Objective 11 Customer Complaint Analysis
Challenge

A human has accessed the Jack Frost Tower network with a non-compliant host. Which three trolls complained about the human? Enter the troll names in alphabetical order separated by spaces. Talk to Tinsel Upatree in the kitchen for hints.

Solution

Jack Frost is using the so-called "Evil bit" (the reserved high bit of the IPv4 flags field, RFC 3514) to distinguish between good and bad traffic: the trolls set it, so most likely the "non-compliant" human has not set the "evil bit". In BPF syntax that bit is byte 6 of the IP header masked with 128.

We unzip the PCAP file and set a filter accordingly:

$ tcpdump 'ip[6] & 128 == 0' -r jackfrosttower-network.pcap | grep complaint
reading from file jackfrosttower-network.pcap, link-type EN10MB (Ethernet), snapshot length 65535
19:32:17.576190 IP 10.70.84.251.36674 > 10.70.84.10.http: Flags [P.], seq 0:437, ack 1, win 502, options [nop,nop,TS val 4276157356 ecr 3229766183], length 437: HTTP: GET /feedback/guest_complaint.html HTTP/1.1
19:34:58.994082 IP 10.70.84.251.36676 > 10.70.84.10.http: Flags [P.], seq 0:959, ack 1, win 502, options [nop,nop,TS val 4276318755 ecr 3229927601], length 959: HTTP: POST /feedback/guest_complaint.php HTTP/1.1

So the human most likely had the IP 10.70.84.251. To make searching a little easier we're using Wireshark and setting the filters:

ip.src == 10.70.84.251 and http.request.method == "POST"

If we follow the HTTP stream of that POST we can see the submitted form body:

name=Muffy+VonDuchess+Sebastian&troll_id=I+don%27t+know.+There+were+several+of+them.&guest_info=Room+1024&description=I+have+never%2C+in+my+life%2C+been+in+a+facility+with+such+a+horrible+staff.+They+are+rude+and+insulting.+What+kind+of+place+is+this%3F+You+can+be+sure+that+I+%28or+my+lawyer%29+will+be+speaking+directly+with+Mr.+Frost%21&submit=Submit

So just look for any other complaint (from a different source IP) that mentions that room:

ip.src != 10.70.84.251 and http.request.method == "POST" and urlencoded-form contains "1024"

That results in exactly three complaints. We look into each of them (Wireshark - Follow HTTP stream).

The three trolls mentioned in the stream are: Flud Hagg Yaqh
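The same procedure, scripted end to end, as an added example that is not part of the original write-up or of the challenge material: a minimal pure-Python PCAP reader that reproduces tcpdump's `ip[6] & 128 == 0` check on the IPv4 evil bit, extracts the urlencoded bodies of HTTP POSTs, identifies the human as the only non-evil poster, and then lists the other posters whose form mentions the human's room. The PCAP is constructed inline (the server/human addresses and the three troll names come from the write-up; the fourth troll "Bing", the ports and the complaint texts are made up for the sample), so it runs offline and needs no scapy or tshark.

```python
import struct
from urllib.parse import parse_qs, urlencode

SERVER_IP = "10.70.84.10"    # from the write-up
HUMAN_IP = "10.70.84.251"    # from the write-up

def ipv4_frame(src, dst, payload, evil):
    """Build an Ethernet + IPv4 + TCP frame. evil=True sets the reserved high bit of
    the IPv4 flags field (RFC 3514 'evil bit'), which is ip[6] & 0x80 in BPF terms."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 502, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    flags_frag = 0x8000 if evil else 0x4000        # evil bit vs. plain DF
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, flags_frag, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    eth = b"\x00" * 12 + b"\x08\x00"               # dummy MACs, EtherType IPv4
    return eth + ip + tcp + payload

def http_post(path, form):
    """A urlencoded HTTP POST, the same shape as the guest_complaint.php submission."""
    body = urlencode(form).encode()
    head = (f"POST {path} HTTP/1.1\r\nHost: {SERVER_IP}\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n").encode()
    return head + body

def pcap_bytes(frames):
    """Wrap frames in a classic (non-pcapng) little-endian PCAP with Ethernet link type."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out

def parse_pcap(data):
    """Yield (src, dst, evil_bit_set, tcp_payload) for every IPv4/TCP frame."""
    if struct.unpack("<I", data[:4])[0] != 0xA1B2C3D4:
        raise ValueError("only little-endian classic pcap is handled here")
    off = 24
    while off + 16 <= len(data):
        _, _, incl, _ = struct.unpack("<IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl]
        off += 16 + incl
        if frame[12:14] != b"\x08\x00":            # not IPv4
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6:                              # not TCP
            continue
        evil = bool(ip[6] & 0x80)                   # tcpdump: ip[6] & 128
        src = ".".join(map(str, ip[12:16]))
        dst = ".".join(map(str, ip[16:20]))
        tcp = ip[ihl:]
        data_off = (tcp[12] >> 4) * 4
        yield src, dst, evil, tcp[data_off:]

def http_posts(data, evil=None):
    """(src_ip, form_dict) for each HTTP POST; evil=False mirrors 'ip[6] & 128 == 0'."""
    posts = []
    for src, _dst, is_evil, payload in parse_pcap(data):
        if evil is not None and is_evil != evil:
            continue
        if not payload.startswith(b"POST "):
            continue
        _head, _sep, body = payload.partition(b"\r\n\r\n")
        form = {k: v[0] for k, v in parse_qs(body.decode(errors="replace")).items()}
        posts.append((src, form))
    return posts

def find_complaining_trolls(data):
    """The write-up's procedure: the human is the poster without the evil bit; every
    other poster whose form mentions the human's room number is a complaining troll."""
    human_ip, human_form = http_posts(data, evil=False)[0]
    room = human_form["guest_info"].split()[-1]    # "Room 1024" -> "1024"
    names = {form["name"] for src, form in http_posts(data)
             if src != human_ip and any(room in v for v in form.values())}
    return sorted(names)                            # answer format: alphabetical

def sample_pcap():
    """Constructed traffic, not the challenge capture."""
    php = "/feedback/guest_complaint.php"
    return pcap_bytes([
        ipv4_frame(HUMAN_IP, SERVER_IP,
                   b"GET /feedback/guest_complaint.html HTTP/1.1\r\nHost: x\r\n\r\n", evil=False),
        ipv4_frame(HUMAN_IP, SERVER_IP, http_post(php, {
            "name": "Muffy VonDuchess Sebastian", "troll_id": "I don't know.",
            "guest_info": "Room 1024", "description": "Horrible staff."}), evil=False),
        ipv4_frame("10.70.84.21", SERVER_IP, http_post(php, {
            "name": "Flud", "guest_info": "Room 1024", "description": "Rude guest."}), evil=True),
        ipv4_frame("10.70.84.22", SERVER_IP, http_post(php, {
            "name": "Hagg", "guest_info": "Lobby", "description": "Guest from 1024 yelled."}), evil=True),
        ipv4_frame("10.70.84.23", SERVER_IP, http_post(php, {
            "name": "Yaqh", "guest_info": "Room 1024", "description": "Threw a towel."}), evil=True),
        ipv4_frame("10.70.84.24", SERVER_IP, http_post(php, {       # unrelated room
            "name": "Bing", "guest_info": "Room 1030", "description": "Noisy."}), evil=True),
    ])

if __name__ == "__main__":
    print(find_complaining_trolls(sample_pcap()))
```

To run it against a real capture, replace `sample_pcap()` with `open("file.pcap", "rb").read()`; note that the reader handles only classic little-endian PCAP with Ethernet framing and single-segment HTTP requests, which is enough for small form posts but not for reassembling bodies split across TCP segments.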