By David Pearson
Principal Threat Researcher

This is Part 2 of our series solving the puzzles from the 2018 Awake Threat Hunter Olympics challenges. For those of you who missed Part 1, you can find it here and here.

Event #2: Dancing on Ice

There’s a lot to get excited about at the Winter Olympics. I personally find the figure skating competitions fascinating—the extensions and other unbelievable feats of strength and control displayed while on two thin, chrome-plated blades are awe-striking.

This challenge was inspired by some analysis we’d done of third-party extensions to the Chrome browser. The puzzle was set up to include a bunch of browser traffic (primarily via TLS) to various pages within the official Winter Olympics site. As you likely noted by the size of the packet capture (~90MB), the goal here was to make participants take a high-level approach to finding what was interesting inside. The joke about one’s head spinning when looking at too many packets was also meant to nudge you to a higher-level approach.

Starting with the overall traffic breakdown, you may have noticed that nearly all the communication is via TCP, and that of the application-layer communication, the majority is via SSL. However, there is a notably small amount of HTTP communication to catch your eye.

[Screenshot: Wireshark, HTTP traffic in the capture]

When changing the filter to look at only SSL or HTTP traffic, the conversations view is extremely helpful. Below, we’ve sorted by conversation starting time, which helps us to understand how different communications match temporally with one another. Interestingly, we see a big gap in starting time between the traffic going to akamaiedge[.]net (which is where the Olympics sites we are visiting are hosted) and the traffic that follows the Games. Taking a closer look at the traffic after the time gap, you’ll see that there is a small amount of HTTP traffic to a very interesting domain—pastebin[.]com!

[Screenshot: Wireshark, HTTP domains in the conversations view]

Filtering to this HTTP traffic shows some extremely interesting behavior—a POST using some sort of API.

[Screenshot: Wireshark, HTTP POST to the API]

Digging into this session shows that there’s actually data being transmitted in this POST, including a message to help solve the puzzle!

[Screenshot: Wireshark, message inside the HTTP POST]

However, the message is actually a hint to take a closer look at this session. Figuring out the name of the author that created this extension isn’t 100% straightforward, and requires more sleuthing. More thorough analysis of the session shows that there’s a Chrome extension being used to transmit the data!

[Screenshot: Wireshark, Chrome extension in the session]

The extension isn’t named here, though, so additional steps are needed to discover the author’s name. Getting to the final answer for this puzzle can happen in a number of ways, but taking the 32-byte string (hmdndbgnknnelnfjiehmllanaljnejmg) and searching for it using Google will lead you to the solution.
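One way to surface extension-originated requests like this from reassembled HTTP streams, as an added example that is not part of the original post. It assumes the extension ID appears in an Origin header of the form chrome-extension://<id>; the sample requests, the /api/api_post.php path and the form body are constructed, and parse_request and find_extension_requests are hypothetical helper names.

```python
import re
from urllib.parse import parse_qs

# Chrome extension IDs are 32 characters drawn from the letters a-p.
EXT_ORIGIN = re.compile(r"^chrome-extension://([a-p]{32})$")

# Constructed sample requests (not taken from the challenge capture).
# The Origin placement and the form body are assumptions; only the
# extension ID and the pastebin.com host come from the article.
SAMPLE_STREAMS = [
    "GET /news HTTP/1.1\r\nHost: www.example.org\r\n\r\n",
    "POST /api/api_post.php HTTP/1.1\r\nHost: pastebin.com\r\n"
    "Origin: chrome-extension://hmdndbgnknnelnfjiehmllanaljnejmg\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "api_option=paste&api_paste_code=constructed+sample+text",
    "POST /submit HTTP/1.1\r\nHost: www.example.org\r\n"
    "Origin: https://www.example.org\r\n\r\nq=1",
    # Right scheme, but 'z' is outside a-p, so not a valid extension ID.
    "POST /x HTTP/1.1\r\nHost: www.example.org\r\n"
    "Origin: chrome-extension://zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz\r\n\r\n",
]

def parse_request(raw):
    """Split one reassembled HTTP request into method, path, headers, body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)  # ValueError if malformed
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body

def find_extension_requests(streams):
    """Return requests whose Origin is a well-formed chrome-extension:// ID."""
    findings = []
    for raw in streams:
        try:
            method, path, headers, body = parse_request(raw)
        except ValueError:
            continue  # not an HTTP request line
        match = EXT_ORIGIN.match(headers.get("origin", ""))
        if match:
            findings.append({"extension_id": match.group(1), "method": method,
                             "host": headers.get("host", ""), "path": path,
                             "form_fields": sorted(parse_qs(body))})
    return findings
```

Only form field names are reported, not their values, so the output can go into a triage ticket without copying pasted content.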

[Screenshot: Google search for the Chrome extension string]

[Screenshot: Google result, Quick Pastebin extension]

How About If You Had Awake?

Using Awake, Dancing on Ice would be clear as day! Pastebin is a notable domain on this network, and it’s a notable artifact for this device (almost all of the traffic to Pastebin comes from this one system, as you can see from the EntityIQ profile).

[Screenshot: Awake EntityIQ, Pastebin among the characteristic artifacts]

Once we use Awake’s QueryIQ to check out the activities communicating with pastebin[.]com, it becomes clearer still!

[Screenshot: Awake QueryIQ, Pastebin traffic]

[Screenshot: Awake QueryIQ, packet details]

I hope you enjoyed the second challenge. Stay tuned for the solution to Part 3 of the 2018 Awake Threat Hunter Olympics, which will be posted here soon.
