
Information
Category Name: DFA2020: Wireshark
Files:
dhcp.pcapng: 90 kB
dns.pcapng: 6 kB
https.pcapng: 27.2 MB
network.pcapng: 473 kB
secret_sauce.txt: 28 kB
shell.pcapng: 38 kB
smb.pcapng: 121 kB
My Recommendations
This section is called “Wireshark” so it’s fairly obvious it’s all we need to find the flags.
wireshark -v
I recommend creating sub-directories for each section of the CTF to stay organized and easily remove them when you have finished.
mkdir Documents/dfa20/network && cd Documents/dfa20/network
The file is a .zip file with a folder named “Wireshark”. Download it into the “network” sub-directory, unzip and cd into the Wireshark folder:
7z x *.zip && cd Wireshark
Should return: a2aa9ad4831057e17df585bdac84efc05ec0413d
Walkthrough
1. A second listener (50)
What port is the shell listening on?
File shell.pcapng
If you look at TCP Protocols, the source port is 52242 and Destination port is 4444. The Metasploit Framework uses this port as its default listening port, which is probably how the attack was orchestrated.
Answer: flag<4444>
2. I am groot (50)
What is the tree that is being browsed?
File: smb.pcapng
To find the tree, we need to filter with “smb2” (which is Windows’ filesharing protocol). Just with this filter, we can see in Frame 133 a tree connection request:
Answer: flag<\\192.168.2.10\public>
3. I will assit (50)
What IP address is requested by the client?
File: dhcp.pcapng
IP addresses are requested over DHCP. Filtering Wireshark with “dhcp”, there is a Request at frame 189. Click on it and expand “Dynamic Host Configuration Protocol (Request)”: Option (50) shows that the Requested IP Address is 192.168.2.244.
Answer: flag<192.168.2.244>
4. Listening (50)
What port is the reverse shell listening on?
File: shell.pcapng
Right click (or control-left-click) on the first packet and select Follow, then TCP Stream. It will display the TCP stream, which is basically the conversation between two hosts. To put it simply, we can see what port 52242 (the host/attacker/jim.tomato shell) and port 4444 (the reverse/attack shell) were telling each other. Towards the end of the stream, the attacker told netcat to listen on port 9999.
Answer: flag<9999>
5. Please give (50)
What is the IP address that is requested by the DHCP client?
File: network.pcapng
Filter with “dhcp“, then open the first frame (the one with Info : DHCP Request). In the Dynamic Host Configuration Protocol (Request), at Option : (50), the Requested IP Address is displayed:
Answer: flag<192.168.20.11>
6. Shark01 (50)
What is the transaction ID for the DHCP release?
File: dhcp.pcapng
Keeping the dhcp filter from Question 3, the Transaction ID of the DHCP Release is 0x9f8fa557.
Answer: flag<0x9f8fa557>
7. Some good ol fashion txt (50)
What is the response for the lookup for flag.fruitinc.xyz?
File: dns.pcapng
Select Frame 24 and look at its Domain Name System (response), Answers:
Answer: flag<ACOOLDNSFLAG>
8. Tick Tock (50)
What is the NTP server IPv6 address?
File: network.pcapng
Filter for both NTP and IPv6. In the frame I selected, the Info column shows that it’s on the client side, so the server is the Destination Address.
Answer: flag<2003:51:6012:110::dcf7:123>
9. Who speaks (50)
What is the MAC address of the client?
Format: flag<XX:XX:XX:XX:XX:XX>
File: dhcp.pcapng
On any of the DHCP packets (the Release, for example), the Client MAC address in the Dynamic Host Configuration Protocol section is the same: VMware_82:f5:94 (00:0c:29:82:f5:94).
Answer: flag<00:0c:29:82:f5:94>
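Questions 3, 5, 6 and 9 all read the same handful of DHCP fields (transaction ID, client hardware address, option 50) out of Wireshark’s dissector. The parser below is an added example, not part of the original writeup or of the CTF files: it pulls those fields out of a raw DHCP payload so the check can be scripted over many packets. The sample messages are constructed inline; the request transaction ID 0x11223344 is a made-up value, while the release transaction ID, the client MAC and the requested address are the ones the writeup reports. The option walker rejects truncated options instead of reading past the end of the buffer.

```python
import struct
from dataclasses import dataclass, field
from typing import Dict, Optional

DHCP_MAGIC = b"\x63\x82\x53\x63"   # magic cookie that precedes the options (RFC 2131)
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}


@dataclass
class DhcpSummary:
    xid: int                      # transaction ID (question 6)
    client_mac: str               # chaddr in Ethernet form (question 9)
    msg_type: str                 # option 53
    requested_ip: Optional[str]   # option 50 (questions 3 and 5)
    options: Dict[int, bytes] = field(default_factory=dict)


def parse_dhcp(payload: bytes) -> DhcpSummary:
    """Parse the UDP payload of a BOOTP/DHCP message into the fields Wireshark shows."""
    if len(payload) < 240:
        raise ValueError("payload too short for a DHCP message")
    op, htype, hlen, hops, xid = struct.unpack("!BBBBI", payload[:8])
    if hlen > 16:
        raise ValueError("hlen exceeds the 16-byte chaddr field")
    chaddr = payload[28:28 + hlen]
    if payload[236:240] != DHCP_MAGIC:
        raise ValueError("missing DHCP magic cookie")

    # Options are TLV encoded; code 0 is a one-byte pad and 255 ends the list.
    options: Dict[int, bytes] = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 0:
            i += 1
            continue
        if code == 255:
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated option {code}")
        options[code] = value
        i += 2 + length

    mt = options.get(53)
    msg_type = MSG_TYPES.get(mt[0], "UNKNOWN") if mt and len(mt) == 1 else "UNKNOWN"
    req = options.get(50)
    requested_ip = ".".join(str(b) for b in req) if req and len(req) == 4 else None
    return DhcpSummary(
        xid=xid,
        client_mac=":".join(f"{b:02x}" for b in chaddr),
        msg_type=msg_type,
        requested_ip=requested_ip,
        options=options,
    )


def build_dhcp(xid: int, mac: bytes, msg_type: int, requested_ip: Optional[str] = None) -> bytes:
    """Build a minimal client DHCP message; used here only to construct sample input."""
    hdr = struct.pack("!BBBBIHH", 1, 1, len(mac), 0, xid, 0, 0)  # op=BOOTREQUEST, htype=Ethernet
    hdr += bytes(16)                                            # ciaddr, yiaddr, siaddr, giaddr
    hdr += mac.ljust(16, b"\x00")                               # chaddr is padded to 16 bytes
    hdr += bytes(64) + bytes(128)                               # sname, file
    opts = bytes([53, 1, msg_type])
    if requested_ip:
        opts += bytes([50, 4]) + bytes(int(o) for o in requested_ip.split("."))
    return hdr + DHCP_MAGIC + opts + bytes([255])


# Constructed sample messages. The MAC, the requested address and the release
# transaction ID are the values the writeup reads from dhcp.pcapng; the request
# transaction ID is made up, since the page does not give it.
CLIENT_MAC = bytes.fromhex("000c2982f594")
SAMPLE_REQUEST = build_dhcp(0x11223344, CLIENT_MAC, 3, "192.168.2.244")
SAMPLE_RELEASE = build_dhcp(0x9F8FA557, CLIENT_MAC, 7)

if __name__ == "__main__":
    for name, pkt in (("request", SAMPLE_REQUEST), ("release", SAMPLE_RELEASE)):
        s = parse_dhcp(pkt)
        print(f"{name}: type={s.msg_type} xid={s.xid:#010x} mac={s.client_mac} requested={s.requested_ip}")
```

Feeding the function the UDP payload of each DHCP packet (for example exported from Wireshark with “Export Packet Bytes”) gives the same three values in one pass, and the ValueError branches are the checks a dissector needs before trusting the option lengths a client sent.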
10. Yellow Brick Road (50)
What is the path of the file that is opened?
File: smb.pcapng
Continuing with the filter of Question 2 & scrolling down, there are many requests and responses for the file at: HelloWorld\TradeSecrets.txt
Answer: flag<HelloWorld\TradeSecrets.txt>
11. Exif (75)
What file is added to the second shell?
File: shell.pcapng
Following the same TCP stream as question 4:
The file added is /etc/passwd. This type of attack is used to send the contents of /etc/passwd to the attacker.
Answer: flag</etc/passwd>
12. How recent (75)
What version of netcat is installed?
File: shell.pcapng
Using the same TCP stream as Question 4, the issued command is “sudo -S apt install netcat”. It successfully installed:
Answer: flag<1.10-41.1>
13. I have the answers (75)
Which root server responds to the query?
Format: flag<hostname>
File: dns.pcapng
Filtering with “dns.response_to”, the only root server that responds is e.root-servers.net:
Answer: flag<e.root-servers.net>
14. Uh uh uh (75)
What is the hex status code when the user SAMBA\jtomato logs in?
File: smb.pcapng
Remove the filters from smb.pcapng and use Wireshark’s Find option (Packet details, Narrow & Wide, String) (noob life) to search for SAMBA. There is a STATUS_LOGON_FAILURE at Frame 76. To find its hex status code we must go to the NT Status field of this frame, which is (0x000006d).
Answer: flag<0x000006d>
15. A very secure authentication method (100)
What password is used to elevate the shell?
File: shell.pcapng
Again, in the same TCP stream as the other shell.pcapng questions, you may have noticed the attacker keeps using ‘echo “*umR@Q%4V&RC”‘. This is the password used to gain root privileges.
Answer: flag<*umR@Q%4V&RC>
16. According to all known laws of aviation (100)
There is a nice simple flag in the file that was accessed.
File: smb.pcapng
Use the Follow TCP Stream on frame 282, and find the word flag. It will take you right there!
Answer: flag<OneSuperDuperSecret>
17. What version pt. 2 (100)
What is the OS version name of the target system?
File: shell.pcapng
In the same TCP stream, when netcat was installed, the apt “Get:” lines show the package being fetched from the Ubuntu repository. The OS and its version name are shown as “Ubuntu Bionic”; the version name itself is just bionic.
Answer: flag<bionic>
18. Who has authority (100)
What is the authoritative name server for the domain that is being queried?
Only need one
File: network.pcapng
Filtering with “dns”, the domain being queried is “blog.webernetz.net”. Some of the frames are responses, and the authoritative NS is displayed right there:
Answer: flag<ns2.hans.hosteurope.de>
19. How am I talking? (150)
What is the port for CDP for CCNP-LAB-S2?
File: network.pcapng
Filter with “cdp”, and make sure you check the Device ID in the Info column, as there are two CCNP-LAB devices, CCNP-LAB1 and CCNP-LAB2:
Answer: flag<GigabitEthernet0/2>
20. Who changed (150)
What is the number of the first VLAN to have a topology change occur?
File: network.pcapng
Use the filter “stp.flags.tc”; since it’s a boolean, we need to set it to == 1 (i.e. TRUE). The first match is frame 42; look at its Spanning Tree Protocol section:
Answer: flag<20>
21. Who is using me (150)
How many users are on the target system?
File: shell.pcapng
Follow the TCP stream of the reverse shell (Frame 248), i.e. the one carrying the /etc/passwd file. Copy its contents and, in a new terminal window, type:
echo "<paste the contents here>" | wc -l
wc counts 32 lines because of the trailing empty line; in reality there are 31 lines.
Answer: flag<31>
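The off-by-one above is the usual trailing-newline trap with wc -l. The POSIX shell snippet below is an added example (not from the writeup) that counts passwd records by their structure instead of by newlines, using a constructed /etc/passwd excerpt rather than the one from shell.pcapng, and also shows counting only accounts that have a login shell, which is usually the figure an incident responder actually wants.

```sh
# Constructed /etc/passwd excerpt (not the one from shell.pcapng), written to a temp
# file the way a pasted stream would be: note the blank trailing line.
SAMPLE_PASSWD="$(mktemp)"
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
jtomato:x:1000:1000:Jim Tomato:/home/jtomato:/bin/bash

EOF

# The naive count from the writeup: every newline is a line, blank or not.
naive_line_count() {
    wc -l < "$1" | tr -d ' '
}

# Count only well-formed passwd records (exactly seven colon-separated fields),
# so blank lines and paste artefacts are ignored.
count_passwd_users() {
    awk -F: 'NF == 7 { n++ } END { print n + 0 }' "$1"
}

# Count only accounts that can actually log in (shell is not nologin/false),
# which is usually the figure that matters when triaging a compromised host.
count_login_shell_users() {
    awk -F: 'NF == 7 && $7 !~ /(nologin|false)$/ { n++ } END { print n + 0 }' "$1"
}

echo "naive wc -l:        $(naive_line_count "$SAMPLE_PASSWD")"
echo "passwd records:     $(count_passwd_users "$SAMPLE_PASSWD")"
echo "login-shell users:  $(count_login_shell_users "$SAMPLE_PASSWD")"
```

On the constructed sample the naive count reports 4, the record count 3 and the login-shell count 2; the same functions work on a file you save from Follow TCP Stream.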
22. How cool are you (200)
What is the IOS version running on CCNP-LAB-S2?
File: network.pcapng
Filtering with “cdp” again, select a frame with Device ID CCNP-LAB-S2 and look at its Software Version:
Answer: flag<12.1(22)EA14>
23. Please talk (200)
How many Router solicitations were sent?
File: network.pcapng
The filter needed is “icmpv6.type == 133” (found on StackOverflow). It shows only three frames.
Answer: flag<3>
24. Some secret sauce (200)
What has been added to web interaction with web01.fruitinc.xyz?
File: https.pcapng
First, decrypt the packets with the secret_sauce.txt key log file: go into Preferences, select TLS under Protocols and load the file as the (Pre)-Master-Secret log filename. (!!Massive shoutout to petermstewart!!) Then, find any instance where the source is “web01.fruitinc.xyz” and select “Filter by Selected”. Finally, choose one of the frames whose protocol is TLSv1.2 and choose Follow… TLS Stream.
Answer: flag<y2*Lg4cHe@Ps>
25. Virtual Sharing (200)
What is the virtual IP address used for hsrp group 121?
File: network.pcapng
Filtering with “hsrp” and selecting frame 121, looking at the Group State TLV:
Answer: flag<192.168.121.1>
26. Who is root (200)
What is the MAC address for the root bridge for VLAN 60?
Format: flag<XX:XX:XX:XX:XX:XX>
File: network.pcapng
Filtering with “vlan.id == 60” and looking at the “Root Identifier” in the Spanning Tree Protocol section:
Answer: flag<00:21:1b:ae:31:80>
27. Who is sharing (200)
What are the shared networks being advertised by 192.168.10.1 and 192.168.20.1?
If necessary, format lower to higher networks, separated by a semicolon.
File: network.pcapng
Using each IP address as a filter, and opening the Routing Information Protocol shows:
The shared networks being advertised are 0.0.0.0;192.168.10.0;192.168.20.0;192.168.30.0;192.168.121.0.
However, 192.168.10.0 and 192.168.20.0 are the advertisers’ own networks, so they can be omitted. The 0.0.0.0 entry has no netmask, so it advertises /0. The other networks have a netmask of 255.255.255.0, meaning they are advertising .0/24.
Answer: flag<0.0.0.0/0;192.168.30.0/24;192.168.121.0/24>
28. Working together (200)
What is the actor state when the actor is “00:0a:8a:a1:5a:80”?
File: network.pcapng
Filtering with “lacp.actor.state”, select frame 165 and look at the Link Aggregation Control Protocol section:
I was not so sure, so I tried the “long” answer, but in the end only the hex value is needed!
Answer: flag<0x3d>
29. How are you controlled (250)
What is the management address of CCNP-LAB-S2?
File: network.pcapng
Filtering with “cdp” and looking at frame 133, the last “tab” of the Cisco Discovery Protocol section contains the management address:
Answer: flag<192.168.121.20>
30. Sharing is caring (250)
What is the interface being reported on in the first SNMP query?
File: network.pcapng
Filtering with “snmp”, choose frame 1912. Frame 191 is technically the first, but it’s a request: if you look at the request’s Simple Network Management Protocol data, the variable-bindings are all empty. What we need is the response, as that is what completes the query:
Answer: flag<Fa0/2>
31. A sneak peak (300)
What is the name of the photo that is viewed in slack?
File: https.pcapng
In Frame 6135, the entire Slack conversation is accessible in JSON format. Open it by selecting “Show Packet Bytes” on JavaScript Object Notation, and a filename is on the 1st/2nd line!
However, it’s not the correct filename. If we look at frame 6642, HTTP is “getting” the file, a thumbnail named get_a_new_phone_today__720.jpg. It makes sense that this is the file, because files viewed in Slack are thumbnails, not full-sized images.
Answer: flag<get_a_new_phone_today__720.jpg>
32. Someone needs a change (400)
What is the email of someone who needs to change their password?
File: https.pcapng
Find -> password, and … Jim Tomato’s email and password are available from frame 4758 from the app.slack.com:
Answer: flag<Jim.Tomato@fruitinc.xyz>
33. That’s not good (400)
What is the username and password to login to fw01.fruitinc.xyz?
Format flag<username:password>
File: https.pcapng
Looking at the HTTP stream for fw01.fruitinc.xyz, the login and password are there in plain sight:
Another, easier method is to search for “Password” with Find; eventually it will take you to frame 937, and the login and password are under the HTML Form URL Encoded section:
Answer: flag<admin:Ac5R4D9iyqD5bSh>
34. Last update (500)
When was the NVRAM config last updated?
Format: flag<HH:MM:SS mm/dd/yyyy>
Use the Find tool, select “Packet bytes, Narrow & Wide, String” and look for NVRAM. At frame 3770, we have a TFTP Data Packet. If you use find, it will automatically select the corresponding data. Right click (or control left click) on that data and select “show packet bytes“:
Answer: flag<21:02:36 03/03/2017>
35. Some Authentication (500)
What is the IP of the radius server?
File: network.pcapng
Same old, same old. Using the Find tool with the same settings as the previous question, I look for “radius”. On frame 3786, there is an associated IPv6 address displayed near radius. Using “Show Packet Bytes” on the (automatically) highlighted Data:
Answer: flag<2001:DB8::1812>
36. Some more sharing (500)
What IPv6 prefixes are being advertised that will be used by clients?
If necessary, format lower to higher networks, separated by a semicolon.
File: network.pcapng
We must filter by “ripng”, as that is the RIP version that carries IPv6 prefixes. Opening the RIPng section of the frames shows the following prefixes:
Metric 2 means that the network is two routers away. Metric 1 is the “favorable” one, so we omit those with Metric 2.
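The netmask-to-CIDR conversion and the “omit the advertisers’ own networks” step of question 27, together with the metric filtering of question 36, can be scripted once the route entries are read out of Wireshark. The Python below is an added example, not the writeup’s own work: the RIPv2 rows reproduce the networks listed for question 27, while the RIPng rows are hypothetical prefixes chosen only to illustrate the metric rule, since the page does not list the real ones.

```python
from ipaddress import ip_address, ip_network

# Constructed RIPv2 entries, modelled on the routes the writeup reads from network.pcapng
# for question 27: the default route carries netmask 0.0.0.0, the rest 255.255.255.0.
RIPV2_ENTRIES = [
    {"network": "0.0.0.0", "netmask": "0.0.0.0", "metric": 1},
    {"network": "192.168.10.0", "netmask": "255.255.255.0", "metric": 1},
    {"network": "192.168.20.0", "netmask": "255.255.255.0", "metric": 1},
    {"network": "192.168.30.0", "netmask": "255.255.255.0", "metric": 1},
    {"network": "192.168.121.0", "netmask": "255.255.255.0", "metric": 1},
]
RIPV2_ADVERTISERS = ["192.168.10.1", "192.168.20.1"]

# Constructed RIPng entries with hypothetical prefixes (the page does not list the real
# ones); the metric 2 route is the kind question 36 tells us to drop.
RIPNG_ENTRIES = [
    {"network": "2001:db8:30::", "prefix_len": 64, "metric": 1},
    {"network": "2001:db8:121::", "prefix_len": 64, "metric": 1},
    {"network": "2001:db8:99::", "prefix_len": 64, "metric": 2},
]


def to_network(entry):
    """Turn a RIP/RIPng table row into an ip_network. RIPv2 carries a dotted netmask,
    RIPng a prefix length; strict=True rejects rows with host bits set."""
    if "netmask" in entry:
        return ip_network(f"{entry['network']}/{entry['netmask']}", strict=True)
    return ip_network(f"{entry['network']}/{entry['prefix_len']}", strict=True)


def advertised_prefixes(entries, advertisers=(), max_metric=1):
    """Return the prefixes a client would learn, formatted as the CTF asks:
    lower to higher, separated by semicolons."""
    adv = [ip_address(a) for a in advertisers]
    keep = []
    for entry in entries:
        if entry["metric"] > max_metric:      # question 36: keep only metric 1 routes
            continue
        net = to_network(entry)
        # Omit an advertiser's own connected network (question 27 drops 192.168.10.0
        # and 192.168.20.0). The default route contains every address, so it is never
        # treated as "the advertiser's own network".
        if net.prefixlen > 0 and any(a.version == net.version and a in net for a in adv):
            continue
        keep.append(net)
    keep.sort(key=lambda n: (n.version, int(n.network_address), n.prefixlen))
    return ";".join(str(n) for n in keep)


if __name__ == "__main__":
    print(advertised_prefixes(RIPV2_ENTRIES, RIPV2_ADVERTISERS))
    print(advertised_prefixes(RIPNG_ENTRIES))
```

For the question 27 rows the function returns exactly the flag string; for the RIPng rows it drops the metric 2 prefix and prints the remaining two in ascending order.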
37. What changed? (600)
A service is assigned to an interface. What is the interface and what is the service?
flag<interface:service>
File: https.pcapng
With my 0 knowledge in network forensics, I took ages to solve this; thankfully petermstewart did it!! From his writeup, frame 1113 contains a text/html data frame, with the LAN interface assigned to the Network Time Protocol (NTP) service.
With the correct answer, I tried to reverse-solve the question. From what I understood, a service assigned to an interface is basically the user making some settings (please correct me if I’m wrong!). I spent a lot of time playing with different filters, but in the end the simplest thing to do was to first filter for ip.src == 192.168.2.1 (fw01.fruitinc.xyz). Since the case is centered around fruitinc, it’s best to look there first. Then, we want to filter with http2.flags.end_stream because we need to see the “final product” of the whole stream, i.e. when all the separate frames of the stream have been reassembled into one (please correct me if I misunderstood this). Those filters combined return 21 packets, the last one being frame 1113! You can look into the data to find the flag, or you can select Follow… TLS Stream and look for “interface”:
I would’ve never ever ever found this without petermstewart’s writeup!
Answer: flag<lan:ntp>
TLDR
– MacOS