offknock — UMDCTF

Description

No organizer description was preserved in the local task files.

We are given a Python service that accepts a length-prefixed DNS packet over TCP, forwards the raw packet to a local UDP dnslib resolver, and returns the DNS response. The goal is to make the resolver return the TXT record containing the flag.

Analysis

The important behavior is in dns_server.py:

if '\x04flag\x06market\x03polȳ'.encode('utf8') in handler.request[0][12:30]:
    reply.add_answer(RR("flag.market.polȳ", QTYPE.TXT, rdata=TXT(flag)))

There are two different interpretations of the same bytes:

1. The service performs a raw byte check on handler.request[0][12:30].
2. dnslib parses the same bytes as a DNS name.

That mismatch is exploitable because the final character in polȳ is not ASCII. UTF-8 encodes ȳ as c8 b3, and in DNS name parsing any byte with the top two bits set (11xxxxxx) starts a compression pointer. So c8 b3 is interpreted as a pointer to absolute offset 0x08b3.

This means the qname bytes can satisfy the raw substring check:

04 66 6c 61 67 06 6d 61 72 6b 65 74 03 70 6f 6c c8 b3

while the DNS parser reads them as:

• label flag
• label market
• label pol
• compression pointer to offset 0x08b3

To keep the query valid, the pointer target must contain a valid DNS label sequence. The simplest choice is a zero byte, which represents the root label. So we pad the packet until absolute offset 0x08b3 and place 00 there. Then the compressed qname parses successfully, the raw byte check passes, and the resolver returns the TXT answer.

The remaining fields are normal DNS question fields:

• QTYPE = TXT (16), because the server rejects any other query type.
• QCLASS = IN (1).

Solution

...