Advent Of Cyber 2022 (TryHackMe)

1 Introduction

[2022-12-07 Wed]

This is a write-up for the 2022 version of TryHackMe's Advent of Cyber. Join the room here.

2 Day 1 Frameworks

2.1 Puzzle 1

  1. Reconnaissance
  2. Weaponization
  3. Delivery
  4. Social Engineering
  5. Exploitation
  6. Persistence
  7. Defence Evasion
  8. Command & Control

2.2 Puzzle 2

  1. Pivoting
  2. Discovery
  3. Privilege Escalation
  4. Execution
  5. Credential Access
  6. Lateral Movement

2.3 Puzzle 3

  1. Access
  2. Collection
  3. Exfiltration
  4. Impact
  5. Objectivication

2.4 Answers

Who is the adversary that attacked Santa's network this year?

The Bandit Yeti

What's the flag that they left behind?

THM{IT'S A Y3T1 CHR1$TMA$}

3 Day 2 Log Analysis

Use the ls command to list the files present in the current directory. How many log files are present?

ls *.log | wc -l

Elf McSkidy managed to capture the logs generated by the web server. What is the name of this log file?

ls *.log

On what day was Santa's naughty and nice list stolen?

grep "santaslist.txt" webserver.log

The matching entries are dated 18 November 2022, which was a Friday.

Friday

What is the IP address of the attacker?

From the grep in the previous question, the IP is:

10.10.249.191

What is the name of the important list that the attacker stole from Santa?

Again from the grep in the previous question, the file name is:

santaslist.txt

Look through the log files for the flag. The format of the flag is: THM{}

grep THM SSDH.log
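
The grep-and-read workflow above scales poorly once you want the date, weekday and client address out of a single request. The parser below is an added example (not part of the original write-up) that does the same lookup over constructed access-log lines in the common Apache/nginx "combined" format; the sample lines, including the file name and addresses, are made up to mirror the task.

```python
# Added example: locate the request that fetched a given file in web-server
# access logs and report the client IP, calendar day and weekday.
import re
from datetime import datetime

# Constructed sample lines (not the room's webserver.log).
SAMPLE_LOG = """\
10.10.12.34 - - [18/Nov/2022:09:01:12 +0000] "GET /index.html HTTP/1.1" 200 1042 "-" "Mozilla/5.0"
10.10.249.191 - - [18/Nov/2022:12:27:05 +0000] "GET /santaslist.txt HTTP/1.1" 200 8472 "-" "curl/7.81.0"
10.10.12.34 - - [18/Nov/2022:12:30:44 +0000] "GET /gifts HTTP/1.1" 404 221 "-" "Mozilla/5.0"
"""

# ip ident user [timestamp] "METHOD path proto" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def find_downloads(log_text, filename):
    """All successful (2xx) requests whose path ends in filename."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"].rsplit("/", 1)[-1] == filename and rec["status"][0] == "2":
            hits.append(rec)
    return hits

def summarize_theft(log_text, filename="santaslist.txt"):
    """Who took the file, on which day, and how many times; None if never fetched."""
    hits = find_downloads(log_text, filename)
    if not hits:
        return None
    first = hits[0]
    return {
        "ip": first["ip"],
        "date": first["time"].strftime("%Y-%m-%d"),
        "weekday": first["time"].strftime("%A"),
        "count": len(hits),
    }
```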

4 Day 3 OSINT

What is the name of the Registrar for the domain santagift.shop?

Go to https://who.is/whois/github.com and search for santagift.shop. The name of the registrar is

NAMECHEAP.INC

Find the website's source code (repository) on github.com and open the file containing sensitive credentials. Can you find the flag?

The url to the source code of the webshop is:

https://github.com/muhammadthm/SantaGiftShop

Clone the repository and grep for THM to easily find the flag (the **/* glob recurses through subdirectories in zsh; in bash enable it first with shopt -s globstar, or use grep -r instead).

git clone https://github.com/muhammadthm/SantaGiftShop.git
cd SantaGiftShop
grep 'THM' **/*

What is the name of the file containing passwords?

grep password **/*

Among the output you'll find the answer:

config.php

What is the name of the QA server associated with the website?

grep QA **/*

Among the output you'll find the url to the QA website:

qa.santagift.shop

What is the DB_PASSWORD that is being reused between the QA and PROD environments?

grep 'DB_PASSWORD' **/*

The password is:

s@nta2022
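
Grepping for DB_PASSWORD finds the leak, but the real finding of this task is that one value is shared between QA and PROD. The scanner below is an added example (not code from the SantaGiftShop repository) that walks a snapshot of files, pulls out PHP define() calls whose key looks like a credential, and reports any value that appears in more than one file; the two config files and the secret value are constructed stand-ins.

```python
# Added example: find hard-coded credentials in a repository snapshot and
# flag values that are reused across environments.
import re

# Constructed sample files (path -> contents), standing in for the QA and
# PROD config.php files; the secret value is a placeholder.
SAMPLE_REPO = {
    "config.php": """<?php
define('DB_HOST', 'db.santagift.shop');
define('DB_USER', 'santa');
define('DB_PASSWORD', 'example-shared-secret');
""",
    "qa/config.php": """<?php
define('DB_HOST', 'qa.santagift.shop');
define('DB_USER', 'santa');
define('DB_PASSWORD', 'example-shared-secret');
""",
    "README.md": "Santa's gift shop. Passwords live in config.php, do not commit them!\n",
}

# PHP define('KEY', 'value') where KEY looks like a credential.
SECRET_RE = re.compile(
    r"define\(\s*['\"](?P<key>[A-Z_]*(?:PASSWORD|SECRET|TOKEN|KEY)[A-Z_]*)['\"]"
    r"\s*,\s*['\"](?P<val>[^'\"]*)['\"]"
)

def find_secrets(repo):
    """Return [(path, key, value)] for every hard-coded credential found."""
    return [(path, m.group("key"), m.group("val"))
            for path, text in repo.items() for m in SECRET_RE.finditer(text)]

def reused_secrets(repo):
    """Return {(key, value): [paths]} for values that appear in more than one file."""
    seen = {}
    for path, key, val in find_secrets(repo):
        seen.setdefault((key, val), set()).add(path)
    return {kv: sorted(paths) for kv, paths in seen.items() if len(paths) > 1}

if __name__ == "__main__":
    for (key, val), paths in reused_secrets(SAMPLE_REPO).items():
        print(f"{key} is shared by: {', '.join(paths)}")
```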

5 Day 4 Scanning

6 Day 5 Brute Forcing

Use Hydra to find the VNC password of the target with IP address MACHINE_IP. What is the password?

hydra -P /usr/share/wordlists/rockyou.txt MACHINE_IP vnc

Using a VNC client on the AttackBox, connect to the target of IP address MACHINE_IP. What is the flag written on the target’s screen?

When using the AttackBox, open Remmina from Applications > Internet > Remmina. Click Cancel when asked to unlock your keyring. Then select the VNC protocol in the top left corner and type MACHINE_IP in the address bar. Enter the password found in the previous question when prompted. You'll then see a screen with the flag.

THM{I_SEE_YOUR_SCREEN}

7 Day 6 Email Analysis

  1. What is the email address of the sender?

Open Urgent:.eml in any text editor.

chief.elf@santaclaus.thm

  2. What is the return address?

murphy.evident@bandityeti.thm

  3. On whose behalf was the email sent?

chief elf

  4. What is the X-spam score?

3

  5. What is hidden in the value of the Message-ID field?

Decode the Message-ID value with a base64 decoder.

AoC2022_Email_Analysis

  6. Visit the email reputation check website provided in the task. What is the reputation result of the sender's email address?

Go to https://emailrep.io/ and search for chief.elf@santaclaus.thm

Risky

  7. Check the attachments. What is the filename of the attachment?

Division_of_labour-Load_share_plan.doc

  8. What is the hash value of the attachment?

emlAnalyzer -i Urgent\:.eml --extract-all
cd eml-attachments
sha256sum Division_of_labour-Load_share_plan.doc

  9. Visit the Virus Total website and use the hash value to search. Navigate to the behaviour section. What is the second tactic marked in the Mitre ATT&CK section?

Go to https://www.virustotal.com/gui/home/upload and search for the hash found in the previous question. Navigate to the behaviour tab and look for the MITRE ATT&CK section. The second tactic is:

defense evasion

  10. Visit the InQuest website and use the hash value to search. What is the subcategory of the file?

Go to https://labs.inquest.net/ and search again for the hash found previously. Click the full page results. The subcategory is:

macro_hunter
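
Questions 1 to 8 are all answered by reading headers and hashing the attachment, which the Python standard library can do without emlAnalyzer. The script below is an added example (not the room's file or emlAnalyzer's code) run over a constructed message that has the same shape as Urgent:.eml: sender and return path differ, the Message-ID carries a base64 string, and the attachment bytes are made up, so its hash is not the one the task asks for.

```python
# Added example: extract sender, return path, spam score, the string hidden in
# Message-ID and the SHA-256 of each attachment from an .eml with the stdlib.
import base64
import hashlib
from email import message_from_bytes, policy
from email.utils import parseaddr

# Constructed message; headers mirror the Day 6 questions, content is made up.
SAMPLE_EML = b"""\
Return-Path: <murphy.evident@bandityeti.thm>
From: Chief Elf <chief.elf@santaclaus.thm>
Subject: Urgent: Division of labour
Message-ID: <QW9DMjAyMl9FbWFpbF9BbmFseXNpcw==>
X-Spam-Score: 3
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please review the attached plan.
--b1
Content-Type: application/msword; name="Division_of_labour-Load_share_plan.doc"
Content-Disposition: attachment; filename="Division_of_labour-Load_share_plan.doc"
Content-Transfer-Encoding: base64

bm90IGEgcmVhbCBkb2N1bWVudA==
--b1--
"""

def analyze_eml(raw):
    """Return the header facts and attachment hashes an analyst records first."""
    msg = message_from_bytes(raw, policy=policy.default)
    display_name, sender = parseaddr(str(msg["From"]))
    message_id = str(msg["Message-ID"]).strip("<> ")
    try:  # the task hides a string in Message-ID; a normal one will not decode
        hidden = base64.b64decode(message_id, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        hidden = None
    attachments = [  # get_content() yields the decoded bytes for binary parts
        (part.get_filename(), hashlib.sha256(part.get_content()).hexdigest())
        for part in msg.iter_attachments()
    ]
    return {
        "from": sender,
        "display_name": display_name,
        "return_path": str(msg["Return-Path"]).strip("<> "),
        "spam_score": int(str(msg["X-Spam-Score"]).strip()),
        "message_id_decoded": hidden,
        "attachments": attachments,
    }
```

A mismatch between From and Return-Path, as here, is the first thing to note when triaging a phish.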

8 Day 7 Cyberchef

Before answering any of the questions, open Firefox and click the CyberChef bookmark. Then work through all 11 steps as explained in the intro.

What is the version of CyberChef found in the attached VM?

You can find the version number in the url.

9.49.0

How many recipes were used to extract URLs from the malicious doc?

10

We found a URL that was downloading a suspicious file; what is the name of that malware?

mysterygift.exe

What is the last defanged URL of the bandityeti domain found in the last step?

hxxps[://]cdn[.]bandityeti[.]THM/files/index/

What is the ticket found in one of the domains? (Format: Domain/<GOLDEN_FLAG>)

THM_MYSTERY_FLAG
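
The last recipe step extracts the URLs and defangs them so they can be shared without being clickable. The functions below are an added example (not CyberChef's code) that reproduce the default Defang URL behaviour (http to hxxp, :// to [://], every dot to [.]) and its inverse, run over a constructed snippet of decoded macro text; the second URL is made up from the domain and file name named above.

```python
# Added example: pull URLs out of decoded text and defang/refang them the
# way CyberChef's Defang URL operation does by default.
import re

# Constructed sample: the kind of strings left after decoding a macro.
SAMPLE_TEXT = (
    'Set url = "https://cdn.bandityeti.THM/files/index/"\n'
    'Set alt = "http://cdn.bandityeti.THM/mysterygift.exe"\n'
)

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def extract_urls(text):
    """All http(s) URLs in text, in order of appearance."""
    return URL_RE.findall(text)

def defang(url):
    """http -> hxxp, :// -> [://], . -> [.] (all dots, host and path alike)."""
    out = re.sub(r"^http", "hxxp", url, flags=re.IGNORECASE)
    out = out.replace("://", "[://]", 1)
    return out.replace(".", "[.]")

def refang(url):
    """Inverse of defang(), for feeding an indicator back into a blocklist."""
    out = re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)
    out = out.replace("[://]", "://", 1)
    return out.replace("[.]", ".")

def defanged_urls(text):
    """Extract and defang every URL in text."""
    return [defang(u) for u in extract_urls(text)]
```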

9 Day 8 Smart Contracts



If something is not working, please create an issue here.