TryHackMe: Masterminds — Beginner Friendly (detailed)

drop
11 min readOct 9, 2021

PLATFORM: TryHackMe

LINK ROOM: https://tryhackme.com/room/mastermindsxlq

DIFFICULTY: Medium

CATEGORY: Network Forensics

TOOLS USED: Brim

INTRODUCTION:

Today let’s learn something new. Let’s do Network Forensics but this time not using Wireshark but Brim.

But first, what is Brim? Here is a little description that I found on their GitHub Page.

“Brim is an open-source desktop application for security and network specialists. Brim makes it easy to search and analyze data from:

· packet captures, like those created by Wireshark, and

· structured logs, especially from the Zeek network analysis framework.

Brim is especially useful to security and network operators that need to handle large packet captures, especially those that are cumbersome for Wireshark, tshark, or other packet analyzers.“

Before we start the walkthrough: If it is your first time using Brim (as it was for me when I started this challenge) I HIGHLY recommend watching this video:

Brim YouTube video demo: https://www.youtube.com/watch?v=InT-7WZ5Y2Y

Note: My goal here is to give you a detailed walkthrough on how you can use Brim to do Network Forensics. It was my first time using Brim, so if you find a better way to write some queries, feel free to share in the comments 😊

Let’s dive into the analysis!

INFECTION 1:

Start by loading the Infection1 packet capture in Brim to investigate the compromise event for the first machine.

On the Desktop of the Virtual Machine, you will find the Brim’s shortcut and the PCAPs folder.

Open the Brim program and load the Infection1.pcap.

As soon you open this first .pcap file you will have this screen:

If you have already used Wireshark in the past you will be familiar with this kind of view.

Now let’s answer the questions:

Provide the victim’s IP address.

This one is quite easy because there is only one IP Source in the .pcap file.

You can see the “origin” or the “resp” IP by putting your mouse on the IP.

Good, we found the first answer. Let’s move to the second question of this section.

The victim attempted to make HTTP connections to two suspicious domains with the status ‘404 Not Found’. Provide the hosts/domains requested.

Ok, here we will need to play with filters, right? If you watched the demo video (check in the introduction of this writeup), you know that we can filter the things that we want to investigate such as protocols, IPs, and so on.

At this stage, we know the victim’s IP address. So let’s filter this IP.

Right-click on the IP that you need to filter then click on “Filter = value”.

As soon you click on “Filter = value” the right syntax will appear on the search bar.

Good! Now we know that we need to find all the HTTP connections. As we did for the IP of the victim, let’s do the same with “HTTP” protocol. Go to HTTP then right-click, then click on “Filter = value”.

Now you have two filters. The IP AND the HTTP protocol. Just for your information: Brim uses by default the “AND” logic in its Boolean search. As consequence, you will only see results that contain both filters.

So far so good! Now let’s filter only the HTTP requests which status are ‘404 Not Found’.

In Brim, if you scroll to the right side, you will see a column “status_code”. There you can filter to only see the 404 status.

In the end your query will look like this:

Now you will have only 2 GET requests. In the column “host” you will find the two suspicious domains with the status “404 Not Found’.

The victim made a successful HTTP connection to one of the domains and received the response_body_len of 1,309 (uncompressed content size of the data transferred from the server). Provide the domain and the destination IP address.

Ok to answer this question, we need to filter 3 things, right? (The IP of the victim, http request 200 and the reponse_body_len 1309)

Let’s build our query:

id.orig_h==192.168.75.249 _path==”http” response_body_len==1309

Perfect, we have only one result. We just found the domain and the destination IP address.

How many unique DNS requests were made to cab[.]myfkn[.]com domain (including the capitalized domain)?

If you are familiar with SQL query you know that when we talk about “how many” we are talking about the count() function, right?

The question also says that there is maybe different ways that the domain is written. So I created this query:

id.orig_h==IPofthevictim _path==”dns” query==”CAB.MYFKN.COM” or query==”cap.myfkn.com” | count() by query

Good, we found the number of unique DNS requests.

Provide the URI of the domain bhaktivrind[.]com that the victim reached out over HTTP.

I think here you understood the logic, right? Filter by IP of the victim, the protocol (HTTP) and the host name (bhaktivrind[.]com)

id.orig_h==IPofthevictim _path==”http” host==”bhaktivrind.com”

Provide the IP address of the malicious server and the executable that the victim downloaded from the server.

So here we are talking about a “.exe” file that the victim downloaded. As we are talking about “download”, the victim probably used the web browser to do a http request. In this case, we will need to filter all the http requests.

We don’t know the name of the executable but we know how an exactable file ends right ? (hint: .exe).

So maybe we can try to create a query only looking for “uri” matching with the word “.exe”. The query looks like this:

id.orig_h==IPofthevictim _path==”http” uri matches *.exe

If you are not familiar with the syntax, I advise you to look in the “Syntax docs”:

Based on the information gathered from the second question, provide the name of the malware using VirusTotal.

