CTF Challenge Walkthrough: Network Traffic Analysis, Rogue User

In this walkthrough, we will be analyzing a packet capture (PCAP) file, rogue_user.pcap. The challenge was to identify the rogue user that was created by the attacker.

My tool of choice for this type of analysis is Wireshark.

The first step I typically take when analyzing a PCAP is to take a look at the captured protocols. This is done by accessing Statistics > Protocol Hierarchy. This is intentionally a pretty pared-down capture, so only a few protocols are listed.

Statistics > Protocol Hierarchy

Note that, as the name implies, the protocols are listed hierarchically, following the TCP/IP stack (frame, Ethernet, IP, TCP, and then whatever rides on top of TCP), which makes it relatively easy to drill down to the items of interest.

Displayed Layers and Protocols (thanks to UnlockedCat for noticing the previous typo)

Since we are likely looking for evidence of user creation, probably performed remotely from a command line, I am going to drill down on “Data”. In Wireshark, “Data” is the catch-all for TCP payload that no protocol dissector claimed, which is exactly what a raw shell over netcat on a non-standard port looks like. This can be done quickly by right-clicking on the Data line and selecting Apply as Filter > Selected, which places the display filter data in the filter bar.

Apply “Data” as a Filter

Now we are viewing only the frames that carry undissected data; in this case there are 28 of them. Note the PSH, ACK TCP flags: PSH is set when the sending application pushes its buffered bytes to the wire immediately, which is typical of an interactive session where each command and each response is sent as soon as it is produced.

Data Frames
Total Packet and Displayed Packet Counts

I have customized my display columns to include the “Stream Index” value (the tcp.stream field). Wireshark assigns one index to each TCP connection, identified by its pair of IP addresses and ports, numbering the connections in the order they first appear in the capture, so a stream is effectively one conversation between two nodes. We can see from the above image that stream 0 starts at frame number 4 and stream 1 starts at frame number 40. Both of these are of interest, so we will take a look at each. We can “follow” a stream by right-clicking any frame in it and selecting Follow > TCP Stream, which reassembles both directions of the connection into readable text.

Follow TCP Stream

Below are the results from following stream 0:

TCP Stream 0

Interesting, but no rogue user creation there. Next, we try following stream 1:

TCP Stream 1

It looks like stream 1 has some potential for relevant activity. The pink text is what was sent to our victim box and the blue text is what the victim sent back; Wireshark colours the two directions of a followed stream differently. This activity looks like remote shell access. We can see in the above image that the attacker ran the following commands: whoami, finger, ls, and then cat on a file rather enticingly titled “passhash.txt” that appears to be a copy of /etc/shadow.

We will take a look further in stream 1 and see if we can find evidence of the rogue user creation.

Adduser Command

From the above image we can observe the use of the adduser command to create a user named “marcelle” with a password of “password”. Because this is a plain netcat shell with no encryption, the password typed at the adduser prompt is visible in the capture in cleartext. Directly after creating the marcelle account, the attacker displays /etc/shadow to check that the user was created successfully. From the results shown below, we can see that they did succeed: a marcelle entry with a password hash is now present. Further, both adduser and reading /etc/shadow (which is readable only by root and the shadow group) require elevated privileges, so the attacker is running as root, and the whoami output earlier in the stream should agree with that. Not good!

Account Information for the “marcelle” User
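The same workflow, reduced to code. The script below is an added example written for this walkthrough, not the challenge author's code or part of Wireshark. Using only the Python standard library, it parses a classic pcap file, groups TCP segments into streams numbered in order of first appearance (the same idea as Wireshark's tcp.stream index), reassembles each stream's payload in capture order the way Follow > TCP Stream displays it, then looks for adduser/useradd commands and checks whether the named account appears in any /etc/shadow output later in the same stream. The embedded two-stream capture, the 10.0.0.x addresses, the listener port 4444 and the shadow lines are all constructed for the example; pass the real rogue_user.pcap as a command-line argument to run it against the challenge file.

```python
import re
import struct
import sys

# Shell-session patterns: an adduser/useradd command, and a 9-field /etc/shadow line.
ACCOUNT_CMD = re.compile(r"\b(?:adduser|useradd)\s+(?:-\S+\s+)*([a-z_][a-z0-9_-]*)")
SHADOW_LINE = re.compile(r"^([a-z_][a-z0-9_-]*):(?:[^:\n]*:){7}[^:\n]*$", re.M)


def tcp_payloads(pcap):
    """Yield (stream_index, payload) for each TCP segment carrying data.
    Streams are numbered per connection in order of first appearance, like
    Wireshark's tcp.stream. Classic pcap with Ethernet/IPv4 frames only."""
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic in (0xA1B2C3D4, 0xA1B23C4D):
        endian = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not supported)")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet link-layer captures are supported")
    streams, off = {}, 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "IIII", pcap[off:off + 16])[2]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4-over-Ethernet carrying TCP
        total_len = struct.unpack("!H", frame[16:18])[0]
        tcp = 14 + (frame[14] & 0x0F) * 4  # skip the IP header (IHL in 32-bit words)
        sport, dport = struct.unpack("!HH", frame[tcp:tcp + 4])
        data_off = (frame[tcp + 12] >> 4) * 4
        key = tuple(sorted([(frame[26:30], sport), (frame[30:34], dport)]))
        idx = streams.setdefault(key, len(streams))
        payload = frame[tcp + data_off:14 + total_len]
        if payload:
            yield idx, payload


def follow_streams(pcap):
    """{stream_index: text}, both directions interleaved in capture order (Follow > TCP Stream)."""
    text = {}
    for idx, payload in tcp_payloads(pcap):
        text[idx] = text.get(idx, "") + payload.decode("utf-8", "replace")
    return text


def find_rogue_users(pcap):
    """Flag adduser/useradd in every stream; confirm against later /etc/shadow output."""
    findings = []
    for idx, text in follow_streams(pcap).items():
        for m in ACCOUNT_CMD.finditer(text):
            user = m.group(1)
            confirmed = user in SHADOW_LINE.findall(text[m.end():])
            findings.append({"stream": idx, "user": user, "confirmed": confirmed})
    return findings


# Constructed sample capture: assumed addresses and ports, not taken from the challenge.
ATTACKER, VICTIM = "10.0.0.66", "10.0.0.10"


def _segment(src, dst, sport, dport, seq, data):
    """Ethernet/IPv4/TCP (PSH,ACK) frame; checksums left zero, the parser does not verify them."""
    eth = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(data), 1, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 0x50, 0x18, 65535, 0, 0)
    return eth + ip + tcp + data


def sample_capture():
    """Little-endian classic pcap: stream 0 is benign HTTP, stream 1 a shell on a netcat listener."""
    exchange = [
        (ATTACKER, VICTIM, 51000, 80, b"GET / HTTP/1.0\r\n\r\n"),
        (VICTIM, ATTACKER, 80, 51000, b"HTTP/1.0 200 OK\r\n\r\nhello\n"),
        (ATTACKER, VICTIM, 51001, 4444, b"whoami\n"),
        (VICTIM, ATTACKER, 4444, 51001, b"root\n"),
        (ATTACKER, VICTIM, 51001, 4444, b"adduser marcelle\n"),
        (VICTIM, ATTACKER, 4444, 51001, b"Adding user `marcelle' ...\n"),
        (ATTACKER, VICTIM, 51001, 4444, b"cat /etc/shadow\n"),
        (VICTIM, ATTACKER, 4444, 51001,
         b"root:$6$salt$hash:18000:0:99999:7:::\n"
         b"marcelle:$6$salt$hash2:18000:0:99999:7:::\n"),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # global header
    seq = {}
    for i, (src, dst, sp, dp, data) in enumerate(exchange):
        frame = _segment(src, dst, sp, dp, seq.get((src, sp), 1), data)
        seq[(src, sp)] = seq.get((src, sp), 1) + len(data)
        out += struct.pack("<IIII", 1_600_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


if __name__ == "__main__":
    capture = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_capture()
    for finding in find_rogue_users(capture):
        print(finding)
```

Two caveats a practitioner should keep in mind: the script reads only classic .pcap files over Ethernet (Wireshark's default save format, pcapng, is rejected), and it concatenates segments in capture order without re-sequencing, so retransmissions or out-of-order segments would garble the reassembled text where Wireshark's follow feature would not. The command-line equivalents of the two GUI steps used in this walkthrough are `tshark -r rogue_user.pcap -q -z io,phs` for the protocol hierarchy and `tshark -r rogue_user.pcap -q -z follow,tcp,ascii,1` to follow stream 1.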

I created this challenge in a virtual machine environment, using Wireshark to capture the traffic and netcat to establish the remote shell.

Security researcher, educator and business owner in the field of cybersecurity. Advocate of diversity in tech. https://marcellelee.github.io