TShark [THM] writeup

Shantanu Dey Anik
3 min read · May 5, 2021

Room link: https://tryhackme.com/room/tshark

Task 1: Pre-Reqs (covers installing TShark and some basic usage)
Task 2: Reading PCAP Files (first, I downloaded the file given for the task; by the way, all the answers are in the hints)

I saved it as dns.cap.

I opened the folder where I had downloaded the dns.cap file and opened a terminal there.

I read the walkthrough write-up and set out to solve the flags.

ques 1: How many packets are in the dns.cap file?

tshark -r dns.cap | wc -l

ques 2: How many A records are in the capture? (Including responses)

tshark -r dns.cap -Y "dns.qry.type == 1" | wc -l

ques 3: Which A record was present the most?

tshark -r dns.cap -Y "dns.qry.type == 1" -T fields -e dns.qry.name

Task 3: DNS Exfil (I downloaded the attached file and saved it as dns.pcap)

I opened a terminal in the file's directory.

ques 1: How many packets are in this capture?

tshark -r dns.pcap | wc -l

ques 2: How many DNS queries are in this pcap? (Not responses!)

tshark -r dns.pcap -Y "dns.flags.response == 0" | wc -l

ques 3: What is the DNS transaction ID of the suspicious queries (in hex)?

tshark -r dns.pcap -Y "dns.flags.response == 0"

In the output of this command I checked the DNS transaction ID column; it was 0xbe**.

ques 4: What is the string extracted from the DNS queries?

Command:

tshark -r dns.pcap -Y "dns.qry.type == 1" -T fields -e dns.qry.name

This showed me a list of query names. I looked at the subdomains, which were all different.

125 lines of output appeared.

I copied them all and pasted them into Visual Studio Code. There I replaced

.m4lwhere.org

with nothing. Then I removed the line breaks by replacing the regular expression

\n.

with nothing.

After this I had a 125-character string (* marks characters left for you to do yourself ;p):

MMMZZZWWWGGGCCCZZZ33333OORRUUDDCC442********ZZVV6655BQQQ********WQQXXX33XXNNFF*********DDVVGG55PPPXXII4433IIGGRRZZZGGWWIILL55

I noticed runs of the same character in sequence, so I kept only one character per run: MMM became M, QQ became Q, and so on. Some characters appeared only once, and I left those unchanged. That gave me this output (* for do it yourself ;p):

MZWGCZ33ORU****************TWQX3XNF2GQMDVG5PXI43IGRZGWIL5

ques 4: What is the flag?

I then decoded the previous output from Base32, which gave me the flag:

flag{th1s_is_*****_*******_tsh4rk!}
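The reassembly done by hand above can be scripted. What follows is an added example, not code from the writeup or the room: it takes the output of a tshark field export (assumed to include dns.id next to dns.qry.name), strips the .m4lwhere.org suffix, drops retransmitted queries, restores the Base32 padding the channel dropped, and decodes. The sample tshark output, the transaction IDs and the secret they carry are constructed. It also shows why collapsing repeated characters by eye is fragile: Base32 legitimately produces adjacent identical symbols (the "33" in MZWGCZ33, which is how the bytes "flag{" encode), so a run of identical queries can be two data characters rather than one retransmitted one. Deduplicating on the transaction ID assumes each retransmission reuses its ID while each new label gets a fresh one; confirm that against the capture before relying on it.

```python
"""Reassemble Base32 text smuggled one label at a time in DNS query names.

Added example, not from the writeup. Input is the tab-separated output of
    tshark -r dns.pcap -Y "dns.flags.response == 0" -T fields -e dns.id -e dns.qry.name
The sample data below is constructed; only the domain suffix comes from the room.
Assumption: a retransmitted query reuses its transaction ID, while every new
data label is sent with a fresh one, so (id, name) pairs separate the two.
"""
import base64
from itertools import groupby

EXFIL_SUFFIX = ".m4lwhere.org"  # suffix seen in the room's suspicious queries


def parse_tshark_fields(text):
    """Yield (dns_id, query_name) tuples from tshark -T fields output."""
    for line in text.splitlines():
        if not line.strip():
            continue
        dns_id, _, name = line.partition("\t")
        yield dns_id.strip(), name.strip()


def data_label(name, suffix=EXFIL_SUFFIX):
    """Strip the exfil domain and any remaining dots; what is left is payload."""
    if name.endswith(suffix):
        name = name[: -len(suffix)]
    return name.replace(".", "")


def reassemble_by_id(records):
    """Drop consecutive records with the same (id, name), i.e. retransmissions,
    and join the remaining labels in capture order."""
    unique = [rec for rec, _ in groupby(records)]
    return "".join(data_label(name) for _, name in unique)


def reassemble_naive(records):
    """The writeup's approach: collapse runs of identical labels regardless of
    transaction ID. Also returns the run lengths so unusual runs stand out."""
    labels = [data_label(name) for _, name in records]
    collapsed, runs = [], []
    for label, group in groupby(labels):
        collapsed.append(label)
        runs.append(len(list(group)))
    return "".join(collapsed), runs


def b32_decode_lenient(s):
    """Base32-decode a string whose '=' padding was dropped in transit.
    Trailing symbols that cannot complete a byte (length 1, 3 or 6 mod 8)
    are removed, then padding is restored so base64.b32decode accepts it."""
    s = s.rstrip("=")
    while len(s) % 8 in (1, 3, 6):
        s = s[:-1]
    return base64.b32decode(s + "=" * (-len(s) % 8), casefold=True)


def build_sample(secret, repeats=(3, 3, 2, 1)):
    """Constructed tshark output: one Base32 symbol per query, each query
    repeated 1-3 times under its own hypothetical transaction ID."""
    symbols = base64.b32encode(secret).decode().rstrip("=")
    lines = []
    for i, sym in enumerate(symbols):
        line = f"0x{0xbe00 + i:04x}\t{sym}{EXFIL_SUFFIX}"  # hypothetical IDs
        lines.extend([line] * repeats[i % len(repeats)])
    return "\n".join(lines) + "\n"


SAMPLE_SECRET = b"flag{constructed}"  # constructed, not the room's flag
SAMPLE_OUTPUT = build_sample(SAMPLE_SECRET)


def recover(text):
    """Full pipeline: parse, dedupe on (id, name), decode."""
    return b32_decode_lenient(reassemble_by_id(list(parse_tshark_fields(text))))


def recover_naive(text):
    """Same pipeline with run-collapsing instead of ID-based deduplication."""
    joined, _runs = reassemble_naive(list(parse_tshark_fields(text)))
    return b32_decode_lenient(joined)


if __name__ == "__main__":
    records = list(parse_tshark_fields(SAMPLE_OUTPUT))
    print(len(records), "query lines")
    print("by id: ", reassemble_by_id(records), recover(SAMPLE_OUTPUT))
    naive, runs = reassemble_naive(records)
    print("naive: ", naive, runs, recover_naive(SAMPLE_OUTPUT))
```

To run it against a real capture, export the two fields with `tshark -r dns.pcap -Y "dns.flags.response == 0" -T fields -e dns.id -e dns.qry.name > queries.txt` and pass the file's contents to `recover()`. The run lengths returned by `reassemble_naive()` are worth printing either way: a run longer than the usual repeat count (like the five 3s in the writeup's 125-character string) is the place where a by-eye collapse would swallow a data character.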