A bit tricky this question, I didn’t find the answer in the VirusTotal website. However, as the hint talks about the community, I did a google search:

On the second page that I found on google (https://bazaar.abuse.ch/sample/a2d525c9bd8128160c64990fa84afc4da2bea8a72cfb4ca42f14cddac1343df2/) I found the name of the Malware:

Good we just finished Infection 1. Let’s move now to Infection 2:

INFECTION 2:

Provide the IP address of the victim machine.

First let’s open the second .pcap file (Infection2.pcap)

As we are trying to find the victim machine IP address, try to look for “id.orig_h”

Ok, now we know the victim's IP address.

Provide the IP address the victim made the POST connections to.

As the question talks about POST connections, we can say that we will work with HTTP protocol, right? Let’s first filter all the HTTP trafic.

Ok, now we can add to our query the method POST.

Perfect, we just found the IP address that the victim made the POST connections.

How many POST connections were made to the IP address in the previous question?

Ok, this is an easy one :p Just count the number of POST requests you found in the last question.

Provide the domain where the binary was downloaded from.

Ok, if you have some web basics, you know that every time that you download something you do a GET request, right? So, in this case, we just need to change a bit our query.

EZ PZ !

Provide the name of the binary including the full URI.

If you have found the previous answer then you have also found the answer for this question :)

Provide the IP address of the domain that hosts the binary.

If you have found the previous answer then you have also found the answer for this question :)

There were 2 Suricata “A Network Trojan was detected” alerts. What were the source and destination IP addresses?

To answer this question, I first looked at all the columns that Brim has. I found an interesting one: alert.signature.

I filtered this column with the alert message: “A Network Trojan was detected”

alert.signature==”A Network Trojan was detected”

Perfect! We just found the source and the destination IP addresses.

Taking a look at .top domain in HTTP requests, provide the name of the stealer (Trojan that gathers information from a system) involved in this packet capture using URLhaus Database.

Ok, let’s first filter all the HTTP trafic and search for hosts containing the word “.top”.

Great, we have the domain name. Let’s find the name of the stealer. Go to https://urlhaus.abuse.ch/ click on “URLaus Database” and past the domain name that you found.

If you struggle to find the name of the trojan, here is my hint: check the “tags” 😊

Amazing! We just finished the second Infection. Let’s move to the last Infection (Infection 3).

INFECTION 3:

Provide the IP address of the victim machine.

I think you know how to find it right? (hint: id.orig_h)

Provide three C2 domains from which the binaries were downloaded (starting from the earliest to the latest in the timestamp)

Here we are talking about downloads. So it will be something related to “HTTP” and “GET” requests right? Let’s start filtering by those criteria (IP of the victim, HTTP protocol, and GET requests).

id.orig_h==IPVICTIM _path==”http” method==”GET”

Good! We have found all the domains (column “host”). Now you need to put them in the right order according to the timestamps (ts column)

Provide the IP addresses for all three domains in the previous question.

This one is easy because you found already the answer in the previous question. You can find the IPs in the “id.resp_h” column.

How many unique DNS queries were made to the domain associated with the first IP address from the previous answer?

Ok… first we need to figure out the domain of the first IP. This we have already found in the previous question.

Let’s filter only with this domain.

Hmm… there is no DNS here. I struggled a lot here… I didn’t find this answer only using BRIM so I tried several numbers and I found the answer. Sorry for that one ☹

How many binaries were downloaded from the above domain in total?

In the previous question, we used the name of the domain to see all the interactions with the domain. We can see that the user downloaded some files. Just count the amount of .exe files and you will have the right number of binaries that the user downloaded.

Provided the user-agent listed to download the binaries.

This one is easy 😊 Check the “user_agent” column.

Provide the amount of DNS connections made in total for this packet capture.

Normally here you are familiar with the count() function, right? Let’s count() all the DNS connections.

With some OSINT skills, provide the name of the worm using the first domain you have managed to collect from Question 2. (Please use quotation marks for Google searches, don’t use .ru in your search, and DO NOT interact with the domain directly).

Easy one, just google it 😎

CONCLUSION:

The first thing that I need to say… this room is super cool! I learned a lot of things here.

I was always struggling with Wireshark and packet analysis challenges. With Brim, my fear is gone. It was super easy to create queries and find the right information. Brim is a game-changer in my opinion.

From now, I will try to use Brim in all packet analysis challenges.

Big thanks to heaveraiza and RussianPanda for creating this room. Great job guys!

Here are some resources that I used to solve all the challenges:

Brim Website:

Just to have an idea what Brim can do:

Brim GitHub:

Brim YouTube video demo:

I hope that my writeup helped you to understand better all the aspects of this CTF. If you want to read more writeups like this one or have any questions, you can find me on Twitter @dropn0w.

Stay curious and keep learning!

--

--