Objective 11) Customer Complaint Analysis

Difficulty:

A human has accessed the Jack Frost Tower network with a non-compliant host. Which three trolls complained about the human? Enter the troll names in alphabetical order separated by spaces. Talk to Tinsel Upatree in the kitchen for hints.

Hints and Resources

Hints provided after helping Tinsel Upatree and completing the Strace, Ltrace, Retrace Terminal Challenge

Evil Bit RFC
RFC3514 defines the usage of the "Evil Bit" in IPv4 headers.

Wireshark Display Filters
Different from BPF capture filters, Wireshark's display filters can find text with the contains keyword - and evil bits with ip.flags.rb.

Other Resources

Wireshark
https://wireshark.org/#download

KringleCon Talk
RFC-3514 Compliant Pentesting: Being Good While You're Being Bad - Tom Liston

Troll Introduction

Talk to Pat Tronizer in the Frost Fest Talks Lobby

Hrmph. Oh hey, I'm Pat Tronizer.
I'm SO glad to have all these first-rate talks here.
We issued a Call for Talks, but only one person responded… We put him in track 1.
But Jack came up with an ingenious way to borrow additional talks for FrostFest! You can hardly tell where we got these great speakers!
Anyway, I cannot believe an actual human connected to the Tower network. It’s supposed to be the domain of us trolls and of course Jack Frost himself.
Mr. Frost has a strict policy: all devices must be RFC3514 compliant. It fits in with our nefarious plans.
Some human had the nerve to use our complaint website to submit a complaint!
That website is for trolls to complain about guests, NOT the other way around.
Humans have some nerve.

Setup

Download and install Wireshark on your device if it isn't already installed (the default options should be fine).

Solution

Download the zip file linked in the objective description or Pat's introduction. Unzip it to get the jackfrosttower-network.pcap file and open it with Wireshark.

Apply the filter ip.flags.rb == 0 to show only those packets that don't have the "Evil Bit" set, in other words the non-Troll data.

Looking at the results we find one packet that is an HTTP POST. Select it and expand the HTML Form in the Packet Details to read the details of the complaint submission.

In the guest_info form item we see that the human, Muffy VonDuchess Sebastian, was residing in room 1024. We now apply the filter tcp contains "1024" to get any packets referencing that room.

This results in 4 POST requests, which we can look at in turn to find the names of the 3 trolls that complained about Muffy.
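Added example, not part of the original walkthrough: the two display filters above expressed in Python, showing where the RFC 3514 bit sits in the IPv4 header. The frames, the `name` field, the POST path and the host are constructed for illustration; only `guest_info` is a field named on this page. Unlike `tcp contains`, the substring search here covers the TCP payload only.

```python
import struct
from urllib.parse import parse_qs

EVIL = 0x8000  # RFC 3514: reserved high bit of the IPv4 flags/fragment-offset field

def make_frame(evil, body):
    """Constructed Ethernet/IPv4/TCP frame carrying an HTTP POST (checksums zeroed)."""
    http = b"POST /submit HTTP/1.1\r\nHost: sample.invalid\r\n\r\n" + body
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + http
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1,
                     EVIL if evil else 0, 64, 6, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def parse_frame(frame):
    """Return (evil_bit_set, tcp_payload), or None unless Ethernet/IPv4/TCP."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4                      # IPv4 header length in bytes
    if ihl < 20 or frame[23] != 6 or len(frame) < 14 + ihl + 20:
        return None
    total_len, _ident, flags_frag = struct.unpack("!HHH", frame[16:22])
    tcp_off = 14 + ihl
    data_off = (frame[tcp_off + 12] >> 4) * 4         # TCP header length in bytes
    return bool(flags_frag & EVIL), frame[tcp_off + data_off:14 + total_len]

def form_fields(payload):
    """Decode the urlencoded form body that follows the HTTP headers."""
    body = payload.partition(b"\r\n\r\n")[2].decode("latin-1")
    return {k: v[0] for k, v in parse_qs(body).items()}

def pivot(frames, needle):
    """Return (forms with ip.flags.rb == 0, evil-bit forms whose payload has needle)."""
    no_evil, matches = [], []
    for evil, payload in filter(None, map(parse_frame, frames)):
        if not evil:
            no_evil.append(form_fields(payload))
        elif needle in payload:
            matches.append(form_fields(payload))
    return no_evil, matches

# Constructed sample traffic; the names and rooms are made up.
SAMPLE = [
    make_frame(False, b"name=Guest+A&guest_info=Room+2048"),
    make_frame(True, b"name=Troll+B&guest_info=Lady+in+room+2048"),
    make_frame(True, b"name=Troll+C&guest_info=Man+in+room+3000"),
    b"\x00" * 12 + b"\x08\x06" + b"\x00" * 46,  # ARP frame, skipped by the parser
]
```

Calling `pivot(SAMPLE, b"2048")` separates the one submission sent without the bit from the bit-set submissions that mention the same room.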

Completion

Answer

Flud Hagg Yaqh

Extra

To see all the customer complaint submissions, see this table in the Extras section.