"You went and got it knocked up." The challenge presented the user with the server binary and a live server listening for a specific series of port knocks. If you reversed the binary correctly and knocked on the ports in the right sequence, a rule for your IP was added to the server's firewall. You could then netcat to a specific port on the server to get the flag.
Knock on the right ports in the right way and get the flag! For the solution you had to write a client to authenticate with the server.
(Python scripts to get the flag from the remote server and the binary of the server to RE linked at the bottom.)
1) Reverse engineer the binary to get the connection type (UDP), the port numbers, the order to knock them in, and the time interval the knocks have to fit within.
2) Knock at 188.8.131.52 on ports 13102, 18264 and 18282 over UDP, quickly enough to pass the time check.
3) This adds a rule for your IP to iptables on the server, allowing you to netcat to port 10785.
4) Once your IP is added, netcat to port 10785 to get the flag.
5) Reverse further and find a second set of ports to knock at over UDP: 31717, 35314, 39979, 15148 and 14661.
6) This adds another iptables rule on the server, allowing you to netcat to 184.108.40.206 on port 9889.
7) Connecting to port 9889 brings up a fake 'shell'; enter tirer to get the binary for the next challenge.
The commands the server runs when a sequence completes (%IP% is replaced with the knocking source address):
/bin/bash -c "/sbin/iptables -I KNOCKEDUPD 1 -s %IP% -p tcp --dport 10785 -j ACCEPT"
/bin/bash -c "/sbin/iptables -I KNOCKEDUPD 1 58 -s %IP% -p tcp --dport 9889 -j ACCEPT"
For local testing, you can run the server with a knock.conf file in the same directory. The command-line flags to run the server locally are: "--interface" *your network device (lo, eth0, etc.)* and "--conf" *your conf file*.
The important function is the callback (sub_40375d) that is executed when knocks are received. Reversing this function tells you what the server is looking for. You can also find it by looking for the system() calls, since that is where the iptables commands are run.
Reverse this callback function.
This was the important function: it checked the ports, their sequence, and the time interval between knocks.
Realize that the server is checking for the specific three ports found in strings, and waiting for knocks over UDP at these ports with a very small time separation between them.
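The knock sequence from steps 1 to 7 and the callback check just described, as an added Python example (this is not the writeup's own client script and not the challenge binary): a UDP knock client you can point at the real server, plus a model of what the callback has to be checking, so you can see why a wrong order or a slow knock fails. The port lists and the 10785/9889 targets come from the writeup; the 0.5 s window, the reset-on-wrong-port behaviour, the per-source state layout and the loopback demo are assumptions standing in for what sub_40375d actually does.

```python
"""UDP port-knock client plus a model of the server-side sequence/timing check.

Added example for this writeup: not the original solution script and not the
challenge binary. Port lists and target ports are from the writeup; MAX_GAP,
the reset behaviour and the per-source state are assumptions.
"""
import select
import socket
import time

SEQ_FLAG = [13102, 18264, 18282]                 # from the writeup: unlocks TCP 10785
SEQ_TIRER = [31717, 35314, 39979, 15148, 14661]  # from the writeup: unlocks TCP 9889
MAX_GAP = 0.5  # ASSUMED window between consecutive knocks; read the real value out of the binary


def knock(host, ports, delay=0.0, payload=b"knock"):
    """Send one UDP datagram to each port in order, sleeping `delay` seconds between knocks.

    The server sends nothing back; success only shows up as the TCP port opening.
    Returns the number of knocks sent.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        for i, port in enumerate(ports):
            if i and delay:
                time.sleep(delay)
            sock.sendto(payload, (host, port))
    finally:
        sock.close()
    return len(ports)


class KnockState:
    """Per-source progress through one knock sequence, with the time check applied per knock."""

    def __init__(self, sequence, max_gap=MAX_GAP):
        self.sequence = list(sequence)
        self.max_gap = max_gap
        self.progress = {}    # src_ip -> (index of next expected port, time of last accepted knock)
        self.allowed = set()  # sources that completed the sequence (stand-in for the iptables rule)

    def on_knock(self, src_ip, port, now):
        """Feed one received knock. Returns True exactly when this knock completes the sequence."""
        idx, last = self.progress.get(src_ip, (0, None))
        if last is not None and now - last > self.max_gap:
            idx = 0                   # too slow: partial progress is discarded (assumed behaviour)
        if port != self.sequence[idx]:
            idx = 0                   # wrong port: start over, a correct first port still counts
            if port != self.sequence[0]:
                self.progress.pop(src_ip, None)
                return False
        idx += 1
        if idx == len(self.sequence):
            self.allowed.add(src_ip)  # the real server runs iptables -I KNOCKEDUPD ... -s <src_ip> here
            self.progress.pop(src_ip, None)
            return True
        self.progress[src_ip] = (idx, now)
        return False


def tcp_open(host, port, timeout=2.0):
    """Check whether the unlocked TCP port accepts a connection (what the nc step does)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def local_demo(ports=SEQ_FLAG, host="127.0.0.1"):
    """Bind UDP listeners on loopback, knock from this process, run the model over what arrives."""
    listeners = []
    for port in ports:
        lst = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        lst.bind((host, port))
        listeners.append(lst)
    state = KnockState(ports)
    knock(host, ports)
    opened = False
    deadline = time.time() + 2.0
    while not opened and time.time() < deadline:
        ready, _, _ = select.select(listeners, [], [], 0.1)
        for lst in ready:  # select() hands sockets back in bind order, which is sequence order
            _, (src, _) = lst.recvfrom(64)
            if state.on_knock(src, lst.getsockname()[1], time.time()):
                opened = True
    for lst in listeners:
        lst.close()
    return opened


if __name__ == "__main__":
    print("loopback knock unlocked:", local_demo())
```

Against the real server you would call `knock(server_ip, SEQ_FLAG, delay=0)` and then `tcp_open(server_ip, 10785)`; the model is only there to make the three failure modes (wrong port, wrong order, too slow) visible before spending knocks on a remote box that gives no feedback.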
reKNOCK sophia$ python defconquals2015_knockedupd_client.py
ports: 13102 18264 18282
delay: 0
reKNOCK sophia$ nc 220.127.116.11 10785
The flag is: 'Kn0ck kn0ck, Wh0 it is?'
SERVER (Patched out Timer)
Of the two sets of ports to knock at, we tried the larger set first and got to the tirer interface.
We wasted time fuzzing this before realizing we had started on the 400pt PWN challenge that was linked to this one :P