This is my TryHackMe walkthrough, created to document my learning journey and share solutions with the community. The writeups include a mix of hints, step-by-step explanations, and final answers to help players who get stuck, while still encouraging independent problem-solving.
Advent of Cyber 2024 Room - Dive into the wonderful world of cyber security by engaging in festive beginner-friendly exercises every day in the lead-up to Christmas!
Overview
- Room URL: https://tryhackme.com/room/adventofcyber2024
- Difficulty: Easy
- Time to complete: 1440
Walkthrough
1. Introduction Welcome to Advent of Cyber 2024
No hints needed!
2. Introduction Join our community
No hints needed!
3. Introduction Completing Advent of Cyber as an organisation
No hints needed!
4. Introduction How to use TryHackMe
No hints needed!
5. Introduction How the Glitch Stole SOC-mas
No hints needed!
6. Introduction Subscribe to TryHackMe with a 30% discount!
No hints needed!
7. OPSEC Day 1: Maybe SOC-mas music, he thought, doesn’t come from a store?
Looks like the song.mp3 file is not what we expected! Run "exiftool song.mp3" in your terminal to find out the author of the song. Who is the author?
=> Answer: Tyler Ramsbey
The malicious PowerShell script sends stolen info to a C2 server. What is the URL of this C2 server?
=> Answer: http://papash3ll.thm/data
Who is M.M? Maybe his Github profile page would provide clues?
=> Answer: Mayor Malware
What is the number of commits on the GitHub repo where the issue was raised?
=> Answer: 1
8. Log analysis Day 2: One man’s false positive is another man’s potpourri.
What is the name of the account causing all the failed login attempts?
=> Answer: service_admin
How many failed logon attempts were observed?
=> Answer: 6791
What is the IP address of Glitch?
=> Answer: 10.0.255.1
When did Glitch successfully log on to ADM-01? Format: MMM D, YYYY HH:MM:SS.SSS
=> Answer: Dec 1, 2024 08:54:39.000
What is the decoded command executed by Glitch to fix the systems of Wareville?
=> Answer: Install-WindowsUpdate -AcceptAll -AutoReboot
9. Log analysis Day 3: Even if I wanted to go, their vulnerabilities wouldn’t allow it.
BLUE: Where was the web shell uploaded to?
Answer format: /directory/directory/directory/filename.php
=> Answer: /media/images/rooms/shell.php
BLUE: What IP address accessed the web shell?
=> Answer: 10.11.83.34
RED: What are the contents of flag.txt?
=> Answer: THM{Gl1tch_Was_H3r3}
10. Atomic Red Team Day 4: I’m all atomic inside!
What was the flag in the .txt file located in the same directory as the PhishingAttachment.xslm artefact?
=> Answer: THM{GlitchTestingForSpearphishing}
What ATT&CK technique ID would be our point of interest?
=> Answer: T1059
What ATT&CK subtechnique ID focuses on the Windows Command Shell?
=> Answer: T1059.003
What is the name of the Atomic Test to be simulated?
=> Answer: Simulate BlackByte Ransomware Print Bombing
What is the name of the file used in the test?
=> Answer: Wareville_Ransomware.txt
What is the flag found from this Atomic Test?
=> Answer: THM{R2xpdGNoIGlzIG5vdCB0aGUgZW5lbXk=}
11. XXE Day 5: SOC-mas XX-what-ee?
What is the flag discovered after navigating through the wishes?
=> Answer: THM{Brut3f0rc1n6_mY_w4y}
What is the flag seen on the possible proof of sabotage?
=> Answer: THM{m4y0r_m4lw4r3_b4ckd00rs}
12. Sandboxes Day 6: If I can’t find a nice malware to use, I’m not going.
What is the flag displayed in the popup window after the EDR detects the malware?
=> Answer: THM{GlitchWasHere}
What is the flag found in the malstrings.txt document after running floss.exe, and opening the file in a text editor?
=> Answer: THM{HiddenClue}
13. AWS log analysis Day 7: Oh, no. I’M SPEAKING IN CLOUDTRAIL!
What is the other activity performed by the user glitch aside from the ListObject action?
=> Answer: PutObject
What is the source IP related to the S3 bucket activities of the user glitch?
