Cyberdefenders PacketMaze Walkthrough
Hello! In this article I'm going to analyze insider activity from the PacketMaze challenge, which is published on cyberdefenders.org.
Challenge details : As an analyst working for a security service provider, you have been tasked with analyzing a packet capture for a customer's employee whose network activity has been monitored for a while (possible insider).
Tools that can be used : Wireshark, NetworkMiner
Q1 : What is the FTP password?
Filter for FTP traffic in the filter pane, then follow the TCP stream; FTP sends credentials in clear text, so the password can be read directly in the popup pane.
A1 : AfricaCTF2021
Q2 : What is the IPv6 address of the DNS server used by 192.168.1.26? (####::####:####:####:####)
To find the DNS server's IPv6 address, let's first grab its MAC address. Filter by the DNS protocol and the IP address mentioned in the question. The query will be:
ip.addr == 192.168.1.26 and dns
After that we can grab the MAC address of the DNS server, which is “ca:0b:ad:ad:20:ba”. The last step is to look at the DNS conversations: open Statistics -> Conversations with the dns filter applied and look for the MAC address we've already found. The IPv6 address can then be read by comparing the IPv6 and Ethernet tabs.
A2 : fe80::c80b:adff:feaa:1db7
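The comparison between the Ethernet and IPv6 tabs works because a host that autoconfigures its link-local address embeds its MAC in the address (modified EUI-64). The script below is an added example, not part of the original walkthrough: it derives the link-local address from a MAC and recovers the MAC from an address, which is a quick way to cross-check the value read from the Ethernet tab. Decoding the address in A2 yields ca:0b:ad:aa:1d:b7. The reverse direction only works when the interface identifier really is EUI-64 based; hosts using privacy or random identifiers return None.

```python
import ipaddress

# Added example (not part of the original walkthrough): the modified EUI-64 mapping
# that the "compare the IPv6 and Ethernet tabs" step relies on.


def link_local_from_mac(mac: str) -> str:
    """Derive the SLAAC link-local address (fe80::/64) from a 48-bit MAC via modified EUI-64."""
    octets = bytes(int(part, 16) for part in mac.split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac}")
    # Flip the universal/local bit of the first octet, then splice ff:fe into the middle.
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return str(ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + iid))


def mac_from_link_local(addr: str):
    """Recover the MAC embedded in a link-local address.

    Returns None when the interface identifier is not EUI-64 based (privacy or
    random identifiers carry no ff:fe marker and cannot be reversed).
    """
    packed = ipaddress.IPv6Address(addr).packed
    if packed[0] != 0xFE or packed[1] & 0xC0 != 0x80:
        raise ValueError(f"not a link-local (fe80::/10) address: {addr}")
    iid = packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in octets)


def mac_matches_address(mac: str, addr: str) -> bool:
    """Cross-check a MAC from the Ethernet tab against an IPv6 address from the IPv6 tab."""
    return mac_from_link_local(addr) == mac.lower()


if __name__ == "__main__":
    # The address from A2 above; decoding it gives the MAC it was generated from.
    print(mac_from_link_local("fe80::c80b:adff:feaa:1db7"))  # ca:0b:ad:aa:1d:b7
    print(link_local_from_mac("ca:0b:ad:aa:1d:b7"))         # fe80::c80b:adff:feaa:1db7
```

Run it as-is, or call mac_matches_address() with the two values you read off the Conversations window to confirm they belong to the same interface.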
Q3 : What domain is the user looking up in packet 15174?
Let's grab the packet by filtering on its frame number.
frame.number == 15174
Follow the UDP stream and we get the answer.
A3 : www.7-zip.org
Q4 : How many UDP packets were sent from 192.168.1.26 to 188.8.131.52?
ip.addr == 192.168.1.26 and ip.addr == 184.108.40.206 and udp
A4 : 10
The result was short, so I counted the packets one by one; for longer results, the displayed-packet count in Wireshark's status bar is an alternative.
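Another alternative to counting by hand is to script the count. The following is an added example, not code from the original walkthrough: a minimal reader for classic libpcap files (not pcapng, which Wireshark saves by default; use File -> Save As with the pcap format) that tallies packets per (protocol, source, destination) triple, which is the directional equivalent of the Q4 display filter. The capture embedded in it is constructed for the demonstration, with 10.0.0.9 as a made-up peer address.

```python
import socket
import struct
from collections import Counter

# Added example, not from the original walkthrough: a minimal libpcap reader that
# reproduces the Q4 count without clicking through packets one by one.

LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP, IPPROTO_UDP = 6, 17


def iter_pcap_frames(data: bytes):
    """Yield each captured frame from a classic (non-pcapng) libpcap file held in memory."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic in (0xA1B2C3D4, 0xA1B23C4D):        # little-endian (usec / nsec timestamps)
        endian = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):      # big-endian
        endian = ">"
    else:
        raise ValueError("not a libpcap file (pcapng is not handled here)")
    linktype = struct.unpack(endian + "IHHiIII", data[:24])[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def parse_ipv4(frame: bytes):
    """Return (proto, src, dst) for an Ethernet/IPv4 frame, or None for anything else."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    proto = frame[23]                               # IP header byte 9
    return proto, socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])


def conversation_counts(pcap: bytes) -> Counter:
    """Count packets per (proto, src, dst) triple: Statistics -> Conversations, but directional."""
    counts = Counter()
    for frame in iter_pcap_frames(pcap):
        key = parse_ipv4(frame)
        if key is not None:
            counts[key] += 1
    return counts


def count_packets(pcap: bytes, src: str, dst: str, proto: int = IPPROTO_UDP) -> int:
    """Equivalent of the display filter  ip.src == src && ip.dst == dst && udp  plus a count."""
    return conversation_counts(pcap)[(proto, src, dst)]


def _frame(src: str, dst: str, proto: int) -> bytes:
    """Constructed Ethernet/IPv4 frame with a dummy UDP or TCP header (checksums left zero)."""
    eth = bytes.fromhex("020000000002") + bytes.fromhex("020000000001") + struct.pack("!H", ETHERTYPE_IPV4)
    if proto == IPPROTO_UDP:
        l4 = struct.pack("!HHHH", 40000, 53, 16, 0) + b"\x00" * 8
    else:
        l4 = struct.pack("!HHIIBBHHH", 40000, 21, 0, 0, 0x50, 0x02, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + l4


def build_sample_pcap(frames) -> bytes:
    """Wrap constructed frames in a little-endian libpcap file (a constructed sample, not the challenge capture)."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    body = b"".join(struct.pack("<IIII", 1_619_000_000 + i, 0, len(f), len(f)) + f
                    for i, f in enumerate(frames))
    return header + body


# Constructed capture: three UDP packets 192.168.1.26 -> 10.0.0.9, one UDP back, one TCP.
SAMPLE_PCAP = build_sample_pcap([
    _frame("192.168.1.26", "10.0.0.9", IPPROTO_UDP),
    _frame("192.168.1.26", "10.0.0.9", IPPROTO_UDP),
    _frame("10.0.0.9", "192.168.1.26", IPPROTO_UDP),
    _frame("192.168.1.26", "10.0.0.9", IPPROTO_TCP),
    _frame("192.168.1.26", "10.0.0.9", IPPROTO_UDP),
])

if __name__ == "__main__":
    print(count_packets(SAMPLE_PCAP, "192.168.1.26", "10.0.0.9"))  # 3
```

For a real file, replace SAMPLE_PCAP with open("capture.pcap", "rb").read() and pass the two addresses from the question; conversation_counts() also gives the whole directional table at once, which is handy when the result is long.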
Q5 : What is the MAC address of the system being investigated in the PCAP?
We already know the IP address, so the filter is:
ip.addr == 192.168.1.26
A5 : c8:09:a8:57:47:93
Q6 : What was the camera model name used to take picture 20210429_152157.jpg?
First, I tried to export the FTP objects, but that didn't work. Then filter the FTP data channel in the filter pane; the query is ftp-data.
Follow the TCP stream, switch the data view to Raw and save it; the saved result is the picture itself.
The camera model can then be obtained with any EXIF tool.
A6 : LM-Q725K
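The model name lives in the EXIF block of the carved JPEG, and reading it needs no external tool. The script below is an added example, not code from the original walkthrough: it walks the JPEG markers to the APP1/Exif segment, parses IFD0 and returns the ASCII-typed tags (Make, Model and similar). The embedded image is constructed for the demonstration, with the Model string set to the value in A6 and a made-up Make; it carries no real picture data, which is enough because the metadata sits before the scan data.

```python
import struct

# Added example (not from the original walkthrough): read the camera Make/Model
# straight out of a carved JPEG's EXIF block, without an external exif tool.

TAG_MAKE, TAG_MODEL = 0x010F, 0x0110
TYPE_ASCII = 2


def exif_tiff_block(jpeg: bytes):
    """Return the TIFF structure inside the APP1 'Exif' segment, or None if the file has none."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    off = 2
    while off + 4 <= len(jpeg):
        if jpeg[off] != 0xFF:
            raise ValueError(f"corrupt marker at offset {off}")
        marker = jpeg[off + 1]
        if marker in (0xD9, 0xDA):      # EOI or SOS: no metadata segments past this point
            break
        seg_len = struct.unpack("!H", jpeg[off + 2:off + 4])[0]
        body = jpeg[off + 4:off + 2 + seg_len]
        if marker == 0xE1 and body[:6] == b"Exif\x00\x00":
            return body[6:]
        off += 2 + seg_len
    return None


def ifd0_ascii_tags(tiff: bytes) -> dict:
    """Parse IFD0 and return {tag: text} for every ASCII-typed entry (Make, Model, Software, ...)."""
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if endian is None:
        raise ValueError("bad TIFF byte-order mark")
    magic, ifd0 = struct.unpack(endian + "HI", tiff[2:8])
    if magic != 42:
        raise ValueError("bad TIFF magic")
    count = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])[0]
    tags = {}
    for i in range(count):
        entry = ifd0 + 2 + 12 * i
        tag, typ, n, raw = struct.unpack(endian + "HHI4s", tiff[entry:entry + 12])
        if typ != TYPE_ASCII:
            continue
        if n <= 4:                      # short values are stored inline in the entry
            data = raw[:n]
        else:                           # otherwise the entry holds an offset from the TIFF header
            ptr = struct.unpack(endian + "I", raw)[0]
            data = tiff[ptr:ptr + n]
        tags[tag] = data.split(b"\x00")[0].decode("ascii", "replace")
    return tags


def camera_model(jpeg: bytes):
    """The EXIF Model string, or None when the image carries no EXIF block."""
    tiff = exif_tiff_block(jpeg)
    return None if tiff is None else ifd0_ascii_tags(tiff).get(TAG_MODEL)


def _ascii_entry(tag: int, text: str, data_off: int, blobs: list):
    """Encode one IFD entry: inline if it fits in 4 bytes, otherwise appended to the data area."""
    value = text.encode("ascii") + b"\x00"
    if len(value) <= 4:
        return struct.pack("<HHI", tag, TYPE_ASCII, len(value)) + value.ljust(4, b"\x00"), data_off
    blobs.append(value)
    return struct.pack("<HHII", tag, TYPE_ASCII, len(value), data_off), data_off + len(value)


def build_sample_jpeg(make: str, model: str) -> bytes:
    """Constructed minimal JPEG: SOI, an APP1/Exif segment with IFD0 (Make, Model), SOS, EOI."""
    blobs = []
    data_off = 8 + 2 + 12 * 2 + 4   # TIFF header + entry count + two entries + next-IFD pointer
    e_make, data_off = _ascii_entry(TAG_MAKE, make, data_off, blobs)
    e_model, data_off = _ascii_entry(TAG_MODEL, model, data_off, blobs)
    tiff = (b"II" + struct.pack("<HI", 42, 8) + struct.pack("<H", 2)
            + e_make + e_model + struct.pack("<I", 0) + b"".join(blobs))
    app1 = b"Exif\x00\x00" + tiff
    return (b"\xff\xd8" + b"\xff\xe1" + struct.pack("!H", len(app1) + 2) + app1
            + b"\xff\xda" + struct.pack("!H", 2) + b"\xff\xd9")


# Constructed sample: the model string is the one reported in A6, the make is made up.
SAMPLE_JPEG = build_sample_jpeg("ACM", "LM-Q725K")

if __name__ == "__main__":
    print(camera_model(SAMPLE_JPEG))  # LM-Q725K
```

Point camera_model() at the bytes you saved from the Raw stream to get the same answer; the tag dictionary from ifd0_ascii_tags() also surfaces other identifying strings (Software, Artist) that an insider's uploaded photos can leak.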
Q7 : What is the server certificate public key that was used in TLS session: da4a0000342e4b73459d7360b4bea971cc303ac18d29b99067e46d16cc07f4ff?
By filtering on the TLS protocol we get all the TLS packets. Searching for the session ID value locates the handshake, and the server certificate's public key can be seen in the details pane.
Q8 : What is the first TLS 1.3 client random that was used to establish a connection with protonmail.com?
We display all server names by filtering with
and the Apply as Column feature.
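When the server-name column is long, the same selection can be scripted. The following is an added example and not code from the original walkthrough: it parses raw TLS ClientHello records, extracts the client random, the SNI and the supported_versions extension, and returns the random of the first hello that both names the host and offers TLS 1.3. The records are constructed for the demonstration; in practice they come from the reassembled TCP stream. A practitioner caveat the code encodes: a TLS 1.3 ClientHello still carries 0x0303 (TLS 1.2) in its legacy version field, so filtering on that field alone picks the wrong packets, and the supported_versions extension is the real signal.

```python
import struct

# Added example (not from the original walkthrough): pull the client random and SNI
# out of raw TLS ClientHello records and pick the first one that both names the host
# and offers TLS 1.3.

EXT_SERVER_NAME = 0
EXT_SUPPORTED_VERSIONS = 43
TLS12, TLS13 = 0x0303, 0x0304


def parse_client_hello(record: bytes) -> dict:
    """Parse one TLS record holding a ClientHello; raise ValueError for anything else."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if not hs or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    legacy_version = struct.unpack("!H", body[0:2])[0]
    client_random = body[2:34]
    pos = 34
    pos += 1 + body[pos]                                   # legacy session id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher suites
    pos += 1 + body[pos]                                   # compression methods
    info = {"legacy_version": legacy_version, "client_random": client_random.hex(),
            "sni": None, "supported_versions": []}
    if pos + 2 <= len(body):                               # extensions are optional
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            edata = body[pos:pos + elen]
            pos += elen
            if etype == EXT_SERVER_NAME:
                p = 2                                      # skip server_name_list length
                while p + 3 <= len(edata):
                    ntype, nlen = edata[p], struct.unpack("!H", edata[p + 1:p + 3])[0]
                    if ntype == 0:                         # host_name
                        info["sni"] = edata[p + 3:p + 3 + nlen].decode("ascii", "replace")
                    p += 3 + nlen
            elif etype == EXT_SUPPORTED_VERSIONS:
                n = edata[0]
                info["supported_versions"] = [struct.unpack("!H", edata[1 + i:3 + i])[0]
                                              for i in range(0, n, 2)]
    # A TLS 1.3 ClientHello still says 0x0303 in legacy_version; the real signal is this extension.
    info["offers_tls13"] = TLS13 in info["supported_versions"]
    return info


def first_tls13_client_random(records, host: str):
    """Client random (hex) of the first ClientHello for `host` that offers TLS 1.3, else None."""
    for rec in records:
        try:
            info = parse_client_hello(rec)
        except ValueError:
            continue
        if info["sni"] == host and info["offers_tls13"]:
            return info["client_random"]
    return None


def build_client_hello(client_random: bytes, sni: str, versions) -> bytes:
    """Constructed ClientHello record with one cipher suite, an SNI and a supported_versions extension."""
    entry = b"\x00" + struct.pack("!H", len(sni)) + sni.encode("ascii")
    sni_ext = struct.pack("!HHH", EXT_SERVER_NAME, len(entry) + 2, len(entry)) + entry
    vers = b"".join(struct.pack("!H", v) for v in versions)
    sv_ext = struct.pack("!HHB", EXT_SUPPORTED_VERSIONS, len(vers) + 1, len(vers)) + vers
    exts = sni_ext + sv_ext
    body = (struct.pack("!H", TLS12) + client_random + b"\x00"          # no session id
            + struct.pack("!H", 2) + b"\x13\x01"                          # TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                                                 # null compression
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


# Constructed records in capture order: a TLS 1.2-only hello to protonmail.com comes first
# and must be skipped; the second one is the one we want.
SAMPLE_RECORDS = [
    build_client_hello(b"\x11" * 32, "protonmail.com", [TLS12]),
    build_client_hello(b"\xaa" * 32, "protonmail.com", [TLS13, TLS12]),
    build_client_hello(b"\xbb" * 32, "protonmail.com", [TLS13]),
]

if __name__ == "__main__":
    print(first_tls13_client_random(SAMPLE_RECORDS, "protonmail.com"))  # "aa" * 32
```

Feed first_tls13_client_random() the ClientHello records in capture order; the returned hex string is what Wireshark shows as the Random field of the matching Client Hello.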
Q9 : What country is the MAC address of the FTP server registered in? (two words, one space in between)
We already found the FTP server's IP address earlier. Let's grab it again and look up the registration of its MAC address. The FTP server IP address is “192.168.1.20” and its MAC address is “08:00:27:a6:1f:86”. https://macaddress.io/ can be used for the OUI lookup. Note that the OUI identifies the vendor that registered the address block, not the physical location of the host.
A9 : United States
Q10 : What time was a non-standard folder created on the FTP server on the 20th of April? (hh:mm)
Filtering on the FTP protocol once more, we can follow the TCP stream and see that only one file was created on the 20th of April.
A10 : 17:53
Q11 : What domain was the user connected to in packet 27300?
To see that, we need to grab the frame first:
frame.number == 27300
After following the TCP stream to get the IP address, open Statistics -> Resolved Addresses, where the resolved domain names can be filtered by that IP address.
A11 : dfir.science