{"id":2682,"date":"2026-04-01T19:40:00","date_gmt":"2026-04-01T19:40:00","guid":{"rendered":"https:\/\/zombierollz.blog\/?p=2682"},"modified":"2026-04-01T14:40:44","modified_gmt":"2026-04-01T14:40:44","slug":"boogeyman-1","status":"publish","type":"post","link":"https:\/\/zombierollz.blog\/?p=2682","title":{"rendered":"Boogeyman 1"},"content":{"rendered":"\n

https:\/\/tryhackme.com\/room\/boogeyman1<\/a>
Created by: tryhackme, ar33zy

This room looks like it will bring a challenge! It’s rated Medium difficulty. We will be using various tools to anaylze the Tactics, Techniques, and Procedures (TTPs) of the Boogeyman!

Prerequisites:
Tshark: The Basics<\/a>
Phishing Analysis Fundamentals<\/a>
Phishing Analysis Tools<\/a>
Windows Event Logs<\/a>
Wireshark: Traffic Analysis<\/a><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

 evtx2json(opens in new tab)<\/a><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

https:\/\/github.com\/Matmaus\/LnkParse3<\/a><\/p>\n\n\n\n

Task 2 focuses on Email Analysis.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

We see that trying to use lnkparse is not going to work and opening the file itself demands a password. <\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

We need to examine the contents through Thunderbird. <\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

“What is the email address used to send the phishing email?”<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

“What is the email address of the victim?”<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

“What is the name of the third-party mail relay service used by the attacker based on the DKIM-Signature and List-Unsubscribe headers?”<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

“What is the name of the file inside the encrypted attachment?”<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

“What is the password of the encrypted attachment?”

It shows this in the contents of the email itself, but here it is in View Source.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

“Based on the result of the lnkparse tool, what is the encoded payload found in the Command Line Arguments field?”

Open the file with the obtained password > Extract file to Desktop > use “lnkparse Invoice_20230103.lnk” in cli.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

On to Task 3, Endpoint Security!<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

“What are the domains used by the attacker for file hosting and C2? Provide the domains in alphabetical order. (e.g. a.domain.com,b.domain.com)”<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

“What is the name of the enumeration tool downloaded by the attacker?”<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

“What is the file accessed by the attacker using the downloaded sq3.exe<\/strong> binary? Provide the full file path with escaped backslashes.”<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Using grep for sq3.exe, you can locate this, but it’s not the full path. You will need to manually go back to see the user path. <\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

So the answer will be “C:\\Users\\j.westcott\\AppData\\Local\\Packages\\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\\LocalState\\plum.sqlite”<\/p>\n\n\n\n

“What is the software that uses the file in Q3?”<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

“What is the name of the exfiltrated file?”<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

“What type of file uses the .kdbx file extension?”

keepass<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

“What is the encoding used during the exfiltration attempt of the sensitive file?”<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

“What is the tool used for exfiltration?”<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

On to our last task: Network Traffic Analysis!<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Let’s move to Wireshark and utilize what we have learned!<\/p>\n\n\n\n

“What software is used by the attacker to host its presumed file\/payload server?”<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

“What HTTP method is used by the C2 for the output of the commands executed by the attacker?”<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

“What is the protocol used during the exfiltration activity?”

Manually looking through the looks I see the DNS info.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Applying the DNS filter and I see more activity.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

“What is the password of the exfiltrated file?”

I used Claude AI to spit out a Python script to use, then used a command based on the info that I fed it.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

tshark -r capture.pcapng -Y ‘ip.dst == 159.89.205.40 and http.request.method == “POST”‘ -T fields -e urlencoded-form.key | python3 decode.py > decoded.txt

Cat the .txt file and manually scroll; you will find the password.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

However, another way of doing this, and probably more practical, was going by this walkthrough: https:\/\/sibasec.com\/post\/thm-boogyman-1\/#q19<\/a> where he went by the time stamp and lined that time up with Wireshark(which is something I’ll keep in mind going forward!).<\/p>\n\n\n\n

“What is the credit card number stored inside the exfiltrated file?”

With the THM VM, the formatting requested through the CLI is very finicky with KeePass2. I tried a lot of different ways to format the output and finally landed on this line of code, thanks to various walkthroughs and ClaudeAI through DDG.<\/p>\n\n\n\n

tshark -r capture.pcapng -Y ‘dns’ -T fields -e dns.qry.name | grep “.bpakcaging.xyz” | cut -f1 -d ‘.’ | grep -v -e “files” -e “cdn” | uniq | tr -d ‘\\n’ > extracted.txt<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n","protected":false},"excerpt":{"rendered":"

https:\/\/tryhackme.com\/room\/boogeyman1Created by: tryhackme, ar33zy This room looks like it will bring a challenge! It’s rated Medium difficulty. We will be using various tools to anaylze the Tactics, Techniques, and Procedures (TTPs) of the Boogeyman! Prerequisites:Tshark: The BasicsPhishing Analysis FundamentalsPhishing Analysis ToolsWindows Event LogsWireshark: Traffic Analysis  evtx2json(opens in new tab) https:\/\/github.com\/Matmaus\/LnkParse3 Task 2 focuses on Email Analysis. We […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-2682","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"blocksy_meta":[],"_links":{"self":[{"href":"https:\/\/zombierollz.blog\/index.php?rest_route=\/wp\/v2\/posts\/2682","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zombierollz.blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zombierollz.blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zombierollz.blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zombierollz.blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2682"}],"version-history":[{"count":2,"href":"https:\/\/zombierollz.blog\/index.php?rest_route=\/wp\/v2\/posts\/2682\/revisions"}],"predecessor-version":[{"id":2724,"href":"https:\/\/zombierollz.blog\/index.php?rest_route=\/wp\/v2\/posts\/2682\/revisions\/2724"}],"wp:attachment":[{"href":"https:\/\/zombierollz.blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2682"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zombierollz.blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2682"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zombierollz.blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2682"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}