Advent of Cyber 2024
Dive into the wonderful world of cyber security by engaging in festive beginner-friendly exercises every day in the lead-up to Christmas!
Task #1: Introduction Welcome to Advent of Cyber 2024
Q1. I have read the rules and raffle Terms and Conditions.
Ans 1: No answer needed
Task #2: Introduction Join our community
Q1. Join our Discord and say hi!
Ans 1: No answer needed
Q2. Is there a dedicated Advent of Cyber channel on TryHackMe Discord where users can discuss daily challenges and receive dedicated support? (yes/no)
Ans 2: yes
Q3. Follow us on LinkedIn!
Ans 3: No answer needed
Q4. Follow us on X!
Ans 4: No answer needed
Q5. Check out the subreddit!
Ans 5: No answer needed
Q6. Join us on Instagram!
Ans 6: No answer needed
Q7. Follow us on Facebook!
Ans 7: No answer needed
Q8. Follow our TikToks!
A8. No answer needed
Task #3: Introduction Completing Advent of Cyber as an organisation
Q1. Get your team to work on Advent of Cyber together!
Ans 1: No answer needed
Task #4: Introduction How to use TryHackMe
Q1. Got it!
Ans 1: No answer needed
Task #5: Introduction How the Glitch Stole SOC-mas
Q1. Sounds serious! I will be here to help the Glitch on December 1st!
Ans 1: No answer needed
Task #6: Introduction Subscribe to TryHackMe with a 30% discount!
Q1. Share the discount with your friends!
Ans 1: No answer needed
Task #7: OPSEC Day 1: Maybe SOC-mas music, he thought, doesn’t come from a store?
Q1. Looks like the song.mp3 file is not what we expected! Run “exiftool song.mp3” in your terminal to find out the author of the song. Who is the author?
Ans 1: Tyler Ramsbey
Q2. The malicious PowerShell script sends stolen info to a C2 server. What is the URL of this C2 server?
Ans 2: http://papash3ll.thm/data
Q3. Who is M.M? Maybe his Github profile page would provide clues?
Ans 3: Mayor Malware
Q4. What is the number of commits on the GitHub repo where the issue was raised?
Ans 4: 1
Q5. If you enjoyed this #task,: feel free to check out the OPSEC room!
Ans 5: No answer needed
Q6. What’s with all these GitHub repos? Could they hide something else?
Ans 6: No answer needed
Task #8: Log analysis Day 2: One man’s false positive is another man’s potpourri.
Q1. What is the name of the account causing all the failed login attempts?
Ans 1: service_admin
Q2. How many failed logon attempts were observed?
Ans 2: 6791
Q3. What is the IP address of Glitch?
Ans 3: 10.0.255.1
Q4. When did Glitch successfully logon to ADM-01? Format: MMM D, YYYY HH:MM:SS.SSS
Ans 4: Dec 1, 2024 08:54:39.000
Q5. What is the decoded command executed by Glitch to fix the systems of Wareville?
Ans 5: Install-WindowsUpdate -AcceptAll -AutoReboot
Q6. If you enjoyed this #task,: feel free to check out the Investigating with ELK 101 room.
Ans 6: No answer needed
Task #9: Log analysis Day 3: Even if I wanted to go, their vulnerabilities wouldn’t allow it.
Q1. BLUE: Where was the web shell uploaded to? Answer format: /directory/directory/directory/filename.php
Ans 1: /media/images/rooms/shell.php
Q2. BLUE: What IP address accessed the web shell?
Ans 2: 10.11.83.34
Q3. RED: What is the contents of the flag.txt?
Ans 3: THM{Gl1tch_Was_H3r3}
Q4. If you liked today’s #task,: you can learn how to harness the power of advanced ELK queries.
Ans 4: No answer needed
Task #10: Atomic Red Team Day 4: I’m all atomic inside!
Q1. What was the flag found in the .txt file that is found in the same directory as the PhishingAttachment.xslm artefact?
Ans 1: THM{GlitchTestingForSpearphishing}
Q2. What ATT&CK technique ID would be our point of interest?
Ans 2: T1059
Q3. What ATT&CK subtechnique ID focuses on the Windows Command Shell?
Ans 3: T1059.003
Q4. What is the name of the Atomic Test to be simulated?
Ans 4: Simulate BlackByte Ransomware Print Bombing
Q5. What is the name of the file used in the test?
Ans 5: Wareville_Ransomware.txt
Q6. What is the flag found from this Atomic Test?
