Cyberdefenders PacketMaze Walkthrough

4 min readFeb 13, 2022

Hello! In this article I’m gonna analyz an insider activity from PacketMaze challenge which is published on cyberdefenders.org.

Challenge details : As an analyst working for a security service provider, you have been tasked with analyzing a packet capture for a customer’s employee whose network activity has been monitored for a while -possible insider.

Tools that can be used : WireShark, NetworkMiner

Q1 : What is the FTP password?

View ftp traffic through filter pane, then follow tcp stream and password can be seen in the popup pane.

A1 : AfricaCTF2021

Q2 : What is the IPv6 address of the DNS server used by 192.168.1.26? (####::####:####:####:####)

To find DNS’ IPv6, let’s grab DNS server mac address. Filter by DNS parameter and ip that mentioned in the question. The query will be like;

ip.addr == 192.168.1.26 and dns

After that we can grab MAC address of DNS server which is “ca:0b:ad:ad:20:ba”. The last step is to look at the dns conversation. Follow Statistics -> Conversation after applying dns filter and look for MAC address we’ve already found. So IPv6 address can be seen by comparing IPv6 and Eth panes.

A2 : fe80::c80b:adff:feaa:1db7

Q3 : What domain is the user looking up in packet 15174?

Let’s grab the packet by filtering number.

frame.number == 15174

Follow UDP stream and got the answer.

A3 : www.7-zip.org

Q4 : How many UDP packets were sent from 192.168.1.26 to 24.39.217.246?

ip.addr == 192.168.1.26 and ip.addr == 24.39.217.246 and udp

A4 : 10

“The result was short, so I counted them one by one. There could be alternative for the long results..”

Q5 : What is the MAC address of the system being investigated in the PCAP?

We already know what IP is, so the filter is :

ip.addr == 192.168.1.26

A5 : c8:09:a8:57:47:93

Q6 : What was the camera model name used to take picture 20210429_152157.jpg ?

First, I tried to export FTP objects but I couldn’t succeed. Then, filter ftp data via filter pane. The query is ftp-data.

Follow TCP stream, convert data into raw and save it. The result should look like;

The model of the machine can be obtained with any exif tool.

A6 : LM-Q725K

Q7 : What is the server certificate public key that was used in TLS session: da4a0000342e4b73459d7360b4bea971cc303ac18d29b99067e46d16cc07f4ff?

By filtering the TLS protocol, we get all the packets. By searching TLS session value, the public key can be seen in the details pane.

A7 :04edcc123af7b13e90ce101a31c2f996f471a7c8f48a1b81d765085f548059a550f3f4f62ca1f0e8f74d727053074a37bceb2cbdc7ce2a8994dcd76dd6834eefc5438c3b6da929321f3a1366bd14c877cc83e5d0731b7f80a6b80916efd4a23a4d

Q8 : What is the first TLS 1.3 client random that was used to establish a connection with protonmail.com?

We display all server names by filtering with

ssl.handshake.extensions_server_name

and Apply as Column feature.

A8 :24e92513b97a0348f733d16996929a79be21b0b1400cd7e2862a732ce7775b70

Q9 : What country is the MAC address of the FTP server registered in? (two words, one space in between)

We already found out what FTP server’s IP is. Let’s grab it again and find out what is the location. FTP server IP address is “192.168.1.20” and MAC address is “08:00:27:a6:1f:86”. https://macaddress.io/ can be used for MAC look up.

A9 : United States

Q10 : What time was a non-standard folder created on the FTP server on the 20th of April? (hh:mm)

One more time filtering ftp protocol, we can follow tcp stream and see that there is only one file is created on the 20th of April.