Skip to main content

PacketMaze

📅 Published: 2026-04-18 20:11 | 🔄 Last Updated: 2026-05-11 17:52


https://cyberdefenders.org/blueteam-ctf-challenges/packetmaze/

Basic triage​

192.168.1.26 (windows)172.67.162.206172.67.162.206 [dfir.science]
192.168.1.20
185.70.41.130185.70.41.130 [mail.protonmail.com]
23.51.191.3523.51.191.35 [e10370.g.akamaiedge.net]
185.70.41.35185.70.41.35 [protonmail.com]
142.250.190.132142.250.190.132 [www.google.com]
159.65.89.65159.65.89.65 [www.7-zip.org] [7-zip.org]

Q1 What is the FTP password?​

use the filter: ftp

192.168.1.26 192.168.1.26 192.168.1.20 FTP kali AfricaCTF2021 Unknown 2021-04-30 01:01:26 UTC+00

AfricaCTF2021

Q2 What is the IPv6 address of the DNS server used by 192.168.1.26?​

use the filter: dns → figure out the DNS server ipv4 is: 192.168.1.10

We can also extract the mac address is: Destination: ca:0b:ad:ad:20:ba eth.addr == ca:0b:ad:ad:20:ba && ipv6

fe80::c80b:adff:feaa:1db7

Q3 What domain is the user looking up in packet 15174?​

www.7-zip.org: type A, class IN

Q4 How many UDP packets were sent from 192.168.1.26 to 24.39.217.246?​

ip.src == 192.168.1.26 && ip.dst==24.39.217.246

10

Q5 What is the MAC address of the system under investigation in the PCAP file?​

From Q2 we can also find out the MAC of 192.168.1.26 (windows)

Ethernet II, Src: Intel_57:47:93 (c8:09:a8:57:47:93), Dst: ca:0b:ad:ad:20:ba (ca:0b:ad:ad:20:ba)

c8:09:a8:57:47:93

Q6 What was the camera model name used to take picture 20210429_152157.jpg?​

use networkminer to find the image, then view the image’s properties

LM-Q725K

Q7 What is the ephemeral public key provided by the server during the TLS handshake in the session with the session ID: da4a0000342e4b73459d7360b4bea971cc303ac18d29b99067e46d16cc07f4ff?​

tls.handshake.session_id == da4a0000342e4b73459d7360b4bea971cc303ac18d29b99067e46d16cc07f4ff

Look for pubkey in packet detail

Pubkey: 04edcc123af7b13e90ce101a31c2f996f471a7c8f48a1b81d765085f548059a550f3f4f62ca1f0e8f74d727053074a37bceb2cbdc7ce2a8994dcd76dd6834eefc5438c3b6da929321f3a1366bd14c877cc83e5d0731b7f80a6b80916efd4a23a4d

Q8 What is the first TLS 1.3 client random that was used to establish a connection with protonmail.com?​

I use google and search for: tls version wireshark filter

  • TLS 1.3: tls.handshake.version == 0x0304 or tls.version == 0x0304
  • TLS 1.2: tls.handshake.version == 0x0303 or tls.version == 0x0303

But it doesn’t work. So i brute force it using filter: tls and discover the true filter:

  • _ws.col.protocol == "TLSv1.3”
  • _ws.col.protocol == "TLSv1.3" && tls.handshake.type==1 && tls contains "protonmail.com"

24e92513b97a0348f733d16996929a79be21b0b1400cd7e2862a732ce7775b70

Q9 Which country is the manufacturer of the FTP server’s MAC address registered in?​

use the filter: ftp

⇒ 192.168.1.20 FTP server and find the MAC address.

Destination: PCSSystemtec_a6:1f:86 (08:00:27:a6:1f:86)

United States

Q10 What time was a non-standard folder created on the FTP server on the 20th of April?​

i found a message: “Here comes the directory listing” → follow tcp stream

Check the next stream

17:53

Q11 What URL was visited by the user and connected to the IP address 104.21.89.171?​

ip.addr==104.21.89.171 && http

http://dfir.science/