THM-Advent of Cyber 2024 Day1

Mohamed Ali
5 min read, Dec 1, 2024


Maybe SOC-mas music, he thought, doesn’t come from a store?

Day 1

Find This Room: Advent of Cyber 2024

The Story

McSkidy tapped keys with a confident grin,

A suspicious website, now where to begin?

She’d seen sites like this, full of code and of grime,

Shady domains, and breadcrumbs easy to find.

McSkidy’s fingers flew across the keyboard, her eyes narrowing at the suspicious website on her screen. She had seen dozens of malware campaigns like this. This time, the trail led straight to someone who went by the name “Glitch.”

“Too easy,” she muttered with a smirk.

“I still have time,” she said, leaning closer to the screen. “Maybe there’s more.”

Little did she know, beneath the surface lay something far more complex than a simple hacker’s handle. This was just the beginning of a tangled web unravelling everything she thought she knew.

Learning Objectives

  • Learn how to investigate malicious link files.
  • Learn about OPSEC and OPSEC mistakes.
  • Understand how to track and attribute digital identities in cyber investigations.

Connecting to the Machine

Before moving forward, review the questions in the connection card shown below and start the virtual machine by pressing the Start Machine button. The VM should be fully loaded in 3 minutes. Additionally, you will need the AttackBox, which can be launched by clicking the Start AttackBox button at the top of the page.

NOTE:

If you’re clicking “Start Machine” and encountering an issue launching it, don’t worry — it’s just the high demand. What can you do?

  • Keep trying! Machines are becoming available as demand fluctuates.
  • If you’re still having trouble, come back a little later when it’s less busy.

Investigating the Website

The website we are investigating is a YouTube to MP3 converter currently being shared amongst the organizers of SOC-mas. You’ve decided to dig deeper after hearing some concerning reports about this website.

From your AttackBox, access the website by visiting MACHINE_IP using the web browser.

At first glance, the website looks legit and presentable. The About page even says that it was made by “The Glitch”. How considerate of them to make our job easier!

Scrolling down, you’ll see the feature list, which promises to be “Secure” and “Safe.” From our experience, that isn’t very likely.

YouTube to MP3 Converter Websites

These websites have been around for a long time. They offer a convenient way to extract audio from YouTube videos, making them popular. However, historically, these websites have been observed to have significant risks, such as:

  • Malvertising: Many sites contain malicious ads that can exploit vulnerabilities in a user’s system, which could lead to infection.
  • Phishing scams: Users can be tricked into providing personal or sensitive information via fake surveys or offers.
  • Bundled malware: Some converters may come with malware, tricking users into unknowingly running it.

What nefarious thing does this website have in store for us?

Getting Some Tunes

Let’s find out by pasting any YouTube link in the search form and pressing the “Convert” button. Then select either the mp3 or mp4 option. This should download a file that we can use to investigate. For example, we can use https://www.youtube.com/watch?v=dQw4w9WgXcQ, a classic if you ask me.

Once downloaded, navigate to your Downloads folder or, if you are using the AttackBox, to your /root/ directory. Locate the file named download.zip, right-click on it, and select Extract To. In the dialog window, click the Extract button to complete the extraction.

You’ll now see two extracted files: song.mp3 and somg.mp3.

To quickly determine each file’s contents, double-click on the “Terminal” icon on the desktop, then run the file command on each one. First, let’s try checking song.mp3.

There doesn’t seem to be anything suspicious, according to the output. As expected, this is just an MP3 file.

How about the second file, somg.mp3? From the filename alone, we can tell something is not right. Still, let’s confirm by running the file command on it anyway.
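The file command works by looking at a file’s leading bytes rather than its extension. The added example below (my own code, not part of the room) does the same check in Python for the two cases this room cares about: a real MP3 and, as the “malicious link files” learning objective suggests, a Windows shortcut (.lnk) dressed up as audio. The sample bytes are constructed here, not taken from the room’s download.

```python
"""Identify what a file really is from its leading bytes, regardless of its
extension. Added example for this write-up; not the room's own tooling."""
from pathlib import Path

# Windows Shell Link (.lnk) header: HeaderSize 0x0000004C (little-endian)
# followed by the LinkCLSID 00021401-0000-0000-C000-000000000046.
LNK_MAGIC = b"L\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")


def identify(data: bytes) -> str:
    """Return a content-based type label, much like `file` would report."""
    if data.startswith(LNK_MAGIC):
        return "windows-shortcut"
    if data.startswith(b"ID3"):
        return "mp3"  # ID3v2 tag precedes the audio frames
    # Bare MPEG audio: a frame begins with an 11-bit sync word (0xFFE0 mask)
    if len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0:
        return "mp3"
    return "unknown"


def extension_mismatch(name: str, data: bytes) -> bool:
    """True when the extension claims audio but the bytes say otherwise."""
    return Path(name).suffix.lower() == ".mp3" and identify(data) != "mp3"


def triage(files: dict) -> dict:
    """Map each filename to (detected type, extension-mismatch flag)."""
    return {n: (identify(d), extension_mismatch(n, d)) for n, d in files.items()}


# Constructed samples (not the room's files): a minimal ID3v2.3 header plus
# one MPEG frame sync, and a shortcut header padded to its fixed 76 bytes.
SAMPLE_SONG = b"ID3\x03\x00\x00\x00\x00\x00\x00" + b"\xff\xfb\x90\x00"
SAMPLE_SOMG = LNK_MAGIC.ljust(76, b"\x00")

if __name__ == "__main__":
    results = triage({"song.mp3": SAMPLE_SONG, "somg.mp3": SAMPLE_SOMG})
    for name, (kind, bad) in results.items():
        print(f"{name}: {kind}{'  <-- extension mismatch' if bad else ''}")
```

On a real extraction, read each file with `open(path, "rb").read(76)` and pass the bytes to `triage` the same way.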

Q: Looks like the song.mp3 file is not what we expected! Run “exiftool song.mp3” in your terminal to find out the author of the song. Who is the author?

Q: The malicious PowerShell script sends stolen info to a C2 server. What is the URL of this C2 server?

Hint: Look for the “$c2Url” variable in the PowerShell script.

Read This PowerShell Script: https://raw.githubusercontent.com/MM-WarevilleTHM/IS/refs/heads/main/IS.ps1

Q: Who is M.M? Maybe his GitHub profile page would provide clues?

Search for this on GitHub.com or by going directly to this link: https://github.com/search?q=%22Created+by+the+one+and+only+M.M.%22&type=issues

You’ll notice something interesting if you explore the pages in the search results.

Note!

If you receive an error below, it’s because GitHub has rate limits in place if you are not signed in. To fix this, you can just sign in with a GitHub account or skip directly to the next step by going here: https://github.com/Bloatware-WarevilleTHM/CryptoWallet-Search/issues/1

If you look through the search results, you will be able to infer the malicious actor’s identity based on information on the project’s page and the GitHub Issues section.

Q: What is the number of commits on the GitHub repo where the issue was raised?

Hint: Check out the commit history here: https://github.com/Bloatware-WarevilleTHM/CryptoWallet-Search/commits/main/
