Burble DN42 Ping Challenge
2022-08-21 共 23942 字Ping Challenge | burble.dn42 的解题思路
剧透警告,尽量做的时候别看
耗时三天,暑假,回校前一天上午完成(2022/8/21 10:49)。IYKYK(懂得都懂),看不懂也没关系就不是写来让你看的(
用到了CyberChef,NodeJS,最后一部分需要控制ICMP Ping data的用Windows自带的ping
做不了,但是可以用我写的几个小工具发,有关API在Icmpapi.h header,busybox可以直接发。
第一次玩这种Cyber的玩意,有点难度,好好玩,学到的许多,下次继续(听说DN42里头还有一个)
中途还对我的内部网络大改,这个挑战的信息是绑定到源IP的,所幸使用的设备IP没变。
感谢Chimon、Lan Tian提供的帮助。
有关源码已经打包上传:Burble Ping Challenge.tar(.sig),以CC0发布,Internet Archive。
最后几个Ping payload有关的,错误代码可以看Microsoft Docs,0是超时,11010是被QOS限制了重试几次就好。
fd42:4242:2601:31f0::1
§ Challenge 1
1 | Welcome to the burble.dn42 ping challenge. Ping fd42:4242:2601:31f0:1a2:a1a0:5974:166d to continue. |
fd42:4242:2601:31f0:1a2:a1a0:5974:166d
§ Challenge 2
1 | Congratulations, you have completed level 1. Challenges are dynamically generated, and the server retains state between each level. Each IP you see here is specific to you and your source IP address. Ping fd42:4242:2601:31f0:2f8:5679:c098:8f36 to continue. |
fd42:4242:2601:31f0:2f8:5679:c098:8f36
§ Challenge 3
1 | You can ping fd42:4242:2601:31f0::2 to check your current challenge level. Ping '467d:2fa3:b32f:7d3:0f13:1062:2424:24df' to continue. |
467d:2fa3:b32f:7d3:0f13:1062:2424:24df
fd42:4242:2601:31f0:3d7:f23b:3af2:d764
§ Challenge 4
1 | You can also ping fd42:4242:2601:31f0::3 to check the current challenge again. Ping 'Foxtrot Delta Four Two : Four Two Four Two : Two Six Zero One : Three One Foxtrot Zero : Four Delta One : Delta Foxtrot Seven Five : Five Delta Six Three : Six One Charlie Six ' to continue. |
fd42:4242:2601:31f0:4d1:df75:5d63:61c6
§ Challenge 5
1 | A CyberChef may come in handy when completing the challenges. Ping '..-. -.. ....- ..--- : ....- ..--- ....- ..--- : ..--- -.... ----- .---- : ...-- .---- ..-. ----- : ..... -.. ..-. : -.. -.-. -... -.-. : ...-- ..--- ----. ..-. : ...-- -.... ----. ..--- ' to continue. |
..-. -.. ....- ..---
=fd42
....- ..--- ....- ..---
=4242
..--- -.... ----- .----
=2601
...-- .---- ..-. -----
=31f0
..... -.. ..-.
=5df
-.. -.-. -... -.-.
=dcbc
...-- ..--- ----. ..-.
=329f
...-- -.... ----. ..---
=3692
fd42:4242:2601:31f0:5df:dcbc:329f:3692
§ Challenge 6
1 | Ping 'fd424242260131f006e1b47ca52f1f6d' to continue. |
fd424242260131f006e1b47ca52f1f6d
fd42:4242:2601:31f0:06e1:b47c:a52f:1f6d
§ Challenge 7
1 | Ping '11111101010000100100001001000010001001100000000100110001111100000000011110101001100011010000110101100101000011000111111001000011' to continue. |
11111101010000100100001001000010001001100000000100110001111100000000011110101001100011010000110101100101000011000111111001000011
1 | parseInt("11111101010000100100001001000010001001100000000100110001111100000000011110101001100011010000110101100101000011000111111001000011",2).toString(16) |
FD424242260131F007A98D0D650C7E43
fd42:4242:2601:31f0:07a9:8d0d:650c:7e43
§ Challenge 8
1 | Swap everything. Ping 'c2c29508a681d3f6424242fdf0310126' to continue. |
c2c29508a681d3f6424242fdf0310126
长度相同 不是映射(c->f/4) fd
42
c2c29508a681d3f6424242fd f0310126
->f0310126 c2c29508a681d3f6424242fd
f0 31 01 26 c2 c2 95 08 a6 81 d3 f6 42 42 42 fd
->fd424242f6d381a60895c2c2260131f0
fd42 4242 f6d381a60895c2c2 260131f0
->fd42 4242 2601 31f0 f6d381a60895c2c2
fd424242260131f0 f6d381a6 0895 c2c2
->fd424242260131f0 0895 c2c2 f6d381a6
§ Challenge 9
1 | UGluZyBmZDQyOjQyNDI6MjYwMTozMWYwOjkwMDoyMmUwOmYxZjA6ZjVlYyB0byBjb250aW51ZS4= |
=
Base64
Ping fd42:4242:2601:31f0:900:22e0:f1f0:f5ec to continue.
