TryHackMe: TShark Challenge 2: Directory Walkthrough (SOC Level 1) 

Welcome to this walkthrough of the TShark Challenge 2: Directory room on TryHackMe. This room continues the earlier TShark Challenge room on which I also made a walkthrough. Let’s continue with another fun challenge!

TShark Challenge 2 Banner

Room URL:
https://tryhackme.com/room/tsharkchallengestwo

I am making these walkthroughs to keep myself motivated to learn cyber security, and to ensure that I remember the knowledge gained from these challenges on HTB and THM. Join me in learning cyber security. I will try to explain concepts as I go, to differentiate myself from other walkthroughs.



Task 1: Introduction

This room presents you with a challenge to investigate some traffic data as a part of the SOC team. Let’s start working with TShark to analyse the captured traffic. We recommend completing the TShark: The Basics and TShark: CLI Wireshark Features rooms first, which will teach you how to use the tool in depth. 

Start the VM by pressing the green Start Machine button in this task. The machine will start in split view, so you don’t need SSH or RDP. In case the machine does not appear, you can click the blue Show Split View button located at the top of this room.

NOTE: Exercise files contain real examples. DO NOT interact with them outside of the given VM. Direct interaction with samples and their contents (files, domains, and IP addresses) outside the given VM can pose security threats to your machine. 

Questions

Read the task above and start the attached VM.

Answer: No answer needed


Task 2: Case: Directory Curiosity!

An alert has been triggered: “A user came across a poor file index, and their curiosity led to problems”.

The case was assigned to you. Inspect the provided directory-curiosity.pcap located in ~/Desktop/exercise-files and retrieve the artefacts to confirm that this alert is a true positive.

Your tools: TShark, VirusTotal.

Questions

Investigate the DNS queries. Investigate the domains by using VirusTotal. According to VirusTotal, there is a domain marked as malicious/suspicious. What is the name of the malicious/suspicious domain? Enter your answer in a defanged format.

We will start by simply reading the pcap file with TShark to get a quick view of the data we are working with:

tshark -r directory-curiosity.pcap --color
Directory curiosity packets

There are 472 packets, which once more is a lot to handle manually. I did not notice anything while quickly looking at the data, so let’s get working with some statistics data.

We can look at the Protocol Hierarchy to get a quick overview of the packets and their protocols:

tshark -r directory-curiosity.pcap -z io,phs -q
Protocol Hierarchy

This gives a great overview over the packets, and which protocols are in use. A lot of traffic is using UDP, especially for services like NBNS, SSDP, and DNS. TCP traffic is significant, with HTTP and TLS making up the bulk of the payloads (likely indicating web traffic).

We also see 14 DNS frames here, and since DNS is the subject of this question we can look at these more thoroughly by using some display filters.

Let’s run a display filter to filter on all DNS packets:

tshark -r directory-curiosity.pcap -Y dns --color | nl
DNS packets

We see a bunch of query names here, which we can see in a list by running:

tshark -r directory-curiosity.pcap -T fields -e dns.qry.name | awk NF | sort -r | uniq -c | sort -r
Query name list

The domains are as follows:

  8 isatap
  4 www.bing.com
  2 r20swj13mr.microsoft.com
  2 ocsp.digicert.com
  2 jx2-bavuong.com
  2 iecvlist.microsoft.com
  2 api.bing.com

I then proceeded by checking the relevant domains in VirusTotal. All but one seem to be legit. The suspicious domain is the 5th on the list.

VirusTotal info malicious domain

Answer: jx2-bavuong[.]com

What is the total number of HTTP requests sent to the malicious domain?

In the above DNS traffic we can see the following DNS packet on the malicious domain:

2 12 2.098611 192.168.100.2  192.168.100.116 DNS 91 Standard query response 0x82a6 A jx2-bavuong.com A 141.164.41.174

This shows that the domain resolves to the IP 141[.]164[.]41[.]174. Knowing this, we can look at the HTTP packets sent to the malicious domain by looking at all the ip.dst field values for all HTTP requests:

tshark -r directory-curiosity.pcap -Y "http.request" -T fields -e ip.dst
HTTP requests and IP destinations

Alternatively, you can look at the http.request.full_uri values (as the hint suggests):

tshark -r directory-curiosity.pcap -Y "http.request" -T fields -e http.request.full_uri
URI list

Alternatively, you can use a display filter to search for the destination IP:

tshark -r directory-curiosity.pcap -Y "http.request && ip.dst == 141.164.41.174"
Packets with HTTP destination IP address set to the malicious IP

Whatever method you pick, the answer is 14.

Answer: 14
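The counting done above by eye can be scripted. The following is an added example (not from the room or the walkthrough's own commands): it takes the tab-separated output that `tshark -Y "http.request" -T fields -e ip.dst -e http.host -e http.request.uri` produces, tallies requests per destination, and defangs the indicators for the report. The sample output embedded below is constructed for illustration; the function and variable names are my own.

```python
"""Tally HTTP requests per destination from TShark field output and defang
the indicators for reporting. Added example; assumes the tab-separated lines
produced by:
  tshark -r directory-curiosity.pcap -Y "http.request" \
         -T fields -e ip.dst -e http.host -e http.request.uri
"""
import re
from collections import Counter

# Constructed sample of TShark field output (values for illustration only).
SAMPLE_OUTPUT = """\
141.164.41.174\tjx2-bavuong.com\t/
141.164.41.174\tjx2-bavuong.com\t/123.php
141.164.41.174\tjx2-bavuong.com\t/vlauto.exe
204.79.197.200\twww.bing.com\t/
141.164.41.174\tjx2-bavuong.com\t/vlauto.php
"""


def defang(indicator: str) -> str:
    """Defang an IP, domain, filename or URL: hxxp scheme and [.] dots."""
    indicator = re.sub(r"^http(s?)://", r"hxxp\1://", indicator)
    return indicator.replace(".", "[.]")


def parse_requests(output: str):
    """Yield (ip_dst, host, uri) tuples from tshark -T fields output."""
    for line in output.splitlines():
        if not line.strip():
            continue  # tshark emits an empty line when a frame has none of the fields
        fields = line.split("\t")
        fields += [""] * (3 - len(fields))  # pad when a field is absent
        yield tuple(fields[:3])


def requests_per_destination(output: str) -> Counter:
    """Count HTTP requests per (ip_dst, host) pair."""
    return Counter((ip, host) for ip, host, _ in parse_requests(output))


def triage(output: str, malicious_ip: str) -> dict:
    """Summarise requests to the malicious IP with defanged indicators."""
    rows = [r for r in parse_requests(output) if r[0] == malicious_ip]
    hosts = sorted({host for _, host, _ in rows})
    return {
        "ip": defang(malicious_ip),
        "hosts": [defang(h) for h in hosts],
        "request_count": len(rows),
        "uris": [defang(f"http://{host}{uri}") for _, host, uri in rows],
    }


if __name__ == "__main__":
    print(triage(SAMPLE_OUTPUT, "141.164.41.174"))
```

On the real capture, pipe the tshark output into `triage()` and the `request_count` for the malicious IP is the answer to this question.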

What is the IP address associated with the malicious domain? Enter your answer in a defanged format.

Whoops! I already answered this question. As discussed before, we can see the IP address in the following DNS packet (the resolved IP is the final IP value).

2 12 2.098611 192.168.100.2  192.168.100.116 DNS 91 Standard query response 0x82a6 A jx2-bavuong.com A 141.164.41.174

Answer: 141[.]164[.]41[.]174

What is the server info of the suspicious domain?

Ok. It is time for some serious TShark ninja skills. Are you ready? Let’s use display filters combined with some column extractions. The field we are most interested in is http.server, which often includes web server details (e.g., Apache/2.4.41 (Ubuntu)).

Look at the following command:

tshark -r directory-curiosity.pcap -Y "http.response && ip.src == 141.164.41.174" -T fields -e ip.dst -e http.host -e http.server

We read the pcap file, filter on both responses (remember the server is sending the server info in a response to the client) and the SOURCE IP address. Finally, we extract the destination IP, host info and server info.

Server info of suspicious domain

Each of the packets includes the expected server info.

Answer: Apache/2.2.11 (Win32) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8i PHP/5.2.9

Follow the “first TCP stream” in “ASCII”. Investigate the output carefully. What is the number of listed files?

Remember how to follow a TCP stream in TShark? We learned this back in the second TShark room:

tshark -r directory-curiosity.pcap -z follow,tcp,ascii,0 -q
Listed three files

I thought this question was a bit hard to answer, since there are other files mentioned in the conversation (such as text.gif), but I think THM expects the following three files:

  • 123.php
  • vlauto.exe
  • vlauto.php

Whether these are the three files meant, I am not sure, but the answer is 3.

Answer: 3

What is the filename of the first file? Enter your answer in a defanged format.

The filename of the first file is 123.php.

Answer: 123[.]php

Export all HTTP traffic objects. What is the name of the downloaded executable file? Enter your answer in a defanged format.

We learned in the second TShark room how to do this. We are interested in HTTP objects, so the command is:

tshark -r directory-curiosity.pcap --export-objects http,/home/ubuntu/Desktop/extracted-by-tshark -q
HTTP Traffic Objects

The executable file is called vlauto.exe.

Answer: vlauto[.]exe

What is the SHA256 value of the malicious file?

To find this answer we can use the sha256sum command:

sha256sum vlauto.exe

The answer is b4851333efaf399889456f78eac0fd532e9d8791b23a86a19402c1164aed20de.

Answer: b4851333efaf399889456f78eac0fd532e9d8791b23a86a19402c1164aed20de

Search the SHA256 value of the file on VirusTotal. What is the “PEiD packer” value?

Searching on VirusTotal will lead you to the following url:

https://www.virustotal.com/gui/file/b4851333efaf399889456f78eac0fd532e9d8791b23a86a19402c1164aed20de

It definitely is confirmed malicious, and is identified as a Bluebot trojan. To find the answer on the question we can visit the Details pane:

PEiD packer

In case you are wondering, PEiD is a feature-packed application that can scan PE files and identify packers and compilers. The PEiD value is .NET executable.

Answer: .NET executable

Search the SHA256 value of the file on VirusTotal. What does the “Lastline Sandbox” flag this as?

You can find this on the Behaviour pane:

Sandbox Lastline flag

The Lastline sandbox flags this as a malware trojan.

Answer: MALWARE TROJAN


Congratulations on completing TShark Challenge 2: Directory!!!

Congratulations on completing the TShark Challenge 2: Directory room. I loved how this uses even more of the techniques learned in the TShark theory rooms. I hope you got a feel for how a real SOC analyst would start investigating traffic and use tools such as VirusTotal to confirm suspicions.

Come back soon for more walkthroughs of rooms on TryHackMe and HackTheBox, and other Cybersecurity discussions.

Find more of my walkthroughs here.

Like my articles?

You are welcome to comment on this post, or share my post with friends. I would be even more grateful if you support me by buying me a cup of coffee:

Buy me a coffee

I learned a lot through HackTheBox’s Academy. If you want to sign up, you can get extra cubes, and support me in the process, if you use the following link:

https://referral.hackthebox.com/mzwwXlg
