WireDive - Packet Analysis
File: dhcp.pcapng - What IP address is requested by the client?
192.168.2.244
File: dhcp.pcapng - What is the transaction ID for the DHCP release?
# filter 'dhcp'
0x9f8fa557
File: dhcp.pcapng - What is the MAC address of the client?
# filter 'dhcp'
00:0c:29:82:f5:94
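The three DHCP answers above come from fixed BOOTP header offsets (xid, chaddr) and from options 53 and 50. This parser is an added example, not part of the original notes; `build_sample` and the REQUEST transaction ID are constructed for the demo, and the other values are the answers noted above.

```python
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # marks the start of DHCP options (RFC 2131)
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}

def parse_dhcp(payload: bytes) -> dict:
    """Extract xid, client MAC, message type and option 50 from a DHCP UDP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP payload")
    _op, _htype, hlen, _hops, xid = struct.unpack("!BBBBI", payload[:8])
    if hlen > 16:
        raise ValueError("bad hardware address length")
    out = {"xid": f"0x{xid:08x}", "msg_type": None, "requested_ip": None,
           "client_mac": ":".join(f"{b:02x}" for b in payload[28:28 + hlen])}
    i = 240
    while i < len(payload) and payload[i] != 255:   # 255 = End option
        code = payload[i]
        if code == 0:                               # 0 = Pad, has no length byte
            i += 1
            continue
        if i + 1 >= len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated option")
        value = payload[i + 2:i + 2 + payload[i + 1]]
        if code == 53 and len(value) == 1:          # DHCP Message Type
            out["msg_type"] = MSG_TYPES.get(value[0], str(value[0]))
        elif code == 50 and len(value) == 4:        # Requested IP Address
            out["requested_ip"] = socket.inet_ntoa(value)
        i += 2 + len(value)
    return out

def build_sample(xid: int, mac: str, msg_type: int, requested_ip: str = "") -> bytes:
    """Constructed DHCP payload for the demo; these are not bytes from dhcp.pcapng."""
    hdr = struct.pack("!BBBBIHH", 1, 1, 6, 0, xid, 0, 0) + b"\x00" * 16
    hdr += bytes.fromhex(mac.replace(":", "")).ljust(16, b"\x00") + b"\x00" * 192
    opts = bytes([53, 1, msg_type])
    if requested_ip:
        opts += bytes([50, 4]) + socket.inet_aton(requested_ip)
    return hdr + MAGIC_COOKIE + opts + b"\xff"

# The REQUEST xid is a made-up value; the other fields are the answers noted above.
REQUEST = build_sample(0x11223344, "00:0c:29:82:f5:94", 3, "192.168.2.244")
RELEASE = build_sample(0x9F8FA557, "00:0c:29:82:f5:94", 7)

if __name__ == "__main__":
    for pkt in (REQUEST, RELEASE):
        print(parse_dhcp(pkt))
```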
File dns.pcapng - What is the response for the lookup for flag.fruitinc.xyz?
# packet no.24
ACOOLDNSFLAG
File: dns.pcapng - Which root server responds to the query? Hostname.
e.root-servers.net
File smb.pcapng - What is the path of the file that is opened?
# Export Objects
HelloWorld\TradeSecrets.txt
File smb.pcapng - What is the hex status code when the user SAMBA\jtomato logs in?
# filter 'smb2', fail login, check smb2 header
0xc0000016
File smb.pcapng - What is the tree that is being browsed?
# filter 'smb2', check packet no.133
\\192.168.2.10\public
File smb.pcapng - What is the flag in the file?
# I copied all of the strings into a text file and filtered for 'flag' :3
flag<OneSuperDuperSecret>
File shell.pcapng - What port is the shell listening on?
4444
File shell.pcapng - What is the port for the second shell?
jtomato@ns01:~$ echo "*umR@Q%4V&RC" | sudo -S nc -nvlp 9999 < /etc/passwd
echo "*umR@Q%4V&RC" | sudo -S nc -nvlp 9999 < /etc/passwd
Listening on [0.0.0.0] (family 0, port 9999)
Connection from 192.168.2.244 34972 received!
jtomato@ns01:~$ exit
exit
exit
9999
File shell.pcapng - What version of netcat is installed?
Unpacking netcat (1.10-41.1) ...
Setting up netcat (1.10-41.1) ...
File shell.pcapng - What file is added to the second shell?
jtomato@ns01:~$ echo "*umR@Q%4V&RC" | sudo -S nc -nvlp 9999 < /etc/passwd
echo "*umR@Q%4V&RC" | sudo -S nc -nvlp 9999 < /etc/passwd
Listening on [0.0.0.0] (family 0, port 9999)
Connection from 192.168.2.244 34972 received!
jtomato@ns01:~$ exit
/etc/passwd
File shell.pcapng - What password is used to elevate the shell?
jtomato@ns01:~$ echo "*umR@Q%4V&RC" | sudo -S apt update
echo "*umR@Q%4V&RC" | sudo -S apt update
*umR@Q%4V&RC
File shell.pcapng - What is the OS version of the target system?
GET /ubuntu/dists/bionic/InRelease HTTP/1.1
Host: us.archive.ubuntu.com
Cache-Control: max-age=0
Accept: text/*
If-Modified-Since: Thu, 26 Apr 2018 23:38:40 GMT
User-Agent: Debian APT-HTTP/1.3 (1.6.12)
bionic
File shell.pcapng - How many users are on the target system?
31
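The shell.pcapng answers above were all read out of one followed TCP stream. As an added example (not part of the original notes), this triage pass flags the same indicators automatically: a sudo password piped in cleartext and a netcat listener serving a file. The regexes and finding names are assumptions chosen for this transcript.

```python
import re

# Excerpt of the followed TCP stream, as quoted in the notes above.
STREAM = """\
jtomato@ns01:~$ echo "*umR@Q%4V&RC" | sudo -S apt update
echo "*umR@Q%4V&RC" | sudo -S apt update
jtomato@ns01:~$ echo "*umR@Q%4V&RC" | sudo -S nc -nvlp 9999 < /etc/passwd
echo "*umR@Q%4V&RC" | sudo -S nc -nvlp 9999 < /etc/passwd
Listening on [0.0.0.0] (family 0, port 9999)
Connection from 192.168.2.244 34972 received!
jtomato@ns01:~$ exit
"""

PROMPT = re.compile(r"^(?P<user>[\w.-]+)@(?P<host>[\w.-]+):[^$#]*[$#]\s+(?P<cmd>.+)$")
SUDO_S = re.compile(r"""echo\s+(["'])(?P<secret>.+?)\1\s*\|\s*sudo\s+-S\b""")
NC_LISTEN = re.compile(r"\bnc\s+-(?=\w*l)\w+\s+(?P<port>\d+)(?:\s*<\s*(?P<src>\S+))?")
PEER = re.compile(r"^Connection from (?P<ip>[\d.]+) (?P<port>\d+) received!")


def triage(stream: str) -> list:
    """Return findings for typed commands; the terminal's echoed copies are skipped."""
    findings, listener = [], None
    for lineno, line in enumerate(stream.splitlines(), 1):
        typed = PROMPT.match(line)
        if typed:
            cmd, who = typed["cmd"], f'{typed["user"]}@{typed["host"]}'
            if SUDO_S.search(cmd):
                # Record that a credential crossed the wire, not the credential itself.
                findings.append({"line": lineno, "account": who,
                                 "kind": "sudo-password-in-cleartext"})
            nc = NC_LISTEN.search(cmd)
            if nc:
                listener = {"line": lineno, "account": who, "kind": "netcat-listener",
                            "port": int(nc["port"]), "file_served": nc["src"],
                            "peer": None}
                findings.append(listener)
        elif listener and (peer := PEER.match(line)):
            # Attach the connecting host to the most recent listener.
            listener["peer"] = f'{peer["ip"]}:{peer["port"]}'
    return findings


if __name__ == "__main__":
    for finding in triage(STREAM):
        print(finding)
```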
File network.pcapng - What is the IPv6 NTP server IP?
# filter 'ntp' and look packet no.2919
2003:51:6012:110::dcf7:123
File network.pcapng - What is the IP address that is requested by the DHCP client?
192.168.20.11
File network.pcapng - What is the first authoritative name server for the domain that is being queried?
# filter 'dns'
ns1.hans.hosteurope.de
File network.pcapng - What is the number of the first VLAN to have a topology change occur?
# https://osqa-ask.wireshark.org/questions/34918/topology-change-inside-stp/
# filter = stp.flags.tc==1
20
File network.pcapng - What is the port for CDP for CCNP-LAB-S2?
# filter 'cdp'
GigabitEthernet0/2
File network.pcapng - What is the MAC address for the root bridge for VLAN 60?
# filter 'stp'
00:21:1b:ae:31:80
File network.pcapng - What is the IOS version running on CCNP-LAB-S2?
# filter 'cdp'
12.1(22)EA14
File network.pcapng - What is the virtual IP address used for hsrp group 121?
# filter 'hsrp', packet no.3878
192.168.121.1
File network.pcapng - How many router solicitations were sent?
# filter icmpv6.type == 133 (135 is neighbour solicitation)
# https://osqa-ask.wireshark.org/questions/19753/ipv6-router-solicitation/
3
File network.pcapng - What is the management address of CCNP-LAB-S2?
# filter 'cdp'
192.168.121.20
File network.pcapng - What is the interface being reported on in the first snmp query?
# filter snmp, follow udp stream on lowest packet
Fa0/1
File network.pcapng - When was the NVRAM config last updated? Format: 'HH:MM:SS mm:dd:yyyy' without quotes.
# edit > find packets > NVRAM(string), packet bytes, inspect
21:02:36 03/03/2017
File network.pcapng - What is the IP of the RADIUS server?
# edit > find packets > radius(string), inspect
2001:DB8::1812
File https.pcapng - What has been added to web interaction with web01.fruitinc.xyz?
# Decrypt ssl using secret_sauce.txt
# Edit > Preferences > TLS > browse
# http.host == web01.fruitinc.xyz
flag: y2*Lg4cHe@Ps
File https.pcapng - What is the name of the photo that is viewed in slack?
# export objects
get_a_new_phone_today__720.jpg
File https.pcapng - What is the username and password to login to 192.168.2.1? Format: 'username:password' without quotes.
# filter 'ip.addr == 192.168.2.1', packet no.940
&usernamefld=admin&passwordfld=Ac5R4D9iyqD5bSh&login=Sign+In
admin:Ac5R4D9iyqD5bSh
File https.pcapng - What is the certStatus for the certificate with a serial number of 07752cebe5222fcf5c7d2038984c5198?
good
File https.pcapng - What is the email of someone who needs to change their password?
# Use regex :(
[a-zA-Z0-9._ -]@[a-zA-Z0-9._ -]
^([a-zA-Z0-9_\-\.]+)@([a-zA-Z0-9_\-\.]+)\.([a-zA-Z]{2,5})$
Jim.Tomato@fruitinc.xyz
File https.pcapng - A service is assigned to an interface. What is the interface, and what is the service? Format: interface_name:service_name
# filter 'http2'
lan:ntp