11) Customer Complaint Analysis

Details

  • Objective Link 1: Link
  • github files: Link

The terminal challenge for this objective is the terminal "Strace Ltrace Retrace" offered by Tinsel Upatree. Solving this terminal challenge provides additional hints for this objective. To view the hints use the menu on the left.

To start this objective download the jackfrosttower-network.zip available in the objective menu. You will need Wireshark or a network packet reader.

From the hints, we know that Jack Frost Tower sets the evil bit from RFC791 for their communication.

RFC791

To solve this problem, we define a security flag, known as the "evil" bit, in the IPv4 [RFC791] header. Benign packets have this bit set to 0; those that are used for an attack will have the bit set to 1.

The evil bit can be filtered in Wireshark by ip.flags.rb.

Load the provided Jack Frost Tower network capture into Wireshark.

In the filter field, type ip.flags.rb != 1. This will filter out all the packets that have the evil bit set. The result shows an HTTP POST request that does not have the evil bit set:

[Screenshot: Wireshark filter result]

Opening this packet (#384) shows the following:

[Screenshot: contents of packet 384]

The POST request is a complaint from the Elf Muffy Sebastian VonDuchess in Room 1024.

To search for complaints for room 1024, clear existing filters and add urlencoded-form.value contains "1024". This filter will search for 1024 in the POST request.

The result is 3 packets (384, 312, 276):

Packet 384

[Screenshot: packet 384]

Packet 312

[Screenshot: packet 312]

Packet 276

[Screenshot: packet 276]

From the above packets you see the three trolls that complained were Flud Hagg Yaqh.
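The two Wireshark filters used above, reproduced on raw packet bytes as an added example (not part of the original write-up or the challenge files). It reads the reserved bit that ip.flags.rb exposes and searches the urlencoded form values for the room number; the packets, the /feedback path, the form field names and the sender names are all constructed placeholders.

```python
import struct
from urllib.parse import parse_qs

EVIL = 0x8000  # reserved bit: top bit of the 16-bit flags/fragment-offset field

def make_packet(evil, form):
    """Constructed sample: IPv4 + TCP headers (checksums zeroed) + HTTP POST."""
    http = (b"POST /feedback HTTP/1.1\r\nContent-Type: "
            b"application/x-www-form-urlencoded\r\n\r\n" + form)
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(http), 0,
                     EVIL if evil else 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + tcp + http

def evil_bit(pkt):
    """Equivalent of Wireshark's ip.flags.rb for a raw IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return bool(struct.unpack_from("!H", pkt, 6)[0] & EVIL)

def form_values(pkt):
    """Decode the urlencoded POST body that follows the IP and TCP headers."""
    ihl = (pkt[0] & 0x0F) * 4              # IPv4 header length in bytes
    tcp_len = (pkt[ihl + 12] >> 4) * 4     # TCP data offset in bytes
    _, _, body = pkt[ihl + tcp_len:].partition(b"\r\n\r\n")
    return {k: v[0] for k, v in parse_qs(body.decode("ascii", "replace")).items()}

def triage(packets, needle):
    """Split complaints mentioning `needle` by whether the evil bit is set."""
    clean, evil = [], []
    for pkt in packets:
        fields = form_values(pkt)
        if any(needle in v for v in fields.values()):
            (evil if evil_bit(pkt) else clean).append(fields.get("name"))
    return clean, evil

# Constructed sample traffic; names and form fields are placeholders.
SAMPLE = [
    make_packet(False, b"name=guest-a&room=1024&text=too+noisy"),
    make_packet(True,  b"name=troll-b&text=lady+in+room+1024+complained"),
    make_packet(True,  b"name=troll-c&text=room+2187+is+cold"),
    make_packet(True,  b"name=troll-d&text=rude+guest+in+1024"),
]

if __name__ == "__main__":
    print(triage(SAMPLE, "1024"))
```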

Answer

Flud Hagg Yaqh