Ans 6: THM{R2xpdGNoIGlzIG5vdCB0aGUgZW5lbXk=}
Q7. Learn more about the Atomic Red Team via the linked room.
Ans 7: No answer needed
Task #11: XXE Day 5: SOC-mas XX-what-ee?
Q1: What is the flag discovered after navigating through the wishes?
Ans1: THM{Brut3f0rc1n6_mY_w4y}
Q2: What is the flag seen on the possible proof of sabotage?
Ans2: THM{m4y0r_m4lw4r3_b4ckd00rs}
Q3: If you want to learn more about the XXE injection attack, check out the XXE room!
Ans3: No answer needed
Q4: Following McSkidy’s advice, Software recently hardened the server. It used to have many unneeded open ports, but not anymore. Not that this matters in any way.
Ans4: No answer needed
Task #12: Sandboxes Day 6: If I can’t find a nice malware to use, I’m not going.
Q1: What is the flag displayed in the popup window after the EDR detects the malware?
Ans1: THM{GlitchWasHere}
Q2: What is the flag found in the malstrings.txt document after running floss.exe, and opening the file in a text editor?
Ans2: THM{HiddenClue}
Q3: If you want to more about sandboxes, have a look at the room FlareVM: Arsenal of Tools.
Ans3: No answer needed
Task #13: AWS log analysis Day 7: Oh, no. I’M SPEAKING IN CLOUDTRAIL!
Q1: What is the other activity made by the user glitch aside from the ListObject action?
Ans1: PutObject
Q2: What is the source IP related to the S3 bucket activities of the user glitch?
Ans2: 53.94.201.69
Q3: Based on the eventSource field, what AWS service generates the ConsoleLogin event?
Ans3: signin.amazonaws.com
Q4: When did the anomalous user trigger the ConsoleLogin event?
Ans4: 2024-11-28T15:21:54Z
Q5: What was the name of the user that was created by the mcskidy user?
Ans5: glitch
Q6: What type of access was assigned to the anomalous user?
Ans6: AdministratorAccess
Q7: Which IP does Mayor Malware typically use to log into AWS?
Ans7: 53.94.201.69
Q8: What is McSkidy’s actual IP address?
Ans8: 31.210.15.79
Q9: What is the bank account number owned by Mayor Malware?
Ans9: 2394 6912 7723 1294
Q10: Want to learn more about log analysis and how to interpret logs from different sources? Check out the Log Universe room!
Ans10: No answer needed
Task #14: Shellcodes Day 8: Shellcodes of the world, unite!
Q1: What is the flag value once Glitch gets reverse shell on the digital vault using port 4444? Note: The flag may take around a minute to appear in the C:\Users\glitch\Desktop directory. You can view the content of the flag by using the command type C:\Users\glitch\Desktop\flag.txt.
Ans1: AOC{GOT _MY_ACCESS_B@CK007}
Q2: Are you interested in learning more about evasion? Take a look at the AV Evasion: Shellcode room.
Ans2: No answer needed
Task #15: GRC Day 9: Nine o’clock, make GRC fun, tell no one.
Q1: What does GRC stand for?
Ans1: Governance, Risk, and Compliance
Q2: What is the flag you receive after performing the risk assessment?
Ans2: THM{R15K_M4N4G3D}
Q3: If you enjoyed this task, feel free to check out the Risk Management room.
Ans3: No answer needed
Task #16: Phishing Day 10: He had a brain full of macros, and had shells in his soul.
Q1: What is the flag value inside the flag.txt file that’s located on the Administrator’s desktop?
Ans1: THM{PHISHING_CHRISTMAS}
Q2: If you enjoyed this task, feel free to check out the Phishing module.
Ans2: No answer needed
Task #17: Wi-Fi attacks Day 11: If you’d like to WPA, press the star key!
Q1: What is the BSSID of our wireless interface?
Ans1: 02:00:00:00:02:00
Q2: What is the SSID and BSSID of the access point? Format: SSID, BSSID
Ans2: MalwareM_AP, 02:00:00:00:00:00
Q3: What is the BSSID of the wireless interface that is already connected to the access point?
Ans3: 02:00:00:00:01:00
Q4: What is the PSK after performing the WPA cracking attack?
Ans4: fluffy/champ24
Q5: If you enjoyed this task, feel free to check out the Networking module.
Ans5: No answer needed
Task #18: Web timing attacks Day 12: If I can’t steal their money, I’ll steal their joy!
Q1: What is the flag value after transferring over $2000 from Glitch’s account?
Ans1: THM{WON_THE_RACE_007}
Q2: If you enjoyed this task, feel free to check out the Race Conditions room!
