A Quiet SOC-mas
It's December 2024, and Elf McSkidy is preparing for the holidays. Last year, the Best Festival Company saw some indications of APT-level attacks by a group led by the Bandit Yeti. So far, there have been no new attacks this year, though. Finally, a quiet December at the Best Festival Company! Some say the Bandit Yeti finally surrendered, and some say he ran for office - some say Wareville's Mayor Malware sure does look familiar!
Nobody suspects the truth: their systems have already been compromised, and the Yeti has been silently lurking on their network for the whole year. While Elf McSkidy and her team were busy, he secretly got in, and now he’s given access to the Frosty Five ransomware gang to destroy the Best Festival Company once and for all!
Each member of the Frosty Five hacked into a different critical machine, installing a nasty piece of ransomware that locked everyone out. Each target could only be unlocked by a special keycard, but these were nowhere to be found: the rumour was that the Yeti took them with him. The Best Festival Company was in shambles, locked out of their own systems.
The elves tried to unlock the machines for days to no avail. "All hope is lost," Elf McSkidy said. "Without the keycards, we don't stand a chance. If only we knew where they were." Then suddenly, they received a call. "This is Glitch," McSkidy heard an unfamiliar voice. "I know your cousin, McSkidy Software, here in Wareville." Glitch then mentioned some problems with Wareville's Mayor and described him in great detail. "Tall and grumpy? Big red eyes?" The profile matched - Mayor Malware was the Bandit Yeti!
McSkidy quickly explained the ongoing ransomware attack. Glitch promised to be on the lookout for the ransomware keycards, in case the Mayor scattered them around Wareville. Maybe, after all, McSkidy's servers could be saved?
What Is the Advent of Cyber Side Quest?
The Advent of Cyber 2024 is an event hosted by TryHackMe. While the annual Advent of Cyber is a fully guided event accessible to users of all skill levels in cyber security, the Advent of Cyber Side Quest is prepared for advanced users.
The Advent of Cyber 2024 Side Quest is a series of five challenges in which you'll help Elf McSkidy recover access to the compromised servers and defeat the Frosty Five. These challenges will have no additional guidance and will range between "Hard" and "Insane" difficulty levels.
Please note that completing the Side Quest is entirely optional; you don't need to do it to enjoy the main Advent of Cyber 2024 event.
How To Find Side Quest Challenge Keycards
The Side Quest challenges will be published in this room, but you won't be able to access the virtual machines unless you have the corresponding keycard. To remove Frosty Five's first layer of defence, you must find the corresponding task's keycard with the password. Only then will you be able to access the challenge and try to hack back into the machine.
The keycards to the machines in this room will be scattered around the main Advent of Cyber 2024 room, hidden in some of the core event challenges. Stay vigilant for anything uncommon!
- To attempt Side Quest Challenge 1, you must find the L1 Keycard in the main Advent of Cyber room challenges. The password in the keycard will allow you to open the ZIP file provided by the machine. The keycard will be hidden between days 1 and 4.
- To attempt Side Quest Challenge 2, you must find the L2 Keycard in the main Advent of Cyber room challenges. The password in the keycard will allow you to tear down the VM's firewall so you can attack it. The keycard will be hidden between days 5 and 8.
- To attempt Side Quest Challenge 3, you must find the L3 Keycard in the main Advent of Cyber room challenges. The password in the keycard will allow you to tear down the VM's firewall so you can attack it. The keycard will be hidden between days 9 and 12.
- To attempt Side Quest Challenge 4, you must find the L4 Keycard in the main Advent of Cyber room challenges. The password on the keycard will allow you to tear down the VM's firewall and attack it. The keycard will be hidden between days 13 and 17.
- To attempt Side Quest Challenge 5, you must find the L5 Keycard in the main Advent of Cyber room challenges. The password in the keycard will allow you to tear down the VM's firewall so you can attack it. The keycard will be hidden between days 18 and 22.
