THM: Advent of Cyber 2023
Note: Images used on this page were created in MS Paint with Cocreator.
What is Advent of Cyber?
The Advent of Cyber is TryHackMe’s annual free Christmas themed event. The event takes cybersecurity enthusiasts through challenges that follow a fun narrative. Can you help Santa’s top elf in the field of cybersecurity and the Best Festival Company’s CISO, McSkidy?
Each day in the lead up to Christmas, a new challenge, more difficult than the last, is released. For every question you can answer as part of each challenge, you will gain one entry into the raffle that will be drawn shortly after Christmas. So you might earn several chances to win some great prizes. Not only that, but everyone who completes the Advent of Cyber will earn a certificate and badge.
This will be a spoiler-free review of the Advent of Cyber event. I may post separate write-ups for some of the challenges after the event has concluded though.
What is happening with the Best Festival Company in the build up to Christmas 2023?
The Best Festival Company has merged with their former competitors from the South Pole, AntarctiCrafts. The AntarctiCrafts’ CTO, now a regional manager (and apparently disgruntled) is possibly trying to sabotage the success of the merger. That is according to an anonymous tip received by the snowman, Detective Frosteau.
Frosteau gets in touch with McSkidy to warn her. It looks like it’s time for McSkidy to save Christmas again. This time she has Detective Frosteau and the chief security officer, McHoneyBell, to help her.
Day 1: Machine Learning
You should find the first day of the Advent of Cyber pretty easy. The task this day is to exploit an AI chatbot and you get walked through how to do this in the instructions. In her role as the leader of the ‘Audit and Vulnerabilities’ team, it is McHoneyBell’s job to assess an internal chatbot created by AntarctiCrafts and ensure it meets the high security standards of Best Festival Company.
You will learn how to mislead the chatbot to get it to reveal privileged information and how to work around the security measures an AI chatbot might have included. All the steps to solve this challenge are included in the description for the Day 1 task.
Day 2: Log analysis
McHoneyBell’s job today is to analyse AntarctiCrafts’ network logs with a view to getting a better understanding of their Network. The only problem is that AntarctiCrafts don’t have any standard industry tools for reviewing the logs. McHoneyBell is going to have to write some scripts in Python using Panda and Matplot to help her analyse the raw data she’s got to work with.
On this task you will get to learn how Python can be used (with the help of some modules) for data analysis. Day 2’s challenge doesn’t walk you through it like Day 1, but it is still guided and your hand will be held through the first few questions. You will have to use what you’ve learned and the smallest amount of external research (read the documentation or search Google) to answer the last question. Don’t worry if you can’t figure this one out though because the hint tells you exactly what you need to know.
Another positive from the Day 2 task is that you get to work with Jupyter notes and see how awesome it is. If you like what you see, you should consider downloading it. cmnatic kindly gave me permission to download the notebooks from the VM for this challenge when I asked about it in Discord. I thought that some of the notebooks acting as an introduction to Panda and Matplotlib made a nice reference for some of the basics of those Python modules. If you would like to download the notebooks too, but aren’t sure how, it’s pretty straight forward.
- First make sure you are connected to the VPN so you are on the same network as the virtual machine. See THM’s Access page to get the configuration file. You will also find instructions on using this if you haven’t used openVPN before.
- Then switch back to the VM (this will probably be open in split view, unless you changed it to full screen after starting the machine), open a terminal and type
ip ato get the machine’s IP address. - Once you have the IP address you now want to start a HTTP server. In the terminal enter the command
python3 -m http.server. Keep the terminal open and switch back to the browser on your own machine. - Open a new tab on your browser and enter the VM’s IP address followed by a colon then 8000 (this is the default port http.server uses, but if the number is different then use the port number you see in the terminal after giving the command in the previous step). If the IP address was 10.10.12.34 then you will enter
10.10.12.34:8000in your browser’s address bar. - The page should show a directory where you can navigate to folders or open files. The notebooks are stored in the
notebooksfolder. There will be four sub-directories in this, each with a notebook and some with an additional csv file which is also required. Right-click on the files you want to download and click ‘Save As’ to download to your computer.
