The network at Factory-Made-Winning had been acting strange all day and Tim was getting very concerned about what was happening at his company. He began looking over some traffic....
Use the packet capture in this folder to help Tim find out what's happening:
1) What is the 3rd ingredient on the list from the mysterious file that was transferred?
This is pretty much the same process as the last challenge. The only difference is a new file. In this case the file is “\ingredients-list-133t-pi11.7z”, which shows up as the path in one of the NT Create AndX requests. This time the password is the word that the attacker found on a sticky note: useonce@.
chester@bluestem:~/DRILL/05$ tcpdump -s0 -r Evidence05.pcap -w SMB.cap port 445
chester@bluestem:~/DRILL/05$ tshark -r SMB.cap | grep "Create AndX Request"
12 0.007632 172.30.1.90 -> 172.30.1.214 SMB NT Create AndX Request, Path: \srvsvc
39 3.045251 172.30.1.90 -> 172.30.1.214 SMB NT Create AndX Request, Path:
44 3.060912 172.30.1.90 -> 172.30.1.214 SMB NT Create AndX Request, Path: \desktop.ini
47 3.062061 172.30.1.90 -> 172.30.1.214 SMB NT Create AndX Request, Path:
66 6.659435 172.30.1.90 -> 172.30.1.214 SMB NT Create AndX Request, Path: \Thumbs.db
69 8.996870 172.30.1.90 -> 172.30.1.214 SMB NT Create AndX Request, Path:
73 9.002135 172.30.1.90 -> 172.30.1.214 SMB NT Create AndX Request, Path: \ingredients-list-133t-pi11.7z
chester@bluestem:~/DRILL/05$ tcpxtract -c /etc/tcpxtract.conf -f SMB.cap
Found file of type "p7z" in session [172.30.1.214:48385 -> 172.30.1.90:25280], exporting to 00000000.p7z
Note that tcpxtract prints the ports byte-swapped: 48385 is 0xBD01, which is 445 (0x01BD) with its bytes reversed, so this is the server side (172.30.1.214) of the SMB session sending the file contents to the client. Opening the carved archive with the sticky-note password (useonce@) gives the ingredients list; the third ingredient is: 8.4 oz- Red Bull
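The tcpdump/tcpxtract steps above carve the archive by its signature. As an added example, not part of the original post and not tcpxtract's own code, here is the same idea in plain Python: reassemble the server-to-client half of the TCP/445 stream from a pcap, find the 7z signature and cut the archive to the exact length recorded in its 32-byte start header (instead of a fixed maximum size), with the start-header CRC as an integrity check. The capture is constructed inline: the addresses are the post's, the payload is synthetic, and the "archive" is a valid start header on a dummy body, not a real 7z. The client port 49250 is an assumption derived from tcpxtract's byte-swapped 25280.

```python
import struct
import zlib

SEVENZ_MAGIC = b"7z\xbc\xaf\x27\x1c"      # 6-byte 7z signature (37 7A BC AF 27 1C)
SMB_PORT = 445
PREFIX = b"SMB-READ-RESPONSE-PADDING"      # constructed filler before the archive


def iter_frames(pcap_bytes):
    """Yield raw Ethernet frames from a little-endian pcap (link type 1)."""
    magic, _maj, _min, _tz, _sig, _snap, link = struct.unpack("<IHHiIII", pcap_bytes[:24])
    if magic != 0xA1B2C3D4 or link != 1:
        raise ValueError("expected little-endian Ethernet pcap")
    off = 24
    while off + 16 <= len(pcap_bytes):
        _sec, _usec, incl, _orig = struct.unpack("<IIII", pcap_bytes[off:off + 16])
        off += 16
        yield pcap_bytes[off:off + incl]
        off += incl


def tcp_segment(frame):
    """Return (src, sport, dst, dport, seq, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:                          # protocol 6 = TCP
        return None
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    tcp = ip[ihl:total_len]
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    doff = (tcp[12] >> 4) * 4
    return src, sport, dst, dport, seq, tcp[doff:]


def reassemble(pcap_bytes, sport=SMB_PORT):
    """Join, in sequence order, everything the server sent from `sport`, per flow."""
    flows = {}
    for frame in iter_frames(pcap_bytes):
        seg = tcp_segment(frame)
        if seg is None or seg[1] != sport or not seg[5]:
            continue
        src, sp, dst, dp, seq, payload = seg
        flows.setdefault((src, sp, dst, dp), []).append((seq, payload))
    # sorting by seq keeps out-of-order delivery from scrambling the carve
    return {k: b"".join(p for _, p in sorted(v)) for k, v in flows.items()}


def carve_7z(stream):
    """Cut every 7z archive in `stream` to its exact length.

    Start header (32 bytes): magic(6) version(2) StartHeaderCRC(4)
    NextHeaderOffset(8) NextHeaderSize(8) NextHeaderCRC(4).  The archive ends
    at 32 + NextHeaderOffset + NextHeaderSize, so no trailing junk is kept.
    Returns a list of (offset, bytes, start_crc_ok, complete)."""
    hits, pos = [], stream.find(SEVENZ_MAGIC)
    while pos != -1 and pos + 32 <= len(stream):
        hdr = stream[pos:pos + 32]
        start_crc, nh_off, nh_size, _nh_crc = struct.unpack("<IQQI", hdr[8:32])
        crc_ok = (zlib.crc32(hdr[12:32]) & 0xFFFFFFFF) == start_crc
        end = pos + 32 + nh_off + nh_size
        hits.append((pos, stream[pos:end], crc_ok, end <= len(stream)))
        pos = stream.find(SEVENZ_MAGIC, end)
    return hits


def byteswap_port(p):
    """tcpxtract prints ports byte-swapped: 48385 (0xBD01) is really 445 (0x01BD)."""
    return ((p & 0xFF) << 8) | (p >> 8)


def _frame(src, sport, dst, dport, seq, payload):
    """Ethernet/IPv4/TCP frame with zero checksums (enough for parsing)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + tcp
    return b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip


def build_sample_pcap():
    """Constructed capture (not from the real Evidence05.pcap): 172.30.1.214:445
    sends a synthetic 7z (valid start header, dummy packed data and next header)
    to 172.30.1.90:49250 in two segments delivered out of order."""
    body, next_hdr = b"\x00" * 40, b"\x01\x04\x06\x00"
    tail = struct.pack("<QQI", len(body), len(next_hdr), zlib.crc32(next_hdr))
    archive = SEVENZ_MAGIC + b"\x00\x04" + struct.pack("<I", zlib.crc32(tail)) + tail + body + next_hdr
    payload = PREFIX + archive + b"trailing-bytes"
    srv, cli = "172.30.1.214", "172.30.1.90"
    frames = [
        _frame(cli, 49250, srv, SMB_PORT, 500, b"SMB-READ-ANDX-REQUEST"),   # client side, ignored
        _frame(srv, SMB_PORT, cli, 49250, 1030, payload[30:]),              # second half arrives first
        _frame(srv, SMB_PORT, cli, 49250, 1000, payload[:30]),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    for (src, sp, dst, dp), data in reassemble(build_sample_pcap()).items():
        for off, blob, crc_ok, done in carve_7z(data):
            print(f"{src}:{sp} -> {dst}:{dp}: 7z at {off}, {len(blob)} bytes, "
                  f"start-header CRC {'ok' if crc_ok else 'BAD'}, complete={done}")
```

To use it on a real capture, replace `build_sample_pcap()` with the bytes of a pcap that has already been filtered to port 445 (as the tcpdump step above does) and write each carved blob to a `.7z` file; a `complete=False` result means the capture ended before the archive's next header, so the extract will fail regardless of the password.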