a sniff, the client actually authenticated towards the VPN server using CHAP. This posed the next challenge: how to break open the VPN and also become mitm here?

Luckily the authentication scheme was only enforced server side, thus one quick downgrade to PAP later, a plaintext password appeared.

Protocols

Within the VPN the attendees got access to 4 core communication channels, in addition to some decoys.

SCTP

For the sake of nostalgia (telco research) I decided to use SCTP as one of the protocols.

  • The core aspect of the application was a request containing “0x42”, which returned a binary vector and a CRC32 - the states of the cameras in the house.
  • The decoy message “0x11” actually returned a great recipe for brownies.
  • A bunch of seemingly random messages, where each response was the original message encoded with ROT13. If this channel broke down, an alarm was triggered.

Hidden Challenge

Due to a bit of, let’s call it “external inspiration” I added a little decoy challenge, which looks as follows:

Request: vib5c0b187fe309af0f4d35982fd961d7e
Response: TTDWSCPPOHCMYYJJWCQI
Request: vib5c0b187fe309af0f4d35982fd961d7e
Response: TOYXSWIOZTTSFTTSFFVVXGPTWWAXPRA
Request: vib5c0b187fe309af0f4d35982fd961d7e
Response: EMDRRMJYCVVMCWITWODXDOWSGSA
Request: vib5c0b187fe309af0f4d35982fd961d7e
Response: EVZPJFZWSOKIZTTSFFVVXGVROGCSFZYICGA
Request: vib5c0b187fe309af0f4d35982fd961d7e
Response: EVZWZTOGFFQIZTTSFFRMYRDRRVZEOV
Request: vib5c0b187fe309af0f4d35982fd961d7e
Response: YCHIWCYCTGNAPSOICTISCQJYWRJVAVZYD
Request: vib5c0b187fe309af0f4d35982fd961d7e
Response: DCCEGSWIHWOGSSYLTHCMYYJJEVDWQ
Request: vib5c0b187fe309af0f4d35982fd961d7e
Response: LBYEWZHCFBDZPFNIMSXSXSNTPFAINHDSYV
Request: vib5c0b187fe309af0f4d35982fd961d7e
Response: MIOAPFZCZIDRXMVVXGAHPOMPZJZJ
Request: vib5c0b187fe309af0f4d35982fd961d7e
Response: EVZLLDKMYSNWHCPPOHVOPATFCSVXSOREJT
Request: vib5c0b187fe309af0f4d35982fd961d7e
Response: YCOLZIBLEQJYWRHEEQCXSOOINGOEDMA
Request: vib5c0b187fe309af0f4d35982fd961d7e
Response: YCNSYUZRNCHTLGNMETISZHCICKJVWRNL
Request: vib5c0b187fe309af0f4d35982fd961d7e
Response: TTDWSCPPOHCMYYJJWCQIQ
Request: vib5c0b187fe309af0f4d35982fd961d7e
Response: TOYXSWIOZTTSFV

The aforementioned “external inspiration” managed to crack it (Irresistible!!). Can you? If so, drop me a message :)

MQTT

The backend was running a RabbitMQ MQTT server with a single queue, which received and forwarded switching actions as binary vectors with a CRC32. In contrast to the CRC32 in SCTP, here it was calculated over last_message + current_message, where last_message also contained its own checksum. Thus, the responses always depend on the previous messages.
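As an added example (not the Packetwars code itself), here is how a receiver can verify the chained CRC32 scheme described above and spot a dropped, reordered or corrupted message; the 2-byte switch vector and big-endian CRC layout are assumptions made for this example. Keep in mind that a CRC, chained or not, is an integrity check and not authentication: anyone who sees the stream can compute the next valid checksum.

```python
import struct
import zlib

# Constructed illustration of the chained CRC32 scheme used on the MQTT channel:
# CRC32(last_message + current_vector), where last_message still carries its
# own checksum. The framing (2-byte switch vector, then a big-endian CRC32) is
# an assumption made for this example; the write-up does not fix the layout.
VECTOR_LEN = 2
CRC_LEN = 4


def crc32_chain(prev_message: bytes, vector: bytes) -> int:
    """CRC32 over the full previous message (checksum included) plus the new
    vector. The first message in a stream is chained to the empty string."""
    return zlib.crc32(prev_message + vector) & 0xFFFFFFFF


def build_message(prev_message: bytes, vector: bytes) -> bytes:
    """Frame a switching vector with its chained checksum."""
    return vector + struct.pack(">I", crc32_chain(prev_message, vector))


def build_sequence(vectors):
    """Frame a whole sequence of vectors, chaining each to its predecessor."""
    messages, prev = [], b""
    for vector in vectors:
        prev = build_message(prev, vector)
        messages.append(prev)
    return messages


def verify_stream(messages):
    """Validate a captured sequence. Returns the index of the first message
    whose chained CRC32 does not match (or that is malformed), -1 if all check
    out. The receiver must keep the previous message: a dropped, replayed or
    reordered message breaks the chain from that point on."""
    prev = b""
    for index, message in enumerate(messages):
        if len(message) != VECTOR_LEN + CRC_LEN:
            return index
        vector, packed_crc = message[:VECTOR_LEN], message[VECTOR_LEN:]
        if crc32_chain(prev, vector) != struct.unpack(">I", packed_crc)[0]:
            return index
        prev = message
    return -1


if __name__ == "__main__":
    good = build_sequence([b"\x01\x00", b"\x03\x00", b"\x02\x01"])
    print(verify_stream(good))                 # -1: intact chain
    print(verify_stream(good[:1] + good[2:]))  # 1: a dropped message breaks the chain
```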

HTTPS

The target house was running an externally available web/JSON API server which was regularly accessed by a remote system. When connecting to the base directory of the server, it only responded with a 404, so it was necessary to have a closer look at the requests. As for breaking open the TLS connection, well, let me just stress how many IoT devices actually don’t validate the certificate of the remote host at all, or only validate the Common Name.

UDP

The house and the backend systems had an out-of-band style keep-alive communication. The backend regularly asked the house if everything was ok, and if it was (all other data channels were running), the house replied with an ok. Here is an excerpt for some tinkering:

S2C: I.\\nThe H
S2C: orror in Clay.\\n\\nTh
S2C: e most merci
S2C: ful thin
S2C: g in the world, I th
S2C: ink, is
S2C: the inabilit
S2C: y of t
S2C: he human min
S2C: d to correla
S2C: te all its contents.
S2C:  We liv
S2C: e on a placid isl
S2C: and of ignorance in
S2C:  the midst o
S2C: f black seas o
S2C: f infinity, and
S2C:  it was not mea
S2C: nt that we s
S2C: hould v
S2C: oyage
S2C: far. The scien
S2C: ces, each st
S2C: raining in i
S2C: ts own direction, h
S2C: ave hitherto harmed
S2C: us little; but some
S2C: day the piec
S2C: ing together o
S2C: f dissoc
S2C: iated knowledge wi
S2C: ll open up s
S2C: uch terrif
S2C: ying vist
S2C: as of reality, and o
S2C: f our frightful pos
S2C: ition th
S2C: erein,
S2C:  that we sha
S2C: ll either go mad from the
C2S:  revelation or fl
C2S: ee from t
C2S: he deadly ligh
C2S: t into the peace an
C2S: d safety of
C2S: a new dark
C2S:  age.\\nTheoso
C2S: phists ha
C2S: ve gu
C2S: essed at
C2S:  the awesome
C2S:  grandeur of the cos
C2S: mic cycle wher
C2S: ein ou
C2S: r world an
C2S: d human race f
C2S: orm transient inc
C2S: idents. They
C2S:  have hinted
C2S:  at strang
C2S: e surv
C2S: ivals in ter
C2S: ms which wou
C2S: ld freeze
C2S:  the blood if no
C2S: t masked by
C2S: a bland optimism. Bu
C2S: t it is not fr
C2S: om them that
C2S:  there came
C2S: the singl
C2S: e glimpse
C2S:  of forbidden ae
C2S: ons which
C2S: chills me wh
C2S: en I th
C2S: ink of
C2S:  it and madd
C2S: ens me when I dr
C2S: eam of
C2S:  it. That gl
C2S: impse, l
C2S: ike all drea
C2S: d glimpses of truth, flas
S2C: hed ou
S2C: t from an acciden
S2C: tal piecing
S2C: togeth
S2C: er of separate
S2C: d things
S2C: —in this c
S2C: ase an old
S2C:  newspaper i
S2C: tem and the
S2C: notes of a dead pro
S2C: fessor. I
S2C: hope that no o
S2C: ne else will acco
S2C: mplish this
S2C: piecing out; certai
S2C: nly, if I live, I s
S2C: hall never kno
S2C: wingly suppl
S2C: y a link
S2C:  in s
S2C: o hideous a chain
S2C: . I think th
S2C: at the profe
S2C: ssor, too, intended
S2C:  to keep silent
S2C:  regarding the part
S2C: he knew, and
S2C:  that he would have
S2C: destroyed
S2C:  his notes had not s
S2C: udden death
S2C: seize
S2C: d him. \\nM
S2C: y knowledge of the
S2C: thing began in th
S2C: e winter
S2C: of 1926–
S2C: 27 with the
S2C: death of my grand-uncle G
C2S: eorge Gammell Ange
C2S: ll, Pro
C2S: fessor Emeritu
C2S: s of Semitic Lang
C2S: uages in Bro
C2S: wn Uni
C2S: versity, Pro
C2S: vidence,
C2S:  Rhod
C2S: e Island.
C2S:  Professor A
C2S: ngell was widely kno
C2S: wn as an authorit
C2S: y on anc
C2S: ient i
C2S: nscriptions, a
C2S: nd had frequently
C2S: been resorte
C2S: d to by the
C2S: heads o
C2S: f promin
C2S: ent museums;
C2S:  so that his
C2S:  pass
C2S: ing at the age
C2S:  of ninety-t
C2S: wo may be recalled
C2S:  by many. Locall
C2S: y, interest
C2S: was intensif
C2S: ied by
C2S:  the obsc
C2S: urity of the ca
C2S: use of de
C2S: ath. The pro
C2S: fessor h
C2S: ad been st
C2S: ricken whils
C2S: t returning fro
C2S: m the
C2S: Newport boat
C2S: ; fall
C2S: ing suddenly
C2S: , as witnesses said, afte

Aftermath - Packetwars X-Treme Edition

Due to a little Brazilian-style planning we weren’t able to run a single 3-4h Packetwars with all attending teams at once. Thus we made the call for an X-Treme session: three sessions of approximately 60 minutes each, in which one group of teams at a time was allowed to access the battle space. While the first challenge was still the physical crimping, the teams could simply collect points for extracting details from the sniffed traffic.

What I hadn’t anticipated was that crimping turned out to be far harder than expected and basically cost most of the teams the whole hour. Eventually only three teams actually managed to correctly crimp their cables.

Next year, we’ll be back with a more flexible setup (better at scaling), a full-length Packetwars and I suppose an extra speed crimping challenge! Might actually also add a speed soldering challenge, just for fun :P

Also, we will have to make sure that the one and only Packet Master comes back next year! Give a shout-out to @AngusBlitter to make it harder for him to resist!