Threat Hunter Olympics: Solution #5
Event #5: Soohorang Looks to the Future
The Winter Olympics are a wonderful display of athletic prowess and teamwork, and nobody is prouder than Pyeongchang 2018’s mascot Soohorang! Of course, all good things must come to an end. Soohorang knows it will soon be time to pass the torch on to Beijing at a date already set in four years! Let’s take a moment to reminisce about the games and dream about what the future has in store!
Soohorang Looks to the Future was a lot of fun to create. Despite the challenge description being a mere paragraph in length, it is chock full of hints to help you along the path. Since the size of the PCAP is reasonably small (but still too large to explore completely manually), the first thing I do to get my bearings is look at the DNS requests that are happening. Pretty quickly, it becomes clear that there is a lot of traffic associated with Pyeongchang, the Olympics in general and the upcoming Beijing 2022 Olympics.
Given that the hints in the puzzle description mention all these things, this is a good place to start. By looking around these sessions (within the larger PCAP), it’s clear to see that a fair amount of communication is occurring with the current Olympics pages; however, that traffic is encrypted. Continuing through the list of interesting DNS queries and associated communications, we come across HTTP traffic to the Beijing 2022 Winter Olympics.
Because we now know that this data is in plaintext, we can check out the HTTP requests directly. Doing so shows that there were a lot of visits to the various Olympics years.
Looking at the sessions in the PCAP, we see that these are all tightly coupled and seem to be incremental in order by date.
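The DNS and HTTP triage described above can be scripted so the same pass works on any capture. The following is an added example, not code from the original write-up or from Awake: a standard-library-only PCAP reader that pulls DNS query names and plaintext HTTP request lines out of a capture and groups them by keyword. The capture it reads is constructed inline (hypothetical `.example` hosts and paths), so it runs offline and is not the challenge PCAP.

```python
"""Triage a PCAP by plaintext indicators: DNS query names and HTTP request lines.

Pure standard library; the capture is constructed inline (sample data with
hypothetical hosts, not the challenge PCAP)."""
import struct
from collections import defaultdict

# ---- build a tiny capture: Ethernet / IPv4 / (UDP DNS | TCP HTTP) ----

def _eth_ip(proto, payload, src=b"\x0a\x00\x00\x05", dst=b"\x0a\x00\x00\x01"):
    # Minimal IPv4 header (checksum left 0; we only parse, never send)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src, dst)
    eth = b"\x00" * 12 + b"\x08\x00"  # zero MACs, EtherType IPv4
    return eth + ip + payload

def _dns_query(name):
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0) + dns
    return _eth_ip(17, udp)

def _http_get(host, path):
    body = f"GET {path} HTTP/1.1\r\nHost: {host}\r\n\r\n".encode()
    tcp = struct.pack("!HHIIBBHHH", 40001, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + body
    return _eth_ip(6, tcp)

def build_pcap(frames):
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # little-endian, Ethernet
    out = [hdr]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1518000000 + i, 0, len(f), len(f)) + f)
    return b"".join(out)

# Constructed sample traffic (hypothetical hosts)
SAMPLE_PCAP = build_pcap([
    _dns_query("pyeongchang2018.example"),
    _dns_query("cdn.example"),
    _dns_query("beijing2022.example"),
    _http_get("pyeongchang2018.example", "/results.html"),
    _http_get("beijing2022.example", "/venues/curling.html"),
])

# ---- parsing ----

def _parse_qname(data, off):
    labels = []
    while True:
        n = data[off]
        if n == 0 or n & 0xC0:  # end of name, or a compression pointer (not used in queries)
            break
        labels.append(data[off + 1:off + 1 + n].decode("ascii", "replace"))
        off += 1 + n
    return ".".join(labels)

def iter_frames(pcap):
    endian = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        off += 16
        yield pcap[off:off + incl]
        off += incl

def extract_indicators(pcap):
    """Return ('dns', qname) and ('http', host, path) tuples in capture order."""
    found = []
    for frame in iter_frames(pcap):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue
        ihl = (frame[14] & 0x0F) * 4
        proto = frame[23]
        l4 = frame[14 + ihl:]
        if proto == 17 and struct.unpack("!H", l4[2:4])[0] == 53:
            found.append(("dns", _parse_qname(l4, 8 + 12)))  # UDP header + DNS header
        elif proto == 6:
            payload = l4[(l4[12] >> 4) * 4:]
            if payload[:4] in (b"GET ", b"POST", b"HEAD"):
                lines = payload.split(b"\r\n")
                path = lines[0].split(b" ")[1].decode("ascii", "replace")
                host = next((l[6:].decode("ascii", "replace")
                             for l in lines[1:] if l.lower().startswith(b"host: ")), "?")
                found.append(("http", host, path))
    return found

def keyword_hits(indicators, keywords):
    """Group indicators by which keyword appears in the queried name or HTTP host."""
    hits = defaultdict(list)
    for ind in indicators:
        for kw in keywords:
            if kw in ind[1].lower():
                hits[kw].append(ind)
    return dict(hits)

if __name__ == "__main__":
    for kw, inds in keyword_hits(extract_indicators(SAMPLE_PCAP),
                                 ["pyeongchang2018", "beijing2022"]).items():
        print(kw, inds)
```

On a real capture, replace `SAMPLE_PCAP` with the file contents; the same DNS-first, then plaintext-HTTP ordering is what narrows a large PCAP to the few sessions worth reading by hand.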
Interestingly, soon after the HTTP traffic, there is a flurry of SMB activity between the source computer and another local system. Turning attention to that shows that the user authenticating is soohorang!
Digging deeper into the SMB traffic shows that this is definitely relevant, as there are a number of HTML files related to the Olympics that are being saved to and viewed from soohorang’s share.
However, upon careful analysis, there is one file that is not an HTML file, despite the same naming scheme as the others:
Since Wireshark is smart enough to recognize files transferred via SMB, the next step is to extract these files and figure out why the curling file has a .7z extension!
Analysis via the OS X built-in file command shows that it is, in fact, a 7-zip archive file. However, attempting to extract it shows that we need a password.
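Two checks from the steps above (the odd extension among the extracted files, and confirming the real type the way `file` does) can be automated over a directory of carved SMB files. This is an added example, not code from the write-up: it classifies each file by its leading magic bytes (7z, zip, PNG, PDF, HTML) and reports both files whose extension is unusual for the set and files whose extension disagrees with their content. The file contents are constructed sample data, not the challenge files.

```python
"""Flag extension outliers and extension/magic mismatches among extracted files."""
from collections import Counter

# Leading byte signatures (7z is 37 7A BC AF 27 1C)
MAGIC = [
    (b"7z\xbc\xaf\x27\x1c", "7z"),
    (b"PK\x03\x04", "zip"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"%PDF-", "pdf"),
]
HTML_PREFIXES = (b"<!doctype html", b"<html")

def identify(data):
    """Return a type label from content only, ignoring the file name."""
    for sig, kind in MAGIC:
        if data.startswith(sig):
            return kind
    if data.lstrip()[:14].lower().startswith(HTML_PREFIXES):
        return "html"
    return "unknown"

def extension(name):
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def triage_files(files):
    """files: {name: bytes}. Returns outliers by extension and content mismatches."""
    exts = Counter(extension(n) for n in files)
    majority = exts.most_common(1)[0][0]
    outliers = sorted(n for n in files if extension(n) != majority)
    mismatches = sorted((n, extension(n), identify(d))
                        for n, d in files.items()
                        if identify(d) != "unknown" and identify(d) != extension(n))
    return {"extension_outliers": outliers, "magic_mismatches": mismatches}

# Constructed sample files (hypothetical names and contents)
SAMPLE_FILES = {
    "skating.html": b"<!DOCTYPE html><html><body>skating</body></html>",
    "luge.html": b"  <html><body>luge</body></html>",
    "curling.7z": b"7z\xbc\xaf\x27\x1c\x00\x04" + b"\x00" * 24,
    "hockey.html": b"7z\xbc\xaf\x27\x1c\x00\x04" + b"\x00" * 24,  # archive hiding behind .html
}

if __name__ == "__main__":
    print(triage_files(SAMPLE_FILES))
```

The second list is the more useful one in practice: a file whose name blends in but whose content is an archive or executable is exactly what a naming scheme like the one above can hide, and `identify` catches it regardless of extension.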
Thinking back to how we’ve gotten here, we have focused on traffic associated with the Winter Olympics—and specifically the hints (and the traffic itself) have led us to more and more recent games. At this point, we also know that the next Winter Olympics are of interest to Soohorang, especially thanks to the hints in the challenge description. Did you find it a little specific that we mentioned “at a date already set in four years?” Looking for a date four years from now (via Wireshark’s find capability) turns up some promising info:
That date, when entered in the form mmddyyyy (02042022) is the password for the 7-zip archive! Opening it in any browser will show the following message:
From there, putting all of the pieces together will give us the entry point to the final puzzle!
As the message above implies though, there is yet another obstacle to cross. Fortunately, there are clues within the message. Going back to the original puzzle (Basically Amazing) and pulling the credentials used as the answer (sschmirler:U0V49NE39SOLJ6I4) will authenticate you to the final challenge directory.
Awake to the Rescue
Teamwork Makes the Dream Work and Soohorang Looks to the Future were actually both created on the same device, and the Awake platform was intelligent enough to stitch them together. Below we see Awake’s EntityIQ identifies the authentication that happens by user soohorang on the device named desktop-3rvcgp2, which we needed for the latter challenge. Additionally, Awake found the existence of TeamViewer to be notable for this device, and directly pulled out the ID we needed to solve the former challenge!
When we zoom back out to a view of multiple devices, we can see that the most notable artifacts associated with this device are actually the SMB communications.
From there, it’s one click to pivot into the activities and dig into the content of each packet. While we had to dig a little deeper to find the final answer, we quickly find that the 7-zip file differs from the others.
Stay tuned for the sixth and final challenge from the 2018 Awake Threat Hunter Olympics, which will be posted here soon.
Principal Threat Researcher