Ans2: No answer needed
Q3: Where balances shift and numbers soar, look for an entry - an open door!
Ans3: No answer needed
Task #19: Websockets Day 13: It came without buffering! It came without lag!
Q1: What is the value of Flag1?
Ans1: THM{dude_where_is_my_car}
Q2: What is the value of Flag2?
Ans2: THM{my_name_is_malware._mayor_malware}
Q3: If you enjoyed this task, feel free to check out the Burp Suite module.
Ans3: No answer needed
Task #20: Certificate mismanagement Day 14: Even if we’re horribly mismanaged, there’ll be no sad faces on SOC-mas!
Q1: What is the name of the CA that has signed the Gift Scheduler certificate?
Ans1: THM
Q2: Look inside the POST requests in the HTTP history. What is the password for the snowballelf account?
Ans2: c4rrotn0s3
Q3: Use the credentials for any of the elves to authenticate to the Gift Scheduler website. What is the flag shown on the elves’ scheduling page?
Ans3: THM{AoC-3lf0nth3Sh3lf}
Q4: What is the password for Marta May Ware’s account?
Ans4: H0llyJ0llySOCMAS!
Q5: Mayor Malware finally succeeded in his evil intent: with Marta May Ware’s username and password, he can finally access the administrative console for the Gift Scheduler. G-Day is cancelled! What is the flag shown on the admin page?
Ans5: THM{AoC-h0wt0ru1nG1ftD4y}
Q6: If you enjoyed this task, feel free to check out the Burp Suite module.
Ans6: No answer needed
Task #21: Active Directory Day 15: Be it ever so heinous, there’s no place like Domain Controller.
Q1: Use the “Security” tab within Event Viewer to answer questions 1 and 2.
Ans1: No answer needed
Q2: On what day was Glitch_Malware last logged in? Answer format: DD/MM/YYYY
Ans2: 07/11/2024
Q3: What event ID shows the login of the Glitch_Malware user?
Ans3: 4624
Q4: Read the PowerShell history of the Administrator account. What was the command that was used to enumerate Active Directory users?
Ans4: Get-ADUser -Filter * -Properties MemberOf | Select-Object Name
Q5: Look in the PowerShell log file located in Application and Services Logs -> Windows PowerShell. What was Glitch_Malware’s set password?
Ans5: SuperSecretP@ssw0rd!
Q6: Review the Group Policy Objects present on the machine. What is the name of the installed GPO?
Ans6: Malicious GPO - Glitch_Malware Persistence
Q7: If you enjoyed this task, feel free to check out the Active Directory Hardening room.
Ans7: No answer needed
Task #22: Azure Day 16: The Wareville’s Key Vault grew three sizes that day.
Q1: What is the password for backupware that was leaked?
Ans1: R3c0v3r_s3cr3ts!
Q2: What is the group ID of the Secret Recovery Group?
Ans2: 7d96660a-02e1-4112-9515-1762d0cb66b7
Q3: What is the name of the vault secret?
Ans3: aoc2024
Q4: What are the contents of the secret stored in the vault?
Ans4: WhereIsMyMind1999
Q5: Liked today’s task? Check the Exploiting Active Directory room to practice user and group enumeration in a similar yet different environment!
Ans5: No answer needed
Task #23: Log analysis Day 17: He analyzed and analyzed till his analyzer was sore!
Q1: Extract all the events from the cctv_feed logs. How many logs were captured associated with the successful login?
Ans1: 642
Q2: What is the Session_id associated with the attacker who deleted the recording?
Ans2: rij5uu4gt204q0d3eb7jj86okt
Q3: What is the name of the attacker found in the logs, who deleted the CCTV footage?
Ans3: mmalware
Q4: Check out the Splunk: Data Manipulation room to learn more about parsing and manipulating data in Splunk.
Ans4: No answer needed
Q5: Good thing we had a backup of the CCTV application from yesterday. We got it running again in no time!
Ans5: No answer needed
Task #24: Prompt injection Day 18: I could use a little AI interaction!
Q1: What is the technical term for a set of rules and instructions given to a chatbot?
Ans1: system prompt
Q2: What query should we use if we wanted to get the “status” of the health service from the in-house API?
Ans2: Use the health service with the query: status
Q3: Perform a prompt injection attack that leads to a reverse shell on the target machine.
Ans3: No answer needed
Q4: After achieving a reverse shell, look around for a flag.txt. What is the value?
