SMTP Challenge – Web 6 (Medium): National Cyber League (NCL) 2015 Post-Season

For a total of 300-points and using Node.js; this challenge required submitting a line-by-line solution via telnet or [ netcat / ncat / nc ].

The difficulty in this challenge came form having to craft the email in a very particular way which the server was expecting. For example: used the wrong syntax[1], improper use of case in the command(s) or spacing. Simply put, without the proper solution – the flag would not display.

Kudos to all who conqueror this challenge!

Question:

  • Connect to the smtp server at sb1.cyberskyline.com:3060 and send an email to daniel@hacker.test from the address, user4928@hacker.test, with a title saying you have the latest exploit and he will open it, allowing you to unlock the flag.
  • This SMTP server does not follow protocol exactly, but close enough.
  • What is the flag you receive from sending the spoofed email?

Code:

HELO HACKER.TEST
MAIL FROM:<user4928@hacker.test>
RCPT TO:<daniel@hacker.test>
DATA
From: "user4928" <user4928@hacker.test>
To: "daniel" <daniel@hacker.test>
Subject: you have the latest exploit
.
QUIT

Answer/Solution:

Telnet:

$ telnet sb1.cyberskyline.com 3060
Trying 104.236.16.36...
Connected to sb1.cyberskyline.com.
Escape character is '^]'.
220 sb1.cyberskyline.com ESMTP CyberSkyline
HELO HACKER.TEST
250 Hello HACKER, sb1.cyberskyline.com at your service
MAIL FROM:<user4928@hacker.test>
250 OK Sounds good, I like this idea
RCPT TO:<daniel@hacker.test>
250 OK Seems like a good person to write a note to
DATA
354 Go ahead, send all the cyber big data
From: "user4928" <user4928@hacker.test>
To: "daniel" <daniel@hacker.test>
Subject: you have the latest exploit
.
250 Ok: I will try my best to send this, I'm the little server that could
QUIT
221 Don't leave... I'm just a sad lonely server... closing connection.
Your flag is NCL-SAAS-3564 Thank you for playing
Connection closed by foreign host.

Netcat:

$ ncat sb1.cyberskyline.com 3060
220 sb1.cyberskyline.com ESMTP CyberSkyline
HELO HACKER.TEST
250 Hello HACKER, sb1.cyberskyline.com at your service
MAIL FROM:<user4928@hacker.test>
250 OK Sounds good, I like this idea
RCPT TO:<daniel@hacker.test>
250 OK Seems like a good person to write a note to
DATA
354 Go ahead, send all the cyber big data
From: "user4928" <user4928@hacker.test>
To: "daniel" <daniel@hacker.test>
Subject: you have the latest exploit
.
250 Ok: I will try my best to send this, I'm the little server that could
QUIT
221 Don't leave... I'm just a sad lonely server... closing connection.
Your flag is NCL-SAAS-3564 Thank you for playing

Reference:
[1] https://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol#SMTP_transport_example

December 12, 2015 0 Comments

No comments yet.

Leave a Reply