Phone Switch Labs CTF – Walk-Through

By Red Siege | June 26, 2024

by Douglas Berdeaux, Senior Security Consultant

CTF

redsiege.com/phoneswitch

Getting Started

Phone phreaking is the practice of exploring and hacking telephones, telephone switches, telephone test equipment, and physically exploring the telephone system’s infrastructure, such as underground tunnels and rooms, dumpsters around or near phone switch or service provider buildings, and telephone junction boxes. The hackers of the phone system are referred to as “phone phreaks.” This form of hacking was popular from the early 1960s through the mid 2000s and was carried out using telephones, various homemade hardware devices, whistles and whistling, and even social engineering. Sadly, the phone phreaking days of old slowly came to a close, and this type of hacking became little more than stories of and from legends. The Phone Switch Labs capture the flag (CTF) offers younger red team members a chance to experience phone phreaking through simulation. Of the phone phreaking devices most commonly mentioned in today’s history articles on the subject, we will see, and actually get to use, two: a Red Box and a Blue Box.

Red Box

Red Boxes were used by phone phreaks to bypass authorization (monetary restrictions, i.e., toll fraud). They were commonly made from simple circuits, modified Radio Shack tone dialers, and later MP3 players loaded with recordings of the tones. They emitted chirps of tones that mimicked the tones a payphone used to signal to the phone service provider that the caller had deposited a coin. Each chirp is a mixture of two sine waves, 2200 Hz and 1700 Hz, played with very specific timing:

  • 66 ms for a U.S. nickel ($0.05)

  • Two bursts of 66 ms with a 66 ms pause between them for a U.S. dime ($0.10)

  • Five bursts of 33 ms with 33 ms pauses between them for a U.S. quarter ($0.25)

The back-end service that listened for these tones was the Automated Coin Toll System (ACTS).
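As an added example (not code from the CTF or from Red Siege), the following Python script builds the coin chirps from the timings above and, on the ACTS side, recognises them: the Goertzel algorithm measures the 2200 Hz and 1700 Hz energy in 10 ms frames, consecutive tone frames are grouped into bursts, and the burst count and length are matched back to a coin. The sample rate, frame size, guard silence and the 15 ms timing tolerance are my own choices; the chirp frequencies and coin timings are the ones stated in the post.

```python
"""ACTS-style coin chirp generator and detector: the Red Box side (make the
tones) and the ACTS side (recognise them). Added example, constructed for
illustration; not code from the Phone Switch Labs CTF or from Red Siege."""
import math

SAMPLE_RATE = 8000              # telephone-band audio, 8 kHz (assumed)
TONE_FREQS = (2200.0, 1700.0)   # the two sine waves mixed into every coin chirp

# Coin signalling as described in the post: (burst_ms, pause_ms, number_of_bursts).
COIN_TIMING = {
    "nickel":  (66, 66, 1),
    "dime":    (66, 66, 2),
    "quarter": (33, 33, 5),
}


def _ms_to_samples(ms, fs=SAMPLE_RATE):
    return int(round(ms * fs / 1000.0))


def acts_tone(coin, fs=SAMPLE_RATE, guard_ms=50):
    """PCM float samples (-1..1) for one coin deposit, padded with silence
    so the detector sees clean burst edges."""
    burst_ms, pause_ms, count = COIN_TIMING[coin]
    guard = [0.0] * _ms_to_samples(guard_ms, fs)
    samples = list(guard)
    for i in range(count):
        start = len(samples)   # absolute sample index keeps the phase continuous
        for j in range(_ms_to_samples(burst_ms, fs)):
            t = (start + j) / fs
            samples.append(sum(0.5 * math.sin(2 * math.pi * f * t) for f in TONE_FREQS))
        if i < count - 1:
            samples.extend([0.0] * _ms_to_samples(pause_ms, fs))
    samples.extend(guard)
    return samples


def goertzel_power(frame, freq, fs=SAMPLE_RATE):
    """|X[k]|^2 of `frame` at `freq` via the Goertzel algorithm (one DFT bin).
    With 10 ms frames at 8 kHz, 2200 Hz and 1700 Hz land on exact bins."""
    n = len(frame)
    k = round(n * freq / fs)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in frame:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def tone_present(frame, fs=SAMPLE_RATE, ratio=0.3):
    """True when both ACTS frequencies dominate the frame. For a frame that is
    entirely chirp, each bin holds about half of sum(x^2) * n / 2, so a 0.3
    threshold means most of the frame must carry the chirp; silence and a
    single tone on its own fail the test."""
    energy = sum(x * x for x in frame)
    if energy < 1e-9:
        return False
    scale = energy * len(frame) / 2.0
    return all(goertzel_power(frame, f, fs) / scale >= ratio for f in TONE_FREQS)


def classify_acts(samples, fs=SAMPLE_RATE, frame_ms=10, tolerance_ms=15):
    """Slice audio into frames, collect tone bursts and match the burst count
    and length against the coin table. Returns (coin or None, [burst ms])."""
    n = _ms_to_samples(frame_ms, fs)
    flags = [tone_present(samples[i:i + n], fs)
             for i in range(0, len(samples) - n + 1, n)]
    bursts, run = [], 0
    for on in flags + [False]:          # trailing False flushes the last burst
        if on:
            run += 1
        elif run:
            bursts.append(run * frame_ms)
            run = 0
    for coin, (burst_ms, _pause, count) in COIN_TIMING.items():
        if len(bursts) == count and all(abs(b - burst_ms) <= tolerance_ms for b in bursts):
            return coin, bursts
    return None, bursts


if __name__ == "__main__":
    for coin in COIN_TIMING:
        print(coin, "->", classify_acts(acts_tone(coin)))
```

Running the script prints each coin with the burst lengths the detector measured. Silence, a 2200 Hz tone on its own, or a burst pattern that matches no row of the table is rejected, which is the kind of validation the listening service needs before crediting a coin.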

Blue Box

The Blue Box, on the other hand, was a device that let phone phreaks talk directly to the back-end phone switching equipment by mimicking the audible tones that Bell Labs put in place in the mid to late 1940s to help automate the network. These tones controlled the entire phone system and were essentially the protocol language of the phone switching network. Each digit consisted of two sine wave tones played simultaneously, the combination being referred to as Multi-Frequency (MF) tones. The concept is not unlike the Dual Tone Multi-Frequency (DTMF) tones we hear in today’s phones when we dial a digit, albeit with a different set of frequencies. The MF frequencies include, but are not limited to, the following:

2600 Hz

There is one more frequency that is arguably the most important. It is the frequency sent by a subscriber’s telephone to the back-end phone switch to signal that a trunk (phone line) is idle (the phone is on the hook switch). This is the somewhat infamous 2600 Hz single-frequency tone. In November of 1960, Ralph Barclay read an article published in the Bell System Technical Journal titled “Signaling Systems for Control of Telephone Switching.” The article contained enough information for Ralph to identify a few key vulnerabilities:

  • the local switch is responsible for billing the initial call

  • the frequencies of tones used to control the phone network

  • the remote switch accepts the tones used to control the phone switches and equipment even when the caller sends them through the mouthpiece, because control signals and voice share the same channel, a design called “in-band signaling.”

To Ralph in Washington state, this information meant that he could dial a free number, such as Directory Assistance in another state (let’s use NY as an example). Once the trunk was connected (ringing), Ralph could briefly send the 2600 Hz tone through the telephone receiver’s mouthpiece to the remote switch in NY. The NY switch would think that Ralph no longer wanted to talk to Directory Assistance and had hung up. Here’s the catch: since Ralph only briefly sent the tone, the NY switch would then think that he had picked the receiver back up. This time Ralph would dial a non-free number by sending the MF tone digits of the recipient through the mouthpiece directly to the switch in NY, and the NY switch would happily make the connection. All the while, the local switch responsible for billing Ralph for the call, back in WA, still thought that he was talking to the Directory Assistance operator in NY. Ralph took this information and built the very first Blue Box.
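To make the billing-versus-routing split concrete, here is an added toy model in Python (not code from the post, and not a description of any real switch’s logic). It assumes two switch objects: a local one that only holds the billing record, and a remote one that, under in-band signalling, treats a 2600 Hz wink on the voice path as on-hook/off-hook and accepts MF digits afterwards. The phone numbers are constructed placeholders, and the MF digits are passed as a string rather than as tones. Flipping in_band to False models an out-of-band design, where the voice path carries no control meaning, which is the change that eventually closed this class of flaw.

```python
"""Toy model of the in-band signalling flaw described above. Added example,
constructed for illustration; not code from the post or from any switch."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SUPERVISION_HZ = 2600                # single-frequency "trunk idle" tone
DIRECTORY_ASSISTANCE = "555-1212"    # constructed stand-in for the free number
TOLL_NUMBER = "212-555-0100"         # constructed stand-in for the paid number

# An event on the voice path: ("tone", frequency_hz) or ("mf", dialed_digits).
Event = Tuple[str, object]


@dataclass
class LocalSwitch:
    """The caller's own switch. It set up the trunk and bills the call to the
    number originally dialed; it never inspects what travels on the trunk."""
    billed_number: Optional[str] = None

    def setup(self, dialed: str) -> None:
        self.billed_number = dialed


@dataclass
class RemoteSwitch:
    """The far-end switch. With in-band signalling, supervision and routing
    control arrive on the same channel as the caller's voice, so a tone from
    the mouthpiece is indistinguishable from one the trunk itself would carry."""
    in_band: bool = True
    connected_to: Optional[str] = None
    awaiting_digits: bool = False
    audit: List[str] = field(default_factory=list)

    def seize(self, dialed: str) -> None:
        self.connected_to = dialed
        self.awaiting_digits = False

    def on_voice_path(self, event: Event) -> None:
        kind, payload = event
        if not self.in_band:
            # Out-of-band design: the voice path carries no control meaning,
            # so anything that looks like signalling is logged and dropped.
            self.audit.append(f"ignored voice-path {kind} {payload}")
            return
        if kind == "tone" and payload == SUPERVISION_HZ:
            # A brief 2600 Hz wink: the switch believes the far party went
            # on-hook and came back off-hook, releases the call and waits
            # for a new routing request.
            self.connected_to = None
            self.awaiting_digits = True
            self.audit.append("trunk idle -> seized, awaiting MF digits")
        elif kind == "mf" and self.awaiting_digits:
            self.connected_to = str(payload)
            self.awaiting_digits = False
            self.audit.append(f"routed to {payload}")


def place_call(dialed: str, voice_path: List[Event], in_band: bool = True) -> dict:
    """Run one call through both switches and report where the billing record
    and the actual connection ended up."""
    local, remote = LocalSwitch(), RemoteSwitch(in_band=in_band)
    local.setup(dialed)
    remote.seize(dialed)
    for event in voice_path:
        remote.on_voice_path(event)
    return {"billed_number": local.billed_number,
            "connected_to": remote.connected_to,
            "audit": remote.audit}


def billing_mismatch(result: dict) -> bool:
    """The condition an auditor would flag: the number billed for is not the
    number actually connected."""
    return (result["connected_to"] is not None
            and result["connected_to"] != result["billed_number"])


# The sequence from the story above: a wink of 2600 Hz, then MF digits.
BLUE_BOX_SEQUENCE: List[Event] = [("tone", SUPERVISION_HZ), ("mf", TOLL_NUMBER)]

if __name__ == "__main__":
    for in_band in (True, False):
        r = place_call(DIRECTORY_ASSISTANCE, BLUE_BOX_SEQUENCE, in_band=in_band)
        print("in-band" if in_band else "out-of-band", r, "mismatch:", billing_mismatch(r))
```

The root cause the model exposes is that the local switch (the billing authority) and the remote switch (the routing authority) trust two different signals: the local one trusts its own subscriber loop, the remote one trusts whatever arrives on the trunk. Under in-band signalling the caller controls the second signal, so the two records diverge; under out-of-band signalling the audit log records the attempt and the records stay consistent.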

Phone phreaking was far more than just getting free calls, and it meant something different to everyone. Once the details of the vulnerabilities that Ralph identified in November of 1960 spread, curious individuals began designing their own Blue Boxes and carrying out unauthorized assumed-breach assessments of Ma Bell’s worldwide phone network, as if it were a free-for-all playground.

CTF Walk-Through Write Up

The Phone Switch Labs CTF will allow you to perform the following phone phreaking techniques right from the comfort of your computer:

  • Red Boxing

  • Blue Boxing

  • Dumpster Diving

  • Unauthorized Phone Test Equipment Access

  • War dialing

 

Enumeration

As we begin, we are only given a domain name. When we port scan it, we see two open ports: 2600 (HTTP) and 412 (SSH). When we browse to port 2600 in a web browser, we see a message board written by the phone company, Phone Switch Labs. Next, we will enumerate the web server using a tool like Wfuzz, but first we will compile our own word list unique to the target. We can create the word list with any web scraping tool, such as CeWL. Finally, we enumerate files and folders on the server using this new word list. The enumeration needs to run recursively and try various file extensions; since we identified the Phone Switch Labs server as Apache2, we will try .php first.

Once this task is completed, we should have identified the following URLs:

  • /payphone

  • /payphone/payphone.php

  • /dumpster

If we browse to the /dumpster URL, we should see a list of PDF files. These files are security documents that were discarded by the phone company and contain information on how to use Red Boxes and Blue Boxes to circumvent authorization and hack the phone company network. Read these carefully to understand how to operate the two boxes. We also see that one of the files contains a list of phone numbers, as shown in Figure 1 below. Congratulations if this was your first time dumpster diving for telephone manuals and documents.

Figure 1. List of Phone Numbers

 

The list of phone numbers is vital because we now have targets to approach. To call the numbers, we need a phone, and luckily we already enumerated the /payphone/payphone.php URL. When browsing to this URL, we are presented with a payphone, as shown in Figure 2. In the figure, I have pointed out that there are two phone phreaking boxes available to us: the Blue Box on the left side and the Red Box on the right side.

 

Figure 2. Phone Switch Labs’ Payphone Interface

Red Boxing

If we dial any non-toll-free number, we will be asked to pay. Luckily, we should have enough information from dumpster diving to know that we can simply press the star (*) button on the Red Box to deposit a nickel. This was an actual hurdle for phone phreaks who did not have programmable tone dialers from Radio Shack: we would replace the crystal on our tone dialer’s circuit board with a 6.5536 MHz oscillator, which changed the star tones into ACTS nickel tones. So, yeah, we had to press that button over and over until ACTS was happy. Congratulations if this was your first time committing toll fraud ;).

 

DATU Access

One of the numbers listed is a Direct Access Test Unit (DATU), a network and operating support system device. When dialed, the call terminates at the DATU located in the central office switch, which presents the CTF player with a list of menu options. One of the options displays base64 text that we can decode to reveal a password, as shown in Figure 2 below. It is encoded because, in the real world, the DATU’s audio monitor produced scrambled voices if the subscriber line was in use. Now we have a technician’s password, so let’s try to find a technician’s username to test the SSH service we discovered on port 412.

 

Figure 2. DATU Audio Monitor Produced Garbled Sound, When Decoded We See Credentials

 

Blue Boxing

To obtain a username, we will need to use the Blue Box to seize a trunk and dial inward operator numbers using MF tones. If we look closely at the “Lineman’s Handy Directory” PDF file, we should have enough information to deduce that the Livengood, AK switch may be vulnerable to our Blue Box. All we have to do next is dial any 1-907-295-XXXX phone number and, once the line starts ringing, send the 2600 Hz tone down the line using the Blue Box. Fun fact: I actually wrote some JavaScript that allows testers to use the microphone of their computer with a real Blue Box or Cap’n Crunch Bo’sun whistle to seize the trunk, as shown in the demonstration in Video 1 below:

 

We will see on the menu (or hear, depending on your browser settings) a message stating that the trunk has been “seized” and is awaiting input. Here’s where the Blue Box comes in. Dial the numbers listed on the Lineman’s Handy Directory sheet using the Blue Box until we identify the username jeredm. We now have credentials to SSH to the Phone Switch Labs server on port 412, where we will find the user.flag file in Jered’s home directory, as shown in Figure 3. Congratulations if this was your first time Blue Boxing.

Figure 3. Initial Foothold and User Flag Obtained

 

War Dialing

War dialing is a form of brute force in which a phone phreak dials every number in a range in search of interesting numbers. The next step should be obvious: privilege escalation. The jeredm account is the only account allowed to SSH to the Phone Switch Labs server. If we check the /etc/passwd file, we see multiple non-standard users, including:

  • Jeredm

  • Linesman

  • SwitchOperator

We will also see that Jeredm has no sudo access on the server. At this point, we could upload LinPEAS and check for files and permissions of interest for privilege escalation. But if we closely review the numbers listed under “MF Calls Livengood Switch” in the Lineman’s Handy Directory, we will notice one labeled “LG LINEMAN’S FORGOT PASSWORD” with three missing digits denoted by question marks. So, let’s brute force (war dial) those three digits using a tool like Wfuzz.

Let’s begin by making a list of numbers in the format XXX, ranging from 000 to 999, and use it with Wfuzz to obtain the forgot-password number, as shown in Figure 4.

Figure 4. Generating a Word list and War Dialing

We see a new number not listed in our Lineman’s Handy Directory, as outlined in the screenshot. If we call into the Livengood switch, seize the trunk, and Blue Box that number, we will see a base64-encoded string that contains the password for Linesman, shown in Figure 5. Congratulations if this was your first time war dialing.

Figure 5. Obtaining Linesman’s Linux Password

 

Privilege Escalation

With the foothold as Jeredm and the Linesman’s password, we can use the su command to become Linesman and check what kind of sudo access we have, which turns out to be /etc/init.d/switch. We also see a notes.txt file that contains information to assist us in exploiting the switch service binary. In Jeredm’s home directory, edit the switch.conf file’s USER value to “switchoperator” as outlined in Figure 6:

Figure 6. Editing Jeredm’s Switch.conf File

 

Now we can run /etc/init.d/switch restart as Linesman to get dropped into a SwitchOperator user shell. SwitchOperator has permission to read all of the web application files located in the default Apache2 web root, /var/www/html. One of these files contains an MD5 hash of the password for SwitchOperator. We can either crack this MD5 hash with rockyou.txt or use an online MD5 cracking site to get the plaintext password.

If we execute sudo -l with this new password as SwitchOperator, we see that we can now become root with sudo su. The root.flag file is located in the /root directory.

 

Hanging It Up

Phone Switch Labs is my very first official CTF that I designed for an employer. I decided early on in the brainstorming process to fill it chock-full of Easter eggs and make it entry-level difficulty to ensure that more people in, or interested in, cybersecurity would be exposed to Phone Phreaking history and concepts through real-world simulation of the techniques and tools used by the legends that came before us. It’s not my first phone phreaking simulation, BTW. Phone Phreaking has always been a truly fascinating subject to me and one of the few reasons why I am in cybersecurity today. Every now and again, I find myself going back to phone phreaking media, like old issues of 2600 and Blacklist 411, Evan Doorbell’s Phone Tapes, archived Binary Revolution forum posts, old recordings of Doug TV and Default Radio, and even Bell Labs Technical Journals when I need a boost of nostalgia and inspiration. Phone Switch Labs is my thank you and love letter to one of the most intriguing eras of hacking.


About Douglas Berdeaux, Senior Security Consultant

Douglas was a manager of a Red Team for a consulting company and has performed penetration testing for clients with high security maturity on internal networks, internal and externally facing web applications, and desktop applications. Douglas was a full-stack enterprise-class web developer for close to a decade building, securing, and testing the security of business-critical web and mobile applications. He has taught cybersecurity as an adjunct professor for Duquesne University and has published multiple books and articles about penetration testing, hardware hacking, and programming.

Certifications:

OSWP, OSCP
