Day 13: Wireshark – Session & File Reconstruction lab

🎯 Objective

Learn how to reconstruct sessions and extract transferred files from PCAP data using Wireshark. The goal is to identify and extract a suspicious file transferred during an HTTP session.

🧠 Challenge Description

In this simulation, a suspected internal user has downloaded a suspicious file from a malicious server hosted at http://malicious.talosec.lab. As a SOC analyst, your job is to:

Identify the HTTP session where the download occurred.
Reconstruct the full TCP session.
Extract the file.
Inspect it for indicators of compromise (IoCs).
Locate and submit the embedded flag (e.g., TSEC{} format).

🛠️ Tools Required

Wireshark (latest version)
Optional: CyberChef, Base64 decoder, or VirusTotal for analyzing decoded data

🧭 Steps to Solve

https://www.dropbox.com/scl/fi/xx81fgt0d3hd9stiznp1a/day-13.pcap?rlkey=65m2jx8giaoyulphwinbdmkpv&st=va395ku5&dl=0

🔎 Step-by-Step Guide

Open Wireshark & Filter HTTP Traffic
- Launch Wireshark and load the PCAP file.
- Use display filter:
  http
Locate File Transfer Request
- Look for an HTTP GET request that points to a file.
  - Example:
    GET /evil_payload.exe HTTP/1.1 Host: malicious.talosec.lab
- Right-click the GET request → Follow → TCP Stream
Review the Stream
- Wireshark displays the full HTTP request and the server's response.
- Scroll down to the response — the raw binary content begins after HTTP headers.
Analyze the File
- Open the file in a hex editor, strings utility, or submit to VirusTotal.
- Search for string patterns like TSEC{...} or any suspicious behavior.
Submit the Flag
- Example extracted flag:
  TSEC{....}

PreviousDay 12: Wireshark – Inspecting SMB Traffic and NetBIOS Name Service NextPhishing & Email Analysis

Last updated 3 months ago

hashtag🎯 Objective

hashtag🧠 Challenge Description

hashtag🛠️ Tools Required

hashtag🧭 Steps to Solve

hashtag🔎 Step-by-Step Guide

🎯 Objective

🧠 Challenge Description

🛠️ Tools Required

🧭 Steps to Solve

🔎 Step-by-Step Guide