
Customer Complaint Analysis

Challenge :
A human has accessed the Jack Frost Tower network with a non-compliant host.
Which three trolls complained about the human? Enter the troll names in alphabetical order separated by spaces.
Talk to Tinsel Upatree in the kitchen for hints.
Difficulty Level :
Location :
Jack’s Tower Talks Lobby
Elf/Troll :
Pat Tronizer
I cannot believe an actual human connected to the Tower network. It’s supposed to be the domain of us trolls and of course Jack Frost himself.
Mr. Frost has a strict policy: all devices must be RFC3514 compliant. It fits in with our nefarious plans.
Some human had the nerve to use our complaint website to submit a complaint!
Note:
https://downloads.jackfrosttower.com/2021/jackfrosttower-network.zip contains the pcap file we will analyze to answer this objective.

Understanding the RFC 3514

RFC 3514 defines a security flag in the reserved bit of the IPv4 header:

https://datatracker.ietf.org/doc/html/rfc3514

"Benign packets have this bit set to 0; those that are used for an attack will have the bit set to 1"


Reading the evil bit/flag in the PCAP file

How can we read this reserved flag in the pcap with Wireshark?
The Wireshark IP dissector source on GitHub shows that the field is named ip.flags.rb:

https://github.com/wireshark/wireshark/blob/master/epan/dissectors/packet-ip.c


Armed with this information, we add a custom column for the Reserved/Evil bit based on "ip.flags.rb".
We also add columns for http.request.method and http.request.uri.


Mr. Frost is evil, and if his strict policy is that all devices be RFC 3514 compliant, every troll device will be sending packets with the flag set to 1 (ip.flags.rb == 1).
So let's check which device is NOT compliant, i.e., which one is sending ip.flags.rb == 0.


We look at the data posted via /feedback/guest_complaint.php.
We see Muffy VonDuchess Sebastian is complaining about the hotel staff from room 1024.


Find complaining trolls

Now let's find out which trolls are complaining about the guest.
We can use the following facts to filter the packets:

  1. Trolls must be compliant with RFC 3514, so ip.flags.rb == 1.
  2. Trolls must be sending the complaint via the feedback form /feedback/guest_complaint.php.
  3. Trolls must be complaining about room 1024.

Wireshark query

ip.flags.rb == 1 && http.request.method=="POST" &&  http.request.uri=="/feedback/guest_complaint.php" && urlencoded-form.key contains "guest_info"  && urlencoded-form.value contains "1024"

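The same three-part filter (evil bit set, POST to the complaint form, form value mentioning room 1024) can be scripted outside Wireshark. The following is an added example, not part of the original write-up or the challenge files: it parses raw Ethernet/IPv4/TCP frames with the standard library only, and the form field names (name, guest_info) and the sample frames are assumptions constructed for the demonstration.

```python
import struct
from urllib.parse import parse_qs

COMPLAINT_URI = "/feedback/guest_complaint.php"

def build_frame(src_ip, evil, body):
    """Construct a minimal Ethernet/IPv4/TCP frame carrying an HTTP POST (sample data only)."""
    http = (f"POST {COMPLAINT_URI} HTTP/1.1\r\nHost: jackfrosttower.com\r\n"
            f"Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}").encode()
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 1024, 0, 0)
    flags_frag = 0x8000 if evil else 0  # RFC 3514 evil bit = IPv4 reserved flag bit
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(http), 1, flags_frag,
                     64, 6, 0, bytes(int(o) for o in src_ip.split(".")), bytes([10, 70, 84, 10]))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + http

def parse_frame(frame):
    """Return (src_ip, evil_bit, form_fields) for a POST to the complaint form, else None."""
    if frame[12:14] != b"\x08\x00":          # not IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:                           # not TCP
        return None
    evil = struct.unpack("!H", ip[6:8])[0] >> 15   # the bit Wireshark shows as ip.flags.rb
    src = ".".join(str(b) for b in ip[12:16])
    tcp = ip[ihl:]
    payload = tcp[(tcp[12] >> 4) * 4:]
    head, _, body = payload.partition(b"\r\n\r\n")
    if not head.startswith(f"POST {COMPLAINT_URI} ".encode()):
        return None
    form = {k: v[0] for k, v in parse_qs(body.decode(errors="replace")).items()}
    return src, evil, form

def find_trolls(frames, room="1024"):
    """Sorted names of evil-bit (RFC 3514 compliant) hosts complaining about `room`."""
    names = set()
    for frame in frames:
        hit = parse_frame(frame)
        if hit and hit[1] == 1 and room in hit[2].get("guest_info", ""):
            names.add(hit[2].get("name", "?"))
    return sorted(names)

# Constructed sample traffic (not the challenge pcap); form field names are assumed.
SAMPLE_FRAMES = [
    build_frame("10.70.84.21", True, "name=Yaqh&guest_info=Room+1024+guest+is+noisy"),
    build_frame("10.70.84.30", False, "name=Muffy&guest_info=Staff+are+rude+room+1024"),
    build_frame("10.70.84.22", True, "name=Flud&guest_info=Room+1024+guest+broke+lamp"),
    build_frame("10.70.84.23", True, "name=Hagg&guest_info=Room+808+smells"),
]
```

The human's complaint (evil bit 0) and the troll complaining about another room are both dropped, leaving only the trolls who match all three criteria.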

Now we look at each of those three packets and pick out the names of the trolls complaining about the guest in room 1024.

Row #276: Yaqh
Row #312: Flud
Row #384: Hagg

We submit the three names above, in alphabetical order, as the answer, and the objective is complete.