fd42:4242:2601:31f0:900:22e0:f1f0:f5ec
§ Challenge 10 = Checkpoint
§ Challenge 11
1 | Well done, you have reached the first checkpoint. Checkpoints are fixed IPs that will reset your progress at any time. Note that checkpoints are specific to your source IP address. Ping fd42:4242:2601:31f0:be6:4d7:42a0:9c9f to continue. |
Ping ::2 got 11
§ Challenge 12
1 | The next set of challenges are all related to encryption. This IP address here is simply encrypted, but requires no key ?! MzD0Zwb0ZwDlBwV2ZQR6ZmSzZQcwMQD6LGDlMGcvL2V4BzMxZN== |
MzD0Zwb0ZwDlBwV2ZQR6ZmSzZQcwMQD6LGDlMGcvL2V4BzMxZN==
1 | var enc = "MzD0Zwb0ZwDlBwV2ZQR6ZmSzZQcwMQD6LGDlMGcvL2V4BzMxZN==" |
fd42:4242:2601:31f0:cd4:a42e:bcb8:fd0
§ Challenge 13
1 | Either A or B, but not both: 539519e3c849093c9235c0f8b4e8c621 aed75ba1ee4838cc9f9649c991799820 |
Either A or B, but not both
539519e3c849093c9235c0f8b4e8c621
aed75ba1ee4838cc9f9649c991799820
XOR(0x539519e3c849093c9235c0f8b4e8c621, 0xaed75ba1ee4838cc9f9649c991799820) = fd 42 42 42 26 01 31 f0 0d a3 89 31 25 91 5e 01
1 | (0xaed75ba1ee4838cc9f9649c991799820n ^ 0x539519e3c849093c9235c0f8b4e8c621n).toString(16) = 'fd424242260131f00da3893125915e01' |
fd42:4242:2601:31f0:0da3:8931:2591:5e01
§ Challenge 14
1 | The challenges so far have been too simple, a more Advanced Encryption Standard is required: 0349f977bc7b3dd620eab4d41390a13b 47b3c7bb0b388c33d10088365379ce35 11ec1b0d5e9f20785f56636af70fbb54 |
Advanced Encryption Standard
= AES
Key = 0349f977bc7b3dd620eab4d41390a13b
IV = 47b3c7bb0b388c33d10088365379ce35
Encrypted = 11ec1b0d5e9f20785f56636af70fbb54
Mode = CFB
Decrypted = fd424242260131f00ee433c479b85e98
fd42:4242:2601:31f0:0ee4:33c4:79b8:5e98
§ Challenge 15
1 | This time the key is in plain sight.. 7165d0e0c4c105c4de8e7ea85a6ef4fb e7da0d7a50946d590f8ebd5bde61c4b7 |
\sin plain sight.
(" in plain sight.", 16, 128 bits, 20696e20706c61696e2073696768742e
)
in plain sight..
(16, 128 bits, 696e20706c61696e2073696768742e2e
, thanks to @Chimon)
7165d0e0c4c105c4de8e7ea85a6ef4fb
(16 bytes, 128 bits)
e7da0d7a50946d590f8ebd5bde61c4b7
(16 bytes, 128 bits)
- Blowfish/DES: 64 bits key
- Triple DES: 192 bits key
- Vigenère Decode/Bifid Cipher Decode: only letter key
- AES-128/RC2/RC4
- AES-128
- 16 bytes key
- 16 bytes IV
- AES-128
Key = 696e20706c61696e2073696768742e2e
IV = 7165d0e0c4c105c4de8e7ea85a6ef4fb
Encrypted = e7da0d7a50946d590f8ebd5bde61c4b7
Mode = OFB
Decrypted = fd424242260131f00f9505d3437332c9
fd42:4242:2601:31f0:0f95:05d3:4373:32c9
§ Challenge 16
1 | Cryptoanalysis required: 327777775b36662545055d7fa47ad1da |
327777775b36662545055d7fa47ad1da
32 77 77 77 5b 36 66 25 45 05 5d 7f a4 7a d1 da
32 chars, 128 bits
reversable, not hashing, same size = mapping
fd42:4242:2601:31f0
to AxBC:BCBC:CxDE:xEAD
to xxABABAB
424242
to n(n-2)n(n-2)n(n-2)
fd424242
= xxAAAAAA
= 32777777
Src | Dst | Src | Dst |
---|---|---|---|
fd | 32 | 01 | 36 |
42 | 77 | 31 | 66 |
26 | 5b | f0 | 25 |
fd - 32 = cb(byte overflow) fd + 35 = 32
36 - 01 = 35
66 - 31 = 35
dst = src + 35
src = dst - 35
45 05 5d 7f a4 7a d1 da
= 10d0:284a:6f45:9ca5
fd42:4242:2601:31f0:10d0:284a:6f45:9ca5
§ Challenge 19
1 | I forgot the last two bytes of the IP ! I did manage to checksum the address first though: fd42:4242:2601:31f0:1300:d2a9:7f78:0 / SHA256:8bd1cd77f57fd1a55e48575a258477fc32d752d88ed9a146ca4213737d18acd9 |
