If we copy the first packet and send it to the server again, we get a new response with a different public key!
This clearly shows that the server is using a special protocol to interact with the client.
Now our goal is to figure out what the protocol looks like.
```python
from pwn import *

# replay the captured client packet over UDP and print whatever comes back
io = connect("3.93.213.98", 9855, typ="udp")
io.send(bytes.fromhex("000c01000001000000000000097075626c69636b65790000100001"))
print(io.recv())
```
```
$ python xxx.py
[+] Opening connection to 3.93.213.98 on port 9855: Done
b'\x00\x0c\x81\x80\x00\x01\x00\x02\x00\x00\x00\x00\tpublickey\x00\x00\x10\x00\x01\xc0\x0c\x00\x10\x00\x01\x00\x00\x137\x00\xff\xfe-----BEGIN RSA PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyljjH5MViK9eDX3TYlO8\nCei+rVufA+lrsw36gv/Ntv34PBXebZBC8BSwy/t0jMHnn7+9fY0zum9sMwV7A7R9\n3RWt5WppeqPyhuFNlM8DoGN5RLjTVLLKvSG2df5c8IktfDpjdrgUYDOiMMN7ANVE\nyIK+Nt+RBoGK2fkKk3NljlmmXKKP\xc0\x0c\x00\x10\x00\x01\x00\x00\x137\x00\xce\xcdU2yQZX6uHgMPXk1QSvXRsPcdWG255dBhVXK/\nrB2vAMOsD2QDMiUEa5KFgDxoBT3CH1H2nPCcXGux2j+gCpxyzzSdWrdxw64xmcGm\nrYWyC/lEygNDYc82JQJatHJSeDmz1TeA6LoY29QnKzSfrOZNvRxaB9NbbY7s9zRS\nJwIDAQAB\n-----END RSA PUBLIC KEY-----\n'
```
Analyzing the packets further, we found that all of them follow a similar structure:

```
header  + sequence num + next sequence num + magic data + [length + data   + ending ] * n
4 bytes + 2 bytes      + 2 bytes           + 4 bytes    + [1 byte + n bytes + 5 bytes] * n
```

Note that the maximum length of a single data chunk is 0xfe (254) bytes (the reply above carries the key as a 254-byte chunk followed by a 205-byte chunk); if our data is longer than 254 bytes, we need to split it into 254-byte chunks.
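The following is an added example (not part of the original write-up) that turns the layout above into code: a builder for the client packet with the 254-byte chunking, a constructed server-side encoder that mimics the framing seen in the captured reply, and a parser that reassembles the chunks. The header, magic and ending bytes are copied from the captured client packet; the reply header and the fixed 10-byte record prefix (ending in `0x1337`) are copied from the captured reply. It assumes the "sequence num" field counts the echoed `[length + data + ending]` units and "next sequence num" counts the records that follow, which is what the captured reply shows (1 and 2); how the server wants those fields set for a multi-chunk request is not shown on this page, so the caller passes them. Incidentally, this layout is byte-for-byte the DNS wire format (a TXT query for the name `publickey`; `\xc0\x0c` in the reply is a name back-pointer and `\x00\x10\x00\x01` is type TXT, class IN), which helps when reading the reply, but the code only follows the captured bytes.

```python
from __future__ import annotations

import socket
import struct

# Constants read straight off the captured client packet on this page.
HEADER = bytes.fromhex("000c0100")     # 4-byte header
MAGIC = bytes.fromhex("00000000")      # 4-byte "magic data"
ENDING = bytes.fromhex("0000100001")   # 5-byte ending after every data chunk
MAX_CHUNK = 0xFE                       # 254: largest single chunk seen in the reply

# Constants read off the captured reply: the reply header, and the fixed 10-byte
# prefix before each record; each record then carries a 2-byte total length and
# one or more 1-byte-length chunks.
REPLY_HEADER = bytes.fromhex("000c8180")
RECORD_PREFIX = bytes.fromhex("c00c0010000100001337")


def chunk(data: bytes, size: int = MAX_CHUNK) -> list[bytes]:
    """Split data into chunks of at most `size` bytes (254 by default)."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def build_query(data: bytes, seq: int, next_seq: int = 0) -> bytes:
    """Client -> server: header + seq + next seq + magic + [len + data + ending] * n."""
    pkt = HEADER + struct.pack(">HH", seq, next_seq) + MAGIC
    for c in chunk(data):
        pkt += bytes([len(c)]) + c + ENDING
    return pkt


def build_reply(query: bytes, payload: bytes, seq: int = 1) -> bytes:
    """Constructed server reply mimicking the captured framing (assumption): reply
    header, seq, record count, magic, the echoed query body, then one record per
    chunk, each as RECORD_PREFIX + 2-byte total + 1-byte chunk length + chunk."""
    chunks = chunk(payload)
    pkt = REPLY_HEADER + struct.pack(">HH", seq, len(chunks)) + MAGIC + query[12:]
    for c in chunks:
        pkt += RECORD_PREFIX + struct.pack(">H", len(c) + 1) + bytes([len(c)]) + c
    return pkt


def parse_reply(pkt: bytes) -> tuple[list[bytes], bytes]:
    """Walk a reply and return (echoed request chunks, reassembled payload).
    Every length is bounds-checked so a truncated or malformed reply raises
    ValueError instead of silently yielding a partial key."""
    if len(pkt) < 12:
        raise ValueError("truncated header")
    seq, nrec = struct.unpack(">HH", pkt[4:8])
    pos = 12
    echoed: list[bytes] = []
    for _ in range(seq):                      # echoed [len + data + ending] units
        if pos >= len(pkt):
            raise ValueError("missing echoed unit")
        n = pkt[pos]
        if pos + 1 + n + len(ENDING) > len(pkt):
            raise ValueError("echoed unit runs past end of packet")
        echoed.append(pkt[pos + 1:pos + 1 + n])
        pos += 1 + n + len(ENDING)
    payload = bytearray()
    for _ in range(nrec):                     # one record per data chunk
        if pkt[pos:pos + len(RECORD_PREFIX)] != RECORD_PREFIX:
            raise ValueError(f"unexpected record prefix at offset {pos}")
        pos += len(RECORD_PREFIX)
        if pos + 2 > len(pkt):
            raise ValueError("missing record length")
        (total,) = struct.unpack(">H", pkt[pos:pos + 2])
        pos += 2
        end = pos + total
        if end > len(pkt):
            raise ValueError("record runs past end of packet")
        while pos < end:                      # 1-byte length + chunk, repeated
            n = pkt[pos]
            if n > MAX_CHUNK or pos + 1 + n > end:
                raise ValueError(f"bad chunk length {n} at offset {pos}")
            payload += pkt[pos + 1:pos + 1 + n]
            pos += 1 + n
    return echoed, bytes(payload)


def send_query(data: bytes, host: str = "3.93.213.98", port: int = 9855,
               timeout: float = 3.0) -> bytes:
    """Send one request over UDP (host/port from the page) and return the raw reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(data, seq=1), (host, port))
        reply, _ = s.recvfrom(65535)
    return reply


if __name__ == "__main__":
    echoed, key = parse_reply(send_query(b"publickey"))
    print(echoed, key.decode())
```

`build_query(b"publickey", seq=1)` reproduces the captured client packet exactly, and the parser applied to the captured reply yields the two chunks (254 and 205 bytes) concatenated back into the full PEM key.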
Here is the packet (carrying the 9-byte data `publickey`) that the client sends to the server: