Advent of Cyber 2024{ALL DAYS} Tryhackme Answers | Write-ups
{ DAY — 1 }
Answer the questions below :
Q1) Looks like the song.mp3 file is not what we expected! Run “exiftool song.mp3” in your terminal to find out the author of the song. Who is the author?
Answers :- Tyler Ramsbey
Q2) The malicious PowerShell script sends stolen info to a C2 server. What is the URL of this C2 server?
Answers :- http://papash3ll.thm/data
Q3) Who is M.M? Maybe his Github profile page would provide clues?
Answers :- Mayor Malware
Q4) What is the number of commits on the GitHub repo where the issue was raised?
Answers :- 1
Q5) If you enjoyed this task, feel free to check out the OPSEC room!
Answers :- No answer needed
Q6) What’s with all these GitHub repos? Could they hide something else?
Answers :- No answer needed
{ DAY — 2 }
Answer the questions below :
Q1) What is the name of the account causing all the failed login attempts?
Answers :- service_admin
Q2) How many failed logon attempts were observed?
Answers :- 6791
Q3) What is the IP address of Glitch?
Answers :- 10.0.255.1
Q4) When did Glitch successfully logon to ADM-01? Format: MMM D, YYYY HH:MM:SS.SSS
Answers :- Dec 1, 2024 08:54:39.000
Q5) What is the decoded command executed by Glitch to fix the systems of Wareville?
Answers :- Install-WindowsUpdate -AcceptAll -AutoReboot
Q6) If you enjoyed this task, feel free to check out the Investigating with ELK 101 room.
Answers :- No answer needed
{ DAY — 3 }
Answer the questions below :
Q1) BLUE: Where was the web shell uploaded to?
Answer format: /directory/directory/directory/filename.php
Answers :- /media/images/rooms/shell.php
Q2) BLUE: What IP address accessed the web shell?
Answers :- 10.11.83.34
Q3) RED: What are the contents of the flag.txt?
Answers :- THM{Gl1tch_Was_H3r3}
Q4) If you liked today’s task, you can learn how to harness the power of advanced ELK queries.
Answers :- No answer needed
{ DAY — 4 }
Answer the questions below :
Q1) What was the flag found in the .txt file that is found in the same directory as the PhishingAttachment.xslm artefact?
Answers :- THM{GlitchTestingForSpearphishing}
Q2) What ATT&CK technique ID would be our point of interest?
Answers :- T1059
Q3) What ATT&CK subtechnique ID focuses on the Windows Command Shell?
Answers :- T1059.003
Q4) What is the name of the Atomic Test to be simulated?
Answers :- Simulate BlackByte Ransomware Print Bombing
Q5) What is the name of the file used in the test?
Answers :- Wareville_Ransomware.txt
Q6) What is the flag found from this Atomic Test?
Answers :- THM{R2xpdGNoIGlzIG5vdCB0aGUgZW5lbXk=}
Q7) Learn more about the Atomic Red Team via the linked room.
Answers :- No answer needed
{ DAY — 5 }
Answer the questions below
Q1) What is the flag discovered after navigating through the wishes?
Answers :- THM{Brut3f0rc1n6_mY_w4y}
Q2) What is the flag seen on the possible proof of sabotage?
Answers :- THM{m4y0r_m4lw4r3_b4ckd00rs}
Q3) If you want to learn more about the XXE injection attack, check out the XXE room!
Answers :- No answer needed
Q4) Following McSkidy’s advice, Software recently hardened the server. It used to have many unneeded open ports, but not anymore. Not that this matters in any way.
Answers :- No answer needed
{ DAY — 6 }
Answer the questions below :
Q1) What is the flag displayed in the popup window after the EDR detects the malware?
Answers :- THM{GlitchWasHere}
Q2) What is the flag found in the malstrings.txt document after running floss.exe, and opening the file in a text editor?
