
THM | AoC 2024 | Day 17-24


Summary:

From the seventeenth day until the twenty-fourth day of the Advent of Cyber event on the TryHackMe website.


General

Disclaimer: Please note that this write-up is NOT intended to replace the original room or its content, but rather to serve as supplementary material for those who are stuck and need additional guidance. This walkthrough provides one (of many) possible solutions to the challenges, without revealing any flags or passwords directly.

Day-17

Title | He analyzed and analyzed till his analyzer was sore!

Learning Objectives

  • Learn how to extract custom fields in Splunk
  • Learn to create a parser for custom logs
  • Filter and narrow down search results using the Search Processing Language (SPL)
  • Learn how to investigate an incident in Splunk

Questions & Answers

Question-1: Extract all the events from the cctv_feed logs. How many logs were captured associated with the successful login?

642

Question-2: What is the Session_id associated with the attacker who deleted the recording?

rij5uu4gt204q0d3eb7jj86okt

Question-3: What is the name of the attacker found in the logs, who deleted the CCTV footage?

mmalware

Question-4: Check out the Splunk: Data Manipulation room to learn more about parsing and manipulating data in Splunk.

No answer needed

Question-5: Good thing we had a backup of the CCTV application from yesterday. We got it running again in no time!

No answer needed
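As an added example (not part of the room or of this write-up), here is the parsing step from today's learning objectives done in Python: a regex with named groups plays the role of a Splunk `rex` field extraction over a pipe-delimited CCTV log, and the three questions above become filters over the extracted fields. The log layout, user names, addresses and session IDs are constructed for the example and are not the room's cctv_feed data; the SPL in the comments is the equivalent Splunk search.

```python
import re
from collections import Counter

# Constructed sample of a custom, pipe-delimited CCTV application log. The field
# layout is an assumption for this example; it is not the room's cctv_feed data.
SAMPLE_LOG = """\
17/12/2024 10:01:22 | web | Login | Success | alice | 10.0.0.5 | s1a2b3
17/12/2024 10:01:40 | web | Login | Failed | bob | 10.0.0.6 | k9z8y7
17/12/2024 10:02:05 | web | Login | Success | bob | 10.0.0.6 | k9z8y7
17/12/2024 10:03:11 | web | ViewFeed | Success | alice | 10.0.0.5 | s1a2b3
17/12/2024 10:04:59 | web | Login | Success | eve | 10.0.0.66 | q7w8e9
17/12/2024 10:05:30 | web | DeleteRecording | Success | - | 10.0.0.66 | q7w8e9
17/12/2024 10:06:02 | web | Logout | Success | alice | 10.0.0.5 | s1a2b3
"""

# Named groups are the field names. The same extraction in SPL would be:
#   index=cctv_feed
#   | rex field=_raw "^(?<ts>\S+ \S+) \| (?<component>\w+) \| (?<event>\w+) \|
#                     (?<status>\w+) \| (?<user>\S+) \| (?<src_ip>\S+) \| (?<session_id>\w+)$"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<component>\w+) \| (?P<event>\w+) \| (?P<status>\w+) \| "
    r"(?P<user>\S+) \| (?P<src_ip>\d{1,3}(?:\.\d{1,3}){3}) \| (?P<session_id>\w+)$"
)


def parse_log(raw: str) -> list:
    """Turn raw lines into field dictionaries. Unlike Splunk, which silently leaves
    unmatched fields empty, this fails loudly so a bad regex is noticed at once."""
    events = []
    for lineno, line in enumerate(raw.splitlines(), start=1):
        if not line.strip():
            continue
        match = LINE_RE.match(line)
        if match is None:
            raise ValueError(f"line {lineno} did not match the parser: {line!r}")
        events.append(match.groupdict())
    return events


def count_successful_logins(events: list) -> int:
    # SPL: ... | search event=Login status=Success | stats count
    return sum(1 for e in events if e["event"] == "Login" and e["status"] == "Success")


def sessions_for_event(events: list, event_name: str) -> list:
    # SPL: ... | search event=DeleteRecording | stats values(session_id)
    return sorted({e["session_id"] for e in events if e["event"] == event_name})


def users_for_session(events: list, session_id: str) -> list:
    # Pivot from the session back to the account that authenticated it
    # (the deletion itself was logged without a user name).
    # SPL: ... | search session_id=<id> | stats values(user)
    return sorted({e["user"] for e in events
                   if e["session_id"] == session_id and e["user"] != "-"})


def event_summary(events: list) -> Counter:
    # SPL: ... | stats count by event, status
    return Counter((e["event"], e["status"]) for e in events)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("successful logins:", count_successful_logins(evs))
    for sid in sessions_for_event(evs, "DeleteRecording"):
        print(f"DeleteRecording by session {sid}, user(s) {users_for_session(evs, sid)}")
    print(event_summary(evs))
```

The investigation flow is the same as in the room: count the authenticated sessions, find the session that issued the destructive action, then pivot on that session ID to recover the account behind it.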

Day-18

Title | I could use a little AI interaction!

Learning Objectives

  • Gain a fundamental understanding of how AI chatbots work
  • Learn some vulnerabilities faced by AI chatbots
  • Practice a prompt injection attack on WareWise, Wareville's AI-powered assistant

Questions & Answers

Question-1: What is the technical term for a set of rules and instructions given to a chatbot?

system prompt

Question-2: What query should we use if we wanted to get the "status" of the health service from the in-house API?

Use the health service with the query: status

Question-3: Perform a prompt injection attack that leads to a reverse shell on the target machine.

No answer needed

Question-4: After achieving a reverse shell, look around for a flag.txt. What is the value?

<flag>

Question-5: If you liked today's task, you can practice your skills by prompt injecting "Van Chatty" (Day 1) of Advent of Cyber 2023.

No answer needed
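An added example of the failure class behind Questions 2 and 3, written for this post and not taken from the room: an assistant that turns a request into a tool call of the form "Use the health service with the query: status" and a backend that executes it. The service names, binary paths, and the assumption that the unsafe backend concatenates the query into a shell command are all invented for illustration. The point is that the model's output is attacker-influenced text (the prompt injection lands in it) and has to be validated like any other untrusted input.

```python
import re
import subprocess
from typing import Optional

# Hypothetical in-house services the assistant may call. Names and paths are
# assumptions for this example, not WareWise's real API.
SERVICES = {
    "health": "/usr/local/bin/healthctl",
    "inventory": "/usr/local/bin/invctl",
}
# Per-service allowlist of the only queries the backend will ever execute.
ALLOWED_QUERIES = {
    "health": {"status", "version"},
    "inventory": {"count", "list"},
}

# The assistant's tool-call convention, modelled on the room's own phrasing
# "Use the health service with the query: status".
CALL_RE = re.compile(
    r"Use the (?P<service>\w+) service with the query: (?P<query>.+)", re.IGNORECASE
)


def extract_call(model_output: str) -> Optional[tuple]:
    """Pull (service, query) out of the model's text. Whatever the user injected
    into the prompt can end up verbatim in `query`, so nothing here is trusted."""
    m = CALL_RE.search(model_output)
    return (m["service"].lower(), m["query"].strip()) if m else None


def vulnerable_command(service: str, query: str) -> str:
    """What an unsafe bridge would hand to `sh -c`: the model-controlled query is
    concatenated into a shell string, so a `;` or `|` that survived the prompt
    becomes a second command. Returned as a string here instead of executed."""
    return f"{SERVICES[service]} {query}"


class RejectedQuery(ValueError):
    pass


def hardened_argv(service: str, query: str) -> list:
    """Validate the model's output against the allowlist and build an argv list.
    The query is one argument, never shell syntax, and only known values pass."""
    if service not in SERVICES:
        raise RejectedQuery(f"unknown service {service!r}")
    if query not in ALLOWED_QUERIES[service]:
        raise RejectedQuery(f"query {query!r} is not permitted for {service!r}")
    return [SERVICES[service], query]


def run_hardened(service: str, query: str) -> subprocess.CompletedProcess:
    # shell=False (the default): argv goes straight to execve, no shell parsing.
    return subprocess.run(hardened_argv(service, query),
                          capture_output=True, text=True, check=False)


if __name__ == "__main__":
    # Constructed assistant output after a successful injection: the user asked
    # the bot to run "status; id" and the model echoed it as a tool call.
    injected = "Sure. Use the health service with the query: status; id"
    service, query = extract_call(injected)
    print("unsafe bridge would run :", vulnerable_command(service, query))
    try:
        hardened_argv(service, query)
    except RejectedQuery as exc:
        print("hardened bridge refused :", exc)
```

The allowlist, not escaping, is what makes the hardened version safe: quoting the query would still let the model pick any argument the service binary accepts, whereas restricting it to the handful of known queries bounds what a successful prompt injection can reach.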

Day-19

Title | I merely noticed that you’re improperly stored, my dear secret!

Learning Objectives

  • Understand how to interact with an executable's API.
  • Intercept and modify internal APIs using Frida.
  • Hack a game with the help of Frida.

Questions & Answers

Question-1: What is the OTP flag?

<flag>

Question-2: What is the billionaire item flag?

<flag>

Question-3: What is the biometric flag?

<flag>

Question-4: If you liked today's task, you can practice your skills with "Memories of Christmas Past" from Advent of Cyber 2023.

No answer needed

Question-5: The second penguin gave pretty solid advice. Maybe you should listen to him more.

No answer needed

Day-20

Title | If you utter so much as one packet…

Learning Objectives

  • Investigate network traffic using Wireshark
  • Identify indicators of compromise (IOCs) in captured network traffic
  • Understand how C2 servers operate and communicate with compromised systems

Questions & Answers

Question-1: What was the first message the payload sent to Mayor Malware’s C2?

I am in Mayor!

Question-2: What was the IP address of the C2 server?

10.10.123.224

Question-3: What was the command sent by the C2 server to the target machine?

whoami

Question-4: What was the filename of the critical file exfiltrated by the C2 server?

credentials.txt

Question-5: What secret message was sent back to the C2 in an encrypted format through beacons?

<secret-message>

Question-6: Learn more about Wireshark in our Wireshark: Traffic Analysis room.

No answer needed
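One way to spot a C2 channel from traffic metadata alone, added here as an example and not taken from the room: beacons check in on a timer, so connections from the victim to the C2 have nearly constant inter-arrival times, while a person browsing does not. The connection records below are constructed (TEST-NET addresses, invented ports and sleep jitter); the usage note shows how to pull real ones out of a capture.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed connection records (timestamp, src, dst, dst_port), the kind of list
# Wireshark's Statistics > Conversations or a Zeek conn.log gives you. Not the
# room's capture; hosts, ports and jitter are invented for this example.
BASE = datetime(2024, 12, 20, 9, 0, 0)
JITTER = [0, 2, -1, 3, 0, -2, 1, 2, -1, 0, 3, -2]  # seconds of sleep jitter, constructed

# An implant calling home roughly once a minute.
BEACONS = [
    (BASE + timedelta(seconds=60 * i + JITTER[i]), "10.0.0.5", "192.0.2.10", 8080)
    for i in range(len(JITTER))
]
# The same host browsing a normal site at irregular times.
BROWSING = [
    (BASE + timedelta(seconds=off), "10.0.0.5", "192.0.2.20", 443)
    for off in (5, 9, 130, 131, 400, 1020, 1500)
]
FLOWS = BEACONS + BROWSING


def beacon_candidates(flows, min_count=6, max_cv=0.15):
    """Group connections by (src, dst, port) and flag groups whose inter-arrival
    times are nearly constant. cv = stdev/mean of the gaps: a person browsing
    produces a cv near or above 1, a sleep-with-jitter beacon sits close to 0."""
    groups = defaultdict(list)
    for ts, src, dst, dport in flows:
        groups[(src, dst, dport)].append(ts)

    hits = []
    for key, times in groups.items():
        if len(times) < min_count:
            continue  # too few samples to call anything periodic
        times.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        mean = statistics.fmean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            hits.append({"conversation": key, "connections": len(times),
                         "mean_interval_s": round(mean, 1), "cv": round(cv, 3)})
    return sorted(hits, key=lambda h: h["cv"])


if __name__ == "__main__":
    for hit in beacon_candidates(FLOWS):
        src, dst, port = hit["conversation"]
        print(f"{src} -> {dst}:{port} every ~{hit['mean_interval_s']}s "
              f"({hit['connections']} connections, cv={hit['cv']})")
```

To feed real data in, export one row per new TCP connection from the capture, for example `tshark -r capture.pcap -Y 'tcp.flags.syn==1 && tcp.flags.ack==0' -T fields -e frame.time_epoch -e ip.src -e ip.dst -e tcp.dstport`, and convert the epoch column with `datetime.fromtimestamp`. Once a candidate pair is flagged, `ip.addr==<c2> && tcp.port==<port>` in Wireshark and Follow TCP Stream gets you to the first message, the commands and the exfiltrated content the questions above ask about.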

Day-21

Title | HELP ME...I'm REVERSE ENGINEERING!

Learning Objectives

  • Understanding the structure of a binary file
  • The difference between disassembly and decompilation
  • Familiarity with multi-stage binaries
  • Practically reversing a multi-stage binary

Questions & Answers

Question-1: What is the function name that downloads and executes files in the WarevilleApp.exe?

DownloadAndExecuteFile

Question-2: Once you execute the WarevilleApp.exe, it downloads another binary to the Downloads folder. What is the name of the binary?

explorer.exe

Question-3: What domain name is the one from where the file is downloaded after running WarevilleApp.exe?

mayorc2.thm

Question-4: The stage 2 binary is executed automatically and creates a zip file comprising the victim's computer data; what is the name of the zip file?

CollectedFiles.zip

Question-5: What is the name of the C2 server where the stage 2 binary tries to upload files?

anonymousc2.thm

Question-6: If you enjoyed this task, feel free to check out the x86 Assembly Crash Course room.

No answer needed

Day-22

Title | It's because I'm kubed, isn't it?

Learning Objectives

  • Learn about Kubernetes, what it is and why it is used.
  • Learn about DFIR, and the challenges that come with DFIR in an ephemeral environment.
  • Learn how DFIR can be done in a Kubernetes environment using log analysis.

Questions & Answers

Question-1: What is the name of the webshell that was used by Mayor Malware?

shelly.php

Question-2: What file did Mayor Malware read from the pod?

db.php

Question-3: What tool did Mayor Malware search for that could be used to create a remote connection from the pod?

nc

Question-4: What IP connected to the docker registry that was unexpected?

10.10.130.253

Question-5: At what time is the first connection made from this IP to the docker registry?

29/Oct/2024:10:06:33 +0000

Question-6: At what time is the updated malicious image pushed to the registry?

29/Oct/2024:12:34:28 +0000

Question-7: What is the value stored in the "pull-creds" secret?

<secret-value>

Question-8: Enjoy today's lesson? Check out our Intro to Kubernetes room for a more in-depth introduction to Kubernetes!

No answer needed
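An added example for the registry part of the investigation (Questions 4 to 6), not taken from the room: the access-log lines are constructed in combined log format and assume a reverse proxy writing them in front of the registry; the IPs, repository name and times are invented. The functions answer the same three questions against that sample: which client is not a known cluster node, when it first connected, and when a manifest PUT (the request that completes an image push) landed.

```python
import re
from datetime import datetime

# Constructed access-log lines (combined log format) for a private registry. The
# log source is an assumption for this example; IPs, repository and times are not
# the room's. Pulls are GETs on manifests and blobs; a push POST/PATCHes a blob
# upload and finishes with a PUT on the manifest, which is when the tag changes.
REGISTRY_LOG = """\
10.0.0.8 - - [29/Oct/2024:09:58:01 +0000] "GET /v2/ HTTP/1.1" 401 87 "-" "docker/27.0.3 go/go1.21"
10.0.0.8 - - [29/Oct/2024:09:58:02 +0000] "GET /v2/shop/web/manifests/latest HTTP/1.1" 200 1402 "-" "docker/27.0.3 go/go1.21"
10.0.0.9 - - [29/Oct/2024:10:02:44 +0000] "GET /v2/shop/web/manifests/latest HTTP/1.1" 200 1402 "-" "docker/27.0.3 go/go1.21"
198.51.100.7 - - [29/Oct/2024:10:15:02 +0000] "GET /v2/_catalog HTTP/1.1" 200 91 "-" "curl/8.5.0"
198.51.100.7 - - [29/Oct/2024:10:15:40 +0000] "GET /v2/shop/web/manifests/latest HTTP/1.1" 200 1402 "-" "curl/8.5.0"
198.51.100.7 - - [29/Oct/2024:12:39:50 +0000] "POST /v2/shop/web/blobs/uploads/ HTTP/1.1" 202 0 "-" "docker/27.0.3 go/go1.21"
198.51.100.7 - - [29/Oct/2024:12:40:05 +0000] "PATCH /v2/shop/web/blobs/uploads/3f1c9a HTTP/1.1" 202 0 "-" "docker/27.0.3 go/go1.21"
198.51.100.7 - - [29/Oct/2024:12:40:17 +0000] "PUT /v2/shop/web/manifests/latest HTTP/1.1" 201 0 "-" "docker/27.0.3 go/go1.21"
"""

# Cluster nodes that legitimately pull from the registry (constructed).
EXPECTED_CLIENTS = {"10.0.0.8", "10.0.0.9"}

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
MANIFEST_RE = re.compile(r"^/v2/(?P<repo>.+)/manifests/(?P<ref>[^/]+)$")


def parse_registry_log(raw: str) -> list:
    entries = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparsed line: {line!r}")
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        e["status"] = int(e["status"])
        entries.append(e)
    return entries


def unexpected_clients(entries: list, expected=EXPECTED_CLIENTS) -> dict:
    """IPs that talked to the registry but are not known cluster nodes, mapped to
    the time each was first seen (earliest timestamp, regardless of file order)."""
    first_seen = {}
    for e in entries:
        ip, ts = e["ip"], e["ts"]
        if ip not in expected and (ip not in first_seen or ts < first_seen[ip]):
            first_seen[ip] = ts
    return first_seen


def image_pushes(entries: list) -> list:
    """A successful PUT on .../manifests/<ref> is the moment a (possibly tampered)
    image becomes what every node pulls under that tag."""
    pushes = []
    for e in entries:
        m = MANIFEST_RE.match(e["path"])
        if e["method"] == "PUT" and m and e["status"] in (200, 201):
            pushes.append({"ts": e["ts"], "ip": e["ip"], "repo": m["repo"], "ref": m["ref"]})
    return pushes


if __name__ == "__main__":
    entries = parse_registry_log(REGISTRY_LOG)
    for ip, ts in unexpected_clients(entries).items():
        print(f"unexpected client {ip}, first seen {ts:%d/%b/%Y:%H:%M:%S %z}")
    for p in image_pushes(entries):
        print(f"push of {p['repo']}:{p['ref']} from {p['ip']} at {p['ts']:%d/%b/%Y:%H:%M:%S %z}")
```

The user agent is worth keeping as a field: a registry that only ever sees the docker daemon and suddenly logs curl enumerating `/v2/_catalog` is its own indicator. For Question 7, `kubectl get secret pull-creds -o yaml` prints the values base64-encoded; pipe each through `base64 -d` to read them.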

Day-23

Title | You wanna know what happens to your hashes?

Learning Objectives

  • Hash functions and hash values
  • Saving hashed passwords
  • Cracking hashes
  • Finding the password of a password-protected document

Questions & Answers

Question-1: Crack the hash value stored in hash1.txt. What was the password?

<password>

Question-2: What is the flag at the top of the private.pdf file?

<flag>

Question-3: To learn more about cryptography, we recommend the Cryptography module. If you want to practice more hash cracking, please consider the John the Ripper: The Basics room.

No answer needed
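An added example, not from the room, of the two halves of today's topic: cracking an unsalted digest by dictionary attack, and what the stored form should have looked like to make that attack expensive. The wordlist is constructed; the two target digests used in the usage are the well-known MD5 and SHA-256 of "password", and the PBKDF2 record format is this example's own, not one a particular product uses.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed wordlist; in the room you would point John or Hashcat at rockyou.txt.
WORDLIST = ["123456", "password", "letmein", "winter2024", "soc-mas", "Pa55w0rd!"]

# Raw digests are recognisable by hex length alone. This covers the common
# unsalted cases only; hashid or `hashcat --identify` handle the real zoo.
DIGEST_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}


def guess_algorithm(digest_hex: str) -> str:
    try:
        return DIGEST_BY_HEX_LEN[len(digest_hex)]
    except KeyError:
        raise ValueError(f"unrecognised digest length {len(digest_hex)}") from None


def crack_unsalted(digest_hex: str, wordlist=WORDLIST) -> Optional[str]:
    """Dictionary attack: one fast hash per candidate and no salt, so a leaked
    digest of a common password falls at once, and one table of precomputed
    digests works against every user in the dump."""
    algo = guess_algorithm(digest_hex)
    target = digest_hex.lower()
    for word in wordlist:
        if hashlib.new(algo, word.encode()).hexdigest() == target:
            return word
    return None


# --- How the password should have been stored: salted, slow, constant-time compare ---

def make_record(password: str, iterations: int = 600_000, salt: Optional[bytes] = None) -> str:
    """Example record format: scheme$iterations$salt_hex$dk_hex (this example's own)."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify(password: str, record: str) -> bool:
    scheme, iterations, salt_hex, dk_hex = record.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError(f"unsupported scheme {scheme!r}")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_record(record: str, wordlist=WORDLIST) -> tuple:
    """The same dictionary attack against the salted record. Every guess now costs
    the full PBKDF2 work, and the per-user salt means no table can be shared."""
    attempts = 0
    for word in wordlist:
        attempts += 1
        if verify(word, record):
            return word, attempts
    return None, attempts


if __name__ == "__main__":
    md5_of_password = "5f4dcc3b5aa765d61d8327deb882cf99"
    print(guess_algorithm(md5_of_password), "->", crack_unsalted(md5_of_password))
    record = make_record("winter2024", iterations=50_000)
    print(record)
    print("cracked salted record:", crack_record(record))
```

The salted record still falls to a weak password; what changes is the price per guess and the loss of reuse across users. For the PDF, John's `pdf2john.pl private.pdf > pdf.hash` turns the document's encryption dictionary into a crackable hash, and `john --wordlist=rockyou.txt pdf.hash` runs the same dictionary attack against it.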

Day-24

Title | You can’t hurt SOC-mas, Mayor Malware!

Learning Objectives

  • The basics of the MQTT protocol
  • How to use Wireshark to analyze MQTT traffic
  • Reverse engineering a simple network protocol

Questions & Answers

Question-1: What is the flag?

<flag>

Question-2: If you enjoyed this task, feel free to check out the Wireshark module.

No answer needed
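An added example, not from the room, for the protocol side of today's task: an MQTT 3.1.1 fixed-header and PUBLISH parser, with a matching encoder for building test traffic, written from the public specification. The topic names and payloads in the sample stream are invented; whatever custom meaning a device attaches to the payload bytes is the part you reverse engineer after this layer is stripped off.

```python
# Added example: MQTT 3.1.1 framing (public spec); topics and payloads are constructed.
PACKET_TYPES = {1: "CONNECT", 2: "CONNACK", 3: "PUBLISH", 4: "PUBACK", 8: "SUBSCRIBE",
                9: "SUBACK", 10: "UNSUBSCRIBE", 11: "UNSUBACK", 12: "PINGREQ",
                13: "PINGRESP", 14: "DISCONNECT"}
MAX_REMAINING_LENGTH = 268_435_455  # four 7-bit digits


def encode_remaining_length(n: int) -> bytes:
    """Variable-length integer: 7 data bits per byte, MSB set means 'more follows'."""
    if not 0 <= n <= MAX_REMAINING_LENGTH:
        raise ValueError("remaining length out of range")
    out = bytearray()
    while True:
        n, digit = divmod(n, 128)
        if n == 0:
            out.append(digit)
            return bytes(out)
        out.append(digit | 0x80)


def decode_remaining_length(data: bytes, offset: int) -> tuple:
    """Return (value, offset of the first byte after the length field)."""
    value, multiplier = 0, 1
    for i in range(4):
        if offset + i >= len(data):
            raise ValueError("truncated remaining length")
        byte = data[offset + i]
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:
            return value, offset + i + 1
        multiplier *= 128
    raise ValueError("malformed remaining length (more than 4 bytes)")


def mqtt_string(text: str) -> bytes:
    """UTF-8 string prefixed with a 2-byte big-endian length."""
    raw = text.encode("utf-8")
    if len(raw) > 0xFFFF:
        raise ValueError("string too long for MQTT")
    return len(raw).to_bytes(2, "big") + raw


def build_publish(topic: str, payload: bytes, qos: int = 0, retain: bool = False,
                  dup: bool = False, packet_id: int = None) -> bytes:
    if qos not in (0, 1, 2):
        raise ValueError("qos must be 0, 1 or 2")
    if qos and packet_id is None:
        raise ValueError("QoS 1/2 PUBLISH requires a packet identifier")
    flags = (int(dup) << 3) | (qos << 1) | int(retain)
    body = mqtt_string(topic)
    if qos:
        body += packet_id.to_bytes(2, "big")  # packet id present only for QoS > 0
    body += payload
    return bytes([(3 << 4) | flags]) + encode_remaining_length(len(body)) + body


def parse_packet(data: bytes, offset: int = 0) -> tuple:
    """Parse one packet starting at `offset`; return (fields, offset of next packet)."""
    first = data[offset]
    ptype, flags = first >> 4, first & 0x0F
    remaining, body_start = decode_remaining_length(data, offset + 1)
    body_end = body_start + remaining
    if body_end > len(data):
        raise ValueError("truncated packet: need %d more bytes" % (body_end - len(data)))
    body = data[body_start:body_end]
    pkt = {"type": PACKET_TYPES.get(ptype, f"RESERVED({ptype})"), "flags": flags, "raw_body": body}
    if ptype == 3:  # PUBLISH: topic, optional packet id, then the application payload
        topic_len = int.from_bytes(body[0:2], "big")
        topic = body[2:2 + topic_len].decode("utf-8")
        pos = 2 + topic_len
        qos = (flags >> 1) & 0x03
        packet_id = None
        if qos:
            packet_id = int.from_bytes(body[pos:pos + 2], "big")
            pos += 2
        pkt.update(topic=topic, qos=qos, retain=bool(flags & 0x01), dup=bool(flags & 0x08),
                   packet_id=packet_id, payload=body[pos:])
    return pkt, body_end


def split_stream(data: bytes) -> list:
    """A TCP segment can carry several MQTT packets back to back; walk them all."""
    packets, offset = [], 0
    while offset < len(data):
        pkt, offset = parse_packet(data, offset)
        packets.append(pkt)
    return packets


if __name__ == "__main__":
    # Constructed stream: a QoS 1 command, a keep-alive, and a retained status report.
    stream = (build_publish("d/lights", b"on", qos=1, packet_id=7)
              + b"\xc0\x00"
              + build_publish("d/status", b"\x01\xff", retain=True))
    for p in split_stream(stream):
        print(p["type"], p.get("topic"), p.get("payload"))
```

In Wireshark the same fields show up under the `mqtt` dissector (`mqtt.topic`, `mqtt.msg`), so the parser is mostly useful when the broker runs on a non-standard port or when you want to replay or fuzz the payload layer: build a PUBLISH with a modified payload, send it to the broker, and watch what the device does.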

Advent of Cyber 2024 | The End

How the Glitch saved SOC-mas

Question-1: Congratulations on saving SOC-mas!

No answer needed

Thank you, and congratulations!

Question-1: What is the flag you get at the end of the survey?

<flag>