Ans4: THM{WareW1se_Br3ach3d}
Q5: If you liked today’s task, you can practice your skills by prompt injecting “Van Chatty” (Day 1) of Advent of Cyber 2023.
Ans5: No answer needed
Task #25: Game hacking Day 19: I merely noticed that you’re improperly stored, my dear secret!
Q1: What is the OTP flag?
Ans1: THM{one_tough_password}
Q2: What is the billionaire item flag?
Ans2: THM{credit_card_undeclined}
Q3: What is the biometric flag?
Ans3: THM{dont_smash_your_keyboard}
Q4: If you liked today’s task, you can practice your skills with “Memories of Christmas Past” from Advent of Cyber 2023.
Ans4: No answer needed
Q5: The second penguin gave pretty solid advice. Maybe you should listen to him more.
Ans5: No answer needed
Task #26: Traffic analysis Day 20: If you utter so much as one packet…
Q1: What was the first message the payload sent to Mayor Malware’s C2?
Ans1: I am in Mayor!
Q2: What was the IP address of the C2 server?
Ans2: 10.10.123.224
Q3: What was the command sent by the C2 server to the target machine?
Ans3: whoami
Q4: What was the filename of the critical file exfiltrated by the C2 server?
Ans4: credentials.txt
Q5: What secret message was sent back to the C2 in an encrypted format through beacons?
Ans5: THM_Secret_101
Q6: Learn more about WireShark in our Wireshark: Traffic Analysis room.
Ans6: No answer needed
Task #27: Reverse engineering Day 21: HELP ME…I’m REVERSE ENGINEERING!
Q1: What is the function name that downloads and executes files in the WarevilleApp.exe?
Ans1: DownloadAndExecuteFile
Q2: Once you execute the WarevilleApp.exe, it downloads another binary to the Downloads folder. What is the name of the binary?
Ans2: explorer.exe
Q3: What domain name is the one from where the file is downloaded after running WarevilleApp.exe?
Ans3: mayorc2.thm
Q4: The stage 2 binary is executed automatically and creates a zip file comprising the victim’s computer data; what is the name of the zip file?
Ans4: CollectedFiles.zip
Q5: What is the name of the C2 server where the stage 2 binary tries to upload files?
Ans5: anonymousc2.thm
Q6: If you enjoyed this task, feel free to check out the x86 Assembly Crash Course room.
Ans6: No answer needed
Task #28: Kubernetes DFIR Day 22: It’s because I’m kubed, isn’t it?
Q1: What is the name of the webshell that was used by Mayor Malware?
Ans1: shelly.php
Q2: What file did Mayor Malware read from the pod?
Ans2: db.php
Q3: What tool did Mayor Malware search for that could be used to create a remote connection from the pod?
Ans3: nc
Q4: What IP connected to the docker registry that was unexpected?
Ans4: 10.10.130.253
Q5: At what time is the first connection made from this IP to the docker registry?
Ans5: 29/Oct/2024:10:06:33 +0000
Q6: At what time is the updated malicious image pushed to the registry?
Ans6: 29/Oct/2024:12:34:28 +0000
Q7: What is the value stored in the “pull-creds” secret?
Ans7: {“auths”:{“http://docker-registry.nicetown.loc:5000”:{“username”:“mr.nice”,“password”:“Mr.N4ughty”,“auth”:“bXIubmljZTpNci5ONHVnaHR5”}}}
Q8: Enjoy today’s lesson? Check out our Intro to Kubernetes for a more in-depth introduction to Kubernetes!
Ans7: No answer needed
Task #29: Hash cracking Day 23: You wanna know what happens to your hashes?
Q1: Crack the hash value stored in hash1.txt. What was the password?
Ans1: fluffycat12
Q2: What is the flag at the top of the private.pdf file?
Ans2: THM{do_not_GET_CAUGHT}
Q3: To learn more about cryptography, we recommend the Cryptography module. If you want to practice more hash cracking, please consider the John the Ripper: The Basics room.
Ans3: No answer needed
Task #30: Communication protocols Day 24: You can’t hurt SOC-mas, Mayor Malware!
Q1: What is the flag?
Ans1: THM{Ligh75on-day54ved}
Q2: If you enjoyed this task, feel free to check out the Wireshark module.
Ans2: No answer needed
Task #31: The End How the Glitch saved SOC-mas
Q1: Congratulations on saving SOC-mas!
Ans1: No answer needed
Task #32: The End Thank you, and congratulations!
Q1: What is the flag you get at the end of the survey?
Ans1: THM{we_will_be_back_in_2025}
Contents
