# PacketMaze Blue Team Challenge
:::success
https://cyberdefenders.org/blueteam-ctf-challenges/68#nav-questions
:::
:::info
Instructions:
Uncompress the challenge (pass: cyberdefenders.org)
Load suricatarunner.exe and suricataupdater.exe in BrimSecurity.
Uncompress suricata.zip and move suricata.rules to ".\var\lib\suricata\rules" inside the suricatarunner directory.
As a SOC analyst working for a security service provider, you have been tasked with analyzing a packet capture for a customer's employee whose network activity has been monitored for a while (possible insider).
Tools:
BrimSecurity
suricatarunner
suricata.rules
NetworkMiner
Wireshark
MAC lookup
:::
#### 1. What is the FTP password?
```
AfricaCTF2021
```
In Wireshark, filter on `ftp` and then Follow TCP Stream; the FTP password (the PASS command) is visible in the stream.

#### 2. What is the IPv6 address of the DNS server used by 192.168.1.26?
```
fe80::c80b:adff:feaa:1db7
```
Looking at the DNS traffic in Wireshark shows that the DNS server used by 192.168.1.26 has the IPv4 address 192.168.1.10.

The MAC address of 192.168.1.10 is ca:0b:ad:ad:20:ba.

Then search for that MAC address in the IPv6 traffic to find the IPv6 address of the same host.

#### 3. What domain is the user looking up in packet 15174?
```
www.7-zip.org
```

#### 4. How many UDP packets were sent from 192.168.1.26 to 24.39.217.246?
```
10
```

#### 5. What is the MAC address of the system being investigated in the PCAP?
```
c8:09:a8:57:47:93
```
Reviewing the capture shows, among other things, that 192.168.1.26 is port scanning 172.67.162.206, so 192.168.1.26 was investigated first; its MAC address is c8:09:a8:57:47:93.
#### 6. What was the camera model name used to take picture 20210429_152157.jpg ?
```
LM-Q725K
```
Searching for the string 20210429_152157.jpg shows that the file was transferred over FTP.

File --> Export Objects --> FTP-DATA, locate the file and export it.

Inspecting the exported file's metadata (EXIF) gives the camera model LM-Q725K.

#### 7. What is the server certificate public key that was used in TLS session: da4a0000342e4b73459d7360b4bea971cc303ac18d29b99067e46d16cc07f4ff?
```
04edcc123af7b13e90ce101a31c2f996f471a7c8f48a1b81d765085f548059a550f3f4f62ca1f0e8f74d727053074a37bceb2cbdc7ce2a8994dcd76dd6834eefc5438c3b6da929321f3a1366bd14c877cc83e5d0731b7f80a6b80916efd4a23a4d
```
Searching for the string da4a0000342e4b73459d7360b4bea971cc303ac18d29b99067e46d16cc07f4ff shows that this session appears in packet 26913.

Inspect the packet contents (the server Certificate handshake message) for the public key.

#### 8. What is the first TLS 1.3 client random that was used to establish a connection with protonmail.com?
```
24e92513b97a0348f733d16996929a79be21b0b1400cd7e2862a732ce7775b70
```
First look up the IP of protonmail.com; a DNS query in the capture shows it resolves to 185.70.41.35.

Filter on `tls` and 185.70.41.35, then take the Random field from the first TLS Client Hello.

#### 9. What country is the MAC address of the FTP server registered in? (two words, one space in between)
```
United States
```
The FTP server's IP is 192.168.1.20 and its MAC address is 08:00:27:a6:1f:86.

Looking up the MAC address (OUI) shows it is registered in the US.

#### 10. What time was a non-standard folder created on the FTP server on the 20th of April? (hh:mm)
```
17:53
```
The FTP command for creating a directory is MKD, but searching finds no such packet, and all timestamps in the pcap are on 4/30.

The FTP command for listing a directory is LIST; searching for LIST finds 4 packets. Follow the TCP stream of each one to check.

FTP commands are sent over the FTP protocol on port 21, while the data itself is transferred over the ftp-data protocol (server port 20 --> client high port). Packet 524 carries a LIST command, and in the FTP-DATA response in packet 530 a directory named ftp, which is not one of the default directories, can be seen with a timestamp of 4/20 17:53.

References:
https://zh.wikipedia.org/zh-tw/FTP%E5%91%BD%E4%BB%A4%E5%88%97%E8%A1%A8
http://old.linux.vbird.org/linux_server/0400wuftp.php
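The check above (find a non-default directory in an FTP-DATA LIST response and read its 4/20 timestamp) done programmatically, as an added example that is not part of the original writeup. The LIST text, the year and the set of "default" directory names are constructed assumptions; note that LIST reports modification time, not creation time.

```python
import re
from datetime import datetime

# Constructed sample of an FTP-DATA LIST response in Unix "ls -l" style (assumption:
# the server in the capture returns this format after a LIST on the command channel).
SAMPLE_LIST = """\
drwxr-xr-x    2 ftp      ftp          4096 Apr 20 17:53 ftp
drwxr-xr-x    2 ftp      ftp          4096 Apr 30 09:12 incoming
-rw-r--r--    1 ftp      ftp        183421 Apr 30 15:21 20210429_152157.jpg
drwxr-xr-x    2 ftp      ftp          4096 Apr 30 09:12 pub
"""

# Directory names assumed to belong to the server's default layout (assumption for this example).
DEFAULT_DIRS = {"incoming", "pub"}

# perms, link count, owner, group, size, month, day, "HH:MM" (recent) or year (older), name
LIST_RE = re.compile(
    r"^(?P<perms>[dl-][rwxstST-]{9})\s+\d+\s+\S+\s+\S+\s+(?P<size>\d+)\s+"
    r"(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+"
    r"(?P<stamp>\d{2}:\d{2}|\d{4})\s+(?P<name>.+)$"
)

def parse_list(text, year=2021):
    """Parse LIST lines into dicts; 'year' fills in the year ls omits for recent entries."""
    entries = []
    for line in text.splitlines():
        m = LIST_RE.match(line.rstrip())
        if not m:
            continue  # skip banners or lines in a format this parser does not handle
        stamp = m.group("stamp")
        if ":" in stamp:
            mtime = datetime.strptime(f"{m.group('mon')} {m.group('day')} {year} {stamp}",
                                      "%b %d %Y %H:%M")
        else:
            mtime = datetime.strptime(f"{m.group('mon')} {m.group('day')} {stamp}", "%b %d %Y")
        entries.append({"name": m.group("name"),
                        "is_dir": m.group("perms")[0] == "d",
                        "mtime": mtime})
    return entries

def non_default_dirs(text, defaults=DEFAULT_DIRS, year=2021):
    """Directories whose names are not in the expected default set."""
    return [e for e in parse_list(text, year) if e["is_dir"] and e["name"] not in defaults]

def dirs_on_day(text, month, day, defaults=DEFAULT_DIRS, year=2021):
    """(name, HH:MM) for every non-default directory whose LIST timestamp falls on month/day."""
    return [(e["name"], e["mtime"].strftime("%H:%M"))
            for e in non_default_dirs(text, defaults, year)
            if e["mtime"].month == month and e["mtime"].day == day]
```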
#### 11. What domain was the user connected to in packet 27300?
```
dfir.science
```
Packet 27300 shows a connection to IP 172.67.162.206.

Filter on `dns` and search for the string 172.67.162.206; the domain that resolved to it is dfir.science.
