TryHackMe Advent of Cyber 2024 Side Quest Writeup & Walkthrough

Motasem Hamdan
2 min read · Jan 2, 2025

This post is a detailed walkthrough of the TryHackMe Advent of Cyber 2024 Side Quest. In this post, I tried to provide detailed steps to obtain the flags for all the tasks. Some tasks aren’t finished yet, so I wrote the walkthrough to obtain the L keycards needed to start solving the challenge.

T1: Operation Tiny Frostbite

Description

“By the time you read this, you’ve already been attacked. I’m in your machine and you won’t get it back. You must be aware that the more you delay, the more information will be stolen away. Your SOC is so weak, I’ll lend them a hand. Here’s a PCAP of the attack, you can’t beat this band! If your machine you want to recover, the password I stole you’ll need to discover.”

The first of our enemies is the Frostbite Fox. Known for being the slyest of them all. She’s made her way into McSkidy’s machine. Luckily for us, our great SOC detected it all in time. While the team focuses on securing the machine, you are tasked with recovering the password the Fox stole, so we can get McSkidy’s data back.

Note: To attempt this challenge you will need to find the L1 Keycard in the main Advent of Cyber room challenges. The password in the keycard will allow you to open the ZIP file, which you can download from http://MACHINE_IP/aoc_sq_1.zip. The zip file is safe to download with MD5 of 044a78a6a1573c562bc18cefb761a578. In general, as a security practice, download the zip and analyze the forensic files on a dedicated virtual machine, and not on your host OS. The keycard will be hidden between days 1 and 4.

T1: Operation Tiny Frostbite | Answers

What is the password the attacker used to register on the site?

We extract the ZIP file using the password from the first keycard, revealing a PCAP file. Upon analysis, we identify a port scan, activity on port 22, and significant traffic on port 80. Since the first question pertains to passwords, we search for this term within the packet details. Repeatedly using the search function, we eventually discover the first set of credentials in packet 1532, which were used to register the user “frostyfox.”
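The manual search described above can be scripted. The following is an added example, not part of the original walkthrough: it walks a classic pcap, pulls out HTTP POST form bodies sent in cleartext, and reports the packet number of any that carry a password field. The embedded capture is constructed for illustration; the `/register` path, the host name and the password value are placeholders, not data from the challenge.

```python
import struct
from urllib.parse import parse_qs

def iter_pcap(data):
    """Yield (packet_number, frame) from a classic little-endian pcap (not pcapng)."""
    if struct.unpack_from("<I", data, 0)[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap")
    off, num = 24, 0
    while off + 16 <= len(data):
        incl_len = struct.unpack_from("<I", data, off + 8)[0]
        num += 1  # 1-based, like Wireshark's packet numbers
        yield num, data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def tcp_payload(frame):
    """Return the TCP payload of an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    tcp = 14 + (frame[14] & 0x0F) * 4                  # skip Ethernet + IP header
    end = 14 + struct.unpack_from(">H", frame, 16)[0]  # IP total length
    return frame[tcp + (frame[tcp + 12] >> 4) * 4:end]

def find_credentials(pcap_bytes, keys=("password", "pass", "pwd")):
    """Return (packet_number, path, fields) for single-segment POSTs with a password field."""
    hits = []
    for num, frame in iter_pcap(pcap_bytes):
        payload = tcp_payload(frame)
        if not payload or not payload.startswith(b"POST "):
            continue  # no TCP reassembly: headers and body must share a segment
        head, _, body = payload.partition(b"\r\n\r\n")
        fields = {k: v[0] for k, v in parse_qs(body.decode("latin-1")).items()}
        if any(k in fields for k in keys):
            hits.append((num, head.split(b" ")[1].decode("latin-1"), fields))
    return hits

def _frame(payload, dport=80):
    """Build a constructed Ethernet/IPv4/TCP frame (checksums left at zero)."""
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 5]), bytes([10, 0, 0, 10]))
    tcp = struct.pack(">HHIIBBHHH", 40000, dport, 0, 0, 0x50, 0x18, 1024, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload

# Constructed capture: path and password are placeholders, not challenge data.
_POST = (b"POST /register HTTP/1.1\r\nHost: example.test\r\n\r\n"
         b"username=frostyfox&password=CONSTRUCTED-placeholder")
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(
    struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    for f in (_frame(b"", 22), _frame(b"GET / HTTP/1.1\r\n\r\n"), _frame(_POST)))

print(find_credentials(SAMPLE_PCAP))
```

To run it against a real capture, pass the file's bytes to `find_credentials`; a pcapng file has to be converted to classic pcap first, and form bodies split across TCP segments will be missed.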

Please continue here to read the rest of the walkthrough

Written by Motasem Hamdan

Motasem Hamdan is a content creator and swimmer who creates cyber security training videos and articles. https://www.youtube.com/@MotasemHamdan