1 | for(var n = 0; n < 65536; n ++) { |
1 | Found 1803 |
fd42:4242:2601:31f0:1300:d2a9:7f78:1803
§ Challenge 20 = Checkpoint
1 | Well done, you have reached the next checkpoint. You can use this address to restart from this level at any time. Ping fd42:4242:2601:31f0:14a2:133:bb0a:213b to continue. |
§ Challenge 21
1 | The next level requires a payload size appropriate for this decentralised network: fd42:4242:2601:31f0:159f:e67e:2ff:e2b6 |
Size 0: Incorrect packet: 0
Wireshark filter: icmpv6 && icmpv6.type == 129
Fuzzed, found correct packet size 42.
this decentralised network
= DN42
= 42
§ Challenge 22
1 | IP packet size, int((rev(IP))*100): fd42:4242:2601:31f0:16eb:f338:669d:810d |
int((rev(IP))*100)
fd42:4242:2601:31f0:16eb:f338:669d:810d
int()
: size not matching
from upper: too big for ICMP pingfrom lower
IP
:
fd42:4242:2601:31f0:16eb:f338:669d:810d
Internet Protocol
int((rev(IP))*100)
= int( ( rev(IP) ) * 100 )
= 600
IP header = 40 bytes
ICMP header = 8 bytes
ICMP ping data size = int((rev(IP))*100)
- 48
MTU ~= 1500
Max IPv6 Frame Size = 1368 bytes
Fuzzed, got correct ICMP data size 266
rev(IP)
= reverse(IP)
= PI
= 3.14
§ Challenge 24
1 | Make it just in time: fd42:4242:2601:31f0:18e0:82a8:4195:e5a4 |
0 -> Incorrect packet: 122
1 -> Incorrect packet: 122
122 -> Incorrect packet: 122.....................................................................................................
123 -> Incorrect packet: 122......................................................................................................
124 -> Incorrect packet: 122.......................................................................................................
122
= 0x7a
= 'z'
Fuzzed, all incorrect.
Not related to data size
Found after a tracert, its about TTL.
Make the TTL of the packet which arrived at the remote server is 0.
tracert
(traceroute
) finish it quickly.
§ Challenge 25
1 | Arrive early, with plenty of time to spare: fd42:4242:2601:31f0:19c9:f419:d01e:2a89 |
fd42:4242:2601:31f0:19c9:f419:d01e:2a89
§ Challenge 26
1 | Single byte payload, you know the number by now: fd42:4242:2601:31f0:1ae7:1959:c3e1:4dcb |
fd42:4242:2601:31f0:1ae7:1959:c3e1:4dcb
Single byte payload
Ping with one byte: Incorrect packet: 1/97
97
= 'a'
= default payload on Windows
Fuzzed, value = 42
§ Challenge 27
1 | The payload should be the first rule of dn42: fd42:4242:2601:31f0:1b94:654f:fc67:a476 |
fd42:4242:2601:31f0:1b94:654f:fc67:a476
Search in Bing, got howto/networksettings (dn42.dev).
The first rule of dn42: Always disable
rp_filter
.
Always disable rp_filter.
After tries, found correct payload rp_filter
.
§ Challenge 28
1 | Use the source Luke: fd10:78d4:da31:0:5cce:353e:83bb:ec4c -> fd42:4242:2601:31f0:1cb0:8168:d0fa:677f |
fd10:78d4:da31:0:5cce:353e:83bb:ec4c
fd42:4242:2601:31f0:1cb0:8168:d0fa:677f
Use the given address to ping.
§ Challenge 29
1 | Now return back to your original src IP. Ping fd42:4242:2601:31f0:1d00:cfe5:fb89:ebb9 to continue |
fd42:4242:2601:31f0:1d00:cfe5:fb89:ebb9
1 | Congratulations ! You have completed the ping challenge. I hope you had fun along the way and, of course, please let me know any issues or feedback. burble. |
§ 本页历史
- 2028.8.21:First Finish!