Ah, the holiday season is close again! You might not feel it yet, but way up north, Elf McSkidy is already busy making sure you get your presents this year. As she walked through the yard of Santa’s workshop this morning, a cup of hot chocolate in her hands, everything seemed to be going great! Gifts getting wrapped, reindeer exercising on treadmills, and Santa’s sleigh being polished, the whole place was just teeming with elf activity.
When McSkidy entered the office, she immediately noticed that something was, in fact, out of order. A big, dark, half-frosted card was just lying on her desk! Who placed it there? How did they get into the locked Security Operations Centre (SOC) room? What did they want from Best Festival Company’s Chief Information Security Officer?!
Not having to think twice about it, McSkidy slammed the big “ALARM” button and yelled: “Security staff! All hands on deck. We’ve got an incident!”
She did not have to wait long – pretty quickly, the corridors of Best Festival Company’s offices saw a team of security specialists rushing to the SOC room. The McReds, ethical hackers at Santa’s command who find vulnerabilities before the bad guys do, came from the workshop. Elf Exploit McRed was first, then Elf Recon, and finally Elf Pivot skating on the icy floors. The McBlues rushed from the yard, where they were setting up monitoring, as they are responsible for Santa’s defences. McSkidy watched as Elf Log McBlue came running in, followed by Elf Admin and Elf Forensic, the gear strapped to their belts jingling loudly. Santa’s Security Team surrounded McSkidy, all holding their breaths. McSkidy picked up the evil-looking card from her desk with trembling hands, opened it, and they all saw what was inside:
oH, oH, oH,
Someone’s been naughty this year, leaving your shop open like that! We started with a little puzzle. Let’s see what more we can do! – Your Secret Santa
“But our shop wasn’t open! The door was locked when I entered. And you are monitoring the walls, right?” – McSkidy looked to her team for support. After a few clicks of the keyboard at the nearest computer, Admin McBlue announced: “It’s the gift shop website, McSkidy. It’s been defaced. There’s… a puzzle? It says we’ll learn who did it if we solve it.”
The SOC room had just a few seconds of silence before the other elves started shouting:
“We need to investigate!”, “Check the logs!”, “Review monitoring!”, “Audit other systems!”, “Lock down the network!”
McSkidy held her hand up, waiting for the elves to calm down. “We’ve been through something like this last year. This year, we’re saving Christmas again!”
See you in the daily tasks! We hope you can help McSkidy and the Team find out who their mysterious adversary is, investigate the incident, and secure their systems once again. Please note that the difficulty of the challenges might vary from day to day, but they will always be approachable for beginners in cyber security. Have fun in Advent of Cyber!
Advent of Cyber 2022 Day 1 Answer
Who is the adversary that attacked Santa’s network this year?
The Bandit Yeti
What’s the flag that they left behind?
THM{IT’S A Y3T1 CHR1$TMA$}
Advent of Cyber 2022 Day 2 Answers
Use the ls command to list the files present in the current directory. How many log files are present?
2
Elf McSkidy managed to capture the logs generated by the web server. What is the name of this log file?
webserver.log
Begin investigating the log file from question #3 to answer the following questions.
No answer needed
On what day was Santa’s naughty and nice list stolen?
Friday
What is the IP address of the attacker?
10.10.249.191
What is the name of the important list that the attacker stole from Santa?
santaslist.txt
Look through the log files for the flag. The format of the flag is: THM{}
THM{STOLENSANTASLIST}
Advent of Cyber 2022 Day 3 Answers
What is the name of the Registrar for the domain santagift.shop?
NAMECHEAP INC
Find the website’s source code (repository) on github.com and open the file containing sensitive credentials. Can you find the flag?
{THM_OSINT_WORKS}
What is the name of the file containing passwords?
config.php
What is the name of the QA server associated with the website?
qa.santagift.shop
What is the DB_PASSWORD that is being reused between the QA and PROD environments?
S@nta2022
Advent of Cyber 2022 Day 4 Answers
What is the name of the HTTP server running on the remote host?
