Network Admin :: Q3
=================

Challenge Prompt
--------

> The network admin is busy today, from the pcap, figure out the following questions.
>
> The network admin is multi-tasking, what domain is conspicuously left out of his activity?

-------------------

__For these challenges, three files were supplied: [`NET_ADMIN.pcapng`](../NET_ADMIN.pcapng), [`NET_ADMIN2.pcapng`](../NET_ADMIN2.pcapng), and [`Net_admin_Diagram.png`](../Net_admin_Diagram.png)__

I hated this challenge. I still hate this challenge. I will forever hate this challenge. This is a stupid challenge, based off of a guess, and I don't think it is related to technology or cyber security.

But I'll get off my soapbox, give you the details, and let you form your own opinion.

I looked through the original [PCAP], [`NET_ADMIN.pcapng`](../NET_ADMIN.pcapng), for a good while... looking through the Endpoints and Conversations statistics, examining the domains, `grep`-ing for domains with [regex] and even checking through everything with [`scapy`][scapy]. I found all the domains and tried to figure out which one had the least number of occurrences, which had the minimum traffic, etc. etc.

Turns out that was all a waste of time.

Eventually, when LCDR Wyman and LCDR Hartshorn were just over my shoulder and asking me about what I was working on, I explained it aloud. Since Peyton was just beside me, she overheard what I was saying and looked at my screen.

She noticed that all the school domains present in the [PCAP] were all schools that were part of a football league conference.

_Seriously?_ They were all part of the [ACC, the Atlantic Coast Conference](https://en.wikipedia.org/wiki/Atlantic_Coast_Conference).

I put the list of domains and the schools in the conference side by side and tried to eliminate the ones that were present in both lists, to see "what the network admin had left out."

```
198.82.215.14 vt.edu
52.176.60.7 miami.edu
128.143.33.150 virginia.edu
172.217.10.100 www.google.com
128.230.18.198 syracuse.edu
13.68.209.221 miami.edu
52.6.129.12 nd.edu
146.201.111.62 fsu.edu
130.207.160.173 gatech.edu
136.165.238.241 louisville.edu
128.143.22.36 virginia.edu
130.127.204.30 clemson.edu
128.143.33.149 virginia.edu
152.2.64.93 unc.edu
152.17.48.164 wfu.edu
136.167.2.220 bc.edu
136.142.35.137 pitt.edu

* NC State
* Clemson
* Syracuse
* Florida State
* Wake Forest
* Boston College
* Louisville
* Miami
* Georgia Tech
* Virginia
* Virginia Tech
* Pittsburgh
* North Carolina
* Duke
```

The school that was missing was Duke University. There was no trace of it in the [PCAP]. I guess maybe if I were more cultured or knew college football I could have gotten this challenge, but I didn't know I was at that kind of competition.

So I Googled the domain, and submitted it. Correct flag, got the points.

_What the fuck_.

__Flag: `duke.edu`__

[PCAP]: https://en.wikipedia.org/wiki/Pcap
[CyberSEED]: https://www.csi.uconn.edu/cybersecurity-week/
[RTL-SDR]: https://www.rtl-sdr.com/
[System76]: https://system76.com/
[regex]: https://en.wikipedia.org/wiki/Regular_expression
[scapy]: http://www.secdev.org/projects/scapy/

Original writeup (https://github.com/USCGA/cyberseed_2017/tree/master/capture_the_flag/network_admin/q3).