This is the write-up for the room Advent of Cyber 3 (2021) on TryHackMe. It is part of the yearly Christmas cyber security event where you learn the basics by doing one task every day for 25 days.
Connect with the VPN or use the AttackBox on the TryHackMe site to reach the lab environment if needed.
Task 1 / Task 5
Read everything in these tasks and press complete
Task 6 – Day 1 – Web Exploitation Save the Gifts
Read everything in the task. This one is really simple; we just need to adjust the ID
1.1 After finding Santa’s account, what is their position in the company?
Change the ID to 1, so the complete URL looks like
https://inventory-management.thm/activity?user_id=1
Answer: The Boss!
1.2 After finding McStocker’s account, what is their position in the company?
Change the ID to 3
Answer: Build Manager
1.3 After finding the account responsible for tampering, what is their position in the company?
Change the ID to 9
Answer: Mischief Manager
1.4 What is the received flag when McSkidy fixes the Inventory Management System?
Click on every revert action of user_id 9 found in the previous question. The flag reveals itself once all of them have been clicked/reverted
If you want to learn more about IDOR vulnerabilities, try the IDOR room on TryHackMe
Task 7 – Day 2 – Web Exploitation Elf HR Problems
Open the following website in Firefox: Best Festival Company (tryhackme.cloud) and register a new account.
7.1 What is the name of the new cookie that was created for your account?
Once you have registered a new account, press F12 to open the developer console. Click on the Storage tab and select the cookie that was just created
Answer: user-auth
7.2 What encoding type was used for the cookie value?
Navigate to CyberChef, copy the value of the cookie into the input field and select the From Hex operation
Answer: hexadecimal
7.3 What object format is the data of the cookie stored in?
Looking at the output in CyberChef, we see that it is in JSON format
Answer: JSON
7.3 What is the value of the administrator cookie? (username = admin)
We know the format is JSON encoded as hex, and we know the username is admin.
Copy the output from the previous question into the input field, change From Hex to To Hex with delimiter None, then change your login name to admin
The answer is the output in CyberChef
7.3 What team environment is not responding?
Now go back to your cookie in Firefox and change its value to the hex output from the previous question
Navigate to the original site https://static-labs.tryhackme.cloud/sites/aoc-cookies/
We have now bypassed the login screen and are logged in as admin
Answer: HR
7.4 What team environment has a network warning?
Answer: Application
For more information about HTTP requests, methods, and headers, check out the Web Fundamentals room!
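As an added example (not part of the original write-up), here is the task's decode step in Python beside the fix a developer would apply: an HMAC tag over the cookie body, so a client-side edit of the JSON is rejected. The sample cookie and the server secret are constructed values.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed sample in the shape the task describes: a JSON object hex-encoded
# with no integrity protection. Not the real lab cookie value.
SAMPLE_COOKIE = json.dumps({"company": "Best Festival Company", "username": "elf"}).encode().hex()

def decode_cookie(hex_value: str) -> dict:
    """The CyberChef recipe from the task in code: From Hex, then parse JSON."""
    return json.loads(bytes.fromhex(hex_value))

def encode_cookie(payload: dict) -> str:
    """The reverse recipe: JSON, then To Hex. Anyone can produce a valid-looking cookie."""
    return json.dumps(payload).encode().hex()

# Hardened scheme: the server appends an HMAC over the hex body, keyed with a
# secret that never leaves the server (assumed value, for the example only).
SERVER_SECRET = b"assumed-server-secret"

def sign_cookie(payload: dict, secret: bytes = SERVER_SECRET) -> str:
    body = encode_cookie(payload)
    tag = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"

def verify_cookie(value: str, secret: bytes = SERVER_SECRET) -> Optional[dict]:
    """Return the payload only if the tag matches; None for a missing or forged tag."""
    body, sep, tag = value.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return decode_cookie(body)
```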
Task 8 – Day 3 – Christmas Blackout
Read everything in this task. Start the machine attached to it and wait until you see the IP address. If you are not connected through the VPN, use the AttackBox. This task is web based
8.1 Using a common wordlist for discovering content, enumerate http://10.10.23.238 to find the location of the administrator dashboard. What is the name of the folder?
Navigate to the address http://MACHINE_IP
We see a website that we need to enumerate with DirBuster to find the administrator dashboard
Open DirBuster (I always open a terminal and type dirbuster)
Fill in the target URL
Put the threads on max
Browse to a wordlist. In Kali, the wordlists are located in /usr/share/wordlists
After pressing Start, click on the tab Results – Tree View and notice the admin directory
Answer: admin
8.2 In your web browser, try some default credentials on the newly discovered login form for the “administrator” user. What is the password?
Navigate to http://MACHINE_IP/admin
Now we are going to guess this password. If you read the task carefully, especially the default credentials part, they have more or less given you the password
Login: Administrator
PWD: administrator
Answer: administrator
8.3 Access the admin panel. What is the value of the flag?
The flag is located on the bottom and starts with THM{
Task 9 – Day 4 – Santa’s Running Behind
Read everything in the task. If you are connected through the VPN and not using the AttackBox, follow this guide: Configure Burpsuite with Firefox
Access the login form at http://MACHINE_IP
Open Burp Suite
Make sure FoxyProxy is set to Burp
Submit some dummy credentials and intercept the request.
All traffic, including Firefox's, now goes through Burp; hit the Forward button until you see the password request in Burp Suite.
Once you see it in Burp Suite, hit the Action button and send it to Intruder
9.1 What valid password can you use to access the “santa” account?
We know the login is santa and we now want to find the password by brute force with Burp Suite
In Burp Suite click on the Intruder tab and within Intruder click on Positions. We first need to tell Burp Suite which positions we want to fuzz.
Click on the Clear button
Select attack type -> Cluster bomb
Select the username and click on Add
Select the password and click on Add
The password list we are going to use can be found here; we will also use this list for login names: https://assets.tryhackme.com/additional/aoc2021/day4/passwords.txt
We will configure Burp to use this list for both the password and the login name. Position 1 is now the username and position 2 the password. Normally, if you already know the login name, you do not mark the username as a position when sending the request to Intruder as we just did; I'm doing it here to show that you can also rotate usernames together with passwords by loading different lists
This list is very small, so you can copy it and paste it in; normally lists are bigger and you need to load them from a file. For now, copy the list and press Paste
Once the payload for position 1 is set, select position 2 and do the same
Once the lists are loaded, press the Start attack button
Below you see the progress bar. Once it has finished, take a look at the Length column; you will notice a different value for the row where the login is correct
Answer: cookie
9.2 What is the flag in Santa’s itinerary?
Turn off the Burp proxy in Firefox. Reload the page and use the credentials we just found
The flag is on this page and starts with THM{
Task 10 – Day 5 – Pesky Elf Forum
This is a really easy task; just follow everything in it and you will find the flag
Task 11 – Day 6 – Patch management is Hard
Deploy the machine attached to this task and read everything in it
11.1 Deploy the attached VM and look around. What is the entry point for our web application?
Open Firefox and navigate to the page provided in the task: HTTP://MACHINE_IP.p.thmlabs.com/
We now see err=error.txt in the URL, so this PHP file reads from local files
Answer: err
11.2 Use the entry point to perform LFI to read the /etc/flag file. What is the flag?
Type /etc/flag after err= and press Enter
The flag will show itself on the page
11.3 Use the PHP filter technique to read the source code of the index.php. What is the $flag variable’s value?
In order to read the file without executing it, we have PHP base64-encode it first. Type the following after err=
php://filter/convert.base64-encode/resource=index.php
Now copy the base64 string and go to CyberChef to decode it
The flag is on the second line of the PHP code
11.4 Now that you read the index.php, there is a login credential PHP file’s path. Use the PHP filter technique to read its content. What are the username and password?
Now that we have the code of index.php, look at the third line: it includes creds.php. Let's get it by typing the following after err=
php://filter/convert.base64-encode/resource=./includes/creds.php
Do not forget the dot before /includes. It means the web root (the current directory) and then the subfolder
Now we have another base64 string. Decode it with CyberChef and you will get the credentials
The answer is in the format username:password
11.5 Use the credentials to login into the web application. Help McSkidy to recover the server’s password. What is the password of the flag.thm.aoc server?
On the webpage press Home and then the Login text, or just go to login.php directly
https://MACHINE_IP.p.thmlabs.com/login.php
Log in with the credentials you found and click on Password Recovery
11.6 The web application logs all users’ requests, and only authorized users can read the log file. Use the LFI to gain RCE via the log file page. What is the hostname of the webserver? The log file location is at ./includes/logs/app_access.log.
We are still logged in. Click on Log Access and then on Reset Logs. You do not have to, but I did it to find what I'm looking for faster
Now log out
Go to the login page and type into the login field
Press Sign In and it will tell you the user is invalid, but in the background it wrote the info to the log
Now we use the LFI to read the log file
https://10-10-122-135.p.thmlabs.com/index.php?err=./includes/logs/app_access.log
Answer: lfi-aoc-awesome-59aedca683fff9261263bb084880c965
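An added detection example (not from the write-up or the lab) that runs over constructed access-log lines and flags the kinds of err= values used in this task: absolute paths, php:// wrappers, traversal and reads of the log file itself. The log format and the IP addresses are assumptions.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample in Apache combined-style format (not the lab's real log).
SAMPLE_LOG = """\
10.0.0.5 - - [06/Dec/2021:10:01:02 +0000] "GET /index.php?err=error.txt HTTP/1.1" 200 512
10.0.0.9 - - [06/Dec/2021:10:01:10 +0000] "GET /index.php?err=/etc/flag HTTP/1.1" 200 64
10.0.0.9 - - [06/Dec/2021:10:01:20 +0000] "GET /index.php?err=php://filter/convert.base64-encode/resource=index.php HTTP/1.1" 200 2048
10.0.0.9 - - [06/Dec/2021:10:01:30 +0000] "GET /index.php?err=./includes/logs/app_access.log HTTP/1.1" 200 4096
10.0.0.9 - - [06/Dec/2021:10:01:40 +0000] "GET /index.php?err=%2e%2e/%2e%2e/etc/flag HTTP/1.1" 200 1024
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
WRAPPER_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)

def classify_err(value: str) -> Optional[str]:
    """Label an err= value, or return None when it looks like a normal file name."""
    v = unquote(value)  # parse_qs decoded once already; catch double encoding
    if WRAPPER_RE.match(v):
        return "php-wrapper"      # php://filter, data://, expect:// and friends
    if ".." in v.replace("\\", "/").split("/"):
        return "traversal"
    if v.startswith("/"):
        return "absolute-path"    # e.g. /etc/flag
    if v.endswith(".log"):
        return "log-file-read"    # the precursor to log poisoning RCE
    return None

def scan_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (client ip, label, err value) for every suspicious request."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        ip = line.split(" ", 1)[0]
        qs = parse_qs(urlsplit(m.group(1)).query)
        for err in qs.get("err", []):
            label = classify_err(err)
            if label:
                findings.append((ip, label, err))
    return findings
```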
Task 12 – Day 7 – Web Exploitation – Migration Without Security
Read everything in this task and start the machine attached to it
12. Interact with the MongoDB server to find the flag. What is the flag?
If you followed the instructions, you are already connected to the machine over SSH
Type the following commands to retrieve the flag (case sensitive):
- show databases
- use flagdb
- db.getCollectionNames();
- db.flagColl.find()
The flag reveals itself after the last command
12.2 Can you log into the application that Grinch Enterprise controls as admin and retrieve the flag?
Open the webpage http://MACHINE_IP in Firefox
Open Burp Suite and turn on the proxy in Firefox. If you do not know how, follow this guide:
Configure Burpsuite with Firefox – The Dutch Hacker
We know the username is admin. Fill this in in both the username and password fields
Press Forward in Burp until you see the login request, then add [$ne] after the word password and press Forward
Turn off Burp in Firefox and click on the flag link
12.3 Once you are logged in, use the gift search page to list all usernames that have guest roles. What is the flag?
Navigate to the dashboard, then click on Search
Type any search string, press Enter and look at the URL
Type the following after username: [$ne]=guest&role=guest
The flag is on this page
12.4 Use the gift search page to perform NoSQL injection and retrieve the mcskidy record. What is the details record?
This user probably has another role.
Type the following after username: =mcskidy&role[$ne]=user
Answer: ID:6184f516ef6da50433f100f4:mcskidy:admin
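An added example, not the lab's code: it models how a query string like username[$ne]=guest is expanded by a permissive framework into a MongoDB filter carrying an injected operator, and shows the fix of letting only plain strings reach the query. The user list, the query parsing and the tiny filter evaluator are assumptions.

```python
import re
from urllib.parse import parse_qsl

KEY_RE = re.compile(r"^(\w+)\[(\$?\w+)\]$")

def parse_query_loosely(query: str) -> dict:
    """Assumed framework behaviour: username[$ne]=x becomes {"username": {"$ne": "x"}}."""
    out = {}
    for key, value in parse_qsl(query):
        m = KEY_RE.match(key)
        if m:
            out.setdefault(m.group(1), {})[m.group(2)] = value
        else:
            out[key] = value
    return out

def build_filter_unsafe(params: dict) -> dict:
    """Hands user-controlled values, nested objects included, straight to the query."""
    return {"username": params.get("username"), "role": params.get("role")}

def build_filter_safe(params: dict):
    """Only plain strings reach the query; a nested object (operator) is rejected."""
    clean = {}
    for field in ("username", "role"):
        value = params.get(field)
        if not isinstance(value, str):
            return None   # reject operator objects and missing fields
        clean[field] = value
    return clean

# Constructed in-memory stand-in for the users collection (not the lab's data).
USERS = [
    {"username": "admin", "role": "admin"},
    {"username": "mcskidy", "role": "admin"},
    {"username": "elf1", "role": "guest"},
]

def matches(doc: dict, flt: dict) -> bool:
    """Evaluates equality and $ne, enough to show what the injected operator does."""
    for field, cond in flt.items():
        if isinstance(cond, dict):
            if "$ne" in cond and doc.get(field) == cond["$ne"]:
                return False
        elif doc.get(field) != cond:
            return False
    return True

def search(query: str, safe: bool):
    """Matching usernames, or None when the safe builder rejected the input."""
    params = parse_query_loosely(query)
    flt = build_filter_safe(params) if safe else build_filter_unsafe(params)
    return None if flt is None else [d["username"] for d in USERS if matches(d, flt)]
```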
Task 13 – Day 8 – Santa’s bag of Toys
Start the machine attached to this task and use the terminal to set up a remote desktop connection to the Windows machine:
xfreerdp /u:Administrator /p:grinch123! /v:10.10.175.187
13.1 What operating system is Santa’s laptop running (“OS Name”)?
Open the folder named SantasLaptopLogs on the desktop
Open the file called PowerShell_transcript.LAPTOP._s3k_jad.20211128153510
Scroll down and you will see the name of the OS
Answer: Microsoft Windows 11 Pro
13.2 What was the password set for the new “backdoor” account?
Open the log named PowerShell_transcript.LAPTOP.k_dg27us.20211128153538
Scroll down a little to see the command net user s4nta grinchstolechristmas /add
Answer: grinchstolechristmas
13.3 In one of the transcription logs, the bad actor interacts with the target under the new backdoor user account, and copies a unique file to the Desktop. Before it is copied to the Desktop, what is the full path of the original file?
Open the file called PowerShell_transcript.LAPTOP.Zw6PA+c4.20211128153734
We see the copy command being used
Answer: C:\Users\santa\AppData\Local\Microsoft\Windows\UsrClass.dat
13.4 The actor uses a Living Off The Land binary (LOLbin) to encode this file, and then verifies it succeeded by viewing the output file. What is the name of this LOLbin?
Opening the URL provided in the question, we see that it has to do with certutil
Looking in the log, it is used to encode a file
Answer: certutil.exe
Now copy everything in the log between the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- markers. Open CyberChef, which is on the desktop, decode the text (certutil -encode produces base64) and download the output file
Now follow the rest of the task and open the file you just downloaded with the program provided in the task
13.5 Drill down into the folders and see if you can find anything that might indicate how we could better track down what this SantaRat really is. What specific folder name clues us in that this might be publicly accessible software hosted on a code-sharing platform?
We see the santarat folder on the desktop. Opening it, we see .github
Answer: .github
13.6 Additionally, there is a unique folder named “Bag of Toys” on the Desktop! This must be where Santa prepares his collection of toys, and this is certainly sensitive data that the actor could have compromised. What is the name of the file found in this folder?
Navigate to the folder. There is only one file in it
Answer: bag_of_toys.zip
13.7 What is the name of the user that owns the SantaRat repository?
Here is the GitHub repository I found: GitHub – Grinchiest/SantaRat: A remote access trojan to use against Santa’s laptop!
Answer: Grinchiest
13.8 Explore the other repositories that this user owns. What is the name of the repository that seems especially pertinent to our investigation?
Answer: operation-bag-of-toys
13.9 What is the name of the executable that installed a unique utility the actor used to collect the bag of toys?
Back to the log files. Open the log named PowerShell_transcript.LAPTOP.b+XfnW7t.20211128154858
In the log we see that it downloaded a file
Answer: uharc-cmd-install.exe
13.10 What are the contents of these “malicious” files (coal, mold, and all the others)?
The easiest way is to download the zip file from GitHub and open one of the files inside it with Notepad
If you want to find the password, open the commit in the GitHub repository
Answer: GRINCHMAS
13.11 What is the password to the original bag_of_toys.uha archive?
13.12 How many original files were present in Santa’s Bag of Toys?
Answer: 228
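An added triage example (not from the write-up or the lab): it scans a constructed PowerShell transcript for the three actions the task walks through, account creation with net user, copying UsrClass.dat and encoding it with certutil, and reports what each command touched. The transcript text is constructed from the commands quoted in this task; the paths and prompt are assumptions.

```python
import re
from typing import List, Tuple

# Constructed excerpt in the style of a PowerShell transcript (not the lab's real log).
SAMPLE_TRANSCRIPT = """\
**********************
Windows PowerShell transcript start
Start time: 20211128153538
Username: LAPTOP\\santa
**********************
PS C:\\Users\\santa> net user s4nta grinchstolechristmas /add
The command completed successfully.
PS C:\\Users\\santa> copy C:\\Users\\santa\\AppData\\Local\\Microsoft\\Windows\\UsrClass.dat C:\\Users\\s4nta\\Desktop\\UsrClass.dat
PS C:\\Users\\santa> certutil -encode C:\\Users\\s4nta\\Desktop\\UsrClass.dat C:\\Users\\s4nta\\Desktop\\UsrClass.txt
PS C:\\Users\\santa> Get-ChildItem
"""

# Each rule captures the detail an analyst wants: the new account, the source file, the encoded file.
RULES = [
    ("local-account-created", re.compile(r"\bnet(?:\.exe)?\s+user\s+(\S+)\s+\S+\s+/add\b", re.I)),
    ("registry-hive-copied", re.compile(r"\bcopy\s+(\S+UsrClass\.dat)", re.I)),
    ("lolbin-certutil-encode", re.compile(r"\bcertutil(?:\.exe)?\s+-encode\s+(\S+)", re.I)),
]

def triage_transcript(text: str) -> List[Tuple[str, str]]:
    """Return (rule name, captured detail) for every typed command that matches a rule."""
    findings = []
    for line in text.splitlines():
        if not line.startswith("PS "):
            continue   # only the commands the actor typed, not their output
        cmd = line.split(">", 1)[1].strip()
        for name, pattern in RULES:
            m = pattern.search(cmd)
            if m:
                findings.append((name, m.group(1)))
    return findings
```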
Task 14 – Day 9 – Networking – Where is all this data going
Read everything in this task and download the pcap file attached to it. If you do not have Wireshark installed on your machine, you can download it here: Download Wireshark
Open Wireshark
Go to File -> Open and select the PCAP file you just downloaded
Follow the task before you go into the questions
14.1 In the HTTP #1 – GET requests section, which directory is found on the web server?
Filter on http, then click on the first packet. Make sure you expand the Hypertext Transfer Protocol section
Answer: Login
14.2 What is the username and password used in the login page in the HTTP #2 – POST section?
Filter: http.request.method == POST
Click on the first packet
The answer is under HTML Form URL Encoded
Answer: McSkidy:Christmas2021!
14.3 What is the User-Agent’s name that has been sent in HTTP #2 – POST section?
Stay in the same packet and look under Hypertext Transfer Protocol
Answer: User-Agent: TryHackMe-UserAgent-THM{d8ab1be969825f2c5c937aec23d55bc9}
14.4 In the DNS section, there is a TXT DNS query. What is the flag in the message of that DNS query?
Filter on dns
Scroll down until you see a TXT query
14.5 In the FTP section, what is the FTP login password?
Filter on ftp
14.6 In the FTP section, what is the FTP command used to upload the secret.txt file?
Filter on ftp-data
Answer: STOR
14.7 In the FTP section, what is the content of the secret.txt file?
Same packet
Answer: 123^-^32
Task 15 – Day 10 – Offensive is the Best Defence
Start the machine attached to this task and open a terminal
If you want all questions answered in one scan, use nmap -T4 -A -p- MACHINE_IP
15.5 Help McSkidy and run nmap -sT 10.10.72.99. How many ports are open between 1 and 100?
Answer: 2
15.6 What is the smallest port number that is open?
Answer: 22
15.7 Now run nmap -sS 10.10.72.99. Did you get the same results? (Y/N)
Answer: Y
15.8 If you want Nmap to detect the version info of the services installed, you can use nmap -sV 10.10.72.99. What is the version number of the web server?
Answer: Apache httpd 2.4.49
15.9 What is the CVE number of the vulnerability that was solved in version 2.4.51?
Answer: CVE-2021-42013
15.10 What is the port number that appeared in the results now?
Use the command nmap -T4 -A -p- MACHINE_IP
Answer: 20212
15.11 What is the name of the program listening on the newly discovered port?
Answer: telnetd