If you open a terminal from the notebooks folder or navigate the terminal there then you can save yourself a couple of clicks.
Day 3: Brute forcing
It’s been three days since Detective Frosteau received his tip and it’s been fairly uneventful so far. McHoneyBell has identified some vulnerabilities in the chat bot and now has pretty good understanding of the network, but no evidence of sabotage so far. Frosteau is on the scene diligently continuing his investigation all the same; If there is any risk of someone ruining Christmas, he won’t stand idly by. Without warning, several critical systems are locked and the building itself goes into lockdown. The security doors slam shut and lock themselves.
The poor detective got his arm caught in the IT server room door trying to escape. The door easily broke through Frosteau’s arm of snow, severing it off. Not only that, but someone’s changed the door’s password. The detective is trapped in the server room with only one arm left. It looks like we might have found our first real evidence of sabotage after all.
Fortunately, the door’s 3-character password isn’t protected against brute force attacks and we can make short work of this. The password uses hexadecimal characters (0-9 and A-F), so we can use the crunch command to generate a password list of every permutation and hyrda to attack the door lock itself. We’ll get the Detective out of there. Let’s hope we can reattach his arm or make him a new one.
Everything you need to know to do this challenge is given in the description, so beginners will have no problem working through this one and you will get to learn about brute forcing and the benefits of long complex passwords.
Day 4: Brute forcing
More brute forcing on Day 4, but this time we’re crafting custom dictionaries to use in the attack. No word on Frosteau. I hope he’s doing alright after Day 3’s trying experience.
It looks like McGreedy’s really tipped his hand now. He, or someone else with his already improbable name, has been selling company credentials. These credentials have been exploited and a hacker has gained access to the customer portal. Presumably someone else is dealing with that because, today, our job is to replicate the attack. …for some reason?
For this challenge, we will enumerate possible usernames and passwords from the website hosting portal by using CeWL to spider for likely usernames and passwords. Then we’ll attack the login portal with wfuzz. Again, the challenges today walk you through all the steps to complete the task.
Day 5: Reverse engineering
Detective Frosteau is back and he has a cool new mechanical arm! What a legend, he loses an arm and only takes one day off to recover!
The backup tapes have been recovered from the IT server room, but the backup software isn’t working and no one can remember how to troubleshoot it. Fortunately, there is an old, nearly forgotten, computer with an older version of the software running on DOS that can be used to troubleshoot and hopefully fix the problem.
In the Day 5 challenge you will learn about magic bytes and file signatures, and how to use MS-DOS. You will navigate the computer’s file system, read and edit files from MS-DOS; you will restore a corrupted backup file by analysing and amending faults in its data; and you will restore the backup using this legacy system.
With that done, the detective sends the restored backup tape to McSkidy so the system can properly be restored to this backup. Now we’ve got a bit of spare time, why don’t we explore this old PC. See what else we can find on it.
Day 6: Memory corruption
We’re back working with McHoneyBell today. The programmers from AntarctiCrafts are being trained on memory corruption to improve their coding standards. We are presented with a game in which we need to earn enough coins to buy a star to put on top of the Christmas tree. The only problem is that McGreedy rigged the game to make it impossible to buy the star.
This is where memory corruption comes in. Can we exploit a buffer overflow in the game’s other mechanics to make getting the star possible?
Day 6 continues the trend of slightly increasing the difficulty against the previous day’s challenges, but there is enough advice given in the setup to get a beginner started. You will how variables are handled in RAM, how user input could overflow into other areas of memory and how these overflows can be exploited to your advantage.
Day 7: Log analysis
McGreedy has installed malware on all the computers. It looks like the children’s Christmas wish lists are being leaked to a command and control (C2) server. Σ(°□°´Ⅲ)!!? Lets dive into these logs and figure out what’s going on.
