# Day 20

#### Task 26 — Traffic analysis Day 20: If you utter so much as one packet…

**1. What was the first message the payload sent to Mayor Malware's C2?**

1. Start the machine and open the pcap file in Wireshark.
2. Apply this filter — `ip.src == 10.10.229.217`
3. Click the Protocol column header to sort, so the HTTP requests are grouped together.
4. Right-click the `/initial` request line and choose Follow > HTTP Stream (or TCP Stream).

<figure><img src="https://miro.medium.com/v2/resize:fit:700/1*i5Puo-apUf-4_hx9R63wTA.png" alt=""><figcaption></figcaption></figure>

```
Ans: I am in Mayor!
```

**2. What was the IP address of the C2 server?**

Look at the same request: its destination IP is the C2 server's address.

```
Ans: 10.10.123.224
```

**3. What was the command sent by the C2 server to the target machine?**

With the same filter applied, follow the stream of the `/command` request; the command itself is in the server's response.

<figure><img src="https://miro.medium.com/v2/resize:fit:700/1*FisZ8mBMK1qAz9mcGRZAZA.png" alt=""><figcaption></figcaption></figure>

```
Ans: whoami
```

**4. What was the filename of the critical file exfiltrated by the C2 server?**

Do the same for the `/exfiltrate` request and look at the file it carries.

<figure><img src="https://miro.medium.com/v2/resize:fit:700/1*uz6pZd1-_0aMB3SDbYBqEw.png" alt=""><figcaption></figcaption></figure>

```
Ans: credentials.txt
```

**5. What secret message was sent back to the C2 in an encrypted format through beacons?**

1. Copy the key from the `/exfiltrate` request.
2. With the same filter applied, open the `/beacon` request and note down the encrypted text.
3. Open [cyberchef](https://gchq.github.io/CyberChef/), add the AES Decrypt operation to the recipe, paste the key into it, and put the encrypted text in the input pane to get the plaintext.

<figure><img src="https://miro.medium.com/v2/resize:fit:700/1*YakoEQJJfkLZLSrt5lDd-w.png" alt=""><figcaption></figcaption></figure>

<figure><img src="https://miro.medium.com/v2/resize:fit:700/1*TbvROVs8XLyM7iGqC_GyDA.png" alt=""><figcaption></figcaption></figure>

```
Ans: THM_Secret_101
```
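The five questions above are all answered by the same manual motion: filter on the victim's source IP, follow each HTTP stream, and read the request or response body. The script below is an added example (not part of the room or the original post) that does that triage over Follow-TCP-Stream style text and also measures the beacon timing a defender would alert on. The sample traffic is constructed to mirror the walkthrough: the IPs, endpoints, first message, command and filename are the ones on this page, while the key, the ciphertext and the form-encoded shape of the `/exfiltrate` body are placeholders and assumptions. The AES decryption itself is left to CyberChef as in the walkthrough; the script only hands you the key and ciphertext to paste there.

```python
"""Triage an HTTP C2 conversation from Follow-TCP-Stream style text.

Added example for this writeup, not code from the room. SAMPLE_STREAMS is
CONSTRUCTED; key, ciphertext and the /exfiltrate body format are placeholders.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs

# (time_s, src_ip, dst_ip, client->server text, server->client text)
Stream = Tuple[float, str, str, str, str]


@dataclass
class HttpMessage:
    start_line: str                       # request line or status line
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""

    @property
    def path(self) -> str:
        """Request target of e.g. 'POST /initial HTTP/1.1'."""
        parts = self.start_line.split(" ")
        return parts[1] if len(parts) >= 2 else ""


def parse_http(raw: str) -> HttpMessage:
    """Split one direction of a stream into start line, headers and body.

    Header names are lower-cased; the body is everything after the first
    blank line, trimmed to Content-Length when that header is present."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    msg = HttpMessage(start_line=lines[0])
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name:
            msg.headers[name.strip().lower()] = value.strip()
    if "content-length" in msg.headers:
        body = body[: int(msg.headers["content-length"])]
    msg.body = body
    return msg


def _req(path: str, body: str, host: str) -> str:
    return f"POST {path} HTTP/1.1\r\nHost: {host}\r\nContent-Length: {len(body)}\r\n\r\n{body}"


def _resp(body: str) -> str:
    return f"HTTP/1.1 200 OK\r\nContent-Length: {len(body)}\r\n\r\n{body}"


VICTIM, C2 = "10.10.229.217", "10.10.123.224"
PLACEHOLDER_KEY = "PLACEHOLDER_KEY_FROM_EXFILTRATE"       # not the real key
PLACEHOLDER_CT = "PLACEHOLDER_BASE64_CIPHERTEXT"          # not the real beacon
SAMPLE_STREAMS: List[Stream] = [                          # constructed traffic
    (0.0, VICTIM, C2, _req("/initial", "I am in Mayor!", C2), _resp("OK")),
    (1.2, VICTIM, C2, _req("/command", "", C2), _resp("whoami")),
    (2.5, VICTIM, C2, _req("/exfiltrate",
                            f"filename=credentials.txt&key={PLACEHOLDER_KEY}", C2), _resp("OK")),
    (3.0, "10.10.5.5", C2, _req("/beacon", "other-host", C2), _resp("OK")),  # dropped by filter
    (10.0, VICTIM, C2, _req("/beacon", PLACEHOLDER_CT, C2), _resp("OK")),
    (20.1, VICTIM, C2, _req("/beacon", PLACEHOLDER_CT, C2), _resp("OK")),
    (29.9, VICTIM, C2, _req("/beacon", PLACEHOLDER_CT, C2), _resp("OK")),
]


def streams_from(src_ip: str, streams: List[Stream]) -> List[Stream]:
    """Equivalent of the Wireshark filter ip.src == <victim>, in time order."""
    return sorted((s for s in streams if s[1] == src_ip), key=lambda s: s[0])


def triage(streams: List[Stream], victim_ip: str) -> Dict[str, object]:
    """Answer the room's five questions from the parsed streams."""
    out: Dict[str, object] = {"c2_ip": None, "first_message": None, "command": None,
                              "exfil_file": None, "key": None, "beacon_ciphertexts": []}
    for _, _, dst, c2s, s2c in streams_from(victim_ip, streams):
        req, resp = parse_http(c2s), parse_http(s2c)
        if req.path == "/initial" and out["c2_ip"] is None:
            out["c2_ip"], out["first_message"] = dst, req.body
        elif req.path == "/command":
            out["command"] = resp.body            # the task travels in the server's reply
        elif req.path == "/exfiltrate":
            fields = parse_qs(req.body)           # assumed form-encoded body (constructed)
            out["exfil_file"] = fields.get("filename", [None])[0]
            out["key"] = fields.get("key", [None])[0]
        elif req.path == "/beacon":
            out["beacon_ciphertexts"].append(req.body)
    return out


def beacon_intervals(streams: List[Stream], victim_ip: str, path: str = "/beacon") -> List[float]:
    """Seconds between successive beacons; near-constant gaps are the
    detection hint that a host is checking in on a timer."""
    times = [t for t, _, _, c2s, _ in streams_from(victim_ip, streams)
             if parse_http(c2s).path == path]
    return [round(b - a, 1) for a, b in zip(times, times[1:])]


if __name__ == "__main__":
    for k, v in triage(SAMPLE_STREAMS, VICTIM).items():
        print(f"{k:>18}: {v}")
    print("beacon intervals (s):", beacon_intervals(SAMPLE_STREAMS, VICTIM))
```

To run this against the real capture you would export the streams (Wireshark's Follow > TCP Stream, or `tshark` with `-z follow`) into the same `(time, src, dst, request, response)` shape; the `key` and `beacon_ciphertexts` fields are then exactly what steps 1 and 2 of question 5 have you paste into CyberChef. The interval list is the piece a SOC would act on: the walkthrough shows the beacons as individual requests, but the regular spacing between them is what distinguishes a check-in loop from ordinary browsing.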
