By David Pearson
Principal Threat Researcher

This is Part 5 of our series solving the puzzles from the 2018 Awake Threat Hunter Olympics challenges. The previous solutions are available here, here, here and here.

Event #5: Soohorang Looks to the Future

The Winter Olympics are a wonderful display of athletic prowess and teamwork, and nobody is prouder than Pyeongchang 2018’s mascot Soohorang! Of course, all good things must come to an end. Soohorang knows it will soon be time to pass the torch on to Beijing at a date already set in four years! Let’s take a moment to reminisce about the games and dream about what the future has in store!

Soohorang Looks to the Future was a lot of fun to create. Despite the challenge description being a mere paragraph in length, it is chock full of hints to help you along the path. Since the size of the PCAP is reasonably small (but still too large to explore completely manually), the first thing I do to get my bearings is look at the DNS requests that are happening. Pretty quickly, it becomes clear that there is a lot of traffic associated with Pyeongchang, the Olympics in general and the upcoming Beijing 2022 Olympics.

[Figure: Wireshark DNS analysis of the PCAP, screenshots 1 through 4]

Given that the hints in the puzzle description mention all these things, this is a good place to start. By looking around these sessions (within the larger PCAP), it's clear that a fair amount of communication is occurring with the current Olympics pages; however, that traffic is encrypted. Continuing through the list of interesting DNS queries and their associated communications, we come across HTTP traffic to the Beijing 2022 Winter Olympics site.

[Figure: Wireshark view of the Beijing 2022 traffic]

Because we now know that this data is in plaintext, we can check out the HTTP requests directly. Doing so shows that there were a lot of visits to the various Olympics years.

[Figure: Wireshark view of the Beijing 2022 HTTP requests]

Looking at the sessions in the PCAP, we see that these are all tightly coupled and seem to be incremental in order by date.

[Figure: Beijing 2022 HTTP request sessions in the PCAP]

Interestingly, soon after the HTTP traffic, there is a flurry of SMB activity between the source computer and another local system. Turning attention to that shows that the user authenticating is soohorang!

[Figure: SMB sessions in the PCAP showing the soohorang authentication]

Digging deeper into the SMB traffic shows that this is definitely relevant, as there are a number of HTML files related to the Olympics that are being saved to and viewed from soohorang’s share.

[Figure: HTML files transferred over SMB]

However, upon careful analysis, there is one file that is not an HTML file, despite following the same naming scheme as the others:

[Figure: the 7-zip file transferred over SMB]

Since Wireshark is smart enough to recognize files transferred via SMB, the next step is to extract these files and figure out why the curling file has a .7z extension!

[Figure: extracting the transferred files from the SMB traffic in Wireshark]

Analysis via the OS X built-in file command shows that it is, in fact, a 7-zip archive. However, attempting to extract it shows that we need a password.
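The same check the file command performs, applied to a whole batch of carved files at once, as an added example that is not part of the original write-up: it classifies each file by its leading bytes rather than its name, reports where the extension disagrees with the content, and picks out whichever files differ from the majority type in the batch. The file names and contents below are constructed stand-ins, not the puzzle's real files.

```python
import re
from collections import Counter

# Leading byte signatures, the way `file` identifies formats. The 7-Zip one is
# the format this puzzle's odd file turned out to be; the rest are common archives.
MAGIC = {
    b"7z\xbc\xaf\x27\x1c": "7-zip archive",
    b"PK\x03\x04": "zip archive",
    b"\x1f\x8b": "gzip archive",
    b"Rar!\x1a\x07": "rar archive",
}
HTML_RE = re.compile(rb"^\s*<(!doctype\s+html|html)", re.IGNORECASE)
EXT_TYPES = {"html": "HTML document", "htm": "HTML document", "7z": "7-zip archive",
             "zip": "zip archive", "gz": "gzip archive", "rar": "rar archive"}

def sniff(data: bytes) -> str:
    """Classify a blob by its content, never by its name."""
    for sig, label in MAGIC.items():
        if data.startswith(sig):
            return label
    if HTML_RE.match(data[:512]):
        return "HTML document"
    return "unknown"

def declared_type(name: str) -> str:
    """What the file extension claims the file is."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return EXT_TYPES.get(ext, "unknown")

def triage(files):
    """One record per file: (name, declared type, detected type, mismatch flag)."""
    return [(n, declared_type(n), sniff(d), declared_type(n) != sniff(d))
            for n, d in files.items()]

def odd_ones_out(files):
    """Names whose detected type differs from the most common type in the batch."""
    detected = {n: sniff(d) for n, d in files.items()}
    majority, _ = Counter(detected.values()).most_common(1)[0]
    return sorted(n for n, t in detected.items() if t != majority)

# Constructed stand-ins for files carved from an SMB session (not the puzzle's files).
SAMPLE_FILES = {
    "olympics_skating.html": b"<!DOCTYPE html>\n<html><body>Skating</body></html>",
    "olympics_hockey.html": b"  <html><head></head><body>Hockey</body></html>",
    "olympics_luge.html": b"<HTML><body>Luge</body></HTML>",
    "olympics_curling.7z": b"7z\xbc\xaf\x27\x1c\x00\x04" + b"\x00" * 24,
    "olympics_bobsled.html": b"7z\xbc\xaf\x27\x1c\x00\x04" + b"\x00" * 24,  # archive renamed to .html
}

if __name__ == "__main__":
    for name, declared, detected, mismatch in triage(SAMPLE_FILES):
        flag = "  <-- extension does not match content" if mismatch else ""
        print(f"{name:24} {declared:14} -> {detected}{flag}")
    print("odd ones out:", odd_ones_out(SAMPLE_FILES))
```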

[Figure: the archive extraction prompting for a password]

Thinking back to how we’ve gotten here, we have focused on traffic associated with the Winter Olympics—and specifically the hints (and the traffic itself) have led us to more and more recent games. At this point, we also know that the next Winter Olympics are of interest to Soohorang, especially thanks to the hints in the challenge description. Did you find it a little specific that we mentioned “at a date already set in four years”? Looking for a date four years from now (via Wireshark’s find capability) turns up some promising info:

[Figure: the file modified date found in the PCAP]

That date, when entered in the form mmddyyyy (02042022), is the password for the 7-zip archive! Opening the extracted file in any browser will show the following message:

[Figure: the flag captured]

From there, putting all of the pieces together will give us the entry point to the final puzzle!

[Figure: the URL of the final puzzle] [Figure: the authentication request]

As the message above implies though, there is yet another obstacle to cross. Fortunately, there are clues within the message. Going back to the original puzzle (Basically Amazing) and pulling the credentials used as the answer (sschmirler:U0V49NE39SOLJ6I4) will authenticate you to the final challenge directory.

[Figure: the final challenge directory file listing]

Awake to the Rescue

Teamwork Makes the Dream Work and Soohorang Looks to the Future were actually both created on the same device, and the Awake platform was intelligent enough to stitch them together. Below we see that Awake’s EntityIQ identifies the authentication by user soohorang on the device named desktop-3rvcgp2, which we needed for the latter challenge. Additionally, Awake found the presence of TeamViewer on this device notable, and directly pulled out the ID we needed to solve the former challenge!

[Figure: Awake EntityIQ device details for desktop-3rvcgp2]

When we zoom back out to a view of multiple devices, we can see that the most notable artifacts associated with this device are actually the SMB communications.

[Figure: Awake DetectIQ view of the SMB behavior across devices]

From there, it’s one click to pivot into the activities and dig into the content of each packet. While we had to dig a little deeper to find the final answer, we quickly find that the 7-zip file differs from the others.

[Figure: Awake DetectIQ SMB activity with packet content]

Stay tuned for the sixth and final challenge from the 2018 Awake Threat Hunter Olympics, which will be posted here soon.