For this challenge we will be working with some standard Linux commands. You might have to get creative at stringing them together. Don’t worry, all the information you need to complete the challenge is given. This task will improve your familiarity with the Linux command line, expand on what we’ve previously learned about log files, get comfortable analysing proxy logs and get an insight into malware and C2 servers.
Day 8: Disk forensics
McGreedy is at it again and he’s leading one of the frostlings astray. McGreedy has convinced Van Sprinkles to spread about some USB drives loaded with malware and waiting on some naive, unsuspecting victim to pick one up and plug it in. An anonymous tip reaches McSkidy too late; Someone has already plugged it into their computer and the malware is now on the network.
Our job today is to analyse the contents of the disk drive with FTK Imager. We’ll learn about the malware and recover some clues behind this latest attack.
This is a good task to introduce us to digital forensics. We will also learn about analysis of digital artefacts and evidence, how to recover deleted data and how to verify the integrity of a disk image. FTK Imager has an intuitive interface and all the information you need to complete the challenge is given, so this is another good beginner friendly task.
Day 9: Malware analysis
Today we are working with a blue team and Forensic McBlue to analyse McGreedy’s elf mind control malware (How evil is this piece of work?). Well lets see if we can understand this malignant piece of software and protect the good elves of Best Festival (and the world) from whatever sick commands McGreedy thinks to issue from his C2 server.
This challenge sees another increase in difficulty, but everything you need, as ever, is provided. Today we are working with dnSpy, a useful tool for decompiling and analysing malware. This is introduction to the methods of malware analysis makes a good challenge if you are interested in learning digital forensics. The code we are looking at is written in C#, but don’t worry if you aren’t familiar with this language; the code has been written clearly enough to follow and a breakdown is provided documenting the functions included in the malware.
Day 10: SQL injection
The site bestfestival.thm has been hacked, defaced and the rightful site admins are locked out. After carrying out some open source intelligence (OSINT), Forensic McBlue has found someone calling themselves Gr33dstr selling vulnerabilities for the Best Festival Company’s website, including zero days, on the dark web. I wonder who this Gr33dstr can possibly be…
Exploit McRed has determined the only way we can get back in control of the website is by exploiting the same vulnerabilities the hacker exploited. It has been discovered that the Gift Search page is vulnerable to SQL Injections. Credentials won’t be exposed through this database, but maybe we can get some remote code execution (RCE) from the exploit. We should be able to leverage that to regain control over the website once more.
As well as SQL injection and remote command execution, today’s challenge will introduce reverse shells and Windows command prompts.
Day 11: Active Directory
Today we’re getting on with the business merger. We’ve got no role in the investigation and no incidents to respond to. Ah! It’ll be nice to be getting on with day job for a change. We will be continuing our security audit of AntarctiCraft’s systems before we continue integrating with Best Festival’s. Let’s make sure Active Directory (AD) is properly configured and there are no vulnerabilities that can be exploited there.
Today we will learn how to enumerate AD for vulnerabilities using PowerView, how to leverage that vulnerability using Whisker and Rubeus, so we can then go on to exploit it with Evil-WinRM. We will also learn about Active Directory and Windows Hello for Business. If you pay attention today, you might find evidence relating to a previous incident. It might be worth digging a little deeper into that.
Check back later
Day 12: Defence in depth
We are continuing the security audit. Today we are working with McHoneyBell, hardening the server against attack. This challenge will involve a mix of red team work to identify vulnerabilities and blue team work to resolve those vulnerabilities. We will also be looking at some basic privilege escalation and pivoting laterally.
As we identify and exploit vulnerabilities from the perspective of a hypothetical attacker, we will use our legitimate administrator access to address those vulnerabilities. We will apply the principle of least privilege, close up vulnerabilities and make it more difficult for attacker to leverage any access they may gain to the system. Switching back to red, we can then check that the server has been secured against our previous attacks.
