Lab Walkthrough: https://cyberdefenders.org/labs/68

Suhel Kathi
5 min readApr 11, 2022

--

About cyberdefenders.org

CyberDefenders is a training platform focused on the defensive side of cybersecurity, aiming to provide a place for blue teams to practice, validate the skills they have, and acquire the ones they need.

EXECUTIVE SUMMARY

This VAPT was performed during my winter vacation. The detailed report and our findings are described below.

OBJECTIVE

The objective of this test was to Answer all the question on the given link.

https://cyberdefenders.org/labs/68

Few points

1)The question was given on the following website

https://cyberdefenders.org/

2) Wireshark tool is used for pcap analysis. Which is installed in windows machine.

Disclaimer

All information, techniques and tools described in this write-up are for educational purposes only. Use anything in this write-up at your own discretion, I cannot be held responsible for any damages caused to any systems or yourselves legally. Usage of all tools and techniques described in this write-up for attacking individuals or organizations without their prior consent is highly illegal. It is your responsibility to obey all applicable local, state and federal laws. I assume and accept no liability and will not be responsible for any misuse or damage caused by using information herein.

Lets Get Started

Summary Scan Report of https://cyberdefenders.org/labs/68

#1 What is the FTP password?

AfricaCTF2021

We simply filtered the ftp and get the following result

#2 What is the IPv6 address of the DNS server used by 192.168.1.26? (####::####:####:####:####)

fe80::c80b:adff:feaa:1db7

We simply search for dns and will review the results and found the answer

#3 What domain is the user looking up in packet 15174?

www.7-zip.org

We simply Ctrl+g gives us windows to search a packet and we enter the packet no and get the following result in DNS

#4 How many UDP packets were sent from 192.168.1.26 to 24.39.217.246?

10

In the filter box we simply searched : ip.src==192.168.1.26&&ip.dst==24.39.217.246&&udp

And get the result

#5 What is the MAC address of the system being monitored?

c8:09:a8:57:47:93

We simply search ftp and monitored the first packet and get the following result

#6 What was the camera model name used to take picture 20210429_152157.jpg ?

LM-Q725K

First we will filter which frame contains that file so we use frame contains 20210429_152157.jpg then we open the tcp stream and save the file as raw and open that file on the following website : http://exif.regex.info/exif.cgi.

#7 What is the server certificate public key that was used in TLS session: da4a0000342e4b73459d7360b4bea971cc303ac18d29b99067e46d16cc07f4ff?

04edcc123af7b13e90ce101a31c2f996f471a7c8f48a1b81d765085f548059a550f3f4f62ca1f0e8f74d727053074a37bceb2cbdc7ce2a8994dcd76dd6834eefc5438c3b6da929321f3a1366bd14c877cc83e5d0731b7f80a6b80916efd4a23a4d

First we filtered tls.handshake.type==2 then we click on the first packet and go to the session id and apply as column then found the session id on 26913 then go to the public key and get the public key the results are below

#8 What is the first TLS 1.3 client random that was used to establish a connection with protonmail.com?

24e92513b97a0348f733d16996929a79be21b0b1400cd7e2862a732ce7775b70

First we used ssl.handshake.extensions_server_name in filter we check the first packet and we found server name www.bing.com then I right click on it and apply as column and found protonmail.com and checked it and find out in Random

#9 What country is the MAC address of the FTP server registered in? (two words, one space in between)

United States

For this we filtered the ftp and click on the first packet and get mac address then we visit the website macaddress.io and get the following results

#10 What time was a non-standard folder created on the FTP server on the 20th of April? (hh:mm)

17:53

I used ftp in filter search & check the tcp stream : tcp.stream eq 11 which give us following result

#11 What domain was the user connected to in packet 27300?

dfir.science

I simply tried ctrl+g but didn’t find so I notedown the ip address which is 172.67.162.206 then I move to statistics > Resolved Address and check the IP address and found the following result

This is the result

Conclusion

It can be described as a detailed process of detecting, investigating, and documenting the reason, course, and consequences of a security incident or violation against state and organization laws.

This is the end. Thank you for reading this write-up.

--

--