Wireshark Phishing
Sparkle Redberry is standing next to a terminal.
Challenge

Use the Wireshark Phishing terminal in the Tolkien Ring to solve the mysteries around the suspicious PCAP. Get hints for this challenge by typing hint in the upper panel of the terminal.

Solution

Let's open the terminal

This all started when I clicked on a link in my email.
Can you help me? yes

The first question appears:

1. There are objects in the PCAP file that can be exported by Wireshark and/or Tshark. What type of objects can be exported from this PCAP?
HTTP

When opening the PCAP file in Wireshark we can already see a few HTTP protocol entries. The second question appears:

2. What is the file name of the largest file we can export?
app.php

Select File -> Export Objects -> HTTP; the list shows app.php with a size of 808KB, the largest entry. The third question appears:

3. What packet number starts that app.php file?
687

This can also be read from the Packet column in the Export Objects window. The fourth question appears:

4. What is the IP of the Apache server?
192.185.57.242

We'll inspect the source and destination IPs of that HTTP stream; the server side of the app.php response is the Apache host. The fifth question appears:

5. What file is saved to the infected host?
Ref_Sept24-2020.zip

We'll follow that HTTP stream, scroll down and see the following line in the returned JavaScript: saveAs(blob1, 'Ref_Sept24-2020.zip');. The sixth question appears:
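The script in that stream rebuilds an archive from a base64 string passed to atob() and hands it to saveAs(). As an added example (not part of this writeup), the following Python pulls the payload out of the captured script text statically, so the sample is never executed; it assumes the same atob('...') / saveAs(blob, 'name') shape and uses a constructed stand-in for the real script:

```python
# Added example, not the writeup's code: recover the smuggled blob from the captured
# JavaScript statically (atob('...') plus the saveAs filename hint) without running it.
import base64
import hashlib
import io
import re
import zipfile

ATOB_RE = re.compile(r"atob\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)")
SAVEAS_RE = re.compile(r"saveAs\(\s*\w+\s*,\s*['\"]([^'\"]+)['\"]\s*\)")
MAGIC = {b"PK\x03\x04": "zip", b"Rar!\x1a\x07": "rar", b"MZ": "pe"}

def identify(data: bytes) -> str:
    """Classify decoded bytes by leading magic bytes; 'unknown' if none match."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"

def extract_smuggled(js_text: str) -> list:
    """One record per atob() blob: filename hint, size, type, sha256 and zip members."""
    names = SAVEAS_RE.findall(js_text)  # matches even when the saveAs line is commented out
    records = []
    for i, b64 in enumerate(ATOB_RE.findall(js_text)):
        data = base64.b64decode("".join(b64.split()))
        rec = {"filename": names[i] if i < len(names) else None,
               "size": len(data), "type": identify(data),
               "sha256": hashlib.sha256(data).hexdigest(), "members": []}
        if rec["type"] == "zip":
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                rec["members"] = zf.namelist()  # list only, nothing is extracted
        records.append(rec)
    return records

def build_sample_js() -> str:
    """Constructed stand-in for the captured script: a tiny zip wrapped in atob()."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Ref_Sept24-2020.scr", b"placeholder, not a real screensaver")
    b64 = base64.b64encode(buf.getvalue()).decode()
    return ("let byteCharacters = atob('%s');\n"
            "//saveAs(blob1, 'Ref_Sept24-2020.zip');\n" % b64)

if __name__ == "__main__":
    for rec in extract_smuggled(build_sample_js()):
        print(rec)
```

Running it against the real app.php body gives the hash and archive listing for the report without ever writing the .scr to disk.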

6. Attackers used bad TLS certificates in this traffic. Which countries were they registered to? Submit the names of the countries in alphabetical order separated by a commas (Ex: Norway, South Korea).
Ireland, Israel, South Sudan, United States

We'll dump the certificate fields with tshark (its text output is easier to parse than the Wireshark GUI) and grep for the country field:

tshark -nr suspicious.pcap -2 -R "ssl.handshake.certificate" -V > out.txt
cat out.txt | grep -i country

The seventh question appears:

7. Is the host infected (Yes/No)?
Yes

This follows from the analysis above: the host fetched and saved the malicious archive.
We have solved the challenge and get the confirmation:
Find the Next Objective
Talk to Dusty Giftwrap for the next objective.

We get the following hints:

Built-In Hints

The hardest steps in this challenge have hints. Just type hint in the top panel!

Event Logs Exposé

New to Windows event logs? Get a jump start with Eric's talk!

If you're curious what's inside that package:

└─$ cat suspicious.js 
const fs = require('fs');
    let byteCharacters = atob('UEsDBBQAAAAIAFCjN
        ...
    //saveAs(blob1, 'Ref_Sept24-2020.zip');

fs.writeFile('Ref_Sept24-2020.zip', Buffer.from(byteArray), 'binary',  (err)=> {
          if (err) {
              console.log("There was an error writing the image")
          }
          else {
              console.log("Written File")
          }
      });

└─$ node suspicious.js
Written File

└─$ unzip Ref_Sept24-2020.zip
Archive:  Ref_Sept24-2020.zip
  inflating: Ref_Sept24-2020.scr   

└─$ unrar x Ref_Sept24-2020.scr
...
Extracting  PLS.exe                                                   OK 
Extracting  selector.vbs                                              OK 
Extracting  dsep.bat                                                  OK 
Extracting  SLP.txt                                                   OK 
All OK

└─$ unrar e -pVersion SLP.txt
...
Extracting  fatless.vbs                                               OK 
Extracting  lll.bat                                                   OK 
Extracting  CONFIG.dll                                                OK 
All OK

└─$ cat lll.bat
...
regsvr32 -s CONFIG.dll 
...