CyberDefenders: PacketMaze

As an analyst working for a security service provider, you have been tasked with analyzing a packet capture for a customer's employee whose network activity has been monitored for a while (possible insider).

Information

Category Name: PacketMaze

Files:
c50-AfricanFalls3.zip 32.6 MB
– UNODC-GPC-001-003-JohnDoe-NetworkCapture-2021-04-29.pcapng 37 MB

My Recommendations

Wireshark is all we need to solve the challenge:

wireshark -v

Download it from CyberDefenders and verify it with:

sha1sum /path/to/c50-AfricanFalls3.zip

SHA1SUM: 8d259580fe6bd28a42bd3667ff5d135d04149899

Walkthrough

1. What is the FTP password?

Filtering the pcap with ftp, packet 500 is a request to the FTP server carrying the password in plaintext:

Answer: AfricaCTF2021

2. What is the IPv6 address of the DNS server used by 192.168.1.26?

Filtering the pcap with dns, and then looking at Statistics -> Conversations:

The IPv4 tab shows that Address B is ‘192.168.1.26’:

Checking the IPv6 tab for Address B will show the IPv6 address of the DNS server:

Answer: fe80::c80b:adff:feaa:1db7

3. What domain is the user looking up in packet 15174?

Filtering with frame.number == 15174:

4. How many UDP packets were sent from 192.168.1.26 to 24.39.217.246?

Filtering with udp && ip.src == 192.168.1.26 && ip.dst == 24.39.217.246:

In total, ten packets were sent. Alternatively, we can check Statistics -> Conversations:

Answer: 10

5. What is the MAC address of the system being investigated in the PCAP?

We can simply filter the pcap with ‘ip.src == 192.168.1.26’ and look at the Ethernet source address:

Answer: c8:09:a8:57:47:93

6. What was the camera model name used to take picture 20210429_152157.jpg ?

Using the Find utility to search for the string ‘0210429_152157.jpg ’ in Packet Bytes, frame 7070 shows an FTP request for this file. We can then select Follow -> TCP Stream:

The next stream, 14, contains the JPEG. We can save it as raw into our working directory and check its EXIF metadata with exiftool:

				
					exiftool 20210429_152157.jpg
				
			

The camera model name is LM-Q725K, which is an LG Q7+.

Answer: LM-Q725K

7. What is the server certificate public key that was used in TLS session da4a0000342e4b73459d7360b4bea971cc303ac18d29b99067e46d16cc07f4ff?

We can use the Find feature and search for the session ID as a ‘Hex value’:

Only one frame is returned: 26906. Next, we click on ‘Reassembled PDU in frame: 26913’, which contains the full TLS handshake. The public key is under Server Key Exchange:

Answer: 04edcc123af7b13e90ce101a31c2f996f471a7c8f48a1b81d765085f548059a550f3f4f62ca1f0e8f74d727053074a37bceb2cbdc7ce2a8994dcd76dd6834eefc5438c3b6da929321f3a1366bd14c877cc83e5d0731b7f80a6b80916efd4a23a4d

8. What is the first TLS 1.3 client random that was used to establish a connection with protonmail.com?

Filtering with tls, the first ‘Client Hello’ occurred on 2021-04-30 at 01:04:29 UTC.
The Client Random is stored under Handshake Protocol: Client Hello:

Answer: 24e92513b97a0348f733d16996929a79be21b0b1400cd7e2862a732ce7775b70
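Questions 7 and 8 both come down to reading fixed-position fields out of TLS handshake messages: the 32-byte random after the version in a Client Hello, and the EC point in a Server Key Exchange that follows the Server Hello carrying a given session ID. The following is an added example (not the writeup's own code and not bytes from the challenge capture) that does both with the standard library; the Client Hello, Server Hello and Server Key Exchange bytes are constructed inline, and the session ID and public point in them are placeholders.

```python
"""Extract the fields the walkthrough reads in Wireshark from raw TLS handshake bytes.
The sample stream at the bottom is constructed for this example; it is not from the
challenge capture."""
import struct

HANDSHAKE = 0x16
CLIENT_HELLO, SERVER_HELLO, SERVER_KEY_EXCHANGE = 0x01, 0x02, 0x0C


def tls_records(stream):
    """Yield (content_type, payload) for each TLS record in a contiguous byte stream."""
    off = 0
    while off + 5 <= len(stream):
        ctype, _ver, length = struct.unpack(">BHH", stream[off:off + 5])
        yield ctype, stream[off + 5:off + 5 + length]
        off += 5 + length


def handshake_messages(payload):
    """Yield (handshake_type, body) for each message inside a handshake record."""
    off = 0
    while off + 4 <= len(payload):
        htype = payload[off]
        length = int.from_bytes(payload[off + 1:off + 4], "big")
        yield htype, payload[off + 4:off + 4 + length]
        off += 4 + length


def hello_fields(body):
    """ClientHello and ServerHello share a prefix: version(2) random(32) sid_len(1) sid."""
    random = body[2:34]
    sid_len = body[34]
    return random, body[35:35 + sid_len]


def ecdhe_public_key(body):
    """ServerKeyExchange (ECDHE): curve_type(1) named_curve(2) point_len(1) point."""
    if body[0] != 0x03:  # 3 = named_curve; other curve encodings are not handled here
        raise ValueError("only named_curve ServerKeyExchange is supported")
    point_len = body[3]
    return body[4:4 + point_len]


def client_randoms(stream):
    """Every ClientHello random in the stream, hex encoded, in the order seen."""
    out = []
    for ctype, payload in tls_records(stream):
        if ctype != HANDSHAKE:
            continue
        for htype, body in handshake_messages(payload):
            if htype == CLIENT_HELLO:
                out.append(hello_fields(body)[0].hex())
    return out


def server_public_key_for_session(stream, session_id_hex):
    """Mirror the Q7 workflow: find the ServerHello carrying the session ID, then read
    the public key from the ServerKeyExchange that follows it. None if not found."""
    target = bytes.fromhex(session_id_hex)
    in_session = False
    for ctype, payload in tls_records(stream):
        if ctype != HANDSHAKE:
            continue
        for htype, body in handshake_messages(payload):
            if htype == SERVER_HELLO:
                in_session = hello_fields(body)[1] == target
            elif htype == SERVER_KEY_EXCHANGE and in_session:
                return ecdhe_public_key(body).hex()
    return None


def _handshake(htype, body):
    return bytes([htype]) + len(body).to_bytes(3, "big") + body


def _record(payload):
    return struct.pack(">BHH", HANDSHAKE, 0x0303, len(payload)) + payload


# Constructed sample: a minimal ClientHello, then ServerHello + ServerKeyExchange.
SAMPLE_CLIENT_RANDOM = bytes(range(32))
SAMPLE_SESSION_ID = bytes([0xDA, 0x4A] + [0] * 30)  # placeholder, not the challenge's ID
SAMPLE_POINT = b"\x04" + bytes(range(96))            # 97-byte uncompressed point, P-384 shape
SAMPLE_STREAM = (
    _record(_handshake(CLIENT_HELLO, b"\x03\x03" + SAMPLE_CLIENT_RANDOM + b"\x00"
                       + b"\x00\x02\xc0\x2c" + b"\x01\x00" + b"\x00\x00"))
    + _record(_handshake(SERVER_HELLO, b"\x03\x03" + bytes(32) + b"\x20" + SAMPLE_SESSION_ID
                         + b"\xc0\x2c" + b"\x00")
              + _handshake(SERVER_KEY_EXCHANGE, b"\x03\x00\x18" + bytes([len(SAMPLE_POINT)])
                           + SAMPLE_POINT + b"\x04\x03" + b"\x00\x00"))
)

if __name__ == "__main__":
    print(client_randoms(SAMPLE_STREAM))
    print(server_public_key_for_session(SAMPLE_STREAM, SAMPLE_SESSION_ID.hex()))
```

The 97-byte answer to question 7 (0x04 followed by two 48-byte coordinates) has the shape of an uncompressed P-384 point, which is why the constructed sample uses that size. In TLS 1.3 the key share moves into the hello extensions, so this ServerKeyExchange path applies to TLS 1.2 sessions only.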

9. What country is the MAC address of the FTP server registered in?

(two words, one space in between)

Filtering with ftp, the FTP server has IPv4 address 192.168.1.20, and its MAC address is 08:00:27:a6:1f:86:

Using an online tool like dnschecker, we can find its registration address:

Answer: United States

10. What time was a non-standard folder created on the FTP server on the 20th of April? (hh:mm)

Filtering the pcap with ftp, TCP stream 11 shows a request for a directory listing:

The next stream shows the response with the directory listing:

The folder ftp is not standard in a Kali distribution. The folder was created on April 20th at 17:53.

Answer: 17:53
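Questions 1 and 10 both read an FTP session the way Follow -> TCP Stream presents it: credentials on the control channel, and a LIST reply on the data channel. The following is an added example (not from the writeup or the challenge capture) that parses both with the standard library; the control stream, the listing and the STANDARD_DIRS set are constructed for this example, and the password in it is a made-up sample value.

```python
"""Parse an FTP control stream and a LIST reply as seen in Follow -> TCP Stream.
Both sample streams are constructed for this example and are not from the challenge."""
import re

# Constructed control-channel stream in the "C:/S:" form of a Follow TCP Stream export.
CONTROL_STREAM = """\
S: 220 (vsFTPd 3.0.3)
C: USER jdoe
S: 331 Please specify the password.
C: PASS example-password-123
S: 230 Login successful.
C: PWD
S: 257 "/home/jdoe" is the current directory
C: PASV
S: 227 Entering Passive Mode (192,168,1,20,156,34).
C: LIST
S: 150 Here comes the directory listing.
S: 226 Directory send OK.
"""

# Constructed data-channel reply to LIST, in Unix ls -l form.
LIST_REPLY = """\
drwxr-xr-x    2 1000     1000         4096 Apr 08 09:12 Desktop
drwxr-xr-x    2 1000     1000         4096 Apr 08 09:12 Documents
drwxr-xr-x    2 1000     1000         4096 Apr 08 09:12 Downloads
drwxr-xr-x    2 1000     1000         4096 Apr 20 17:53 ftp
-rw-r--r--    1 1000     1000      2813011 Apr 29 15:21 20210429_152157.jpg
"""

# Assumed set of folders a fresh home directory ships with; anything else is "non-standard".
STANDARD_DIRS = {"Desktop", "Documents", "Downloads", "Music", "Pictures",
                 "Public", "Templates", "Videos"}

LIST_LINE = re.compile(
    r"^(?P<perms>[-dl][rwxsStT-]{9})\s+\d+\s+\S+\s+\S+\s+(?P<size>\d+)\s+"
    r"(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d{2}:\d{2}|\d{4})\s+(?P<name>.+)$"
)


def ftp_credentials(stream):
    """Return (user, password) pairs sent in clear text on the control channel."""
    creds, user = [], None
    for line in stream.splitlines():
        if not line.startswith("C: "):
            continue
        cmd, _, arg = line[3:].partition(" ")
        if cmd.upper() == "USER":
            user = arg
        elif cmd.upper() == "PASS" and user is not None:
            creds.append((user, arg))
            user = None
    return creds


def parse_listing(text):
    """Turn ls -l style LIST output into dicts (name, is_dir, month, day, time)."""
    entries = []
    for line in text.splitlines():
        m = LIST_LINE.match(line)
        if m:
            entries.append({"name": m["name"], "is_dir": m["perms"][0] == "d",
                            "month": m["mon"], "day": int(m["day"]), "time": m["time"]})
    return entries


def nonstandard_dirs_on(text, month, day, standard=STANDARD_DIRS):
    """Directories outside the expected set whose listing timestamp falls on month/day.
    In a Unix ls -l listing that column is the last-modification time."""
    return [(e["name"], e["time"]) for e in parse_listing(text)
            if e["is_dir"] and e["name"] not in standard
            and e["month"] == month and e["day"] == day]


if __name__ == "__main__":
    print(ftp_credentials(CONTROL_STREAM))
    print(nonstandard_dirs_on(LIST_REPLY, "Apr", 20))
```

The same two functions work on a real export: save the control stream and the LIST data stream as ASCII from Follow -> TCP Stream and pass the text in. Entries older than six months are listed with a year instead of hh:mm, which the regex accepts but which then carries no time of day.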

11. What domain was the user connected to in packet 27300?

Filtering the pcap with frame.number == 27300:

The user was connected to dfir.science.

Answer: dfir.science
