AoC3#09: Where Is All This Data Going

Today I continued our little adventure into the Advent of Cyber challenge on TryHackMe. Day 9, Where Is All This Data Going, sees us analysing previously captured network data.

Recent posts for AoC day 7 (Patch Management Is Hard) and day 8 (Santa’s Bag of Toys) saw me looking at web exploitation and PowerShell analysis, respectively.

Day 9 – Wireshark

This CTF challenge gives you a PCAP file, a previously captured stream of network traffic. This was then opened in Wireshark for further analysis.

sudo wireshark ./AoC3.pcap

Thankfully most of these are simple lookups within the Wireshark GUI, which, although comprehensive, becomes quite usable once you’ve got a handle on it.

The first two flags were found by filtering down on the protocol of transmission used:

http.request.method==GET
and
http.request.method==POST

Filtering on DNS queries is as simple as entering that protocol name in the filter bar: DNS.

Thankfully for anyone analysing the FTP connection, FTP credentials are transferred in plaintext, so extracting them from the PCAP is an absolute doodle:

FTP password transmitted in plaintext

To recover the contents of the file transferred by FTP, make sure you change the protocol filter (if you’re using it), from FTP to FTP-DATA, otherwise you’ll miss the stream.
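The same plaintext-credential exposure can be checked without the GUI. The script below is an added example, not part of the original write-up or the TryHackMe room: it builds a small constructed pcap (Ethernet/IPv4/TCP, no real AoC data) with the standard library only, then walks the records and reports every USER/PASS command sent to the FTP control port, which is what a defender would automate to spot cleartext logins in a capture.

```python
import struct

def _frame(payload: bytes, sport: int, dport: int) -> bytes:
    """Wrap payload in Ethernet/IPv4/TCP headers (checksums left zero; constructed data)."""
    eth = b"\x00" * 12 + b"\x08\x00"                         # dst MAC, src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 1024, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1]))  # 10.0.0.2 -> 10.0.0.1
    return eth + ip + tcp + payload

def build_pcap(packets) -> bytes:
    """Serialise (payload, sport, dport) tuples as a little-endian pcap, linktype 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, (payload, sport, dport) in enumerate(packets):
        frame = _frame(payload, sport, dport)
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out

def extract_ftp_credentials(pcap: bytes, ftp_port: int = 21) -> list:
    """Return (src_ip, 'USER'|'PASS', value) for every cleartext FTP login command found."""
    endian = "<" if struct.unpack("<I", pcap[:4])[0] == 0xA1B2C3D4 else ">"
    found, off = [], 24                                       # 24-byte global header
    while off + 16 <= len(pcap):
        caplen = struct.unpack(endian + "IIII", pcap[off:off + 16])[2]
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                          # only IPv4 over TCP
        tcp = frame[14 + (frame[14] & 0x0F) * 4:]             # skip IP header (IHL words)
        if struct.unpack("!H", tcp[2:4])[0] != ftp_port:
            continue                                          # only client -> FTP control port
        src_ip = ".".join(str(b) for b in frame[26:30])
        for line in tcp[(tcp[12] >> 4) * 4:].split(b"\r\n"): # skip TCP header (data offset)
            cmd, _, arg = line.partition(b" ")
            if cmd.upper() in (b"USER", b"PASS"):
                found.append((src_ip, cmd.decode().upper(), arg.decode(errors="replace")))
    return found

# Constructed sample capture: an FTP login followed by an unrelated HTTP request.
SAMPLE_PCAP = build_pcap([
    (b"220 Welcome\r\n", 21, 49152),
    (b"USER elf\r\n", 49152, 21),
    (b"PASS N0rthP0le!\r\n", 49152, 21),
    (b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n", 49153, 80),
])

if __name__ == "__main__":
    for ip, cmd, value in extract_ftp_credentials(SAMPLE_PCAP):
        print(f"{ip} sent {cmd} {value!r} in cleartext")
```

To run it against a real capture, replace SAMPLE_PCAP with the bytes of the .pcap file; pcapng files use a different container and would need a separate reader.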

… and with that flag recovered from the top secret file – the 9th day of Advent of Cyber is completed!

The write up for CTF Day 10 is now published.
