A company’s internal server has been flagged for unusual network activity, with multiple outbound connections to an unknown external IP. Initial analysis suggests possible data exfiltration. Investigate the provided network logs to determine the source and method of compromise.

Question 1

What is the FTP password?

By filtering out FTP traffic in the packet capture, we can see the attacker authenticated successfully with this password.

Answer: AfricaCTF2021.

Question 2

What is the IPv6 address of the DNS server used by 192.168.1.26?

Under DNS Analysis, there are only answers from 2 IPs, one is IPv4 and one is IPv6.

Answer: fe80::c80b:adff:feaa:1db7.

Question 3

What domain is the user looking up in packet 15174?

In frame number 15174, the user is looking up www.7-zip.org

Answer: www.7-zip.org.

Question 4

How many UDP packets were sent from 192.168.1.26 to 24.39.217.246?

After filtering, there are 10 UDP packets sent to 24.39.217.246

Answer: 10.

Question 5

What is the MAC address of the system under investigation in the PCAP file?

The attacker compromised the device with the MAC address c8:09:a8:57:47:93 with FTP.

Answer: c8:09:a8:57:47:93.

Question 6

What was the camera model name used to take picture 20210429_152157.jpg?

The attacker made an FTP request for 20210429_152157.jpg. The camera model may be stored as metadata, which could be stored at the start of the files. Which we can find by inspecting the first few transfered data traffic.

Answer: LM-Q725K.

Question 7

What is the ephemeral public key provided by the server during the TLS handshake in the session with the session ID: da4a0000342e4b73459d7360b4bea971cc303ac18d29b99067e46d16cc07f4ff?

Filtering out the traffic, we get:

Answer: 04edcc123af7b13e90ce101a31c2f996f471a7c8f48a1b81d765085f548059a550f3f4f62ca1f0e8f74d727053074a37bceb2cbdc7ce2a8994dcd76dd6834eefc5438c3b6da929321f3a1366bd14c877cc83e5d0731b7f80a6b80916efd4a23a4d

Question 8

What is the first TLS 1.3 client random that was used to establish a connection with protonmail.com?

Answer: 24e92513b97a0348f733d16996929a79be21b0b1400cd7e2862a732ce7775b70

Question 9

Which country is the manufacturer of the FTP server’s MAC address registered in?

From the response, we know that the MAC address of the FTP server is 08:00:27:a6:1f:86, a quick lookup using https://maclookup.app/search/result gives us:

Answer: United States.

Question 10

What time was a non-standard folder created on the FTP server on the 20th of April?

Filtering out the FTP traffic, we can see the attacker made some LIST request, with one of them got a response in frame 530

Inspecting frame 530, we are able to see the directory listing of the FTP server.

The non-standard folder here is ftp which was created on April 20th at 17:53.

Answer: 17:53.

Question 11

What URL was visited by the user and connected to the IP address 104.21.89.171?

The user made a request to 104.21.89.171 at frame 26257

The host for this GET request is dfir.science

Answer: http://dfir.science/.

Packet Maze