Franciscomelov

TShark Challenge II: Directory write up - TryHackMe

https://tryhackme.com/r/room/tsharkchallengestwo

What is the name of the malicious/suspicious domain?
Enter your answer in a defanged format

tshark -r directory-curiosity.pcap -T fields -e http.host| awk NF | sort -r | uniq -c | sort -r

  • This gives a list of all the URLs (the HTTP hosts seen in the capture)
  • Scanning them with VirusTotal to look for the malicious/suspicious domain
  • One of them got flagged

What is the total number of HTTP requests sent to the malicious domain?

tshark -r directory-curiosity.pcap -Y 'http.request' -T fields -e http.host| awk NF | sort -r | uniq -c | sort -r

  • -Y 'http.request' to keep only HTTP requests
  • -e http.host to show only the URLs
  • | awk NF | sort -r | uniq -c | sort -r to make it pretty: drop the empty lines, then count how often each host appears
  • The output is a list of all the requested hosts with their request counts; we already know the domain, so its count is the answer

What is the IP address associated with the malicious domain?
Enter your answer in a defanged format.

tshark -r directory-curiosity.pcap -Y 'http.request' -T fields -e ip -e http.host | sort
Similar to the previous command, but now we add

  • -e ip to show source and destination IPs

(we can defang manually or use CyberChef)
(XX.XX.XX.XX -> XX[.]XX[.]XX[.]XX)
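The two steps above (count requests per host, then pull the IP and defang both) can be done in one pass over tshark's field output. This is an added example, not part of the original write-up: it assumes the output of `-T fields -e ip.dst -e http.host` (explicit fields rather than the `-e ip` used above), and the sample hosts and addresses are constructed, not the challenge's values.

```python
from collections import Counter, defaultdict

# Constructed sample of the tab-separated output of
#   tshark -r directory-curiosity.pcap -Y 'http.request' -T fields -e ip.dst -e http.host
# Hosts and addresses are made up; the blank line mimics a request with no
# fields, which `awk NF` drops in the original pipeline.
SAMPLE_FIELDS = (
    "10.0.0.5\texample-cdn.test\n"
    "10.0.0.5\texample-cdn.test\n"
    "192.0.2.77\tsuspicious-files.test\n"
    "192.0.2.77\tsuspicious-files.test\n"
    "\n"
    "192.0.2.77\tsuspicious-files.test\n"
    "10.0.0.9\tupdates.example.test\n"
)


def defang(indicator):
    """Replace every '.' with '[.]' so a domain or IP cannot be clicked or resolved by accident."""
    return indicator.replace(".", "[.]")


def summarize_requests(fields_output):
    """Return {host: (request_count, sorted destination IPs)}, skipping blank lines
    and requests without a Host value (the job of `awk NF` in the shell pipeline)."""
    counts = Counter()
    dst_ips = defaultdict(set)
    for line in fields_output.splitlines():
        parts = line.split("\t")
        if len(parts) != 2 or not parts[1]:
            continue  # blank line or request without a Host header
        dst_ip, host = parts
        counts[host] += 1
        dst_ips[host].add(dst_ip)
    return {host: (counts[host], sorted(dst_ips[host])) for host in counts}


def defanged_report(fields_output):
    """One line per host, most requested first, with host and IPs defanged for the write-up."""
    summary = summarize_requests(fields_output)
    ordered = sorted(summary.items(), key=lambda kv: -kv[1][0])
    return ["%5d  %s  %s" % (count, defang(host), ", ".join(defang(ip) for ip in ips))
            for host, (count, ips) in ordered]
```

`print("\n".join(defanged_report(SAMPLE_FIELDS)))` prints the same kind of table as the `uniq -c` pipeline, already defanged for pasting into an answer.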

What is the server info of the suspicious domain?

tshark -r directory-curiosity.pcap -z follow,tcp,ascii,0 -q
In this case, by following TCP stream 0 we get all the information sent by the server

  • Search the output for the server information

Follow the "first TCP stream" in "ASCII".
Investigate the output carefully.
What is the number of listed files?

tshark -r directory-curiosity.pcap -z follow,tcp,ascii,0 -q
Same command as the previous task

  • The output gives us HTML code
  • Copy the HTML code and preview it; the preview gives us a list of the files

What is the filename of the first file?
Enter your answer in a defanged format.

Using the HTML code from before.

Export all HTTP traffic objects.
What is the name of the downloaded executable file?
Enter your answer in a defanged format.

Using the HTML code from before.

What is the SHA256 value of the malicious file?

tshark -r directory-curiosity.pcap --export-objects http,./http/
sha256sum vlauto.exe

  • --export-objects http,./http/ exports the HTTP objects into the ./http/ directory
  • sha256sum [file] gives the SHA256 hash

Search the SHA256 value of the file on VirusTotal.
What is the "PEiD packer" value?

  • A virustotal search is enough

Search the SHA256 value of the file on VirusTotal.
What does the "Lastline Sandbox" flag this as?

  • A virustotal search is enough
