Day 20

If you utter so much as one packet…

Welcome to day 20 of Advent of Cyber

In today's challenge we analyze Command and Control (C2) traffic using Wireshark. We will be inspecting network packets, filtering traffic, reconstructing communications, and decrypting messages using Wireshark and CyberChef.

Let's begin:

  • Start the machine and wait for it to deploy

Once deployed:

Double-click on "C2_Traffic_Analysis" on the desktop. This opens the file in Wireshark.

Apply a display filter: in the Display Filter Bar, type ip.src == 10.10.229.217 so that only packets sent from that host are shown.

If you scroll down a bit, you will find some interesting packets.

First we will analyze the POST request to /initial:

We can see the message "I am in Mayor!"

Next we will analyze the /command request to see which command was executed:

The command was whoami.

Next we will analyze /exfiltrate:

We see that the filename is credentials.txt, and a key for decryption is sent along with it.

Finally we will analyze /beacon for the encrypted message:

We can see the encrypted message. It is AES encryption (ECB mode).

Let's decrypt it using CyberChef:

That's it, we found the message!
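The decryption step above, as an added Go example that is not part of the original walkthrough: EncryptBeacon plays the implant and builds a sample /beacon body from the known message, and DecodeBeacon plays the analyst and runs the same recipe CyberChef does (From Base64, AES Decrypt in ECB mode, strip PKCS#7 padding). The key demoKey, the function names and the PKCS#7 padding are assumptions made for this example; the real key is the one recovered from the /exfiltrate request in the capture, and Go is used because its standard library ships AES.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/base64"
	"fmt"
)

const demoKey = "THM-demo-key-16b" // constructed 16-byte key for this example; the real one is read from /exfiltrate
// ecb applies one AES block operation to each 16-byte block on its own; that independence is all ECB mode is.
func ecb(key, in []byte, decrypt bool) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil || len(in) == 0 || len(in)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("bad key (%v) or input length %d", err, len(in))
	}
	op := block.Encrypt // with ECB, identical plaintext blocks yield identical ciphertext blocks
	if decrypt {
		op = block.Decrypt
	}
	out := make([]byte, len(in))
	for i := 0; i < len(in); i += aes.BlockSize {
		op(out[i:i+aes.BlockSize], in[i:i+aes.BlockSize])
	}
	return out, nil
}

// EncryptBeacon is the implant's side (PKCS#7 pad, AES-ECB, base64), used here only to build a sample body.
func EncryptBeacon(msg string, key []byte) (string, error) {
	n := aes.BlockSize - len(msg)%aes.BlockSize
	ct, err := ecb(key, append([]byte(msg), bytes.Repeat([]byte{byte(n)}, n)...), false)
	return base64.StdEncoding.EncodeToString(ct), err
}

// DecodeBeacon is the analyst's side, the CyberChef recipe in code: From Base64, AES Decrypt (ECB), unpad.
func DecodeBeacon(b64Body string, key []byte) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(b64Body)
	if err != nil {
		return "", err
	}
	pt, err := ecb(key, raw, true)
	if err != nil {
		return "", err
	}
	n := int(pt[len(pt)-1]) // malformed padding is the usual sign of a wrong key, so report it
	if n == 0 || n > aes.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return "", fmt.Errorf("invalid PKCS#7 padding (wrong key?)")
	}
	return string(pt[:len(pt)-n]), nil
}
```

With the real capture, the input to DecodeBeacon is the base64 body of the /beacon POST as shown in Wireshark and the key seen in /exfiltrate; a padding error means the wrong key or a body that was not copied whole.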

Questions:

1. What was the first message the payload sent to Mayor Malware’s C2?

A: I am in Mayor!

2. What was the IP address of the C2 server?

A: 10.10.123.224

3. What was the command sent by the C2 server to the target machine?

A: whoami

4. What was the filename of the critical file exfiltrated by the C2 server?

A: credentials.txt

5. What secret message was sent back to the C2 in an encrypted format through beacons?

A: THM_Secret_101

Stay tuned for Day 21 and Happy Hacking 🎄

Thank you!
