# Host & Network Penetration Testing: Network-Based Attacks CTF 1

Network and host-based penetration testing often involves analyzing and uncovering details about services, vulnerabilities, and potential points of compromise. This lab focuses on the analysis side of an intrusion: examining captured traffic to identify malicious activity, investigating the infected host, and extracting key artifacts with forensic techniques.

In this scenario, a network has been compromised, and your objective is to analyze the captured network traffic to extract key information about the attack. You will use Wireshark to examine the activity and identify the malicious actions, the affected system, and the associated artifacts.

In this lab environment, you have GUI access to a Kali machine that holds the captured packet file **test.pcap**.

**Objective:** Use network analysis techniques to identify and capture the following flags related to the infection and attack:

* **Flag 1:** What is the domain name (in the form abcd.site) accessed by the infected user that returned a 200 OK response code?
* **Flag 2:** What are the IP address and MAC address of the infected Windows client?
* **Flag 3:** Which Wireshark filter can you use to determine the victim’s hostname from NetBIOS Name Service traffic, and what is the detected hostname for this malware infection?
* **Flag 4:** Which user got infected and ran the mystery\_file.ps1 PowerShell script?
* **Flag 5:** What User-Agent string indicates the traffic generated by a PowerShell script?
* **Flag 6:** Which wallet extension ID is associated with the Coinbase wallet?

### **Flag 1:** What is the domain name accessed by the infected user that returned a 200 OK response code?

```
1. Open test.pcap in Wireshark.
2. Apply the display filter: http.response.code == 200
3. Select a matching packet and expand the Hypertext Transfer Protocol section.
4. Read the Request URI field that Wireshark adds to the response: http://623start.site/?status=install
5. The flag is the domain part only: 623start.site
```

If more than one response matches the filter, check the Request URI of each one; the flag is the domain that served the infected client's request.

<figure><img src="https://755681241-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fa5rXMZ1JAQhUeS7TtZkM%2Fuploads%2FJGMA0py6N4irkvd7aH0z%2FScreenshot_2.png?alt=media&#x26;token=f7204c5e-2d08-4c8c-a5e2-048c3931262f" alt=""><figcaption></figcaption></figure>

{% hint style="info" %}
623start.site
{% endhint %}

### **Flag 2:** What are the IP address and MAC address of the infected Windows client?

To identify the infected Windows client, start from the HTTP traffic. Apply the following display filter in Wireshark: `http`

This lists every HTTP request and response; the host that sent the requests from Flag 1 is the infected client.

<figure><img src="https://755681241-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fa5rXMZ1JAQhUeS7TtZkM%2Fuploads%2Fp3MOWlZ2LiZ1c8H01Dby%2Fimage.png?alt=media&#x26;token=be435926-7db7-438f-8c89-c14034a85567" alt=""><figcaption></figcaption></figure>

Near the top of the list there is a request that mentions Windows Defender. Its source address (Internet Protocol Version 4 ➝ Source Address) is the infected client: 10.7.10.47.

To find the MAC address, expand the Ethernet II section of the same packet and note the Source field. Keep in mind that this is only the client's own MAC if the capture was taken on the client's local segment; across a router you would see the router's interface MAC instead.

<figure><img src="https://755681241-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fa5rXMZ1JAQhUeS7TtZkM%2Fuploads%2FwEO98Bmjsx5ydnzq9R2Y%2Fimage.png?alt=media&#x26;token=da13151d-3d3a-475c-9920-a379ab18024e" alt=""><figcaption></figcaption></figure>

```
1. Select one of the client's packets and expand:
2. Ethernet II ➝ Source: the client's MAC address
3. Internet Protocol Version 4 ➝ Source Address: the client's IP address
```

{% hint style="info" %}
10.7.10.47, 80:86:5b:ab:1e:c4
{% endhint %}
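As an added example (not part of the original write-up), here are the Flag 1 and Flag 2 lookups done without the GUI: a small pure-Python pcap reader that pairs each HTTP request with the response on the same TCP connection, then reports the Host and URI of every exchange that returned 200 together with the source IP and MAC of the client that sent the request. The capture it parses is constructed inline from the page's infected-client identifiers; the server addresses, ports and the second (404) exchange are made up, and the reader handles only classic little-endian pcap over Ethernet/IPv4/TCP with HTTP messages that fit in one segment.

```python
"""Pair HTTP requests with responses in a classic pcap using only the stdlib.

Supports little-endian pcap (not pcapng), Ethernet II + IPv4 + TCP, and
HTTP messages that fit in one segment, which is enough for beacon traffic.
"""
import struct
from collections import namedtuple

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ")
Packet = namedtuple("Packet", "src_mac dst_mac src_ip dst_ip sport dport payload")


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def iter_pcap(data):
    """Yield the raw frame bytes of each record in the pcap file."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("only little-endian classic pcap is handled here")
    off = 24  # skip the global header
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from("<IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def parse_tcp_packet(frame):
    """Decode Ethernet II / IPv4 / TCP headers; return None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    tcp = 14 + (frame[14] & 0x0F) * 4          # IPv4 header length (IHL)
    sport, dport = struct.unpack_from("!HH", frame, tcp)
    data_off = (frame[tcp + 12] >> 4) * 4      # TCP header length
    return Packet(mac_str(frame[6:12]), mac_str(frame[0:6]),
                  ip_str(frame[26:30]), ip_str(frame[30:34]),
                  sport, dport, frame[tcp + data_off:])


def http_exchanges(pcap_bytes):
    """Return one dict per request/response pair, in response order."""
    pending, exchanges = {}, []   # (client_ip, sport, server_ip, dport) -> request
    for frame in iter_pcap(pcap_bytes):
        pkt = parse_tcp_packet(frame)
        if pkt is None or not pkt.payload:
            continue
        if pkt.payload.startswith(HTTP_METHODS):
            lines = pkt.payload.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
            headers = {k.lower(): v for k, v in
                       (line.split(": ", 1) for line in lines[1:] if ": " in line)}
            pending[(pkt.src_ip, pkt.sport, pkt.dst_ip, pkt.dport)] = {
                "client_ip": pkt.src_ip, "client_mac": pkt.src_mac,
                "host": headers.get("host"), "uri": lines[0].split(" ")[1]}
        elif pkt.payload.startswith(b"HTTP/"):
            # the response travels server -> client, so the key is reversed
            req = pending.pop((pkt.dst_ip, pkt.dport, pkt.src_ip, pkt.sport), None)
            if req is not None:
                req["status"] = int(pkt.payload.split(b" ", 2)[1])
                exchanges.append(req)
    return exchanges


def exchanges_with_status(pcap_bytes, status):
    return [e for e in http_exchanges(pcap_bytes) if e["status"] == status]


# --- constructed capture: the page's client identifiers, made-up servers ---
def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    eth = (bytes.fromhex(dst_mac.replace(":", "")) +
           bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00")
    ip4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                      bytes(int(o) for o in src_ip.split(".")),
                      bytes(int(o) for o in dst_ip.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip4 + tcp + payload


def build_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out


CLIENT_MAC, CLIENT_IP = "80:86:5b:ab:1e:c4", "10.7.10.47"      # values from the page
GW_MAC, SERVER_IP, OTHER_IP = "00:11:22:33:44:55", "203.0.113.10", "203.0.113.20"  # constructed
SAMPLE_PCAP = build_pcap([
    build_frame(CLIENT_MAC, GW_MAC, CLIENT_IP, SERVER_IP, 49711, 80,
                b"GET /?status=install HTTP/1.1\r\nHost: 623start.site\r\n"
                b"User-Agent: Mozilla/5.0\r\n\r\n"),
    build_frame(GW_MAC, CLIENT_MAC, SERVER_IP, CLIENT_IP, 80, 49711,
                b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"),
    build_frame(CLIENT_MAC, GW_MAC, CLIENT_IP, OTHER_IP, 49712, 80,
                b"GET /check HTTP/1.1\r\nHost: other.invalid\r\n\r\n"),
    build_frame(GW_MAC, CLIENT_MAC, OTHER_IP, CLIENT_IP, 80, 49712,
                b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n"),
])

if __name__ == "__main__":
    for e in exchanges_with_status(SAMPLE_PCAP, 200):
        print(f"{e['client_ip']} ({e['client_mac']}) -> http://{e['host']}{e['uri']} : {e['status']}")
```

To run it against the lab file, pass `open("test.pcap", "rb").read()` to `exchanges_with_status`; if Wireshark saved the capture as pcapng (magic bytes `0a 0d 0d 0a`), the reader refuses it rather than misparsing. The tshark equivalent of the same pairing is `tshark -r test.pcap -Y 'http.response.code == 200' -T fields -e ip.dst -e eth.dst -e http.response_for.uri`, where the client shows up as the destination because the line is the server's response.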

### **Flag 3:** Which Wireshark filter can you use to determine the victim’s hostname from NetBIOS Name Service traffic, and what is the detected hostname for this malware infection?

```
1. Apply the display filter: nbns
2. Expand the NetBIOS Name Service section and read the Name field of the query or registration
```

The name is shown with a service suffix, for example `DESKTOP-9PEA63H<00>`; the hostname is the part before the suffix. Because every Windows host on the segment broadcasts its own NetBIOS name, confirm you are reading the infected client's registration and not a neighbour's by narrowing the filter to `nbns && ip.src == 10.7.10.47`.

<figure><img src="https://755681241-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fa5rXMZ1JAQhUeS7TtZkM%2Fuploads%2FydCRkfMtI74vkTwgrQWY%2Fimage.png?alt=media&#x26;token=605cb5c3-18eb-419c-a325-5c407288507c" alt=""><figcaption></figcaption></figure>

{% hint style="info" %}
nbns, DESKTOP-9PEA63H
{% endhint %}
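As an added example (not from the original write-up), this is the encoding Wireshark undoes for you when it shows the Name field: a NetBIOS name is 16 bytes (15 characters space-padded plus a service suffix byte), and NBNS "first-level encodes" it by splitting each byte into two nibbles and adding `A` to each, giving a 32-letter label in the range A-P. The decoder below parses the question section of an NBNS packet; the packet it parses is a constructed name query for the page's hostname, not a frame from test.pcap, and the transaction ID and flags are made up.

```python
"""Decode the first-level encoded NetBIOS name inside an NBNS (UDP/137) packet.

A NetBIOS name is 16 bytes: up to 15 characters padded with spaces plus a
suffix byte naming the service. NBNS encodes each byte as two nibbles with
'A' (0x41) added, so the wire form is 32 letters in the range A-P.
"""
import struct

SUFFIX_NAMES = {0x00: "Workstation/Redirector", 0x03: "Messenger service",
                0x20: "Server service", 0x1B: "Domain Master Browser"}


def encode_netbios_name(name, suffix=0x00):
    raw = name.upper().encode("ascii").ljust(15, b" ") + bytes([suffix])
    return b"".join(bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)]) for b in raw)


def decode_netbios_name(encoded):
    """Return (hostname, suffix) from the 32-byte encoded label."""
    if len(encoded) != 32 or any(c < 0x41 or c > 0x50 for c in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].rstrip(b" ").decode("ascii"), raw[15]


def nbns_names(payload):
    """Return (hostname, suffix) for every name in the NBNS question section."""
    _txid, _flags, qdcount, _an, _ns, _ar = struct.unpack_from("!6H", payload, 0)
    off, names = 12, []
    for _ in range(qdcount):
        labels = []
        while payload[off] != 0:            # labels: encoded name, then scope
            length = payload[off]
            labels.append(payload[off + 1:off + 1 + length])
            off += 1 + length
        off += 1 + 4                        # terminating zero, QTYPE, QCLASS
        names.append(decode_netbios_name(labels[0]))
    return names


def describe_names(payload):
    """Wireshark-style rendering, e.g. 'DESKTOP-9PEA63H<00> (Workstation/Redirector)'."""
    return [f"{n}<{s:02x}> ({SUFFIX_NAMES.get(s, 'unknown')})" for n, s in nbns_names(payload)]


# --- constructed NBNS name query for the page's hostname (not from test.pcap) ---
def build_nbns_query(hostname, suffix=0x00, txid=0x8A3B):
    question = (b"\x20" + encode_netbios_name(hostname, suffix) + b"\x00"
                + struct.pack("!HH", 0x0020, 0x0001))        # type NB, class IN
    return struct.pack("!6H", txid, 0x0110, 1, 0, 0, 0) + question  # query, broadcast, RD


SAMPLE_NBNS = build_nbns_query("DESKTOP-9PEA63H")

if __name__ == "__main__":
    print(describe_names(SAMPLE_NBNS))
```

The suffix matters when several names appear for one host: `<00>` and `<20>` are the workstation and server services of the machine itself, while `<1b>` or `<1d>` entries name a domain or browser role rather than the hostname.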

### **Flag 4:** Which user got infected and ran the mystery\_file.ps1 PowerShell script?

To find this, clear all filters and press **CTRL+F** to open the search bar.

<figure><img src="https://miro.medium.com/v2/resize:fit:875/1*8vJ8XqK3Ee6NNKLJGt8F6Q.png" alt="" height="88" width="700"><figcaption></figcaption></figure>

Change the search type from **Display filter** to **String**, enter the file name you are looking for, `mystery_file.ps1`, set the search scope on the left of the **Find** bar to **Packet bytes**, and click **Find**.

<figure><img src="https://miro.medium.com/v2/resize:fit:875/1*15d2SYxiu_jThxeuaHFALQ.png" alt="" height="290" width="700"><figcaption></figcaption></figure>

In the packet bytes pane, right-click and copy the content **as Printable Text** (Follow ➝ TCP Stream on the same packet works too and gives you the whole script in one view).

<figure><img src="https://miro.medium.com/v2/resize:fit:875/1*h26-TO3dLDxMmiJPGDF5ig.png" alt="" height="310" width="700"><figcaption></figcaption></figure>

Paste the content into a text editor and read through the script; the user it was run as appears in it: `rwalters`.

{% hint style="info" %}
rwalters
{% endhint %}

### **Flag 5:** What User-Agent string indicates the traffic generated by a PowerShell script?

To find this, press **CTRL+F**, set the search type to **String**, type `PowerShell`, set the scope on the left of the **Find** bar to **Packet details**, and click **Find**.

<figure><img src="https://miro.medium.com/v2/resize:fit:875/1*JWuzD-SZiTUXp0OtBgSuzg.png" alt="" height="293" width="700"><figcaption></figcaption></figure>

Expand the **Hypertext Transfer Protocol** section and copy the `User-Agent` from there.

<figure><img src="https://miro.medium.com/v2/resize:fit:875/1*opYo1JorP5EaLJ9BRNKq_w.png" alt="" height="288" width="700"><figcaption></figcaption></figure>

Note that the entire **User-Agent** string is not the answer; the flag is only the PowerShell product token, which is `WindowsPowerShell`.

{% hint style="info" %}
WindowsPowerShell
{% endhint %}

### **Flag 6:** Which wallet extension ID is associated with the Coinbase wallet?

To find this, press **CTRL+F**, set the search type to **String**, type `Coinbase`, set the scope to **Packet bytes**, and click **Find**.

<figure><img src="https://755681241-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fa5rXMZ1JAQhUeS7TtZkM%2Fuploads%2FWW3mSzlv7vy04JdjvyBN%2Fimage.png?alt=media&#x26;token=1d59a33b-5f8b-4a34-ba84-ea50b86bd5bb" alt=""><figcaption></figcaption></figure>

This lands on a request that mentions Coinbase. Right-click it and select **Follow ➝ TCP Stream** (Ctrl+Alt+Shift+T).

<figure><img src="https://755681241-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fa5rXMZ1JAQhUeS7TtZkM%2Fuploads%2FRt3T6C7G6SNT8aF4OojK%2Fimage.png?alt=media&#x26;token=31b41ee6-4fc6-407c-ad00-2f637da7ba49" alt=""><figcaption></figcaption></figure>

The stream shows the extension ID the script associates with the Coinbase wallet, which is the last flag. A quick sanity check: Chrome extension IDs are always 32 lowercase letters from the range a to p, so anything that does not match that pattern is not the ID.

<figure><img src="https://755681241-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fa5rXMZ1JAQhUeS7TtZkM%2Fuploads%2FhYGCZ8hGNDIhC5K1W9lk%2Fimage.png?alt=media&#x26;token=956d3691-f578-42e1-b17c-e60a1df50f2a" alt=""><figcaption></figcaption></figure>

{% hint style="info" %}
hnfanknocfeofbddgcijnmhnfnkdnaad
{% endhint %}
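Flags 4, 5 and 6 were all found the same way: a string search over packet bytes, then reading the printable text around the hit. As an added example (not part of the original write-up), here is that workflow as Python over the raw capture bytes, plus the three extractions that follow from it: the username from a Windows profile path, the PowerShell product token from the User-Agent header, and any Chrome extension ID near the wallet name. The sample bytes are constructed: the script body is a stand-in and not the real mystery_file.ps1, the User-Agent is in the format PowerShell's Invoke-WebRequest sends, and the extension ID is the page's flag. The profile-path regex is an assumption about how the username appears; in the real script it may appear elsewhere, which is why the printable-context helper is there.

```python
"""Wireshark's Find -> String -> Packet bytes, done over the raw capture file.

Searching the file bytes directly works on any capture format and across
TCP segments, as long as the string itself is not split at a segment edge.
"""
import re
import string

PRINTABLE = set(string.printable.encode()) - {0x0B, 0x0C}


def printable_context(data, needle, width=120):
    """Printable text around every hit, like 'Copy ... as Printable Text'."""
    hits = []
    for m in re.finditer(re.escape(needle), data):
        chunk = data[max(0, m.start() - width):m.end() + width]
        hits.append(bytes(b if b in PRINTABLE else 0x2E for b in chunk).decode("ascii"))
    return hits


# Assumption: the script names a Windows profile directory such as C:\Users\<name>\...
USER_PATH = re.compile(rb"[A-Za-z]:\\Users\\([^\\\s\"']+)")


def users_mentioned(data):
    return sorted({m.group(1).decode("ascii") for m in USER_PATH.finditer(data)})


UA_HEADER = re.compile(rb"User-Agent: ([^\r\n]+)")


def powershell_user_agents(data):
    """(full User-Agent values mentioning PowerShell, product tokens without version)."""
    uas = {m.group(1).decode("latin-1") for m in UA_HEADER.finditer(data)
           if b"PowerShell" in m.group(1)}
    tokens = {t.split("/")[0] for ua in uas for t in ua.split() if "PowerShell" in t}
    return sorted(uas), sorted(tokens)


EXT_ID = re.compile(rb"\b[a-p]{32}\b")   # Chrome extension IDs: 32 letters from a-p


def extension_ids_near(data, keyword, window=200):
    """Extension IDs within `window` bytes of a keyword such as the wallet name."""
    ids = set()
    for m in re.finditer(re.escape(keyword), data, re.IGNORECASE):
        region = data[max(0, m.start() - window):m.end() + window]
        ids.update(x.decode("ascii") for x in EXT_ID.findall(region))
    return sorted(ids)


# --- constructed sample: a download of the script followed by a stand-in body ---
SAMPLE_CAPTURE_BYTES = (
    b"\x00\x11\xfe\xedGET /mystery_file.ps1 HTTP/1.1\r\nHost: 623start.site\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) "
    b"WindowsPowerShell/5.1.19041.1\r\n\r\n"
    b"\x00\x00\xde\xadHTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
    b"# stand-in for mystery_file.ps1, not the real script\r\n"
    b"$wallets = @{ 'Coinbase Wallet' = 'hnfanknocfeofbddgcijnmhnfnkdnaad' }\r\n"
    b"$src = 'C:\\Users\\rwalters\\AppData\\Local\\Google\\Chrome\\User Data\\Default'\r\n"
)

if __name__ == "__main__":
    print(users_mentioned(SAMPLE_CAPTURE_BYTES))
    print(powershell_user_agents(SAMPLE_CAPTURE_BYTES))
    print(extension_ids_near(SAMPLE_CAPTURE_BYTES, b"Coinbase"))
    for hit in printable_context(SAMPLE_CAPTURE_BYTES, b"mystery_file.ps1", 60):
        print(hit)
```

Run it on the lab file with `data = open("test.pcap", "rb").read()`. The product token comes out as `WindowsPowerShell` because the Invoke-WebRequest User-Agent carries it as `WindowsPowerShell/<version>`; a script that sets its own User-Agent would not be caught by this, so treat a miss as "not the default UA" rather than "no PowerShell".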

