We analyzed data exfiltration through DNS given a pcap file with Wireshark. This was part of TryHackMe Advent of Cyber 1 Day 6.
Network Traffic Analysis Notes
Introduction
The task combines Wireshark packet analysis with steganography analysis (the process of extracting hidden information from images). Three questions need to be answered:
- What data was exfiltrated via DNS?
- What did “little Timmy” want to be for Christmas?
- What was hidden within a file?
Wireshark Analysis
The PCAP file is loaded into Wireshark, and the DNS traffic is isolated using the dns display filter. Among the filtered packets, hex-encoded data is found, indicating that information has been exfiltrated via DNS. By following the UDP stream and extracting the hex string, the data is decoded with CyberChef into the text “Candy Cane Serial Number: 8491”. This result answers the first question.
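The decoding step above can be automated: the following example, added here and not part of the video or the TryHackMe room, parses raw DNS queries (constructed inline, not from the room's pcap), flags labels that look hex-encoded, and decodes the reassembled payload per parent domain. The length threshold, the exfil.example domain and the packet ordering are assumptions of this example.

```python
import struct

# Heuristic for spotting hex-encoded DNS labels (threshold is an assumption of this example)
HEX_CHARS = set("0123456789abcdefABCDEF")
MIN_HEX_LABEL = 16  # shorter hex-looking labels such as "cafe" are too noisy to flag

def build_dns_query(qname: str, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS A query; used only to construct sample packets for this example."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # id, flags (RD), QD=1
    body = b"".join(bytes([len(label)]) + label.encode() for label in qname.split("."))
    return header + body + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_qname(dns_msg: bytes) -> str:
    """Extract the QNAME from a raw DNS message (question sections carry no compression pointers)."""
    labels, pos = [], 12  # skip the 12-byte header
    while True:
        length = dns_msg[pos]
        if length == 0:
            break
        labels.append(dns_msg[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length
    return ".".join(labels)

def looks_hex(label: str) -> bool:
    """True for even-length labels made only of hex digits and long enough to be suspicious."""
    return len(label) >= MIN_HEX_LABEL and len(label) % 2 == 0 and set(label) <= HEX_CHARS

def extract_exfil(dns_msgs) -> dict:
    """Group hex labels by their parent domain and decode the concatenated payload per domain."""
    chunks = {}
    for msg in dns_msgs:
        labels = parse_qname(msg).split(".")
        hex_labels = [l for l in labels if looks_hex(l)]
        if not hex_labels:
            continue  # ordinary lookup, nothing to decode
        parent = ".".join(l for l in labels if not looks_hex(l))
        chunks.setdefault(parent, []).extend(hex_labels)  # assumes packets arrive in order
    return {parent: bytes.fromhex("".join(hx)).decode("utf-8", "replace")
            for parent, hx in chunks.items()}

# Constructed sample traffic: one benign lookup plus two queries carrying the hex payload
PAYLOAD_HEX = "43616e64792043616e652053657269616c204e756d6265723a2038343931"
SAMPLE_QUERIES = [
    build_dns_query("www.example.com"),
    build_dns_query(PAYLOAD_HEX[:30] + ".exfil.example"),
    build_dns_query(PAYLOAD_HEX[30:] + ".exfil.example"),
]

if __name__ == "__main__":
    for parent, text in extract_exfil(SAMPLE_QUERIES).items():
        print(f"{parent}: {text!r}")
```

On a real capture, the same functions can be fed the UDP payloads of the filtered DNS packets; a high ratio of long hex-only labels under one parent domain is the signal to alert on.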
Finding Timmy’s Christmas Wish
The second question requires further analysis of the HTTP traffic. Several files, including christmas_list.zip and tryhackme.jpg, are downloaded. The zip file is password-protected, so the tool fcrackzip is used to brute-force the password. The password is “december”, and the archive is successfully extracted. Inside the extracted files, Timmy’s Christmas wish is found: he wants to be a pen tester.
Steganography (Stego Analysis)
The image file tryhackme.jpg is analyzed for hidden data using the steghide tool. The passphrase from the previous step (“december”) does not work, but running steghide with an empty passphrase reveals a hidden text file containing technical text related to the ARP RFC. The third question is answered using the hidden text found in the image.
Conclusion
The video wraps up by recommending visiting SSD Secure Disclosure, a site that brokers zero-day vulnerabilities, provides detailed exploit summaries, and offers a valuable resource for security researchers or bug bounty hunters.
Challenge Answers
- What data was exfiltrated via DNS? Candy Cane Serial Number: 8491
- What did Little Timmy want to be for Christmas? A pen tester
- What was hidden within the file? The text file extracted from tryhackme.jpg with steghide