https://tryhackme.com/room/tsharkchallengestwo
Created by: tryhackme

“Investigate the DNS queries.
Investigate the domains by using VirusTotal.
According to VirusTotal, there is a domain marked as malicious/suspicious.
What is the name of the malicious/suspicious domain?
Enter your answer in a defanged format.”


“What is the total number of HTTP requests sent to the malicious domain?”

“What is the IP address associated with the malicious domain?
Enter your answer in a defanged format.”

If you look the domain up on VirusTotal, you will see this IP listed there.

“What is the server info of the suspicious domain?”

“Follow the “first TCP stream” in “ASCII”.
Investigate the output carefully.
What is the number of listed files?”
There are 3 files.


“What is the filename of the first file?
Enter your answer in a defanged format.”
See above.

“Export all HTTP traffic objects.
What is the name of the downloaded executable file?
Enter your answer in a defanged format.”

“What is the SHA256 value of the malicious file?”
We need to extract the file from the capture first, then hash it.
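The investigation steps above (DNS queries, HTTP requests per domain, following the first TCP stream, exporting HTTP objects and hashing the result) as shell functions around tshark. This is an added example, not part of the original walkthrough; the capture path, the suspicious domain, its IP and the output directory are assumed arguments, and the defanging convention (`.` to `[.]`, `http` to `hxxp`) is the one the room asks for.

```shell
#!/bin/sh
# Added example: the tshark workflow of this room as reusable functions.
# Arguments are assumed: $1 = pcap path, $2 = domain or IP, $3 = output dir.

# Step 1: every DNS query name in the capture, most frequent first.
list_dns_queries() {
  tshark -r "$1" -Y 'dns.flags.response == 0' -T fields -e dns.qry.name \
    | sort | uniq -c | sort -rn
}

# Step 2: number of HTTP requests whose Host header is the given domain.
count_http_requests() {
  tshark -r "$1" -Y "http.request && http.host == \"$2\"" | wc -l | tr -d ' '
}

# Step 3: destination IP(s) the requests to that domain went to.
domain_ip() {
  tshark -r "$1" -Y "http.request && http.host == \"$2\"" -T fields -e ip.dst | sort -u
}

# Step 4: Server header(s) returned by that IP.
server_header() {
  tshark -r "$1" -Y "http.response && ip.src == $2" -T fields -e http.server | sort -u
}

# Step 5: follow TCP stream 0 (the "first TCP stream") as ASCII.
first_tcp_stream_ascii() {
  tshark -r "$1" -q -z follow,tcp,ascii,0
}

# Step 6: export all HTTP objects into a directory (created if missing).
export_http_objects() {
  mkdir -p "$2" && tshark -r "$1" -q --export-objects "http,$2"
}

# Step 7: SHA256 of an exported file, for the VirusTotal lookup.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | awk '{print $1}'
  else shasum -a 256 "$1" | awk '{print $1}'; fi
}

# Defang a domain, IP, URL or filename the way the room's answers expect.
defang() {
  printf '%s\n' "$1" | sed 's/\./[.]/g; s/http/hxxp/g'
}

# Usage: sh analyze.sh capture.pcap suspicious-domain ./http_objects
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
  list_dns_queries "$1"; count_http_requests "$1" "$2"; domain_ip "$1" "$2"
  first_tcp_stream_ascii "$1"; export_http_objects "$1" "${3:-./http_objects}"
  for f in "${3:-./http_objects}"/*; do printf '%s  %s\n' "$(sha256_of "$f")" "$(defang "$f")"; done
fi
```

Each function writes to stdout, so individual steps can be piped into `grep` or `head` while working through the questions.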



“Search the SHA256 value of the file on VirusTotal.
What is the “PEiD packer” value?”

“Search the SHA256 value of the file on VirusTotal.
What does the “Lastline Sandbox” flag this as?”


Having completed the Tshark-related rooms, I have obtained a badge!
