CTF/InsomniHack-2018/Spoke

121 bytes added, 12:48, 25 March 2018
= Spoke =
== Challenge ==
An administrator changed the VPN configuration to IKEv1 main mode.
Try to access to intranet website.
* File Archive [[Media:7a071362b981aa2a4d97a7307054ca43.zip|7a071362b981aa2a4d97a7307054ca43]].
* MD5 Checksum: 7a071362b981aa2a4d97a7307054ca43
* Category: network
== What's inside the archive? ==
Let's have a look at what's inside this archive: we have a PCAP traffic capture and some IPSec debug information (including keys!) coming from a Fortinet device.
<pre>dec:pkts/bytes=52/4223, enc:pkts/bytes=7/948
user@kali:~/ins18/Spoke$ </pre>
== Decrypt the traffic ==
Analysing the traffic capture, we can find IPSec encrypted traffic between two endpoints, 10.13.38.122 and 10.13.37.70. Fortunately, the Fortinet debug output gives us the session keys (SPI, encryption and integrity keys for each direction), which can be fed to Wireshark to decrypt the ESP traffic directly.
[[File:Screenshot_2018-03-24_12-29-48.png|frame|100px|none|alt=|Configuring ESP SAs]]
[[File:Screenshot_2018-03-24_20-58-36.png|frame|100px|none|alt=|Configuring IKEv1 Decryption Table]]
This packet shows us the actual target of this challenge:
<pre>24 4.503228 10.13.38.122 10.249.251.10 DNS 170 Standard query 0x6561 A intranet.gloup.adds OPT</pre>
== Crack the PSK ==
The next step is to recover the PSK. To do that we need to build a file containing the necessary parameters for the <code>psk-crack</code> utility coming from the [https://github.com/royhills/ike-scan <code>ike-scan</code> project]. The format of the file is not documented in the help output, but can be found by [https://github.com/royhills/ike-scan/blob/692163bd7e3de4bf5e802b1e30ade38134033c44/isakmp.c#L2680 reading through the source code]. In main mode the responder hash is carried inside the encrypted exchange, so it is only available once the IKE traffic has been decrypted with the keys from the debug output, as above.
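To make the file format concrete, here is an added Python example (not part of the original write-up and not code from the ike-scan project) that builds a <code>psk-crack</code> input line and then does what <code>psk-crack</code> does with it: recompute HASH_R from RFC 2409 for each candidate PSK and compare. The nine-field order (<code>g_xr:g_xi:cky_r:cky_i:sai_b:idir_b:ni_b:nr_b:hash_r</code>) is my reading of the linked source; all byte values are constructed for the demo and are not taken from the challenge capture.

```python
import hashlib
import hmac
from typing import Dict, Iterable, Optional

# Field order of one psk-crack input line, as ike-scan's --pskcrack option
# writes it (my reading of the linked isakmp.c; assumption, not verified
# against every release): nine hex strings separated by colons.
FIELDS = ("g_xr", "g_xi", "cky_r", "cky_i", "sai_b", "idir_b", "ni_b", "nr_b", "hash_r")
Params = Dict[str, bytes]


def skeyid(psk: bytes, ni_b: bytes, nr_b: bytes, prf: str) -> bytes:
    """RFC 2409 section 5.4 (pre-shared key auth): SKEYID = prf(PSK, Ni_b | Nr_b)."""
    return hmac.new(psk, ni_b + nr_b, prf).digest()


def hash_r(psk: bytes, p: Params, prf: str) -> bytes:
    """RFC 2409 section 5: HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)."""
    data = p["g_xr"] + p["g_xi"] + p["cky_r"] + p["cky_i"] + p["sai_b"] + p["idir_b"]
    return hmac.new(skeyid(psk, p["ni_b"], p["nr_b"], prf), data, prf).digest()


def to_psk_crack_line(p: Params) -> str:
    """Serialise parameters into one psk-crack input line."""
    return ":".join(p[f].hex() for f in FIELDS)


def parse_psk_crack_line(line: str) -> Params:
    """Inverse of to_psk_crack_line; rejects lines with the wrong field count."""
    parts = line.strip().split(":")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    return {f: bytes.fromhex(v) for f, v in zip(FIELDS, parts)}


def prf_for(p: Params) -> str:
    """Pick the PRF from the hash length: 16 bytes -> HMAC-MD5, 20 bytes -> HMAC-SHA1."""
    return {16: "md5", 20: "sha1"}[len(p["hash_r"])]


def crack(line: str, candidates: Iterable[str]) -> Optional[str]:
    """Return the first candidate PSK whose HASH_R matches the captured one, else None."""
    p = parse_psk_crack_line(line)
    prf = prf_for(p)
    for cand in candidates:
        if hmac.compare_digest(hash_r(cand.encode(), p, prf), p["hash_r"]):
            return cand
    return None


def _fake(label: str, n: int) -> bytes:
    """Deterministic constructed bytes for the sample below (not real protocol data)."""
    out = b""
    while len(out) < n:
        out += hashlib.sha256(label.encode() + bytes([len(out) % 256])).digest()
    return out[:n]


# Constructed sample: only the lengths are realistic (DH group 2 gives 128-byte
# public values, cookies are 8 bytes); the PSK is invented for the demo.
SAMPLE_PSK = "fortigate123"
SAMPLE_PARAMS: Params = {
    "g_xr": _fake("g_xr", 128),
    "g_xi": _fake("g_xi", 128),
    "cky_r": _fake("cky_r", 8),
    "cky_i": _fake("cky_i", 8),
    "sai_b": _fake("sai_b", 52),
    # ID payload body: type 1 (ID_IPV4_ADDR), proto 0, port 0, then the address
    "idir_b": bytes([1, 0, 0, 0]) + bytes([10, 249, 252, 1]),
    "ni_b": _fake("ni_b", 20),
    "nr_b": _fake("nr_b", 20),
}
SAMPLE_PARAMS["hash_r"] = hash_r(SAMPLE_PSK.encode(), SAMPLE_PARAMS, "sha1")
SAMPLE_LINE = to_psk_crack_line(SAMPLE_PARAMS)

if __name__ == "__main__":
    print(SAMPLE_LINE[:60] + "...")
    print("cracked:", crack(SAMPLE_LINE, ["password", "cisco", SAMPLE_PSK]))
```

Feeding a real line into <code>psk-crack</code> is then <code>psk-crack -d wordlist.txt params.txt</code>; the script above is only meant to show which bytes go where and why a wrong PRF guess (MD5 vs SHA1) silently yields no match.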
The tunnel is now up and running, but we still cannot access the target server (10.249.251.10): outgoing traffic is correctly sent through the IPSec tunnel, but no replies come back.
== Setup BGP routing ==
This is where we start to understand why the BGP session from the PCAP might actually be useful: the far end has no route back to us until we announce one.
We're going to set up our good old friend Quagga (<code>apt install quagga</code>) as a BGP speaker to announce our own IP to the network equipment at the other end of the tunnel. All of the parameters can be extracted from the PCAP:
* ASN: 65515
* iBGP session, the same ASN is used on both ends
* Remote peer: 10.249.252.1
* Two prefixes are being announced:
** 10.249.2.4/32
** 10.13.38.122/32
The first IP (10.249.2.4) was received during the IPSec configuration phase.
<pre>line vty
!</pre>
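For reference, here is a complete <code>bgpd.conf</code> reconstructed from the parameters listed above. It is an added example, not the original write-up's file: the router-id, the <code>update-source</code> choice (assuming 10.249.2.4, the address received during the IPSec configuration phase, is bound to the local tunnel interface), the vty password and logging lines are my assumptions; the ASN, peer and prefixes are the ones from the PCAP.

```text
! /etc/quagga/bgpd.conf (Quagga) - reconstructed example, assumptions marked
hostname bgpd
password zebra
log stdout
!
router bgp 65515
 ! assumption: use the address assigned over IPSec as router-id
 bgp router-id 10.249.2.4
 ! iBGP session: same ASN on both ends, peer address from the PCAP
 neighbor 10.249.252.1 remote-as 65515
 ! assumption: 10.249.2.4 is configured on the local tunnel interface
 neighbor 10.249.252.1 update-source 10.249.2.4
 ! the two prefixes announced in the captured UPDATE
 network 10.249.2.4/32
 network 10.13.38.122/32
!
line vty
!
```

<code>zebra</code> has to be running alongside <code>bgpd</code> so that the prefixes learned from the peer (the 10.249.251.0/24 side) are installed in the kernel routing table; <code>vtysh -c 'show ip bgp summary'</code> confirms the session reached Established, and <code>vtysh -c 'show ip route bgp'</code> shows what was installed.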
== Get the flag ==
So now connectivity toward the target network (10.249.251.0/24) is working, and we can finally resolve the IP address of <code>intranet.gloup.adds</code>, connect to it and get the flag!
<pre>INS{G1v3_M3_Y0ur_PSK}
user@kali:~$ </pre>
== Wrap up ==
We actually spent quite some time on this challenge (6-7 hours) but it was worth it! It had a good mix of finding a needle in a haystack, applied cryptography and network magic but perhaps too many ways to get lost during its resolution :)