TShark Challenge I : Teamwork | Tryhackme walkthrough

👋 Hi, I’m Umamaheswari. Through this blog, I share visual walkthroughs and hands-on investigations on PCAP, phishing, Splunk, ELK, malware, and digital forensics, based on labs from TryHackMe, HackTheBox and CyberDefenders. Feel free to connect or ask questions; I am more than happy to help.

Task 1 Introduction

This room presents you with a challenge to investigate some traffic data as a part of the SOC team. Let's start working with TShark to analyse the captured traffic. We recommend completing the TShark: The Basics and TShark: CLI Wireshark Features rooms first, which will teach you how to use the tool in depth.

Start the VM by pressing the green Start Machine button attached to this task. The machine will start in split view, so you don't need SSH or RDP. In case the machine does not appear, you can click the blue Show Split View button located at the top of this room.

NOTE: Exercise files contain real examples. DO NOT interact with them outside of the given VM. Direct interaction with samples and their contents (files, domains, and IP addresses) outside the given VM can pose security threats to your machine.

Read the task above and start the attached VM.

Task 2 Case: Teamwork!

An alert has been triggered: "The threat research team discovered a suspicious domain that could be a potential threat to the organisation."

The case was assigned to you. Inspect the provided teamwork.pcap located in ~/Desktop/exercise-files and create artefacts for detection tooling.

Your tools: TShark, VirusTotal.

Answer the questions below

Investigate the contacted domains.
Investigate the domains by using VirusTotal.
According to VirusTotal, there is a domain marked as malicious/suspicious.

  1. What is the full URL of the malicious/suspicious domain address?

Enter your answer in defanged format.

Ans: hxxp[://]www[.]paypal[.]com4uswebappsresetaccountrecovery[.]timeseaways[.]com/

The host 192.168.1.100 keeps querying the DNS server for a suspicious domain.

Alternatively, by filtering packets on the dns.qry.name field we can list the exact domain names that were requested and see how many times each one was sent to the DNS server.


  2. When was the URL of the malicious/suspicious domain address first submitted to VirusTotal?

Ans: 2017-04-17 22:52:53 UTC

  3. Which known service was the domain trying to impersonate?

Ans: paypal


  4. What is the IP address of the malicious domain?

Enter your answer in defanged format.

Ans: 184[.]154[.]127[.]226

In the capture we can see hosts sending DNS queries to the DNS server, asking for the IP address of specific domains, and the DNS response packets that carry the resolved IPs.

Alternatively, we can analyse the activity in a more structured way by extracting specific fields: frame.number, frame.time, ip.src, ip.dst, dns.qry.name and dns.qry.type identify the DNS requests, the responses and the IPs involved, and the address returned for the suspicious domain sits in the dns.a field of the response.
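As an added example (these are not the room's or the author's own commands), the two DNS steps above, counting how often each name was queried and reading the address the resolver returned, can be scripted once the tshark field output is on stdin. The tshark invocation that would produce the input is shown in a comment; the sample lines themselves are constructed, and the frame numbers, the resolver address 192.168.1.1, www.example.com and 192.0.2.10 are assumptions rather than values from teamwork.pcap.

```shell
#!/bin/sh
# Added example (not from the room or the blog): post-process tshark DNS field
# output to find the most-queried name and the address it resolved to.
# In the VM the real input would come from:
#   tshark -r teamwork.pcap -Y dns -T fields \
#          -e frame.number -e ip.src -e ip.dst -e dns.flags.response -e dns.qry.name -e dns.a
# The lines below are CONSTRUCTED in that shape (tab-separated, one packet per line);
# frame numbers, the resolver 192.168.1.1, www.example.com and 192.0.2.10 are assumptions.
sample_dns() {
    fmt='%s\t%s\t%s\t%s\t%s\t%s\n'
    printf "$fmt" 10 192.168.1.100 192.168.1.1 0 www.example.com ''
    printf "$fmt" 11 192.168.1.1 192.168.1.100 1 www.example.com 192.0.2.10
    printf "$fmt" 20 192.168.1.100 192.168.1.1 0 www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com ''
    printf "$fmt" 21 192.168.1.1 192.168.1.100 1 www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com 184.154.127.226
    printf "$fmt" 35 192.168.1.100 192.168.1.1 0 www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com ''
    printf "$fmt" 36 192.168.1.1 192.168.1.100 1 www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com 184.154.127.226
    printf "$fmt" 52 192.168.1.100 192.168.1.1 0 www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com ''
}

# Count queries (dns.flags.response == 0) per queried name, most queried first.
query_counts() {
    awk -F'\t' '$4 == "0" { c[$5]++ }
                END { for (n in c) printf "%d %s\n", c[n], n }' | sort -k1,1nr -k2,2
}

# Print the unique A records the server returned for one name.
# dns.a holds several comma-separated addresses when a response carries more than one.
resolved_ips() {
    awk -F'\t' -v name="$1" '
        $4 == "1" && $5 == name && $6 != "" {
            n = split($6, a, ","); for (i = 1; i <= n; i++) print a[i]
        }' | sort -u
}

# Defang a URL, hostname, IP or e-mail into the format the room asks for.
defang() {
    sed -e 's#^http#hxxp#' -e 's#://#[://]#' -e 's/\./[.]/g' -e 's/@/[at]/g'
}

# Stand-alone demo: most-queried name, its resolved address, both defanged.
sample_dns | query_counts
top=$(sample_dns | query_counts | awk 'NR == 1 { print $2 }')
sample_dns | resolved_ips "$top" | defang
printf 'http://%s/\n' "$top" | defang
```

On the VM, replace the sample_dns function with the tshark command from the comment piped into the same functions; the filter -Y dns keeps the output to DNS packets only, so a large capture does not swamp awk.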


  5. What is the email address that was used?

Enter your answer in defanged format. (format: aaa[at]bbb[.]ccc)

Ans: johnny5alive[at]gmail[.]com

Let’s first track the conversations with the conv,ip statistic to see which endpoints are talking to each other in the given pcap.

To read their conversations over HTTP, focus on the streams:

  • Include the requested URLs, HTTP methods, timestamps and frame numbers.

Use -V for verbose output so that each packet’s details are readable.

Follow the TCP streams:

  • Find the frame number containing the relevant data (e.g., the POST to login.php).

  • Use that frame’s TCP stream ID to reconstruct the full HTTP conversation.

Alternatively, use grep on the verbose output to find the email address directly.
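As an added example (not the room's or the author's own commands), the stream-following procedure above can be scripted end to end: take the tcp.stream id of the POST from the tshark field listing, then pull the e-mail address out of the reconstructed client side of that stream. The tshark commands that would produce the real input are shown in comments; the listing and the follow output below are constructed in the shape tshark prints, and the stream id 7, the client port, the form field names and the password value are assumptions. One caveat a practitioner should expect: phishing kits post the form URL-encoded, so the "@" often arrives as %40, and a plain grep for "@" then misses it; the extractor decodes that first.

```shell
#!/bin/sh
# Added example (not from the room or the blog): find the POST's tcp.stream id,
# reconstruct that stream and extract the submitted e-mail address.
# In the VM the real steps would be:
#   tshark -r teamwork.pcap -Y 'http.request.method == "POST"' \
#          -T fields -e frame.number -e tcp.stream -e http.request.full_uri
#   tshark -r teamwork.pcap -q -z follow,tcp,ascii,<stream id>
# Everything below is CONSTRUCTED in the shape of that output; the stream id 7,
# the client port, the form field names and the password value are assumptions.

# Step 1: the POST listing as tshark -T fields prints it (tab-separated).
sample_posts() {
    printf '%s\t%s\t%s\n' 140 7 \
        http://www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com/login.php
}

# Pick the tcp.stream id of the first POST whose URI matches an awk regex.
stream_for_uri() {
    awk -F'\t' -v pat="$1" '$3 ~ pat { print $2; exit }'
}

# Step 2: the follow output for that stream, as -z follow,tcp,ascii prints it:
# client bytes flush left, server bytes indented with a tab.
sample_stream() {
    printf '%s\n' '===================================================================' \
        'Follow: tcp,ascii' 'Filter: tcp.stream eq 7' \
        'Node 0: 192.168.1.100:49827' 'Node 1: 184.154.127.226:80' \
        'POST /login.php HTTP/1.1' \
        'Host: www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com' \
        'Content-Type: application/x-www-form-urlencoded' \
        'Content-Length: 59' '' \
        'login_email=johnny5alive%40gmail.com&login_password=notreal'
    printf '\t%s\n' 'HTTP/1.1 302 Found' 'Location: https://www.paypal.com/' 'Content-Length: 0' ''
    printf '%s\n' '==================================================================='
}

# Keep only the client-side bytes (unindented lines) and drop the follow header:
# the victim's form submission is on the client side.
client_bytes() {
    awk '!/^\t/ && !/^(=|Follow:|Filter:|Node )/'
}

# Extract e-mail addresses. Form bodies are URL-encoded, so "@" arrives as %40 and
# "." may arrive as %2E; decode those two before matching (a full decoder would
# handle every %XX sequence).
extract_emails() {
    sed -e 's/%40/@/g' -e 's/%2[Ee]/./g' \
      | grep -oE '[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}' \
      | sort -u
}

# Defang for the report format the room asks for (aaa[at]bbb[.]ccc).
defang() {
    sed -e 's/\./[.]/g' -e 's/@/[at]/g'
}

# Stand-alone demo.
sid=$(sample_posts | stream_for_uri 'login[.]php$')
echo "POST to login.php is in tcp.stream $sid"
sample_stream | client_bytes | extract_emails | defang
```

On the VM, the first tshark command replaces sample_posts and the second, with the stream id it found, replaces sample_stream; the rest of the pipeline is unchanged.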

Congratulations! You have finished the first challenge room, but there is one more ticket before calling it a day!