Thursday, 30 January 2014

Nullcon HackIm 2014 Forensics-3

Question : There was a network traffic dump on the machine. The dump suggests an attack being carried out on a target. As per the client’s information the attack was performed from china (he says that the system was located in china when attack was carried out). Our investigator thinks otherwise. Can you find out the location from where the attack was carried out.

Wireshark is the tool.I used export feature in that and found geo.html interesting.
Look at that the location "failed".So I thought accessing Html5demos and i used tamper data to look how it is accessing the location.There was a javascript file named "ViewportInfoService.GetViewportInfo?1m6&1m2&1d24.56320627014958&2d73.6366821305144......." which by looking itself can be understood that its accessing the geo co-ordinates..It access 4 co-ordinates to make the place accurate..
Now in the challenge i looked at the javascript file and i got four co-ordinates like this :
[24.60706913770969,73.564453125],[24.68695241199915,73.740234375],[24.52713482259781,73.564453125],[24.60706913770969,73.740234375]

By googling we find a place near udaipur.Admins had released a hint in IRC that the name was suffixed with scheme.Now it wasnt so difficult.It was "Ambamata Scheme".

FLAG : Ambamata Scheme 

No comments:

Post a Comment

enter valid comments.Suggestions are most welcome and would be interested in correcting my mistakes.