TryHackMe – TShark Challenge I: Teamwork

kanishkar mathi

Scenario Overview

An alert has been triggered: "The threat research team discovered a suspicious domain that could be a potential threat to the organisation."

The case was assigned to you. Inspect the provided teamwork.pcap located in ~/Desktop/exercise-files and create artefacts for detection tooling.


🧰 Tools Used

  • TShark – Command-line version of Wireshark, ideal for headless analysis.

  • VirusTotal – To confirm if a domain is malicious.

  • CyberChef – For defanging URLs and emails.


PCAP Initial Review

We begin by gathering high-level insights about the PCAP file:

tshark -r teamwork.pcap -q -z io,stat,0         # Total frames and statistics
tshark -r teamwork.pcap -z io,phs -q            # Protocol hierarchy summary

📌 Total Packets: 793
📌 Protocols Detected: DNS, HTTP, TCP – indicating typical web activity.

This initial scan helps us narrow our focus toward DNS and HTTP traffic.


❓ Questions & Answers


Q1. What is the full URL of the malicious/suspicious domain address?

(Answer must be in defanged format)

Using TShark to extract all DNS queries:

tshark -r teamwork.pcap -Y "dns.qry.name" -T fields -e dns.qry.name | sort | uniq -c | sort -nr

The most frequent suspicious domain is:

www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com

Confirmed as malicious on VirusTotal.

Using CyberChef, the defanged version of the URL is:

👉 hxxp[://]www[.]paypal[.]com4uswebappsresetaccountrecovery[.]timeseaways[.]com/


Q2. When was the URL first submitted to VirusTotal?

📅 First Submission: 2017-04-17 22:52:53 UTC

Found directly on the VirusTotal analysis page.


Q3. Which known service was the domain trying to impersonate?

Analyzing the subdomain structure:

www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com

It mimics PayPal’s official login/reset flow.

Answer: paypal


Q4. What is the IP address of the malicious domain?

(Answer in defanged format)

Inspecting the HTTP request headers and IP information:

tshark -r teamwork.pcap -Y "http.request" -T fields -e ip.src -e ip.dst -e http.host

📌 Malicious domain resolved to → 184.154.127.226

👉 Defanged: 184[.]154[.]127[.]226


Q5. What is the email address that was used?

(Answer in defanged format: aaa[at]bbb[.]ccc)

Looking for HTTP POST data:

tshark -r teamwork.pcap -Y "http.request.method == POST" -T fields -e http.host -e http.request.uri -e http.file_data | nl

1    www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com    /inc/visit.php    xBrowser=Mozilla+FireFox+v43&xOperatingSystem=Linux&xPlatForm=Desktop+Platform
2    www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com    /inc/login.php    user=johnny5alive%40gmail.com&pass=johnny5alive&xBrowser=Mozilla+FireFox+v43&xOperatingSystem=Linux&xPlatForm=Desktop+Platform&xTimeZone=Mon+Apr+17+2017+22%3A00%3A35+GMT-0400+(EDT)&xResoLution=Computer%3A+1920x1080%3B+Browser+inner%3A+1920x762%3B+Browser+outer%3A+1920x1027&xLang=en-US

The /inc/login.php request contains:

user=johnny5alive%40gmail.com

Decoded and defanged:

👉 Email: johnny5alive[at]gmail[.]com
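The CyberChef defanging step and the manual decoding of the POST body can be scripted so the artefacts for detection tooling come out of the tshark output directly. The script below is an added example written for this writeup, not part of the TryHackMe room or the author's workflow; it assumes one line of the `-T fields` POST output shown above (host, URI and body separated by tabs) and uses constructed sample values that mirror the writeup.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample: one line in the shape of the `tshark -T fields` POST output above
# (host <TAB> uri <TAB> form body). Not a capture excerpt; values mirror the writeup.
SAMPLE_POST = (
    "www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com\t/inc/login.php\t"
    "user=johnny5alive%40gmail.com&pass=johnny5alive&xBrowser=Mozilla+FireFox+v43"
)
SAMPLE_IP = "184.154.127.226"  # constructed sample, matches the IP found in Q4


def defang_host(host: str) -> str:
    """Replace dots so the value cannot be clicked or resolved: a.b.c -> a[.]b[.]c."""
    return host.replace(".", "[.]")


def defang_url(url: str) -> str:
    """Produce the hxxp[://]host[.]tld/path form used in the writeup (http -> hxxp, https -> hxxps)."""
    parts = urlsplit(url)
    scheme = parts.scheme.replace("http", "hxxp")
    return f"{scheme}[://]{defang_host(parts.netloc)}{parts.path or '/'}"


def defang_email(addr: str) -> str:
    """user@host.tld -> user[at]host[.]tld."""
    local, _, domain = addr.partition("@")
    return f"{local}[at]{defang_host(domain)}"


def artefacts_from_post(line: str) -> dict:
    """Parse one 'host<TAB>uri<TAB>body' line and return defanged detection artefacts.
    parse_qs already decodes %40 -> @ and + -> space, so no manual URL decoding is needed."""
    host, uri, body = line.rstrip("\n").split("\t", 2)
    form = parse_qs(body, keep_blank_values=True)
    out = {
        "url": defang_url(f"http://{host}{uri}"),
        "domain": defang_host(host),
    }
    # Only treat the 'user' field as an e-mail artefact if it actually looks like one.
    emails = [v for v in form.get("user", []) if re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", v)]
    if emails:
        out["email"] = defang_email(emails[0])
    return out


if __name__ == "__main__":
    for key, value in artefacts_from_post(SAMPLE_POST).items():
        print(f"{key}: {value}")
    print("ip:", defang_host(SAMPLE_IP))
```

Pipe the real `tshark ... -T fields -e http.host -e http.request.uri -e http.file_data` output into `artefacts_from_post` line by line to get the same defanged values for every POST in the capture.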
