Advent of Cyber 2021 — [Day 9] Where Is All This Data Going

4 min readDec 10, 2021

“McSkidy recently found out that a large amount of traffic is entering one system on the network. Use your traffic analysis skills to determine what kind of activities Grinch Enterprises are performing.”

Link to Room:

Question #1: In the HTTP #1 — GET requests section, which directory is found on the web server?

Open up the .pcap file by either downloading Wireshark on your machine (you can get it for Windows or Linux) or using the TryHackMe attack box.

Filter by GET requests:

If you check out the info section for all of the results, you can see that most of them are centered around the login directory:


Question #2: What is the username and password used in the login page in the HTTP #2 — POST section?

Now we can change the request method to POST:

I just picked the first one and right-clicked to follow the http stream:

This will give you much more detail. Here we can see the username and password that was used to log in.


Question #3: What is the User-Agent’s name that has been sent in HTTP #2 — POST section?

You can find this in the very same http stream at the top:


Question #4: In the DNS section, there is a TXT DNS query. What is the flag in the message of that DNS query?

You can filter by DNS:

Again I just chose the first one. I looked through the UDP stream:

I came up empty handed here:

But you can move through stream details easily with this little button down on the lower left:

If you keep moving up you will find what you need on stream 77:


Question #5: In the FTP section, what is the FTP login password?

Filter by FTP:

You can see the password here along with a few other interesting things:


Question #6: In the FTP section, what is the FTP command used to upload the secret.txt file?

Right in that same area you can see that the STOR command was used with the secret.txt file:


Question #7: In the FTP section, what is the content of the secret.txt file?

Apply the ftp-data filter.

There is only one result. You can right-click and follow the TCP stream:

This will show you what was in the secret.txt file:

Happy Holidays! ❤




CTF writeups to facilitate cyber education and help me earn CPEs