Answers :- THM{HiddenClue}
Q3) If you want to know more about sandboxes, have a look at the room FlareVM: Arsenal of Tools.
Answers :- No answer needed
{ DAY — 7 }
Q1) What is the other activity made by the user glitch aside from the ListObject action?
Answers :- PutObject
Q2) What is the source IP related to the S3 bucket activities of the user glitch?
Answers :- 53.94.201.69
Q3) Based on the eventSource field, what AWS service generates the ConsoleLogin event?
Answers :- signin.amazonaws.com
Q4) When did the anomalous user trigger the ConsoleLogin event?
Answers :- 2024-11-28T15:21:54Z
Q5) What was the name of the user that was created by the mcskidy user?
Answers :- glitch
Q6) What type of access was assigned to the anomalous user?
Answers :- AdministratorAccess
Q7) Which IP does Mayor Malware typically use to log into AWS?
Answers :- 53.94.201.69
Q8) What is McSkidy’s actual IP address?
Answers :- 31.210.15.79
Q9) What is the bank account number owned by Mayor Malware?
Answers :- 2394 6912 7723 1294
Q10) Want to learn more about log analysis and how to interpret logs from different sources? Check out the Log Universe room!
Answers :- No answer needed
{ DAY — 8 }
Answer the questions below
Q1) What is the flag value once Glitch gets reverse shell on the digital vault using port 4444? Note: The flag may take around a minute to appear in the C:\Users\glitch\Desktop directory. You can view the content of the flag by using the command type C:\Users\glitch\Desktop\flag.txt.
Answers :- AOC{GOT_MY_ACCESS_B@CK007}
Q2) Are you interested in learning more about evasion? Take a look at the AV Evasion: Shellcode room.
Answers :- No answer needed
{ DAY — 9 }
Answer the questions below
Q1) What does GRC stand for?
Answers :- Governance, Risk, and Compliance
Q2) What is the flag you receive after performing the risk assessment?
Answers :- THM{R15K_M4N4G3D}
Q3) If you enjoyed this task, feel free to check out the Risk Management room.
Answers :- No answer needed
{ DAY — 10 }
The Story
Mayor Malware had one, just one SOC-mas wish:
The SOC organiser would fall for his phish!
Well on top of this, he wanted as well,
Once the email opened, to gain a rev shell.
Answer the questions below :
Q1) What is the flag value inside the flag.txt file that’s located on the Administrator’s desktop?
Answers :- THM{PHISHING_CHRISTMAS}
Q2) If you enjoyed this task, feel free to check out the Phishing module.
Answers :- No answer needed
{ DAY — 11 }
Answer the questions below
Q1) What is the BSSID of our wireless interface?
Answers :- 02:00:00:00:02:00
Q2) What is the SSID and BSSID of the access point? Format: SSID, BSSID
Answers :- MalwareM_AP, 02:00:00:00:00:00
Q3) What is the BSSID of the wireless interface that is already connected to the access point?
Answers :- 02:00:00:00:01:00
Q4) What is the PSK after performing the WPA cracking attack?
Answers :- fluffy/champ24
Q5) If you enjoyed this task, feel free to check out the Networking module.
Answers :- No answer needed
{ DAY — 12 }
Answer the questions below
Q1) What is the flag value after transferring over $2000 from Glitch’s account?
Answers :- THM{WON_THE_RACE_007}
Q2) If you enjoyed this task, feel free to check out the Race Conditions room!
Answers :- No answer needed
Q3) Where balances shift and numbers soar, look for an entry — an open door!
Answers :- No answer needed
{ DAY — 13 }
Answer the questions below
Q1) What is the value of Flag1?
Answers :- THM{dude_where_is_my_car}
Q2) What is the value of Flag2?
Answers :- THM{my_name_is_malware._mayor_malware}
Q3) If you enjoyed this task, feel free to check out the Burp Suite module.
Answers :- No answer needed
{ DAY — 14 }
Answer the questions below
Q1) What is the name of the CA that has signed the Gift Scheduler certificate?
