“WireDive is a combo traffic analysis exercise that contains various traces to help you understand how different protocols look on the wire where you can evaluate your DFIR skills against an artifact you usually encounter in today’s case investigations as a security blue team member.”
DHCP
Question 1
“What IP address is requested by the client?”
By filtering out DHCP traffic, we can find the IP address requests.
Answer: 192.168.2.244
Question 2
“What is the transaction ID for the DHCP release?”
Answer: 0x2a7d544b
Question 3
“What is the MAC address of the client?”
By inspecting the same packet as the request, we get the MAC address.
Answer: 00:0c:29:82:f5:94
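The three DHCP questions above all come from the same fields of the BOOTP/DHCP message: the transaction ID and client hardware address in the fixed header, and the message type (option 53) and requested IP (option 50) in the options. The parser below is an added example, not part of the original writeup; it builds a constructed packet from the answers given above and reads those fields back, so you can see where Wireshark gets them.

```python
import struct

# Constructed sample values (taken from the answers in this writeup, not from
# a real capture) so the parser output can be checked against them.
SAMPLE_XID = 0x2a7d544b
SAMPLE_MAC = bytes.fromhex("000c2982f594")
SAMPLE_REQUESTED_IP = "192.168.2.244"
MAGIC_COOKIE = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}

def build_dhcp_packet(xid, mac, msg_type, requested_ip=None):
    """Assemble a BOOTP/DHCP message (RFC 2131 236-byte fixed header + options)."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        1, 1, 6, 0, xid, 0, 0x8000,   # op=BOOTREQUEST, ethernet, broadcast flag
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                        mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    options = bytes([53, 1, msg_type])                  # option 53: DHCP message type
    if requested_ip:                                    # option 50: requested IP address
        options += bytes([50, 4]) + bytes(int(o) for o in requested_ip.split("."))
    return fixed + MAGIC_COOKIE + options + b"\xff"      # 255 = end of options

def parse_dhcp(pkt):
    """Return the fields the DHCP questions ask for: xid, client MAC, message type, requested IP."""
    _op, _htype, hlen, _hops, xid = struct.unpack("!BBBBI", pkt[:8])
    chaddr = pkt[28:28 + hlen]                          # chaddr starts at offset 28, hlen bytes used
    if pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (magic cookie missing)")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 255:               # walk TLV options until the end marker
        if pkt[i] == 0:                                 # 0 = pad option, has no length byte
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    req = opts.get(50)
    return {
        "xid": xid,
        "client_mac": ":".join(f"{b:02x}" for b in chaddr),
        "msg_type": MSG_TYPES.get(opts[53][0], "UNKNOWN") if 53 in opts else None,
        "requested_ip": ".".join(str(b) for b in req) if req else None,
    }

if __name__ == "__main__":
    print(parse_dhcp(build_dhcp_packet(SAMPLE_XID, SAMPLE_MAC, 3, SAMPLE_REQUESTED_IP)))
    print(parse_dhcp(build_dhcp_packet(SAMPLE_XID, SAMPLE_MAC, 7)))   # a DHCPRELEASE carries no option 50
```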
DNS
Question 1
“What is the response for the lookup for flag.fruitinc.xyz?”
By filtering out DNS requests, we can find the response.
Answer: ACOOLDNSFLAG
Question 2
“Which root server responds to the google.com query? Hostname.”
The IP that responded to the request was 192.202.230.10.
SMB
Question 1
By filtering out SMB requests, we can see that a file path was opened multiple times.
Answer: HelloWorld\TradeSecrets.txt
Question 2
“What was the hex status code when the user SAMBA\jtomato logs in?”
Looking up the username jtomato, we can see a login attempt that ended up failing.
The status code for the failed logon attempt is 0xc000006d (STATUS_LOGON_FAILURE).
Answer: 0xc000006d
Question 3
“What is the tree that is being browsed?”
After a Tree Connect Request to \\192.168.2.10\public, multiple read requests for TradeSecrets.txt were made.
Answer: \\192.168.2.10\public
Question 4
“What is the flag in the file?”
Inside the TradeSecrets.txt file is… the entire Bee Movie script.
We export the file from these packets and grep it for the flag.
$ grep 'flag' TradeSecrets.txt
flag <OneSuperDuperSecret>
Answer: OneSuperDuperSecret
Shell
Question 1
“What port is the shell listening on?”
After analysing the conversations, we can see there are a lot of packets between 192.168.2.5 and 192.168.2.244.
Following the TCP stream, we can see a shell listening on the server at 192.168.2.244:4444.
Answer: 4444
Question 2
“What is the port for the second shell?”
Looking at the traffic again, there is also a conversation from 192.168.2.244 to 192.168.2.5 at port 9999.
Answer: 9999
Question 3
“What version of netcat is installed?”
We know from our previous findings that 192.168.2.5 installs packages via apt, a package manager.
So, by filtering out HTTP traffic (apt fetches its packages over cleartext HTTP, so the package names are visible), we can see the netcat version being installed.
Answer: 1.10-41.1
Question 4
“What file is added to the second shell?”
Checking the second shell’s traffic again, we can see the last command executed.
The client exfiltrated /etc/passwd with nc before exiting.
Answer: /etc/passwd
Question 5
“What password is used to elevate the shell?”
Looking at the commands again, the user echoed a string and piped it to a sudo command. This is a way of supplying the password to sudo on standard input, escalating the client’s privileges.
Answer: *umR@Q%4V&RC
Question 6
“What is the codename of the target system’s OS version?”
Looking at the HTTP request again, the package manager was installing packages from the bionic repository, which is used by Ubuntu Bionic Beaver.
Answer: Bionic
Question 7
“How many users are on the target system?”
From our previous findings, we know that the client exfiltrated /etc/passwd, which lists every local account on the system.
By following the TCP stream of 192.168.1.5:9999, the IP and port of the second shell, we can read the file contents inside.
From the list, there are a total of 30 users on the system.
Answer: 30
Network
Question 1
“What is the IPv6 NTP server IP?”
By filtering out the NTP traffic, we can find the IPv6 address of the NTP server.
Answer: 2003:51:6012:110::dcf7:123
Question 2
“What is the first IP address that is requested by the DHCP client?”
By filtering out DHCP traffic, we can find the first requested IP address.
Answer: 192.168.20.11
Question 3
“What is the first authoritative name server returned for the domain that is being queried?”
After filtering out the DNS traffic, the authoritative name server that responded to webernetz.net is ns1.hans.hosteurope.de with ns2.hans.hosteurope.de as the fallback name server.
Answer: ns1.hans.hosteurope.de
Question 4
“What is the number of the first VLAN to have a topology change occur?”
“Switch encounters a topology change whenever it detects link status change on one of its interfaces due to a link or another switch failure. After detecting topology change within the network it generates a Topology Change Notification BPDU with all the information about the topology that is currently being used and sends it towards the root switch through its root port.” – GeeksForGeeks
Topology Change is a flag carried in STP BPDUs.
To filter for Topology Changes in Wireshark, we can use stp.flags.tc == true
The first Topology Change occurs at VLAN 20.
Answer: 20
Question 5
“What is the port for CDP for CCNP-LAB-S2?”
By filtering out CDP traffic, we will get the Port ID.
Answer: GigabitEthernet0/2
Question 6
“What is the MAC address for the root bridge for VLAN 60?”
After filtering out traffic from VLAN 60, we get our answer.
Answer: 00:21:1b:ae:31:80
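Questions 4 and 6 both read fields straight out of the STP configuration BPDU: the Topology Change bit in the flags byte, and the root bridge ID, whose priority field under the 802.1t extended system ID (as used by PVST+) carries the VLAN number in its low 12 bits next to the root MAC. The code below is an added example, not from the original writeup; it constructs three BPDUs (the VLAN 60 root MAC is the answer above, the other two MACs are made up) and extracts the same values the stp.flags.tc filter and the bridge ID fields give you in Wireshark.

```python
import struct

TC_FLAG = 0x01    # flags bit 0: Topology Change (Wireshark field stp.flags.tc)
TCA_FLAG = 0x80   # flags bit 7: Topology Change Acknowledgment

def build_config_bpdu(vlan, root_mac, flags=0):
    """Constructed 802.1D configuration BPDU. With the 802.1t extended system ID,
    the 16-bit priority field is priority (high 4 bits) + VLAN ID (low 12 bits)."""
    bridge_id = struct.pack("!H6s", 0x8000 | vlan, root_mac)       # priority 32768 + VLAN, then MAC
    header = struct.pack("!HBBB", 0x0000, 0, 0, flags)              # protocol id, version, type=Config
    timers = struct.pack("!HHHHH", 0x8001, 0, 20 << 8, 2 << 8, 15 << 8)  # port id, age, max age, hello, fwd delay
    return header + bridge_id + struct.pack("!I", 0) + bridge_id + timers  # root id, path cost, bridge id

def parse_config_bpdu(bpdu):
    """Extract the flags and the root bridge identity from a configuration BPDU."""
    _proto, _version, bpdu_type, flags = struct.unpack("!HBBB", bpdu[:5])
    if bpdu_type != 0:
        raise ValueError("not a configuration BPDU")
    root_field, root_mac = struct.unpack("!H6s", bpdu[5:13])
    return {
        "tc": bool(flags & TC_FLAG),
        "tca": bool(flags & TCA_FLAG),
        "vlan": root_field & 0x0FFF,            # system ID extension = VLAN under PVST+
        "root_priority": root_field & 0xF000,
        "root_mac": ":".join(f"{b:02x}" for b in root_mac),
    }

def first_vlan_with_tc(bpdus):
    """Equivalent of the stp.flags.tc == true filter: VLAN of the first BPDU flagging a change."""
    for bpdu in bpdus:
        info = parse_config_bpdu(bpdu)
        if info["tc"]:
            return info["vlan"]
    return None

def root_mac_for_vlan(bpdus, vlan):
    """Root bridge MAC advertised for one VLAN (question 6), or None if the VLAN never appears."""
    for bpdu in bpdus:
        info = parse_config_bpdu(bpdu)
        if info["vlan"] == vlan:
            return info["root_mac"]
    return None

# Constructed capture: VLAN 10 quiet, VLAN 20 signalling a topology change, VLAN 60 with the
# root MAC from this writeup's answer. The VLAN 10/20 MACs are made up.
SAMPLE_BPDUS = [
    build_config_bpdu(10, bytes.fromhex("0000aa000001")),
    build_config_bpdu(20, bytes.fromhex("0000aa000002"), flags=TC_FLAG),
    build_config_bpdu(60, bytes.fromhex("00211bae3180")),
]
```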
Question 7
“What is the IOS version running on CCNP-LAB-S2?”
We can find the IOS version by inspecting the CCNP-LAB-S2 CDP packet.
Answer: 12.1(22)EA14
Question 8
“What is the virtual IP address used for HSRP group 121?”
By filtering out HSRP traffic from group 121, we can find the Virtual IP Address.
Answer: 192.168.121.1
Question 9
“How many router solicitations were sent?”
“The format for Router Solicitation (RS) Message is defined in RFC 4861. The format for a Router Solicitation (RS) Message is based on a normal ICMPv6 message format.” – OmniSecu
By filtering out ICMPv6 traffic with type 133, we get our answer.
Answer: 3
Question 10
“What is the management address of CCNP-LAB-S2?”
Answer: 192.168.121.20
Question 11
“What is the interface being reported on in the first SNMP query?”
By filtering out SNMP traffic, we can find the first SNMP query and its response.
Answer: Fa0/1
Question 12
“When was the NVRAM config last updated?”
By searching for NVRAM, we can find a TFTP packet listing the version.
Answer: 2017-03-03 21:02
Question 13
“What is the IPv6 of the RADIUS server?”
By searching for RADIUS, we can find its address.
Answer: 2001:DB8::1812
HTTPS
Question 1
“What has been added to web interaction with web01.fruitinc.xyz?”
After decrypting the TLS traffic with secret-sauce.txt, we can filter for packets containing web01.fruitinc.xyz. This leads to an HTTP request.
Checking the headers of the response, we can see an unusual flag added as a header.
Answer: y2*Lg4cHe@Ps
Question 2
“What is the name of the photo that is viewed in slack?”
By filtering out HTTP requests with files.slack.com in the URI, we can narrow it down to 4 requests, the last of which is answered with a JPEG file.
By checking the full request URI, we can see the name of the photo.
Answer: get_a_new_phone_today__720.jpg
Question 3
“What is the username and password to login to 192.168.2.1?”
By filtering out traffic to and from 192.168.2.1, we can find a peculiar request.
This is a submitted HTTP form which, now that the TLS session is decrypted, exposes the credentials inside.
Answer: admin:Ac5R4D9iyqD5bSh
Question 4
“What is the certStatus for the certificate with a serial number of 07752cebe5222fcf5c7d2038984c5198?”
By searching for this serial number, we are led to an OCSP request whose response has a status of good.
Answer: good
Question 5
“What is the email of someone who needs to change their password?”
From question 3, we know that secrets submitted through HTTP forms are visible after decryption, so we filter for form submissions.
This leads to another user whose credentials were decrypted.
Answer: Jim.Tomato@fruitinc.xyz
Question 6
“A service is assigned to an interface. What is the interface, and what is the service?”
By looking for services, we can see a single request to services_ntpd.php, which hints at an NTP service.
In the following packet, we can see some configuration being submitted with a field called interface[].
Along with that is a field called server0, which contains the address of an NTP server, confirming our suspicion.
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License. Please attribute the source, use non-commercially, and maintain the same license.