Objective 8: Network Traffic Forensics

Difficulty: 4/5

Santa has introduced a web-based packet capture and analysis tool at https://packalyzer.kringlecastle.com to support the elves and their information security work. Using the system, access and decrypt HTTP/2 network activity.
What is the name of the song described in the document sent from Holly Evergreen to Alabaster Snowball?

For hints on achieving this objective, please visit SugarPlum Mary and help her with the Python Escape from LA Cranberry Pi terminal challenge.
Note: SugarPlum Mary can be found on Floor 1, on the Western side of the lobby area

Hints given:
Did you see Chris' (https://www.youtube.com/watch?v=PC6-mn9g9Cs) & Chris' (https://www.youtube.com/watch?v=YHOnxlQ6zec) talk on HTTP/2.0?

SugarPlum Mary:
As a token of my gratitude, I would like to share a rumor I had heard about Santa's new web-based packet analyzer - Packalyzer. Another elf told me that Packalyzer was rushed and deployed with development code sitting in the web root. Apparently, he found this out by looking at HTML comments left behind and was able to grab the server-side source code. There was suspicious-looking development code using environment variables to store SSL keys and open up directories. This elf then told me that manipulating values in the URL gave back weird and descriptive errors. I'm hoping these errors can't be used to compromise SSL on the website and steal logins. On a tooootally unrelated note, have you seen the HTTP2 talk at KringleCon by the Chrises? I never knew HTTP2 was so different!


The objective can be accessed directly via this link:
https://packalyzer.kringlecastle.com/


Navigate to https://packalyzer.kringlecastle.com/ and click Register:
Username: jollyfrogs
Email: thefrog@thepond.invalid
Password: jollyfrogs
Confirm password: jollyfrogs
Note: The username and password both need to be lowercase.

After the account is created, log in to Packalyzer with the new credentials.

Once logged in, right-click the page and select "View Source".

The key bits of info from the page source are below:

https://packalyzer.kringlecastle.com:80/pub/css/materialize.css
https://packalyzer.kringlecastle.com:80/pub/js/loader.js
//File upload Function. All extensions and sizes are validated server-side in app.js

The paths above indicate that the application's static files, and apparently its source, are served from the https://packalyzer.kringlecastle.com:80/pub/ folder. The HTML comment gives the file name to look for: app.js.

Navigating to https://packalyzer.kringlecastle.com:80/pub/app.js reveals the server-side NodeJS source code.

The app.js file contains the following key bits of info:

// When dev_mode is false, !dev_mode is true and the || short-circuits, so key_log_path is just the boolean true.
// When dev_mode is true, key_log_path becomes __dirname + process.env.DEV + process.env.SSLKEYLOGFILE,
// i.e. the key log lives under the server directory at a location assembled from two environment variables.
const key_log_path = ( !dev_mode || __dirname + process.env.DEV + process.env.SSLKEYLOGFILE )

// Builds the list of directory routes the server exposes: one route per
// string-valued environment variable, named after the variable in lowercase.
function load_envs() {
  var dirs = []
  var env_keys = Object.keys(process.env)
  for (var i=0; i < env_keys.length; i++) {
    if (typeof process.env[env_keys[i]] === "string" ) {
      // e.g. the variable DEV becomes the route "/dev/*"
      dirs.push(( "/"+env_keys[i].toLowerCase()+'/*') )
    }
  }
  return uniqueArray(dirs)   // uniqueArray() is defined elsewhere in app.js
}

From the code above, every environment variable name is turned into a website directory, so process.env.DEV and process.env.SSLKEYLOGFILE (both referenced when building key_log_path) are reachable as paths on the site.

Browsing to https://packalyzer.kringlecastle.com/DEV/ confirms it is a directory, although we do not yet know which file to request from it:

Error: EISDIR: illegal operation on a directory, read

Browsing to https://packalyzer.kringlecastle.com/SSLKEYLOGFILE/ produces an error that leaks the value of that variable, i.e. the SSL key log file name "packalyzer_clientrandom_ssl.log":

Error: ENOENT: no such file or directory, open '/opt/http2packalyzer_clientrandom_ssl.log/'

Together, the directory and the file name give the location of the SSL key log: requesting packalyzer_clientrandom_ssl.log under the /DEV/ directory returns the key log file contents. Save them locally as packalyzer_clientrandom_ssl.log.

Using the Packalyzer "Sniff Traffic" feature, take a capture and download the resulting pcap file.

In Wireshark, the contents of the pcap file are decrypted using the 'packalyzer_clientrandom_ssl.log' file. A key log only contains entries for sessions that were logged, so the saved copy must include the CLIENT_RANDOM lines for the sessions in the capture; if the traffic does not decrypt, fetch the key log again after taking the capture. The decrypted contents reveal the credentials of a few elves, including 'alabaster', who has admin privileges.

Open 69805829_1-1-2019_2-0-52.pcap in Wireshark
In Wireshark, click the "Edit" menu
"Preferences..."
"Protocols"
"SSL" (labelled "TLS" in Wireshark 3.x)
(Pre)-Master-Secret log filename: packalyzer_clientrandom_ssl.log
Click "OK" - the encrypted SSL streams are decrypted

In the display filter bar, type: http2.data.data
Highlight one of the "DATA[1]" packets
Expand "HyperText Transfer Protocol 2"
Expand "Stream: DATA, Stream ID: 1, Length 98"
Highlight "JavaScript Object Notation: application/json" to see the decrypted login request body:
{"username": "alabaster", "password": "Packer-p@re-turntable192"}

Log in to the Packalyzer website using Alabaster's credentials:
username: alabaster
password: Packer-p@re-turntable192

Then download the capture file "super_secret_packet_capture.pcap" (the file is renamed to "upload_2a4a5ae98007cb261119b208bf9369ef.pcap" when downloaded).

Using Wireshark, open the file 'upload_2a4a5ae98007cb261119b208bf9369ef.pcap' and right-click any packet -> Follow -> TCP Stream. This shows the raw SMTP email from "Holly.evergreen@mail.kringlecastle.com" to "alabaster.snowball@mail.kringlecastle.com".

Copy the Base64-encoded attachment and decode it using Kali:

root@kali ~# leafpad attachment.b64
root@kali ~# cat attachment.b64 | base64 -d > objective8
root@kali ~# file objective8
objective8: PDF document, version 1.5
root@kali ~# mv objective8 objective8.pdf
root@kali ~# evince objective8.pdf

The song name referenced in the PDF is:
Mary Had a Little Lamb