Objective 8: Network Traffic Forensics

In objective eight we need to find the name of the song described in the document sent from Holly Evergreen to Alabaster Snowball.

If we have completed Python Escape from LA Cranberry Pi terminal challenge by SugarPlum Mary, then we can get this hint.
“Yay, you did it! You escaped from the Python!
As a token of my gratitude, I would like to share a rumour I had heard about Santa’s new web-based packet analyser – Packalyzer (https://packalyzer.kringlecastle.com/).
Another elf told me that Packalyzer was rushed and deployed with development code sitting in the web root.
He found this out by looking at HTML comments left behind and was able to grab the server-side source code.
There was suspicious-looking development code using environment variables to store SSL keys and open up directories.
This elf then told me that manipulating values in the URL gave back weird and descriptive errors.
I’m hoping these errors can’t be used to compromise SSL on the website and steal logins.
On an unrelated note, have you seen the HTTP2 talk at KringleCon by the Chrises? I never knew HTTP2 was so different!”

Also, two hints link1 and link2.

So, let’s jump into this! Heading too https://packalyzer.kringlecastle.com/ we can see this website.

We have a login screen and a register link, let’s first register an account (before trying anything else, i.e. password spraying?)

So let’s try to login with the account created now, it worked! Now we can see this screen.

Let’s try and sniff some traffic and see what we get?

Well. I guess that has worked, and if we go to “Captures” we even have a .pcap file, let’s open it in Wireshark and see what we get here.

In Wireshark, this is what we can see here, so there are some encrypted captured packets. I bet there is an SSL key somewhere on the website to decrypt.

Going back to Packalyzer let’s see what files we can find here, using view-source within firefox we can view the HTML of the page.
Also, we can find this line of code.

…. Now, need to find the app.js file!

Well, I guess they haven’t made it easy to find for us.

let’s, do some more digging within the HTML page, and we can see this line of code.

So they keep all .js files in /pub/, which means.

Ummm, nope. Hang on.

Ah, here we go!

So the app.js is here (https://packalyzer.kringlecastle.com:80/pub/app.js)
And we can see this line of text “const key_log_path = ( !dev_mode || __dirname + process.env.DEV + process.env.SSLKEYLOGFILE )” That’s what we need a key to decrypt the encypted captured packets!
However, where is the key kept?

Scrolling down within the app.js file source code, we can see this line of code.

load_envs ()
creates each process.env as a subdirectory within this websites root folder!

So, this means for us we should be able to access this folder “DEV” at (https://packalyzer.kringlecastle.com/DEV/)

Cool! But we stil don’t have that damm Key! Grrr, But do you remember eariler in this line “const key_log_path = ( !dev_mode || __dirname + process.env.DEV + process.env.SSLKEYLOGFILE )”
Let’s try and goto (https://packalyzer.kringlecastle.com/SSLKEYLOGFILE/) and see what we get now?

Sweet! Now we know the name of the Key which we can find in /DEV/ so going too (https://packalyzer.kringlecastle.com/DEV/packalyzer_clientrandom_ssl.log) We can see our SSL key! Wooop!

Now let’s copy all of this (yes, all of this!) save it as key.txt

Next, let’s go back into Wireshark and load in that key.txt (Note, if you have closed Wireshark or no longer have the .pcap file, do another sniff in packalyzer)
To add the key.txt within Wireshark (first load the .pcap file) and then go to Edit – Preferences – Protocols – SSL and load the key.txt

Using the set Key, we have told Wireshark to use; the encrypted captured packets decrypt for us to view, using the filter “http2.data.data” we find what encrypted in a better view.

Interesting. Now we can decrypt the encrypted packets were able to see login’s that were made to packalyzer, earlier in this guide you could see we were not admin, I wonder if one of the users here is an admin?
We can see the name “alabaster”, and as we know Alabaster is Santa’s right-hand ma… Elf. So let’s try his login? (Sorry Alabaster!) “alabaster:[email protected]

Moreover, we’re now an admin! (Sorry again Alabaster!)

Also, if we look at the Captures tab, we can see one has already done, I wonder what super secret is here?

Opening the file “super_secret_packet_capture.pcap” we can see it’s SMTP traffic, in Wireshark let’s select one and “Follow – TCP Stream”, and it seems we have an email, could this be the code to unlock the piano door?

There is also an attachment within this email, let’s copy the whole BASE64 told from start to end.

So let’s save it to a file, we don’t know what sort of data this is it could be an mp3, pdf, doc, txt? So we save it without any extension.

Moreover, we can use Linux’s built-in BASE64 command line to decode the file (https://linux.die.net/man/1/base64)
Command: “base64 -d file > newfile” we can use the “file” to see what sort of file it is.

So it’s a PDF file!

Moreover, within the PDF file, we can find the following text “We’ve just taken Mary Had a Little Lamb from Bb to A!” So our answer is “Mary Had a Little Lamb.”

Could this be the door code to the piano lock?. Find out Soon.
(Spoiler: It’s not)


Leave a Comment

Your email address will not be published. Required fields are marked *