TryHackMe: Advent of Cyber [Day 6] Data Elf-iltration

Room: Advent of Cyber

Difficulty: Beginner

“McElferson! McElferson! Come quickly!” yelled Elf-ministrator.

“What is it Elf-ministrator?” McElferson replies.

“Data has been stolen off of our servers!” Elf-ministrator says!

“What was stolen?” She replied.

“I… I’m not sure… They hid it very well, all I know is something is missing” they replied.

“I know just who to call” said McElferson…

This challenge starts off by providing you with a .pcap file to download and examine. Open your .pcap file with Wireshark.

Question #1: What data was exfiltrated via DNS?

When you are looking for a specific protocol, you can use the filter option to make things much easier on yourself.

Now we can see just the DNS traffic. A common way to pass exfiltrated data through DNS is to utilize hex code. Let’s right-click on one of the DNS packets that look to be hex code and choose “Follow”, then “UDP Stream”.

We now see this:

Let’s copy and paste that hex code into a decoder to see what’s going on. There are many online tools you can use to identify different types of ciphers and then decode them. HERE is one I have been using lately.

If we needed to double-check, we could see that it is indeed hexadecimal code. Let’s click the link to get to the Hex Analysis Tool.

And here we have our results for Question #1:

Question #2: What did Little Timmy want to be for Christmas?

Let’s remove the DNS filter and look through the rest of the packets to see if we spot anything curious.

A little ways down I see a bunch of HTTP traffic, and it looks like both a .zip file and a JPEG image were passed through.

How do we get those out of Wireshark to look at them though? There are a few ways you can do that, but the easiest in this case is probably just using the “Export Objects” feature in Wireshark. Up at the top, choose “File” then “Export Objects” then “HTTP”.

Alternatively, there are .pcap analysis tools that may extract things for you. A convenient in-browser tool that I have used in the past is called Packet Total. You can also use Network Miner.

Whatever tool you use, you should now see something like this:

Save the .zip and .jpg files for further analysis. Remember to make sure the correct file extensions are on there so they are easier to open.

Let’s open the .zip file first.

When we try to open the file, we notice that it is password protected:

Luckily, there is a tool called fcrackzip. fcrackzip is a password cracker that runs on .zip files. It doesn’t come preinstalled on Kali though, so if you don’t already have it, run the following command:

sudo apt-get install fcrackzip

Great, now let’s crack the password. We will first need a wordlist that fcrackzip can use. A very popular wordlist is called rockyou.txt, which can be downloaded HERE.

fcrackzip -vbDp <wordlist path> <filepath>

The results:

Now that we have the password, let’s extract the files. We get four Christmas lists:

Open up Timmy’s to find the next flag!

Question #3: What was hidden within the file?

This picture is not really giving us much info right now, but we know that sometimes data is hidden within pictures using Steganography. There is a wide array of tools you can use to extract hidden data from files like this, but today I will be using Steghide.

Let’s get to our command line. Steghide has many options, but -sf just instructs it to extract from a certain file.

steghide extract -sf <filepath>

You’ll see a prompt come up to enter a passphrase. Don’t panic. Just ignore that and hit enter and you will see that we got an extracted file, “christmasmonster.txt”. Let’s open it up to see what is inside.

cat christmasmonster.txt

This is a creative take on a famous poem by Lewis Carroll. What looks out of place though, is the random line of text near the top.

We found our last flag!

Nice job. Hope you learned something new! Wireshark challenges have always been some of my favorites.

Happy Hacking! ❤

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store