TryHackMe: Advent of Cyber Security

Lakshitha Wisumperuma
8 min read · May 9, 2020

Recently, with all the free time I could manage, I followed Advent of Cyber Security in 25 Days, where you learn the basics of cyber security in a practical way by doing beginner-friendly security challenges.

Cyber Security Image on Pixels

This consists of 25 challenges, one for each day. The first five tasks, however, focus on setting up the environment, which is pretty basic; with the sixth task, called day one, the challenges start.

Challenge Link: https://tryhackme.com/room/25daysofchristmas

Day One : Inventory Management

You'll first deploy your virtual machine and, with OpenVPN connected, access http://<your_machines_ip>:3000. Next, open the Inspect Element console (also called Dev tools) in your browser (press F12) and check for cookies under the Application tab; you'll see that you have no cookies, because you are not logged in. The next step is to register and log in, then check your cookies again and voila! This gives you the answer to the first question.

Screenshot showing no cookies

Now for the second question, you have to decode the cookie. The cookie is base64 encoded, so Google a base64 encoder and decoder; I used Base64Encoder. (You might need to swap the URL-encoded equal signs (%3D) for actual equal signs (=).) When you decode it, you'll notice it is your username concatenated with another string value. Could the other part be the answer to the second question? Enter it and find out!

Now to the last part. You have to find what the user mcinventory requested after logging into his account. You only know his username, so how can you log in to his account? One thing you need to know is that cookies are small pieces of information websites store on your computer, and they hold your session ID. While you're logged into Medium.com, try deleting the cookies used by Medium and you'll be logged out automatically, because your session ID has been removed. So in this case, what if we had mcinventory's session ID? That could work, right, assuming it is indeed his username? So let's reverse engineer it. We know the username mcinventory and we know the static string we extracted before. Let's concatenate the two and base64-encode the result. Now copy that encoded value into the "Value" field of your session cookie and press enter. Reload the page and, guess what, it works like a charm. You've got the answer to the final question right there, done!
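To see why that cookie could be swapped for another user's, and what a safe design looks like, here is an added Python example (not the room's code): a session cookie built the way the room's one is, base64 of the username plus a fixed string, beside an HMAC-signed cookie that only the server can mint. The fixed suffix and the server key are constructed placeholders.

```python
import base64
import hashlib
import hmac

# Constructed placeholders: the room's real fixed string is not reproduced here,
# and a real server would load its key from configuration, never from source.
STATIC_SUFFIX = "fixed-string"
SERVER_KEY = b"constructed-server-only-key"


def weak_cookie(username):
    """The room's scheme: base64(username + fixed string). Nothing in it is
    secret, so anyone who learns the fixed string can mint any user's cookie."""
    return base64.b64encode(f"{username}{STATIC_SUFFIX}".encode()).decode()


def weak_cookie_user(cookie):
    """The vulnerable server trusts whatever username the cookie decodes to."""
    decoded = base64.b64decode(cookie).decode()
    if not decoded.endswith(STATIC_SUFFIX):
        return None
    return decoded[: -len(STATIC_SUFFIX)]


def signed_cookie(username):
    """Hardened scheme: the payload carries an HMAC-SHA256 tag under a key only
    the server holds, so a client cannot produce a valid tag for another name.
    (A real deployment would also add an expiry or use random server-side IDs.)"""
    payload = base64.urlsafe_b64encode(username.encode()).decode()
    tag = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def signed_cookie_user(cookie):
    """Return the username only when the tag verifies; None if forged/malformed."""
    if "." not in cookie:
        return None
    payload, tag = cookie.split(".", 1)
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    # compare_digest avoids leaking the correct tag through timing differences
    if not hmac.compare_digest(expected, tag):
        return None
    try:
        return base64.urlsafe_b64decode(payload).decode()
    except (ValueError, UnicodeDecodeError):
        return None


if __name__ == "__main__":
    print(weak_cookie_user(weak_cookie("mcinventory")))  # mcinventory, no password needed
    good = signed_cookie("alice")
    forged = signed_cookie("mcinventory").split(".")[0] + "." + good.split(".")[1]
    print(signed_cookie_user(good), signed_cookie_user(forged))  # alice None
```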

Remember, each challenge comes with a Google Doc that helps you understand the logic behind everything; this one covers the basics of how websites run and how cookies work. If you're struggling with the theory, maybe read that first.

Day Two: Arctic Forum

So, day two of the Christmas challenge. This is a pretty easy task if you know the right tool for the job. The task tells us to deploy a virtual machine and navigate to http://<your_machines_ip>:3000 like before. Once again we find ourselves looking at a login screen, but without any register form. After looking at the code you'll notice there is nothing of particular interest here, so we'll move on and see if we can find any special files or directories on this website. You can do it with Dirb, Gobuster, DirSearch or DirBuster, which is what I used. After a few minutes DirBuster gives us a list of files it found on the server; most of these aren't of any interest to us, but one in particular stands out with an HTTP response of 200, meaning an available page on the server. That is the answer to your first question.

Screenshot showing Dirbuster

Moving on to the second question: navigate to that path, http://<your_machines_ip>:3000/<hidden-path>, and you'll discover a hidden admin login page. Let's open up the source code again and check; you'll see a comment telling us who made the admin page, which also directs us to a GitHub repository, so let's go there.

Screenshot showing Github Repository

Credentials in a README.md file; looks like being a little detective paid off. (Note that this would never, okay, will almost never happen in a real scenario.) There is the answer to your second question. The last one is pretty easy: type in the credentials and log in, which gives the answer to your final question.

Day Three: Evil Elf

We'll start by opening the given file Evil Elf.pcap with Wireshark. The first question is pretty basic; it tells you where to look and you'll find the destination of the packet without any hindrance. The second question asks us what item is on the Christmas list, so we're going to look for specific data transferred in the given .pcap file. To do that, right-click packet 998, select Follow and then TCP Stream. This gives us the data sent between the two computers in that particular TCP connection.

Screenshot showing TCP Stream

In the first line there is a bash command, and with that you'll find the answer to the second question. Moving to the third question, the second line is a request from the local computer asking the remote computer to show the file named shadow in the /etc directory. The shadow file contains information about user passwords, stored when a new user is created. At the bottom of the stream is the user "buddy"; we need to crack his password. His line contains his username, password hash and some other data, separated by colons. In the last line, after buddy:, extract the value up to the next colon and save it in a txt file; you'll need that later. What you need to know is that hash values cannot be decrypted: these functions are not reversible. You'll get more information about that in the provided Google Doc with supporting material. Follow the walkthrough in the document.

Day Four: Training

Going all hands on deck, we are learning Linux ❤. The first thing it tells us to do is access the machine via SSH on port 22 using the command:

ssh mcsysadmin@[your-machines-ip]

Deploy a virtual machine and type the above into a console; enter the password when prompted and you'll be in.

The first question is pretty basic; if you are familiar with Linux, you can type the ls command, which lists all the files in the current directory. The next question asks us what's in the fifth file. The command for printing the contents of a file is cat <filename>; in this case, type cat file5 and press enter to get the answer to the second question. Question three is about finding a string in a directory. You can do it manually, but the efficient way is the grep command: type grep -l -e "password" * . So what are those options? -l outputs only the file name, -e specifies the pattern to search for, and * expands to all the files in the current directory, which are the files grep searches. That was easy, right? Let's move to the next question.

For question four we need pattern matching, so we use a regex. We can find the answer using:

cat * | grep -Eo "([0-9]{1,3}[\.]){3}[0-9]{1,3}"

Here "([0-9]{1,3}[\.]){3}[0-9]{1,3}" is the regex pattern. cat * outputs every file in the directory, | is the bash concept called piping, -E says we're using an extended regex and -o means we only want it to output the part that matched. Run it and you'll find your answer.
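As an added Python example (not the room's own code), here is the same pattern ported from the grep -Eo command above and run over a few constructed lines standing in for the output of cat *; it goes one step further than the room and checks that each octet is 0-255, since the regex alone also matches strings like 999.1.1.1.

```python
import re

# Same pattern as the grep -E one: [\.] written as \. and a non-capturing
# group so findall returns the whole match, the way grep -o prints it.
IP_SHAPED = re.compile(r"(?:[0-9]{1,3}\.){3}[0-9]{1,3}")

# Constructed sample standing in for the concatenated output of cat *.
SAMPLE = """file1: server listens on 10.0.0.5 port 22
file2: bogus address 999.1.1.1 should not count
file3: last login from 192.168.1.20 at 09:41
file4: version 1.2.3.4.5 shows the pattern also bites inside longer dotted strings
"""


def find_ip_shaped(text):
    """What grep -Eo returns: every substring shaped like a dotted quad."""
    return IP_SHAPED.findall(text)


def is_valid_ipv4(candidate):
    """The check the regex cannot express: every octet must be 0-255."""
    return all(0 <= int(octet) <= 255 for octet in candidate.split("."))


def find_ipv4(text):
    """Regex matches filtered down to syntactically valid IPv4 addresses."""
    return [ip for ip in find_ip_shaped(text) if is_valid_ipv4(ip)]


if __name__ == "__main__":
    for line in SAMPLE.splitlines():
        print(find_ip_shaped(line), "->", find_ipv4(line))
```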

Question five asks how many users can log into the machine. Use the command cd .. to move up, list all the folders and count the number of sub-directories in the home directory; you'll have your answer. For question six, move back to mcsysadmin's home directory and type sha1sum file8 to find the answer; the sha1sum command computes the SHA-1 message digest of a file. Now to the last question of the day. We could look at the password hashes in the /etc/shadow file, but we do not have superuser privileges. Maybe we can find a backup of that file instead? Let's try the command

find / 2>>/dev/null | grep "shadow.bak"

And it gives us an output, right? Open it and find the answer to the final question.

Day Five: Training

Day five is an OSINT challenge and we have an image. What do we do with it? Let's check the image metadata with ExifTool. Download the image and, in the same directory, run exiftool thegrinch.jpg. Extract the creator name and Google it; you'll end up with her Twitter account, birthday, current occupation and phone. Answers to three questions just like that. Now let's check her website. The next question is a bit tricky: head over to the Wayback Machine, paste Lola's website URL into the search box and check how far back its history goes, which gives you the answer to the fourth question, though you have to do a small calculation.

The final part is pretty easy: drag and drop that image into the Google Images search bar and do a reverse image search. And you're done with day five!

This has already become a bit too long a post; maybe I'll catch up again with another story on the journey.

Stay Curious! :)
