
TShark Challenge II: Directory Tryhackme Walkthrough

👋Hi, I’m Umamaheswari. Through this blog, I share visual walkthroughs and hands-on investigations on PCAP, phishing, Splunk, ELK, malware, and digital forensics—based on labs from TryHackMe, HackTheBox and CyberDefenders. Feel free to connect or ask questions — I am more than happy to help.

Task 1: Introduction


This room presents you with a challenge to investigate some traffic data as a part of the SOC team. Let's start working with TShark to analyse the captured traffic. We recommend completing the TShark: The Basics and TShark: CLI Wireshark Features rooms first, which will teach you how to use the tool in depth.

Start the VM by pressing the green Start Machine button in this task. The machine will start in split view, so you don't need SSH or RDP. In case the machine does not appear, you can click the blue Show Split View button located at the top of this room.

NOTE: Exercise files contain real examples. DO NOT interact with them outside of the given VM. Direct interaction with samples and their contents (files, domains, and IP addresses) outside the given VM can pose security threats to your machine.

Read the task above and start the attached VM.

Task 2 Case: Directory Curiosity!

An alert has been triggered: "A user came across a poor file index, and their curiosity led to problems".

The case was assigned to you. Inspect the provided directory-curiosity.pcap located in ~/Desktop/exercise-files and retrieve the artefacts to confirm that this alert is a true positive.

Your tools: TShark, VirusTotal.

Answer the questions below

Investigate the DNS queries.
Investigate the domains by using VirusTotal.
According to VirusTotal, there is a domain marked as malicious/suspicious.

1) What is the name of the malicious/suspicious domain?

Enter your answer in a defanged format.

Ans: jx2-bavuong[.]com

2) What is the total number of HTTP requests sent to the malicious domain?

Ans: 14

This is the hint you’re looking for: The "http.request.full_uri" filter can help.

3) What is the IP address associated with the malicious domain?

Enter your answer in a defanged format.

Ans: 141[.]164[.]41[.]174

4) What is the server info of the suspicious domain?

Ans: Apache/2.2.11 (Win32) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8i PHP/5.2.9

In the screenshot of the HTTP request URLs above, choose any HTTP request made to the suspicious domain. Determine the frame number of that request and use it to find the associated TCP stream number. Then follow that TCP stream with -z follow,tcp,ascii,<stream_number> to examine the HTTP response and identify the server information.

Alternatively, we can use grep to pull the Server header out of the followed stream.


Follow the "first TCP stream" in "ASCII".
Investigate the output carefully.

5) What is the number of listed files?

Ans: 3

Following the first TCP stream shows only one file, which is in the /icons folder.

The other files are visible in the HTTP request URLs.

6) What is the filename of the first file?

Enter your answer in a defanged format.

Ans: 123[.]php

It took me a while to figure this out.

The first TCP stream is 0.

Then read the HTTP response body to see the files, content, and the Server: header for the suspicious domain.
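The commands behind questions 1 to 6, collected into one script as an added example (these are not the room's or the author's own commands). It assumes the lab layout described above: tshark on the PATH and the capture at the PCAP path below. The functions in the first half read the pcap and must run inside the lab VM; the helpers in the second half only read stdin, so they can be run over saved tshark output (the sample values in the comments are constructed).

```shell
#!/bin/sh
# Added example, not the room's or the author's own commands. Assumes tshark is
# installed and the capture is at $PCAP (override with PCAP=... if it differs).
PCAP="${PCAP:-$HOME/Desktop/exercise-files/directory-curiosity.pcap}"

# --- commands that read the capture (run these inside the lab VM) ---

# Q1: unique DNS query names, most-queried first; look each one up on VirusTotal.
dns_queries() {
    tshark -r "$PCAP" -Y 'dns.flags.response == 0' -T fields -e dns.qry.name \
        | sort | uniq -c | sort -rn
}

# Q2/Q3: one line per HTTP request: frame|tcp.stream|destination IP|full URI.
# Save it once (http_requests > requests.txt); the helpers below work on the file.
http_requests() {
    tshark -r "$PCAP" -Y 'http.request' -T fields -E 'separator=|' \
        -e frame.number -e tcp.stream -e ip.dst -e http.request.full_uri
}

# Q4-Q6: follow one TCP stream in ASCII (the first stream is number 0).
follow_stream() {  # follow_stream STREAM_NUMBER
    tshark -r "$PCAP" -q -z "follow,tcp,ascii,$1"
}

# --- text helpers: they only read stdin, so they run (and are tested) offline ---

# Number of requests whose URI is on HOST. Exact prefix match on "http://HOST/",
# so "a.com" does not also count "a.com.evil" or "xa.com".
count_requests_to() {  # count_requests_to HOST < requests.txt
    awk -F'|' -v host="$1" 'BEGIN { p = "http://" host "/" }
        substr($4, 1, length(p)) == p { n++ } END { print n + 0 }'
}

# Destination IP(s) the requests for HOST were sent to.
ip_for_host() {  # ip_for_host HOST < requests.txt
    awk -F'|' -v host="$1" 'BEGIN { p = "http://" host "/" }
        substr($4, 1, length(p)) == p { print $3 }' | sort -u
}

# Value of the first Server: header in a followed stream (CRLF stripped).
server_from_stream() {  # follow_stream 0 | server_from_stream
    tr -d '\r' | grep -m1 -i '^Server:' | sed 's/^[^:]*:[[:space:]]*//'
}

# Entries of an Apache-style directory index in the response body: every href
# except the column-sort links (?C=...) and the parent-directory link (/).
listed_files() {  # follow_stream 0 | listed_files
    grep -o 'href="[^"]*"' | sed 's/^href="//; s/"$//' | grep -v '^[?/]'
}

# Defang a domain or IP before putting it in a report (dots become [.]).
defang() { sed 's/\./[.]/g'; }
```

Typical use inside the VM: `http_requests > requests.txt`, then `count_requests_to jx2-bavuong.com < requests.txt` and `ip_for_host jx2-bavuong.com < requests.txt`; for the server banner and the index entries, `follow_stream 0 | server_from_stream` and `follow_stream 0 | listed_files`. Matching on the full `http://HOST/` prefix rather than a substring is deliberate: a loose match over-counts look-alike hosts.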


Export all HTTP traffic objects.

7) What is the name of the downloaded executable file?

Enter your answer in a defanged format.

Ans: vlauto[.]exe

8) What is the SHA256 value of the malicious file?

Ans: b4851333efaf399889456f78eac0fd532e9d8791b23a86a19402c1164aed20de


Search the SHA256 value of the file on VirusTotal.
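The export and hashing steps behind questions 7 and 8, as an added example (not the room's or the author's own commands). It assumes tshark plus either sha256sum or shasum on the PATH; the capture and output paths are assumptions that can be overridden. The exported objects keep the file names the server sent, so the script also checks the first two bytes of each file for the MZ signature rather than trusting a .exe extension.

```shell
#!/bin/sh
# Added example, not the room's or the author's own commands. Assumes tshark and
# sha256sum (or shasum) are installed; both paths below are assumptions.
PCAP="${PCAP:-$HOME/Desktop/exercise-files/directory-curiosity.pcap}"
OUT="${OUT:-$HOME/Desktop/exercise-files/http-objects}"

# Q7: write every HTTP object in the capture into $OUT, one file per object,
# then list what came out. Run inside the lab VM only.
export_http_objects() {
    mkdir -p "$OUT"
    tshark -r "$PCAP" -q --export-objects "http,$OUT"
    ls -l "$OUT"
}

# --- helpers that work on already-exported files (run and tested offline) ---

# True when FILE starts with the "MZ" signature of a Windows executable.
is_pe() {  # is_pe FILE
    [ "$(head -c 2 "$1" 2>/dev/null)" = "MZ" ]
}

# Print every file in DIR that is a Windows executable by content, whatever
# its extension says.
list_pe_files() {  # list_pe_files DIR
    for f in "$1"/*; do
        is_pe "$f" && printf '%s\n' "$f"
    done
    return 0
}

# Q8: SHA256 of FILE, as a bare hex digest ready to paste into VirusTotal.
sha256_of() {  # sha256_of FILE
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi | awk '{ print $1 }'
}

# Defang a file name for the report (dots become [.]).
defang_name() { sed 's/\./[.]/g'; }
```

Inside the VM: `export_http_objects`, then `list_pe_files "$OUT"` to find the executable and `sha256_of "$OUT/<name>"` for the hash to search on VirusTotal. Hashing the exported file locally and searching the digest keeps the sample itself inside the VM, as the room's note asks.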

9) What is the "PEiD packer" value?

Ans: .NET executable

10) What does the "Lastline Sandbox" flag this as?

Ans: MALWARE TROJAN

Congratulations on completing the room.

Happy Hunting!