Advent of Cyber 2021 — [Day 9] Where Is All This Data Going

“McSkidy recently found out that a large amount of traffic is entering one system on the network. Use your traffic analysis skills to determine what kind of activities Grinch Enterprises are performing.”

Link to Room: https://tryhackme.com/room/adventofcyber3#

Question #1: In the HTTP #1 — GET requests section, which directory is found on the web server?

Open the .pcap file in Wireshark, either installed on your own machine (it is available for Windows and Linux) or on the TryHackMe AttackBox.

Filter by GET requests:

If you check out the info section for all of the results, you can see that most of them are centered around the login directory:

login

Question #2: What is the username and password used in the login page in the HTTP #2 — POST section?

Now we can change the request method to POST:

I just picked the first one and right-clicked to follow the HTTP stream:

This will give you much more detail. Here we can see the username and password that were used to log in.

McSkidy:Christmas2021

Question #3: What is the User-Agent’s name that has been sent in HTTP #2 — POST section?

You can find this at the top of the very same HTTP stream:

TryHackMe-UserAgent-THM{d8ab1be969825f2c5c937aec23d55bc9}

Question #4: In the DNS section, there is a TXT DNS query. What is the flag in the message of that DNS query?

You can filter by DNS:

Again I just chose the first one. I looked through the UDP stream:

I came up empty-handed here:

But you can move through stream details easily with this little button down on the lower left:

If you keep moving up, you will find what you need on stream 77:

THM{dd63a80bf9fdd21aabbf70af7438c257}

Question #5: In the FTP section, what is the FTP login password?

Filter by FTP:

You can see the password here along with a few other interesting things:

TryH@ckM3!

Question #6: In the FTP section, what is the FTP command used to upload the secret.txt file?

Right in that same area you can see that the STOR command was used with the secret.txt file:

STOR

Question #7: In the FTP section, what is the content of the secret.txt file?

Apply the ftp-data filter.

There is only one result. You can right-click and follow the TCP stream:

This will show you what was in the secret.txt file:

Happy Holidays! ❤
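
The HTTP and FTP answers above were all readable because both protocols carry credentials in cleartext. As an added example (not part of the original writeup), this Python script audits reassembled stream text for the same exposures; the sample streams, the field-name list and the function names are constructed assumptions, not values from the room's pcap.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample streams (not from the room's pcap): the reassembled text
# Wireshark shows after following an HTTP stream or an FTP control stream.
HTTP_STREAM = (
    "POST /login HTTP/1.1\r\n"
    "Host: 10.0.0.5\r\n"
    "User-Agent: ExampleAgent/1.0\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "username=alice&password=S3cret%21pass"
)
FTP_STREAM = (
    "220 Welcome\r\nUSER alice\r\n331 Please specify the password.\r\n"
    "PASS hunter2\r\n230 Login successful.\r\nSTOR notes.txt\r\n"
    "150 Ok to send data.\r\n226 Transfer complete.\r\n"
)

SENSITIVE_FIELDS = {"username", "user", "login", "password", "pass", "passwd"}
FTP_COMMAND = re.compile(r"^(USER|PASS|STOR|RETR) (.+)$")


def audit_http(stream):
    """Report method, path, User-Agent and any form fields that expose credentials."""
    head, _, body = stream.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    findings = {"method": method, "path": path,
                "user_agent": headers.get("user-agent"), "exposed": {}}
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        for key, value in parse_qsl(body, keep_blank_values=True):  # URL-decodes values
            if key.lower() in SENSITIVE_FIELDS:
                findings["exposed"][key] = value
    return findings


def audit_ftp(stream):
    """Return (command, argument) pairs that reveal credentials or file transfers."""
    matches = (FTP_COMMAND.match(line) for line in stream.split("\r\n"))
    return [m.groups() for m in matches if m]


if __name__ == "__main__":
    print(audit_http(HTTP_STREAM))
    print(audit_ftp(FTP_STREAM))
```

Any non-empty result from either function means a passive observer on the network path could read the same values, which is the case for moving such logins to HTTPS and SFTP or FTPS.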

CTF Writeups to facilitate cyber education.

Samantha
