
Phantom Wiretap

Network Traffic Analysis | Level 1 - Phantom Wiretap

Challenge

A covert monitoring system known as Phantom Wiretap captured a stream of suspicious network traffic from a compromised internal workstation. Investigators believe the user was communicating with hidden infrastructure and exfiltrating encoded data through DNS queries.

Q1. What is the transaction ID of the first DNS query to the domain thehackpack.thp.lan?


Q2. Which email-related hostnames are queried in the capture (separated by commas)?


Q3. A DNS response for target.thp.lan contains multiple A records. What is the second IPv4 address returned in that response?


Q4. What is the DNS transaction ID in frame 11?


Q5. The domain flag.thp.lan returns both A and AAAA records. The returned IP values encode a hidden message of the form THP-ABCD-####. Decode those IP values to get the flag.


Q6. What is the average DNS payload size in bytes (to 2 decimal places)?
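
The questions above all come down to the same few parsing steps: read the 12-byte DNS header (transaction ID, flags, section counts), walk the question and answer sections (handling name compression pointers), and then pick fields out of the records. The Python below is an added worked example, not part of the challenge or the author's material, and it does not read the real capture: it builds a constructed six-message "capture" inline, with invented names (under example.lan), transaction IDs and addresses, so it runs offline. It assumes that "payload size" in Q6 means the length of the DNS message itself (the UDP payload), that "email-related" in Q2 means a hostname containing mail, smtp, imap or pop, and that a message hidden in IP values (Q5) is the A and AAAA rdata bytes concatenated in answer order and read as ASCII with NUL padding removed; the decoded sample is deliberately not a flag.

```python
"""Minimal DNS parser and helpers mirroring Q1-Q6. Added example; sample data is constructed."""
import ipaddress
import struct

TYPE_A, TYPE_AAAA = 1, 28
EMAIL_HINTS = ("mail", "smtp", "imap", "pop")    # assumption: what counts as email-related


def encode_name(name: str) -> bytes:
    """Encode a dotted name as length-prefixed DNS labels (no compression)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_message(txid: int, qname: str, answers=(), qtype=TYPE_A) -> bytes:
    """Build a query (no answers) or a response (with answers) for one name.

    answers is a sequence of (rtype, rdata). Answer owner names are written as a
    compression pointer to offset 12 (the question name), as real resolvers do.
    """
    flags = 0x8180 if answers else 0x0100            # QR+RD+RA for a response, RD for a query
    msg = struct.pack("!HHHHHH", txid, flags, 1, len(answers), 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)
    for rtype, rdata in answers:
        msg += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 60, len(rdata)) + rdata
    return msg


def read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                     # 2-byte compression pointer
            if not jumped:
                end = off + 2
            off = ((length & 0x3F) << 8) | msg[off + 1]
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_message(msg: bytes) -> dict:
    """Parse the header, question and answer sections of one DNS message."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        answers.append((name, rtype, msg[off:off + rdlen]))
        off += rdlen
    return {"id": txid, "response": bool(flags & 0x8000),
            "questions": questions, "answers": answers, "size": len(msg)}


# Helpers for Q1-Q6; frames is the list of parsed messages in capture order.
def first_query_id(frames, qname):
    return next((f["id"] for f in frames
                 if not f["response"] and any(q == qname for q, _ in f["questions"])), None)


def email_hostnames(frames):
    return sorted({q for f in frames if not f["response"] for q, _ in f["questions"]
                   if any(h in q for h in EMAIL_HINTS)})


def a_records(frames, qname):
    """All A-record addresses for qname, in the order the responses list them."""
    return [str(ipaddress.IPv4Address(rd)) for f in frames if f["response"]
            for n, t, rd in f["answers"] if n == qname and t == TYPE_A]


def txid_of_frame(frames, frame_no):
    return frames[frame_no - 1]["id"]                 # capture frame numbers are 1-based


def decode_ip_message(frames, qname):
    """Concatenate A/AAAA rdata for qname and read it as ASCII, dropping NUL padding."""
    raw = b"".join(rd for f in frames if f["response"] for n, t, rd in f["answers"]
                   if n == qname and t in (TYPE_A, TYPE_AAAA))
    return raw.rstrip(b"\x00").decode("ascii")


def average_payload(frames):
    return round(sum(f["size"] for f in frames) / len(frames), 2)


# Constructed sample "capture": six messages with invented names, IDs and addresses.
FRAMES = [parse_message(m) for m in (
    build_message(0x1A2B, "site.example.lan"),
    build_message(0x1A2B, "site.example.lan", [(TYPE_A, bytes([10, 0, 0, 5]))]),
    build_message(0x3C4D, "mail.example.lan"),
    build_message(0x5E6F, "smtp.example.lan"),
    build_message(0x7A8B, "multi.example.lan",
                  [(TYPE_A, bytes([10, 0, 0, 10])), (TYPE_A, bytes([10, 0, 0, 11]))]),
    build_message(0x9C0D, "hidden.example.lan",                 # not a flag, just sample text
                  [(TYPE_A, b"NOT-"), (TYPE_AAAA, b"A-FLAG-0000".ljust(16, b"\x00"))]),
)]

if __name__ == "__main__":
    print(first_query_id(FRAMES, "site.example.lan"), email_hostnames(FRAMES),
          a_records(FRAMES, "multi.example.lan")[1], txid_of_frame(FRAMES, 3),
          decode_ip_message(FRAMES, "hidden.example.lan"), average_payload(FRAMES))
```

To run the same logic against the real capture, replace FRAMES with the UDP payloads of the DNS packets extracted from the pcap (for example with scapy or by walking the pcap records by hand), keeping capture order so that frame-number questions like Q4 line up. Two things to check before trusting the averages: whether the capture carries DNS over TCP (two-byte length prefix, which this parser does not strip) and whether the challenge's notion of payload includes or excludes that prefix and the UDP header.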


Credits

  • Author(s): Swapnil Roy (thespcrewroy)