Apache
What is the name of the service running on port 22 on the QA server?
ssh
What flag can you find after successfully accessing the Samba service?
{THM_SANTA_SMB_SERVER}
What is the password for the username santahr?
santa25
Advent of Cyber 2022 Day 5 Answers
Use Hydra to find the VNC password of the target with IP address MACHINE_IP. What is the password?
1q2w3e4r
Using a VNC client on the AttackBox, connect to the target of IP address MACHINE_IP. What is the flag written on the target’s screen?
THM{I_SEE_YOUR_SCREEN}
Advent of Cyber 2022 Day 6 Answers
What is the email address of the sender?
chief.elf@santaclaus.thm
What is the return address?
murphy.evident@bandityeti.thm
On whose behalf was the email sent?
Chief Elf
What is the X-spam score?
3
What is hidden in the value of the Message-ID field?
AoC2022_Email_Analysis
Visit the email reputation check website provided in the task.
What is the reputation result of the sender’s email address?
RISKY
What is the filename of the attachment?
Division_of_labour-Load_share_plan.doc
What is the hash value of the attachment?
0827bb9a2e7c0628b82256759f0f888ca1abd6a2d903acdb8e44aca6a1a03467
Visit the Virus Total website and use the hash value to search.
Navigate to the behaviour section.
What is the second tactic marked in the Mitre ATT&CK section?
Defense Evasion
Visit the InQuest website and use the hash value to search.
What is the subcategory of the file?
macro_hunter
Advent of Cyber 2022 Day 7 Answers
What is the version of CyberChef found in the attached VM?
9.49.0
How many recipes were used to extract URLs from the malicious doc?
10
We found a URL that was downloading a suspicious file; what is the name of that malware?
mysterygift.exe
What is the last defanged URL of the bandityeti domain found in the last step?
hxxps[://]cdn[.]bandityeti[.]THM/files/index/
What is the ticket found in one of the domains? (Format: Domain/)
THM_MYSTERY_FLAG
Advent of Cyber 2022 Day 8 Answers
What flag is found after attacking the provided EtherStore Contract?
flag{411_ur_37h_15_m1n3}
Advent of Cyber 2022 Day 9 Answers
Deploy the attached VM, and wait a few minutes. What ports are open?
80
What framework is the web application developed with?
laravel
What CVE is the application vulnerable to?
CVE-2021-3129
What command can be used to upgrade the last opened session to a Meterpreter session?
sessions -u -1
What file indicates a session has been opened within a Docker container?
/.dockerenv
What file often contains useful credentials for web applications?
.env
What database table contains useful credentials?
users
What is Santa’s password?
p4$$w0rd
What ports are open on the host machine?
22,80
What is the root flag?
THM{47C61A0FA8738BA77308A8A600F88E4B}
Advent of Cyber 2022 Day 10 Answers
What is the Guard’s flag?
THM{5_star_Fl4gzzz}
What is the Yeti’s flag?
THM{yetiyetiyetiflagflagflag}
Advent of Cyber 2022 Day 11 Answers
What is the Windows version number that the memory image captured?
Note: this initial scan may take up towards 10 minutes to complete. Why not grab some water or stretch your legs?
10
What is the name of the binary/gift that secret Santa left?
mysterygift.exe
What is the Process ID (PID) of this binary?
2040
Dump the contents of this binary. How many files are dumped?
16
Advent of Cyber 2022 Day 12 Answers
What is the architecture of the malware sample? (32-bit/64-bit)
64-bit
What is the packer used in the malware sample? (format: lowercase)
upx
What is the compiler used to build the malware sample? (format: lowercase)
nim
How many MITRE ATT&CK techniques have been discovered attributed to the DISCOVERY tactic?
2
What is the registry key abused by the malware?
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
What is the value written on the registry key based on the previous question?