Answers :- THM
Q2) Look inside the POST requests in the HTTP history. What is the password for the snowballelf account?
Answers :- c4rrotn0s3
Q3) Use the credentials for any of the elves to authenticate to the Gift Scheduler website. What is the flag shown on the elves’ scheduling page?
Answers :- THM{AoC-3lf0nth3Sh3lf}
Q4) What is the password for Marta May Ware’s account?
Answers :- H0llyJ0llySOCMAS!
Q5) Mayor Malware finally succeeded in his evil intent: with Marta May Ware’s username and password, he can finally access the administrative console for the Gift Scheduler. G-Day is cancelled!
What is the flag shown on the admin page?
Answers :- THM{AoC-h0wt0ru1nG1ftD4y}
Q6) If you enjoyed this task, feel free to check out the Burp Suite module.
Answers :- No answer needed
{ DAY — 15 }
Answer the questions below
Q1) Use the “Security” tab within Event Viewer to answer questions 1 and 2.
Answers :- No answer needed
Q2) On what day was Glitch_Malware last logged in?
Answer format: DD/MM/YYYY
Answers :- 07/11/2024
Q3) What event ID shows the login of the Glitch_Malware user?
Answers :- 4624
Q4) Read the PowerShell history of the Administrator account. What was the command that was used to enumerate Active Directory users?
Answers :- Get-ADUser -Filter * -Properties MemberOf | Select-Object Name
Q5) Look in the PowerShell log file located in Application and Services Logs -> Windows PowerShell. What was Glitch_Malware's set password?
Answers :- SuperSecretP@ssw0rd!
Q6) Review the Group Policy Objects present on the machine. What is the name of the installed GPO?
Answers :- Malicious GPO — Glitch_Malware Persistence
Q7) If you enjoyed this task, feel free to check out the Active Directory Hardening room.
Answers :- No answer needed
{ DAY — 16 }
Answer the questions below
Q1) What is the password for backupware that was leaked?
Answers :- R3c0v3r_s3cr3ts!
Q2) What is the group ID of the Secret Recovery Group?
Answers :- 7d96660a-02e1-4112-9515-1762d0cb66b7
Q3) What is the name of the vault secret?
Answers :- aoc2024
Q4) What are the contents of the secret stored in the vault?
Answers :- WhereIsMyMind1999
Q5) Liked today’s task? Check the Exploiting Active Directory room to practice user and group enumeration in a similar yet different environment!
Answers :- No answer needed
{ DAY — 17 }
Answer the questions below
Q1) Extract all the events from the cctv_feed logs. How many logs were captured associated with the successful login?
Answers :- 642
Q2) What is the Session_id associated with the attacker who deleted the recording?
Answers :- rij5uu4gt204q0d3eb7jj86okt
Q3) What is the name of the attacker found in the logs, who deleted the CCTV footage?
Answers :- mmalware
Q4) Check out the Splunk: Data Manipulation room to learn more about parsing and manipulating data in Splunk.
Answers :- No answer needed
Q5) Good thing we had a backup of the CCTV application from yesterday. We got it running again in no time!
Answers :- No answer needed
{ DAY — 18 }
Answer the questions below
Q1) What is the technical term for a set of rules and instructions given to a chatbot?
Answers :- system prompt
Q2) What query should we use if we wanted to get the “status” of the health service from the in-house API?
Answers :- Use the health service with the query: status
Q3) Perform a prompt injection attack that leads to a reverse shell on the target machine.
Answers :- No answer needed
Q4) After achieving a reverse shell, look around for a flag.txt. What is the value?
Answers :- THM{WareW1se_Br3ach3d}
Q5) If you liked today’s task, you can practice your skills by prompt injecting “Van Chatty” (Day 1) of Advent of Cyber 2023.
Answers :- No answer needed
{ DAY — 19 }
Answer the questions below
Q1) What is the OTP flag?
