Tuesday, December 13, 2022

TryHackMe.com - Advent of Cyber 2022 - Day 13 - writeup

Advent of Cyber is now a regular seasonal room on TryHackMe. This is their 4th edition, and again it comes with an awesome story to follow through each day's assignment. Here are my solutions for Day 13, in case anyone gets stuck or needs a bit of help with the questions. Today's main tool is Wireshark, a free and open-source packet analyzer, which we will use to work through the task. Before you start answering questions you need to start the VM, which takes a few minutes. Once the VM has booted, open the trace file that is placed on the desktop.
  1. Q1: Once you have opened the trace file, open the drop-down menu Statistics / Protocol Hierarchy. The data in the pop-up window answers the first question.
  2. Q2: Now close the Protocol Hierarchy window and open Statistics / Conversations; under the TCP tab you will find all the data needed to answer the second question.
  3. Q3: To answer this question you will need to google which service uses this port.
  4. Q4: In the search/filter bar type dns to show only DNS packets; in those packets, under Query / Name, you can see the domain names that were looked up. Don't forget to defang the answers. Defanging means formatting a URL or domain in such a way that it can't be clicked by accident. Don't forget to put them in alphabetical order.
  5. Q5 & Q6 & Q7 & Q8: Filter by HTTP requests and you can find the answers to questions 5 to 8.
  6. Q9: To export files from the trace, go to File / Export Objects / HTTP... and download the file. To obtain the hash value of the file you can run
     sha256sum filename
     and copy part of the output.
  7. Q10: Open VirusTotal, paste the hash value of the malicious file, and in the Behavior tab you will find the answer to this last question. Don't forget to defang the answers.
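The two steps above that involve more than clicking around are pulling the looked-up names out of DNS queries (Q4) and hashing the exported file (Q9). The script below is an added example written for this writeup, not code from the TryHackMe room; it builds a few constructed DNS messages (no real trace data), reads the Query / Name field the way Wireshark shows it, keeps only queries (ignores responses), defangs the names and sorts them alphabetically, and computes the same SHA-256 that sha256sum prints. The message builder and sample names are assumptions made only to have something to run.

```python
import hashlib
import struct

# --- Constructed sample data (not from the challenge trace) ---------------------
# Raw DNS message payloads (what sits above UDP), standing in for the packets one
# inspects under "Query / Name" in Wireshark after filtering on dns.

def build_dns_message(name: str, txid: int, response: bool = False) -> bytes:
    """Build a minimal DNS message carrying one A-record question for `name`.

    Helper used only to construct sample input; flags 0x0100 = standard query
    with recursion desired, 0x8180 = standard response with recursion available.
    """
    flags = 0x8180 if response else 0x0100
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii") for label in name.split(".")
    ) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

SAMPLE_DNS = [
    build_dns_message("example.com", 0x1001),
    build_dns_message("cdn.example.net", 0x1002),
    build_dns_message("example.com", 0x1001, response=True),  # reply, must be ignored
    build_dns_message("example.com", 0x1003),                 # repeat query, must dedupe
]

def parse_qname(message: bytes) -> str:
    """Return the QNAME of the first question in a DNS message (header is 12 bytes)."""
    offset = 12
    labels = []
    while True:
        length = message[offset]
        if length == 0:
            break
        if length & 0xC0:
            # Compression pointers never appear in a well-formed first question.
            raise ValueError("compressed QNAME in question section")
        offset += 1
        labels.append(message[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels)

def defang(name: str) -> str:
    """Defang a domain: wrap each dot in brackets so it cannot be clicked by accident."""
    return name.replace(".", "[.]")

def queried_domains(messages) -> list:
    """Unique names from DNS *queries* (QR bit clear), defanged, sorted alphabetically."""
    names = set()
    for msg in messages:
        (flags,) = struct.unpack(">H", msg[2:4])
        if flags & 0x8000:  # QR=1: this is a response, not a lookup
            continue
        names.add(parse_qname(msg))
    return sorted(defang(n) for n in names)

def sha256_hex(data: bytes) -> str:
    """SHA-256 of a file's bytes, the same value sha256sum prints for that file."""
    return hashlib.sha256(data).hexdigest()

if __name__ == "__main__":
    print(queried_domains(SAMPLE_DNS))
    print(sha256_hex(b"abc"))
```

On the real trace the command-line counterpart of the Q4 clicks is tshark, for example `tshark -r trace.pcap -Y "dns.flags.response == 0" -T fields -e dns.qry.name | sort -u`, which lists each queried name once; defang the result before submitting it.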
I hope anyone who gets stuck finds it helpful.
AudiTTRSi
