TryHackMe — Advent of Cyber 2 — Day 7

Good evening all,

Meetings finally over, chow eaten, tea made, ready to keep playing catch-up on these.. Day 7’s intro:

“It’s 6 AM and Elf McSkidy is clocking-in to The Best Festival Company’s SOC headquarters to begin his watch over TBFC’s infrastructure. After logging in, Elf McEager proceeds to read through emails left by Elf McSkidy during the nightshift.

More automatic scanning alerts, oh look, another APT group. It feels like it’s going to be a long, but easy start to the week for Elf McEager.

Whilst clearing the backlog of emails, Elf McEager reads the following: “URGENT: Data exfiltration detected on TBFC-WEB-01”. “Uh oh” goes Elf McEager. “TBFC-WEB-01? That’s Santa’s webserver! Who has the motive to steal data from there?!”. It’s time for the ever-vigilant Elf McEager to prove his salt and find out exactly what happened.

Unknowingly to Elf McEager, Elf McSkidy made this all up! Fortunately, this isn’t a real attack — but a training exercise created ahead of Elf McEager’s performance review.”

Now we have moved into the ‘Networking’ section of challenges in the Advent Calendar. This should come a little easier to me, I’ve only a handful of certificates and work in the networking field. Anyhow, let’s read more into what they are looking for. They give us 3 .pcap files to analyze with Wireshark. I’m no guru with Wireshark, I use it at work usually just to verify that extremely specific traffic is flowing, again, if you read my first blog, the intro, I do this to Cover My ….

Anyhow, let’s get to question 1: Open “pcap1.pcap” in Wireshark. What is the IP address that initiates an ICMP/ping?

Didn’t have to look far or set up any filters to see this one..

Onto question 2: If we only wanted to see HTTP GET requests in our “pcap1.pcap” file, what filter would we use?

Thankfully Wireshark makes this easy with a little googling and the autocomplete feature. Also make sure you use ‘GET’, not ‘get’; Wireshark is case-sensitive.. forgot for a minute. Anyhow, the filter we will use looks like this:

Next question: Now apply this filter to “pcap1.pcap” in Wireshark, what is the name of the article that the IP address “10.10.67.199” visited?

Unrelated to the question but kind of funny, found in an HTML stream..

<p>We&rsquo;d just like to give a quick shoutout to Reindeer Rufus for being our best performing Reindeer of the week! Reindeer Rufus only managed to knock over three elves this week, proving to be a great role model for all the other Reindeers.</p>
<p>Everyone here at TBFC all proud of you Rufus — keep it up!

If we follow the HTML stream, we find this..

We also see it here in the pcap listing..

Onto the next question, and the next .pcap file: Let’s begin analysing “pcap2.pcap”. Look at the captured FTP traffic; what password was leaked during the login process?

Quickly looking at it, we can see a plaintext password immediately.

Unrelated, but what we can do is look up the FTP response code for “Login Successful”, which happens to be 230. We can apply that as a filter to see where they logged in as well, and follow the stream to see what they did.
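To show why that 230 reply matters when triaging a capture, here is an added example (not from the original post or the TryHackMe room): a Python script that walks an FTP control-channel transcript, pairs each cleartext PASS command with the server's final reply, and marks which exposed credentials actually logged in. The transcript format, the function name `audit_ftp_logins`, and every value in `SAMPLE` are constructed for illustration.

```python
import re

# Constructed FTP control-channel transcript (not taken from the room's pcap files).
# Each entry is (sender, line): "C" = client, "S" = server.
SAMPLE = [
    ("S", "220 Welcome to the example FTP service"),
    ("C", "USER alice"),
    ("S", "331 Please specify the password."),
    ("C", "PASS wrong-guess"),
    ("S", "530 Login incorrect."),
    ("C", "user alice"),
    ("S", "331 Please specify the password."),
    ("C", "PASS constructed-secret"),
    ("S", "230-Welcome back"),
    ("S", "230 Login successful."),
    ("C", "LIST"),
]

REPLY = re.compile(r"^(\d{3})([ -])")  # "230 " is a final line, "230-" continues


def audit_ftp_logins(transcript):
    """Return one record per PASS command: user, password, reply code, success."""
    findings, user, pending = [], None, None
    for sender, line in transcript:
        if sender == "C":
            verb, _, arg = line.strip().partition(" ")
            verb = verb.upper()  # FTP commands are case-insensitive (RFC 959)
            if verb == "USER":
                user = arg
            elif verb == "PASS":
                pending = {"user": user, "password": arg}
        elif pending is not None:
            m = REPLY.match(line)
            if not m or m.group(2) == "-":
                continue  # skip continuation lines of a multi-line reply
            pending["code"] = int(m.group(1))
            pending["success"] = pending["code"] == 230
            findings.append(pending)
            pending = None
    return findings


if __name__ == "__main__":
    for finding in audit_ftp_logins(SAMPLE):
        print(finding)
```

Every record is a credential that crossed the wire in cleartext; the ones with `success` set are the accounts whose passwords need rotating first.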

Onto the next question: Continuing with our analysis of “pcap2.pcap”, what is the name of the protocol that is encrypted?

Just scrolling through the pcaps, we see everything from TCP handshakes, FTP, ICMP, ARP, and finally SSH, which we know is encrypted.

Onto the final question and the next .pcap: What is on Elf McSkidy’s wishlist that will be used to replace Elf McEager?

Scrolling through the streams, I found a wishlist.txt file. Here we have to use ‘Export Objects’ from the File menu to grab all of the files that were in the stream. We can export christmas.zip. Now all we need to do is unzip the file and take a look at Elf McSkidy’s Wishlist.

I’ll let you do the last portion. As always, best of luck.

Until next time,

-3lduderino