Saturday, November 8, 2014

picoCTF 2014: Spoof Proof (Forensics) Write-up


Solve:
The police have retrieved a network trace of some suspicious activity. Most of the traffic is users viewing their own profiles on a social networking website, but one of the users on the network downloaded a file from the Thyrin Labs VPN and spoofed their IP address in order to hide their identity. Can you figure out the last name of person that accessed the Thyrin files, and the two source IP addresses they used?
[Example valid flag format: "davis,192.168.50.6,192.168.50.7"]

PCAP file available here. You can also view it on CloudShark
Hint:
The IP address was changed, but what about the MAC Address?
Solution:
Following the hint, I opened traffic.pcap with Wireshark and focused on the IP addresses and MAC addresses. I found 4 people, and one person accessed the Thyrin files (secretfile.txt).


Next step: which MAC address and IP address accessed secretfile.txt? (MAC: 08:00:27:2b:f7:02, IP: 192.168.50.4)


I am interested in john johnson (MAC: 08:00:27:2b:f7:02, IP: 192.168.50.3)


Reading the problem again: Can you figure out the last name of person that accessed the Thyrin files, and the two source IP addresses they used?
[Example valid flag format: "davis,192.168.50.6,192.168.50.7"]

It means johnson,192.168.50.3,192.168.50.4

Flag: johnson,192.168.50.3,192.168.50.4
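
The same MAC-to-IP correlation can be scripted instead of read off by eye in Wireshark. The following is an added example, not part of the original write-up: it parses a classic pcap with the standard library only and reports every source MAC that sent from more than one IPv4 address. The sample capture is constructed inline; only the suspect's MAC and two IPs come from the write-up, while the second host and the destination address are made up.

```python
import struct
from collections import defaultdict
from ipaddress import IPv4Address

def ips_by_mac(pcap: bytes) -> dict:
    """Map each source MAC to the set of IPv4 source addresses it sent from."""
    if pcap[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif pcap[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("link type is not Ethernet")
    seen, off = defaultdict(set), 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        # Ethernet: dst(6) src(6) ethertype(2); IPv4 source is at IP header offset 12
        if len(frame) >= 34 and frame[12:14] == b"\x08\x00":
            seen[frame[6:12].hex(":")].add(str(IPv4Address(frame[26:30])))
    return dict(seen)

def spoofers(pcap: bytes) -> dict:
    """Source MACs that used more than one source IP."""
    return {m: sorted(ips) for m, ips in ips_by_mac(pcap).items() if len(ips) > 1}

def _frame(src_mac: str, src_ip: str, dst_ip: str) -> bytes:
    """Constructed Ethernet + IPv4 header (no payload, checksum left at zero)."""
    eth = bytes.fromhex("ffffffffffff" + src_mac.replace(":", "")) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    return eth + ip

def sample_pcap() -> bytes:
    """Constructed capture: suspect values from the write-up, the rest made up."""
    frames = [_frame("08:00:27:2b:f7:02", "192.168.50.3", "192.168.50.10"),
              _frame("08:00:27:2b:f7:02", "192.168.50.4", "192.168.50.10"),
              _frame("08:00:27:aa:bb:cc", "192.168.50.9", "192.168.50.10")]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    print(spoofers(sample_pcap()))
```

On a capture that crosses a router, the gateway's MAC legitimately carries many source IPs, so exclude it before treating a hit as spoofing.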
