National Cyber Drill 2021 (Network) || Write-up || Part 2

Here I’m going to give you a quick write-up for the challenges of National Cyber Drill that I was able to solve. I hope you guys will find this helpful.

We’ve already published Part 1 (Basic). Check here: National Cyber Drill Part-1

Network

In the Network category we are provided with a pcap file, which we have to analyze to answer the questions.

Name might be always blank!!! : 25

In this challenge we have to find the machine name of the victim. If we just run the strings command on the pcap file, we will get the machine name.

Command:

strings NCD-2021.pcap | less 
or 
strings NCD-2021.pcap | grep -i "Desktop"

Flag : C1B3RDRLL21{DESKTOP-23FM3GM}

V1CTmi53 : 25 (Network)

In this challenge we have to find the IP address of the attacker's machine.

If we analyze the pcap file, we can see the attacker used the FTP service to get into the victim’s machine. So the source IP of that FTP traffic is the attacker's IP.

Flag: C1B3RDRLL21{10.0.2.15}

Newbie : 25

In this challenge we have to find which command the newbie needs to execute to start the chat session. If we analyze the pcap file, or extract all the HTTP traffic from it and save the objects, we can see a png file being transferred over the network. If we open that png file we can see a command and an instruction. The instruction says to change the port number. So we are sure that we have the command; we just have to change the port number. If we analyze the packet, we can see the destination port and the source port. The destination port was the desired port number. So the command is nc64.exe -lvp 443, and that’s our flag.

Flag : C1B3RDRLL21{nc64.exe -lvp 443}

Rythmic cords! : 25

In this challenge we have to find the port number of the chat session. Analyzing the packets, we can see some text being transferred. We can consider that the chat session. The destination port was the desired port number.

Flag : C1B3RDRLL21{4096}

When your friends betray you, sometimes the only people you can trust are strangers. : 25

In this challenge we have to find out the names of the senior colleague and the newbie. Analyzing the packets, we can see a chat between two people, Red and Andy. As Andy was guiding Red, Andy is the senior colleague.

Flag : C1B3RDRLL21{ANDY, RED} (names in capital letters)

500 internal server error : 25

In this challenge we have to find out the service used by the attacker to connect to the victim machine. As I mentioned before, the attacker used the FTP service to access the victim machine. So the answer is ftp. [ lowercase ]

Flag : C1B3RDRLL21{ftp}

Do you know the hashcat always says meow? : 25

In this challenge we have to find a log file in the packets. If we analyze the packets, we can see some files in the FTP traffic. There’s also a log file named JBKFIUCTL5CEKQ2SLFIFISKPJZPUWRKZ.log. At first I thought this was the flag. But it wasn’t. The filename is base32 encoded. Decoding the text from base32, we will get our desired file name.

Flag : C1B3RDRLL21{HTTPS_DECRYPTION_KEY}
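
The check described above, as an added example that is not part of the original write-up: it pulls file names out of FTP control commands and decodes any name whose stem is valid base32 (only A-Z and 2-7, length a multiple of 8). The FTP lines are constructed sample input; only the .log file name comes from the write-up, and the function names are hypothetical.

```python
import base64
import binascii
import re

# Constructed FTP control-channel lines; only the .log name is from the write-up.
SAMPLE_FTP_STREAM = """\
USER demo
PASS demo
LIST
RETR notes.txt
RETR JBKFIUCTL5CEKQ2SLFIFISKPJZPUWRKZ.log
QUIT
"""

FILE_CMDS = {"RETR", "STOR", "DELE", "SIZE", "RNFR", "RNTO"}
# RFC 4648 base32 uses only A-Z and 2-7 (plus '=' padding), in blocks of 8.
BASE32_RE = re.compile(r"[A-Z2-7]+={0,6}")

def ftp_file_names(stream):
    """Return the file names referenced by FTP file commands."""
    names = []
    for line in stream.splitlines():
        verb, _, arg = line.strip().partition(" ")
        if verb.upper() in FILE_CMDS and arg:
            names.append(arg.rsplit("/", 1)[-1])  # drop any directory part
    return names

def decode_base32_stem(name):
    """Decode the part before the extension if it is printable base32."""
    stem = name.rsplit(".", 1)[0] if "." in name else name
    if not stem or len(stem) % 8 or not BASE32_RE.fullmatch(stem):
        return None
    try:
        text = base64.b32decode(stem).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None

def encoded_names(stream):
    """Map each base32-named file in the stream to its decoded name."""
    found = {}
    for name in ftp_file_names(stream):
        decoded = decode_base32_stem(name)
        if decoded is not None:
            found[name] = decoded
    return found

if __name__ == "__main__":
    for name, decoded in encoded_names(SAMPLE_FTP_STREAM).items():
        print(f"{name} -> {decoded}")
```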

CHAOS 3: Scientists are continuously trying to invent something. : 100

In this challenge, we have to find out the name of the tool used by the attacker to get the FTP credentials of the target machine. Analyzing the packets, we can see a .QR_C0d3.png file. The QR code image looked interesting. After decoding the QR code we get the FTP credentials. But the question asked for the tool name. After analyzing the packets further, I found a .deb file in the GET requests: “zbar-tools_0.23.92-4_amd64.deb”. This was the tool name.

Flag : NCD21{zbar-tools} [ Suggestion : If you don’t know about the zbar tools, Google it ]