With these issues address, we are moving closer to successfully and securely integrating AntarctiCrafts with Best Festival in time for Christmas. I wonder if that Tracy McGreedy has any more tricks up his sleeve before then or if we’re finally able to get on with the day job. I’m not convinced.
Day 13: Intrusion detection
No further incidents that we’ve noticed, and we’ve been paying particular attention today. McHoneyBell has us doing some intrusion detection today, including threat hunting. This should help protect us against further attacks and if that McGreedy tries anything, we’ll be ready.
On this challenge, we will configure a firewall and setup a honeypot ready to catch any villains trying to ruin Christmas or the Best Festival – AntarctiCrafts merger (we’re watching you McGreedy!). We will be configuring Ubuntu’s UcomplicatedFirewall (UFW) and setting up our honeypot with PenTBox. Additionally, we will learn about the Diamond Model and applying this to incident analysis. The model will also inform our defensive strategies.
All the information you need to succeed is provided. If you haven’t had experience setting up firewalls or honeypots, this one should be informative.
Day 14, 15 & 16: Machine learning
Days 14, 15 and 16 all share the theme of machine learning (ML). Looks like our saboteur, McGreedy, is causing problems again. We’re seeing defective toys being produced somewhere in the pipeline (day 14), the spam filter is broken (day 15) and McSkidy has been locked out of an Admin panel (day 16).
First we need to deal with the defective toys. They seem to be coming from compromised elves (is this the mind control virus again?), but it’s a big job to identify all the problem areas. So, we are going to outsource this particular job to a machine. We’re going to be doing some machine learning (ML) to train a model for a neural network to identify defective toys. As well as more efficiently removing the faulty goods, this will also help identify problem areas that we can then address.
With the model complete, defective toys are being identified more efficiently and we’re able to locate the source of the defects in the pipeline. Now we can move on to the next problem.
To deal with the spam problem, we’ll go a little deeper into what we learned when setting up the AI to identify defective toys. This time we need our AI to separate “spam” from “ham” in our email inboxes. For this challenge, we’ll be looking more at the steps in the ML pipeline, preparing the model and testing it.
Now that our inboxes are less cluttered, we can focus on more important things. McSkidy has been locked out of the Elf HQ admin panel. McGreedy has changed the password and setup a Captcha to make bruteforcing our way back in difficult. But perhaps we can leverage what we’ve learned about ML to attacking the Captcha.
Here we will be working with a ML model trained to identify characters (numbers in this case) from images like Captcha tests. We’ll be learning about how ML processes images and simplifies the problem for efficiency without sacrificing accuracy and we can automate our Captcha attempts as well as password guesses to hack back into the admin panel.
With that done, we have learned to use machine learning both defensively and offensively. We have protected business operations by identifying defective toys on the product line and tracing their origin to address the root cause; we have secured the company email inboxes against (potentially harmful) spam; and we have used a machine to attack a check intended to prevent a machine gaining automated access (savour the irony). We can make sure that we produce enough toys of the highest quality to meet our target for the big delivery on the 24th, we can focus on important communications in our uncluttered inboxes and McSkidy has gotten control over the admin panel again.
Day 17: Traffic analysis
Today we are looking at traffic analysis. With the traffic flow data captured, we should be able to identify the infected host on our network and the IP address of McGreedy’s C2 server. We will be analysing network flow using the SiLK suite of tools to identify suspicious network activity and carry our further analysis.
We are guided through all the steps necessary to complete today’s challenge and it serves as a good introduction to traffic analysis and, in particular, the SiLK quite of tools and what you can do with them.
Day 18: Eradication
Someone has installed a cryptominer on the systems and it is proving difficult to remove. I’m not going to point the finger at any McGreedy… er… greedy elf who might have done such a thing, but we need to deal with this thing hogging up our resources.
We can do everything we need to complete this challenge on the Linux command line using the normal tools provided. We will get more familiarity with the Linux command line, learn how we can kill unwanted persistent processes and how to eradicate them from our machine.
