For this challenge we have a PCAP network dump. After some initial analysis we recognized that it recorded some interaction with wildwildweb.fluxfingers.net on port 1420 using the DBus protocol.

Using python we can quite easily build a script that connects to the same service and interacts with it

import dbus
host = "tcp:host=wildwildweb.fluxfingers.net,port=1420"
bus = dbus.bus.BusConnection(host)
p = bus.get_object('test.test123.Server', '/Server')
server_iface=dbus.Interface(p, dbus_interface='test.test123.Server')
print server_iface.dbus_start()

…and we got the same message as in the network dump:

dbus

From the network dump and the dbus interface we know that we can use the following methods:

  • dbus_genrnd(id)
  • dbus_authc(id, msg, iv, tag)
  • dbus_auths(id, msg)
  • dbus_time(id)
  • dbus_list(id)
  • dbus_put(id, filename, text)
  • dbus_get(id, filename)
  • dbus_start()

Unfortunately only some can be used without authentication :( so let’s try to authenticate:

  • With dbus_auths(id, msg) we can send a message (base64 encoded) and get it signed. We get back the base64 encoding of the IV and the tag (i.e.: the signature).
  • We need to send back any message with a valid tag and IV, but we don’t know much about how the signature is produced. Furthermore there are some restrictions:
    • We cannot send back the same signed message we received, the service returns “Authentication: 0”
    • The message not only needs to be different, it also needs to be of a different block length

Let’s look at Wikipedia, how CBC-MAC works:

570px-CBC-MAC_structure_(en).svg

My first try was to get a first message signed, then set the message to (first_message xor IV) and IV to all zeros: in this way we have a different message with the same valid signature that we previously obtained. However the second restriction does not allow it.

Luckily we can use a similar approach to get a different and longer message with the same signature of the initial one:

M = initial_msg || (initial_msg xor IV xor tag)

In this way at the second step of the chain we end up with:

E(tag xor (initial_msg xor IV xor tag)) = E(initial_msg xor IV) = tag

After the authentication process we can just request the list of files and get secret.txt that contains the flag. This script automates it all.

fox