The next attack is forced browsing where the naughty one is guessing URLs. What's the first successful URL path in this attack?
After talking with Alabaster Snowball, you will get the following hint:
The victim web server is 10.12.42.16. Which host is the next top talker?
We unzip the artifacts and get a PCAP file, which we can open in Wireshark. To see the top talkers, we select Statistics > Conversations and open the IPv4 tab. Sorting by the Packets column shows which host is sending and receiving the most packets and therefore causing the most traffic.
In our case it's 18.222.86.32.
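The same top-talker count can be scripted. This is an added example, not part of the original write-up: it parses a classic pcap file with the Python standard library and ranks hosts by packets exchanged with the victim. The capture is constructed inline, and 192.0.2.10 and 198.51.100.7 are made-up peers.

```python
import struct
from collections import Counter
from ipaddress import IPv4Address

def top_talkers(pcap: bytes, victim: str):
    """Rank hosts by packets exchanged with `victim` (both directions)."""
    if pcap[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif pcap[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet captures (linktype 1) are handled")
    counts, off = Counter(), 24              # 24-byte global header
    while off + 16 <= len(pcap):             # 16-byte per-packet record header
        incl_len = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        # 14-byte Ethernet header, EtherType 0x0800 = IPv4; VLAN-tagged frames are skipped
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue
        src = str(IPv4Address(frame[26:30]))  # IPv4 source address
        dst = str(IPv4Address(frame[30:34]))  # IPv4 destination address
        if victim in (src, dst):
            counts[dst if src == victim else src] += 1
    return counts.most_common()

def _frame(src, dst):
    """Constructed frame: zeroed MACs plus a minimal 20-byte IPv4 header."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return b"\x00" * 12 + b"\x08\x00" + ip

def _pcap(frames):
    """Wrap frames in a little-endian classic pcap container."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

# Constructed sample capture (packet counts are invented for the example).
SAMPLE = _pcap(
    [_frame("18.222.86.32", "10.12.42.16")] * 5
    + [_frame("10.12.42.16", "18.222.86.32")] * 3
    + [_frame("192.0.2.10", "10.12.42.16")] * 2
    + [_frame("192.0.2.10", "198.51.100.7")]   # does not involve the victim
)
```

Calling `top_talkers(SAMPLE, "10.12.42.16")` returns the peers in descending packet order; for a real capture, pass the file's bytes instead of `SAMPLE`.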
We get the following hints:
The site's login function is at /login.html. Maybe start by searching for a string.