Day 19 : Memory forensics
More digital forensics (Go Blue Team!) on day 19. It seems that Santa’s Security Operations Centre (SSOC) identified a problem when the cryptominer was deployed and the quick-thinking Forensic McBlue captured a memory dump for us to investigate. Now we can analyse it and try to understand what has happened and how.
For this challenge we are working with Volatility and will learn some good practices and techniques to apply to memory forensics. Volatility is a powerful tool for analysing volatile data (a dump of a computer’s RAM at a given point in time). This tool helps forensic investigators understand the state of a machine around the time a memory dump is captured, which is an important step in incident response.
Today’s challenge is another walkthrough of the steps needed to complete the tasks, but pay attention if you have an interest in digital forensics. This is a good one for introducing you to one of the many important tools in this field.
Day 20 & 21: DevSecOps
Days 20 and 21 are all about DevSecOps – that is DevOps with a focus on security. We’re looking at poisoned pipeline execution (PPE) that has been used in our GitLab environment to attack an advent calendar web application on Day 20. But that’s not all, we’re getting to work with Detective Frosteau again. Although you might have seen him around the past few days, he’s not really had much to say. I’m glad to be working with the gumshoe once again.
On Day 21, we’re working with a Git environment again, but this one is linked to Jenkins (an automation platform to handle our builds from Git). The task today is to exploit an indirect PPE vulnerability that arises from a discrepancy between how our Git and how Jenkins are configured. Day 21 doesn’t hold your hand so much as previous days, but if you have a basic familiarity with the Linux command line then all the other information you need to succeed is provided. If you are stuck then look at the hints.
As you might expect, this challenge teaches us about Git, DevSecOps and PPE. Just a heads up for Day 20 though, when you are asked to submit the commit ID in question 5, it’s the short version that is visible on screen rather than the full commit ID. Make sure you only copy the first 8 digits of the full commit by highlighting and copying the text version that appears on screen when you are looking at the relevant file. Clicking the copy icon copies the full (longer) commit ID.
Day 22: SSRF
We’re finally going to shut down McGreedy’s C2 server. That should limit the damage that greedy elf can do. How are we going to do this? We’re going to hack into the server by exploiting a vulnerability to server-side request forgery (SSRF). It seems while McGreedy has been undermining our security from within and exploiting other existing vulnerabilities, he’s failed to maintain his own security.
Normally, I’d be saying how everything you need to accomplish today’s tasks is given in the task description, but this one is even more helpful. McGreedy has pretty much given everything we need on his own command and control server. Have a look for yourself. It’s all there. …okay so the task description does explain how to exploit SSRF and how to setup your hosts file in case you haven’t done that before, but McGreedy has everything we need to save us stumbling around in the dark.
Day 23: Coerced authentication
McSkidy’s been locked out of yet another system by McGreedy. It’s down to us to recover access. We’ll be doing this by capturing the authentication attempt using responder, but with so many people working from home and connecting over VPN, we’ll need a way to force or coerce authentication to take place under conditions we control. With coerced authentication, we can direct AD authentication to send to our machine where we will be ready to capture the password hash. Then it’s a simple matter of cracking the hash to regain control over McSkidy’s admin account.
With that done, we just have one day left to fend of McGreedy’s attacks and another Christmas is saved!
Day 24: Mobile analysis
Finishing off on another digital forensics task makes me happy. Finishing off on a digital forensics task were we grab some concrete evidence on McGreedy makes me ecstatic. It’s time we dealt with the menace!
On this last day we’re analysing an image that has been cloned of McGreedy’s work phone. If we find evidence of his misdeeds on this, there is no denying it. We’ll have him!
The trial
We have McGreedy on trial for his crimes! Judge Claus presiding. To finish of the Advent of Cyber for 2023, we are presenting our evidence against McGreedy in a fun little minigame. If we convince Santa of McGreedy’s guilt then we’ll have done our job well. Good luck.
