This is a writeup of the Shiba Insider Challenge on Blue Team Labs Online. The challenge involves Wireshark PCAP analysis, EXIF metadata analysis, and steganography. The goal is to discover who the insider threat is.
To start the challenge we are provided with a PCAP file as well as a zip file containing two files, README.txt and ssdog1.jpeg which are both password protected and inaccessible at this time.
To kick this off, let's start by looking at the provided PCAP file. From what we can see, it's a rather small capture with only 10 lines in the packet list, so it is extremely easy to parse.
Noticing that there is HTTP traffic, right-click on it and select Follow HTTP Stream. Inside this stream we notice three things right off the bat: the initial GET request query contained the message “how do I open file”, which is the same question we have right now; the HTTP response contains the text “use your own password”; and the request carries an HTTP Authorization header whose token is base64 encoded. Seeing as we do not currently have a password, that token is the only other clue available to us, and base64 is an encoding rather than encryption, so it is trivially reversible.
Copy the authorization token and save it to a file, then base64-decode it (for example with base64 -d).
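The decoding step above, as an added example rather than anything from the original writeup: a small Python script that scans a reassembled HTTP stream for Basic authentication headers and recovers the credential pair. The sample stream is constructed here (the host and URL are placeholders, and the header is assumed to be HTTP Basic, which is what a base64 “user:password” token implies); only the username and password themselves match the writeup. The same scan is what a defender would run over proxy or capture data to find credentials travelling in cleartext.

```python
import base64
import re

# Constructed sample of a followed HTTP stream (not the challenge PCAP).
# The credential pair matches the writeup; host and path are placeholders.
SAMPLE_STREAM = """GET /?q=how+do+I+open+file HTTP/1.1
Host: example.invalid
Authorization: Basic ZmFrZWJsdWU6cmVkZm9yZXZlcg==
User-Agent: curl/7.88.1

HTTP/1.1 200 OK
Content-Type: text/plain
Content-Length: 21

use your own password
"""

# One Basic auth header per line; the token is restricted to the base64 alphabet.
AUTH_RE = re.compile(
    r"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)\s*$",
    re.IGNORECASE | re.MULTILINE,
)


def decode_basic_auth(token):
    """Return (username, password) from a Basic auth token, or None if malformed."""
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        # binascii.Error (bad base64) is a ValueError subclass.
        return None
    user, sep, pwd = raw.partition(":")
    if not sep:
        # RFC 7617 requires a colon between user-id and password.
        return None
    return user, pwd


def find_cleartext_credentials(stream):
    """Scan a reassembled HTTP stream and decode every Basic auth header in it."""
    found = []
    for match in AUTH_RE.finditer(stream):
        creds = decode_basic_auth(match.group(1))
        if creds is not None:
            found.append(creds)
    return found


if __name__ == "__main__":
    for user, pwd in find_cleartext_credentials(SAMPLE_STREAM):
        print(f"cleartext Basic auth: user={user!r} password={pwd!r}")
```

Run it as a script to print the recovered pair, or import find_cleartext_credentials and feed it the text of any followed stream saved from Wireshark.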
Now we have the username ‘fakeblue’ and the password ‘redforever’. Enter that into the password prompt of the zip file, and now we have access. Opening both files, we can see the following.
While amusing, opening these files doesn't give us any additional information, other than that we now have all the passwords we will need for the rest of this challenge. From here we'll run exiftool on the JPEG file and see what information we can pull out of it.
Quickly scanning through the output, we almost immediately notice text stating that data is hidden within this file using steganography, and it references the steghide command. Running steghide on the file with the password we already have extracts an idInsider.txt file, which contains the ID of the insider threat.
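The metadata step above, as an added example that is not part of the original writeup: a minimal JPEG segment walker in Python that lists the marker segments before the image data and pulls out the text of any COM (comment) segment, which is the field exiftool reports as “Comment” and a common place for a hint like the one the writeup describes. The JPEG bytes are constructed inline, and the comment text is made up to stand in for the real hint; where the actual challenge file stores its note is not stated on the page and is assumed here to be the comment segment.

```python
import struct

# JPEG marker codes used below (second byte after 0xFF).
APP0, COM, SOS, EOI = 0xE0, 0xFE, 0xDA, 0xD9


def _segment(marker, payload):
    # Marker, then a 2-byte big-endian length that counts itself plus the payload.
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed minimal JPEG: SOI, a JFIF APP0 header, a comment segment, EOI.
# The comment text is invented to play the role of the steghide hint.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _segment(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(COM, b"data hidden with steghide, use your own password")
    + b"\xff\xd9"
)


def jpeg_segments(data):
    """Yield (marker, payload) for each header segment up to SOS or EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        # Skip optional 0xFF fill bytes that may precede a marker.
        while data[pos + 1] == 0xFF and pos + 2 < len(data):
            pos += 1
        marker = data[pos + 1]
        if marker in (SOS, EOI):
            return  # entropy-coded image data or end of file: stop walking headers
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError(f"segment length out of bounds at offset {pos}")
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length


def jpeg_comments(data):
    """Return the decoded text of every COM segment in the file."""
    return [p.decode("utf-8", errors="replace") for m, p in jpeg_segments(data) if m == COM]


# Words that, in an image comment, are worth a second look during triage.
STEGO_HINTS = ("steghide", "hidden", "password")


def comment_hints(data):
    """Return comments that mention stego tooling or hidden content."""
    return [c for c in jpeg_comments(data) if any(h in c.lower() for h in STEGO_HINTS)]


if __name__ == "__main__":
    for marker, payload in jpeg_segments(SAMPLE_JPEG):
        print(f"segment 0x{marker:02X}, {len(payload)} bytes")
    for comment in comment_hints(SAMPLE_JPEG):
        print("suspicious comment:", comment)
```

Point jpeg_comments at the bytes of a real file to get the same text exiftool shows under Comment; the walker stops at the SOS marker on purpose, since the pixel data that follows is where steghide embeds its payload and is not a header segment.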
The final step to complete the puzzle is looking up that user on the BTLO user pages.