13-04-writeup-network.adoc

March Network Challenge Write-Up

EXPLOITATION

• Inspect network.pcap

• Realize that the client is using rare option 90 in his DHCP request with values that wireshark cannot parse

• Spoof the MAC Address (just in case)

  sudo ifconfig eth0 hw ether 00:1c:25:b6:22:c8

Hard way

• Implement custom DHCP client in scapy. But we are lazier than this.

Easy way

• Edit /etc/dhclient.conf. Add on top the following lines:

  # the hack
  option auth code 90 = string;
  send auth = "PopTheShell";

• Kill dhclient (on Ubuntu it will restarted automatically)

• Go browser some weird site like kittenwars.com

• Be redirected

• Get the Flag

• …​

• Profit!