IrisCTF 2025: Inferno Barrier

Task:

Sees a firewall policy.

"Whoa. This is worthless!"

Solution:

We have to receive and send packets in a network simulator. We can receive the first packet by turning promiscuous mode on with prom on and then running the recv command. This gives the following text message once decoded from Base64:

Announcement: error: no announcement configured.
Run 'select (generic|date|time|flag)' to configure.

To send a packet back with the message select flag we need to swap around the ports and IP values, and then change the length in the packet. For example, if we have the packet in hex:

45 00 {00 81} 00 01 00 00 40 11 F7 0C [C0 A8 01 0A] [C0 A8 01 04] (11 C1) (28 67) {00 6D} 9C D4 41 6E 6E 6F 75 6E 63 65 6D 65 6E 74 3A 20 65 72 72 6F 72 3A 20 6E 6F 20 61 6E 6E 6F 75 6E 63 65 6D 65 6E 74 20 63 6F 6E 66 69 67 75 72 65 64 2E 0A 52 75 6E 20 27 73 65 6C 65 63 74 20 28 67 65 6E 65 72 69 63 7C 64 61 74 65 7C 74 69 6D 65 7C 66 6C 61 67 29 27 20 74 6F 20 63 6F 6E 66 69 67 75 72 65 2E 0A

{} - Length values
[] - IPs
() - Ports

We can construct a new packet (as hex):

45 00 00 27 00 01 00 00 40 11 00 00 C0 A8 01 04 C0 A8 01 0A 28 67 11 C1 00 13 00 00 73 65 6C 65 63 74 20 66 6C 61 67

In Base64:

RQAAJwABAABAEQAAwKgBBMCoAQooZxHBABMAAHNlbGVjdCBmbGFn

Exit promiscuous mode with prom off and run emit with the new Base64 encoded packet, then go back into promiscuous mode with prom on and run recv, and you will get this:

RQAAYQABAABAEfcswKgBCsCoAQQRwShnAE0Ys0Fubm91bmNlbWVudDogaXJpc2N0Znt1ZHBfMXBfc3AwMGZpbmdfaXNfdHIxdmlhbF9idXRfdW4xZGlyM2N0MTBuYWx9Cg==

Just decode this, and you will get the flag.

P.S: A lot of the swapping might not be needed? This solution worked for me, at least. Also I nulled out the checksum parts, which somehow worked too?

Flag:

irisctf{udp_1p_sp00fing_is_tr1vial_but_un1dir3ct10nal}

Resources:

https://hpd.gasmi.net/ (Packet analysis tool)