Today I continued our little adventure into the Advent of Cyber challenge on TryHackMe. Day 9, Where Is All This Data Going, sees us analysing previously captured network data.
Day 9 – Wireshark
This CTF challenge gives you a PCAP file: a previously captured stream of network traffic, which is then opened in Wireshark for further analysis.
Thankfully most of the answers are simple lookups within the Wireshark GUI, which, comprehensive as it is, becomes quite useful once you've got a handle on it.
The first two flags were found by filtering on the HTTP request method used, with these display filters typed into the filter bar:
http.request.method == "GET" and http.request.method == "POST"
Note that these only match the request packets; the server's reply lives in the same TCP stream, so right-click a request and choose Follow, TCP Stream to read both sides together.
Filtering on DNS is just as simple: enter the protocol name, dns, in the filter bar. Display filter names are lowercase and case-sensitive, so DNS on its own won't match, and dns.flags.response == 0 narrows the list down to the queries alone.
Thankfully for analysing the FTP connection, FTP sends credentials in plaintext, so extracting them from the PCAP is an absolute doodle: filter on ftp.request.command == "USER" || ftp.request.command == "PASS" and the username and password are right there in the packet list, or follow the TCP stream on port 21 to read the whole login exchange.
To recover the contents of the file transferred by FTP, make sure you change the protocol filter (if you're using one) from ftp to ftp-data, otherwise you'll miss the stream. The control channel on port 21 only carries the commands and replies; the file itself travels over a second TCP connection, whose port the server announces in its reply to PASV (or the client in its PORT command), and Wireshark labels that second connection ftp-data. Follow its TCP stream, switch "Show data as" to Raw if the file isn't plain text, and save it to get the file back.
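The same lookups can be done without the GUI, which makes the control-channel versus data-channel split above concrete. The script below is an added example for this write-up, not part of the TryHackMe material: it parses a pcap with only the Python standard library, reassembles TCP streams the way Follow TCP Stream does, and then mirrors the three filters used above (HTTP request method, FTP USER/PASS, and ftp-data). Everything it parses is constructed inside the script; the hosts, credentials and file contents are made up and are not the challenge's.

```python
"""Reassemble TCP streams from a pcap with only the standard library, then pull out
by hand what the Wireshark filters in this write-up find: HTTP request lines, the
FTP USER/PASS, and the file carried on the separate ftp-data connection. Added
example for this write-up, not TryHackMe material; the capture is constructed below."""
import re
import struct
from collections import defaultdict

CLIENT = bytes([10, 10, 20, 5])     # constructed addresses, not the challenge hosts
SERVER = bytes([10, 10, 20, 10])

def frame(src, dst, sport, dport, payload):
    """Minimal Ethernet/IPv4/TCP frame; checksums left zero (the parser ignores them)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     0, 0x4000, 64, 6, 0, src, dst)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload

def pcap(frames):
    """Wrap frames in a little-endian, microsecond pcap file (magic 0xA1B2C3D4)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1_700_000_000 + i, 0, len(f), len(f)) + f)
    return b"".join(out)

def tcp_segments(data):
    """Yield ((src, sport, dst, dport), payload) for each data-carrying TCP segment."""
    assert struct.unpack_from("<I", data, 0)[0] == 0xA1B2C3D4, "plain LE pcap only"
    off = 24
    while off < len(data):
        incl_len = struct.unpack_from("<I", data, off + 8)[0]
        eth = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if eth[12:14] != b"\x08\x00" or eth[23:24] != b"\x06":   # not IPv4, or not TCP
            continue
        ip = eth[14:]
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack_from("!H", ip, 2)[0]
        src = ".".join(map(str, ip[12:16]))
        dst = ".".join(map(str, ip[16:20]))
        tcp = ip[ihl:total_len]
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        payload = tcp[(tcp[12] >> 4) * 4:]
        if payload:
            yield (src, sport, dst, dport), payload

def streams(data):
    """Payload per connection, both directions in capture order: Follow TCP Stream."""
    out = defaultdict(bytearray)
    for (src, sport, dst, dport), payload in tcp_segments(data):
        out[tuple(sorted([(src, sport), (dst, dport)]))] += payload
    return out

def http_requests(data):
    """Like http.request.method == "GET"/"POST": request lines sent to port 80."""
    return [p.split(b"\r\n", 1)[0].decode() for (_, _, _, dport), p in
            tcp_segments(data) if dport == 80 and p[:4] in (b"GET ", b"POST")]

def ftp_credentials(data):
    """Like ftp.request.command == "USER" || ftp.request.command == "PASS":
    both travel in clear text on the control channel (port 21)."""
    creds = {}
    for (_, _, _, dport), p in tcp_segments(data):
        if dport == 21:
            for line in p.split(b"\r\n"):
                cmd, _, arg = line.partition(b" ")
                if cmd in (b"USER", b"PASS"):
                    creds[cmd.decode()] = arg.decode()
    return creds

def ftp_data(data):
    """The file is never on port 21. In passive mode the server's 227 reply names the
    data port as (h1,h2,h3,h4,p1,p2), port = p1*256+p2; that second connection is what
    Wireshark calls ftp-data. Active-mode PORT commands are not handled here."""
    ports = set()
    for (_, sport, _, _), p in tcp_segments(data):
        if sport == 21:
            for line in p.split(b"\r\n"):
                if line.startswith(b"227") and b"(" in line:
                    nums = re.findall(rb"\d+", line.split(b"(", 1)[1])
                    ports.add(int(nums[4]) * 256 + int(nums[5]))
    return [bytes(s) for key, s in streams(data).items()
            if key[0][1] in ports or key[1][1] in ports]

FILE_BODY = b"CONSTRUCTED top secret file contents, not the real flag\n"
CAPTURE = pcap([   # constructed: one HTTP GET, then a passive-mode FTP download
    frame(CLIENT, SERVER, 51000, 80, b"GET /index.html HTTP/1.1\r\nHost: site.thm\r\n\r\n"),
    frame(CLIENT, SERVER, 51001, 21, b"USER elf\r\n"),
    frame(SERVER, CLIENT, 21, 51001, b"331 Password required\r\n"),
    frame(CLIENT, SERVER, 51001, 21, b"PASS constructed-pass\r\n"),
    frame(SERVER, CLIENT, 21, 51001, b"230 Login successful\r\n"),
    frame(CLIENT, SERVER, 51001, 21, b"PASV\r\n"),
    frame(SERVER, CLIENT, 21, 51001, b"227 Entering Passive Mode (10,10,20,10,195,80)\r\n"),
    frame(CLIENT, SERVER, 51001, 21, b"RETR secret.txt\r\n"),
    frame(SERVER, CLIENT, 50000, 51002, FILE_BODY),   # 195*256 + 80 = 50000
])

if __name__ == "__main__":
    print(http_requests(CAPTURE), ftp_credentials(CAPTURE), ftp_data(CAPTURE))
```

Run it as-is and it prints the GET request line, the USER/PASS pair and the file body. The point worth noticing is in ftp_data: the only way to know which TCP connection carries the file is to read the 227 reply on the control channel, which is exactly what Wireshark's FTP dissector does before handing that connection to ftp-data. Point it at a real capture by replacing CAPTURE with the bytes of a .pcap file (plain pcap, not pcapng).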
… and with that flag recovered from the top secret file – the 9th day of Advent of Cyber is completed!
The write up for CTF Day 10 is now published.