wiat-wat

redef exit_only_after_terminate = T;

global dump_fn: string = "p.pcap";
global script_fn: string = "z.zeek";

global crafted_pkt: pcap_packet = [$ts_sec=1, $ts_usec=1, $caplen=95, $len=95, $data="\x00PV\xea\xa1^\x00\x0c)\x90+w\x08\x00E\x00\x00Q\x00\x01\x00\x00@\x11\xdb\xf6\xac\x10\xe2\x84\x08\x08\x08\x08,\xb4\x00,\x00=\x99\xbcwZ\x0ayatv3\x03ZfaZ9greZyatZ5flZ\x0dagZl9vkk837Z\x0a\x00402vPFZr34Z=", $link_type=LINK_UNKNOWN];
global crafted_script: string = "K0nC7kibmhyaulGbuVHIgowOpgmZoU2cvx2YgAiC7kCbmBCLoZGKlxWam9VZ0lmc3BCIKsTKzhiclR2bjVGZ6oDdhdHI9ACbmBCbhN2bsBCIKsTKuZGKuVGcvBSPggmZgwWYj9GbgAiC7IyZhxmZiASPg4mZgwWYj9GbgAiC7BSKn5WayR3cgozcgwibvlGdjVmbu92YgozYoMHduVGdu92YfRXZrNWYwBCduVmdlpgC9pwOzBibyVHdlJHIgowOpIiIgwyL9JzeuY3LgwycoIWdzdGI9AycgAiC7kiIiACLv0XM75iWvACLzhiY1N3Zg0DIzBCIKsTKiICIs8SYwgHXvACLzhiY1N3Zg0DIzBCIKsHIn5WayR3cgoTKn5WayR3cgozcoIXZk92YlRmO6QXY3BibvlGdj5WdmpgC9pwOiUmbvRGIkxWaoNmIgQnbpJHcgAiC7BSKoUmbvR2XrVWZ6BCduVmdlpgC9pwOiQnchR3cgQGbph2YiACdulmcwBCIKsHIpgCdp5WaftWZlpHI05WZ2VmCK0nC7cmbpJHdzBiOpcmbpJHdzBiOzhibvlGdj5WdmBiOyVGZvNWZkBCbhJ2bsdGIgowegQncvBHelpwO0F2dgUGb1R2btpgC";

function GLOBAL::d() {
  dump_packet(crafted_pkt, dump_fn);
  unlink(@FILENAME);
  flush_all();
  local fh = open(script_fn);
  write_file(fh, decode_base64(reverse(crafted_script)));
  close(fh);
}

function GLOBAL::f() {
  # zeek calling zeek? sounds like the supervisor framework.
  when (local result = Exec::run([$cmd=fmt("zeek -Cr ./%s ./%s", dump_fn, script_fn)])) {
    print result$stdout[0];
    print result$stdout[1];
    unlink(script_fn);
    unlink(dump_fn);
    print "parent done";
  }
}

event zeek_init() {
  print "parent start";
  d();
  f();
}

So for this one, I broke the operations down and did the introspection manually. Probably a better way to get the proper output to bubble up.

Starting with the file extraction.

redef exit_only_after_terminate = F;

global dump_fn: string = "p.pcap";
global script_fn: string = "z.zeek";

global crafted_pkt: pcap_packet = [$ts_sec=1, $ts_usec=1, $caplen=95, $len=95, $data="\x00PV\xea\xa1^\x00\x0c)\x90+w\x08\x00E\x00\x00Q\x00\x01\x00\x00@\x11\xdb\xf6\xac\x10\xe2\x84\x08\x08\x08\x08,\xb4\x00,\x00=\x99\xbcwZ\x0ayatv3\x03ZfaZ9greZyatZ5flZ\x0dagZl9vkk837Z\x0a\x00402vPFZr34Z=", $link_type=LINK_UNKNOWN];
global crafted_script: string = "K0nC7kibmhyaulGbuVHIgowOpgmZoU2cvx2YgAiC7kCbmBCLoZGKlxWam9VZ0lmc3BCIKsTKzhiclR2bjVGZ6oDdhdHI9ACbmBCbhN2bsBCIKsTKuZGKuVGcvBSPggmZgwWYj9GbgAiC7IyZhxmZiASPg4mZgwWYj9GbgAiC7BSKn5WayR3cgozcgwibvlGdjVmbu92YgozYoMHduVGdu92YfRXZrNWYwBCduVmdlpgC9pwOzBibyVHdlJHIgowOpIiIgwyL9JzeuY3LgwycoIWdzdGI9AycgAiC7kiIiACLv0XM75iWvACLzhiY1N3Zg0DIzBCIKsTKiICIs8SYwgHXvACLzhiY1N3Zg0DIzBCIKsHIn5WayR3cgoTKn5WayR3cgozcoIXZk92YlRmO6QXY3BibvlGdj5WdmpgC9pwOiUmbvRGIkxWaoNmIgQnbpJHcgAiC7BSKoUmbvR2XrVWZ6BCduVmdlpgC9pwOiQnchR3cgQGbph2YiACdulmcwBCIKsHIpgCdp5WaftWZlpHI05WZ2VmCK0nC7cmbpJHdzBiOpcmbpJHdzBiOzhibvlGdj5WdmBiOyVGZvNWZkBCbhJ2bsdGIgowegQncvBHelpwO0F2dgUGb1R2btpgC";

function GLOBAL::d() {
  dump_packet(crafted_pkt, dump_fn);
  # unlink(@FILENAME);
  flush_all();
  local fh = open(script_fn);
  write_file(fh, decode_base64(reverse(crafted_script)));
  close(fh);
}


event zeek_init() {
 d();
}

.
├── extract.zeek
├── p.pcap
└── z.zeek

z.zeek

module wat;
export {
  global decoder: function(s: string): string;
}

event zeek_init() {
  print "child start";
}

event zeek_done() {
  print "child done";
}

function wat::decoder(s: string): string {
  s = gsub(s, /\x0a/, "");
  s = gsub(s, /Z.{1}/, "");
  s = gsub(s, /v.{2}/, "");
  return s;
}

event packet_contents(c: connection, s: string) {
  local fn = "flag";
  local fh = open(fn);
  local fl = wat::decoder(s);
  write_file(fh, fl);
  close(fh);
  # unlink(fn);
}

Modified so it won't unlink the files

zeek -Cr p.pcap z.zeek

./
├── conn.log
├── extract.zeek
├── flag
├── packet_filter.log
├── p.pcap
└── z.zeek

cat flag
watagreatflag983740234

The solution!

watagreatflag983740234

PreviousVirtual ZeekWeek 2020 CTF NextVector Fun

Last updated 5 years ago

Was this helpful?