Disclaimer: This CTF scenario is satirical and doesn't represent anyone's opinion, about anything.
This is a network forensics CTF I set up recently for a team training event. It was well received and I think it is a bit of a laugh and challenge for a range of experience levels. I hope you enjoy it!
Background: You're an agent with a government law enforcement agency. You've been tracking a group of criminal hackers known as "TufMups". This group either keeps a low profile, your agency's capacity to run investigations on the internet is very poor, or some combination of those two factors. Up until two days ago you had an active relationship with an informant who went by the handle "K3anu". As you walked into your office you received a package containing a flash drive, a printed screenshot (at the top of this blog post) and a very short note.
"Review this PCAP. It will all make sense. Woaaahhhh. - K3anu"
That package was the last you heard from K3anu.
DOWNLOAD EVIDENCE LINK <-- Everything you need to answer the questions is in the PCAP. There is a server I left up which you can use to get a couple flags, but it's not intended to be hackable. It may be more fun to get the flag(s) directly from the webserver - so I'll leave it up!
If you're approaching this new to either CTF or analyzing PCAPs I have a couple of tips:
- Use CyberChef and love it. I have a blogpost about it here.
- Know and love Wireshark. There are other ways to approach a PCAP challenge by replaying the cap through Bro/Suricata/VortexIDS (thx to D.K. for this tip) or summarizing with another command line tool like TShark, but that isn't totally necessary.
- Find a tool to help crack zip files, think about both brute force and dictionary attacks as viable strategies. There might be one in Kali Linux, and on other Linux distributions it may be just an "apt install" away :D.
- Metadata is always useful - make sure you have a tool to check for it.
- Read ahead through the questions if you're getting stuck. Use the screenshot at the top of the post as a starting point. Hit me up on Twitter for hints @securitymustard or to berate me.
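To show what "summarizing" a capture on the command line looks like without leaning on Wireshark or TShark, here is an added example that is not part of the original post or the CTF evidence: a minimal libpcap reader in pure Python that walks the packet records, decodes Ethernet/IPv4/TCP-or-UDP headers, and counts conversations and destination ports. The capture it parses is constructed inline by a small frame builder (the IPs, ports and MACs are made up and the IP/TCP checksums are left at zero, which is fine for parsing), so it runs offline; point `summarize()` at the bytes of a real capture to get the same view of who talked to whom.

```python
"""Minimal libpcap reader that summarizes IPv4 TCP/UDP conversations (standard library only)."""
import struct
from collections import Counter

ETHERTYPE_IPV4 = 0x0800
PROTO_NAMES = {6: "tcp", 17: "udp"}


def _frame(src_ip, dst_ip, proto, sport, dport, payload=b""):
    """Build a constructed Ethernet/IPv4 + TCP or UDP frame (test data, not real traffic)."""
    if proto == 6:
        # src port, dst port, seq, ack, data offset (5 words), flags PSH|ACK, window, cksum, urg
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    l4 += payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + l4


def build_pcap(frames):
    """Wrap frames in a little-endian libpcap file (magic 0xa1b2c3d4, link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_600_000_000 + i, 0, len(f), len(f)) + f
    return out


def iter_packets(data):
    """Yield (timestamp, raw frame bytes) from libpcap data, handling both byte orders."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        order = "<"  # written by a little-endian host
    elif magic == b"\xa1\xb2\xc3\xd4":
        order = ">"  # written by a big-endian host
    else:
        raise ValueError("not a classic libpcap file (pcapng is not handled here)")
    offset = 24  # skip the 24-byte global header
    while offset + 16 <= len(data):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack(order + "IIII", data[offset:offset + 16])
        offset += 16
        yield ts_sec, data[offset:offset + incl_len]
        offset += incl_len


def parse_frame(frame):
    """Return (proto, src, sport, dst, dport) for IPv4 TCP/UDP frames, else None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4          # IPv4 header length, options included
    proto = frame[23]                      # IPv4 protocol field
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    l4 = frame[14 + ihl:]
    if proto not in PROTO_NAMES or len(l4) < 4:
        return None
    sport, dport = struct.unpack("!HH", l4[:4])  # first 4 bytes are ports for both TCP and UDP
    return PROTO_NAMES[proto], src, sport, dst, dport


def summarize(data):
    """Count packets per conversation 5-tuple across the whole capture."""
    convs = Counter()
    for _ts, frame in iter_packets(data):
        tup = parse_frame(frame)
        if tup:
            convs[tup] += 1
    return convs


def top_ports(convs, n=3):
    """Most frequent (proto, destination port) pairs: a quick 'which services are in play' view."""
    ports = Counter()
    for (proto, _s, _sp, _d, dport), count in convs.items():
        ports[(proto, dport)] += count
    return ports.most_common(n)


# Constructed sample capture: one host talking HTTPS, DNS and an odd high port.
SAMPLE_PCAP = build_pcap([
    _frame("10.0.0.5", "203.0.113.9", 6, 51000, 443),
    _frame("10.0.0.5", "203.0.113.9", 6, 51000, 443),
    _frame("203.0.113.9", "10.0.0.5", 6, 443, 51000),
    _frame("10.0.0.5", "198.51.100.2", 17, 40000, 53, b"\x00" * 12),
    _frame("10.0.0.5", "203.0.113.9", 6, 51002, 8080),
])

if __name__ == "__main__":
    for tup, count in summarize(SAMPLE_PCAP).most_common():
        print(count, *tup)
    print("top destination ports:", top_ports(summarize(SAMPLE_PCAP)))
```

Replacing `SAMPLE_PCAP` with `open("evidence.pcap", "rb").read()` gives the same conversation table for a real capture; unusual destination ports and hosts that appear in many distinct conversations are the first things worth pivoting on in Wireshark.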
DOWNLOAD ANSWERS LINK : Don't get too hasty looking up the answers! You can always ping me on Twitter @securitymustard for hints :D.