Open Thermal Exhaust Port
Challenge:
Our TCP connect Nmap scan found some open ports it seems. We may only have a pcap of the traffic, but I'm sure that won't be a problem! Can you tell us which ones they are?
The flag will be the sum of the open ports. For example, if ports 25 and 110 were open, the answer would be MetaCTF{135}.
Solution:
I begin all CTF challenges involving a PCAP by utilizing Zeek, with a custom CTF-focused script, for initial analysis:
$ /opt/zeek/bin/zeek -Cr nmap_scan.pcapng ~/Tools/ctf_pcaps.zeek
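The challenge description states that I should be looking for open ports. I extract them from the conn.log generated by Zeek's analysis by filtering on the connection state RSTO (connection established, originator aborted by sending a RST). This is the state left behind when a TCP connect scan completes the handshake on an open port and then resets the connection: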
$ cat conn.log | zeek-cut id.resp_p conn_state | grep RSTO | sort -nu
21 RSTO
22 RSTO
23 RSTO
53 RSTO
80 RSTO
443 RSTO
3128 RSTO
After summing the ports, the accepted flag was MetaCTF{3770}.
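
The same extraction and sum in one step, as an added example that is not part of the original write-up: an awk function that locates columns from the conn.log #fields header, matches conn_state exactly (a plain grep RSTO also matches Zeek's RSTOS0 state, where no SYN-ACK was ever seen) and counts each port once. The function names and the sample log are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original write-up).
# open_port_sum FILE [STATE]: sum the unique TCP responder ports in a Zeek
# TSV conn.log whose conn_state equals STATE exactly (default RSTO).
open_port_sum() {
    awk -F '\t' -v want="${2:-RSTO}" '
        $1 == "#fields" {
            # "#fields" occupies $1 of the header, so data columns sit one lower.
            for (i = 2; i <= NF; i++) col[$i] = i - 1
            next
        }
        /^#/ { next }                       # other header and footer lines
        $col["proto"] == "tcp" && $col["conn_state"] == want {
            port = $col["id.resp_p"]
            if (!(port in seen)) { seen[port] = 1; sum += port }
        }
        END { print sum + 0 }
    ' "$1"
}

# write_sample FILE: constructed conn.log reduced to the columns used above.
write_sample() {
    {
        printf '#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tconn_state\n'
        # printf reuses the format for every group of seven arguments.
        printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
            1.0 10.0.0.5 40001 10.0.0.9 22   tcp RSTO \
            1.1 10.0.0.5 40002 10.0.0.9 22   tcp RSTO \
            1.2 10.0.0.5 40003 10.0.0.9 80   tcp RSTO \
            1.3 10.0.0.5 40004 10.0.0.9 8080 tcp RSTOS0 \
            1.4 10.0.0.5 40005 10.0.0.9 25   tcp REJ \
            1.5 10.0.0.5 40006 10.0.0.9 53   udp SF
    } > "$1"
}

sample=$(mktemp)
write_sample "$sample"
echo "lines matched by grep RSTO: $(grep -c RSTO "$sample")"
echo "sum of ports in exact state RSTO: $(open_port_sum "$sample")"
rm -f "$sample"
```

On a real capture, point open_port_sum at the conn.log Zeek wrote; passing a second argument such as REJ sums the ports in that state instead.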