DEV Community

loading...

TryHackMe TShark

Omri Bornstein
Computer Science Student
Originally published at applegamer22.hashnode.dev ・2 min read

TryHackMe TShark

References

Reading PCAP Files

How many packets are in the dns.cap file?

  • TShark's -r flag enable reading a PCAP file.
  • wc's -l flag counts the lines of a given input.
$ tshark -r dns.cap | wc -l
38
Enter fullscreen mode Exit fullscreen mode

Answer: 38

How many A records are in the capture (including responses)?

  • TShark's -Y "dns.qry.type == 1" is used to filter DNS A records.
$ tshark -r dns.cap -Y "dns.qry.type == 1" | wc -l
6
Enter fullscreen mode Exit fullscreen mode

Answer: 6

Which A record was present the most?

  • TShark's -T fields is used to specify the output's format.
  • TShark's -e dns.qry.name is specify which field to output.
$ tshark -r dns.cap -Y "dns.qry.type == 1" -T fields -e dns.qry.name
www.netbsd.org
www.netbsd.org
GRIMM.utelsystems.local
GRIMM.utelsystems.local
GRIMM.utelsystems.local
GRIMM.utelsystems.local
Enter fullscreen mode Exit fullscreen mode

Answer: GRIMM.utelsystems.local

DNS Exfil

How many packets are in this capture?

$ tshark -r task3.pcap | wc -l
125
Enter fullscreen mode Exit fullscreen mode

Answer: 125

How many DNS queries are in this PCAP (excluding responses)?

$ tshark -r task3.pcap -Y "dns.flags.response == 0" | wc -l
56
Enter fullscreen mode Exit fullscreen mode

Answer: 56

What is the DNS transaction ID of the suspicious queries (in hex)?

$ tshark -r task3.pcap -Y "dns.flags.response == 0" -T fields -e dns.id
0x0000beef
Enter fullscreen mode Exit fullscreen mode

Answer: 0x0000beef

What is the string extracted from the DNS queries?

$ tshark -r task3.pcap -Y "dns.flags.response == 0" -T fields -e dns.qry.name | cut -c1 | tr "\n" " " | sed 's/ //g'
MZWGCZ33ORUDC427NFZV65BQOVTWQX3XNF2GQMDVG5PXI43IGRZGWIL5
Enter fullscreen mode Exit fullscreen mode

Answer: MZWGCZ33ORUDC427NFZV65BQOVTWQX3XNF2GQMDVG5PXI43IGRZGWIL5

What is the flag?

$ echo 'MZWGCZ33ORUDC427NFZV65BQOVTWQX3XNF2GQMDVG5PXI43IGRZGWIL5' | base32 -d
flag{th1s_is_t0ugh_with0u7_tsh4rk!}
Enter fullscreen mode Exit fullscreen mode

Flag: flag{th1s_is_t0ugh_with0u7_tsh4rk!}

Discussion (0)