Shearwater AusCert 2016 CTF – Sheldon Writeup

This blog contains a write-up of the solution I used to solve the challenge “Sheldon” from the Packet Sheriff category. We are given a PCAP file called and a message saying “knock knock”.

The PCAP contains a connection to the destination server on port TCP/54321, to which the target server responded with “Who’s there”. After the response, the source server attempts to connect to every port beginning at TCP/1025. It became clear that certain ports responded differently; there is something funny going on here! When actually attempting to connect to TCP/54321, the connection was closed. But when actually connecting to TCP/1111, which was one of the ports that were different in the PCAP, we get a connection refused response straight away, whereas TCP/1112 would instead time out. This is very strange, but the pieces fell together and it was identified that this is a port knocking challenge.
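The response-difference check described above, as an added example (not the author's code and not derived from the challenge PCAP): it classifies each probed port by the server's reply and reports the ports that deviate from the majority. The packet tuples, the addresses and the assumption that most ports stay silent while a knock port answers with a reset are constructed for illustration.

```python
from collections import Counter

# Constructed addresses and packet summaries, not taken from the challenge PCAP.
# Each packet is (src, dst, sport, dport, flags): "S" = SYN from the client,
# "RA" = RST/ACK and "SA" = SYN/ACK from the server.
CLIENT, SERVER = "10.0.0.5", "10.0.0.9"


def build_sample():
    """Build a small constructed scan: most ports silent, 1111 resets, 54321 open."""
    pkts = []
    for i, port in enumerate(list(range(1105, 1116)) + [54321]):
        sport = 40000 + i
        pkts.append((CLIENT, SERVER, sport, port, "S"))
        if port == 1111:
            pkts.append((SERVER, CLIENT, port, sport, "RA"))
        elif port == 54321:
            pkts.append((SERVER, CLIENT, port, sport, "SA"))
    return pkts


def classify_ports(pkts, client, server):
    """Map each probed server port to its reply: 'open', 'refused' or 'silent'."""
    reply = {}
    for src, dst, sport, dport, flags in pkts:
        if src == client and dst == server and flags == "S":
            # A probe with no answer stays 'silent' (the client would time out).
            reply.setdefault(dport, "silent")
        elif src == server and dst == client and sport in reply:
            if "R" in flags:
                reply[sport] = "refused"
            elif flags == "SA":
                reply[sport] = "open"
    return reply


def outliers(reply):
    """Return the most common reply class and the ports that differ from it."""
    baseline, _ = Counter(reply.values()).most_common(1)[0]
    return baseline, {p: r for p, r in sorted(reply.items()) if r != baseline}


if __name__ == "__main__":
    baseline, odd = outliers(classify_ports(build_sample(), CLIENT, SERVER))
    print("baseline reply:", baseline)
    for port, kind in odd.items():
        print("port %d answered differently: %s" % (port, kind))
```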

The challenge name and description and the server’s response were all included as abstract hints. With the challenge concept understood, it was simple enough to determine every port required for the sequence and the final port to connect to. Below is the solution code for this challenge.

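#!/usr/bin/python
import socket

# Knock sequence, followed by the final port to connect to.
plist = [9999, 8888, 7777, 6666, 5555, 4444, 3333, 2222, 1111, 54321]
host = '52.64.111.123'
data = b""

for p in plist:
    print("Attempting to connect to %s on port %s" % (host, p))
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(1.0)
    try:
        s.connect((host, p))
        # Read up to three chunks of whatever the server sends.
        for _ in range(3):
            data += s.recv(1024)
    except socket.error:
        # Refused or timed-out connections are skipped; move on to the next port.
        pass
    finally:
        # Always release the socket, even when connect() or recv() fails.
        s.close()

# Decode so the output prints as text under both Python 2 and Python 3.
print(data.decode("utf-8", "replace"))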

Running the above solution code gave the following output and the challenge flag.

% python sheldon-sol.py              
Attempting to connect to 52.64.111.123 on port 9999
Attempting to connect to 52.64.111.123 on port 8888
Attempting to connect to 52.64.111.123 on port 7777
Attempting to connect to 52.64.111.123 on port 6666
Attempting to connect to 52.64.111.123 on port 5555
Attempting to connect to 52.64.111.123 on port 4444
Attempting to connect to 52.64.111.123 on port 3333
Attempting to connect to 52.64.111.123 on port 2222
Attempting to connect to 52.64.111.123 on port 1111
Attempting to connect to 52.64.111.123 on port 54321


flag{Knock_Knock_Knock_Penny}

Challenge completed.