TryHackMe - Carnage
Daan Perry - 2025-07-23
Carnage
Let me start off by saying that no answers will be shared in this post. This post only describes my process and how I found the answers for this lab. It is meant for those who either got stuck or are curious about how other people solved this lab. I encourage you to try this lab on your own first and only use a walkthrough when you have been stuck for an hour. I will share the mistakes I made and how I got unstuck, in the hope that it helps others learn too.
Do not interact directly with any domains or IP addresses in this challenge. Some of these are still active and dangerous; use a service like VirusTotal or urlscan instead.
The scenario
Eric Fischer from the Purchasing Department at Bartell Ltd has received an email from a known contact with a Word document attachment. Upon opening the document, he accidentally clicked on "Enable Content." The SOC Department immediately received an alert from the endpoint agent that Eric's workstation was making suspicious connections outbound. The pcap was retrieved from the network sensor and handed to you for analysis.
Walkthrough
Since the .pcap file for this challenge is only available on the AttackBox, this is where we'll carry out our investigation. After opening the pcap file in Wireshark I like to do a couple of things. First I add the src.port and dst.port columns. Next I rearrange the layout so that the Packet List is full width on top, Packet Details on the bottom left and Packet Bytes on the bottom right. This can be done by going to Edit -> Appearance -> Layout.
[Screenshot: how to add the src.port and dst.port columns]
[Screenshot: Wireshark layout with a full-width packet list]
Inspecting the pcap file
Question 1:
What was the date and time for the first HTTP connection to the malicious IP?
For this first question we have a couple of ways to find the answer. The simplest way is to filter the packets on http and look for the first suspicious IP. In the case of this file we are instantly shown that a document is being downloaded from a strange URI. We can check this domain with VirusTotal to double-check that this is the suspicious IP address.
We can then find the Arrival Time of the packet in the Frame section of the Packet Details. Another way is to change the Time Display Format so that all packets show their arrival time in the Packet List. This can be done by going to View -> Time Display Format -> Date and Time of Day. Most of the time milliseconds are not relevant for incident reporting; to make life easier you can select the option to show only seconds, as in the screenshot below.
[Screenshot: changing the Time Display Format from "Seconds Since Beginning of Capture" to "Date and Time of Day"]
Downloaded zip file
Question 2:
What is the name of the zip file that was downloaded?
The first question set us up nicely for this one: the answer is visible in that first HTTP request. If this were not the case we could find it with a filter like frame contains ".zip", or, if we knew nothing about the filename, by checking all objects Wireshark found in the pcap file via the File -> Export Objects -> HTTP menu. Any requests using the POST method can be found with the filter http.request.method == "POST" and then following the HTTP stream.
Domain information
Question 3:
What was the domain hosting the malicious zip file?
Staying with the first packet found, if we inspect the Packet Details closer we can find the domain hosting the zip file in there also.
Filename contained in zip
Question 4:
Without downloading the file, what is the name of the file in the zip file?
Again there are multiple ways to find this information. One option is to follow the stream (right-click the packet -> Follow -> HTTP Stream) and scroll all the way to the bottom; the filename will be displayed in the Packet Bytes.
[Screenshot: filename in the TCP stream]
Another option is to click on the packet with the GET request for the zip file, go to its Packet Details and double-click the Response in Frame line. In the Packet Bytes window of this response packet you can now click on "De-chunked entity body" and the filename will be near the top.
WebServer information
Question 5 & 6:
What is the name of the webserver of the malicious IP from which the zip file was downloaded?
What is the version of the webserver from the previous question?
Depending on which route you took in the previous step, this information can be found in the same place. If you followed the stream you will see a server field to answer question 5 and an x-powered-by field to answer question 6. If you are currently looking at the response packet you will find the same server and x-powered-by fields in the Packet Details.
Malicious files downloaded
Question 7:
Malicious files were downloaded to the victim host from multiple domains. What were the three domains involved with this activity?
Now this one stumped me initially, as the domain we found earlier for the .zip file is not one of the answers, and neither is the domain that shows up in the Export Objects. The reason why that domain shows up in the Export Objects will become obvious later.
I used the hint here to get an idea of what I could use to find the domains: frame.time > "2021-09-24 16:45:11" and frame.time < "2021-09-24 16:45:30". Note the direction of the comparisons: the time must be after the start and before the end of the window, otherwise the filter matches nothing. This is an important filter to remember. Whenever events are known to have happened in a certain time frame in a large pcap file, this is an easy way to focus on the relevant packets. You can even export these packets as a new pcap file.
Back to what we're trying to do. Now that we can see what happened in that time frame, we can narrow down our results even further by adding and dns to the filter. That leaves us with the three domains we are looking for.
[Screenshot: DNS filtering for malicious domains]
Certificate Authority
Question 8:
Which certificate authority issued the SSL certificate to the first domain from the previous question?
If we select the DNS query for the first domain and then remove the dns filter, we can see what happened after the DNS query. We know from the DNS query that we are looking for packets from the 148[.]72[.]... IP address. Now we need a Client Hello or Server Hello and simply follow the TCP stream. The certificate authority can be found in the stream data.
[Screenshot: certificate authority in the TCP stream]
Finding Cobalt Strike C2 servers
Question 9:
What are the two IP addresses of the Cobalt Strike servers? Use VirusTotal (the Community tab) to confirm if IPs are identified as Cobalt Strike C2 servers.
From the hint I think the room creator wants us to use the Conversations menu in Wireshark: Statistics -> Conversations -> Filter on packets. Go to the TCP tab and then check on VirusTotal those that have sent more than 1000 packets and are using common Cobalt Strike C2 ports. This is where doing your research on Indicators of Compromise (IoC) is very important. If we do, and check the Community tab on VirusTotal for the IPs using ports 80 and 8080, we do indeed find two Cobalt Strike C2 servers.
Optional reading, alternative way to find Cobalt Strike beacons without relying on the Statistics menu
This next section is for those who are curious about another way to find these beacons, if perhaps there are many more IP addresses in the conversations tab and it might not be as obvious. Remember there is a reason Cobalt Strike uses these common ports.
I wanted to see if it was possible to figure this out with a little less "brute force". By doing some research we quickly learn that Cobalt Strike likes to use ports 80, 443, 8443 and 8080. If we filter on frame.time > "2021-09-24 16:45:30" and http.request.method == "GET" we can already find one suspicious IP making an unusual number of GET requests on port 80.
[Screenshot: first beacon using GET requests]
Changing the method to POST returns another IP with odd behaviour; however, it is not marked as a C2 server on VirusTotal and so is not our answer for this question. But if you are actually reading this I'll reward you with this one: make a note of the address and perhaps the Full request URI.
[Screenshot: another suspicious IP address, but not a beacon]
Let's check the other ports, first tcp.srcport == 443: lots of traffic on this port. Nothing really stands out initially, so let's go for the low-hanging fruit first and try the other ports. No traffic on tcp.srcport == 8443. Let's check the final port, tcp.srcport == 8080. Bingo: a single IP is using this port which, when verified on VirusTotal, is our second beacon.
An interesting thing to note about this second beacon is the number of packets it sends in a short amount of time.
[Screenshot: second beacon found]
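As an added example (my own code, not part of the original post or the lab's data), the same idea applied outside the GUI: group HTTP requests per destination and port as tshark would export them and, going one step beyond the post, check how evenly the requests are spaced, since a beacon checking in on a fixed interval stands out even when many hosts use port 80. All addresses, timestamps and the _beacon helper are constructed for the illustration.

```python
from statistics import mean, pstdev
from collections import defaultdict

COMMON_C2_PORTS = {80, 443, 8080, 8443}  # the ports the post says Cobalt Strike favours

# Constructed request records (frame.time_epoch, ip.dst, tcp.dstport, http.request.method),
# in the shape `tshark -Y http.request -T fields ...` would print. Addresses and times are invented.
def _beacon(dst, port, method, start, period, n):
    return [(start + i * period, dst, port, method) for i in range(n)]

SAMPLE_HTTP = sorted(
    _beacon("192.0.2.50", 80, "GET", 1632502000.0, 60.0, 40)        # steady 60 s check-ins
    + _beacon("192.0.2.51", 8080, "POST", 1632502010.5, 60.0, 40)
    + [(1632502003.0, "203.0.113.9", 80, "GET"), (1632502130.2, "203.0.113.9", 80, "GET"),
       (1632502131.9, "203.0.113.9", 80, "GET"), (1632502760.4, "203.0.113.9", 80, "GET")]
)

def beacon_candidates(requests, min_count=10, max_jitter=0.2):
    """Group requests by (dst, port, method); flag groups on common C2 ports that are both
    numerous and regularly spaced. A beacon configured with heavy jitter spreads its
    intervals out, so raise max_jitter if you expect that."""
    groups = defaultdict(list)
    for t, dst, port, method in requests:
        groups[(dst, port, method)].append(t)
    out = []
    for (dst, port, method), times in groups.items():
        if port not in COMMON_C2_PORTS or len(times) < min_count:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        # coefficient of variation of the inter-request gaps: 0 means perfectly periodic
        jitter = pstdev(gaps) / mean(gaps) if mean(gaps) > 0 else float("inf")
        if jitter <= max_jitter:
            out.append({"dst": dst, "port": port, "method": method,
                        "count": len(times), "period_s": round(mean(gaps), 1)})
    return sorted(out, key=lambda c: -c["count"])
```

The third host has only a handful of irregular requests and is dropped by the count threshold; a hit here is a lead to verify on VirusTotal, not a verdict.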
Cobalt Strike Host header
Question 9:
What is the Host header for the first Cobalt Strike IP address from the previous question?
Filtering the pcap on ip.addr == c2_ip_address (with the address of the first Cobalt Strike server) and following the TCP stream on the first packet will give us the Host header right away.
[Screenshot: Host header in the packet stream]
Find hostnames of the Cobalt Strike servers
Question 10 & 11:
What is the domain name for the first IP address of the Cobalt Strike server?
What is the domain name for the second IP address of the Cobalt Strike server?
Those who have ever hosted a website or had to deal with DNS know that an A record maps a hostname / domain name to an IP. This means we can either use the VirusTotal page we opened earlier or check our pcap file for DNS queries.
We can make it easy and get both in a single filter by using: dns.a == 185.106.96.158 or dns.a == 185.125.204.174
[Screenshot: filtering on two separate dns.a answers]
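One added example (my own code, not the post's or the lab's data) that covers both the time-window DNS narrowing from question 7 and the dns.a lookup above, working on constructed tshark-style DNS export lines; every name, address and timestamp in it is invented.

```python
from datetime import datetime, timezone

# Constructed sample in the shape of `tshark -r carnage.pcap -Y dns -T fields -e frame.time_epoch
# -e ip.src -e ip.dst -e dns.flags.response -e dns.qry.name -e dns.a` (tab-separated output).
# Every name, IP and timestamp here is invented for the illustration, not taken from the lab.
SAMPLE_DNS = "\n".join([
    "1632501900.120\t10.9.23.102\t10.9.23.1\t0\tupdate.example-good.test\t",
    "1632501900.131\t10.9.23.1\t10.9.23.102\t1\tupdate.example-good.test\t203.0.113.10",
    "1632501915.402\t10.9.23.102\t10.9.23.1\t0\tcdn.stage-one.test\t",
    "1632501915.418\t10.9.23.1\t10.9.23.102\t1\tcdn.stage-one.test\t198.51.100.21",
    "1632501921.004\t10.9.23.102\t10.9.23.1\t0\tdl.stage-two.test\t",
    "1632501921.019\t10.9.23.1\t10.9.23.102\t1\tdl.stage-two.test\t198.51.100.22,198.51.100.23",
    "1632501945.770\t10.9.23.102\t10.9.23.1\t0\tbeacon-a.c2.test\t",
    "1632501945.788\t10.9.23.1\t10.9.23.102\t1\tbeacon-a.c2.test\t192.0.2.50",
    "1632501950.027\t10.9.23.1\t10.9.23.102\t1\tbeacon-b.c2.test\t192.0.2.51",
])

def parse_dns_records(text):
    """One dict per line; dns.a can carry several comma-joined A answers."""
    records = []
    for line in text.splitlines():
        epoch, src, dst, is_resp, qname, answers = line.split("\t")
        records.append({"time": float(epoch), "src": src, "dst": dst,
                        "response": is_resp == "1", "qname": qname,
                        "a": [a for a in answers.split(",") if a]})
    return records

def to_epoch(stamp):
    """'YYYY-MM-DD HH:MM:SS' as UTC; Wireshark compares frame.time in the analysis
    box's local zone, so shift the window if that box is not on UTC."""
    dt = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
    return dt.replace(tzinfo=timezone.utc).timestamp()

def names_queried_between(records, start, end):
    """Same idea as: frame.time > start and frame.time < end and dns (queries only)."""
    lo, hi = to_epoch(start), to_epoch(end)
    return sorted({r["qname"] for r in records
                   if not r["response"] and lo < r["time"] < hi})

def hosts_for_ips(records, ips):
    """Same idea as: dns.a == ip1 or dns.a == ip2 -> names that resolved to each IP."""
    found = {ip: set() for ip in ips}
    for r in records:
        for ip in r["a"]:
            if ip in found:
                found[ip].add(r["qname"])
    return found
```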
Find the post-infection server
Question 12:
What is the domain name of the post-infection traffic?
Those who took the time to really read through question 9 already found another suspicious IP and domain. For the others: we know that Cobalt Strike likes to use GET and POST requests on ports 80, 443, 8080 and 8443.
The filter http.request.method == "POST" gives us another suspicious address that is sending an unusual number of POST requests with data. Inspecting one of the packets will give us the host.
[Screenshot: post-infection domain and the characters sent]
First characters the victim host transmits
Question 13:
What are the first eleven characters that the victim host sends out to the malicious domain involved in the post-infection traffic?
This question was formulated a little confusingly in my opinion; however, I also realize that formulating it differently could very easily make it too easy. To answer it we stick with the same packet and literally take the first characters the victim sends.
Length of the first packet sent
Question 14:
What was the length for the first packet sent out to the C2 server?
Again staying with the same packet, we can find the size in the Packet Details. If you get the wrong answer, make sure to read the question carefully again: we're looking for the size of the whole packet.
Server header
Question 15:
What was the Server header for the malicious domain from the previous question?
This time we want to inspect the packet like we did before for question 5. Make sure to copy the entire Server field.
IP address query
Question 16 & 17:
The malware used an API to check for the IP address of the victim’s machine. What was the date and time when the DNS query for the IP check domain occurred?
What was the domain in the DNS query from the previous question?
We can simply use a filter to search for DNS queries that contain an API, like this: dns && frame contains "api", and again use the Arrival Time from the Packet Details or switch the view of our Packet List to display date and time. Make sure to enter the date and time in the correct format: yyyy-mm-dd hh:mm:ss.
MAIL FROM
Question 18:
Looks like there was some malicious spam (malspam) activity going on. What was the first MAIL FROM address observed in the traffic?
Another big hint in the question itself: simply use the filter frame contains "MAIL FROM" and find the answer.
SMTP Traffic
Question 18:
How many packets were observed for the SMTP traffic?
And lastly we can use the smtp filter to see all Simple Mail Transfer Protocol (SMTP) related traffic. The number of packets for a given filter can be found in the lower right part of the interface. A small easter egg for those who are interested in the SMTP packets: ZGluYW1pdA==
Conclusion
Another very well-paced lab that touches on many different parts of the Wireshark program. A great lab to become more familiar with how Wireshark works and the best way to find certain information. The last few questions may not have required too much searching, but they all touched on a very specific type of information.