Rootme Patched Transmission
ETHERNET Patched Transmission
Frame reconstitution
We are given a handful of frames, and our goal is to recover the lost information.
>>> INGRESS >>>
0x0000: 0050 569e 7bf9 0050 569e 7bfb 8100 0185
0x0010: 86dd 6000 0000 0040 3a40 2002 c000 0203
0x0020: 0000 0000 0000 0000 7331 2002 c000 0203
0x0030: 0000 0000 0000 0000 dead 8000 0af0 0792
0x0040: 0001 146d a451 0000 0000 d020 0300 0000
0x0050: 0000 2d4d 452e 4f52 4720 524f 4f54 2d4d
0x0060: 452e 4f52 4720 524f 4f54 2d4d 452e 4f52
0x0070: 4720 524f 4f54 2d4d 452e
>>> INGRESS >>>
0x0000: 0050 569e 7bf7 0050 569e 7bf9 8100 0186
0x0010: 86dd 6000 0000 0040 3a40 2002 c000 0203
0x0020: 0000 0000 0000 0000 b00b 2002 c000 0203
0x0030: 0000 0000 0000 0000 fada 8000 0af0 0792
0x0040: 0001 146d a451 0000 0000 d020 0300 0000
0x0050: 0000 2d4d 452e 4f52 4720 524f 4f54 2d4d
0x0060: 452e 4f52 4720 524f 4f54 2d4d 452e 4f52
0x0070: 4720 524f 4f54 2d4d 452e
>>> INGRESS >>>
0x0000: 0050 569e 7bfe 0050 569e 7bf7 8100 0186
0x0010: 86dd 6000 0000 0040 3a40 2002 c000 0203
0x0020: 0000 0000 0000 0000 7331 2002 c000 0203
0x0030: 0000 0000 0000 0000 b00b 8000 c760 0795
0x0040: 0001 906d a451 0000 0000 8fac 0b00 0000
0x0050: 0000 2d4d 452e 4f52 4720 524f 4f54 2d4d
0x0060: 452e 4f52 4720 524f 4f54 2d4d 452e 4f52
0x0070: 4720 524f 4f54 2d4d 452e
<<< EGRESS <<<
0x0000: 0050 569e 7b?? 0050 569e 7b?? ???? 0186
0x0010: 86dd 6000 0000 0040 ??40 2002 c000 0203
0x0020: 0000 0000 0000 0000 ???? 2002 c000 0203
0x0030: 0000 0000 0000 0000 ???? ??00 09f0 0792
0x0040: 0001 146d a451 0000 0000 d020 0300 0000
0x0050: 0000 2d4d 452e 4f52 4720 524f 4f54 2d4d
0x0060: 452e 4f52 4720 524f 4f54 2d4d 452e 4f52
0x0070: 4720 524f 4f54 2d4d 452e
These are 4 frames, and we need to decode them.
A packet-decoding website lets us decode the frames and see what is inside them. It expects each frame as bare hex, without the offsets, in this format:
0050 569e 7bf9 0050 569e 7bfb 8100 0185
86dd 6000 0000 0040 3a40 2002 c000 0203
0000 0000 0000 0000 7331 2002 c000 0203
0000 0000 0000 0000 dead 8000 0af0 0792
0001 146d a451 0000 0000 d020 0300 0000
0000 2d4d 452e 4f52 4720 524f 4f54 2d4d
452e 4f52 4720 524f 4f54 2d4d 452e 4f52
4720 524f 4f54 2d4d 452e
0050 569e 7bf7 0050 569e 7bf9 8100 0186
86dd 6000 0000 0040 3a40 2002 c000 0203
0000 0000 0000 0000 b00b 2002 c000 0203
0000 0000 0000 0000 fada 8000 0af0 0792
0001 146d a451 0000 0000 d020 0300 0000
0000 2d4d 452e 4f52 4720 524f 4f54 2d4d
452e 4f52 4720 524f 4f54 2d4d 452e 4f52
4720 524f 4f54 2d4d 452e
0050 569e 7bfe 0050 569e 7bf7 8100 0186
86dd 6000 0000 0040 3a40 2002 c000 0203
0000 0000 0000 0000 7331 2002 c000 0203
0000 0000 0000 0000 b00b 8000 c760 0795
0001 906d a451 0000 0000 8fac 0b00 0000
0000 2d4d 452e 4f52 4720 524f 4f54 2d4d
452e 4f52 4720 524f 4f54 2d4d 452e 4f52
4720 524f 4f54 2d4d 452e
0050 569e 7b?? 0050 569e 7b?? ???? 0186
86dd 6000 0000 0040 ??40 2002 c000 0203
0000 0000 0000 0000 ???? 2002 c000 0203
0000 0000 0000 0000 ???? ??00 09f0 0792
0001 146d a451 0000 0000 d020 0300 0000
0000 2d4d 452e 4f52 4720 524f 4f54 2d4d
452e 4f52 4720 524f 4f54 2d4d 452e 4f52
4720 524f 4f54 2d4d 452e
This gives us a decoded view of each frame.
We need to find the missing bytes in the 4th frame, which means understanding the structure of an Ethernet frame.
Ethernet packet
Slicing the data by hand shows what is going on, so I took a single frame and put it in a file.
cat frame
0050 569e 7bfe 0050 569e 7bf7 8100 0186
86dd 6000 0000 0040 3a40 2002 c000 0203
0000 0000 0000 0000 7331 2002 c000 0203
0000 0000 0000 0000 b00b 8000 c760 0795
0001 906d a451 0000 0000 8fac 0b00 0000
0000 2d4d 452e 4f52 4720 524f 4f54 2d4d
452e 4f52 4720 524f 4f54 2d4d 452e 4f52
4720 524f 4f54 2d4d 452e
I'll put it on a single line without any spaces.
cat frame | tr -d " " | tr -d "\n" > single_line_packet
So I wrote a small script to slice the header. It looks like this:
line=$(cat single_line_packet)
# Ethernet II header: destination MAC comes first on the wire (6 bytes = 12 hex chars), then the source MAC
dst_mac=$(echo "$line" | cut -c1-12)
src_mac=$(echo "$line" | cut -c13-24)
# 802.1Q tag: TPID (0x8100) and TCI, followed by the real EtherType
TPID=$(echo "$line" | cut -c25-28)
TCI=$(echo "$line" | cut -c29-32)
type_id=$(echo "$line" | cut -c33-36)
echo "DstMac: $dst_mac"
echo "SourceMac: $src_mac"
echo "TPID: $TPID"
echo "TCI: $TCI"
echo "Type: $type_id"
The result is
DstMac: 0050569e7bf9
SourceMac: 0050569e7bfb
TPID: 8100
TCI: 0185
Type: 86dd
The type is 86dd. Looking up that EtherType gives the protocol IPv6, so the next part of the frame is the IPv6 header.
This is what the header looks like:
Version (4 bits)
Traffic Class (6+2 bits)
Flow Label (20 bits)
Payload Length (16 bits)
Next Header (8 bits)
Hop Limit (8 bits)
Source Address (128 bits)
Destination Address (128 bits)
Another script to slice it. The IPv6 fixed header starts right after the 18-byte Ethernet + VLAN header, i.e. at character 37:
line=$(cat single_line_packet)
# Format for IPv6
version=$(echo "$line" | cut -c37-44)      # Version, Traffic Class and Flow Label (4 bytes)
payload_len=$(echo "$line" | cut -c45-48)
next_header=$(echo "$line" | cut -c49-50)
hop_limit=$(echo "$line" | cut -c51-52)
src_adr=$(echo "$line" | cut -c53-84)      # 16 bytes = 32 hex chars
dst_adr=$(echo "$line" | cut -c85-116)
echo "Version/Traffic_class/FlowLabel: $version"
echo "Payload Length: $payload_len"
echo "Next header: $next_header"
echo "Hop Limit: $hop_limit"
echo "Src address : $src_adr"
echo "Dst address : $dst_adr"
The result is
Version/Traffic_class/FlowLabel: 60000000
Payload Length: 0040
Next header: 3a
Hop Limit: 40
Src address : 2002c000020300000000000000007331
Dst address : 2002c00002030000000000000000dead
The next header is 3a. A quick search shows that Next Header value 0x3a (58 in decimal) means the payload is ICMPv6.
Another header to slice. This is the format of the header:
Type (8 bits)
Code (8 bits)
Checksum (16 bits)
Message Body (variable length; for Echo Request/Reply the first 32 bits are the Identifier and the Sequence Number)
More cutting. The ICMPv6 header starts right after the 40-byte IPv6 header, at character 117:
line=$(cat single_line_packet)
type_icmpv6=$(echo "$line" | cut -c117-118)
code=$(echo "$line" | cut -c119-120)
checksum=$(echo "$line" | cut -c121-124)
mbody=$(echo "$line" | cut -c125-132)      # Identifier + Sequence Number for an echo message
echo "Type= $type_icmpv6"
echo "Code= $code"
echo "Checksum= $checksum"
echo "Messagebody= $mbody"
The result looks like this
Type= 80
Code= 00
Checksum= 0af0
Messagebody= 07920001
Type=80 (128 in decimal) means ICMPv6 Echo Request.
This is the last field we need for this challenge. Looking at the broken frame, the last unknown characters are in the ICMPv6 header.
<<< EGRESS <<<
0x0000: 0050 569e 7b?? 0050 569e 7b?? ???? 0186
0x0010: 86dd 6000 0000 0040 ??40 2002 c000 0203
0x0020: 0000 0000 0000 0000 ???? 2002 c000 0203
0x0030: 0000 0000 0000 0000 ???? ??00 09f0 0792
0x0040: 0001 146d a451 0000 0000 d020 0300 0000
0x0050: 0000 2d4d 452e 4f52 4720 524f 4f54 2d4d
0x0060: 452e 4f52 4720 524f 4f54 2d4d 452e 4f52
0x0070: 4720 524f 4f54 2d4d 452e
Patching the packet
We now have the tools to extract the information from all the frames.
Running the scripts on each of them gives the following.
# Packet 1
SourceMac: 0050569e7bfb
DstMac: 0050569e7bf9
TPID: 8100
TCI: 0185
Type: 86dd
Version/Traffic_class/FlowLabel: 60000000
Payload Length: 0040
Next header: 3a
Hop Limit: 40
Src address : 2002c000020300000000000000007331
Dst address : 2002c00002030000000000000000dead
Type= 80
Code= 00
Checksum= 0af0
mbody= 07920001
# Packet 2
SourceMac: 0050569e7bf9
DstMac: 0050569e7bf7
TPID: 8100
TCI: 0186
Type: 86dd
Version/Traffic_class/FlowLabel: 60000000
Payload Length: 0040
Next header: 3a
Hop Limit: 40
Src address : 2002c00002030000000000000000b00b
Dst address : 2002c00002030000000000000000fada
Type= 80
Code= 00
Checksum= 0af0
mbody= 07920001
# Packet 3
SourceMac: 0050569e7bf7
DstMac: 0050569e7bfe
TPID: 8100
TCI: 0186
Type: 86dd
Version/Traffic_class/FlowLabel: 60000000
Payload Length: 0040
Next header: 3a
Hop Limit: 40
Src address : 2002c000020300000000000000007331
Dst address : 2002c00002030000000000000000b00b
Type= 80
Code= 00
Checksum= c760
mbody= 07950001
# Packet 4
SourceMac: 0050569e7b??
DstMac: 0050569e7b??
TPID: ????
TCI: 0186
Type: 86dd
Version/Traffic_class/FlowLabel: 60000000
Payload Length: 0040
Next header: ??
Hop Limit: 40
Src address : 2002c00002030000000000000000????
Dst address : 2002c00002030000000000000000????
Type= ??
Code= 00
Checksum= 09f0
mbody= 07920001
So the missing fields are the last 2 hex digits of the source and destination MAC, the TPID (VLAN tag), the Next Header field, the last 4 hex digits of the source and destination addresses, and the ICMPv6 type.
We also know this is IPv6 carrying ICMPv6. It looks like a ping request followed by a ping reply.
We can confirm that by looking at the type field of the first packet.
The type is 80 (hex), so 0x80 is 128 in decimal, and type 128 means Echo Request.
https://tools.ietf.org/html/rfc4443
We can guess that the first bytes that are missing are from the source mac replying.
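As an added example (my own code, not part of the original writeup), the following Python does the slicing that the cut scripts above do for the Ethernet/802.1Q, IPv6 and ICMPv6 headers, keeps `??` digits as unknown so the damaged EGRESS frame can be dissected and its missing fields listed, and adds the RFC 1624 incremental checksum rule, which goes beyond the writeup: it predicts how the ICMPv6 checksum moves when a single 16-bit word changes, a consistency check worth applying to any candidate patch of the fourth frame. The frame dumps are copied from the page, truncated to the header lines; the field names are my own.

```python
import re

# Constructed from the first INGRESS dump and the damaged EGRESS dump on the page (header lines only).
FRAME1 = """0050 569e 7bf9 0050 569e 7bfb 8100 0185
86dd 6000 0000 0040 3a40 2002 c000 0203
0000 0000 0000 0000 7331 2002 c000 0203
0000 0000 0000 0000 dead 8000 0af0 0792
0001 146d a451 0000 0000 d020 0300 0000"""
FRAME4 = """0050 569e 7b?? 0050 569e 7b?? ???? 0186
86dd 6000 0000 0040 ??40 2002 c000 0203
0000 0000 0000 0000 ???? 2002 c000 0203
0000 0000 0000 0000 ???? ??00 09f0 0792
0001 146d a451 0000 0000 d020 0300 0000"""

# (field, width in hex digits) in wire order: Ethernet II (destination MAC first), 802.1Q tag, IPv6, ICMPv6.
LAYOUT = [("dst_mac", 12), ("src_mac", 12), ("tpid", 4), ("tci", 4),
          ("ethertype", 4), ("ver_tc_flow", 8), ("payload_len", 4),
          ("next_header", 2), ("hop_limit", 2), ("src_addr", 32),
          ("dst_addr", 32), ("icmp_type", 2), ("icmp_code", 2),
          ("icmp_csum", 4), ("icmp_id", 4), ("icmp_seq", 4)]

def dissect(dump):
    """Slice a hex dump (with or without 0x0000: offsets) into named fields."""
    lines = [re.sub(r"^\s*0x[0-9a-f]+:", "", ln) for ln in dump.lower().splitlines()]
    hexstr = "".join("".join(ln.split()) for ln in lines)   # '?' nibbles survive
    fields, pos = {}, 0
    for name, width in LAYOUT:
        fields[name] = hexstr[pos:pos + width]
        pos += width
    return fields

def unknown_fields(fields):
    """Fields that still contain at least one unknown ('?') hex digit."""
    return [name for name, value in fields.items() if "?" in value]

def incremental_checksum(old_csum, old_word, new_word):
    """RFC 1624: checksum after one 16-bit word m becomes m' is ~(~HC + ~m + m')."""
    total = (~old_csum & 0xffff) + (~old_word & 0xffff) + (new_word & 0xffff)
    total = (total & 0xffff) + (total >> 16)   # fold end-around carries back in
    total = (total & 0xffff) + (total >> 16)
    return ~total & 0xffff

if __name__ == "__main__":
    f1, f4 = dissect(FRAME1), dissect(FRAME4)
    print("frame 1: %s -> %s, ICMPv6 type %s, checksum %s" % (
        f1["src_addr"][-4:], f1["dst_addr"][-4:], f1["icmp_type"], f1["icmp_csum"]))
    print("EGRESS fields still unknown:", unknown_fields(f4))
    # Swapping the two addresses leaves the one's-complement sum unchanged, so if a reply
    # differs from frame 1 only by swapped addresses and its type word, only that word moves the checksum.
    print("checksum if type 80 -> 81: %04x" % incremental_checksum(
        int(f1["icmp_csum"], 16), 0x8000, 0x8100))
```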