> For the complete documentation index, see [llms.txt](https://crypt0nite.gitbook.io/writeups/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://crypt0nite.gitbook.io/writeups/ctfs/hacktoberctf/traffic-analysis/an-evil-christmas-carol-1-and-2.md).

# An Evil Christmas Carol 1 and 2

#### Link to file:&#x20;

```
File: https://tinyurl.com/y259doyq
Password: hacktober
```

### An Evil Christmas Carol 1:&#x20;

#### Briefing:&#x20;

```
A malicious dll was downloaded over http in this traffic, what was the ip address that delivered this file?
```

Like the others, you can just filter for `http` traffic and get the flag:&#x20;

![](/files/-MKHnIygnUFBvV68YugC)

`flag{205.185.125.104}`&#x20;

### An Evil Christmas Carol 2:&#x20;

#### Briefing:&#x20;

```
What is the domain used by the post-infection traffic over HTTPS?
Use the file from An Evil Christmas Carol.
```

We're looking for a domain, so it must be a `dns` query. Therefore filtering for DNS traffic and specifying the ip (`10.0.0.163` as this is the infected client from part 1, and the infected client must've made the query) we can get the flag-&#x20;

![](/files/-MKHoQj2-aoIJwcqO49b)

`flag{vlcafxbdjtlvlcduwhga.com}`&#x20;

By das
