TryHackMe TShark
Omri Bornstein
Posted on June 19, 2021
TryHackMe TShark
References
- DarkSec. (2021). TryHackMe TShark Official Walkthrough [YouTube Video]. In YouTube. https://youtu.be/tbXIFRS4u7I
Reading PCAP Files
How many packets are in the dns.cap
file?
- TShark's
-r
flag enable reading a PCAP file. -
wc
's-l
flag counts the lines of a given input.
$ tshark -r dns.cap | wc -l
38
Answer: 38
How many A records are in the capture (including responses)?
- TShark's
-Y "dns.qry.type == 1"
is used to filter DNS A records.
$ tshark -r dns.cap -Y "dns.qry.type == 1" | wc -l
6
Answer: 6
Which A record was present the most?
- TShark's
-T fields
is used to specify the output's format. - TShark's
-e dns.qry.name
is specify which field to output.
$ tshark -r dns.cap -Y "dns.qry.type == 1" -T fields -e dns.qry.name
www.netbsd.org
www.netbsd.org
GRIMM.utelsystems.local
GRIMM.utelsystems.local
GRIMM.utelsystems.local
GRIMM.utelsystems.local
Answer: GRIMM.utelsystems.local
DNS Exfil
How many packets are in this capture?
$ tshark -r task3.pcap | wc -l
125
Answer: 125
How many DNS queries are in this PCAP (excluding responses)?
$ tshark -r task3.pcap -Y "dns.flags.response == 0" | wc -l
56
Answer: 56
What is the DNS transaction ID of the suspicious queries (in hex)?
$ tshark -r task3.pcap -Y "dns.flags.response == 0" -T fields -e dns.id
0x0000beef
Answer: 0x0000beef
What is the string extracted from the DNS queries?
$ tshark -r task3.pcap -Y "dns.flags.response == 0" -T fields -e dns.qry.name | cut -c1 | tr "\n" " " | sed 's/ //g'
MZWGCZ33ORUDC427NFZV65BQOVTWQX3XNF2GQMDVG5PXI43IGRZGWIL5
Answer: MZWGCZ33ORUDC427NFZV65BQOVTWQX3XNF2GQMDVG5PXI43IGRZGWIL5
What is the flag?
$ echo 'MZWGCZ33ORUDC427NFZV65BQOVTWQX3XNF2GQMDVG5PXI43IGRZGWIL5' | base32 -d
flag{th1s_is_t0ugh_with0u7_tsh4rk!}
Flag: flag{th1s_is_t0ugh_with0u7_tsh4rk!}
π πͺ π
π©
Omri Bornstein
Posted on June 19, 2021
Join Our Newsletter. No Spam, Only the good stuff.
Sign up to receive the latest update from our blog.