Prinu_17
5 min read · Jan 9, 2025

Host & Network Penetration Testing: Network-Based Attacks CTF 1 (EJPT INE)

Hello everyone,

This is a CTF challenge based on Wireshark. Honestly, I’m not very skilled with it, but I managed to complete it with the help of Aimua. Thank you, buddy!

Wireshark is a free and widely used network analysis tool. It allows you to capture and inspect data packets in real-time, helping you understand what’s happening in a network. With Wireshark, we can troubleshoot network issues, analyze traffic, and even find security vulnerabilities.

Let’s get started.

Q.1 What is the URL accessed by the infected user that returned a 200 OK response code?

To find this, open the test.pcap file by clicking on it. This will automatically open the file in Wireshark for analysis.

Now, the question asks us to identify the URL accessed by the user that returned a 200 OK response code. To do this, we can use the following Wireshark filter: http.response.code == 200

This filter will display all HTTP responses with a 200 OK status, making it easier to locate the required URL.

In the Hypertext Transfer Protocol dropdown, you will find a parameter named Request URI.

Copy the value of the Request URI and keep only the domain, which is: 623start.site. So our first flag is:

FLAG 1: 623start.site

Q.2 What is the IP address, MAC address of the infected Windows client?

To identify the infected Windows client, focus on the traffic that went through HTTP. Use the following filter in Wireshark: http

This will display all HTTP traffic, helping you locate the necessary information.

At the top, you can see a request mentioning Windows Defender. From this, identify the source IP address and copy it. The IP address is: 10.7.10.47.

To find the MAC address, expand the Ethernet II section and note the source MAC address.

From the Ethernet II section, we find the MAC address, which is: 80:86:5b:ab:1e:c4. So our second flag is as follows:

FLAG 2: 10.7.10.47, 80:86:5b:ab:1e:c4

Q.3 Which Wireshark filter can you use to determine the victim’s hostname from NetBIOS Name Service traffic, and what is the detected hostname for this malware infection?

To determine the victim’s hostname, the Wireshark filter used is: nbns

This filter will display NetBIOS Name Service traffic, allowing you to identify the victim’s hostname.

To find the hostname, expand the NetBIOS Name Service section and then click on Queries. This will display the relevant details for identifying the victim’s hostname.

Copy the hostname, which is: DESKTOP-9PEA63H. So the third flag is as follows:

FLAG 3: nbns, DESKTOP-9PEA63H
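Why the name under Queries does not look like the 32-letter string on the wire: NetBIOS names are sent in a "first-level encoded" form, and Wireshark decodes them for you. The following Python is an added example, not part of the original walkthrough; it builds a constructed NBNS query for the hostname found above and decodes it the same way the nbns dissector does.

```python
"""Decode the hostname carried in a NetBIOS Name Service (NBNS) query.

Added example, not code from the original article. It builds a constructed NBNS query
(the UDP payload Wireshark shows under "NetBIOS Name Service") for the hostname found
above and decodes its "first-level encoded" name the way Wireshark does under Queries.
"""
import struct

NBNS_HEADER = struct.Struct("!HHHHHH")  # id, flags, qdcount, ancount, nscount, arcount


def encode_nb_name(name: str, suffix: int = 0x00) -> bytes:
    """First-level encoding (RFC 1001, section 14.1): pad the name to 15 characters, append
    the one-byte suffix (0x00 workstation, 0x20 file server), then write each nibble as a
    letter A..P. The 16 raw bytes become the 32 letters seen on the wire."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    return bytes(b for byte in raw for b in (0x41 + (byte >> 4), 0x41 + (byte & 0x0F)))


def decode_nb_name(encoded: bytes) -> tuple:
    """Reverse of encode_nb_name: returns (hostname without padding, suffix)."""
    if len(encoded) != 32 or any(not 0x41 <= c <= 0x50 for c in encoded):
        raise ValueError("NBNS first-level name must be 32 letters A..P")
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15]


def build_nbns_query(name: str, suffix: int = 0x00, txid: int = 0x1234) -> bytes:
    """Constructed NB name query: flags 0x0110 = query, recursion desired, broadcast."""
    question = bytes([32]) + encode_nb_name(name, suffix) + b"\x00"  # one label, then root
    return NBNS_HEADER.pack(txid, 0x0110, 1, 0, 0, 0) + question + struct.pack("!HH", 0x20, 0x01)


def hostnames_in_nbns(payload: bytes) -> list:
    """Walk the question section and decode every queried name (what nbns + Queries shows)."""
    qdcount = NBNS_HEADER.unpack_from(payload, 0)[2]
    pos, names = NBNS_HEADER.size, []
    for _ in range(qdcount):
        label_len = payload[pos]
        names.append(decode_nb_name(payload[pos + 1: pos + 1 + label_len]))
        pos += 1 + label_len + 1 + 4  # label, root terminator, QTYPE + QCLASS
    return names
```

The suffix byte is worth keeping: the same machine registers several names that differ only in it (0x00 for the workstation service, 0x20 for the file server service), so a capture from one infected host normally shows the hostname more than once under the nbns filter.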

Q.4 Which user got infected and ran the mystery_file.ps1 PowerShell script?

To find this, clear all filters and press Ctrl+F to open the find bar.

In the find bar, change the search type from Display filter to String, enter the file name you are looking for, mystery_file.ps1, set the search target on the left to Packet bytes, and click Find.

Right-click in the packet bytes pane on the right and copy its contents as Printable Text.

Paste the content into a text editor such as Notepad and read through it. In the script content we find the user, which is: rwalters.

FLAG 4: rwalters

Q.5 What User-Agent string indicates the traffic generated by a PowerShell script?

To find this, press Ctrl+F to open the find bar. Set the search type to String, type PowerShell, and set the search target on the left to Packet details.

Expand the Hypertext Transfer Protocol section and copy the User-Agent from there.

Now, the funny part is that the entire User-Agent string is not the answer. Only the PowerShell product name is, which is: WindowsPowerShell :)

FLAG 5: WindowsPowerShell
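The manual steps in Q1, Q2 and Q5 all come down to reading three layers of the same packets: the Ethernet II header for the MAC, the IPv4 header for the address, and the HTTP request and response for the URL and User-Agent. The Python below is an added example, not code from the original article; it reads a pcap with the standard library only and reproduces those steps on a sample capture constructed inline from the values quoted in this post (the URL paths, server address and full User-Agent string are made up).

```python
"""Pure-Python reader for the Ethernet II / IPv4 / TCP / HTTP layers of a pcap file.
Added example, not code from the original article: it pairs HTTP responses with their
requests (the http.response.code == 200 filter), reads the client IP and MAC from the IPv4
and Ethernet II headers, and extracts User-Agent. The sample capture is constructed inline.
"""
import struct

PCAP_GLOBAL = struct.Struct("<IHHiIII")  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
PCAP_RECORD = struct.Struct("<IIII")     # ts_sec, ts_usec, incl_len, orig_len
ETHERNET = struct.Struct("!6s6sH")       # dst MAC, src MAC, EtherType
IPV4 = struct.Struct("!BBHHHBBH4s4s")    # 20-byte header, no options
TCP = struct.Struct("!HHIIBBHHH")        # 20-byte header, no options


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload: bytes) -> bytes:
    # Constructed PSH+ACK segment; checksums stay zero because the parser never checks them.
    tcp = TCP.pack(sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = IPV4.pack(0x45, 0, IPV4.size + len(tcp), 1, 0, 64, 6, 0, src_ip, dst_ip) + tcp
    return ETHERNET.pack(dst_mac, src_mac, 0x0800) + ip


def build_pcap(frames) -> bytes:
    out = PCAP_GLOBAL.pack(0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for ts, frame in enumerate(frames):
        out += PCAP_RECORD.pack(ts, 0, len(frame), len(frame)) + frame
    return out


def tcp_segments(pcap: bytes):
    """Yield (src_mac, src_ip, sport, dst_ip, dport, payload) for every TCP segment."""
    magic, *_, linktype = PCAP_GLOBAL.unpack_from(pcap, 0)
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected a little-endian pcap with Ethernet link type")
    pos = PCAP_GLOBAL.size
    while pos + PCAP_RECORD.size <= len(pcap):
        incl_len = PCAP_RECORD.unpack_from(pcap, pos)[2]
        frame = pcap[pos + PCAP_RECORD.size: pos + PCAP_RECORD.size + incl_len]
        pos += PCAP_RECORD.size + incl_len
        _, src_mac, ethertype = ETHERNET.unpack_from(frame, 0)
        if ethertype != 0x0800:  # not IPv4 (ARP, IPv6, ...)
            continue
        ver_ihl, _, total_len, _, _, _, proto, _, src_ip, dst_ip = IPV4.unpack_from(frame, ETHERNET.size)
        if proto != 6:  # not TCP
            continue
        tcp = frame[ETHERNET.size + (ver_ihl & 0x0F) * 4: ETHERNET.size + total_len]
        sport, dport, _, _, data_off, *_ = TCP.unpack_from(tcp, 0)
        yield (src_mac.hex(":"), ".".join(map(str, src_ip)), sport,
               ".".join(map(str, dst_ip)), dport, tcp[(data_off >> 4) * 4:])


def parse_http(payload: bytes):
    """Return (start_line, headers) for an HTTP/1.x request or response, else None."""
    try:
        lines = payload.partition(b"\r\n\r\n")[0].decode("ascii").split("\r\n")
    except UnicodeDecodeError:  # binary payload (TLS, etc.) is not HTTP
        return None
    start = lines[0]
    if not (start.startswith("HTTP/1.") or start.endswith(("HTTP/1.0", "HTTP/1.1"))):
        return None
    return start, {k.strip().lower(): v.strip() for k, _, v in (h.partition(":") for h in lines[1:])}


def http_transactions(pcap: bytes) -> list:
    """Pair each response with its request on the reversed 4-tuple (Wireshark's http.response_for)."""
    pending, done = {}, []
    for src_mac, src_ip, sport, dst_ip, dport, payload in tcp_segments(pcap):
        parsed = parse_http(payload)
        if parsed is None:
            continue
        start, headers = parsed
        if start.startswith("HTTP/1."):  # response: look up the request flowing the other way
            req = pending.pop((dst_ip, dport, src_ip, sport), None)
            if req is not None:
                req["status"] = int(start.split()[1])
                done.append(req)
        else:  # request: remember it under its own flow until the response arrives
            uri = start.split(" ", 2)[1]
            pending[(src_ip, sport, dst_ip, dport)] = {
                "client_mac": src_mac, "client_ip": src_ip, "status": None,
                "url": "http://" + headers.get("host", dst_ip) + uri,
                "user_agent": headers.get("user-agent", "")}
    return done


# Constructed sample capture: the client MAC, client IP and domain are the ones quoted above.
CLIENT_MAC, SERVER_MAC = bytes.fromhex("80865bab1ec4"), bytes.fromhex("0050569a0001")
CLIENT_IP, SERVER_IP = bytes([10, 7, 10, 47]), bytes([203, 0, 113, 10])
SAMPLE_PCAP = build_pcap([
    build_frame(CLIENT_MAC, SERVER_MAC, CLIENT_IP, SERVER_IP, 49152, 80,
                b"GET /mystery_file.ps1 HTTP/1.1\r\nHost: 623start.site\r\n"
                b"User-Agent: Mozilla/5.0 (Windows NT 10.0) WindowsPowerShell/5.1\r\n\r\n"),
    build_frame(SERVER_MAC, CLIENT_MAC, SERVER_IP, CLIENT_IP, 80, 49152,
                b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
    build_frame(CLIENT_MAC, SERVER_MAC, CLIENT_IP, SERVER_IP, 49153, 80,
                b"GET /gone HTTP/1.1\r\nHost: 623start.site\r\nUser-Agent: Mozilla/5.0\r\n\r\n"),
    build_frame(SERVER_MAC, CLIENT_MAC, SERVER_IP, CLIENT_IP, 80, 49153,
                b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n"),
])


def ok_urls(pcap: bytes) -> list:
    """http.response.code == 200, then the paired request's Host + Request URI."""
    return [t["url"] for t in http_transactions(pcap) if t["status"] == 200]
```

The pairing on the reversed 4-tuple is the part that makes the http.response.code == 200 filter useful: a 200 OK packet carries no URL of its own, and the Request URI that Wireshark shows under the response is filled in from the request it matched earlier in the same TCP stream. The same pairing is why the client MAC and IP come from the request side, not the response.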

Q.6 Which wallet extension ID is associated with the Coinbase wallet?

To find this, press CTRL+F to search. In the String parameter, type Coinbase and search using Packet Bytes on the left side of the Find functionality.

Here, we find some details for Coinbase. Right-click the matching request and select Follow > TCP Stream (Ctrl+Alt+Shift+T).

Here, we found our last flag, which is:

FLAG 6: hnfanknocfeofbddgcijnmhnfnkdnaad

Thank you, everyone, for reading! I hope this article has been helpful in guiding you through the steps.

Happy Hacking!

Written by Prinu_17

Exploring web, API, mobile, and infrastructure security. Passionate about penetration testing, vulnerability research, and strengthening defenses.

Responses (1)

I was stuck on the user-agent string part. The hints are so confusing and don't even specify a proper format for the flags.