TryHackMe: Advent of Cyber 2023 (Day 17) I Tawt I Taw A C2 Tat!
“Congratulations, you made it to Day 17! The story, however, is just getting started. There are more things to discover, examine, and analyse!
Until now, you have worked with multiple events, including prompt injection, log analysis, brute force, data recovery, exploitation, data exfiltration, suspicious drives, malware, injection, account takeover, phishing, and machine learning concepts. Yes, there are tons of anomalies, indicators of attack (IoA), and indicators of compromise (IoC). Santa’s Security Operations Centre (SSOC) needs to see the big picture to identify, scope, prioritise, and evaluate these anomalies in order to manage the ongoing situation effectively.
So, how can we zoom out a bit and create a timeline to set the investigation’s initial boundaries and scope? McSkidy decides to focus on network statistics. When there are many network artefacts, it’s a good choice to consider network in & out as well as load statistics to create a hypothesis.
Now it’s time to help the SSOC team by quickly checking network traffic statistics to gain insight into the ongoing madness! Let’s go!”
Q1: Which version of SiLK is installed on the VM?
You can find this answer by pulling up the configuration information.
Q2: What is the size of the flows in the count records?
Use rwfileinfo to answer this question.
Q3: What is the start time (sTime) of the sixth record in the file?
I filtered the top 6 records with only start time.
Q4: What is the destination port of the sixth UDP record?
I used a combo of rwfilter and rwcut to grab this record.
Q5: What is the record value (%) of the dport 53?
I listed the top 10 dports and their record value %. Port 53 was the most common.
Q6: What is the number of bytes transmitted by the top talker on the network?
Similarly, I did the same thing for bytes, using the source IP field.
Q7: What is the sTime value of the first DNS record going to port 53?
Here you can see the times of the first 10 DNS communications. They all occur between the same two IP addresses in quick succession, which could be a red flag.
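The SiLK commands behind Q1 to Q7, collected as an added example (this is not the walkthrough's own code or anything from the TryHackMe room). It assumes the flow file lives at the placeholder path in FLOWS and that the SiLK tools (silk_config, rwfileinfo, rwfilter, rwcut, rwstats) are on PATH; the two awk helpers at the bottom reproduce what rwstats and rwcut report, namely each port's share of all records and the N-th record's sTime, and they run on constructed sample output even without SiLK installed.

```shell
#!/bin/sh
# Added example, not code from the walkthrough or from the TryHackMe room.
# Assumes the flow file is at $FLOWS (placeholder path) and the SiLK tools are
# on PATH; the awk helpers at the bottom run without SiLK on constructed input.

FLOWS="${FLOWS:-/path/to/flows.silk}"   # placeholder, point at the room's file

# Q1: the installed SiLK version comes from the configuration tool.
silk_version()          { silk_config --version; }

# Q2: file-level metadata, including the count of flow records.
flow_file_info()        { rwfileinfo "$FLOWS"; }

# Q3: start time of the first six records and nothing else.
first_stimes()          { rwcut "$FLOWS" --fields=sTime --num-recs="${1:-6}"; }

# Q4: keep only UDP (protocol 17), then show the first six with their dPort.
first_udp_dports()      { rwfilter "$FLOWS" --proto=17 --pass=stdout | rwcut --fields=sIP,dIP,dPort,sTime --num-recs="${1:-6}"; }

# Q5/Q6: top-N summaries; rwstats prints each key's share of the total as a %.
top_dports_by_records() { rwstats "$FLOWS" --fields=dPort --values=records --count="${1:-10}"; }
top_talkers_by_bytes()  { rwstats "$FLOWS" --fields=sIP --values=bytes --count="${1:-10}"; }

# Q7: DNS-bound flows (dPort 53) in file order; the first ten show who talks to whom and how fast.
first_dns_flows()       { rwfilter "$FLOWS" --dport=53 --pass=stdout | rwcut --fields=sIP,dIP,dPort,sTime --num-recs="${1:-10}"; }

# The ratio rwstats reports for Q5: each port's record count as a % of all records.
# Reads "dPort|Records|" lines (rwuniq/rwstats layout) from stdin, header first.
port_record_share() {
    awk -F'|' 'NR > 1 { p=$1; c=$2; gsub(/ /,"",p); gsub(/ /,"",c); if (p != "") { cnt[p]=c; tot+=c } }
               END { for (p in cnt) printf "%s %.2f\n", p, 100*cnt[p]/tot }' | sort -k2,2nr
}

# Start time of the N-th record in rwcut output (the title line is skipped).
nth_record_stime() {
    awk -F'|' -v n="$1" 'NR == n+1 { t=$1; gsub(/^ +| +$/,"",t); print t }'
}

# Constructed sample output (not data from the room) in the tools' pipe-delimited layout.
SAMPLE_PORTS='dPort|Records|
   53|    400|
   80|    350|
  443|    250|'
SAMPLE_TIMES='                  sTime|
2023-12-25T00:00:01.000|
2023-12-25T00:00:02.000|
2023-12-25T00:00:03.000|
2023-12-25T00:00:04.000|
2023-12-25T00:00:05.000|
2023-12-25T00:00:06.000|'

# Share (%) of one port in the constructed sample; 53 -> 40.00
share_of_port()     { printf '%s\n' "$SAMPLE_PORTS" | port_record_share | awk -v p="$1" '$1 == p { print $2 }'; }
# sTime of the sixth constructed record, the same lookup Q3 asks for.
sixth_sample_stime() { printf '%s\n' "$SAMPLE_TIMES" | nth_record_stime 6; }

if command -v rwstats >/dev/null 2>&1 && [ -f "$FLOWS" ]; then
    silk_version; flow_file_info; first_stimes 6; first_udp_dports 6
    top_dports_by_records 10; top_talkers_by_bytes 10; first_dns_flows 10
else
    echo "SiLK or $FLOWS not available; running the helpers on constructed data only" >&2
fi
printf '%s\n' "$SAMPLE_PORTS" | port_record_share
sixth_sample_stime
```

Set FLOWS to the room's flow file before running; the rwfilter/rwcut pairs are the same pattern the answers above describe (filter to a subset, then cut the fields you care about), and rwstats with --values=records or --values=bytes gives the ranked tables used for Q5 and Q6.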
Q8: What is the IP address of the host that the C2 potentially controls? (In defanged format: 123[.]456[.]789[.]0 )
I split those two IPs up to investigate them separately and saw that .221 is the one that is initiating all the DNS requests.
It would appear that the .221 address is potentially compromised.
Q9: Which IP address is suspected to be the flood attacker? (In defanged format: 123[.]456[.]789[.]0 )
Going back to Q5, you’ll notice that there is also traffic on port 80, which could potentially be involved.
All the activity on port 80 is happening between these two IP addresses:
You can filter it a bit further by dPort, which will show which IP is initiating the requests.
175.215.236.223 is responsible. If we look further into these requests, we can see that they are a burst of SYN packets in quick succession, which could possibly signal a DoS attack.
If you look at the flags, there is no ACK from that host at all.
But you will notice that the destination IP is sending SYN/ACKs back.
This points to 175.215.236.223 being the flood attacker.
Q10: What is the sent SYN packet’s number of records?
Overall, you can see it passed 1658 SYN packets in total.
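The flag analysis behind Q9 and Q10, as an added example that is not part of the walkthrough or the room. It assumes the flow file at the placeholder path in FLOWS and SiLK on PATH for the real pipeline (rwfilter's --flags-all=S/SA keeps records with SYN set and ACK clear); the awk counter and the defang helper run without SiLK over a constructed rwcut-style sample, in which 192.0.2.221 is a placeholder standing in for the .221 host named above.

```shell
#!/bin/sh
# Added example, not code from the walkthrough or from the TryHackMe room.
# Assumes the flow file is at $FLOWS (placeholder path) and SiLK on PATH for
# silk_syn_records; everything else runs on the constructed sample below.

FLOWS="${FLOWS:-/path/to/flows.silk}"   # placeholder, point at the room's file
SUSPECT="175.215.236.223"               # address identified as the flood source above
VICTIM="192.0.2.221"                    # placeholder for the .221 host, not the room's real address

# Render an IP in the defanged form the answers use: 1.2.3.4 -> 1[.]2[.]3[.]4
defang_ip() {
    printf '%s\n' "$1" | sed 's/\./[.]/g'
}

# Count records on stdin (rwcut pipe-delimited output, title line first) whose
# flags field is exactly "S": a SYN with no ACK, i.e. a half-open attempt.
# Columns are assumed to be sIP|dIP|sPort|dPort|pro|flags| as produced by
# --fields=sIP,dIP,sPort,dPort,protocol,flags.
count_syn_only() {
    awk -F'|' 'NR > 1 { f=$6; gsub(/ /,"",f); if (f == "S") n++ } END { print n+0 }'
}

# Same count per source address, so the host sending SYNs that never complete
# a handshake stands out; hosts answering with SA (SYN/ACK) are not counted.
syn_only_by_source() {
    awk -F'|' 'NR > 1 { f=$6; gsub(/ /,"",f); s=$1; gsub(/ /,"",s); if (f == "S") c[s]++ }
               END { for (s in c) print s, c[s] }' | sort -k2,2nr
}

# Real SiLK pipeline: first show the suspect's port-80 flows with their flags,
# then count its SYN-only records (S set, A clear -> --flags-all=S/SA).
silk_syn_records() {
    rwfilter "$FLOWS" --saddress="$SUSPECT" --proto=6 --dport=80 --pass=stdout \
      | rwcut --fields=sIP,dIP,sPort,dPort,protocol,flags,sTime --num-recs=10
    rwfilter "$FLOWS" --saddress="$SUSPECT" --proto=6 --flags-all=S/SA --pass=stdout \
      | rwuniq --fields=sIP --values=records
}

# Constructed sample in rwcut's layout (not real capture data): three SYN-only
# probes from the suspect and two SYN/ACK replies from the target.
SAMPLE="            sIP|            dIP|sPort|dPort|pro|   flags|
$SUSPECT|$VICTIM|40001|   80|  6|       S|
$VICTIM|$SUSPECT|   80|40001|  6|      SA|
$SUSPECT|$VICTIM|40002|   80|  6|       S|
$SUSPECT|$VICTIM|40003|   80|  6|       S|
$VICTIM|$SUSPECT|   80|40003|  6|      SA|"

sample_syn_count() { printf '%s\n' "$SAMPLE" | count_syn_only; }                  # -> 3
top_syn_source()   { printf '%s\n' "$SAMPLE" | syn_only_by_source | head -n 1; }  # -> suspect 3

if command -v rwfilter >/dev/null 2>&1 && [ -f "$FLOWS" ]; then
    silk_syn_records
else
    echo "SiLK or $FLOWS not available; counting SYN-only flows in the constructed sample" >&2
fi
printf 'SYN-only records: %s\n' "$(sample_syn_count)"
printf 'by source: %s\n' "$(top_syn_source)"
printf 'flood attacker (defanged): %s\n' "$(defang_ip "$SUSPECT")"
```

On the room's file the second rwfilter in silk_syn_records is the direct route to the Q10 figure: the records count that rwuniq prints for the suspect is the number of SYN packets it sent without ever acknowledging a reply, which is what separates a flood source from a host that merely opened many legitimate connections.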