Phantom Wiretap
Network Traffic Analysis | Level 1 - Phantom Wiretap
Challenge
A covert monitoring system known as Phantom Wiretap captured a stream of suspicious network traffic from a compromised internal workstation. Investigators believe the user was communicating with hidden infrastructure and exfiltrating encoded data through DNS queries.
Q1. What is the transaction ID of the first DNS query to the domain thehackpack.thp.lan?
Q2. Which email-related hostnames are queried in the capture (separated by commas AND in the order of the packet capture: [string], [string], ...)?
Q3. A DNS response for target.thp.lan contains multiple A records. What is the second IPv4 address returned in that response?
Q4. What is the DNS transaction ID in frame 11?
Q5. The domain flag.thp.lan returns both A and AAAA records. The returned IP values encode a hidden message of the form THP-AA#A-####. Decode those IP values to get the flag.
Q6. What is the average DNS payload size in bytes (to 2 decimal places)?
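As an added worked example (not part of the challenge files or its solution guide), a minimal pure-Python DNS message parser that pulls out the fields these questions ask for: the transaction ID, the queried names, and the A/AAAA answers in wire order, plus a decoder for one assumed encoding in which the concatenated address bytes spell an ASCII string. The sample response, the addresses and the resulting flag are constructed for illustration, not taken from the capture.

```python
import struct
import ipaddress

def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def build_response(txid, name, addrs):
    """Constructed sample (not capture data); RR names use a 0xC00C pointer to the question name at offset 12."""
    header = struct.pack("!6H", txid, 0x8180, 1, len(addrs), 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    rrs = b""
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", 1 if ip.version == 4 else 28, 1, 60, len(ip.packed)) + ip.packed
    return header + question + rrs

def read_name(msg, off):
    """Parse a possibly compressed DNS name; return (name, offset just past it)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer: follow it, remember where to resume
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        if ln == 0:
            return ".".join(labels), (off + 1 if end is None else end)
        labels.append(msg[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln

def parse_dns(msg):
    """Return the transaction ID, question names and A/AAAA answers in wire order."""
    txid, _, qdcount, ancount, _, _ = struct.unpack("!6H", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qdcount):
        name, off = read_name(msg, off)
        questions.append(name)
        off += 4  # skip QTYPE and QCLASS
    for _ in range(ancount):
        _, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype in (1, 28):  # A or AAAA
            answers.append(str(ipaddress.ip_address(rdata)))
    return {"txid": txid, "questions": questions, "answers": answers}

def decode_ascii_addresses(addresses):
    """Assumed scheme: the concatenated address bytes spell an ASCII string, zero-padded."""
    return b"".join(ipaddress.ip_address(a).packed for a in addresses).rstrip(b"\x00").decode("ascii")

# Constructed sample: a response for flag.thp.lan with one A and one AAAA record (not from the capture).
SAMPLE_RESPONSE = build_response(0x1A2B, "flag.thp.lan", ["84.72.80.45", "4142:3143:2d32:3334:3500::"])
```

Feed `parse_dns` the raw UDP payload of each DNS packet; the transaction ID is the first 16-bit field, and the average payload size for Q6 is just the mean of those payload lengths.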
Solution
Solution Guide
NOT FINISHED: Need to Personalize and Add Hints.
Over 75% of log analysis challenges can be solved with Excel. Thus, Math Rock attempts to be an introduction to using Excel in order to solve log analysis challenges. After mastering Excel, it is recommended to learn DAAS tools like Splunk, Datadog, or Solarwinds to further refine your log analysis skills and become a master in this form of hacking.
The .log file is separated into 4 columns: Time, Ticker, Frequency, and Amplitude. Now, we need to find a way to copy and paste each column as its own column in Excel. However, when I try to copy and paste the log file into Excel, it puts all the data in one column, which is not what we want. Thus, we rely on good ol' reliable Python to extract each individual column of the dataframe.
I have provided the python file to help you with extraction in the HINT. Now if there was a way to copy and paste each individual column from the log file to their own respective column in the excel sheet without python, then be my guest. However, in this case, we are using the help of python to seamlessly copy over the data so that the excel sheet can mirror the log file.
Although the Python file extracts all the columns, we really only need to copy over the 'time' and 'amplitude' columns, and maybe the 'Ticker' column as well. Once you have copied over the numbers and their headers to Excel, select ONLY the 'frequency' and 'amplitude' columns. After selecting the two columns, search for 'XY scatter' and select the first scatter plot option. You should see an outlier in the data along the 'Y' axis. There is only one ticker that goes beyond the [-1.00, 1.00] Hertz frequency bound, and that ticker is the flag!
P.S. This is the actual frequency data extracted from a snippet of an ichika-nito solo. You can reconvert the audio back into the actual song using Audacity in order to hear the sound bite.
Credits
- Author(s): Swapnil Roy (thespcrewroy)