TryHackme Advent of Cyber 2023 — Day 17 Notes

URL: https://tryhackme.com/room/adventofcyber2023#

It is worth remembering the following protocol numbers to help with filtering later:
ICMP = 1, IPv4 = 4, TCP = 6, and UDP = 17

Task 1: Which version of SiLK is installed on the VM?

The challenge already provides the commands, so let's use:
$ silk_config -v

$ rwfileinfo suspicious-flows.silk

If you would like a quicker way of getting the information, I used the following:
$ rwfileinfo suspicious-flows.silk | egrep -i "version|count"

Task 2: What is the size of the flows in the count records?

So with the above command we have been able to answer Tasks 1 and 2.

Task 3: What is the start time (sTime) of the sixth record in the file?

We can use the rwcut command provided, with a couple of pipes added to pick out the sixth record (--no-titles drops the header line so that head -6 | tail -1 really is record six):
$ rwcut --fields=sTime --num-recs=10 --no-titles suspicious-flows.silk | head -6 | tail -1

Task 4: What is the destination port of the sixth UDP record?

In this task we pipe rwfilter into rwcut, making sure we select protocol 17, which is UDP (again with --no-titles so the sixth line is the sixth record):
$ rwfilter suspicious-flows.silk --proto=17 --pass=stdout | rwcut --num-recs=10 --no-titles | head -6 | tail -1

Task 5: What is the record value (%) of dPort 53?

Using rwstats with the following fields and values, we can read the percentage off the %Records column:
$ rwstats suspicious-flows.silk --fields=dPort --values=records,packets,bytes,sIP-Distinct,dIP-Distinct --count=3

Task 6: What is the number of bytes transmitted by the top talker on the network?

Task 7: What is the sTime value of the first DNS record going to port 53?

Task 8: What is the IP address of the host that the C2 potentially controls? (In defanged format: 123[.]456[.]789[.]0)

So we can find the IP address, but then we need to amend it to the defanged format, 175[.]175[.]173[.]221.

Task 9: Which IP address is suspected to be the flood attacker? (In defanged format: 123[.]456[.]789[.]0)

The IP for this task, which I have highlighted in green, is 175[.]175[.]173[.]223.

Task 10: What is the sent SYN packet's number of records?

To get the number of records we use the following:
$ rwstats suspicious-flows.silk --fields=sIP,dIP --values=records,bytes,packets --count=10
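As an added example (not from the room or from the SiLK project), here is a small Python script that reproduces what rwstats is doing in Tasks 5, 6 and 10 over rwcut's text output, plus the defanging used in Tasks 8 and 9. It assumes the text came from rwcut --delimited=| with the fields shown in the header line; the flow rows are constructed, not taken from suspicious-flows.silk.

```python
# Added example, not from the room or SiLK: rwstats-style counts over rwcut
# text. Assumes rwcut --delimited=| with the fields below; rows are constructed.
from collections import Counter

SAMPLE = """\
sIP|dIP|sPort|dPort|pro|packets|bytes|flags|sTime
10.0.0.5|175.175.173.221|51515|53|17|1|76||2023/12/17T10:00:01.000
10.0.0.6|175.175.173.221|51516|53|17|1|80||2023/12/17T10:00:02.000
10.0.0.7|10.0.0.9|40000|80|6|5|3000|FS PA|2023/12/17T10:00:03.000
175.175.173.223|10.0.0.9|1025|80|6|1|40|S|2023/12/17T10:00:04.000
175.175.173.223|10.0.0.9|1026|443|6|1|40|S|2023/12/17T10:00:05.000
"""

def parse_rwcut(text):
    """Turn rwcut's pipe-delimited output into a list of dicts, one per flow."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = [h.strip() for h in lines[0].split("|")]
    rows = []
    for line in lines[1:]:
        rec = dict(zip(header, (v.strip() for v in line.split("|"))))
        for key in ("sPort", "dPort", "pro", "packets", "bytes"):
            rec[key] = int(rec[key])
        rows.append(rec)
    return rows

def record_share(rows, field, value):
    """%Records column of rwstats for one key, e.g. share of flows with dPort 53."""
    hits = sum(1 for r in rows if r[field] == value)
    return 100.0 * hits / len(rows) if rows else 0.0

def top_talker(rows):
    """(sIP, bytes) for the source that sent the most bytes (rwstats --fields=sIP --values=bytes)."""
    totals = Counter()
    for r in rows:
        totals[r["sIP"]] += r["bytes"]
    return totals.most_common(1)[0]

def syn_only_records(rows):
    """Count TCP flows whose only flag is SYN; many tiny ones from one source is the flood pattern."""
    return sum(1 for r in rows if r["pro"] == 6 and r["flags"] == "S")

def defang(ip):
    """Write an address as 123[.]456[.]789[.]0 so it cannot be clicked by accident."""
    return ip.replace(".", "[.]")

if __name__ == "__main__":
    flows = parse_rwcut(SAMPLE)
    print(f"dPort 53 share: {record_share(flows, 'dPort', 53):.2f}%")
    ip, nbytes = top_talker(flows)
    print(f"top talker: {defang(ip)} sent {nbytes} bytes")
    print(f"SYN-only records: {syn_only_records(flows)}")
```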