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wishes.bat
What are the names of two files created by the malware under the C:\Users\Administrator\ directory? (format: file1,file2 in alphabetical order)
test.jpg,wishes.bat
What are the two domains wherein malware has initiated a network connection? (format: domain1,domain2 in alphabetical order)
bestfestivalcompany.thm,virustotal.com
Going back to strings inside the malware sample, what is the complete URL used to download the file hosted in the first domain accessed by the malware?
http://bestfestivalcompany.thm/favicon.ico
Advent of Cyber 2022 Day 13 Answers
View the “Protocol Hierarchy” menu.
What is the “Percent Packets” value of the “Hypertext Transfer Protocol”?
0.3
View the “Conversations”.
Navigate to the TCP section.
Which port number has received more than 1000 packets?
3389
What is the service name of the used protocol that received more than 1000 packets?
RDP
Filter the DNS packets.
What are the domain names?
Enter the domains in alphabetical order and defanged format. (format: domain[.]zzz,domain[.]zzz)
bestfestivalcompany[.]thm,cdn[.]bandityeti[.]thm
Filter the HTTP packets.
What are the names of the requested files?
Enter the names in alphabetical order and in defanged format. (format: file[.]xyz,file[.]xyz)
favicon[.]ico,mysterygift[.]exe
Which IP address downloaded the executable file?
Enter your answer in defanged format.
10[.]10[.]29[.]186
Which domain address hosts the malicious file?
Enter your answer in defanged format.
cdn[.]bandityeti[.]thm
What is the “user-agent” value used to download the non-executable file?
Nim httpclient/1.6.8
Export objects from the PCAP file.
Calculate the file hashes.
What is the sha256 hash value of the executable file?
0ce160a54d10f8e81448d0360af5c2948ff6a4dbb493fe4be756fc3e2c3f900f
Search the hash value of the executable file on VirusTotal.
Navigate to the “Behaviour” section.
There are multiple IP addresses associated with this file.
We know IP addresses starting with 20[.], and 23[.] are associated with Bandit Yeti APT.
What are the connected IP addresses in the mentioned pattern?
Enter the IP addresses defanged and in numerical order. (format: IPADDR,IPADDR)
Please note that the VT entry changed since the official walkthrough video was recorded – check the VT website to get all the IP addresses you need!
20[.]99[.]133[.]109,20[.]99[.]184[.]37,23[.]216[.]147[.]64,23[.]216[.]147[.]76
Advent of Cyber 2022 Day 14 Answers
What is the office number of Elf Pivot McRed?
134
Not only profile pages but also stored images are vulnerable. Start with a URL of a valid profile image; what is the hidden flag?
THM{CLOSE_THE_DOOR}
Advent of Cyber 2022 Day 15 Answers
What is the name given to file uploads that allow threat actors to upload any files that they want?
Unrestricted
What is the title of the web application developed by Santa’s freelancer?
SantaSideKick2
What is the value of the flag stored in the HR Elf’s Documents directory?
THM{Naughty.File.Uploads.Can.Get.You.RCE}
What defence technique can be implemented to ensure that specific file types can be uploaded?
File Extension Validation
What defence technique can be used to make sure the threat actor cannot recover their file again by simply using the file name?
File Renaming
What defence technique can be used to make sure malicious files that can hurt elves are not uploaded?
Malware Scanning
Advent of Cyber 2022 Day 16 Answers
What is the value of Flag1?
THM{McCode, Elf McCode}
What is the value of Flag2?
THM{KodeNRoll}
What is the value of Flag3?
THM{Are we secure yet?}
What is the value of Flag4?
THM{SQLi_who???}
Advent of Cyber 2022 Day 17 Answers
Filtering for Usernames: How many usernames fit the syntax above?
8
Filtering for Usernames: One username consists of a readable word concatenated with a number. What is it?
User35
Filtering for Emails: How many emails fit the syntax above?
11
Filtering for Emails: How many unique domains are there?
8
Filtering for Emails: What is the domain of the email with the local-part “lewisham44”?
amg.com
Filtering for Emails: What is the domain of the email with the local-part “maxximax”?
fedfull.com
Filtering for Emails: What is the local-part of the email with the domain name “hotmail.com”?
hussain.volt
Filtering for URLs: How many URLs fit the syntax provided?
