PacketMaze
Q1. What is the FTP password?
We can set the filter such that it filters out FTP packets.
ftp
Following the TCP stream via Follow > TCP Stream, we can see the password.
Answer
AfricaCTF2021
Q2. What is the IPv6 address of the DNS server used by 192.168.1.26? (####::####:####:####:####)
We can filter the DNS packets using the following filter:
dns
On analyzing the packet, we can see the source MAC address.
We can create a second filter as follows:
eth.src == c8:09:a8:57:47:93 && ipv6 && dns
Let's look at the first packet.
We can see the IPv6 address of the DNS server in the Destination Address field.
Answer
fe80::c80b:adff:feaa:1db7
Q3. What domain is the user looking up in packet 15174?
Let's filter out the relevant packet.
frame.number == 15174
The domain is specified in the Queries filed of the DNS message.
Answer
www.7-zip.org
Q4. How many UDP packets were sent from 192.168.1.26 to 24.39.217.246?
We can filter the relevant packets using the following filter:
ip.src == 192.168.1.26 && ip.dst == 24.39.217.246 && udp
We can see that there are 10 packets that fit the description.
Answer
10
Q5. What is the MAC address of the system being investigated in the PCAP?”
We already found the answer to this while researching for a previous question.
Answer
c8:09:a8:57:47:93
Q6. What was the camera model name used to take picture 20210429_152157.jpg ?
Since the image is a file, we can filter out for FTP-Data.
ftp-data
We can see the file being moved. On following the TCP stream we can see the contents of the file.
There's the camera model name. However there is a better way to do this.
Let's save the image in Raw format.
Using exiftool we can view the metadata of the image.
$ exiftool 20210429_152157.jpg
--snip--;
Camera Model Name : LM-Q725K
--snip--;
Answer
LM-Q725K
Q7. What is the server certificate public key that was used in TLS session: da4a0000342e4b73459d7360b4bea971cc303ac18d29b99067e46d16cc07f4ff?
We can filter the packet based on the session ID the we have been provided with.
tls.handshake.session_id == da:4a:00:00:34:2e:4b:73:45:9d:73:60:b4:be:a9:71:cc:30:3a:c1:8d:29:b9:90:67:e4:6d:16:cc:07:f4:ff
In the Server key Exchange field we can find the Pubkey.
Answer
04edcc123af7b13e90ce101a31c2f996f471a7c8f48a1b81d765085f548059a550f3f4f62ca1f0e8f74d727053074a37bceb2cbdc7ce2a8994dcd76dd6834eefc5438c3b6da929321f3a1366bd14c877cc83e5d0731b7f80a6b80916efd4a23a4d
Q8. What is the first TLS 1.3 client random that was used to establish a connection with protonmail.com?
We have to first set a filter.
frame contains protonmail.com && tls
Let's look at the first packet. In the Random field we can find the answer to our question.
Answer
24e92513b97a0348f733d16996929a79be21b0b1400cd7e2862a732ce7775b70
Q9. What country is the MAC address of the FTP server registered in? (two words, one space in between)
On filtering for ftp traffic, we can find the source MAC address.
We can then search this MAC address on DNSChecker.
Alternatively, we can also use macaddress.io.
Answer
United States
Q10. What time was a non-standard folder created on the FTP server on the 20th of April? (hh:mm)
We need to first filter for FTP-Data.
ftp-data
On following the TCP stream, we can see a list of folders.
Out of all the folders in the list the ftp folder is the non-standard one.
Answer
17:53
Q11. What domain was the user connected to in packet 27300?
We have to first set a filter.
frame.number == 27300
We can see the destination address of the packet.
Now let's go to Statistics > Resolved Addresses in order to see if this IP address has been resolved or not.
Answer
dfir.science