Use the Wireshark Phishing terminal in the Tolkien Ring to solve the mysteries around the suspicious PCAP. Get hints for this challenge by typing hint in the upper panel of the terminal.
Let's open the terminal
This all started when I clicked on a link in my email.
Can you help me? yes
The first question appears:
1. There are objects in the PCAP file that can be exported by Wireshark and/or Tshark. What type of objects can be exported from this PCAP?
HTTP
When opening the PCAP file in Wireshark we can already see a few HTTP protocol entries. The second question appears:
2. What is the file name of the largest file we can export?
app.php
Select File -> Export Objects -> HTTP; app.php is listed there with a size of 808KB. The third question appears:
3. What packet number starts that app.php file?
687
This can also be seen in the Export Objects window. The fourth question appears:
4. What is the IP of the Apache server?
192.185.57.242
We'll inspect the source and destination IPs of that HTTP stream. The fifth question appears:
5. What file is saved to the infected host?
Ref_Sept24-2020.zip
We'll follow that HTTP stream, scroll down and see the following line: saveAs(blob1, 'Ref_Sept24-2020.zip');
The sixth question appears:
6. Attackers used bad TLS certificates in this traffic. Which countries were they registered to? Submit the names of the countries in alphabetical order separated by a commas (Ex: Norway, South Korea).
Ireland, Isreal, South Sudan, United States
We'll grep the relevant fields (this time using tshark, since its text output is easier to parse):
tshark -nr suspicious.pcap -2 -R "ssl.handshake.certificate" -V > out.txt
cat out.txt | grep -i country
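As an added example (not part of the original writeup), the same extraction done programmatically: a small Python script that parses the CountryName lines from saved tshark -V output, returns the distinct countries in the alphabetical, comma-separated form the question asks for, and flags values that are not two-letter ISO 3166 codes, which is the tell that a certificate was hand-made. The sample text is constructed to resemble tshark's -V output and is not the real contents of suspicious.pcap.

```python
import re
from typing import Iterable

# Constructed sample resembling the certificate portion of `tshark -V` output;
# not the real contents of suspicious.pcap.
SAMPLE_TSHARK_OUTPUT = """\
            RDNSequence item: 1 item (id-at-countryName=US)
                RelativeDistinguishedName item (id-at-countryName=US)
                    Id: 2.5.4.6 (id-at-countryName)
                    CountryName: US
            RDNSequence item: 1 item (id-at-countryName=Ireland)
                RelativeDistinguishedName item (id-at-countryName=Ireland)
                    Id: 2.5.4.6 (id-at-countryName)
                    CountryName: Ireland
            RDNSequence item: 1 item (id-at-countryName=South Sudan)
                RelativeDistinguishedName item (id-at-countryName=South Sudan)
                    Id: 2.5.4.6 (id-at-countryName)
                    CountryName: South Sudan
                    CountryName: Ireland
"""

# Matches the decoded countryName attribute line printed by tshark -V.
COUNTRY_RE = re.compile(r"^\s*CountryName:\s*(.+?)\s*$")
# X.509 countryName is defined as a two-letter ISO 3166 code.
ISO_ALPHA2_RE = re.compile(r"^[A-Z]{2}$")


def extract_countries(lines: Iterable[str]) -> dict[str, int]:
    """Return each distinct countryName value and how often it occurred."""
    counts: dict[str, int] = {}
    for line in lines:
        m = COUNTRY_RE.match(line)
        if m:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts


def answer_format(countries: Iterable[str]) -> str:
    """Alphabetical, comma-separated, as the challenge question asks."""
    return ", ".join(sorted(set(countries)))


def non_iso_values(countries: Iterable[str]) -> list[str]:
    """Values that are not ISO 3166 alpha-2 codes; publicly trusted CAs issue
    two-letter codes, so free-text names point at a self-made certificate."""
    return sorted(c for c in set(countries) if not ISO_ALPHA2_RE.match(c))


if __name__ == "__main__":
    found = extract_countries(SAMPLE_TSHARK_OUTPUT.splitlines())
    print("answer:", answer_format(found))
    print("suspicious:", non_iso_values(found))
```

To run it against the real capture, replace SAMPLE_TSHARK_OUTPUT with the lines of the out.txt produced by the tshark command above.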
The seventh question appears:
7. Is the host infected (Yes/No)?
Yes
This follows from the analysis above.
We have solved that challenge and get the confirmation:
Find the Next Objective
Talk to Dusty Giftwrap for the next objective.
We get the following hints:
The hardest steps in this challenge have hints. Just type hint in the top panel!
New to Windows event logs? Get a jump start with Eric's talk!
If you're curious what's inside that package:
└─$ cat suspicious.js
const fs = require('fs');
let byteCharacters = atob('UEsDBBQAAAAIAFCjN
...
//saveAs(blob1, 'Ref_Sept24-2020.zip');
fs.writeFile('Ref_Sept24-2020.zip', Buffer.from(byteArray), 'binary', (err)=> {
  if (err) {
    console.log("There was an error writing the image")
  }
  else {
    console.log("Written File")
  }
});
└─$ node suspicious.js
Written File
└─$ unzip Ref_Sept24-2020.zip
Archive: Ref_Sept24-2020.zip
inflating: Ref_Sept24-2020.scr
└─$ unrar x Ref_Sept24-2020.scr
...
Extracting PLS.exe OK
Extracting selector.vbs OK
Extracting dsep.bat OK
Extracting SLP.txt OK
All OK
└─$ unrar e -pVersion SLP.txt
...
Extracting fatless.vbs OK
Extracting lll.bat OK
Extracting CONFIG.dll OK
All OK
└─$ cat lll.bat
...
regsvr32 -s CONFIG.dll
...