Blog Post

Threat Hunter Olympics: Solution #4

This is Part 4 of our series solving the puzzles from the 2018 Awake Threat Hunter Olympics challenges. For those of you that missed them here are the solutions for puzzle 1, puzzle 2 and puzzle 3.

Event #4: Teamwork Makes the Dream Work

Adrian and his friend Julia were really excited to go to the championship ice hockey game this year, but they ran into a bit of a snag. While they both got seats for some of the preliminary matches, only Julia was able to secure a spot at the championship. Fortunately for Adrian, Julia has a laptop with TeamViewer installed, and was able to get permission to stream the game to her friend. Adrian was really excited when he connected to Julia’s laptop just in time to view the game, but a few moments later the connection dropped. For this challenge, you’ll need to figure out Adrian’s TeamViewer ID so they can reconnect and not miss a moment of the action!

This puzzle revisited a favorite subject of ours—remote access programs. In this puzzle we explicitly called out TeamViewer as the program in use, and the challenge was to get hands on with the protocol and explore its network footprint. While we didn’t provide any additional hints in the challenge itself, a quick perusal around our blog would’ve brought you to a post written late last year focusing directly on TeamViewer.

Within that post, the basic TeamViewer script used as the starting point is shared, and the application’s network communications are verbosely discussed. That discussion directly explains the particular scenario presented in the challenge—a CMD_REQUESTCONNECT—in detail.

wireshark pcap analysis puzzle 4 teamviewer command format

Once the Lua script is imported into your Wireshark instance, it’s just a matter of finding the appropriate command and understanding which ID would correspond to Adrian’s (545265069).

wireshark pcap analysis puzzle 4 decoding teamviewer traffic with LUA

What if you had Awake?

Well its kind of like a hole in one! But since its so related to Part 5 we will cover it in our next post.

David Pearson
David Pearson

Principal Threat Researcher