DEV Community

Franciscomelov

TShark Challenge II: Directory write up - TryHackMe

https://tryhackme.com/r/room/tsharkchallengestwo

What is the name of the malicious/suspicious domain?
Enter your answer in a defanged format

tshark -r directory-curiosity.pcap -T fields -e http.host | awk NF | sort | uniq -c | sort -rn

  • I got a list of all the URLs
  • Scanning them with VirusTotal to look for the malicious/suspicious domain
  • One of them got flagged

What is the total number of HTTP requests sent to the malicious domain?

tshark -r directory-curiosity.pcap -Y 'http.request' -T fields -e http.host | awk NF | sort | uniq -c | sort -rn

  • -Y 'http.request' keeps only the HTTP requests (without the filter every packet in the capture produces a line, blank for anything that has no Host header)
  • -e http.host prints only the Host header, i.e. the hostname each request was sent to
  • | awk NF | sort | uniq -c | sort -rn drops the blank lines, counts each hostname and lists the busiest first (-n sorts the counts numerically, so 12 lands above 9; a plain sort -r compares them as strings)
  • The output is one line per hostname with its request count; we already know the malicious domain from the previous task, so its count is the answer

What is the IP address associated with the malicious domain?
Enter your answer in a defanged format.

tshark -r directory-curiosity.pcap -Y 'http.request' -T fields -e ip.dst -e http.host | sort | uniq -c

Similar to the previous command, but now we add

  • -e ip.dst to print the destination IP next to each hostname (the original used -e ip, which dumps the whole IP layer with both addresses; since these are requests, the destination is the server behind the domain)

(defang manually or with CyberChef's "Defang IP Addresses" recipe: XX.XX.XX.XX -> XX[.]XX[.]XX[.]XX)
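The three commands above all end in the same hand-rolled post-processing, so here, as an added example that is not part of the original write-up, are those steps as reusable shell functions: counting requests per host, finding the IP behind a host, and defanging the result. The functions read tshark field output from stdin; tshark itself is not run here, and the sample data emitted by sample_fields is constructed (documentation addresses and example.net/example.org names), not the room's capture.

```shell
#!/bin/sh
# Added example (not code from the original write-up): the text-processing
# half of the tshark pipelines, as shell functions. Feed them the output of
#   tshark -r directory-curiosity.pcap -Y 'http.request' -T fields -e ip.dst -e http.host
# on stdin. sample_fields below is a constructed stand-in for that output so
# the script runs without the capture.

# count_hosts: requests per (destination IP, Host header), most frequent first.
# Empty hosts are dropped (what `awk NF` does in the write-up) and the sort is
# numeric (-rn): a plain `sort -r` compares "9" and "12" as strings and would
# list the 9 first.
count_hosts() {
    awk -F'\t' 'NF == 2 && $2 != "" { c[$1 "\t" $2]++ }
                END { for (k in c) print c[k] "\t" k }' | sort -rn
}

# requests_to HOST: how many requests carried "Host: HOST".
requests_to() {
    awk -F'\t' -v h="$1" '$2 == h { n++ } END { print n + 0 }'
}

# ips_of HOST: the distinct destination IPs those requests went to, one per
# line (a host can resolve to more than one address within a capture).
ips_of() {
    awk -F'\t' -v h="$1" '$2 == h { print $1 }' | sort -u
}

# defang VALUE: dots become [.] and http(s):// becomes hxxp(s)://, the same
# transformation as CyberChef's Defang IP/URL recipes, safe to paste in a report.
defang() {
    printf '%s\n' "$1" | sed -e 's/\./[.]/g' -e 's#^http://#hxxp://#' -e 's#^https://#hxxps://#'
}

# sample_fields: constructed stand-in for the tshark output (not data from the
# room's pcap): 12 requests to one host, 9 to another, and one line with no
# Host header. Addresses are from documentation/private ranges.
sample_fields() {
    i=0
    while [ "$i" -lt 12 ]; do
        printf '%s\t%s\n' 10.0.0.5 update.example.net
        i=$((i + 1))
    done
    i=0
    while [ "$i" -lt 9 ]; do
        printf '%s\t%s\n' 203.0.113.9 files.example.org
        i=$((i + 1))
    done
    printf '%s\t%s\n' 10.0.0.5 ''
}

# Stand-alone run: the same three questions as the write-up, on the sample.
sample_fields | count_hosts
sample_fields | requests_to update.example.net
sample_fields | ips_of update.example.net | while read -r ip; do defang "$ip"; done
defang 'http://update.example.net/vlauto.exe'
```

On the real capture, replace `sample_fields` with the tshark command from the comment; the functions do not care where the two tab-separated columns come from.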

What is the server info of the suspicious domain?

tshark -r directory-curiosity.pcap -z follow,tcp,ascii,0 -q

Following TCP stream 0 in ASCII prints the full request and response of the first conversation (-q suppresses the per-packet output); the server identifies itself in the Server: header of the response.

  • Search the output for the Server: line

Follow the "first TCP stream" in "ASCII".
Investigate the output carefully.
What is the number of listed files?

tshark -r directory-curiosity.pcap -z follow,tcp,ascii,0 -q
Same command as the previous task

  • The response body is the HTML of a directory listing
  • Copy the HTML and render it (or count the <a href= entries); the rendered page is the list of files

What is the filename of the first file?
Enter your answer in a defanged format.

Using the HTML code from before: the first entry in the listing, with the dot in the name defanged (name[.]ext).
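Rather than pasting the followed stream into a browser, the server info (previous task) and the directory listing (this task) can be pulled out of the raw stream with sed and grep. The following is an added example, not code from the write-up: sample_stream is a constructed follow-stream transcript in the style of a Python http.server directory index and is not the response from the room's pcap; the file names in it are made up.

```shell
#!/bin/sh
# Added example (not from the original write-up): parse the output of
#   tshark -r directory-curiosity.pcap -z follow,tcp,ascii,0 -q
# instead of rendering it by hand. Pipe that output (or a saved .html) to the
# functions below; sample_stream is a constructed stand-in for it.

# list_files: print the href target of every <a> in the body, one per line,
# skipping the sort-column links (?C=...), the parent-directory link and
# sub-directories (trailing /). grep -o emits one match per line, so several
# anchors on one HTML line are handled.
list_files() {
    grep -o '<a href="[^"]*"' \
    | sed 's/^<a href="//; s/"$//' \
    | grep -v -e '^?' -e '^\.\.$' -e '^\.\./$' -e '/$'
}

# count_files / first_file: the two values the room asks for.
count_files() { list_files | awk 'END { print NR }'; }
first_file()  { list_files | head -n 1; }

# server_header: the Server: value from the response. A trailing CR is removed
# in case the header line still carries its \r\n ending.
server_header() { tr -d '\r' | sed -n 's/^Server: //p' | head -n 1; }

# sample_stream: constructed follow-stream transcript (request, response
# headers, then the index body). Not the real capture; names are invented.
sample_stream() {
    cat <<'EOF'
GET / HTTP/1.1
Host: files.example.org
User-Agent: curl/7.74.0

HTTP/1.1 200 OK
Server: SimpleHTTP/0.6 Python/3.9.2
Content-Type: text/html; charset=utf-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html><head><title>Directory listing for /</title></head>
<body><h2>Directory listing for /</h2><hr><ul>
<li><a href="?C=N;O=D">Name</a> <a href="?C=M;O=A">Last modified</a></li>
<li><a href="../">Parent Directory</a></li>
<li><a href="backup/">backup/</a></li>
<li><a href="first.bin">first.bin</a></li>
<li><a href="notes.txt">notes.txt</a></li>
<li><a href="tool.exe">tool.exe</a></li>
</ul><hr></body></html>
EOF
}

# Stand-alone run on the sample.
sample_stream | server_header
sample_stream | count_files
sample_stream | first_file
sample_stream | list_files
```

If the listing you are looking at was generated by a different server, check what its anchors look like before trusting the count: the filters above are written for the Apache and Python http.server index formats, where directories end in "/" and the sort links start with "?".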

Export all HTTP traffic objects.
What is the name of the downloaded executable file?
Enter your answer in a defanged format.

Using the HTML code from before: the executable is the .exe entry in the listing (the export in the next task produces a file with the same name).

What is the SHA256 value of the malicious file?

tshark -r directory-curiosity.pcap --export-objects http,./http/
sha256sum ./http/vlauto.exe

  • --export-objects http,./http/ writes every object transferred over HTTP into the ./http/ directory
  • sha256sum [file] prints the SHA256 hash of the exported executable

Search the SHA256 value of the file on VirusTotal.
What is the "PEiD packer" value?

  • Searching the hash on VirusTotal is enough; the PEiD packer field is in the file's details

Search the SHA256 value of the file on VirusTotal.
What does the "Lastline Sandbox" flag this as?

  • Searching the hash on VirusTotal is enough; the Lastline Sandbox verdict is among the sandbox/behaviour reports
