# CTF - Network Based Attacks

***

### Question 1

> What is the URL accessed by the infected user that returned a 200 OK response code.

First, open the `test.pcap` file; it opens directly in Wireshark. Use the search icon to search for `200 OK`. We get two results, both of which show the requested URI. In both cases the domain is the same, `623start.site`, which is the flag.

### Question 2

> What is the IP address, MAC address of the infected Windows client?

Using the packet we just clicked on to find the requested URI, we can see that the request came from the source IP address `10.7.10.47`. To find the MAC address, expand the Ethernet II section, where the destination MAC address is shown as `80:86:5b:ab:1e:c4`. The two values separated by a comma form the flag.

### Question 3

> Which Wireshark filter can you use to determine the victim’s hostname from NetBIOS Name Service traffic, and what is the detected hostname for this malware infection?

The filter that displays NetBIOS Name Service traffic is `nbns`. To find the hostname, expand the NetBIOS Name Service section of one of those packets and then the Additional records.

### Question 4

> Which user got infected and ran the `mystery_file.ps1` PowerShell script?

Again, use the search option to search for the file name, but make sure you search using the Packet Bytes option, which is in the drop-down on the left-hand side of the search bar. Once you have found the correct packet, click on Analyze and select Show Packet Bytes, or press `Ctrl+Shift+O`.

### Question 5

> What User-Agent string indicates the traffic generated by a PowerShell script?

Again, use the search option to search for PowerShell, but select the Packet Details option this time. Note that, for whatever reason, the full User-Agent header is not accepted as the answer; the flag is just `WindowsPowerShell`.
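The same three lookups (Question 1's URIs answered 200 OK, Question 2's client IP and MAC, Question 5's PowerShell User-Agent) done outside the Wireshark GUI, as an added example that is not part of this write-up. It parses a classic libpcap file with the standard library only; the two-packet capture it builds is constructed for the example (reusing the IP, MAC and domain from the answers above, with made-up server values and a made-up `/update` path), not the real `test.pcap`.

```python
import struct

def build_pcap(frames):  # libpcap global header: magic, v2.4, tz 0, sigfigs 0, snaplen, linktype 1 (Ethernet)
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, fr in enumerate(frames):  # per-packet header: ts_sec, ts_usec, incl_len, orig_len
        out += struct.pack("<IIII", ts, 0, len(fr), len(fr)) + fr
    return out

def frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):  # constructed Ethernet/IPv4/TCP frame
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)  # data offset 5, PSH|ACK
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0, 64, 6, 0,  # checksums zero
                       bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return bytes.fromhex(dst_mac.replace(":", "") + src_mac.replace(":", "")) + b"\x08\x00" + ipv4 + tcp + payload

def http_records(pcap):  # walk the pcap; keep src MAC/IP, ports, start line and headers of HTTP packets
    records, off = [], 24
    while off + 16 <= len(pcap):
        incl = struct.unpack_from("<IIII", pcap, off)[2]
        fr, off = pcap[off + 16:off + 16 + incl], off + 16 + incl
        if len(fr) < 54 or fr[12:14] != b"\x08\x00" or fr[14] != 0x45 or fr[23] != 6: continue  # IPv4 (no options)/TCP only
        head, _, rest = fr[34 + (fr[46] >> 4) * 4:].partition(b"\r\n")  # TCP payload starts after the data offset
        if not (head.startswith(b"HTTP/1.") or b" HTTP/1." in head): continue  # not the start of an HTTP message
        hdrs = {k.strip().lower(): v.strip() for k, _, v in (l.decode(errors="replace").partition(":")
                for l in rest.split(b"\r\n\r\n")[0].split(b"\r\n"))}
        sport, dport = struct.unpack_from("!HH", fr, 34)
        records.append({"src_mac": ":".join(f"{b:02x}" for b in fr[6:12]), "src_ip": ".".join(map(str, fr[26:30])),
                        "dst_ip": ".".join(map(str, fr[30:34])), "sport": sport, "dport": dport,
                        "start": head.decode(errors="replace"), "headers": hdrs})
    return records

def triage(records):  # Q1: URIs answered 200 OK; Q2/Q5: IP, MAC and User-Agent of clients using WindowsPowerShell
    pending, ok_uris, ps_clients = {}, [], []
    for r in records:
        if len(parts := r["start"].split()) < 2: continue  # malformed start line
        if parts[0].startswith("HTTP/1."):  # response: match the request sent from the reversed flow
            uri = pending.pop((r["dst_ip"], r["dport"]), None)
            if uri and parts[1] == "200": ok_uris.append(uri)
            continue
        pending[(r["src_ip"], r["sport"])] = r["headers"].get("host", "") + parts[1]  # request: Host + path
        if "windowspowershell" in r["headers"].get("user-agent", "").lower():
            ps_clients.append((r["src_ip"], r["src_mac"], r["headers"]["user-agent"]))
    return {"ok_uris": ok_uris, "ps_clients": ps_clients}

# Constructed two-packet capture: client IP/MAC and domain from the write-up, server values and path made up.
REQ = (b"GET /update HTTP/1.1\r\nHost: 623start.site\r\nUser-Agent: Mozilla/5.0 "
       b"(Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1\r\n\r\n")
SAMPLE = build_pcap([frame("80:86:5b:ab:1e:c4", "00:50:56:aa:bb:cc", "10.7.10.47", "203.0.113.5", 49152, 80, REQ),
                     frame("00:50:56:aa:bb:cc", "80:86:5b:ab:1e:c4", "203.0.113.5", "10.7.10.47", 80, 49152,
                           b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok")])
```

`triage(http_records(open("test.pcap", "rb").read()))` runs the same logic over a real capture, as long as it is a classic pcap (not pcapng) of Ethernet frames.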

### Question 6

> Which wallet extension ID is associated with the Coinbase wallet?

Perform the same search as in Question 4, but for Coinbase. Then click on Analyze and select Show Packet Bytes. Copy the string of characters immediately before Coinbase; that is the extension ID.
