Open Thermal Exhaust Port

Challenge:

Our TCP connect Nmap scan found some open ports it seems. We may only have a pcap of the traffic, but I’m sure that won’t be a problem! Can you tell us which ones they are?

The flag will be the sum of the open ports. For example, if ports 25 and 110 were open, the answer would be MetaCTF{135}.

Solution:

I begin all CTF challenges involving a PCAP by utilizing Zeek, with a custom CTF-focused script, for initial analysis:

$ /opt/zeek/bin/zeek -Cr nmap_scan.pcapng ~/Tools/ctf_pcaps.zeek 

The challenge description states that I should be looking for open ports, which I extract from the conn.log generated by Zeek’s analysis by filtering on the connection state RSTO (Connection established, originator aborted (sent a RST)):

$ cat conn.log | zeek-cut id.resp_p conn_state | grep RSTO | sort -nu
21	RSTO
22	RSTO
23	RSTO
53	RSTO
80	RSTO
443	RSTO
3128	RSTO

After summing the ports the accepted flag was, MetaCTF{3770}

Published:

Updated:

Leave a comment