16
Filtering for URLs: How many of these URLs start with “https”?
7
Advent of Cyber 2022 Day 18 Answers
What is the Challenge #1 flag?
THM{n0t_just_your_u$ser}
From the Challenge 1 log, what user account was created?
BanditYetiMini
What is the Challenge #2 flag?
THM{wh@t_1s_Runn1ng_H3r3}
What was the User’s path in the Challenge #2 log file?
SIGMA_AOC2022\Bandit Yeti
What is the Challenge #3 flag?
THM{sch3dule_0npo1nt_101}
What was the MD5 hash associated with Challenge #3 logs?
2F6CE97FAF2D5EEA919E4393BDD416A7
Advent of Cyber 2022 Day 19 Answers
What device can be used to probe the signals being sent on electrical wires between two devices?
Logic Analyser
USART is faster than SPI for communication? (Yea,Nay)
Nay
USART communication uses fewer wires than SPI? (Yea,Nay)
Yea
USART is faster than I2C for communication? (Yea,Nay)
Nay
I2C uses more wires than SPI for communication? (Yea,Nay)
Nay
SPI is faster than I2C for communication? (Yea,Nay)
Yea
What is the maximum number of devices that can be connected on a single pair of I2C lines?
1008
What is the new baud rate that is negotiated between the microprocessor and ESP32 chip?
9600
What is the flag that is transmitted once the new baud rate was accepted?
THM{Hacking.Hardware.Is.Fun}
Advent of Cyber 2022 Day 20 Answers
What is the flag value after reversing the file firmwarev2.2-encrypted.gpg?
Note: The flag contains underscores – if you’re seeing spaces, the underscores might not be rendering.
THM{WE_GOT_THE_FIRMWARE_CODE}
What is the Passphrase value for the binary firmwarev1.0_unsigned?
Santa@2022
After reversing the encrypted firmware, can you find the build number for rootfs?
2.6.31
Advent of Cyber 2022 Day 21 Answers
What port is Mosquitto running on?
1883
Is the device/init topic enumerated by Nmap during a script scan of all ports? (y/n)
y
What Mosquitto version is the device using?
1.6.9
What flag is obtained from viewing the RTSP stream?
THM{UR_CAMERA_IS_MINE}
Advent of Cyber 2022 Day 22 Answers
Follow the instructions in the attached static site to help McSkidy reduce her attack surface against attacks from the Yeti. Use the flag as an answer to complete the task.
THM{4TT4CK SURF4C3 R3DUC3D}
Advent of Cyber 2022 Day 23 Answers
Case 1: What is the password for Santa’s Vault?
S3cr3tV@ultPW
Case 1: What is the Flag?
THM{EZ_fl@6!}
Case 2: What is Santa’s favourite thing?
MilkAndCookies
Case 2: What is the password for Santa’s Vault?
3XtrR@_S3cr3tV@ultPW
Case 2: What is the Flag?
THM{m0@r_5t3pS_n0w!}
Case 3: What is the Executive Assistant’s favourite thing?
BanoffeePie
Case 3: What is Santa’s previous password?
H0tCh0coL@t3_01
Case 3: What is Santa’s current password?
H0tCh0coL@t3_02
Case 3: What is the 1st part of the vault’s password?
N3w4nd1m
Case 3: What is the 2nd part of the vault’s password?
Pr0v3dV@ultPW
Case 3: What is the password for Santa’s Vault?
N3w4nd1mPr0v3dV@ultPW
Case 3: What is the Flag?
THM{B@d_Y3t1_1s_n@u6hty}
What is Santa’s Code?
2845
Mission ELFPossible: What is the Abominable for a Day Flag?
THM{D3f3n5e_1n_D3pth_1s_k00L!!}
Advent of Cyber 2022 Day 24 Answers
Please help us improve by answering this 5-minute survey. Make sure to grab the flag before you click “Submit”!
THM{AoC2022!thank_you!}