DIGITELLA
Here I write about my experiences as I work my way through into digital forensics! 

1/20/2023

CyberDefenders PCAP Or It Didn't Happen Challenge Write Up

Hello everyone! In this post I will walk you through this challenge. You will need Wireshark installed; it can be downloaded from https://www.wireshark.org/download.html

What is the FTP password?
To get the FTP password, I simply used the ftp filter. Then I scrolled down to a packet containing the PASS command. As you can see, the password is AfricaCTF2021.

What is the IPv6 address of the DNS server used by 192.168.1.26? (####::####:####:####:####)
To get the IPv6 address of the DNS server used by that IP, I first used the dns filter. Then I found the first packet that said "query response" in it, which shows the DNS server responding to the request. Its source address is fe80::c80b:adff:feaa:1db7.

[Screenshot]
What domain is the user looking up in packet 15174?

In Wireshark, open the "Go" menu at the top and choose "Go to Packet", which opens a box on the right where you can type the packet number. The domain is www.7-zip.org.
[Screenshot]

How many UDP packets were sent from 192.168.1.26 to 24.39.217.246?

For this question, I used the filter ip.src == 192.168.1.26 && ip.dst == 24.39.217.246. Then I counted the UDP packets; 10 appear.
[Screenshot]
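One check worth making here: the filter ip.src == 192.168.1.26 && ip.dst == 24.39.217.246 on its own matches every IPv4 packet between the two hosts (TCP and ICMP included), so either add && udp or count only the UDP rows by eye. As an added example, not the challenge capture and not the author's code, the following Python script does the same count programmatically over a constructed in-memory pcap, with and without the protocol restriction:

```python
import struct

# Constructed in-memory pcap (NOT the challenge capture): classic libpcap
# records holding Ethernet/IPv4/{UDP,TCP} frames between two sample hosts.
PCAP_MAGIC, LINKTYPE_ETHERNET = 0xA1B2C3D4, 1
ETHERTYPE_IPV4, PROTO_TCP, PROTO_UDP = 0x0800, 6, 17

def ipv4_frame(src, dst, proto, payload=b"\x00" * 8):
    """Build one Ethernet/IPv4 frame; MACs are dummies and checksums zero."""
    packed = lambda a: bytes(int(o) for o in a.split("."))
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0,
                         64, proto, 0, packed(src), packed(dst))
    return bytes(12) + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr + payload

def pcap_bytes(frames):
    """Serialise frames as a little-endian classic pcap file."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1600000000 + i, 0, len(f), len(f)) + f
    return out

def count_packets(pcap, src, dst, proto=None):
    """Count IPv4 packets from src to dst, optionally one IP protocol only.
    proto=None is 'ip.src == src && ip.dst == dst'; proto=PROTO_UDP adds '&& udp'."""
    endian = "<" if struct.unpack("<I", pcap[:4])[0] == PCAP_MAGIC else ">"
    off, n = 24, 0                       # skip the 24-byte global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "IIII", pcap[off:off + 16])[2]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
            continue                     # not IPv4 (ARP, IPv6, ...)
        ip = frame[14:]
        s = ".".join(map(str, ip[12:16]))
        d = ".".join(map(str, ip[16:20]))
        if s == src and d == dst and (proto is None or ip[9] == proto):
            n += 1
    return n

SAMPLE = pcap_bytes(
    [ipv4_frame("192.168.1.26", "24.39.217.246", PROTO_UDP)] * 10
    + [ipv4_frame("192.168.1.26", "24.39.217.246", PROTO_TCP)] * 3
    + [ipv4_frame("24.39.217.246", "192.168.1.26", PROTO_UDP)] * 2)

if __name__ == "__main__":
    print(count_packets(SAMPLE, "192.168.1.26", "24.39.217.246"))             # 13
    print(count_packets(SAMPLE, "192.168.1.26", "24.39.217.246", PROTO_UDP))  # 10
```

The first call shows how an address-only filter over-counts; the second is the UDP-only figure the question asks for.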

What is the MAC address of the system being investigated in the PCAP?

I used the ipv6 filter. In the Ethernet header I found the MAC address c8:09:a8:57:47:93, which matches what we saw in the second question minus the fe80:: part.
[Screenshot]

What was the camera model name used to take picture 20210429_152157.jpg?

First I opened the File menu, chose Export Objects, then FTP-DATA, and clicked on the filename.
[Screenshot]
Then I selected the first packet associated with the file, as shown in the top screenshot, right-clicked it, and selected "Follow TCP Stream". The EXIF data is highlighted in the stream; the model is LM-Q725K.
[Screenshot]
What is the server certificate public key that was used in TLS session: da4a0000342e4b73459d7360b4bea971cc303ac18d29b99067e46d16cc07f4ff?

I used the tls.handshake.type==2 filter, selected the first packet, then made the Session ID field in the packet a column. This is done by right-clicking on the value and selecting "Apply as Column". I then searched for the packet with the matching session ID. The certificate public key is listed under the PubKey value shown in the screenshot. The answer is:
04edcc123af7b13e90ce101a31c2f996f471a7c8f48a1b81d765085f548059a550f3f4f62ca1f0e8f74d727053074a37bceb2cbdc7ce2a8994dcd76dd6834eefc5438c3b6da929321f3a1366bd14c877cc83e5d0731b7f80a6b80916efd4a23a4d
[Screenshot]

What is the first TLS 1.3 client random that was used to establish a connection with protonmail.com?
I used the ssl.handshake.extensions_server_name filter to find the server names in the packet capture. I selected the first packet and applied the Server Name field as a column, as in the previous step. I then found the packets for protonmail.com, selected the first one, and in the highlighted Random field found 24e92513b97a0348f733d16996929a79be21b0b1400cd7e2862a732ce7775b70.
[Screenshot]

What country is the MAC address of the FTP server registered in? (two words, one space in between)

I first used the ftp filter. Then I selected the first packet, since it has the address of the FTP server. On maclookup.app I looked up the address, and it is registered in Lowell, MA, so the answer is United States.
[Screenshot]

What time was a non-standard folder created on the FTP server on the 20th of April? (hh:mm)
I first used the ftp-data filter. Then I selected the highlighted packet below.
[Screenshot]

Then, in the TCP stream, I found the date on the last line. The time is 17:53.
[Screenshot]
What domain was the user connected to in packet 27300?

I went to packet 27300. There was no domain name there, so I went to Statistics > Resolved Addresses, filtered for hosts in the drop-down menu on the right, then searched for the destination IP. It is dfir.science.
[Screenshot]