It’s the eve of 30th November – McSkidy sits in her large office with a cup of hot cocoa, reminiscing over her stressful times at the Best Festival Company. Since her management of the Christmas Monster’s cyber attacks last December, she’d been promoted to Chief Information Security Officer (CISO) and has managed to build a world-class security team. She made a promise to never let Christmas be affected by cyber incidents and has done everything in her power to prepare the Best Festival Company for any incident and to assist Santa in delivering presents globally without disruption!
As she grins to herself, “After all we’ve done, what could go wrong?”, Elf McAssistant runs into her office and gasps, “All our security analysts have missed their last shift and no security personnel can be found in the building!” McSkidy jumps out of her chair and spills her hot cocoa all over herself. “WHAT?!”
She swiftly moves over to the Elf Security Center housing the security personnel and looks over the large area filled with empty desks. Where did everyone go on the eve of the most important time for the Best Festival Company? She rushes over to the desk of the head of her security analyst team, Elf McLeader, and notices the desk is surprisingly clean. For someone so messy, how is his work area completely empty? As she starts theorising in her head, she notices a small piece of paper hidden at the back of the desk behind the screen. As she makes sense of what is on the paper, her eyes widen – why did McProfessional book a one-way flight ticket away on this exact day?
Before she has time to make any assumptions, a loud, grumpy voice resonates across the security center from the internal announcement system: “Grinch Enterprises will never let Christmas succeed. It would be a shame if your world-class security team just suddenly disappeared.”
“THIS WAS ALL PLANNED – HOW DID THEY ACCESS OUR INTERNAL SYSTEMS?” cried McSkidy. Their intelligence team had prepared for this exact scenario, but it didn’t help that the security center was completely empty!
“This needs to stop happening,” sighed McSkidy, and dragged herself to the office to save Christmas.
Advent of Cyber 3 (2021) Day 1 Answers
After finding Santa’s account, what is their position in the company?
The Boss!
After finding McStocker’s account, what is their position in the company?
After finding the account responsible for tampering, what is their position in the company?
Mischief Manager
What is the received flag when McSkidy fixes the Inventory Management System?
THM{AOC_IDOR_2B34BHI3}
Advent of Cyber 3 (2021) Day 2 Answers
Register an account, and verify the cookies using the Developer Tools in your browser.
What is the name of the new cookie that was created for your account?
user-auth
What encoding type was used for the cookie value?
hexadecimal
What object format is the data of the cookie stored in?
JSON
Manipulate the cookie and bypass the login portal.
What is the value of the administrator cookie? (username = admin)
7b636f6d70616e793a2022546865204265737420466573746976616c20436f6d70616e79222c206973726567697374657265643a2254727565222c20757365726e616d653a2261646d696e227d
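The cookie above is only hex-encoded text, which is why it can be rewritten by hand. The following Python example is added here and is not part of the room or the original page: it decodes the quoted cookie value, pulls out the username, and then shows the server-side fix, an HMAC-signed cookie whose verification fails on any edited payload. The secret, the signed-cookie layout and the helper names are assumptions made for the demonstration.

```python
import binascii
import hashlib
import hmac
import re
import secrets
from typing import Optional

# Constructed copy of the "user-auth" cookie value quoted on the page: hex-encoded text.
ADMIN_COOKIE_HEX = (
    "7b636f6d70616e793a2022546865204265737420466573746976616c20436f6d70616e79"
    "222c206973726567697374657265643a2254727565222c20757365726e616d653a2261646d696e227d"
)

# Demo secret generated per run; a real server would load it from configuration (assumption).
SECRET = secrets.token_bytes(32)


def decode_user_auth(hex_value: str) -> str:
    """Hex-decode the cookie; the result is a JSON-style object in plain text."""
    return binascii.unhexlify(hex_value).decode("utf-8")


def cookie_username(hex_value: str) -> Optional[str]:
    """Read the username field from the decoded object (keys are unquoted, so json.loads is not used)."""
    match = re.search(r'username\s*:\s*"([^"]*)"', decode_user_auth(hex_value))
    return match.group(1) if match else None


def issue_signed_cookie(payload: str, secret: bytes) -> str:
    """Hardened variant: hex(payload) + "." + HMAC-SHA256 over that hex, keyed with a server secret."""
    body = payload.encode("utf-8").hex()
    tag = hmac.new(secret, body.encode("ascii"), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_signed_cookie(cookie: str, secret: bytes) -> Optional[str]:
    """Return the payload only if the tag verifies; any edit to the body fails closed."""
    body, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(secret, body.encode("ascii"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode("ascii"), tag.encode("utf-8")):
        return None
    try:
        return bytes.fromhex(body).decode("utf-8")
    except ValueError:
        return None


def tamper_username(cookie: str, new_username: str) -> str:
    """Edit the username inside a signed cookie exactly as the unsigned one can be edited; used to show the check rejecting it."""
    body, _, tag = cookie.rpartition(".")
    payload = bytes.fromhex(body).decode("utf-8")
    payload = re.sub(r'username\s*:\s*"[^"]*"', f'username:"{new_username}"', payload)
    return f"{payload.encode('utf-8').hex()}.{tag}"


if __name__ == "__main__":
    print(decode_user_auth(ADMIN_COOKIE_HEX))
    signed = issue_signed_cookie('{username:"guest"}', SECRET)
    print(verify_signed_cookie(signed, SECRET))
    print(verify_signed_cookie(tamper_username(signed, "admin"), SECRET))
```

Signing the cookie does not hide its contents (the body is still readable hex); what changes is that the server no longer trusts a username it did not itself issue. Keeping the session state server-side and storing only an opaque identifier in the cookie is the other common fix.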
What team environment is not responding?
HR
What team environment has a network warning?
Application
Advent of Cyber 3 (2021) Day 3 Answers
Using a common wordlist for discovering content, enumerate http://MACHINE_IP to find the location of the administrator dashboard. What is the name of the folder?
admin
In your web browser, try some default credentials on the newly discovered login form for the “administrator” user. What is the password?
administrator
Access the admin panel. What is the value of the flag?
THM{ADM1N_AC3SS}
Advent of Cyber 3 (2021) Day 4 Answers
What valid password can you use to access the “santa” account?
cookie
What is the flag in Santa’s itinerary?
THM{SANTA_DELIVERS}
Advent of Cyber 3 (2021) Day 5 Answers
What flag did you get when you disabled the plugin?
THM{NO_MORE_BUTTMAS}
Advent of Cyber 3 (2021) Day 6 Answers
Deploy the attached VM and look around. What is the entry point for our web application?
err
Use the entry point to perform LFI to read the /etc/flag file. What is the flag?
THM{d29e08941cf7fe41df55f1a7da6c4c06}
Use the PHP filter technique to read the source code of the index.php. What is the $flag variable’s value?
THM{791d43d46018a0d89361dbf60d5d9eb8}
McSkidy forgot his login credential. Can you help him log in so he can recover one of the server’s passwords?
Now that you read the index.php, there is a login credential PHP file’s path. Use the PHP filter technique to read its content. What are the username and password?
McSkidy:A0C315Aw3s0m
Use the credentials to log in to the web application. Help McSkidy recover the server’s password. What is the password of the flag.thm.aoc server?
THM{552f313b52e3c3dbf5257d8c6db7f6f1}
The web application logs all users’ requests, and only authorized users can read the log file. Use the LFI to gain RCE via the log file page. What is the hostname of the webserver? The log file location is at ./includes/logs/app_access.log.
lfi-aoc-awesome-59aedca683fff9261263bb084880c965
Advent of Cyber 3 (2021) Day 7 Answers
Interact with the MongoDB server to find the flag. What is the flag?
THM{8814a5e6662a9763f7df23ee59d944f9}
We discussed how to bypass login pages as an admin. Can you log into the application that Grinch Enterprise controls as admin and retrieve the flag?
Use the knowledge given in AoC3 Day 4 to set up and run the Burp Suite proxy to intercept the HTTP request for the login page. Then modify the POST parameter.
THM{b6b304f5d5834a4d089b570840b467a8}
Once you are logged in, use the gift search page to list all usernames that have guest roles. What is the flag?
THM{2ec099f2d602cc4968c5267970be1326}
Use the gift search page to perform NoSQL injection and retrieve the mcskidy record. What is the details record?
ID:6184f516ef6da50433f100f4:mcskidy:admin
Advent of Cyber 3 (2021) Day 8 Answers
What operating system is Santa’s laptop running (“OS Name”)?
Microsoft Windows 11 Pro
Review each transcription log to get an idea for what activity was performed on the laptop just after it went missing. In the “second” transcription log, it seems as if the perpetrator created a backdoor user account!
What was the password set for the new “backdoor” account?
grinchstolechristmas
In one of the transcription logs, the bad actor interacts with the target under the new backdoor user account, and copies a unique file to the Desktop. Before it is copied to the Desktop, what is the full path of the original file?
C:\Users\santa\AppData\Local\Microsoft\Windows\UsrClass.dat
The actor uses a Living Off The Land binary (LOLbin) to encode this file, and then verifies it succeeded by viewing the output file. What is the name of this LOLbin?
certutil.exe
Drill down into the folders and see if you can find anything that might indicate how we could better track down what this SantaRat really is. What specific folder name clues us in that this might be publicly accessible software hosted on a code-sharing platform?
.github
Additionally, there is a unique folder named “Bag of Toys” on the Desktop! This must be where Santa prepares his collection of toys, and this is certainly sensitive data that the actor could have compromised. What is the name of the file found in this folder?
bag_of_toys.zip
What is the name of the user that owns the SantaRat repository?
Grinchiest
Explore the other repositories that this user owns. What is the name of the repository that seems especially pertinent to our investigation?
operation-bag-of-toys
Read the information presented in this repository. It seems as if the actor has, in fact, compromised and tampered with Santa’s bag of toys! You can review the activity in the transcription logs. It looks as if the actor installed a special utility to collect and eventually exfiltrate the bag of toys. What is the name of the executable that installed a unique utility the actor used to collect the bag of toys?
uharc-cmd-install.exe
In the last transcription log, you can see the activity that this actor used to tamper with Santa’s bag of toys! It looks as if they collected the original contents with a UHA archive. A UHA archive is similar to a ZIP or RAR archive, but faster and with better compression rates. It is very rare to see, but it looks like Grinch Enterprises are pulling out all the tricks!
You can see the actor compressed the original contents of the bag of toys with a password. Unfortunately, we are unable to see what the specific password was in these transcription logs! Perhaps we could find it elsewhere…
Following this, the actor looks to have removed everything from the bag of toys, and added in new things like coal, mold, worms, and more! What are the contents of these “malicious” files (coal, mold, and all the others)?
GRINCHMAS
What is the password to the original bag_of_toys.uha archive? (You do not need to perform any password-cracking or bruteforce attempts)
TheGrinchiestGrinchmasOfAll
McSkidy was able to download and save a copy of the bag_of_toys.uha archive, and you have it accessible on the Desktop of the Windows analysis machine. After uncovering the password from the actor’s GitHub repository, you have everything you need to restore Santa’s original bag of toys!
Double-click on the archive on the desktop to open a graphical UHARC extraction utility that has been prepared for you. Using the password you uncovered, extract the contents into a location of your choosing (you might make a “Bag of Toys” directory on the Desktop to save all the files into).
With that, you have successfully recovered the original contents of Santa’s Bag of Toys! You can view these in the Windows Explorer file browser to see how many were present.
How many original files were present in Santa’s Bag of Toys?
228
Advent of Cyber 3 (2021) Day 9 Answers
In the HTTP #1 – GET requests section, which directory is found on the web server?
login
What is the username and password used in the login page in the HTTP #2 – POST section?
McSkidy:Christmas2021!
What is the User-Agent’s name that has been sent in HTTP #2 – POST section?
TryHackMe-UserAgent-THM{d8ab1be969825f2c5c937aec23d55bc9}
In the DNS section, there is a TXT DNS query. What is the flag in the message of that DNS query?
THM{dd63a80bf9fdd21aabbf70af7438c257}
In the FTP section, what is the FTP login password?
TryH@ckM3!
In the FTP section, what is the FTP command used to upload the secret.txt file?
STOR
In the FTP section, what is the content of the secret.txt file?
123^-^321
Advent of Cyber 3 (2021) Day 10 Answers
Help McSkidy and run nmap -sT MACHINE_IP. How many ports are open between 1 and 100?
2
What is the smallest port number that is open?
22
What is the service related to the highest port number you found in the first question?
HTTP
Now run nmap -sS MACHINE_IP. Did you get the same results? (Y/N)
Y
If you want Nmap to detect the version info of the services installed, you can use nmap -sV MACHINE_IP. What is the version number of the web server?
Apache httpd 2.4.49
By checking the vulnerabilities related to the installed web server, you learn that there is a critical vulnerability that allows path traversal and remote code execution. Now you can tell McSkidy that Grinch Enterprises used this vulnerability. What is the CVE number of the vulnerability that was solved in version 2.4.51?
CVE-2021-42013
You are putting the pieces together and have a good idea of how your web server was exploited. McSkidy is suspicious that the attacker might have installed a backdoor. She asks you to check if there is some service listening on an uncommon port, i.e. outside the 1000 common ports that Nmap scans by default. She explains that adding -p1-65535 or -p- will scan all 65,535 TCP ports instead of only scanning the 1000 most common ports. What is the port number that appeared in the results now?
20212
What is the name of the program listening on the newly discovered port?
telnetd
Advent of Cyber 3 (2021) Day 11 Answers
You decided that the first step would be to check the running services on MACHINE_IP. You resort to yesterday’s tool, Nmap.
Knowing that MACHINE_IP is a MS Windows system, you expect it to not respond to ping probes by default; therefore, you need to add -Pn to your nmap command to perform the scan. This instructs Nmap to skip pinging the target to see if the host is reachable. Without this option, Nmap will assume the target host is offline and not proceed with scanning.
There is an open port related to MS SQL Server accessible over the network. What is the port number?
1433
Knowing the MS SQL Server is running and accessible over the network, we want to check if our username and password are still valid. Using the AttackBox terminal, we will use the command sqsh (pronounced skwish), an interactive database shell.
A simple syntax would be sqsh -S server -U username -P password, where:
-S server is used to specify the server, for example -S MACHINE_IP
-U username is used to provide the username; for example, -U sa is the username that we have enabled.
-P password lets us specify the password.
Let’s try to run, sqsh -S MACHINE_IP -U sa -P t7uLKzddQzVjVFJp
If the connection is successful, you will get a prompt. What is the prompt that you have received?
1>
We can see four columns in the table displayed above: id, first (name), last (name), and nickname. What is the first name of the reindeer of id 9?
Rudolph
Check the table schedule. What is the destination of the trip scheduled on December 7?
Prague
Check the table presents. What is the quantity available for the present “Power Bank”?
25000
There is a flag hidden in the grinch user’s home directory. What are its contents?
THM{YjtKeUy2qT3v5dDH}
Advent of Cyber 3 (2021) Day 12 Answers
Scan the target server with the IP MACHINE_IP. Remember that MS Windows hosts block pings by default, so we need to add -Pn, for example, nmap -Pn MACHINE_IP for the scan to work correctly. How many TCP ports are open?
7
In the scan results you received earlier, you should be able to spot NFS or mountd, depending on whether you used the -sV option with Nmap or not. Which port is detected by Nmap as NFS or using the mountd service?
2049
As we can see in the terminal output above, we have two shares, /share and /my-notes. After you have started the attached machine, use the AttackBox terminal to discover the shares on MACHINE_IP.
How many shares did you find?
4
How many shares show “everyone”?
3
What is the title of file 2680-0.txt?
Meditations
It seems that Grinch Enterprises has forgotten their SSH keys on our system. One of the shares contains a private key used for SSH authentication (id_rsa). What is the name of the share?
confidential
We can calculate the MD5 sum of a file using md5sum FILENAME. What is the MD5 sum of id_rsa?
3e2d315a38f377f304f5598dc2f044de
Advent of Cyber 3 (2021) Day 13 Answers
Complete the username: p…..
pepper
What is the OS version?
10.0.17763 N/A Build 17763
What backup service did you find running on the system?
IperiusSvc
What is the path of the executable for the backup service you have identified?
C:\Program Files (x86)\Iperius Backup\IperiusService.exe
Run the whoami command on the connection you have received on your attacking machine. What user do you have?
the-grinch-hack\thegrinch
What is the content of the flag.txt file?
THM-736635221
The Grinch forgot to delete a file where he kept notes about his schedule! Where can we find him at 5:30?
jazzercize
Advent of Cyber 3 (2021) Day 14 Answers
How many pages did the dirb scan find with its default wordlist?
4
How many scripts do you see in the /home/thegrinch/scripts folder?
4
What are the five characters following $6$G in pepper’s password hash?
ZUP42
What is the content of the flag.txt file on the Grinch’s user’s desktop?
DI3H4rdIsTheBestX-masMovie!
Advent of Cyber 3 (2021) Day 15 Answers
What is the operator’s username?
GrinchWho31
What social media platform is the username associated with?
Twitter
What is the cryptographic identifier associated with the operator?
1GW8QR7CWW3cpvVPGMCF5tZz4j96ncEgrVaR
What platform is the cryptographic identifier associated with?
keybase.io
What is the bitcoin address of the operator?
bc1q5q2w2x6yka5gchr89988p2c8w8nquem6tndw2f
What platform does the operator leak the bitcoin address on?
GitHub
What is the operator’s personal email?
DonteHeath21@gmail.com
What is the operator’s real name?
Donte Heath
Advent of Cyber 3 (2021) Day 16 Answers
What is the name of the S3 Bucket used to host the HR Website announcement?
images.bestfestivalcompany.com
What is the message left in the flag.txt object from that bucket?
It’s easy to get your elves data when you leave it so easy to find!
What other file in that bucket looks interesting to you?
wp-backup.zip
What is the AWS Access Key ID in that file?
AKIAQI52OJVCPZXFYAOI
What is the AWS Account ID that access-key works for?
019181489476
What is the Username for that access-key?
ElfMcHR@bfc.com
There is an EC2 Instance in this account. Under the TAGs, what is the Name of the instance?
HR-Portal
What is the database password stored in Secrets Manager?
Winter2021!
Advent of Cyber 3 (2021) Day 18 Answers
What command will list container images stored in your local container registry?
docker images
What command will allow you to save a docker image as a tar archive?
docker save
What is the name of the file (including file extension) for the configuration, repository tags, and layer hash values stored in a container image?
manifest.json
What is the token value you found for the bonus challenge?
7095b3e9300542edadbc2dd558ac11fa
Advent of Cyber 3 (2021) Day 19 Answers
Who was the email sent to? (Answer is the email address)
elfmcphearson@tbfc.com
Phishing emails use similar domains of their targets to increase the likelihood the recipient will be tricked into interacting with the email. Who does it say the email was from? (Answer is the email address)
customerservice@t8fc.info
Sometimes phishing emails have a different reply-to email address. If this email was replied to, what email address will receive the email response?
fisher@tempmailz.grinch
Less sophisticated phishing emails will have typos. What is the misspelled word?
stright
The email contains a link that will redirect the recipient to a fraudulent website in an effort to collect credentials. What is the link to the credential harvesting website?
https://89xgwsnmo5.grinch/out/fishing/
View the email source code. There is an unusual email header. What is the header and its value?
X-GrinchPhish: >;^)
You received other reports of phishing attempts from other colleagues. Some of the other emails contained attachments. Open attachment.txt. What is the name of the attachment?
password-reset-instructions.pdf
What is the flag in the PDF file?
THM{A0C_Thr33_Ph1sh1ng_An4lys!s}
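The indicators the questions above walk through (a lookalike sender domain, a Reply-To that differs from the sender, a non-standard X- header, a link to a host unrelated to the sender) can be checked mechanically. The Python below is an added example and not part of the original page or the room: it assembles a constructed message from the addresses, header and link quoted above and runs a simple triage over it. The trusted domain, the homoglyph table and the known-header allowlist are assumptions.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from typing import List
from urllib.parse import urlparse

# Constructed raw message assembled from the addresses, header and link quoted in the questions above.
SAMPLE_EMAIL = """\
From: Customer Service <customerservice@t8fc.info>
To: elfmcphearson@tbfc.com
Reply-To: fisher@tempmailz.grinch
Subject: Password reset required
X-GrinchPhish: >;^)
Content-Type: text/plain; charset="us-ascii"

Your password expires today. Go stright to https://89xgwsnmo5.grinch/out/fishing/ to keep your account.
"""

# Digit-for-letter substitutions commonly used in lookalike domains (assumed table for the demo).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "8": "b"})

# Custom headers a mail pipeline would normally expect to see (assumed allowlist).
KNOWN_X_HEADERS = {"x-mailer", "x-priority", "x-spam-status", "x-originating-ip"}


def domain_of(address: str) -> str:
    """Lower-cased domain part of an address header such as 'Name <user@host>'."""
    return parseaddr(address)[1].rsplit("@", 1)[-1].lower()


def is_lookalike(domain: str, trusted: str) -> bool:
    """Does the sender's second-level label become the trusted one once digits are read as letters?"""
    if domain == trusted:
        return False
    return domain.split(".")[0].translate(HOMOGLYPHS) == trusted.split(".")[0]


def triage(raw: str, trusted_domain: str) -> List[str]:
    """Return human-readable findings for the headers and links of one message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    sender = domain_of(msg["From"])

    # 1. Sender domain that imitates the organisation's own domain (t8fc vs tbfc).
    if is_lookalike(sender, trusted_domain):
        findings.append(f"sender domain {sender} is a lookalike of {trusted_domain}")

    # 2. Replies routed somewhere other than the apparent sender.
    reply_to = msg["Reply-To"]
    if reply_to and domain_of(reply_to) != sender:
        findings.append(f"Reply-To domain {domain_of(reply_to)} differs from sender domain {sender}")

    # 3. Custom headers the pipeline does not recognise.
    for name, value in msg.items():
        if name.lower().startswith("x-") and name.lower() not in KNOWN_X_HEADERS:
            findings.append(f"unusual header {name}: {value}")

    # 4. Links whose host is not the sender's domain or a subdomain of it.
    body = msg.get_body(preferencelist=("plain",)).get_content()
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        host = (urlparse(url).hostname or "").lower()
        if host != sender and not host.endswith("." + sender):
            findings.append(f"link host {host} does not belong to sender domain {sender}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EMAIL, "tbfc.com"):
        print("-", finding)
```

Each finding on its own is only a hint (marketing mail legitimately uses third-party link hosts, for example), so a real pipeline would score them rather than block on any one; the value here is that all four indicators from the questions fall out of the headers and body without opening the link.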
Advent of Cyber 3 (2021) Day 20 Answers
Open the terminal and navigate to the file on the desktop named ‘testfile’. Using the ‘strings’ command, check the strings in the file. There is only a single line of output to the ‘strings’ command. What is the output?
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
Check the file type of ‘testfile’ using the ‘file’ command. What is the file type?
EICAR virus test files
Calculate the file’s hash and search for it on VirusTotal. When was the file first seen in the wild?
2005-10-17 22:03:48
On VirusTotal’s detection tab, what is the classification assigned to the file by Microsoft?
Virus:DOS/EICAR_Test_File
Go to this link to learn more about this file and what it is used for. What were the first two names of this file?
ducklin.htm or ducklin-html.htm
The file starts with a 68-character string, known as the “known string”. It can be followed by whitespace characters up to a limited total length. What is the maximum number of total characters that can be in the file?
128
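As an added example (not from the room or the original page), the Python below reproduces the checks behind the questions above: extracting printable strings the way the strings command does, hashing the sample for a VirusTotal lookup, and validating a candidate EICAR file against the 68-byte known string and the 128-byte limit. The accepted padding bytes follow the published EICAR specification (space, tab, CR, LF and CTRL-Z); the function names are mine.

```python
import hashlib
import re
from typing import List

# The 68-byte EICAR known string quoted in the first question above (raw bytes keep the backslash literal).
EICAR_KNOWN_STRING = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Limits from the EICAR specification: the known string may be followed only by
# space, tab, CR, LF or CTRL-Z, and the whole file may not exceed 128 bytes.
MAX_EICAR_LENGTH = 128
EICAR_PADDING = b" \t\r\n\x1a"


def printable_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Runs of printable ASCII of at least min_len bytes, the same idea as the strings command."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [run.decode("ascii") for run in re.findall(pattern, data)]


def file_hashes(data: bytes) -> dict:
    """MD5 and SHA-256 of the sample, the values you would paste into a VirusTotal search."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def is_eicar_test_file(data: bytes) -> bool:
    """True only for a well-formed EICAR test file: known string first, optional padding, 128 bytes at most."""
    if len(data) > MAX_EICAR_LENGTH:
        return False
    if not data.startswith(EICAR_KNOWN_STRING):
        return False
    trailer = data[len(EICAR_KNOWN_STRING):]
    return all(byte in EICAR_PADDING for byte in trailer)


if __name__ == "__main__":
    print(printable_strings(EICAR_KNOWN_STRING))
    print(file_hashes(EICAR_KNOWN_STRING))
    print(is_eicar_test_file(EICAR_KNOWN_STRING + b"\r\n"))
    print(is_eicar_test_file(EICAR_KNOWN_STRING.replace(b"X5O", b"X50")))
```

The last call shows why the Day 21 rule change matters: a single character swapped in the known string is no longer the EICAR test file, and an engine that only matches the full string will miss it.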
Advent of Cyber 3 (2021) Day 21 Answers
We changed the text in the string $a as shown in the eicaryara rule we wrote, from X5O to X50, that is, we replaced the letter O with the number 0. The condition for the Yara rule is $a and $b and $c and $d. If we are to only make a change to the first boolean operator in this condition, what boolean operator shall we replace the ‘and’ with, in order for the rule to still hit the file?
or
What option is used in the Yara command in order to list down the metadata of the rules that are a hit to a file?
-m
What section contains information about the author of the Yara rule?
metadata
What option is used to print only rules that did not hit?
-n
Change the Yara rule value for the $a string to X50. Rerun the command, but this time with the -c option. What is the result?
0
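To see why swapping the first and for or keeps the rule firing while -c drops to 0 once $a reads X50, here is a toy condition evaluator written for this page (it is not YARA and not the room’s rule file). The $b, $c and $d patterns are constructed substrings of the EICAR string, since the page only shows that $a begins with X5O; the parser and helper names are mine.

```python
import re
from typing import Dict, List, Tuple

# Sample file contents: the EICAR known string from Day 20 (raw bytes keep the backslash literal).
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Constructed strings section. The page only tells us $a starts with X5O, so
# $b, $c and $d are assumed substrings of the EICAR string chosen for this demo.
RULE_STRINGS: Dict[str, bytes] = {
    "$a": rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$",
    "$b": b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE",
    "$c": b"!$H+H*",
    "$d": b"EICAR",
}
CONDITION = "$a and $b and $c and $d"

_TOKEN = re.compile(r"\s*(\(|\)|and|or|not|\$\w+)")


def tokenize(condition: str) -> List[str]:
    """Split a condition into parentheses, boolean operators and $identifiers."""
    tokens, pos = [], 0
    condition = condition.strip()
    while pos < len(condition):
        match = _TOKEN.match(condition, pos)
        if not match:
            raise ValueError(f"bad condition near {condition[pos:]!r}")
        tokens.append(match.group(1))
        pos = match.end()
    return tokens


class _Parser:
    """Recursive-descent evaluator with YARA's precedence: not binds tighter than and, and tighter than or."""

    def __init__(self, tokens: List[str], hits: Dict[str, bool]):
        self.tokens, self.pos, self.hits = tokens, 0, hits

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self) -> str:
        if self.pos >= len(self.tokens):
            raise ValueError("unexpected end of condition")
        tok = self.tokens[self.pos]
        self.pos += 1
        return tok

    def parse_or(self) -> bool:
        value = self.parse_and()
        while self.peek() == "or":
            self.take()
            rhs = self.parse_and()
            value = value or rhs
        return value

    def parse_and(self) -> bool:
        value = self.parse_not()
        while self.peek() == "and":
            self.take()
            rhs = self.parse_not()
            value = value and rhs
        return value

    def parse_not(self) -> bool:
        if self.peek() == "not":
            self.take()
            return not self.parse_not()
        return self.parse_atom()

    def parse_atom(self) -> bool:
        tok = self.take()
        if tok == "(":
            value = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing closing parenthesis")
            return value
        if tok.startswith("$"):
            if tok not in self.hits:
                raise ValueError(f"undefined string {tok}")
            return self.hits[tok]
        raise ValueError(f"unexpected token {tok!r}")


def evaluate_rule(strings: Dict[str, bytes], condition: str, data: bytes) -> bool:
    """Does the rule hit? Each $name is true when its pattern occurs anywhere in data."""
    hits = {name: pattern in data for name, pattern in strings.items()}
    parser = _Parser(tokenize(condition), hits)
    result = parser.parse_or()
    if parser.peek() is not None:
        raise ValueError(f"trailing token {parser.peek()!r}")
    return result


def count_matches(rules: List[Tuple[Dict[str, bytes], str]], data: bytes) -> int:
    """Number of rules that hit, which is what yara -c reports."""
    return sum(1 for strings, condition in rules if evaluate_rule(strings, condition, data))
```

With $a changed to X50, the all-and condition needs every string present and fails; replacing the first and with or makes the rule read $a or ($b and $c and $d), which still hits because the other three strings are untouched. The precedence is the reason the position of the swapped operator matters.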
Advent of Cyber 3 (2021) Day 22 Answers
What is the username (email address of Grinch Enterprises) from the decoded script?
Grinch.Enterprises.2021@gmail.com
What is the mailbox password you found?
S@ntai$comingt0t0wn
What is the subject of the email?
Christmas Wishlist
What port is the script using to exfiltrate data from the North Pole?
587
What is the hidden flag found in the document that Grinch Enterprises left behind? (Hint: use the following command: oledump.py -s {stream number} -d; the answer will be in the caption.)
YouFoundGrinchCookie
There is still a second flag somewhere… can you find it on the machine?
S@nt@c1Au$IsrEAl
Advent of Cyber 3 (2021) Day 23 Answers
What command was executed as Elf McNealy to add a new user to the machine?
Invoke-Nightmare
What user executed the PowerShell file to send the password.txt file from the administrator’s desktop to a remote server?
adm1n
What was the IP address of the remote server? What was the port used for the remote connection? (format: IP,Port)
10.10.148.96,4321
What was the encryption key used to encrypt the contents of the text file sent to the remote server?
j3pn50vkw21hhurbqmxjlpmo9doiukyb
What application was used to delete the password.txt file?
sdelete.exe
What is the date and timestamp the logs show that password.txt was deleted? (format: MM/DD/YYYY H:MM:SS PM)
11/11/2021 7:29:27 PM
What were the contents of the deleted password.txt file?
Mission Control: letitsnowletitsnowletitsnow
Advent of Cyber 3 (2021) Day 24 Answers
What is the username of the other user on the system?
emily
What is the NTLM hash of this user?
8af326aa4850225b75c592d4ce19ccf5
What is the password for this user?
1234567890
Advent of Cyber 3 (2021) Day 25 Answers
Please help us improve by answering this 5 minute survey! https://forms.gle/ET6KY5dwcBumsqNv8
thm{thank_you_2021}