
PacketMaze


Q1 What is the FTP password?

Credentials row: client 192.168.1.26, server 192.168.1.20, protocol FTP, username kali, password AfricaCTF2021, valid login Unknown, timestamp 2021-04-30 01:01:26 UTC+00

Q2 What is the IPv6 address of the DNS server used by 192.168.1.26?

We find that the DNS server is 192.168.1.10, then take the MAC address and search with `eth.addr == ca:0b:ad:ad:20:ba && ipv6`.

fe80::c80b:adff:feaa:1db7

Q3 What domain is the user looking up in packet 15174?

www.7-zip.org: type A, class IN

Q4 How many UDP packets were sent from 192.168.1.26 to 24.39.217.246?

ip.src == 192.168.1.26 && ip.dst == 24.39.217.246 && udp

Q5 What is the MAC address of the system under investigation in the PCAP file?

Ethernet II, Src: ca:0b:ad:ad:20:ba (ca:0b:ad:ad:20:ba), Dst: Intel_57:47:93 (c8:09:a8:57:47:93)

Q6 What was the camera model name used to take picture 20210429_152157.jpg?

Q7 What is the ephemeral public key provided by the server during the TLS handshake in the session with the session ID: da4a0000342e4b73459d7360b4bea971cc303ac18d29b99067e46d16cc07f4ff?

tls.handshake.session_id == da4a0000342e4b73459d7360b4bea971cc303ac18d29b99067e46d16cc07f4ff

Look for the packet whose Info column reads Server Key Exchange. This is where the server sends its Diffie-Hellman (ECDHE) parameters, including the ephemeral public key.

Pubkey: 04edcc123af7b13e90ce101a31c2f996f471a7c8f48a1b81d765085f548059a550f3f4f62ca1f0e8f74d727053074a37bceb2cbdc7ce2a8994dcd76dd6834eefc5438c3b6da929321f3a1366bd14c877cc83e5d0731b7f80a6b80916efd4a23a4d

Q8 What is the first TLS 1.3 client random that was used to establish a connection with protonmail.com?

  • TLS 1.3: tls.handshake.version == 0x0304 or tls.version == 0x0304
  • TLS 1.2: tls.handshake.version == 0x0303 or tls.version == 0x0303
  • _ws.col.protocol == "TLSv1.3"
  • _ws.col.protocol == "TLSv1.3" && tls.handshake.type==1 && tls contains "protonmail.com"

24e92513b97a0348f733d16996929a79be21b0b1400cd7e2862a732ce7775b70

Q9 Which country is the manufacturer of the FTP server’s MAC address registered in?

192.168.1.20 FTP server

  • Vendor: Oracle Corporation
  • Prefix (OUI): 08:00:27
  • Specific use: this is the default MAC address range reserved for virtual machines running on VirtualBox.
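The IPv6 answer in Q2 and the MAC questions in Q5 and Q9 are linked by EUI-64: a SLAAC link-local address embeds the interface's MAC, so the two can be checked against each other, and the OUI is only meaningful when the MAC is globally administered. The helpers below are an added example for this writeup (not part of the original post); the MAC and link-local values used are the ones quoted in the questions above, and the 08:00:27 sample MAC is constructed.

```python
"""EUI-64 and OUI helpers for tying IPv6 link-local addresses back to MAC addresses."""
import ipaddress
from typing import Optional


def mac_to_link_local(mac: str) -> str:
    """Derive the EUI-64 link-local address a host autoconfigures from its MAC."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac}")
    # Insert ff:fe in the middle and flip the universal/local bit of the first octet.
    eui64 = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui64[0] ^= 0x02
    return str(ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + bytes(eui64)))


def link_local_to_mac(addr: str) -> Optional[str]:
    """Recover the MAC from an EUI-64 link-local address.

    Returns None when the interface identifier is not EUI-64 formed (for example a
    privacy/random identifier), so the caller does not treat it as a MAC.
    """
    ip = ipaddress.IPv6Address(addr)
    if not ip.is_link_local:
        raise ValueError(f"not a link-local address: {addr}")
    iid = bytearray(ip.packed[8:])
    if iid[3:5] != b"\xff\xfe":
        return None
    iid[0] ^= 0x02  # undo the universal/local bit flip
    return ":".join(f"{b:02x}" for b in bytes(iid[:3] + iid[5:]))


def oui_info(mac: str) -> dict:
    """Split out the OUI and the I/G and U/L flag bits of the first octet.

    A locally administered MAC (U/L bit set) has no registered manufacturer, so a
    vendor lookup on its first three octets is meaningless.
    """
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac}")
    return {
        "oui": ":".join(f"{b:02x}" for b in octets[:3]),
        "multicast": bool(octets[0] & 0x01),
        "locally_administered": bool(octets[0] & 0x02),
    }


if __name__ == "__main__":
    print(mac_to_link_local("ca:0b:ad:ad:20:ba"))      # host under investigation (Q5)
    print(link_local_to_mac("fe80::c80b:adff:feaa:1db7"))  # DNS server from Q2
    print(oui_info("ca:0b:ad:ad:20:ba"))
```

Run against the Q2 address, the script shows the DNS server's MAC differs from the investigated host's, and that the host's ca:0b:ad prefix is locally administered and therefore not an OUI to look up for Q9-style questions.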

Q10 What time was a non-standard folder created on the FTP server on the 20th of April?

Q11 What URL was visited by the user and connected to the IP address 104.21.89.171?

http://dfir.science/