aka working with pcaps
Like the others, you can just filter for http traffic and get the flag:
flag{205.185.125.104}
We're looking for a domain, so it must be a DNS query. Filtering for DNS traffic and specifying the IP (10.0.0.163, the infected client from part 1, which must have made the query) gives us the flag:
flag{vlcafxbdjtlvlcduwhga.com}
By das
Simply opening it up in Wireshark, we can see the flag:
flag{solut.exe}
All you need to do here is filter for dns traffic. Because there weren't too many packets, I spotted the flag almost immediately and didn't have to filter further.
flag{solution.myddns.me}
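The two DNS challenges above both come down to one Wireshark filter: DNS traffic, optionally restricted to the infected client's source IP. The following is an added example (not from the original writeup) that does the same thing offline, in Python, on hand-built DNS queries: it parses the question name out of RFC 1035 wire format and keeps only queries from a given client. The packet tuples and the 10.0.0.20 host are constructed; the infected-client IP and the flag domain are the ones quoted above.

```python
"""Offline equivalent of the 'dns && ip.src == 10.0.0.163' display filter.
Packets are modelled as (src_ip, dst_ip, dst_port, udp_payload) tuples so the
example runs without a pcap; the payloads are hand-built DNS queries."""
import struct

def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS A query (RFC 1035 wire format) for `name`."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_qname(payload: bytes) -> str:
    """Return the first question name from a DNS message."""
    qdcount = struct.unpack(">H", payload[4:6])[0]
    if qdcount == 0:
        raise ValueError("no question section")
    labels, pos = [], 12  # question section starts right after the 12-byte header
    while True:
        length = payload[pos]
        if length == 0:
            break
        if length & 0xC0:  # compression pointers do not appear in a question name
            raise ValueError("compressed name in question section")
        labels.append(payload[pos + 1 : pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)

def dns_queries_from(packets, client_ip: str):
    """Names queried by client_ip over UDP/53, like 'dns && ip.src == client_ip'."""
    return [parse_qname(payload) for src, dst, dport, payload in packets
            if src == client_ip and dport == 53]

# Constructed capture: the infected client, an unrelated host, and one HTTP packet.
PACKETS = [
    ("10.0.0.163", "10.0.0.1", 53, build_dns_query("vlcafxbdjtlvlcduwhga.com")),
    ("10.0.0.20", "10.0.0.1", 53, build_dns_query("example.org")),
    ("10.0.0.163", "93.184.216.34", 80, b"GET / HTTP/1.1\r\n\r\n"),  # not DNS
]

if __name__ == "__main__":
    print(dns_queries_from(PACKETS, "10.0.0.163"))  # ['vlcafxbdjtlvlcduwhga.com']
```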
Right so they started off easy. Opening up the pcap, I used the http display filter to show packets of this protocol:
Here, we need to use some display filters to refine our search. Firstly, we know it uses the same port as HTTPS, which is port 443. Secondly, we're talking about the malware and know from challenge 1 that the infected client's IP is 192.168.1.91. Putting this into a display filter would look like this:
Although there are quite a few packets, there are only so many different IPs, so trying about 5 got me the correct answer, which was flag{213.136.94.177}.
This was an interesting one. After some googling, I found out that certificates are sent during TLS handshakes, as TLS is used to encrypt HTTP traffic, making it HTTPS. The display filter I needed to show these packets was tls.handshake.type == 11.
As said in the brief, we need the packet from the source IP 37.205.9.252. Expanding this packet's details, then TLSv1.2 Record Layer: Handshake Protocol: Certificate, then Handshake Protocol: Certificate, then Certificates, then subject: rdnSequence (0), finally gives us the LocalityName.
flag{Mogadishu}
By das :)
Opening up the details for the first packet, we can see the full request URL at . I then ran wget to download the file. As the brief suggests, this is not a PNG but rather a Windows executable. Renaming it to ecorp.exe and running the command md5sum ecorp.exe gives us the flag of flag{a95d24937acb3420ee94493db298b295}.