Advent of Cyber 2 TryHackMe [Day 7] The Grinch Really Did Steal Christmas
Today I am going to do a walkthrough of Advent of Cyber 2, day 7.
As the first step, download the pcap files provided on the TryHackMe website. To view these files you need software that can display network packets; here I am going to use the tool called Wireshark.
Here is the link to download Wireshark:
Open “pcap1.pcap” in Wireshark. What is the IP address that initiates an ICMP/ping?
In the filter bar type `icmp` and the results are shown as in fig-1.
The initiating IP address is found in the first packet, which lists the source IP as 10.11.3.2, so the answer is 10.11.3.2.
If we only wanted to see HTTP GET requests in our “pcap1.pcap” file, what filter would we use?
This is the general format for filtering on a request method of any protocol:
<protocol>.request.method == <option>
So the answer is http.request.method == GET
Now apply this filter to “pcap1.pcap” in Wireshark, what is the name of the article that the IP address “10.10.67.199” visited?
To find the visited pages I use the same filter as in the previous part and append an extra condition, so I get a clearer view of the pcap file.
You can see that I added this to the previous filter:
&& ip.addr == 10.10.67.199
The hint mentions that the website has a directory called posts, and in that directory there is a page called reindeer-of-the-week.
So the answer is reindeer-of-the-week
Let’s begin analysing “pcap2.pcap”. Look at the captured FTP traffic; what password was leaked during the login process?
The question mentions FTP, so in the filter bar enter `ftp` to see all the FTP packets in the capture.
Going through them you can see a packet carrying the PASS command; FTP sends the password in plain text.
So the answer is plaintext_password_fiasco
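As an added example that is not part of this walkthrough or the room, the Python below parses a small constructed pcap (not the room's pcap files) using only the standard library and applies the same checks as the Wireshark filters used above: HTTP GET requests, optionally limited to one address as with `ip.addr`, and FTP PASS commands that expose a cleartext password. The addresses are borrowed from the page; the credential, request path and second server address are made up.

```python
import struct
from ipaddress import IPv4Address

# Constructed sample capture (not the room's pcap files): Ethernet/IPv4/TCP
# frames carrying one FTP login and one HTTP GET, with a made-up credential.
def frame(src, dst, sport, dport, payload):
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed) + tcp
    eth = b"\x00" * 12 + b"\x08\x00" + ip            # MACs zeroed, EtherType IPv4
    return struct.pack("<IIII", 0, 0, len(eth), len(eth)) + eth   # pcap record header

SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join([
    frame("10.11.3.2", "10.10.67.199", 40000, 21, b"USER elf\r\n"),
    frame("10.11.3.2", "10.10.67.199", 40000, 21, b"PASS hunter2\r\n"),
    frame("10.10.67.199", "203.0.113.5", 40001, 80,
          b"GET /posts/example-article/ HTTP/1.1\r\nHost: example.com\r\n\r\n"),
])

def tcp_segments(pcap):
    """Yield (src_ip, dst_ip, dst_port, payload) for every TCP segment in a pcap."""
    endian = "<" if struct.unpack("<I", pcap[:4])[0] == 0xA1B2C3D4 else ">"
    off = 24                                         # skip the pcap global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "IIII", pcap[off:off + 16])[2]
        pkt = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if pkt[12:14] != b"\x08\x00" or pkt[23] != 6:  # IPv4 over Ethernet, TCP only
            continue
        ip = pkt[14:]
        ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
        tcp = ip[ihl:total_len]                      # drops any Ethernet trailer
        dport = struct.unpack("!H", tcp[2:4])[0]
        data_off = (tcp[12] >> 4) * 4
        yield str(IPv4Address(ip[12:16])), str(IPv4Address(ip[16:20])), dport, tcp[data_off:]

def cleartext_findings(pcap, host=None):
    """Report FTP PASS leaks and HTTP GET paths, optionally limited to one
    address (like 'ip.addr == host'). The password itself is never echoed."""
    findings = []
    for src, dst, dport, data in tcp_segments(pcap):
        if host and host not in (src, dst):
            continue
        if dport == 21 and data.startswith(b"PASS "):
            findings.append(f"FTP cleartext password {src} -> {dst} ({len(data.strip()) - 5} chars)")
        elif dport == 80 and data.startswith(b"GET "):
            findings.append(f"HTTP GET {data.split(b' ', 2)[1].decode()} from {src}")
    return findings
```

Point `tcp_segments` at the bytes of a real capture to get the same report over the room's files; anything flagged under FTP is a credential that should be rotated and moved to SFTP or FTPS.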
Continuing with our analysis of “pcap2.pcap”, what is the name of the protocol that is encrypted?
This capture contains many packets using different protocols to transfer data over the network; the only encrypted protocol here is SSH.
So the answer is SSH
Analyse “pcap3.pcap” and recover Christmas! What is on Elf McSkidy’s wishlist that will be used to replace Elf McEager?
When the elves transfer a file in this pcap they must use HTTP, so apply the filter http.request.method.
You can see there are two packets; if you follow the TCP stream of the second packet you can see a file called wishlist.txt, but it is in an encoded format, so the file must be extracted from the second packet.
Now we need to extract the file from the second packet.
To do this, select the second packet and go to File → Export Objects → HTTP. You will get a window like the one shown; select the Christmas.zip file and press Save, and the zip file will be saved on your PC.
This is the wishlist, so the answer is Rubber Ducky