Root-me

Twitter Authentication

Packet Capture Analysis

We’re giving a pcap that contains a twitter authentication session. We need to retrieve the password.

If we open the pcap in wireshark we can see that there’s only one packet.

If we follow tcp stream on it we get this:

GET /statuses/replies.xml HTTP/1.1
User-Agent: CFNetwork/330
Cookie: _twitter_sess=BAh7CDoJdXNlcjA6B2lkIiVmZGQ2ODc5MTMwMWFhOTFiMWExZDViZmQwMGEz%250AOWNkMyIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7AA%253D%253D--ea12e7bc090d05202cd7e3f972c2b4414a97f657
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Authorization: Basic dXNlcnRlc3Q6cGFzc3dvcmQ=
Connection: keep-alive
Host: twitter.com

It’s another Basic authorization. We’ll decode it and we’ll get the information needed.

echo "dXNlcnRlc3Q6cGFzc3dvcmQ=" | base64 -d

usertest:password

The password is password. Also the password was visible in the HTTP -> Authorization -> Credential part of the packet.

Another way to find it is using tshark.

This commands looks for all the Basic authorization in the file.

tshark -r ch3.pcap -T fields -e http.authbasic
usertest:password