Rating:

Network Admin :: Q2
=================

Challenge Prompt
--------

> Using the pcaps from Q1
> What machine is the network admin on (IP address)?
> NOTE: you get ONE attempt at this question

------------

__For these challenges, three files were supplied: [`NET_ADMIN.pcapng`](../NET_ADMIN.pcapng), [`NET_ADMIN2.pcapng`](../NET_ADMIN2.pcapng), and [`Net_admin_Diagram.png`](../Net_admin_Diagram.png)__

This was the first of many _awful_ questions, which I nicknamed "trigger" challenges, since we only got one shot. You could only try and submit the flag _once_, and if you ever had a typo or missed a letter or number or anything, ___too bad.___ Maybe I'm wrong, I'm only one dude, but I think that handicapping flag submission is an absurd thing to do at a CTF. Er, I have to refer to this as a "GTF"... because for more than a handful of these you have to "_guess_ the flag."

I think a lot of people strayed from this question because you only had one chance... or they just pulled the trigger, missed, and got locked out of the challenge forever. Who knows.

I think the catch here is that in the [pcap] file we looked at in the previous challenge, [Q1](../q1), which was [`NET_ADMIN2.pcapng`](../NET_ADMIN2.pcapng), the "network admin" looks to be working from the 10.10.2.1 IP address... but if you examine the _first_ [pcap], [`NET_ADMIN.pcapng`](../NET_ADMIN.pcapng), you can see there is an [SSH] connection to what we assume is the server (`10.10.2.200`) coming from `10.10.1.1`. Typically a `.1` address is a gateway, but we don't usually see a router [SSH] into something all on its own... so I would think it is a person using that machine.
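The check described above (which hosts opened SSH sessions to the server) is easy to automate. The script below is an added example, not code from the original writeup; it embeds a small constructed capture rather than reading the real `NET_ADMIN.pcapng`, and it assumes classic pcap format (not pcapng), an Ethernet link type and IPv4/TCP traffic. It counts SSH session openings (a SYN without ACK towards port 22) per client IP, which is exactly the evidence the writeup relies on.

```python
"""List the hosts that opened SSH sessions to a server in a packet capture.

Added example, not code from the original writeup. The embedded capture is
constructed (not real traffic) and mirrors the situation in the text: a host
on 10.10.1.1 opening SSH to 10.10.2.200, and 10.10.2.1 only talking HTTP.
"""
import struct
from collections import Counter
from ipaddress import ip_address

PCAP_MAGIC_LE = 0xA1B2C3D4   # classic pcap magic as read from a little-endian file
PCAP_MAGIC_BE = 0xD4C3B2A1   # same magic as read from a big-endian file
LINKTYPE_ETHERNET = 1
TCP_SYN, TCP_ACK = 0x02, 0x10


def build_frame(src_ip, dst_ip, sport, dport, flags):
    """Build an Ethernet/IPv4/TCP frame (no payload) for the given 4-tuple and TCP flags."""
    eth = b"\x00" * 6 + b"\x11" * 6 + b"\x08\x00"  # dst MAC, src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                         ip_address(src_ip).packed, ip_address(dst_ip).packed)
    return eth + ip_hdr + tcp


def build_pcap(frames):
    """Wrap frames in a classic little-endian pcap file image, kept in memory."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    records = [struct.pack("<IIII", 1500000000 + i, 0, len(f), len(f)) + f
               for i, f in enumerate(frames)]
    return header + b"".join(records)


def iter_frames(data):
    """Yield raw link-layer frames from a classic pcap byte string (either endianness)."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a classic pcap; convert pcapng first (editcap -F pcap)")
    linktype, = struct.unpack_from(endian + "I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def parse_tcp(frame):
    """Return (src, dst, sport, dport, flags) for an IPv4/TCP frame, else None."""
    if len(frame) < 14 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    if len(ip) < 20 or ip[9] != 6:  # IP protocol 6 = TCP
        return None
    ihl = (ip[0] & 0x0F) * 4
    tcp = ip[ihl:]
    if len(tcp) < 14:
        return None
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    return (str(ip_address(ip[12:16])), str(ip_address(ip[16:20])), sport, dport, tcp[13])


def ssh_clients(data, server_ip, ssh_port=22):
    """Count SSH session openings (SYN without ACK) per client IP towards server_ip."""
    clients = Counter()
    for frame in iter_frames(data):
        pkt = parse_tcp(frame)
        if pkt is None:
            continue
        src, dst, _sport, dport, flags = pkt
        if dst == server_ip and dport == ssh_port and (flags & (TCP_SYN | TCP_ACK)) == TCP_SYN:
            clients[src] += 1
    return clients


# Constructed capture (not real traffic from NET_ADMIN.pcapng).
SAMPLE_PCAP = build_pcap([
    build_frame("10.10.1.1", "10.10.2.200", 50001, 22, TCP_SYN),            # SSH handshake
    build_frame("10.10.2.200", "10.10.1.1", 22, 50001, TCP_SYN | TCP_ACK),
    build_frame("10.10.1.1", "10.10.2.200", 50001, 22, TCP_ACK),
    build_frame("10.10.2.1", "10.10.2.200", 40000, 80, TCP_SYN),            # HTTP only
    build_frame("10.10.1.1", "10.10.2.200", 50002, 22, TCP_SYN),            # second SSH session
])

if __name__ == "__main__":
    for ip, n in ssh_clients(SAMPLE_PCAP, "10.10.2.200").most_common():
        print(f"{ip} opened {n} SSH session(s) to 10.10.2.200")
```

On the real file the equivalent one-liner is `tshark -r NET_ADMIN.pcapng -Y "tcp.flags.syn==1 && tcp.flags.ack==0 && tcp.dstport==22" -T fields -e ip.src | sort | uniq -c`, which also handles pcapng directly. Counting SYNs rather than every packet matters: the server's own replies carry port 22 as the source port, so a naive "port 22" filter would list `10.10.2.200` as well.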

Testing faith, I tried to submit it, and -- _thank god_ -- I got it.

__Flag was: `10.10.1.1`__

[SSH]: https://en.wikipedia.org/wiki/Secure_Shell
[pcap]: https://en.wikipedia.org/wiki/Pcap

Original writeup (https://github.com/USCGA/cyberseed_2017/tree/master/capture_the_flag/network_admin/q2).