March 14, 2019

Network Traffic Forensics

Main Challenge @ The 2018 SANS Holiday Hack Challenge [ Kringlecon ]

CTF Writeup


1- Watch Chris’ & Chris’ talk about HTTP/2.0 : 🔗

2- Goto 🔗 and register an account the login into the website

Hint : if you get this error message “Invalid Username or Password Combination”, try to register again or wait a few minutes and try to login again.

3- Let’s begin with sniffing traffic to analysis :

  • Click on SNIFF TRAFFIC button and wait 20 sec to finish.
  • If look at the analyzed traffic you will find there are no useful information.
  • Download sniffed traffic file: Click Capture > download icon next to sniff name .

4- Let’s open the capture file in wireshark to view traffic for any leads :

  • Open Wireshark app :
  • Select File from top menu > open > Select the file you just downloaded
  • As you can see it’s all encrypted with no useful information


So we need the SSL keys log (as mentioned in Tutorial) to decrypt and read http2 traffic.

5- Now let’s view the page source code and try to compromise SSL on the website and steal logins as elf hint suggested:

  • Right click >View Page Source > Inspect Page Source code for any useful information

All extensions and sizes are validated server-side in app.js

  • Let’s try to grab app.js file and incept it for any leads to ssl key log , we know the public folder :
  • Inspect Page Source code for any interesting information, You will find the following :


const key_log_path = ( !dev_mode || __dirname + process.env.DEV + process.env.SSLKEYLOGFILE )
The app.js uses an environment variables as elf hint suggested which lead to ssl key log file.
The process.env property returns an object containing the user environment, So now we need to figure out what are actual values for DEV and SSLKEYLOGFILE to get the ssl key log file from server.


keylog : key_log_path //used for dev mode to view traffic. Stores a few minutes worth at a time
Interesting comment about sniffing and time.

load_envs() function


This code tells us that in dev mode the load_envs() function used to modify env_dirs

router.get function


This code modify url when any file requested in public folder, also tells us that __dirname is the main url and the public files served from pub directory if there is no process.env property set.

  • Now we need to figure out ssl keys log file url , from previous step we know that ssl keys log file url structured as following:
    __dirname + process.env.DEV + process.env.SSLKEYLOGFILE
    And we know the __dirname , so the url should be similar to this : + DEV + SSLKEYLOGFILE
  • Let’s try to grab ssl keys file by manipulating url with what we know:
    You will get this message :
    Error: ENOENT: no such file or directory, open ‘/opt/http2/dev//SSLKEYLOGFILE’
    ENOENT (No such file or directory): Commonly raised by fs operations to indicate that a component of the specified pathname does not exist — no entity (file or directory) could be found by the given path.
    Find more about node.js errors here 🔗
  • Notice there is a directory named http2 , Path opt/http2/ is equal to the main url locally on the server, the double slash // .
  • Try , You will get this message :
    Error: EISDIR: illegal operation on a directory, read
    EISDIR (Is a directory): An operation expected a file, but the given pathname was a directory.
  • So now we know that process.env.DEV returns object which is a directory named dev

    Try ,You will get the following message :
    Error: ENOENT: no such file or directory, open ‘/opt/http2packalyzer_clientrandom_ssl.log/’
    Notice http2 after opt/ , Why there is no slash after it ?
  • Let’s assume based on the results above that the correct local url should be :
    So that make SSLKEYLOGFILE = packalyzer_clientrandom_ssl.log

    Now let’s try our new url :

Bingo you got the file , Save it > right click > save page as > save

  • Let’s test the ssl key log on wireshark :
    1. Click wireshark from upper menu > Preferences
    2. Expand Protocols on the left > Select SSL
    3. Click Browse under “ Pre-MasterSecert Log filename” and upload ssl keys log file

After you import the ssl key log you will see traffic still not decrypted because ssl keys not related to this pcap, So we need to capture more as the comment in app.js said .

6- Go back to , Let’s capture a few minutes , Repeat capture process until you get about 13 captures which equals to 4.5 - 5 minutes then just download the last capture.

7- Download SSL key log file again then import it into Wireshark


As you can see we successfully decrypted the traffic, and we have http2 traffic.

8-Let’s analysis the traffic :

  • Filter the traffic by http2, write http2 in “Apply a Display filter “ box
  • We are looking for communication between Holly Evergreen to Alabaster Snowball , let’s filter the traffic which contain “alabaster” name , write the following in “Apply a Display filter “ box :
    http2 contains “alabaster”

  • Right click on traffic raw > Follow > SSL stream :

This source code of the main page for Packalyzer .

  • In find box write “alabaster” , and you will find the following :
    const user_info = {“username”:”alabaster”,”is_admin”:true,”email”:”[email protected]”,”_id”:”5bd73470388788152cf8b906”};
    this the user details for Alabaster Snowball account we can confirm we have session for him in the traffic.
  • Let’s search for his login details , we will search login using POST method because this what Packalyzer use for login, write the following in filter box:
    no luck no useful results
  • For this connection we know that Alabaster Snowball computer source ip is And the server ip is, Let’s use the following filter to trace cookies for this connection, write the following in filter box :
    ip.dst == && http2.headers.set_cookie
    In the bottom panel expand HyperText Transfer Protocol 2 > Stream: HEADERS> Header: set-cookie :


9- Let’s use cookie to grant access to Alabaster Snowball session :

  • Go to
  • Right click on the page > Select inspect element > Select Storage tab >Select cookies from left list
  • Select cookie named “ PASESSION
  • Double click number under value column
  • Clear number and enter the number we got from wireshark 96432072889200889879230708058477

  • Close inspection panel and refresh the page to activate cookie change
  • Click account button in upper menu to check if we are in Alabaster Snowball session :

10-Download Alabaster sniffed traffic file to look at his communication with Holly Evergreen , Click on Captures button on website > download the capture pcap there.

11- Let’s analysis this capture :

  • Open the capture file in wireshark
  • Apply filter to the traffic which contain “Holly” name , write the following in filter box :
    You can filter by using SMTP {emails} protocol
    smtp contains “Holly”

    Or by using find packet option in wireshark
    Go to > edit in upper menu > find packet > enter “Holly” in search box > click find
  • Right click on found packet > Select follow > TCP stream

Now we have the email between [email protected] and [email protected] which include an attachment encoded in BASE64 .

12- Let’s convert our attachment file into readable format :

  • In wireshark : Convert the mail to raw as shown :

then save it to file attachment.raw

  • Open file attachment.raw in notepad or any text editor , then remove text from the beginning until base64 code as shown.

  • Also go to the end of the file and remove after == until the end as shown .

now we have our attachment file coded as base64 , let’s decoded it.

13- Now let’s decode the attachment to readable format:

Method1 :


As you can see first line is file type which is PDF .
Now upload the file again and click decode and download to save it

Method2 :

  • Using terminal write the following in folder path which file exists :
    base64 -d attachment.raw > attachment.pdf
  • Open the file attachment.pdf to check it .

14- Read the attachment.pdf to find any clues about song name.


The song name is Mary Had a Little Lamb

📟 Go to your Badge > Objectives > Enter Mary Had a Little Lamb