Answers :- THM{one_tough_password}
Q2) What is the billionaire item flag?
Answers :- THM{credit_card_undeclined}
Q3) What is the biometric flag?
Answers :- THM{dont_smash_your_keyboard}
Q4) If you liked today’s task, you can practice your skills with “Memories of Christmas Past” from Advent of Cyber 2023.
Answers :- No answer needed
Q5) The second penguin gave pretty solid advice. Maybe you should listen to him more.
Answers :- No answer needed
{ DAY — 20 }
Answer the questions below
Q1) What was the first message the payload sent to Mayor Malware’s C2?
Answers :- I am in Mayor!
Q2) What was the IP address of the C2 server?
Answers :- 10.10.123.224
Q3) What was the command sent by the C2 server to the target machine?
Answers :- whoami
Q4) What was the filename of the critical file exfiltrated by the C2 server?
Answers :- credentials.txt
Q5) What secret message was sent back to the C2 in an encrypted format through beacons?
Answers :- THM_Secret_101
Q6) Learn more about WireShark in our Wireshark: Traffic Analysis room.
Answers :- No answer needed
{ DAY — 21 }
Answer the questions below
Q1) What is the function name that downloads and executes files in the WarevilleApp.exe?
Answers :- DownloadAndExecuteFile
Q2) Once you execute the WarevilleApp.exe, it downloads another binary to the Downloads folder. What is the name of the binary?
Answers :- explorer.exe
Q3) What domain name is the one from where the file is downloaded after running WarevilleApp.exe?
Answers :- mayorc2.thm
Q4) The stage 2 binary is executed automatically and creates a zip file comprising the victim’s computer data; what is the name of the zip file?
Answers :- CollectedFiles.zip
Q5) What is the name of the C2 server where the stage 2 binary tries to upload files?
Answers :- anonymousc2.thm
Q6) If you enjoyed this task, feel free to check out the x86 Assembly Crash Course room.
Answers :- No answer needed
{ DAY — 22 }
Answer the questions below :
Q1) What is the name of the webshell that was used by Mayor Malware?
Answers :- shelly.php
Q2) What file did Mayor Malware read from the pod?
Answers :- db.php
Q3) What tool did Mayor Malware search for that could be used to create a remote connection from the pod?
Answers :- nc
Q4) What IP connected to the docker registry that was unexpected?
Answers :- 10.10.130.253
Q5) At what time is the first connection made from this IP to the docker registry?
Answers :- 29/Oct/2024:10:06:33 +0000
Q6) At what time is the updated malicious image pushed to the registry?
Answers :- 29/Oct/2024:12:34:28 +0000
Q7) What is the value stored in the “pull-creds” secret?
Answers :- {"auths":{"http://docker-registry.nicetown.loc:5000":{"username":"mr.nice","password":"Mr.N4ughty","auth":"bXIubmljZTpNci5ONHVnaHR5"}}}
Q8) Enjoy today’s lesson? Check out our Intro to Kubernetes for a more in-depth introduction to Kubernetes!
Answers :- No answer needed
{ DAY — 23 }
Answer the questions below :
Q1) Crack the hash value stored in hash1.txt. What was the password?
Answers :- fluffycat12
Q2) What is the flag at the top of the private.pdf file?
Answers :- THM{do_not_GET_CAUGHT}
Q3) To learn more about cryptography, we recommend the Cryptography module. If you want to practice more hash cracking, please consider the John the Ripper: The Basics room.
Answers :- No answer needed
{ DAY — 24 }
Answer the questions below :
Q1) What is the flag?
Answers :- THM{Ligh75on-day54ved}
Q2) If you enjoyed this task, feel free to check out the Wireshark module.
Answers :- No answer needed
Q1) Congratulations on saving SOC-mas!
Answers :- No answer needed
Q1) What is the flag you get at the end of the survey?
Answers :- THM{we_will_be_back_in_2025}