https://tryhackme.com/r/room/tsharkchallengestwo
What is the name of the malicious/suspicious domain?
Enter your answer in a defanged format
tshark -r directory-curiosity.pcap -T fields -e http.host| awk NF | sort -r | uniq -c | sort -r
- I got a list of all the URLs
- Scanning them with VirusTotal to look for the malicious/suspicious domain
- 1 of them got flagged
What is the total number of HTTP requests sent to the malicious domain?
tshark -r directory-curiosity.pcap -Y 'http.request' -T fields -e http.host| awk NF | sort -r | uniq -c | sort -r
- -Y 'http.request' to get the list of HTTP requests
- -e http.host to show only the URLs
- | awk NF | sort -r | uniq -c | sort -r to make it pretty
- The output is a list of all the HTTP requests grouped by host. We already know the domain, and the count of repetitions is shown next to it.
What is the IP address associated with the malicious domain?
Enter your answer in a defanged format.
tshark -r directory-curiosity.pcap -Y 'http.request' -T fields -e ip -e http.host | sort
Similar to the previous command, but now we add
- -e ip to show the source and destination IPs
(we can defang manually or use CyberChef)
(XX.XX.XX.XX -> XX[.]XX[.]XX[.]XX)
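Added example, not part of the walkthrough or the room: a small POSIX shell script that post-processes the host list printed by the tshark commands above (one http.host per request, blank lines for packets without the field), counts the requests per host, and defangs the most frequent one. The host names in SAMPLE_HOSTS are constructed placeholders. It uses sort -rn rather than the walkthrough's sort -r, so counts keep sorting correctly once they reach two digits.

```shell
#!/bin/sh
# Added example (not from the walkthrough): post-process the output of
#   tshark -r <pcap> -Y 'http.request' -T fields -e http.host
# Sample lines below are constructed; the host names are placeholders.

SAMPLE_HOSTS='benign.example.test
suspicious.example
suspicious.example

suspicious.example
cdn.benign.example.test
suspicious.example
'

# count_hosts: drop empty lines, count occurrences, sort by count descending.
# sort -rn sorts numerically; plain sort -r would put "9" above "10".
count_hosts() {
    printf '%s\n' "$1" | awk NF | sort | uniq -c | sort -rn
}

# defang: replace every dot with [.] so the indicator is neither clickable
# nor resolvable. Works for host names and IPv4 addresses alike.
defang() {
    printf '%s\n' "$1" | sed 's/\./[.]/g'
}

# top_host: the most frequently requested host, defanged.
top_host() {
    defang "$(count_hosts "$1" | head -n 1 | awk '{print $2}')"
}

# top_count: number of requests sent to the most frequent host.
top_count() {
    count_hosts "$1" | head -n 1 | awk '{print $1}'
}

# Demo on the constructed sample; for a real capture call the functions on
# the tshark output, e.g. count_hosts "$(tshark -r file.pcap -Y 'http.request' -T fields -e http.host)"
if [ "${1:-}" = "--demo" ]; then
    count_hosts "$SAMPLE_HOSTS"
    echo "top: $(top_host "$SAMPLE_HOSTS") ($(top_count "$SAMPLE_HOSTS") requests)"
fi
```

Run it with --demo to see the table on the constructed sample; the defanged value is what goes into the answer box.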
What is the server info of the suspicious domain?
tshark -r directory-curiosity.pcap -z follow,tcp,ascii,0 -q
In this case, by following TCP stream 0, we can see everything the server sent back.
- Search the output for the server info
Follow the "first TCP stream" in "ASCII".
Investigate the output carefully.
What is the number of listed files?
tshark -r directory-curiosity.pcap -z follow,tcp,ascii,0 -q
Same command as the previous task.
- The output gives us the HTML code of the page
- Copy the HTML code and preview it; the preview gives us the list of files
What is the filename of the first file?
Enter your answer in a defanged format.
Using the HTML code from before.
Export all HTTP traffic objects.
What is the name of the downloaded executable file?
Enter your answer in a defanged format.
Using the HTML code from before.
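Added example, not part of the walkthrough or the room, covering the server-info, listed-files, first-file and executable questions above: a POSIX shell script that parses the HTTP response seen when following the TCP stream and extracts the Server header and the file names from the directory listing, without pasting the HTML into a browser. SAMPLE_LISTING is constructed to mimic an Apache-style autoindex page; the server string and file names are placeholders, not the room's real artefacts.

```shell
#!/bin/sh
# Added example (not from the walkthrough): pull the server header and the
# file list out of a directory-listing response captured with
#   tshark -r <pcap> -z follow,tcp,ascii,0 -q
# The response below is constructed (Apache-style autoindex layout assumed);
# the server string and file names are placeholders.

SAMPLE_LISTING='HTTP/1.1 200 OK
Server: ExampleHTTPd/1.0 (placeholder)
Content-Type: text/html

<html><head><title>Index of /</title></head><body>
<h1>Index of /</h1>
<table>
<tr><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th></tr>
<tr><td><a href="/">Parent Directory</a></td><td>&nbsp;</td></tr>
<tr><td><a href="first-file.txt">first-file.txt</a></td><td>2021-01-01 00:00</td></tr>
<tr><td><a href="notes.pdf">notes.pdf</a></td><td>2021-01-01 00:00</td></tr>
<tr><td><a href="tool.exe">tool.exe</a></td><td>2021-01-01 00:00</td></tr>
</table></body></html>'

# listed_files: one file name per line, in page order. Drops the column-sort
# links (?C=...), the parent-directory link and subdirectory links (trailing /).
listed_files() {
    printf '%s\n' "$1" \
      | grep -o 'href="[^"]*"' \
      | sed 's/^href="//; s/"$//' \
      | grep -v '^?' \
      | grep -v '/$'
}

# count_listed_files: how many files the listing shows.
count_listed_files() {
    listed_files "$1" | wc -l | tr -d ' '
}

# first_file: the first listed file, defanged for the answer box.
first_file() {
    listed_files "$1" | head -n 1 | sed 's/\./[.]/g'
}

# executables: listed .exe files, defanged.
executables() {
    listed_files "$1" | grep -i '\.exe$' | sed 's/\./[.]/g'
}

# server_header: value of the first Server: response header (the "server info").
server_header() {
    printf '%s\n' "$1" | grep -i '^Server:' | head -n 1 | sed 's/^[Ss]erver: *//'
}

if [ "${1:-}" = "--demo" ]; then
    echo "server: $(server_header "$SAMPLE_LISTING")"
    echo "files:  $(count_listed_files "$SAMPLE_LISTING")"
    echo "first:  $(first_file "$SAMPLE_LISTING")"
    echo "exe:    $(executables "$SAMPLE_LISTING")"
fi
```

On a real capture, feed the follow-stream output in with server_header "$(tshark -r directory-curiosity.pcap -z follow,tcp,ascii,0 -q)" and so on; the filters only assume the listing uses href attributes and that sort links start with a question mark.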
What is the SHA256 value of the malicious file?
tshark -r directory-curiosity.pcap --export-objects http,./http/
sha256sum vlauto.exe
- To export http objects
sha256sum [file]
- To get the sha256 hash
Search the SHA256 value of the file on VirusTotal.
What is the "PEiD packer" value?
- A VirusTotal search is enough
Search the SHA256 value of the file on VirusTotal.
What does the "Lastline Sandbox" flag this as?
- A VirusTotal search is enough