frncscrlnd's writeups

Writeups from challenges and CTFs i take part in.



Compromised host (1/4)

This challenge gives us a network_traffic.pcap file to analyze. It also tells us that a network scan has occurred and then asks: “What port/ports were opened on the host?”. TCP (Transmission Control Protocol) is a connection-oriented transport-layer protocol, which means that data exchange only starts after a three-way handshake.

This three-way handshake is established via specific TCP segments: the client sends a SYN, the server answers with a SYN-ACK, and the client completes the handshake with an ACK.

If the server replies with SYN-ACK to an initial SYN, that means that port is open. Otherwise, the server would have dropped the segment or responded with a RST.

This means that we have to look for SYN-ACK segments in our .pcap file.

After opening up network_traffic.pcap in Wireshark, we can use this filter in the filter bar: tcp.flags.syn==1 and tcp.flags.ack==1. The resulting segments will be:

(Screenshot: Wireshark packet list after applying the SYN-ACK filter.)

SYN-ACK segments directed towards the attacker (192.168.1.18) come from the following ports:

22,2375

This will be the challenge’s flag.
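As an added example (not part of the original writeup), here is the same SYN-ACK check done programmatically: a small pure-Python pcap reader that collects the source ports of SYN-ACK segments addressed to the scanning host, run against a constructed sample capture. The scanner address 192.168.1.18 comes from the writeup; the target address 192.168.1.20 and all packet contents are assumed/constructed.

```python
import struct

def _tcp_frame(src, dst, sport, dport, flags):
    """Build a minimal Ethernet/IPv4/TCP frame (constructed sample data, checksums left at 0)."""
    eth = b"\x00" * 12 + b"\x08\x00"                           # dst MAC, src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + tcp

def build_pcap(frames):
    """Wrap raw frames in a classic pcap file (little-endian magic, linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out

def synack_ports(pcap, scanner_ip):
    """Sorted source ports of SYN-ACK segments sent to scanner_ip: the programmatic
    equivalent of the Wireshark filter tcp.flags.syn==1 and tcp.flags.ack==1,
    restricted to replies addressed to the scanning host."""
    open_ports, off = set(), 24                                # skip the pcap global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from("<IIII", pcap, off)[2]
        frame = pcap[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                           # not IPv4, ignore
        ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
        dst = ".".join(str(b) for b in frame[30:34])
        tcp = frame[14 + ihl:]
        if proto != 6 or dst != scanner_ip or len(tcp) < 14:
            continue                                           # not TCP, or not a reply to the scanner
        if tcp[13] & 0x12 == 0x12:                             # SYN (0x02) and ACK (0x10) both set
            open_ports.add(struct.unpack_from("!H", tcp, 0)[0])
    return sorted(open_ports)

SCANNER, TARGET = "192.168.1.18", "192.168.1.20"              # target address is an assumption
SAMPLE_PCAP = build_pcap([                                    # constructed SYN scan of four ports
    _tcp_frame(SCANNER, TARGET, 40001, 22, 0x02),              # SYN to 22
    _tcp_frame(TARGET, SCANNER, 22, 40001, 0x12),              # SYN-ACK: 22 is open
    _tcp_frame(SCANNER, TARGET, 40002, 80, 0x02),              # SYN to 80
    _tcp_frame(TARGET, SCANNER, 80, 40002, 0x14),              # RST-ACK: 80 is closed
    _tcp_frame(SCANNER, TARGET, 40003, 2375, 0x02),            # SYN to 2375
    _tcp_frame(TARGET, SCANNER, 2375, 40003, 0x12),            # SYN-ACK: 2375 is open
    _tcp_frame(SCANNER, TARGET, 40004, 443, 0x02),             # SYN to 443, no reply (filtered)
])

if __name__ == "__main__":
    print(synack_ports(SAMPLE_PCAP, SCANNER))                  # [22, 2375]
```

Replacing SAMPLE_PCAP with the bytes of network_traffic.pcap reproduces the Wireshark result without depending on a GUI; the RST-ACK for port 80 and the silent port 443 are correctly left out.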