TryHackMe: TShark Challenge 1: Teamwork Walkthrough (SOC Level 1) 

Welcome to this walkthrough of the Tshark Challenge 1: Teamwork Room on TryHackMe. In this challenge room we put our TShark skills into practice and analyse some network traffic.

TShark Challenge 1 – Teamwork

Room URL:
https://tryhackme.com/room/wiresharktrafficanalysis

I am making these walkthroughs to keep myself motivated to learn cyber security, and ensure that I remember the knowledge gained by these challenges on HTB and THM. Join me on learning cyber security. I will try and explain concepts as I go, to differentiate myself from other walkthroughs.


Task 1: Introduction

This room presents you with a challenge to investigate some traffic data as a part of the SOC team. Let’s start working with TShark to analyse the captured traffic. We recommend completing the TShark: The Basics and TShark: CLI Wireshark Features rooms first, which will teach you how to use the tool in depth. 

Start the VM by pressing the green Start Machine button attached to this task. The machine will start in split view, so you don’t need SSH or RDP. In case the machine does not appear, you can click the blue Show Split View button located at the top of this room.

NOTE: Exercise files contain real examples. DO NOT interact with them outside of the given VM. Direct interaction with samples and their contents (files, domains, and IP addresses) outside the given VM can pose security threats to your machine. 

Questions

Read the task above and start the attached VM.

Answer: No answer needed


Task 2: Case: Teamwork!

An alert has been triggered: “The threat research team discovered a suspicious domain that could be a potential threat to the organisation.”

The case was assigned to you. Inspect the provided teamwork.pcap located in ~/Desktop/exercise-files and create artefacts for detection tooling.

Your tools: TShark, VirusTotal.

Questions

Investigate the contacted domains. Investigate the domains by using VirusTotal. According to VirusTotal, there is a domain marked as malicious/suspicious. What is the full URL of the malicious/suspicious domain address in defanged format?

Are you ready? I am!

I tend to start these kinds of challenges by taking a quick look at the pcap file, reading it with the regular -r flag:

tshark -r teamwork.pcap --color

I added the --color flag to make the output easier to distinguish. Anyway, we have 793 packets:

TShark reading the pcap file

This is a large number, probably too large to go through manually, but a quick scroll through the output already shows an interesting domain in a DNS query:

Interesting domain

It is usually a good idea to look at some summary statistics as well, for example the protocol hierarchy:

tshark -r teamwork.pcap -z io,phs -q
Protocol Hierarchy

This gives a great overview of the packets and which protocols are in use. We see 33 DNS frames here, which we can look at more thoroughly by using some display filters.

Let's run a display filter on DNS A records (type 1). Note that this matches both the queries and their responses, because a response echoes the question section:

tshark -r teamwork.pcap -Y 'dns.qry.type == 1' --color | nl
15 DNS frames

We get 15 DNS frames (A queries and their responses), and we again see the suspicious-looking domain with its unusual concatenation of a brand name and a long string of words in front of the real registered domain. This is probably the answer! We can defang the URL by using CyberChef:

https://gchq.github.io/CyberChef/#recipe=Defang_URL(true,true,true,'Valid%20domains%20and%20full%20URLs')&input=d3d3LnBheXBhbC5jb200dXN3ZWJhcHBzcmVzZXRhY2NvdW50cmVjb3ZlcnkudGltZXNlYXdheXMuY29t

Note that we can also extract just the DNS query names, and count how often each one was looked up, by running a command like this:

tshark -r teamwork.pcap -T fields -e dns.qry.name | awk NF | sort | uniq -c | sort -nr
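The case asks us to create artefacts for detection tooling, so it is worth automating the last two steps (pull the query names and resolved addresses out of the DNS frames, then defang them). The following Python script is an added example of mine, not part of the room or the original walkthrough. It assumes the DNS frames were exported with a fields command such as tshark -r teamwork.pcap -Y dns -T fields -E separator='|' -e frame.number -e dns.flags.response -e dns.qry.name -e dns.a; the SAMPLE text inside the script is constructed to mirror that export using the frames listed in this walkthrough, WATCHED_BRANDS is a hypothetical watch-list, and the lookalike check (a brand name that appears in the hostname but not in the registered domain) is my heuristic, not something the room specifies.

```python
"""Turn TShark DNS field output into defanged IOC artefacts.

Added example, not part of the original walkthrough. Assumes an export of
the form:
  tshark -r teamwork.pcap -Y dns -T fields -E separator='|' \
    -e frame.number -e dns.flags.response -e dns.qry.name -e dns.a
SAMPLE below is constructed to mirror that export; no pcap is read.
"""
from collections import Counter

# Constructed sample: frame | response flag | query name | A answers.
# tshark joins multiple A records in one frame with ',' (default aggregator).
SAMPLE = """\
29|0|www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com|
39|1|www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com|184.154.127.226
437|0|www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com|
443|1|www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com|184.154.127.226
738|0|toolbarqueries.google.com|
741|1|toolbarqueries.google.com|172.217.7.228
742|1|toolbarqueries.google.com|216.58.217.100
"""

# Hypothetical watch-list of brands that phishing pages like to borrow.
WATCHED_BRANDS = ("paypal", "google", "microsoft", "apple")


def defang(value: str) -> str:
    """Replace every dot with [.] so the IOC cannot be clicked or resolved."""
    return value.replace(".", "[.]")


def registered_domain(name: str) -> str:
    """Last two labels of a name. Good enough for .com-style names; a real
    tool would consult the public suffix list for co.uk and friends."""
    return ".".join(name.rstrip(".").split(".")[-2:])


def impersonated_brand(name: str):
    """A watched brand that appears in the hostname but not in the
    registered domain, i.e. the brand is only decoration in a subdomain."""
    reg = registered_domain(name).lower()
    for brand in WATCHED_BRANDS:
        if brand in name.lower() and brand not in reg:
            return brand
    return None


def parse_fields(text: str):
    """Parse the '|'-separated export into (frame, is_response, qname, answers)."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        frame, resp, qname, answers = line.split("|")
        # Boolean fields print as 0/1 or False/True depending on tshark version.
        is_resp = resp in ("1", "True")
        rows.append((int(frame), is_resp, qname, [a for a in answers.split(",") if a]))
    return rows


def build_artefacts(text: str):
    """One record per queried name: defanged domain, query count,
    defanged resolved IPs and the brand it looks like (if any)."""
    rows = parse_fields(text)
    queries = Counter(qname for _, is_resp, qname, _ in rows if not is_resp)
    resolved = {}
    for _, is_resp, qname, answers in rows:
        if is_resp:
            resolved.setdefault(qname, set()).update(answers)
    return [
        {
            "domain": defang(qname),
            "queries": count,
            "ips": sorted(defang(ip) for ip in resolved.get(qname, ())),
            "impersonates": impersonated_brand(qname),
        }
        for qname, count in queries.most_common()
    ]


if __name__ == "__main__":
    for art in build_artefacts(SAMPLE):
        flag = f"  <-- lookalike of {art['impersonates']}" if art["impersonates"] else ""
        print(f"{art['queries']}x {art['domain']} -> {', '.join(art['ips'])}{flag}")
```

Run against the real export by replacing SAMPLE with the file contents; the defanged domain and IP lines can be pasted straight into a ticket or a blocklist without anyone accidentally resolving them.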

Answer: www[.]paypal[.]com4uswebappsresetaccountrecovery[.]timeseaways[.]com

When was the URL of the malicious/suspicious domain address first submitted to VirusTotal?

Go to VirusTotal and search on the found URL. You will get to the following result page:

https://www.virustotal.com/gui/url/16db0aadc2423a67cd3a01af39655146b0f15d20dc2fd0e14b325026d8d1717e

Go under Details, and here you can find the history of the URL on VirusTotal:

URL first submitted on VirusTotal

The URL was first submitted on the 17th of April 2017.

Answer: 2017-04-17 22:52:53 UTC

Which known service was the domain trying to impersonate?

This one is very obvious! The answer here is paypal, which is what the URL starts with, followed by a bunch of text.

Answer: PayPal

What is the IP address of the malicious domain? Enter your answer in defanged format.

We have already found the answer to this question earlier when we ran the following command:

tshark -r teamwork.pcap -Y 'dns.qry.type == 1' --color | nl

We found the following packets:

 1       29   3.877040 192.168.1.100  75.75.75.75  DNS 120 Standard query 0x6926 A www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com
 2       38   8.876570 192.168.1.100  75.75.75.75  DNS 120 Standard query 0x6926 A www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com
 3       39   8.965505  75.75.75.75  192.168.1.100 DNS 136 Standard query response 0x6926 A www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com A 184.154.127.226
 4      437 108.586825 192.168.1.100  75.75.75.75  DNS 120 Standard query 0x60ea A www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com
 5      438 108.586828 192.168.1.100  75.75.75.75  DNS 120 Standard query 0x32f6 A www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com
 6      443 108.673854  75.75.75.75  192.168.1.100 DNS 136 Standard query response 0x60ea A www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com A 184.154.127.226
 7      445 108.675070  75.75.75.75  192.168.1.100 DNS 136 Standard query response 0x32f6 A www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com A 184.154.127.226
 8      716 192.616682 192.168.1.100  75.75.75.75  DNS 120 Standard query 0x6aef A www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com
 9      719 192.616911 192.168.1.100  75.75.75.75  DNS 120 Standard query 0x38b9 A www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com
10      722 192.635487  75.75.75.75  192.168.1.100 DNS 136 Standard query response 0x6aef A www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com A 184.154.127.226
11      724 192.640405  75.75.75.75  192.168.1.100 DNS 136 Standard query response 0x38b9 A www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com A 184.154.127.226
12      738 236.083617 192.168.1.100  75.75.75.75  DNS 85 Standard query 0x4e6a A toolbarqueries.google.com
13      740 236.084019 192.168.1.100  75.75.75.75  DNS 85 Standard query 0x202d A toolbarqueries.google.com
14      741 236.100171  75.75.75.75  192.168.1.100 DNS 132 Standard query response 0x4e6a A toolbarqueries.google.com CNAME toolbarqueries.l.google.com A 172.217.7.228
15      742 236.106015  75.75.75.75  192.168.1.100 DNS 132 Standard query response 0x202d A toolbarqueries.google.com CNAME toolbarqueries.l.google.com A 216.58.217.100

Let’s focus on this specific packet:

6 443 108.673854 75.75.75.75  192.168.1.100 DNS 136 Standard query response 0x60ea A www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com A 184.154.127.226

Here’s what it all means (ignoring the 6 since this is just a count added by the nl command):

  1. Packet Number (443): The frame number, the unique identifier for the packet within the capture.
  2. Time (108.673854): The timestamp of the packet in seconds since the start of the capture. In this case it was captured approximately 108.67 seconds in.
  3. Source (75.75.75.75): The IP address of the DNS server that sent the response. This is a public resolver, in this case one operated by the ISP (Comcast), rather than an internal DNS server.
  4. Destination (192.168.1.100): The IP address of the machine that made the DNS request, a host on the internal network. It is the one that asked the resolver for this name.
  5. Protocol (DNS): The packet belongs to the DNS protocol, which translates domain names (like www.paypal.com) into IP addresses (like 184.154.127.226).
  6. Length (136): The total length of the frame in bytes as captured, so it includes the Ethernet, IP and UDP headers as well as the DNS message itself, not just the DNS response.
  7. Info (Standard query response 0x60ea): This packet is a DNS response. The transaction ID 0x60ea matches the query in frame 437, which is how the client pairs the answer with its question.
  8. Query (A www[.]paypal[.]com4uswebappsresetaccountrecovery[.]timeseaways[.]com): The question being answered, asking for an A record for the domain. An A record maps a name to an IPv4 address.
  9. Response (A 184.154.127.226): The actual answer, the A record for the domain, which resolves to 184.154.127.226. This is where the domain points and could be hosting the phishing content, which is why it is worth investigating further.

The final field is the one we are looking for!

Answer: 184[.]154[.]127[.]226

Another way through VirusTotal!

There is another way to find this answer. If you go to the VirusTotal page again, you will see that there is another entry for the same URL (just without the http://).

Another URL on VirusTotal

On this page you can open the Relations tab, where you can find the IP as well.

Finding the IP on VirusTotal

Remember, within cybersecurity there are often many ways to solve a problem!

What is the email address that was used? Enter your answer in defanged format. (format: aaa[at]bbb[.]ccc)

This one was a bit tougher. I started by looking for anything that might carry an email address in the HTTP traffic:

tshark -r teamwork.pcap -Y 'http contains ".com"'
Looking for email addresses

Near the top we see an interesting "login.php" packet. Time to investigate this. We can find the packet and dump its full dissection with the -V flag:

tshark -r teamwork.pcap -Y 'frame contains "login.php"' -V

You can also narrow it down like this, as some more experimenting shows we are dealing with a Gmail account:

tshark -r teamwork.pcap -Y 'http contains "gmail.com"' -V

The important thing here is the -V flag, which prints the full packet details rather than the one-line summary. Look through the data and you will find the following:

Email address found!

There we have an email! It seems the victim entered their details on this fake login page, and that is how their credentials got snatched!

Answer: johnny5alive[at]gmail[.]com
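Picking the address out of a -V dump by eye works for one packet, but for a ticket you want every address in the interesting frames, already in the aaa[at]bbb[.]ccc format the room asks for. The script below is an added example of mine, not code from the room or the original walkthrough. It assumes the -V output (for example from tshark -r teamwork.pcap -Y 'frame contains "login.php"' -V) has been saved to a text file; PAYLOAD is a constructed stand-in for such a dump of a form submission to a phishing login page, and the host, form field names, address and password in it are made up for this example.

```python
"""Extract e-mail addresses from decoded packet payloads and defang them.

Added example, not part of the original walkthrough. PAYLOAD is a
constructed imitation of a tshark -V dump; every value in it is made up.
"""
import re

PAYLOAD = """\
Hypertext Transfer Protocol
    POST /login.php HTTP/1.1\\r\\n
    Host: www.example-phish.test\\r\\n
    Content-Type: application/x-www-form-urlencoded\\r\\n
HTML Form URL Encoded: application/x-www-form-urlencoded
    Form item: "login_email" = "victim_user@example.com"
    Form item: "login_password" = "Spring2024!"
    Form item: "login_email" = "victim_user@example.com"
"""

# Deliberately permissive: we want recall on attacker-controlled input and
# a human reviews the results anyway.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def defang_email(addr: str) -> str:
    """Render user@host.tld as user[at]host[.]tld, the format the room asks for."""
    user, _, host = addr.partition("@")
    return f"{user}[at]{host.replace('.', '[.]')}"


def extract_emails(text: str):
    """Unique e-mail addresses in order of first appearance."""
    seen = []
    for match in EMAIL_RE.finditer(text):
        if match.group(0) not in seen:
            seen.append(match.group(0))
    return seen


def defanged_emails(text: str):
    """Defanged, de-duplicated addresses ready to paste into a report."""
    return [defang_email(addr) for addr in extract_emails(text)]


if __name__ == "__main__":
    for line in defanged_emails(PAYLOAD):
        print(line)
```

Feed it the saved -V output instead of PAYLOAD and it will list each address once; the duplicate form item in the sample shows the de-duplication, since a login form is often submitted more than once before the victim gives up.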

Congratulations! You have finished the first challenge room, but there is one more ticket before calling it a day: TShark Challenge II: Directory.

Great job! Nothing to do here 🙂

Answer: No answer needed


Congratulations on completing TShark Challenge 1: Teamwork!!!

Congratulations on completing TShark Challenge 1: Teamwork

Congratulations on completing this TShark challenge room. It was great to get some practical experience with TShark, as I found the previous rooms did not offer enough to make the knowledge stick. I hope you learned something as well!

Come back soon for more walkthroughs of rooms on TryHackMe and HackTheBox, and other Cybersecurity discussions.

Find more of my walkthroughs here.
