Writeup: Advent of Cyber 4 Day 13 - AtomicMaya/knowledge-base GitHub Wiki
Advent of Cyber 4 - Day 13
Link: Advent Of Cyber 4 on TryHackMe
Question 1
View the "Protocol Hierarchy" menu. What is the "Percent Packets" value of the "Hypertext Transfer Protocol"?
Answer: 0.3
Question 2
View the "Conversations". Navigate to the TCP section. Which port number has received more than 1000 packets?
Answer: 3389
Question 3
What is the service name of the used protocol that received more than 1000 packets?
Answer: RDP
Question 4
Filter the DNS packets. What are the domain names? Enter the domains in alphabetical order and defanged format. (format: domain[.]zzz,domain[.]zzz)
Answer: bestfestivalcompany[.]thm,cdn[.]bandityeti[.]thm
Question 5
Filter the HTTP packets. What are the names of the requested files? Enter the names in alphabetical order and in defanged format. (format: file[.]xyz,file[.]xyz)
Answer: favicon[.]ico,mysterygift[.]exe
Question 6
Which IP address downloaded the executable file? Enter your answer in defanged format.
Answer: 10[.]10[.]29[.]186
Question 7
Which domain address hosts the malicious file? Enter your answer in defanged format.
Answer: cdn[.]bandityeti[.]thm
Question 8
What is the "user-agent" value used to download the non-executable file?
Answer: Nim httpclient/1.6.8
Question 9
Export objects from the PCAP file. Calculate the file hashes. What is the sha256 hash value of the executable file?
Answer: 0ce160a54d10f8e81448d0360af5c2948ff6a4dbb493fe4be756fc3e2c3f900f
Question 10
Search the hash value of the executable file on VirusTotal. Navigate to the "Behaviour" section. There are multiple IP addresses associated with this file. What are the connected IP addresses? Enter the IP addresses defanged and in numerical order. (format: IPADDR,IPADDR)
Answer: 20[.]99[.]133[.]109,20[.]99[.]184[.]37,23[.]216[.]147[.]64,23[.]216[.]147[.]76
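The formatting steps the questions above keep repeating (defang, alphabetical order for names, numerical rather than string order for IP addresses, SHA-256 of an exported object) as an added Python example; this is not part of the original writeup. It assumes the raw values have already been read out of Wireshark, for instance with the `dns` and `http` display filters, File > Export Objects > HTTP, or `tshark -r capture.pcap -Y dns -T fields -e dns.qry.name`; the sample inputs in the block are constructed from the answers on this page.

```python
"""Turn values read out of Wireshark into the answer formats the room asks for.

Added example, not part of the original writeup. The inputs are assumed to
have been extracted already (e.g. the `dns` and `http` display filters, or
`tshark -r capture.pcap -Y dns -T fields -e dns.qry.name`); every sample
value below is constructed from the answers on this page.
"""
import hashlib
import ipaddress
import posixpath


def defang(indicator: str) -> str:
    """Replace each '.' with '[.]' so the indicator is not clickable or auto-linked."""
    return indicator.replace(".", "[.]")


def field_values(tshark_output: str) -> list:
    """Split `tshark -T fields` text into individual values.

    One line per packet; a packet carrying several occurrences of the field
    has them comma-joined on that line, and packets without the field give
    an empty line, which is dropped.
    """
    values = []
    for line in tshark_output.splitlines():
        for item in line.split(","):
            item = item.strip()
            if item:
                values.append(item)
    return values


def domains_answer(domains) -> str:
    """Unique domains, alphabetical, defanged (Q4 / Q7 format)."""
    return ",".join(defang(d) for d in sorted(set(domains)))


def filenames_answer(request_uris) -> str:
    """Unique file names taken from http.request.uri paths, alphabetical, defanged (Q5 format)."""
    names = {posixpath.basename(uri.split("?", 1)[0]) for uri in request_uris}
    return ",".join(defang(n) for n in sorted(n for n in names if n))


def ips_answer(ips) -> str:
    """Unique IPv4 addresses in numerical order, defanged (Q6 / Q10 format).

    Sorting the strings would put 10.x.x.x before 9.x.x.x; sorting on the
    32-bit integer value gives the numerical order the question asks for.
    """
    ordered = sorted(set(ips), key=lambda ip: int(ipaddress.IPv4Address(ip)))
    return ",".join(defang(ip) for ip in ordered)


def sha256_of(data: bytes) -> str:
    """Hex SHA-256 of an exported object's bytes (Q9)."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hex SHA-256 of a file saved via File > Export Objects, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


if __name__ == "__main__":
    # Constructed stand-in for `tshark ... -e dns.qry.name` output: three packets, one without a query name.
    DNS_OUTPUT = "cdn.bandityeti.thm\n\nbestfestivalcompany.thm\ncdn.bandityeti.thm\n"
    print(domains_answer(field_values(DNS_OUTPUT)))
    print(filenames_answer(["/mysterygift.exe", "/favicon.ico"]))
    print(ips_answer(["23.216.147.76", "20.99.184.37", "23.216.147.64", "20.99.133.109"]))
    print(sha256_of(b"constructed sample bytes"))
```

Feed `sha256_of_file` the path of the object you exported from the PCAP to get the value Q9 asks for; the hash of the real sample is not reproduced here because the file is not part of this page. The IP sorter matters most for Q10: a plain `sorted()` on the strings would order `10.` before `9.`, which is not what "numerical order" means.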