Advent of Cyber — TryHackMe

Writeup for TRYHACKME’s 25 days of Christmas challenge

8 min read, Dec 11, 2020
Source: tryhackme.com

Challenge link : https://tryhackme.com/room/25daysofchristmas

[Day 1] [Task 6] — Inventory Management

After deploying the machine, navigate to http://<your_machines_ip>:3000

Upon visiting, you will be presented with a nice little login screen.

Since we don’t have any credentials to log in with, let’s register a random username by clicking on the Register button.

I created an account with username: coco and email/password : coco@x.com/coco

Now let’s login with these credentials and see where it goes. After logging in, we see an Inventory submission page with an input field where we can request some inventory.

Let’s check our cookie by navigating to the browser’s Storage pane (right-click -> Inspect Element -> Storage tab).

From here we can see the name of the cookie used for authentication. The value of the cookie is alphanumeric, so let’s try to base64-decode it.

After decoding, we can see that the decoded value starts with our username ‘coco’ followed by some random-looking characters. Registering another account with a different username and decoding its cookie shows that the decoded value always starts with the username followed by the same characters, i.e. the part after the username is a fixed value.

Since this is the authentication cookie and nothing in it is tied to the account or signed, we can replace our username with an admin’s username in the decoded value and encode it back to base64 in an attempt to access the admin’s account. For this challenge specifically, we want to check mcinventory’s account.

So let’s do “base64encode(mcinventoryXXXXXXXXX)” [here XXXXXXXXX is the fixed value after the username] and inject this cookie into our browser by replacing the current cookie value with it (simply double-click on the value and paste the modified cookie). After this, refresh the page and BOOM, we are in mcinventory’s account.

From here, we can see what mcinventory requested.
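To make the weakness concrete, here is an added shell example (not part of the original write-up) that decodes cookies of the shape described above and shows what a keyed, verifiable cookie looks like instead. The fixed suffix and the server key are constructed placeholders, and the signed variant assumes the openssl CLI is available.

```shell
#!/bin/sh
# Added example: auditing a base64(username || FIXED) cookie and replacing it
# with an HMAC-signed one. All values below are constructed, not from the room.

FIXED_SUFFIX='FIXEDSUFFIX'   # stands in for the real fixed bytes after the username

# Build a cookie exactly the way the vulnerable app does: no secret, no signature.
make_legacy_cookie() { printf '%s%s' "$1" "$FIXED_SUFFIX" | base64 | tr -d '\n'; }

# What the server effectively does: decode and trust whatever username is in front.
legacy_user() {
  decoded=$(printf '%s' "$1" | base64 -d 2>/dev/null) || return 1
  case "$decoded" in
    *"$FIXED_SUFFIX") printf '%s\n' "${decoded%"$FIXED_SUFFIX"}" ;;
    *) return 1 ;;
  esac
}

# Audit check: if two different accounts share the same trailing bytes, the
# trailing part carries no per-user or secret material and the cookie is forgeable.
same_trailer() {
  n=${#FIXED_SUFFIX}
  a=$(printf '%s' "$1" | base64 -d | tail -c "$n")
  b=$(printf '%s' "$2" | base64 -d | tail -c "$n")
  [ "$a" = "$b" ]
}

# Hardened form: username.HMAC-SHA256(key, username). The key never leaves the server.
SERVER_KEY='constructed-server-secret'   # assumption: generated and stored server-side
hmac() { printf '%s' "$1" | openssl dgst -sha256 -hmac "$SERVER_KEY" | awk '{print $NF}'; }
make_signed_cookie() { printf '%s.%s' "$1" "$(hmac "$1")"; }
verify_signed_cookie() {
  user=${1%.*}; tag=${1##*.}
  [ "$(hmac "$user")" = "$tag" ] && printf '%s\n' "$user"
}
```

Changing the username in a signed cookie invalidates the tag, so the swap that works against the legacy format fails verification.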

[Day 2] [Task 7] — Arctic Forum

After deploying day 2’s machine, navigate to http://[your-ip-here]:3000. Upon visiting, this is the page we are presented with.

According to the task we have to find a hidden directory/page, so let’s brute-force directories using an amazing tool, ‘ffuf’.

While fuzzing we came across an interesting directory; let’s visit it and view its page source. Scrolling to the bottom we see a potential OSINT vector.

So let’s check it out on GitHub.

And it looks like we got some credentials, so let’s try logging in to the previously found hidden page with them. Indeed we can log in and see our hidden stuff.

[Day 3] [Task 8] — Evil Elf

In this challenge, we are given a .pcap file to download, so let’s analyze it with Wireshark. Check out packet number 998 for answering the challenge question.

Now let’s follow the TCP stream from this packet to check its content (select the packet -> right-click -> Follow -> TCP Stream).

From the top-most line, we can see the item listed. Our next task is to crack buddy’s password. Here we are given the /etc/shadow file, which on a Linux system stores every user’s password hash.

For cracking the password, we will use hashcat, which is a great tool for cracking password hashes.

Here, hash.txt contains user buddy’s hash, i.e. the blurred part above. After a short while you will get the password.

[Day 4] [Task 9] — Training

Deploy the given machine and access it via SSH.

Now, after accessing it, our first task is to tell how many files there are in the home directory. For this, simply run ‘ls’ and we will be presented with all visible files. If there were a large number of files, counting them manually would be tedious, so a simple command that just outputs the number of entries is ‘ls | wc -l’.

#2 What is the content of file5?

The content of the file can be viewed using the ‘cat’ utility.

#3 Which file contains the string ‘password’?

Note: “cat *” is redundant here. If you only want the filename that contains that text, you can simply run grep -lnr ‘password’

#4 What is the IP address in a file in the home folder?

For finding an IP address in a file, we can use a regex with grep. The -o flag prints only the part that matches the regex and drops the rest of the line.

#5 How many users can log into the machine?

Note: In case a user’s default shell is not /bin/bash, we can check for that with grep -v “nologin” and then filter out the other non-login shells.

#6 What is the sha1 hash of file8?

The SHA-1 hash of a file can be found using the sha1sum utility on Linux.

#7 What is mcsysadmin’s password hash?

Users’ password hashes are stored in the /etc/shadow file. However, we can’t just open and view this file, because reading it requires higher privileges, which in this case we don’t have. So, what else can we do? Well, it is always good to check for backup files on the system (also mentioned in the challenge’s guide). Backup files are generally stored with a .bak extension, so let’s search the filesystem for files with that extension.

Reading this shadow backup (since it has read permission set for our user) gives us mcsysadmin’s password hash.
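The Day 4 commands gathered into one script, as an added example that is not from the original write-up: it builds a constructed home directory and a made-up /etc/passwd excerpt so each answer can be checked. The file contents, the hidden .backups directory and the shadow hash are placeholders.

```shell
#!/bin/sh
# Added example: the Day 4 one-liners against a constructed home directory.
# Everything created here is made up; the shadow hash is a placeholder.
setup_home() {
  dir=$(mktemp -d)
  printf 'hello\n' > "$dir/file1"
  printf 'password=hunter2\n' > "$dir/file2"           # contains the string 'password'
  printf 'server at 10.0.0.5 today\n' > "$dir/file3"   # contains an IP address
  printf 'secret\n' > "$dir/.hidden"                   # dotfile: plain ls does not show it
  mkdir "$dir/.backups"                                # stands in for a backup location
  printf 'mcsysadmin:$6$CONSTRUCTED$HASHPLACEHOLDER:18000:0:99999:7:::\n' \
    > "$dir/.backups/shadow.bak"
  printf '%s\n' "$dir"
}
count_files()   { ls "$1" | wc -l | tr -d ' '; }                  # #1: visible entries only
file_contents() { cat "$1/$2"; }                                   # #2
files_with()    { grep -rl "$2" "$1" | xargs -n1 basename; }       # #3: -l prints names only
find_ip()       { grep -rhoE '([0-9]{1,3}\.){3}[0-9]{1,3}' "$1"; } # #4: -o keeps just the match
# #5: accounts with a real login shell, from a constructed /etc/passwd excerpt.
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
mcsysadmin:x:1000:1000::/home/mcsysadmin:/bin/bash
sync:x:4:65534:sync:/bin:/bin/sync'
login_users() {
  printf '%s\n' "$PASSWD_SAMPLE" | grep -v 'nologin' \
    | grep -vE '/bin/(false|sync)$' | cut -d: -f1      # drop the other non-login shells too
}
sha1_of()       { sha1sum "$1/$2" | cut -d' ' -f1; }               # #6
backup_files()  { find "$1" -name '*.bak'; }                      # #7: readable .bak copies
user_hash()     { grep "^$2:" "$1" | cut -d: -f2; }                # second field of a shadow line
```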

[Day 5] [Task 10] — Ho-Ho-Hosint

Here, we are given a file to download. It’s a jpg file.

Let’s analyse this file with exiftool.

The interesting detail here is the creator’s name. Searching this name on Google gives a Twitter account matching it.

From here we can grab her DOB, her occupation and even the phone she owns.

Now, there is a link to her blog as well. For checking her first post, let’s use the Wayback Machine, which lets us see how a website looked in the past. The first activity was in October 2019 (as seen from the Wayback Machine), so let’s check it.

From here we can find out when she actually started her photography.

Also, from this old version of the website we can find out the name of that famous woman (Note: we can use reverse image search as well to find her name).

[Day 6][Task 11] — Data Elf-iltration

Here we are given a pcap file, so let’s analyze it with Wireshark.

For finding the data exfiltrated via DNS, let’s inspect the first DNS request and follow its UDP stream (right-click on the DNS request -> Follow -> UDP Stream).

Here, we can see some exfiltrated data encoded as alphanumeric characters. Hex-decoding them reveals the first flag.

Now, our next step is to extract the files carried in this pcap, which can be done with Wireshark’s Export Objects feature (File -> Export Objects -> HTTP -> select the objects).

Here we got a zip and an image file. The zip file turned out to be password protected, so we can try brute-forcing the password with fcrackzip, a utility shipped with Kali for exactly this job.

Running this command cracks the password of the zip file. After extracting the zip, we’ll have a few text files, one of which contains our second flag.

Other than the zip, we have an image file. Opening the image shows TryHackMe’s default image. To pull additional hidden details out of an image we can run exiftool, but in this case it doesn’t give us anything useful. For further forensics, the image might hide a secret via steganography, so let’s try steghide, which can both extract and embed secrets in images.

Here we used an empty passphrase and it extracted the hidden secret to the file christmasmonster.txt. Reading that file gives us our final flag.

[Day 7] [Task 12] — Skilling Up

Deploy the given machine. To find open ports, running services, etc., we will run nmap.

Here, I used the -A flag for an aggressive scan to make the task easier, but we can scan for specific things by specifying flags such as:

  • -O for OS discovery
  • -sV for enumerating services’ versions
  • -p-1000 for scanning ports 1–1000

After the scan finishes, we will have all our answers. On port 999 there is an HTTP server running. Visiting this server in a browser reveals the required file name.
