
THM | AoC 2024 | Day 01-08


Summary:

Covers the first through the eighth day of the Advent of Cyber event on the TryHackMe website.


General

Disclaimer: Please note that this write-up is NOT intended to replace the original room or its content, but rather to serve as supplementary material for those who are stuck and need additional guidance. This walkthrough provides one (of the many) possible solutions to the challenges, without revealing any flags or passwords directly.

Day-01

Title | Maybe SOC-mas music, he thought, doesn't come from a store?

The Story

McSkidy tapped keys with a confident grin,
A suspicious website, now where to begin?
She'd seen sites like this, full of code and of grime,
Shady domains, and breadcrumbs easy to find.

Learning Objectives

  • Learn how to investigate malicious link files.
  • Learn about OPSEC and OPSEC mistakes.
  • Understand how to track and attribute digital identities in cyber investigations.

Questions & Answers

Question-1: Looks like the song.mp3 file is not what we expected! Run "exiftool song.mp3" in your terminal to find out the author of the song. Who is the author?

Tyler Ramsbey

Question-2: The malicious PowerShell script sends stolen info to a C2 server. What is the URL of this C2 server?

http://papash3ll.thm/data

Question-3: Who is M.M? Maybe his GitHub profile page would provide clues?

Mayor Malware

Question-4: What is the number of commits on the GitHub repo where the issue was raised?

1

Question-5: If you enjoyed this task, feel free to check out the OPSEC room!

No answer needed

Question-6: What's with all these GitHub repos? Could they hide something else?

No answer needed

Day-02

Title | One man's false positive is another man's potpourri.

Questions & Answers

Question-1: What is the name of the account causing all the failed login attempts?

service_admin

Question-2: How many failed logon attempts were observed?

6791

Question-3: What is the IP address of Glitch?

10.0.255.1

Question-4: When did Glitch successfully logon to ADM-01? Format: MMM D, YYYY HH:MM:SS.SSS

Dec 1, 2024 08:54:39.000

Question-5: What is the decoded command executed by Glitch to fix the systems of Wareville?

Install-WindowsUpdate -AcceptAll -AutoReboot

Question-6: If you enjoyed this task, feel free to check out the Investigating with ELK 101 room.

No answer needed

Day-03

Title | Even if I wanted to go, their vulnerabilities wouldn't allow it.

Learning Objectives

  • Learn about log analysis and tools like ELK.
  • Learn about KQL and how it can be used to investigate logs using ELK.
  • Learn about RCE (Remote Code Execution), and how this can be done via insecure file upload.

Questions & Answers

Question-1 | BLUE: Where was the web shell uploaded to?

  • Answer format: /directory/directory/directory/filename.php

/media/images/rooms/shell.php

Question-2 | BLUE: What IP address accessed the web shell?

10.11.83.34

Question-3 | RED: What are the contents of the flag.txt?

<flag>

Question-4: If you liked today's task, you can learn how to harness the power of advanced ELK queries.

No answer needed

Day-04

Title | I’m all atomic inside!

Learning Objectives

  • Learn how to identify malicious techniques using the MITRE ATT&CK framework.
  • Learn about how to use Atomic Red Team tests to conduct attack simulations.
  • Understand how to create alerting and detection rules from the attack tests.

Questions & Answers

Question-1: What was the flag found in the .txt file that is found in the same directory as the PhishingAttachment.xslm artefact?

<flag>

Question-2: What ATT&CK technique ID would be our point of interest?

T1059

Question-3: What ATT&CK subtechnique ID focuses on the Windows Command Shell?

T1059.003

Question-4: What is the name of the Atomic Test to be simulated?

Simulate BlackByte Ransomware Print Bombing

Question-5: What is the name of the file used in the test?

Wareville_Ransomware.txt

Question-6: What is the flag found from this Atomic Test?

<flag>

Question-7: Learn more about the Atomic Red Team via the linked room.

No answer needed

Day-05

Title | SOC-mas XX-what-ee?

Learning Objectives

  • Understand the basic concepts related to XML
  • Explore XML External Entity (XXE) and its components
  • Learn how to exploit the vulnerability
  • Understand remediation measures

Questions & Answers

Question-1: What is the flag discovered after navigating through the wishes?

<flag>

Question-2: What is the flag seen on the possible proof of sabotage?

<flag>

Question-3: If you want to learn more about the XXE injection attack, check out the XXE room!

No answer needed

Question-4: Following McSkidy's advice, Software recently hardened the server. It used to have many unneeded open ports, but not anymore. Not that this matters in any way.

No answer needed

Day-06

Title | If I can't find a nice malware to use, I'm not going.

Learning Objectives

  • Analyze malware behaviour using sandbox tools.
  • Explore how to use YARA rules to detect malicious patterns.
  • Learn about various malware evasion techniques.
  • Implement an evasion technique to bypass YARA rule detection.

Questions & Answers

Question-1: What is the flag displayed in the popup window after the EDR detects the malware?

<flag>

Question-2: What is the flag found in the malstrings.txt document after running floss.exe, and opening the file in a text editor?

<flag>

Question-3: If you want to learn more about sandboxes, have a look at the room FlareVM: Arsenal of Tools.

No answer needed

Day-07

Title | Oh, no. I'M SPEAKING IN CLOUDTRAIL!

Questions & Answers

Question-1: What is the other activity made by the user glitch aside from the ListObject action?

PutObject

Question-2: What is the source IP related to the S3 bucket activities of the user glitch?

53.94.201.69

Question-3: Based on the eventSource field, what AWS service generates the ConsoleLogin event?

signin.amazonaws.com

Question-4: When did the anomalous user trigger the ConsoleLogin event?

2024-11-28T15:21:54Z

Question-5: What was the name of the user that was created by the mcskidy user?

glitch

Question-6: What type of access was assigned to the anomalous user?

AdministratorAccess

Question-7: Which IP does Mayor Malware typically use to log into AWS?

53.94.201.69

Question-8: What is McSkidy's actual IP address?

31.210.15.79

Question-9: What is the bank account number owned by Mayor Malware?

2394 6912 7723 1294

Question-10: Want to learn more about log analysis and how to interpret logs from different sources? Check out the Log Universe room!

No answer needed

Day-08

Title | Shellcodes of the world, unite!

Learning Objectives

  • Grasp the fundamentals of writing shellcode
  • Generate shellcode for reverse shells
  • Execute shellcode with PowerShell

Questions & Answers

Question-1: What is the flag value once Glitch gets a reverse shell on the digital vault using port 4444?

  • Note: The flag may take around a minute to appear in the C:\Users\glitch\Desktop directory. You can view the content of the flag by using the command type C:\Users\glitch\Desktop\flag.txt.

<flag>

Question-2: Are you interested in learning more about evasion? Take a look at the AV Evasion: Shellcode room.

No answer needed