Would be great to get some guidance around how to approach the question below. I’ve exhausted every possible search using Wireshark, but this information doesn’t seem to exist within the pcap capture although the hint suggests that it should be there. Did anyone else come across the same issue?
What was the name of the new user created on mrb3n’s host?
Have you tried the walkthrough at the end of the section?
When you analyse the guided analysis pcap file it should be relatively straightforward. If you identify the IP with suspicious behavior and follow the TCP stream you should get the answer.
Could I be missing a part of the capture, although I let it sit 10+ mins to pick up traffic from the specified interface?
Streams were the initial checks. Tried looking for keywords using string in packet bytes, list and details… nothing. Tried filtering to DHCP to check for host names, nothing.
Is it even possible to find a user account that was created on a host via network traffic?
As for finding the user account in the packets, it is possible. After all, the TCP packets contain all the data that is sent between the attacker and the victim. You don't have to look at the individual packets though; instead, follow the TCP stream and you should be able to easily see the commands sent by the attacker.
Edit:
You are completely right!! I don’t understand why it wasn’t made clear that was the pcap that needed to be used! Next to the question, it mentions that you need to RDP to a spawned machine so I assumed you would have to capture the traffic from there. The information is in the guided-analysis.pcap and I’ve been looking in the totally wrong place! Thanks for your help!!
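Added example, not part of any post in this thread: a minimal Python version of what following a TCP stream does, showing why a command split across segments only becomes searchable after reassembly. The capture bytes, addresses, ports, the `constructed_user` name and the `net user`/`useradd` patterns are all constructed assumptions, and the parser assumes a well-formed classic little-endian pcap with Ethernet framing and no sequence-number wraparound.

```python
import re
import struct
from collections import defaultdict

# Assumed command forms for account creation (not taken from the thread).
USER_ADD = re.compile(rb"net user (\S+).*?/add|useradd\s+(?:-\S+\s+)*(\S+)", re.I)

def _frame(src, dst, sport, dport, seq, payload):
    """Build one Ethernet/IPv4/TCP frame; checksums are zero (sample data only)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 0x50, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(src), bytes(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload

def build_sample_pcap():
    """Constructed capture: one command split over two segments, stored out of order."""
    a, v = (10, 0, 0, 5), (10, 0, 0, 9)
    frames = [_frame(a, v, 4444, 49152, 1013, b"er constructed_user /add\n"),
              _frame(a, v, 4444, 49152, 1000, b"whoami\nnet us")]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # Ethernet linktype
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

def follow_streams(pcap):
    """Return {(src, sport, dst, dport): payload bytes ordered by TCP sequence number}."""
    segs, off = defaultdict(dict), 24          # skip the 24-byte global header
    while off + 16 <= len(pcap):
        incl = struct.unpack_from("<I", pcap, off + 8)[0]
        pkt, off = pcap[off + 16:off + 16 + incl], off + 16 + incl
        if len(pkt) < 54 or pkt[12:14] != b"\x08\x00" or pkt[23] != 6:
            continue                           # keep IPv4 + TCP only
        t = 14 + (pkt[14] & 0x0F) * 4          # start of the TCP header
        end = 14 + struct.unpack_from("!H", pkt, 16)[0]   # IP total length
        sport, dport, seq = struct.unpack_from("!HHI", pkt, t)
        data = pkt[t + (pkt[t + 12] >> 4) * 4:end]
        if data:
            key = (".".join(map(str, pkt[26:30])), sport,
                   ".".join(map(str, pkt[30:34])), dport)
            segs[key][seq] = data              # same seq again = retransmission
    return {k: b"".join(v[s] for s in sorted(v)) for k, v in segs.items()}

def find_user_creation(pcap):
    """Return (stream, username) for each account-creation command found."""
    return [(key, (m.group(1) or m.group(2)).decode())
            for key, data in follow_streams(pcap).items()
            for m in USER_ADD.finditer(data)]
```

In the constructed capture the string `net user` does not appear in any single packet, so a per-packet byte search misses it while the reassembled stream matches.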