eJPT - 3.2 CTF Network Based Attacks

Hmad

Question 1

What is the URL accessed by the infected user that returned a 200 OK response code?

First, open the test.pcap file; it opens directly in Wireshark. Use Edit > Find Packet (Ctrl+F) with the String option to search for 200 OK, or apply the display filter http.response.code == 200. Either way there are two results, and each response packet shows the URL it answered in its [Request URI] field. In both cases the host is the same, 623start.site, which is the flag.

Question 2

What is the IP address, MAC address of the infected Windows client?

The infected client is the destination of the 200 OK response we just used (and the source of the matching request): 10.7.10.47. For the MAC address, expand the Ethernet II header of that same response packet; the destination MAC address is 80:86:5b:ab:1e:c4. Read the address from the right direction: in the response the client is the destination, in the request it is the source. Note also that a MAC in a capture is only the client's own if the capture was taken on the client's L2 segment; across a router you would see the gateway's MAC instead. Both values separated by a comma are the flag.

Question 3

Which Wireshark filter can you use to determine the victim’s hostname from NetBIOS Name Service traffic, and what is the detected hostname for this malware infection?

The display filter for NetBIOS Name Service traffic is nbns. To find the hostname, select one of the client's NBNS packets, expand the NetBIOS Name Service tree and look at the name under Additional records (or under Queries); Windows registers its own hostname there, with suffix <00> for the workstation service. The filter together with that hostname is the answer.

Question 4

Which user got infected and ran the mystery_file.ps1 PowerShell script?

Again use Find Packet (Ctrl+F), but this time switch the search type on the left-hand side of the search bar to Packet bytes so the file name is matched inside the payload rather than in the packet list. Once the matching packet is selected, open Analyze > Show Packet Bytes (Ctrl+Shift+O) to read the payload as text (Follow > TCP Stream works as well). The user name is usually visible in a Windows profile path of the form C:\Users\<name>\ near the script name.

Question 5

What User-Agent string indicates the traffic generated by a PowerShell script?

Again use Find Packet, this time with the Packet details option, and search for PowerShell (or apply the filter http.user_agent contains "PowerShell"). The full header looks like Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.x, but the whole string is not the answer: the Mozilla/5.0 prefix is generic, so only the token that identifies the client, WindowsPowerShell, is the flag.

Question 6

Which wallet extension ID is associated with the Coinbase wallet?

Perform the same search as in question 4 but for Coinbase, then open Analyze > Show Packet Bytes and copy the string of characters immediately before Coinbase. As a sanity check, Chrome and Edge extension IDs are always 32 characters drawn only from the letters a to p (the hex digits of the key hash mapped onto a to p), so anything of a different length or alphabet is not the ID.
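As an added example that is not part of the original post, the pure-Python script below (standard library only) reproduces the Wireshark steps from all six questions on a small capture it builds inline. Everything in that capture is constructed for the example and is not the CTF's data: the MAC addresses, the 192.0.2.x and 198.51.100.x addresses, the host c2.example.test, the paths, the user alice, the hostname DESKTOP-CTF01 and the extension ID are made up. The script walks the pcap record by record, pairs 200 OK responses with their requests (questions 1 and 2), decodes the NetBIOS-encoded name from NBNS traffic (question 3), and runs the "Packet bytes" search as a regular expression over every payload (questions 4, 5 and 6).

```python
import re
import struct

# ---- constructed sample capture (made up for this example; NOT the CTF's test.pcap) ----
CLIENT_MAC, GW_MAC = b"\x00\x11\x22\x33\x44\x55", b"\x00\xaa\xbb\xcc\xdd\xee"
CLIENT_IP, SERVER_IP = "192.0.2.10", "198.51.100.7"
UA = "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1"

def _ip_bytes(s): return bytes(int(x) for x in s.split("."))
def _mac(b): return ":".join(f"{x:02x}" for x in b)
def _ip(b): return ".".join(str(x) for x in b)

def _frame(smac, dmac, sip, dip, proto, l4, ts):
    """One pcap record: Ethernet II + IPv4 + L4 header + payload. Checksums are left
    at 0; Wireshark only flags them and the parser below ignores them."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                         _ip_bytes(sip), _ip_bytes(dip))
    pkt = dmac + smac + b"\x08\x00" + ip_hdr + l4
    return struct.pack("<IIII", ts, 0, len(pkt), len(pkt)) + pkt

def _tcp(sport, dport, data): return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 65535, 0, 0) + data
def _udp(sport, dport, data): return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def _nbns_name(host):
    """RFC 1001 first-level encoding: 15-char space-padded name + suffix byte, every
    byte split into two nibbles and each nibble added to 'A' (what the nbns filter decodes)."""
    raw = host.upper().ljust(15).encode() + b"\x00"   # suffix 0x00 = workstation service
    return b"\x20" + bytes(c for b in raw for c in (0x41 + (b >> 4), 0x41 + (b & 0xF))) + b"\x00"

NBNS = struct.pack("!HHHHHH", 0x1234, 0x0110, 1, 0, 0, 0) + _nbns_name("DESKTOP-CTF01") + b"\x00\x20\x00\x01"
REQ = f"GET /stage/payload.ps1 HTTP/1.1\r\nHost: c2.example.test\r\nUser-Agent: {UA}\r\n\r\n".encode()
RESP = b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nContent-Length: 2\r\n\r\nok"
BODY = b"path=C:\\Users\\alice\\Downloads\\mystery_file.ps1&ext=aaaabbbbccccddddeeeeffffgggghhhh:Coinbase Wallet"
POST = (f"POST /report HTTP/1.1\r\nHost: c2.example.test\r\nUser-Agent: {UA}\r\n"
        f"Content-Length: {len(BODY)}\r\n\r\n").encode() + BODY
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join([
    _frame(CLIENT_MAC, b"\xff" * 6, CLIENT_IP, "192.0.2.255", 17, _udp(137, 137, NBNS), 1),
    _frame(CLIENT_MAC, GW_MAC, CLIENT_IP, SERVER_IP, 6, _tcp(49152, 80, REQ), 2),
    _frame(GW_MAC, CLIENT_MAC, SERVER_IP, CLIENT_IP, 6, _tcp(80, 49152, RESP), 3),
    _frame(CLIENT_MAC, GW_MAC, CLIENT_IP, SERVER_IP, 6, _tcp(49153, 80, POST), 4),
])

def iter_frames(pcap):
    """Minimal pcap walker: yield (frame_no, ip_proto, meta, l4_payload) per IPv4 TCP/UDP frame."""
    end = "<" if struct.unpack("<I", pcap[:4])[0] == 0xA1B2C3D4 else ">"
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (link type 1) captures are handled here")
    off, n = 24, 0
    while off + 16 <= len(pcap):
        incl = struct.unpack(end + "IIII", pcap[off:off + 16])[2]
        pkt, off, n = pcap[off + 16:off + 16 + incl], off + 16 + incl, n + 1
        if pkt[12:14] != b"\x08\x00" or pkt[23] not in (6, 17):   # IPv4 TCP/UDP only
            continue
        proto, l4 = pkt[23], pkt[14 + (pkt[14] & 0x0F) * 4:]
        meta = dict(dst_mac=_mac(pkt[:6]), src_mac=_mac(pkt[6:12]), src_ip=_ip(pkt[26:30]),
                    dst_ip=_ip(pkt[30:34]), sport=int.from_bytes(l4[:2], "big"),
                    dport=int.from_bytes(l4[2:4], "big"))
        yield n, proto, meta, l4[(l4[12] >> 4) * 4 if proto == 6 else 8:]

def nbns_hostnames(pcap):
    """Q3 (display filter: nbns): decode the NetBIOS name in each NBNS question and
    return {(hostname, suffix, src_ip, src_mac)}."""
    names = set()
    for _, proto, m, p in iter_frames(pcap):
        if proto == 17 and m["dport"] == 137 and len(p) >= 46 and p[12] == 0x20:
            enc = p[13:45]
            raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
            names.add((raw[:15].decode().strip(), raw[15], m["src_ip"], m["src_mac"]))
    return names

def http_200_urls(pcap):
    """Q1/Q2 (filter: http.response.code == 200): pair each 200 OK with the request on
    the reversed 4-tuple; return [(url, client_ip, client_mac, user_agent)]. The MAC is
    the client's own only when captured on its L2 segment, otherwise it is the next hop's."""
    requests, hits = {}, []
    for _, proto, m, p in iter_frames(pcap):
        key = (m["src_ip"], m["sport"], m["dst_ip"], m["dport"])
        if proto == 6 and re.match(rb"[A-Z]+ \S+ HTTP/1\.[01]\r\n", p):
            hdrs = dict(re.findall(rb"\r\n([^:\r\n]+): ([^\r]*)", p.split(b"\r\n\r\n")[0]))
            requests[key] = (p.split(b" ")[1].decode(), hdrs.get(b"Host", b"").decode(),
                             hdrs.get(b"User-Agent", b"").decode(), m)
        elif proto == 6 and p.startswith(b"HTTP/1.") and p[9:12] == b"200":
            req = requests.get((key[2], key[3], key[0], key[1]))   # response -> its request
            if req:
                hits.append((f"http://{req[1]}{req[0]}", req[3]["src_ip"], req[3]["src_mac"], req[2]))
    return hits

def grep_payloads(pcap, pattern):
    """Q4/Q5/Q6: Find Packet with 'Packet bytes', as a regex over every L4 payload.
    Returns {(frame_no, match)}; group 1 is returned when the pattern defines one."""
    rx = re.compile(pattern)
    return {(n, (m.group(1) if rx.groups else m.group(0)).decode(errors="replace"))
            for n, _, _, p in iter_frames(pcap) for m in rx.finditer(p)}

if __name__ == "__main__":
    print(http_200_urls(SAMPLE_PCAP))                                   # Q1, Q2 (and the UA for Q5)
    print(nbns_hostnames(SAMPLE_PCAP))                                  # Q3
    print(grep_payloads(SAMPLE_PCAP, rb"C:\\Users\\([^\\&\r\n]+)\\"))   # Q4: profile path -> user
    print(grep_payloads(SAMPLE_PCAP, rb"\b[a-p]{32}\b"))                # Q6: extension-ID shape
```

On a real capture you would pass the bytes of test.pcap to the same functions (they stop at the first non-Ethernet or nanosecond-magic file, which the CTF capture is not). The tshark equivalents of the first two questions are `tshark -r test.pcap -Y 'http.response.code == 200' -T fields -e ip.dst -e eth.dst -e http.response_for.uri`, and of question 3 `tshark -r test.pcap -Y nbns -T fields -e nbns.name`; the point of the script is to make explicit what those fields are computed from, in particular that the "client" in a 200 OK is the destination side and that the NBNS name you see has been decoded from 32 uppercase A-P characters on the wire.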


That’s it for this section. Next one up is the Metasploit framework section.

— Hmad

Written by Hmad

I'm a cybersecurity enthusiast with a growing focus on offensive security. Currently studying for the eJPT & ICCA, building hands-on projects like Infiltr8, and sharing everything I learn through blog posts and labs.