CSAW 2012 – Networking 200

“Some dude I know is planning a party at some bar in New York! I really want to go but he’s really strict about who gets let in to the party. I managed to find this packet capture of when the dude registered the party but I don’t know what else to do. Do you think there’s any way you can find out the secret password to get into the party for me? By the way, my favorite hockey player ever is mario lemieux.”
File https://csawctf.poly.edu/challenges/45b963397aa40d4a0063e0d85e4fe7a1/23dce85a4e96a87028cc9a3e662663ce/lemieux.pcap

The pcap contained allot of HTTP streams, we made an assumption that the request would be an HTTP post request:

:~$ tshark -nn -r CSAW/lemieux.pcap -T text -R 'http.request.method=="POST"'
757 4.321508000 -> OCSP 155 Request
852 4.910543000 -> OCSP 154 Request
9058 101.265403000 ->  OCSP 142 Request
11897 114.364233000 -> HTTP/XML 335 POST /ad/p/1? HTTP/1.1 
23294 173.222074000 -> HTTP 153 POST /wp-admin/admin-ajax.php HTTP/1.1  (application/x-www-form-urlencoded)
54755 379.301826000 -> HTTP 643 POST /parties-events/ HTTP/1.1  (application/x-www-form-urlencoded)
54785 380.349715000 -> HTTP 164 POST /safebrowsing/downloads?pver=2.2&client=Safari&appver=6.0.1 HTTP/1.1  (application/x-www-form-urlencoded)
57106 395.223744000 -> HTTP 153 POST /wp-admin/admin-ajax.php HTTP/1.1  (application/x-www-form-urlencoded)
64828 448.067555000 -> HTTP 153 POST /wp-admin/admin-ajax.php HTTP/1.1  (application/x-www-form-urlencoded)

The POST request contains:

POST /parties-events/ HTTP/1.1 

The si_contact_message contains:

si_contact_message=Hey! I want to plan a party at your venue. 
I'm expecting a lot of people though and I don't want anyone who isn't supposed to be there showing up 
for the fun. If you can do me a favor and make sure to ask for the phrase [b]"brooklyn beat box"[/b]
before letting attendees in, that would be awesome!

FLAG: brooklyn beat box

Comments are closed.