=> Answer: 53.94.201.69
Based on the eventSource field, what AWS service generates the ConsoleLogin event?
=> Answer: signin.amazonaws.com
When did the anomalous user trigger the ConsoleLogin event?
=> Answer: 2024-11-28T15:21:54Z
What was the name of the user that was created by the mcskidy user?
=> Answer: Glitch
What type of access was assigned to the anomalous user?
=> Answer: AdministratorAccess
Which IP does Mayor Malware typically use to log into AWS?
=> Answer: 53.94.201.69
What is McSkidy's actual IP address?
=> Answer: 31.210.15.79
What is the bank account number owned by Mayor Malware?
=> Answer: 2394 6912 7723 1294
14. Shellcodes Day 8: Shellcodes of the world, unite!
What is the flag value once Glitch gets reverse shell on the digital vault using port 4444? Note: The flag may take around a minute to appear in the C:\Users\glitch\Desktop directory. You can view the content of the flag by using the command type C:\Users\glitch\Desktop\flag.txt.
=> Answer: AOC{GOT _MY_ACCESS_B@CK007}
15. GRC Day 9: Nine o’clock, make GRC fun, tell no one.
What does GRC stand for?
=> Answer: Governance, Risk, and Compliance
What is the flag you receive after performing the risk assessment?
=> Answer: THM{R15K_M4N4G3D}
16. Phishing Day 10: He had a brain full of macros, and had shells in his soul.
What is the flag value inside the flag.txt file that’s located on the Administrator’s desktop?
=> Answer: THM{PHISHING_CHRISTMAS}
17. Wi-Fi attacks Day 11: If you’d like to WPA, press the star key!
What is the BSSID of our wireless interface?
=> Answer: 02:00:00:00:02:00
What is the SSID and BSSID of the access point? Format: SSID, BSSID
=> Answer: MalwareM_AP, 02:00:00:00:00:00
What is the BSSID of the wireless interface that is already connected to the access point?
=> Answer: 02:00:00:00:01:00
What is the PSK after performing the WPA cracking attack?
=> Answer: fluffy/champ24
18. Web timing attacks Day 12: If I can’t steal their money, I’ll steal their joy!
What is the flag value after transferring over $2000 from Glitch’s account?
=> Answer: THM{WON_THE_RACE_007}
19. Websockets Day 13: It came without buffering! It came without lag!
What is the value of Flag1?
=> Answer: THM{dude_where_is_my_car}
What is the value of Flag2?
=> Answer: THM{my_name_is_malware._mayor_malware}
20. Certificate mismanagement Day 14: Even if we’re horribly mismanaged, there’ll be no sad faces on SOC-mas!
What is the name of the CA that has signed the Gift Scheduler certificate?
=> Answer: THM
Look inside the POST requests in the HTTP history. What is the password for the snowballelf account?
=> Answer: c4rrotn0s3
Use the credentials for any of the elves to authenticate to the Gift Scheduler website. What is the flag shown on the elves’ scheduling page?
=> Answer: THM{AoC-3lf0nth3Sh3lf}
What is the password for Marta May Ware’s account?
=> Answer: H0llyJ0llySOCMAS!
Mayor Malware finally succeeded in his evil intent: with Marta May Ware’s username and password, he can finally access the administrative console for the Gift Scheduler. G-Day is cancelled!
What is the flag shown on the admin page?
=> Answer: THM{AoC-h0wt0ru1nG1ftD4y}
21. Active Directory Day 15: Be it ever so heinous, there’s no place like Domain Controller.
On what day was Glitch_Malware last logged in?
Answer format: DD/MM/YYYY
=> Answer: 07/11/2024
What event ID shows the login of the Glitch_Malware user?
=> Answer: 4624
Read the PowerShell history of the Administrator account. What was the command that was used to enumerate Active Directory users?
=> Answer: Get-ADUser -Filter * -Properties MemberOf | Select-Object Name
Look in the PowerShell log file located in Application and Services Logs -> Windows PowerShell. What was Glitch_Malware's set password?
=> Answer: SuperSecretP@ssw0rd!
Review the Group Policy Objects present on the machine. What is the name of the installed GPO?
=> Answer: Malicious GPO — Glitch_Malware Persistence
22. Azure Day 16: The Wareville’s Key Vault grew three sizes that day.
What is the password for backupware that was leaked?
