By Troy Kent
Threat Researcher
Drumroll for the Threat Hunter Olympics please …

Here it is, the moment you’ve all been waiting for—the medal ceremony and a recap of our 2018 Awake Threat Hunter Olympics! We hope you enjoyed solving the challenges as much as we did making them!

As you know, there were five initial puzzles—one for each Olympic ring—that mixed Olympics trivia and concepts with some serious network analytics. The challenges were meant to increase in difficulty as you moved along, and we more or less saw that based on time to solve and number of hints needed. Once the five independent puzzles were solved, there was a hidden sixth puzzle! While nobody solved that puzzle in its entirety, there were a couple of participants who got very close.

With that, the podium:

  1. John Lampe
  2. Andy Hagar
  3. Ryan Nelson

Congratulations to all competitors, and especially to the winners!

But of course, you want to know the answers, right? Fortunately, our team has carved out a bit of time to provide a thorough write-up of each challenge. We will do these one at a time over the space of the next few weeks, starting with the first puzzle today. Check it out and feel free to send us any questions!

Event #1: Basically Amazing

One of our favorite events in the Winter Olympics is the Bonspiel. There’s nothing more exhilarating than watching delivery after delivery, hoping no one burns a rock while they hurry hard shooting for that eight-ender! I got so excited after watching a hammer slide across the sheet and stop on the button that last time I tried to rush the rink; unfortunately, they told me I was not authorized. If you find someone who is, then you’ve solved this challenge. So, strap on your curling shoes and place your slider firmly on the hack as you prepare to apply just enough weight to solve this challenge!

Hints

While I had a lot of fun creating the narrative for this challenge by using my newly learned curling lingo, there were also direct hints to what you should be looking for in the PCAP. The most important bits were these two sentences:

I got so excited after watching a hammer slide across the sheet and stop on the button that last time I tried to rush the rink; unfortunately, they told me I was not authorized.

If you find someone who is, then you’ve solved this challenge.

I imagine it was obvious that I didn’t actually rush the rink. I mentioned that when I performed my hypothetical rink rush, I was not authorized. That seems like an odd, very specific word choice. I then fairly directly pointed out that if you found someone who was authorized, you would have solved the challenge. Before even looking at the PCAP, you may have already guessed that the traffic within would have something to do with credentials.

The PCAP

Once you open up the PCAP you should immediately see that it consists of at least HTTP and TLS traffic.

wireshark pcap puzzle #1

You may have noticed the domain is a nod to the curling theme I adopted for this challenge 😉.

First thing I usually do when analyzing a PCAP of HTTP traffic is take a look at the contents.

wireshark pcap analysis puzzle 1 view http contents

One thing that might stand out is that the requests carry HTTP Basic Authorization headers, so it might be useful to decode the Base64-encoded username/password.

Looking back at the HTTP response, you’ll see that the HTTP GET request is met with a 301 redirect. Specifically, the request is being redirected to the same page, over HTTPS. This is something that you would see in legitimate network traffic if the website directs all HTTP traffic (or specific pages) to be encrypted. To verify that 301 is the only response code, we can either sort by the ‘Info’ column in Wireshark, or run the following in CLI land:

You may also notice the user agent is “curl/7.43.0”, which was certainly, purposely, a pun ;). There are a couple more Easter eggs hidden in the PCAP—do you know what they are? (more on this later)

Now that we know that the HTTP traffic is being redirected to HTTPS, how are we going to find which of the attempted logins is successful?

http 200 ok meme

Ok Boromir, then how do we tell which request was authenticated when all the responses (following the 301 redirects) are encrypted? Let’s continue looking at the PCAP to find out.

One thing we can do is look at all the different basic auth combinations; perhaps all but the correct ones are identical. The easiest way to do this in Wireshark (in my opinion) is to add the decoded credentials as their own column (yes, Wireshark decodes Basic Auth creds for you!).

wireshark pcap analysis puzzle 1 decode basic auth


Of course, you could also go the GUI-less route with tshark:

Well, it doesn’t look like there’s anything that sticks out that well. There are a few user names that you see more than once with different passwords, but there are plenty that are only used once…so there isn’t a pattern there. By the way, where did I get all those names anyway? They’re probably just random names plucked out of the sky…right? (More on that later too.)

At this point, there are a couple of ways we can solve this puzzle (and we’re almost there, I promise!). I’m very curious to see how others moved forward from this point. The basic (hee hee) idea here was that I wanted you to recognize that if one of the username/password combinations were successful and all of the others weren’t, then the amount of content sent back in the HTTP response would be larger (or at least different) for the successful login. Each of the unsuccessful attempts is met with a 401 response (which of course you don’t see because it’s encrypted). The successful login would be met with a different page (whatever is sitting at awakecurling.team’s root directory).

Now we know that we’re looking for an HTTP request that’s followed by a different amount of encrypted data than all the other requests. The simplest and least sophisticated way (maybe) to find this could be to just scroll through the PCAP until you notice an amount of TLS traffic that is different from all the others. This is probably most evident while looking at the summary visualization adjacent to the scroll bar.

wireshark pcap analysis puzzle 1 tls traffic size

Another, probably more sensible, way to find the outlier is to look at the ‘Destinations and Ports’ under the ‘Statistics’ menu, and then sort by either percent or count.

wireshark pcap analysis puzzle 1 tls destinations and ports


As you can see, TCP port 52216 has a higher count and percentage than the other ephemeral destination ports. So, go ahead and plug that in as a filter:

wireshark pcap analysis puzzle 1 tls port filter

Click on the first frame, remove the filter and then what do you see?

wireshark pcap analysis puzzle 1 decoded credentials

sschmirler:U0V49NE39SOLJ6I4
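
The size-based approach described above, written out as an added example (not code from the original post or from Awake): it totals the server-to-client TLS bytes per client port, flags the flow whose total differs from the usual one, and pairs it with the cleartext Basic auth request seen just before that flow began. The records, ports, credentials and function names below are constructed for illustration and are not taken from the challenge PCAP.

```python
import base64
from collections import Counter

def basic_header(user, password):
    """Build an Authorization value (helper for the constructed sample data)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def decode_basic(header):
    """Return (user, password) from an 'Authorization: Basic <b64>' value."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    decoded = base64.b64decode(token.strip()).decode("utf-8")
    user, _, password = decoded.partition(":")  # a password may itself contain ':'
    return user, password

def find_outliers(requests, segments, tolerance=0):
    """Flag TLS flows whose server-to-client byte total differs from the usual one."""
    # requests: (time, Authorization value) seen in cleartext on port 80
    # segments: (time, client_port, bytes_from_server) seen on port 443
    totals, started = Counter(), {}
    for ts, port, nbytes in segments:
        totals[port] += nbytes
        started[port] = min(ts, started.get(port, ts))
    if not totals: return []
    typical = Counter(totals.values()).most_common(1)[0][0]  # size of a failed login
    hits = []
    for port, total in sorted(totals.items()):
        if abs(total - typical) <= tolerance:  # allow small jitter in real captures
            continue
        # Pair the flow with the last cleartext request seen before it began.
        earlier = [r for r in requests if r[0] <= started[port]]
        creds = decode_basic(max(earlier, key=lambda r: r[0])[1]) if earlier else None
        hits.append((port, total, creds))
    return hits

# Constructed sample data: four login attempts, one answered with a larger page.
REQUESTS = [(1.0, basic_header("user1", "guess-one")),
            (2.0, basic_header("user2", "guess-two")),
            (3.0, basic_header("user3", "right-one")),
            (4.0, basic_header("user4", "guess-four"))]
SEGMENTS = [(1.1, 50001, 1400), (1.2, 50001, 600),
            (2.1, 50002, 1400), (2.2, 50002, 600),
            (3.1, 50003, 1400), (3.2, 50003, 1400), (3.3, 50003, 900),
            (4.1, 50004, 1400), (4.2, 50004, 600)]

if __name__ == "__main__":
    for port, total, creds in find_outliers(REQUESTS, SEGMENTS):
        print(f"client port {port}: {total} bytes from server, preceded by {creds}")
```

The same observation cuts the other way for defenders: TLS hides the 401 versus 200 status, but not the response size, and the credentials were already exposed in the cleartext request that preceded the redirect.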

Bonus

So now you’ve solved the challenge, but did you notice the Easter eggs I threw in just for fun?

Source and Destination IPs
There are only two IP addresses in the entire PCAP: 10.18.2.9 and 10.18.2.25. It’s subtle, but do you see it? The dates of this year’s Winter Olympics were 2/9 – 2/25, and what’s the year? 2018. Hence both of the IPs being in the 10.18.0.0/16 subnet, and then the last two octets of each being the start and end dates. I could have made the IPs part of the 20.0.0.0/8, but I thought it might be too distracting if I used IP addresses that are typically not used internally.

The TLS Cert
If you look at the Certificate information in the Server Hello message, you may have noticed some more references to the Winter Olympics—just not this Winter Olympics.

wireshark pcap analysis puzzle 1 tls certificate

The first Winter Olympics (in French: Les Iers Jeux olympiques d’hiver) was held in Chamonix, Auvergne-Rh, France. The organizational name is ‘Curling’ and the email address is [email protected]. ‘Wjackson’ is referring to William Kilgour “Willie” Jackson, the skip (aka captain) of the first Olympic gold medal winning team. His name is also in the list of users attempting to authenticate…perhaps there is a clue there?

The Users
Earlier I implied that there was some sort of method I used to create the user names for this challenge. If you look at the user names, you may notice that the last names of the individuals seem fairly eclectic. There’s a reason for that: they are the last names of real people from all over the planet. The user names are the first initials, followed by the last names, of Olympic medalists in curling. Of course, I didn’t include the medalists from 2018 since I created the challenge before this year’s Winter Olympics and haven’t quite figured out how to predict the future (but I’ll write another blog post when I do).

The Answer
I already included the first gold medalist in curling in the TLS Certificate. The username in the answer actually ‘belongs’ to another first in the sport. It may surprise you to learn that even though curling was included in the 1924 Winter Games in Chamonix, it was not included in the Olympics again until the 1998 Nagano Games. In 1924, the only sport in the Olympics with women participants was skating. Therefore, the first Olympic gold medal awarded to a woman in curling didn’t occur until 1998. 1998 was also the first year that a gold medal was awarded to women in ice hockey. “sschmirler”, the username in the answer to the challenge, refers to Sandra Marie Schmirler, the skip (aka captain) of the Canadian curling team that won the first gold medal in women’s curling.

Shameless Plug

In a separate post we show how quickly you can get to the answer with a solution like Awake.
