Advent of Cyber 2021 — [Day 9] Where Is All This Data Going

“McSkidy recently found out that a large amount of traffic is entering one system on the network. Use your traffic analysis skills to determine what kind of activities Grinch Enterprises are performing.”

Link to Room: https://tryhackme.com/room/adventofcyber3#

Question #1: In the HTTP #1 — GET requests section, which directory is found on the web server?

Open up the .pcap file by either downloading Wireshark on your machine (you can get it for Windows or Linux) or using the TryHackMe attack box.

Filter by GET requests:

If you check the Info column for all of the results, you can see that most of them are centered on the login directory:

login

Question #2: What is the username and password used in the login page in the HTTP #2 — POST section?

Now we can change the request method to POST:

I just picked the first one and right-clicked to follow the HTTP stream:

This will give you much more detail. Here we can see the username and password that were used to log in.

McSkidy:Christmas2021

Question #3: What is the User-Agent’s name that has been sent in HTTP #2 — POST section?

You can find this at the top of the very same HTTP stream:

TryHackMe-UserAgent-THM{d8ab1be969825f2c5c937aec23d55bc9}

Question #4: In the DNS section, there is a TXT DNS query. What is the flag in the message of that DNS query?

You can filter by DNS:

Again I just chose the first one. I looked through the UDP stream:

I came up empty-handed here:

But you can move through stream details easily with this little button down on the lower left:

If you keep moving up you will find what you need on stream 77:

THM{dd63a80bf9fdd21aabbf70af7438c257}

Question #5: In the FTP section, what is the FTP login password?

Filter by FTP:

You can see the password here along with a few other interesting things:

TryH@ckM3!

Question #6: In the FTP section, what is the FTP command used to upload the secret.txt file?

Right in that same area you can see that the STOR command was used with the secret.txt file:

STOR
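Both the HTTP POST and the FTP control channel above carry their credentials in cleartext, which is why following the stream is enough to read them. The added example below (not part of the original writeup) pulls the same fields out of reassembled stream text; the sample payloads, names and values are constructed for illustration and are not taken from the room's capture.

```python
import re
from urllib.parse import parse_qs

# Constructed sample payloads (assumed values, not from the room's pcap): the text
# Wireshark shows after "Follow Stream" on an HTTP POST and an FTP control session.
HTTP_STREAM = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: 10.0.0.5\r\n"
    b"User-Agent: ExampleAgent/1.0\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 39\r\n"
    b"\r\n"
    b"username=alice&password=example-pass%21"
)
FTP_STREAM = (
    b"220 FTP ready\r\n"
    b"USER alice\r\n"
    b"331 Password required\r\n"
    b"PASS example-pass!\r\n"
    b"230 Logged in\r\n"
    b"STOR notes.txt\r\n"
    b"150 Opening data connection\r\n"
)

def http_post_findings(stream: bytes) -> dict:
    """Return path, User-Agent and decoded form fields of a cleartext HTTP POST."""
    head, _, body = stream.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    if not lines[0].startswith("POST "):
        return {}
    pairs = (l.split(": ", 1) for l in lines[1:] if ": " in l)
    headers = {k.lower(): v for k, v in pairs}  # header names are case-insensitive
    form = {k: v[0] for k, v in parse_qs(body.decode("latin-1")).items()}
    return {"path": lines[0].split()[1],
            "user_agent": headers.get("user-agent"), "form": form}

FTP_CMD = re.compile(r"^(USER|PASS|STOR|RETR) (.*)$")

def ftp_findings(stream: bytes) -> list:
    """Return (command, argument) pairs for login and file-transfer commands."""
    matches = (FTP_CMD.match(l) for l in stream.decode("latin-1").split("\r\n"))
    return [(m.group(1), m.group(2)) for m in matches if m]

if __name__ == "__main__":
    print(http_post_findings(HTTP_STREAM))
    print(ftp_findings(FTP_STREAM))
```

Server replies such as `331 Password required` start with a status code, so only client commands match the FTP pattern.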

Question #7: In the FTP section, what is the content of the secret.txt file?

Apply the ftp-data filter.

There is only one result. You can right-click and follow the TCP stream:

This will show you what was in the secret.txt file:

Happy Holidays! ❤

Samantha