30 Sep 2012

CSAW 2012 – Networking 200

“Some dude I know is planning a party at some bar in New York! I really want to go but he’s really strict about who gets let in to the party. I managed to find this packet capture of when the dude registered the party but I don’t know what else to do. Do you think there’s any way you can find out the secret password to get into the party for me? By the way, my favorite hockey player ever is mario lemieux.”
File: https://csawctf.poly.edu/challenges/45b963397aa40d4a0063e0d85e4fe7a1/23dce85a4e96a87028cc9a3e662663ce/lemieux.pcap

The pcap contained a lot of HTTP streams. We assumed that the party registration would be an HTTP POST request, so we filtered on the request method:

:~$ tshark -nn -r CSAW/lemieux.pcap -T text -R 'http.request.method=="POST"'
757 4.321508000 192.168.1.104 -> 178.255.83.1 OCSP 155 Request
852 4.910543000 192.168.1.104 -> 178.255.83.1 OCSP 154 Request
9058 101.265403000 192.168.1.104 -> 199.7.51.72  OCSP 142 Request
11897 114.364233000 192.168.1.104 -> 63.251.28.128 HTTP/XML 335 POST /ad/p/1? HTTP/1.1 
23294 173.222074000 192.168.1.104 -> 66.96.131.56 HTTP 153 POST /wp-admin/admin-ajax.php HTTP/1.1  (application/x-www-form-urlencoded)
54755 379.301826000 192.168.1.104 -> 66.96.131.56 HTTP 643 POST /parties-events/ HTTP/1.1  (application/x-www-form-urlencoded)
54785 380.349715000 192.168.1.104 -> 173.194.43.5 HTTP 164 POST /safebrowsing/downloads?pver=2.2&client=Safari&appver=6.0.1 HTTP/1.1  (application/x-www-form-urlencoded)
57106 395.223744000 192.168.1.104 -> 66.96.131.56 HTTP 153 POST /wp-admin/admin-ajax.php HTTP/1.1  (application/x-www-form-urlencoded)
64828 448.067555000 192.168.1.104 -> 66.96.131.56 HTTP 153 POST /wp-admin/admin-ajax.php HTTP/1.1  (application/x-www-form-urlencoded)

The POST request to /parties-events/ (frame 54755) contains:

POST /parties-events/ HTTP/1.1 
{SNIP} 
si_contact_CID=1&si_contact_name=Mike+Jones&si_contact_email=mike%40example.com&si_contact_ex_field1=917-459-2485&si_contact_subject=Party+time%21&si_contact_message=Hey%21+I+want+to+plan+a+party+at+your+venue.+I%27m+expecting+a+lot+of+people+though+and+I+don%27t+want+anyone+who+isn%27t+supposed+to+be+there+showing+up+for+the+fun.+If+you+can+do+me+a+favor+and+make+sure+to+ask+for+the+phrase+%22brooklyn+beat+box%22+before+letting+attendees+in%2C+that+would+be+awesome%21&si_code_ctf_4=H2cEwa6GC0WdaT8P&si_contact_captcha_code=B38F&si_contact_action=send&si_contact_form_id=4
{SNIP}

URL-decoded, the si_contact_message field contains:

si_contact_message=Hey! I want to plan a party at your venue. 
I'm expecting a lot of people though and I don't want anyone who isn't supposed to be there showing up 
for the fun. If you can do me a favor and make sure to ask for the phrase [b]"brooklyn beat box"[/b]
before letting attendees in, that would be awesome!

FLAG: brooklyn beat box
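
The decoding step above can be reproduced offline. The following Python sketch is an added example, not part of the original write-up: it parses reassembled request bytes, keeps only urlencoded form POSTs, and decodes the fields. The sample streams, the `venue.example` host and the function names are constructed for illustration.

```python
from urllib.parse import parse_qsl

def build_post(uri, body):
    # Constructed sample request; Host is a placeholder, not taken from the capture.
    head = (f"POST {uri} HTTP/1.1\r\nHost: venue.example\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n")
    return head.encode("ascii") + body.encode("ascii")

# Constructed stand-ins for two reassembled client-to-server streams.
# The second body is a shortened copy of the form body shown above.
SAMPLE_STREAMS = [
    build_post("/wp-admin/admin-ajax.php", "action=sample"),
    build_post("/parties-events/",
               "si_contact_name=Mike+Jones&si_contact_subject=Party+time%21"
               "&si_contact_message=make+sure+to+ask+for+the+phrase+"
               "%22brooklyn+beat+box%22+before+letting+attendees+in%2C+that+"
               "would+be+awesome%21&si_contact_action=send"),
]

def parse_form_post(raw):
    """Return (uri, fields) for a urlencoded POST, or None for other traffic."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    request_line = lines[0].split(" ")
    if not sep or len(request_line) != 3 or request_line[0] != "POST":
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype != "application/x-www-form-urlencoded":
        return None
    length = int(headers.get("content-length", len(body)))
    if len(body) < length:
        raise ValueError("body shorter than Content-Length; stream not fully reassembled")
    # parse_qsl turns '+' into spaces and decodes %XX escapes.
    pairs = parse_qsl(body[:length].decode("ascii"), keep_blank_values=True)
    return request_line[1], dict(pairs)

def find_field(streams, uri, field):
    """Return the decoded value of `field` from the first form POST to `uri`."""
    for raw in streams:
        parsed = parse_form_post(raw)
        if parsed and parsed[0] == uri:
            return parsed[1].get(field)
    return None

if __name__ == "__main__":
    print(find_field(SAMPLE_STREAMS, "/parties-events/", "si_contact_message"))
```

Because the form was submitted over plain HTTP, every field is readable by anyone who can capture the traffic; the same form sent over TLS would not appear in the capture in this form.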
