TShark II - Directory

TryHackMe Challenge Walkthrough

Challenge Overview

An alert has been triggered: “A user came across a poor file index, and their curiosity led to problems”.

The case was assigned to you. Inspect the provided directory-curiosity.pcap located in ~/Desktop/exercise-files and retrieve the artefacts to confirm that this alert is a true positive.

Q & A

Q1 What is the name of the malicious/suspicious domain?

As in TShark I, we start by looking for suspicious domains, i.e. the DNS query names in the capture:

Bash:

tshark -r directory-curiosity.pcap -T fields -e dns.qry.name | awk NF | sort | uniq -c | sort -rn

I guess jx2-bavuong[.]com looks quite suspicious.
Let's check the domains on VirusTotal and see which one is actually malicious,

and our winner is

Answer

jx2-bavuong[.]com

Q2 What is the total number of HTTP requests sent to the malicious domain?

This time we use the http.host field (with http.request.full_uri we could see the individual pages requested, but right now we are only after a number).

Bash:

tshark -r directory-curiosity.pcap -T fields -e http.host | awk NF | sort | uniq -c | sort -rn | grep -F jx2-bavuong.com

To check which pages were requested we could have used this command instead:

Bash:

tshark -r directory-curiosity.pcap -T fields -e http.request.full_uri | awk NF | sort | uniq -c | sort -rn | grep -F jx2-bavuong.com

but then we would need to sum the per-URI counts manually, which is way too much effort.

Answer

14

Q3 What is the IP address associated with the malicious domain?

For this answer we extract the IP address (field ip.dst) associated with our domain:

Bash:

tshark -r directory-curiosity.pcap -T fields -e http.host -e ip.dst | awk NF | sort | uniq -c | sort -rn | grep -F jx2-bavuong.com

Answer

141[.]164[.]41[.]174
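The per-URI counts from Q2 and the host-to-IP mapping from Q3 can be produced in a single pass with a little awk instead of adding up uniq -c lines by hand. The script below is an added example, not part of the original walkthrough: it assumes you dump http.host, ip.dst and http.request.full_uri once with tshark (tab-separated, which is the default for -T fields) and feed that text to the functions. The sample input is constructed with placeholder hosts and IPs, not values from the challenge capture.

```shell
#!/bin/sh
# Added example (not from the original walkthrough): aggregate tshark field
# output with awk so the per-host request total is computed, not summed by hand.
#
# Assumed workflow: dump three fields once, tab-separated (tshark's default
# separator for -T fields), then pipe that text through the functions below:
#
#   tshark -r directory-curiosity.pcap -Y http.request \
#          -T fields -e http.host -e ip.dst -e http.request.full_uri > requests.tsv
#   requests_per_host < requests.tsv
#
# `sample` is CONSTRUCTED to look like that output; the hosts and IPs are
# placeholders, not values from the challenge capture.
sample() {
    printf 'suspicious.example\t203.0.113.10\thttp://suspicious.example/\n'
    printf 'suspicious.example\t203.0.113.10\thttp://suspicious.example/\n'
    printf 'suspicious.example\t203.0.113.10\thttp://suspicious.example/payload.exe\n'
    printf 'benign.example\t198.51.100.7\thttp://benign.example/index.html\n'
}

# requests_per_host: total requests for every host together with the server IP,
# busiest host first (the Q2 and Q3 answers in one pass). Reads stdin.
requests_per_host() {
    awk -F'\t' 'NF >= 2 && $1 != "" { n[$1 "\t" $2]++ }
                END { for (k in n) print n[k] "\t" k }' | sort -rn
}

# uris_for_host: how often each URI on one host (argument 1) was requested,
# i.e. the breakdown the http.request.full_uri query gives you.
uris_for_host() {
    awk -F'\t' -v host="$1" 'NF >= 3 && $1 == host { n[$3]++ }
                             END { for (u in n) print n[u] "\t" u }' | sort -rn
}

# host_total: just the number for one host, 0 when the host never appears.
host_total() {
    awk -F'\t' -v host="$1" '$1 == host { c++ } END { print c + 0 }'
}

sample | requests_per_host
sample | uris_for_host suspicious.example
```

Filtering with -Y http.request before extracting fields keeps responses out of the count, so the total is the number of requests rather than the number of HTTP packets.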

Q4 What is the server info of the suspicious domain?

The server banner is in the http.server field; combine it with http.host or ip.dst to be sure the value belongs to our suspicious domain.

Answer

Apache/2.2.11 (Win32) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8i PHP/5.2.9

Q5 Follow the "first TCP stream" in "ASCII". Investigate the output carefully. What is the number of listed files?

In the TShark room we learned that the command to follow a TCP stream in ASCII is

(note: this is another way to get the server header, of course. Just follow the TCP stream!)

Bash:

tshark -r directory-curiosity.pcap -z follow,tcp,ascii,0 -q

and here are our files:
123.php
vlauto.exe
vlauto.php

Answer

3

Q6 What is the filename of the first file?

Answer

123[.]php

Q7 Export all HTTP traffic objects. What is the name of the downloaded executable file?

Well, we already know the answer without exporting anything, but let's follow the question.

Bash:

tshark -r directory-curiosity.pcap --export-objects http,/home/ubuntu/Desktop/export -q

and inside the new “export” folder on the desktop we find vlauto[.]exe

Answer

vlauto[.]exe

Q8 Search the SHA256 value of the file on VirusTotal. What is the "PEiD packer" value?

For this one, a quick sha256sum on the exported file, then look in the Details tab on VirusTotal.

Answer

.NET executable
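Hashing everything tshark exported and searching VirusTotal by hash (rather than uploading the sample) is the usual check at this step. The script below is an added example, not part of the original walkthrough: it assumes coreutils sha256sum is available and uses VirusTotal's file-report URL pattern (https://www.virustotal.com/gui/file/<sha256>). The demo directory and its file are constructed stand-ins for the export folder and the executable.

```shell
#!/bin/sh
# Added example (not from the original walkthrough): hash every object that
# `tshark --export-objects http,<dir>` wrote to a folder and print a VirusTotal
# lookup URL for each hash, so the analyst searches by hash instead of
# uploading the sample. Assumes `sha256sum` (coreutils) is available.

# sha256_of: print only the hex digest of one file.
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# vt_url_for_hash: VirusTotal file-report URL for a SHA-256 (no upload involved).
vt_url_for_hash() {
    printf 'https://www.virustotal.com/gui/file/%s\n' "$1"
}

# hash_exports: one line per regular file in the export directory:
#   <sha256>  <filename>  <lookup url>
hash_exports() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        h=$(sha256_of "$f")
        printf '%s  %s  %s\n' "$h" "$(basename "$f")" "$(vt_url_for_hash "$h")"
    done
}

# Demo on a CONSTRUCTED export folder: a harmless text file stands in for the
# downloaded executable; its hash is the well-known sha256 of "hello\n".
demo_dir=$(mktemp -d)
printf 'hello\n' > "$demo_dir/sample.bin"
hash_exports "$demo_dir"
```

On the real case, run hash_exports against the export folder you created in Q7 and paste the hash into VirusTotal's search; the Details tab then shows the PEiD packer value.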

Q9 Search the SHA256 value of the file on VirusTotal. What does the "Lastline Sandbox" flag this as?

On VirusTotal, move to the Behaviour tab and we can see that, along with CAPE and Zenbox, Lastline flags this one as a malware trojan.

Answer

MALWARE TROJAN

Conclusion

Another user’s curiosity led to malware — who could have guessed?

Thanks to tshark, I unraveled the digital breadcrumb trail they left behind. Remember, just because you can click on a suspicious file index doesn’t mean you should.

$ Whoami

Cybersecurity learner, log nerd, and TryHackMe badge hoarder. Let’s connect on LinkedIn before I get pulled into another packet capture.