trinetra · cyber defense · learn
Tutorials · Lab 02 · Networking and packet analysis · Module overview (02 / 10)

You finished Lab 02. Here's what stuck.

A quick recap of the moves you just used on the network — keep them handy. The next lab uses the same "follow the trail" mindset, this time on hidden clues tucked inside the internet's address system.

Module complete · networking-packet-analysis

You opened the recording, cleared away the noise, followed the suspicious conversation, and pulled out a clean address-and-door fingerprint of the attack. A network recording isn't just a file anymore — it's a story you now know how to read.

XP earned · +200 XP
Difficulty · Beginner
Time spent · ~30 min
Track · Info
Recap · the five moves, keep them close
  1. A recording captures everything. Open it and you see every message a computer sent or received on the network. Most of it is noise; the case lives in a single conversation.
  2. Zoom in on the one conversation that matters. A filter squeezes 120 messages down to 3 conversations. Two look like normal web browsing. One reaches a door no normal program should be using: tcp.flags.syn==1, then tcp.stream eq N.
  3. Replay the conversation to read what was said. tshark -qz follow,tcp,ascii,N glues both sides back into one readable chat. The very first line is /bin/bash -i, a command that hands over control. Now there's no doubt.
  4. Pull out the two facts. Throw away everything except who sent it, who got it, and which door. The same attacker address and door show up on every message in the conversation; that pair is your fingerprint of the attack.
  5. The flag is the fingerprint. In a real security team, that fingerprint goes into the report so everyone can watch for the attacker. Here it becomes the flag: same job, same proof, lower stakes.
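The five moves, run end to end in code. This is an added example, not the lab's own material or tooling: instead of tshark it carries a minimal pcap, IPv4 and TCP parser, builds a small capture inline (three conversations, addresses from the RFC 5737 documentation ranges, and a constructed "odd door" of 4444, none of which come from the lab), filters for SYN-opened streams, follows the one that does not go to a web port, checks that its first line is /bin/bash -i, and pulls out the address-and-door pair, verifying that the pair is present on every packet of the stream. It assumes the "door" in the recap is the destination port of the SYN that opened the conversation.

```python
"""Added example, not part of the lab: the five recap moves run end to end over a
constructed pcap, with a minimal pcap/IPv4/TCP parser so it needs no tshark."""
import struct
from collections import defaultdict

TCP_SYN, TCP_PSH, TCP_ACK = 0x02, 0x08, 0x10

def _ip4(addr):
    return bytes(int(o) for o in addr.split("."))

def build_frame(src, dst, sport, dport, flags, payload=b""):
    """Ethernet + IPv4 + TCP frame. Checksums are left zero; the parser ignores them."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     _ip4(src), _ip4(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def build_pcap(frames):
    """Classic little-endian pcap: 24-byte file header, then a 16-byte record header per frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame
    return out

def parse_pcap(data):
    """Move 1, open the recording: yield (src, dst, sport, dport, flags, payload) per TCP packet."""
    if struct.unpack("<I", data[:4])[0] != 0xA1B2C3D4:
        raise ValueError("only little-endian classic pcap is handled here")
    off = 24
    while off < len(data):
        caplen = struct.unpack("<IIII", data[off:off + 16])[2]
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if frame[12:14] != b"\x08\x00":
            continue                      # not IPv4
        ihl = (frame[14] & 0x0F) * 4
        ip = frame[14:14 + ihl]
        if ip[9] != 6:
            continue                      # not TCP
        tcp = frame[14 + ihl:]
        sport, dport = struct.unpack("!HH", tcp[:4])
        data_off = (tcp[12] >> 4) * 4
        yield (".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20])),
               sport, dport, tcp[13], tcp[data_off:])

def conversations(packets):
    """Move 2: group both directions of a 4-tuple into one stream, like tshark's tcp.stream."""
    streams = defaultdict(list)
    for p in packets:
        streams[tuple(sorted([(p[0], p[2]), (p[1], p[3])]))].append(p)
    return streams

def follow(stream):
    """Move 3: glue both sides' payloads back together in capture order (follow,tcp,ascii)."""
    return b"".join(p[5] for p in stream).decode("ascii", "replace")

def fingerprint(stream):
    """Move 4: the (address, door) pair the connection reached, checked on every packet."""
    syn = next(p for p in stream if p[4] & TCP_SYN and not p[4] & TCP_ACK)
    pair = (syn[1], syn[3])
    for src, dst, sport, dport, *_ in stream:
        if pair not in ((src, sport), (dst, dport)):
            raise ValueError("stream mixes endpoints; fingerprint would be unreliable")
    return pair

def find_suspect(pcap_bytes, normal_doors=(80, 443)):
    """Moves 1-5: the SYN-opened stream to a door outside normal_doors whose first
    line is '/bin/bash -i', returned as (fingerprint, transcript), or None."""
    for pkts in conversations(parse_pcap(pcap_bytes)).values():
        syns = [p for p in pkts if p[4] & TCP_SYN and not p[4] & TCP_ACK]
        if not syns or syns[0][3] in normal_doors:
            continue
        lines = follow(pkts).splitlines()
        if lines and lines[0].strip() == "/bin/bash -i":
            return fingerprint(pkts), "\n".join(lines)
    return None

def sample_capture():
    """Constructed capture (not the lab's): two ordinary web chats and one suspicious stream.
    Addresses are from the RFC 5737 documentation ranges; door 4444 is an assumed value."""
    client, web, remote = "192.0.2.10", "198.51.100.20", "203.0.113.7"
    frames = []
    for sport in (51000, 51001):
        frames += [build_frame(client, web, sport, 80, TCP_SYN),
                   build_frame(web, client, 80, sport, TCP_SYN | TCP_ACK),
                   build_frame(client, web, sport, 80, TCP_ACK | TCP_PSH, b"GET / HTTP/1.1\r\n")]
    frames += [build_frame(client, remote, 52000, 4444, TCP_SYN),
               build_frame(remote, client, 4444, 52000, TCP_SYN | TCP_ACK),
               build_frame(remote, client, 4444, 52000, TCP_ACK | TCP_PSH, b"/bin/bash -i\n"),
               build_frame(client, remote, 52000, 4444, TCP_ACK | TCP_PSH, b"bash-5.1$ \n")]
    return build_pcap(frames)

if __name__ == "__main__":
    pair, transcript = find_suspect(sample_capture())
    print("fingerprint:", pair)        # ('203.0.113.7', 4444)
    print(transcript)
```

Write the bytes from sample_capture() to a file and the same recap commands apply to it in tshark: the display filter from move 2 with -Y, and -qz follow,tcp,ascii,N from move 3. The endpoint check in fingerprint is the part worth keeping in a real report: a pair that does not hold on every packet of the stream is not a fingerprint yet.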
Next module

Lab 03 · DNS TXT Chain Reconnaissance

Follow a trail of scrambled clues hidden in the internet's address system — each one points to the next. Dodge the fake, follow the trail, and find the prize at the end. Same "decode, jump, double-check" mindset, a different part of the network.
