DEV Community πŸ‘©β€πŸ’»πŸ‘¨β€πŸ’»

DEV Community πŸ‘©β€πŸ’»πŸ‘¨β€πŸ’» is a community of 970,177 amazing developers

We're a place where coders share, stay up-to-date and grow their careers.

Create account Log in
Omri Bornstein
Omri Bornstein

Posted on • Updated on

TryHackMe TShark

TryHackMe TShark

References

Reading PCAP Files

How many packets are in the dns.cap file?

  • TShark's -r flag enable reading a PCAP file.
  • wc's -l flag counts the lines of a given input.
$ tshark -r dns.cap | wc -l
38
Enter fullscreen mode Exit fullscreen mode

Answer: 38

How many A records are in the capture (including responses)?

  • TShark's -Y "dns.qry.type == 1" is used to filter DNS A records.
$ tshark -r dns.cap -Y "dns.qry.type == 1" | wc -l
6
Enter fullscreen mode Exit fullscreen mode

Answer: 6

Which A record was present the most?

  • TShark's -T fields is used to specify the output's format.
  • TShark's -e dns.qry.name is specify which field to output.
$ tshark -r dns.cap -Y "dns.qry.type == 1" -T fields -e dns.qry.name
www.netbsd.org
www.netbsd.org
GRIMM.utelsystems.local
GRIMM.utelsystems.local
GRIMM.utelsystems.local
GRIMM.utelsystems.local
Enter fullscreen mode Exit fullscreen mode

Answer: GRIMM.utelsystems.local

DNS Exfil

How many packets are in this capture?

$ tshark -r task3.pcap | wc -l
125
Enter fullscreen mode Exit fullscreen mode

Answer: 125

How many DNS queries are in this PCAP (excluding responses)?

$ tshark -r task3.pcap -Y "dns.flags.response == 0" | wc -l
56
Enter fullscreen mode Exit fullscreen mode

Answer: 56

What is the DNS transaction ID of the suspicious queries (in hex)?

$ tshark -r task3.pcap -Y "dns.flags.response == 0" -T fields -e dns.id
0x0000beef
Enter fullscreen mode Exit fullscreen mode

Answer: 0x0000beef

What is the string extracted from the DNS queries?

$ tshark -r task3.pcap -Y "dns.flags.response == 0" -T fields -e dns.qry.name | cut -c1 | tr "\n" " " | sed 's/ //g'
MZWGCZ33ORUDC427NFZV65BQOVTWQX3XNF2GQMDVG5PXI43IGRZGWIL5
Enter fullscreen mode Exit fullscreen mode

Answer: MZWGCZ33ORUDC427NFZV65BQOVTWQX3XNF2GQMDVG5PXI43IGRZGWIL5

What is the flag?

$ echo 'MZWGCZ33ORUDC427NFZV65BQOVTWQX3XNF2GQMDVG5PXI43IGRZGWIL5' | base32 -d
flag{th1s_is_t0ugh_with0u7_tsh4rk!}
Enter fullscreen mode Exit fullscreen mode

Flag: flag{th1s_is_t0ugh_with0u7_tsh4rk!}

Top comments (0)

Update Your DEV Experience Level:

Settings

Go to your customization settings to nudge your home feed to show content more relevant to your developer experience level. πŸ›