NTA Challenge 3 - Ping

Accuracy: 60%

Prompt

Cyber Command: Someone exfiltrated a flag from one of our servers. We put up tight firewall controls on the ports, so we’re not sure how this happened. Investigate and see what you can find out.


Answers

Q1 (10 pts) - What is the IP address (non-tunnel IP) of the device where the flag was exfiltrated from?
172.23.0.20

Q2 (10 pts) - What is the IP address (non-tunnel IP) of the device where the flag was exfiltrated to?
172.23.0.1

Q3 (100 pts) - What is the flag that was exfiltrated?
SKY-WXHO-2823


Steps I Took

Opened the PCAP and found the data was being hidden inside ICMP (ping) packets — the attacker used ICMP tunneling to bypass firewall port controls.

Copied the data field from the ICMP packets into CyberChef. Identified and stripped the tunnel header to expose the real IP packet underneath, which contained the flag.
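The two steps above (pull the ICMP data field, strip the tunnel header, read the inner IP packet) can be automated and turned into a detection check. The following Python is an added example, not code from this write-up or from the challenge, and it makes no assumption about the real tunnel format: instead of stripping a fixed-size header it scans the echo payload for any offset at which a well-formed IPv4 header (version 4, plausible lengths, verifying header checksum) begins, which is the same property a defender would alert on in pings. The sample packet, the 8-byte `TUNL` tunnel header, the 192.0.2.x / 10.9.0.x addresses and the `FLAG{...}` text are all constructed for the demo.

```python
import socket
import struct


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum (IPv4 and ICMP use the same algorithm).
    Computed over a header whose checksum field is already filled in, it returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal IPv4 packet (20-byte header, no options); used only to build sample input."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_icmp_echo(ident: int, seq: int, data: bytes, request: bool = True) -> bytes:
    """ICMP echo request/reply carrying arbitrary data; used only to build sample input."""
    hdr = struct.pack("!BBHHH", 8 if request else 0, 0, 0, ident, seq)
    return hdr[:2] + struct.pack("!H", inet_checksum(hdr + data)) + hdr[4:] + data


def find_inner_ipv4(data: bytes):
    """Scan ICMP echo data for an embedded IPv4 packet at any offset.
    A candidate must have version 4, a header that fits, a total length that fits,
    and a header checksum that verifies. Returns (offset, src, dst, proto, payload) or None."""
    for off in range(len(data) - 19):          # every offset with >= 20 bytes remaining
        cand = data[off:]
        if cand[0] >> 4 != 4:
            continue
        ihl = (cand[0] & 0x0F) * 4
        if ihl < 20 or len(cand) < ihl:
            continue
        total_len = struct.unpack("!H", cand[2:4])[0]
        if total_len < ihl or total_len > len(cand):
            continue
        if inet_checksum(cand[:ihl]) != 0:       # random bytes almost never pass this
            continue
        return (off, socket.inet_ntoa(cand[12:16]), socket.inet_ntoa(cand[16:20]),
                cand[9], cand[ihl:total_len])
    return None


def analyze_packet(raw: bytes) -> dict:
    """Parse an outer IPv4 packet; if it is an ICMP echo, look for a tunnelled packet
    in its data. 'tunnel' stays None for ordinary pings."""
    ihl = (raw[0] & 0x0F) * 4
    result = {"outer_src": socket.inet_ntoa(raw[12:16]),
              "outer_dst": socket.inet_ntoa(raw[16:20]),
              "tunnel": None}
    if raw[9] != 1:                               # not ICMP
        return result
    icmp = raw[ihl:]
    if icmp[0] not in (0, 8):                     # only echo request/reply carry free-form data
        return result
    inner = find_inner_ipv4(icmp[8:])             # skip type/code/checksum/id/seq
    if inner is None:
        return result
    off, src, dst, proto, payload = inner
    result["tunnel"] = {"icmp_type": icmp[0], "tunnel_header_len": off,
                        "inner_src": src, "inner_dst": dst,
                        "inner_proto": proto, "inner_payload": payload}
    return result


# Constructed sample: an inner UDP datagram with placeholder "flag" text, wrapped in a
# made-up 8-byte tunnel header and carried as echo-request data between placeholder hosts.
SAMPLE_FLAG = b"FLAG{constructed-placeholder}"
_udp = struct.pack("!HHHH", 40000, 53, 8 + len(SAMPLE_FLAG), 0) + SAMPLE_FLAG  # UDP csum 0 = absent
_inner_ip = build_ipv4("10.9.0.2", "10.9.0.1", 17, _udp)
FAKE_TUNNEL_HDR = b"TUNL" + struct.pack("!I", 7)                               # hypothetical
SAMPLE_PACKET = build_ipv4("192.0.2.20", "192.0.2.1", 1,
                           build_icmp_echo(0x1234, 1, FAKE_TUNNEL_HDR + _inner_ip))

if __name__ == "__main__":
    print(analyze_packet(SAMPLE_PACKET))
```

Run against a capture, `analyze_packet` would be called on each IP packet's bytes; the outer addresses answer questions like Q1/Q2, `tunnel_header_len` tells you how many bytes of tunnel header to strip, and `inner_payload` is what you would otherwise have carved out by hand in CyberChef. Because the check requires a verifying IPv4 header checksum, standard ping payloads (the usual `0x10 0x11 0x12 ...` pattern or timestamps) do not trigger it, which keeps it usable as an alert rule rather than just a CTF helper.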