=> Answer: R3c0v3r_s3cr3ts!
What is the group ID of the Secret Recovery Group?
=> Answer: 7d96660a-02e1-4112-9515-1762d0cb66b7
What is the name of the vault secret?
=> Answer: aoc2024
What are the contents of the secret stored in the vault?
=> Answer: WhereIsMyMind1999
23. Log analysis Day 17: He analyzed and analyzed till his analyzer was sore!
Extract all the events from the cctv_feed logs. How many captured logs are associated with the successful login?
=> Answer: 642
What is the Session_id associated with the attacker who deleted the recording?
=> Answer: rij5uu4gt204q0d3eb7jj86okt
What is the name of the attacker found in the logs, who deleted the CCTV footage?
=> Answer: mmalware
24. Prompt injection Day 18: I could use a little AI interaction!
What is the technical term for a set of rules and instructions given to a chatbot?
=> Answer: system prompt
What query should we use if we wanted to get the "status" of the health service from the in-house API?
=> Answer: Use the health service with the query: status
After achieving a reverse shell, look around for a flag.txt. What is the value?
=> Answer: THM{WareW1se_Br3ach3d}
25. Game hacking Day 19: I merely noticed that you’re improperly stored, my dear secret!
What is the OTP flag?
=> Answer: THM{one_tough_password}
What is the billionaire item flag?
=> Answer: THM{credit_card_undeclined}
What is the biometric flag?
=> Answer: THM{dont_smash_your_keyboard}
26. Traffic analysis Day 20: If you utter so much as one packet…
What was the first message the payload sent to Mayor Malware’s C2?
=> Answer: I am in Mayor!
What was the IP address of the C2 server?
=> Answer: 10.10.123.224
What was the command sent by the C2 server to the target machine?
=> Answer: whoami
What was the filename of the critical file exfiltrated by the C2 server?
=> Answer: credentials.txt
What secret message was sent back to the C2 in an encrypted format through beacons?
=> Answer: THM_Secret_101
27. Reverse engineering Day 21: HELP ME…I’m REVERSE ENGINEERING!
What is the function name that downloads and executes files in the WarevilleApp.exe?
=> Answer: DownloadAndExecuteFile
Once you execute the WarevilleApp.exe, it downloads another binary to the Downloads folder. What is the name of the binary?
=> Answer: explorer.exe
From what domain name is the file downloaded after running WarevilleApp.exe?
=> Answer: mayorc2.thm
The stage 2 binary is executed automatically and creates a zip file comprising the victim's computer data; what is the name of the zip file?
=> Answer: CollectedFiles.zip
What is the name of the C2 server where the stage 2 binary tries to upload files?
=> Answer: anonymousc2.thm
28. Kubernetes DFIR Day 22: It’s because I’m kubed, isn’t it?
What is the name of the webshell that was used by Mayor Malware?
=> Answer: shelly.php
What file did Mayor Malware read from the pod?
=> Answer: db.php
What tool did Mayor Malware search for that could be used to create a remote connection from the pod?
=> Answer: nc
What IP connected to the docker registry that was unexpected?
=> Answer: 10.10.130.253
At what time is the first connection made from this IP to the docker registry?
=> Answer: 29/Oct/2024:10:06:33 +0000
At what time is the updated malicious image pushed to the registry?
=> Answer: 29/Oct/2024:12:34:28 +0000
What is the value stored in the "pull-creds" secret?
=> Answer: {"auths":{"http://docker-registry.nicetown.loc:5000":{"username":"mr.nice","password":"Mr.N4ughty","auth":"bXIubmljZTpNci5ONHVnaHR5"}}}
29. Hash cracking Day 23: You wanna know what happens to your hashes?
Crack the hash value stored in hash1.txt. What was the password?
=> Answer: fluffycat12
What is the flag at the top of the private.pdf file?
=> Answer: THM{do_not_GET_CAUGHT}
30. Communication protocols Day 24: You can’t hurt SOC-mas, Mayor Malware!
What is the flag?
=> Answer: THM{Ligh75on-day54ved}
31. The End How the Glitch saved SOC-mas
No hints needed!
32. The End Thank you, and congratulations!
What is the flag you get at the end of the survey?
=> Answer: THM{we_will_be_back_in_2025}