TShark I - Teamwork

TryHackMe Challenge Walkthrough

Challenge Overview

An alert has been triggered: “The threat research team discovered a suspicious domain that could be a potential threat to the organisation.”

The case was assigned to you. Inspect the provided teamwork.pcap located in ~/Desktop/exercise-files and create artefacts for detection tooling.

Q & A

Q1 What is the full URL of the malicious/suspicious domain address?

To start, open a terminal and change to the directory where the file is located (~/Desktop/exercise-files).

Then start using tshark. Let's recap what we learned: we want to extract a URL.

Bash:

tshark -r teamwork.pcap -T fields -e http.host | awk NF | sort -r | uniq -c | sort -r
tshark
  • -r teamwork.pcap -> read the capture file
  • -T fields -> print only the requested fields
    • -e http.host -> the Host header of each HTTP request
  • | awk NF -> remove empty lines
  • | sort -r -> sort so that uniq can group identical lines
  • | uniq -c -> show unique values, with the number of occurrences of each
  • | sort -r -> sort again so the most frequent host is at the top

The first one is definitely suspicious; check it on VirusTotal to confirm whether it is actually malicious.

Defang it with CyberChef and we get the first answer.

Answer

hxxp[://]www[.]paypal[.]com4uswebappsresetaccountrecovery[.]timeseaways[.]com/

Q2 When was the URL of the malicious/suspicious domain address first submitted to VirusTotal?

Go to the Details tab of the VirusTotal page we already opened and we get our answer.

Answer

2017-04-17 22:52:53 UTC

Q3 Which known service was the domain trying to impersonate?

Well, this is an easy one.

Answer

PayPal

Q4 What is the IP address of the malicious domain?

This time we want the IP address of the domain we just found, so we just add a second field:

  • dns.a -> the IPv4 address returned in the answer for this domain name

Bash:

tshark -r teamwork.pcap -T fields -e dns.qry.name -e dns.a | awk NF | sort -r | uniq -c | sort -r

Again, let's ask CyberChef to defang it (or put the [] around the dots yourself if you aren't that lazy!).

Answer

184[.]154[.]127[.]226

Q5 What is the email address that was used?

Now we need to get an email address.

I did a room on regex, so I could grep the regex for an email address from our file.

Bash:

tshark -r teamwork.pcap -V | grep -Eo '[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}'
  • -V -> verbose output, so the full packet dissection (including form fields) is printed
  • -Eo -> extended regular expression, print only the matching part
  • '[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}' -> the regular expression for an email address I saved during my study

And we have our email address.

I don't think we were meant to use this trick, so let's check this one properly.

Let's check for a POST request:

Bash:

tshark -r teamwork.pcap -Y 'http.request.method matches "POST"'

We get results. I would bet that our answer is in login.php, but let's extract something meaningful:

Bash:

tshark -r teamwork.pcap -Y 'http.request.method matches "POST"' -T fields -e text

And we get our email.

Answer

johnny5alive[at]gmail[.]com
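The manual steps above (count the tshark field output, pair each queried name with its A record, pull the email out of the verbose dissection, then defang everything in CyberChef) can be turned into one small script that produces the detection artefacts directly. The following is an added example written for this walkthrough, not part of the TryHackMe room or the tshark project: the sample tshark output it parses is constructed (only the domain, IP and email values come from the answers above), and the defanging mirrors CyberChef's conventions (http -> hxxp, :// -> [://], . -> [.], @ -> [at]).

```python
import re
from collections import Counter

# Constructed sample of `tshark -r teamwork.pcap -T fields -e dns.qry.name -e dns.a`
# output: one tab-separated line per packet; query packets have an empty dns.a column.
# Made up for this example, apart from the domain and IP found in the walkthrough.
SAMPLE_DNS_FIELDS = """\
www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com\t
www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com\t184.154.127.226

example-cdn.test\t
example-cdn.test\t192.0.2.10
www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com\t184.154.127.226
"""

# Constructed fragment of `tshark -V` output for the form POST (the password value
# and layout are made up; the email is the one from the walkthrough).
SAMPLE_VERBOSE = """\
Hypertext Transfer Protocol
    POST /login.php HTTP/1.1\\r\\n
    Host: www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com\\r\\n
HTML Form URL Encoded: application/x-www-form-urlencoded
    Form item: "email" = "johnny5alive@gmail.com"
    Form item: "password" = "REDACTED"
"""

# Same email regex the walkthrough greps with.
EMAIL_RE = re.compile(r'[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}')


def count_field_lines(text):
    """Equivalent of `awk NF | sort | uniq -c | sort -r`: drop empty lines, count, most frequent first."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    return Counter(lines).most_common()


def dns_answers(text):
    """Map each queried name to the set of A records seen in answer packets."""
    result = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _, addrs = line.partition("\t")
        for ip in addrs.split(","):  # tshark joins multiple A records with commas
            if ip:
                result.setdefault(name, set()).add(ip)
    return result


def extract_emails(verbose_text):
    """Pull every email-looking string out of a `tshark -V` dump, deduplicated."""
    return sorted(set(EMAIL_RE.findall(verbose_text)))


def defang(ioc):
    """Defang a URL, hostname, IP or email address the way CyberChef's Defang recipes do."""
    if ioc.startswith("http"):
        ioc = "hxxp" + ioc[4:]  # http -> hxxp, https -> hxxps
    ioc = ioc.replace("://", "[://]")
    ioc = ioc.replace("@", "[at]")
    ioc = ioc.replace(".", "[.]")
    return ioc


def build_iocs(dns_text, verbose_text):
    """Turn raw tshark output into defanged artefacts for detection tooling."""
    answers = dns_answers(dns_text)
    names_only = "\n".join(line.split("\t")[0] for line in dns_text.splitlines())
    top_name = count_field_lines(names_only)[0][0]  # most queried name, as in Q1
    return {
        "domain": defang(top_name),
        "ips": sorted(defang(ip) for ip in answers.get(top_name, ())),
        "emails": [defang(e) for e in extract_emails(verbose_text)],
    }


if __name__ == "__main__":
    for key, value in build_iocs(SAMPLE_DNS_FIELDS, SAMPLE_VERBOSE).items():
        print(f"{key}: {value}")
```

Feeding it real output is a matter of replacing the two constructed strings with the captured stdout of the tshark commands from the walkthrough; the defanged values are then safe to paste into a blocklist or a ticket without becoming clickable links.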

Conclusion

Nothing brings people together like shared network traffic and poor opsec.

$ Whoami

Cybersecurity learner, log nerd, and TryHackMe badge hoarder. Let’s connect on LinkedIn before I get pulled into another packet capture.