Let's find the keycards!
Side Quest Prizes
All Side Quest participants will receive additional tickets to the Advent of Cyber main prize raffle: the more answers you give here, the more extra tickets you get! Solve the entire Side Quest for an increased chance to win one of the main prizes.
Additionally, the first three people to solve each challenge will win:
- 1st place: 100 GBP swag voucher, 1 year subscription voucher.
- 2nd place: 75 GBP swag voucher, 6-month subscription voucher.
- 3rd place: 50 GBP swag voucher, 3-month subscription voucher.
For the prize raffle terms and conditions, please visit this page.
Please note that even though teams are allowed for the event, the prizes will be assigned individually based on answer submission timestamps.
Badge
Submitting all flags in this room and completing it will award you the Defrosted Five badge:
Wallpaper
Download the Frosty Five wallpaper below!
Ready to win!
The Rules
Spread the word
Let people know about your participation! Feel free to post about it on social media and help us get as many people as possible on board to stop the Frosty Five!
Writeups, streaming & recording rules
The Advent of Cyber Side Quest is part of a competition and a raffle running through December 2024. As such, posting any writeups, videos, public streams, or details of the challenges is strictly forbidden until January 1st, 2025.
Teams allowed
We highly encourage you to join our Discord Server and find people to collaborate with to tackle the challenges. These challenges were devised to be difficult, so working together may give you an edge in finding the solutions. While there's no restriction on the size of teams, the prizes are assigned to individual accounts based on answer submission timestamps. Should you win a prize as a result of a team effort, you can give it away to one of your teammates.
Do not share the keycards
In the spirit of competition, please don't share any keycards you find with others outside your team. Keep the game fair and fun for everyone!
NO HINTS
Just as last year, McSkidy will be making sure no hints are shared in public channels.

Bans and disqualifications
Any users breaking the rules of the competition may be disqualified from the Side Quest and Advent of Cyber 2024 events, including prize draws.
I have read and accept the rules of the competition.
Ransomware Note #1
"By the time you read this, you've already been attacked. I'm in your machine and you won't get it back. You must be aware that the more you delay, the more information will be stolen away. Your SOC is so weak, I'll lend them a hand. Here's a PCAP of the attack, you can't beat this band! If your machine you want to recover, the password I stole you'll need to discover."
The first of our enemies is the Frostbite Fox. Known for being the slyest of them all. She's made her way into McSkidy's machine. Luckily for us, our great SOC detected it all in time. While the team focuses on securing the machine, you are tasked with recovering the password the Fox stole, so we can get McSkidy's data back.
Note: To attempt this challenge you will need to find the L1 Keycard in the main Advent of Cyber room challenges. The password in the keycard will allow you to open the ZIP file, which you can download from http://MACHINE_IP/aoc_sq_1.zip. The zip file is safe to download with MD5 of 044a78a6a1573c562bc18cefb761a578. In general, as a security practice, download the zip and analyze the forensic files on a dedicated virtual machine, and not on your host OS. The keycard will be hidden between days 1 and 4.
Note from Frostbite Fox: All of the questions can be answered directly from the ZIP file provided. Please do not investigate any other artefacts found, such as IP addresses and hostnames. No VMs or remote hosts need to be accessed during this challenge. If you find yourself doing so, take a step back and don't overthink it.
Sincerely
FF
What is the password the attacker used to register on the site?
What is the password that the attacker captured?
What is the password of the zip file transferred by the attacker?
What is McSkidy's password that was inside the database file stolen by the attacker?
Ransomware Note #2
It was the night before the Best Festival Company’s annual holiday production run, and their state-of-the-art robotic duo, YIN and YANG, were the pride of the operation. YIN handled precision crafting with unrivalled finesse, while YANG managed mass production at breathtaking speed. Together, they kept the toy lines humming, spreading joy to millions.
But in the shadows of the icy Arctic night, Penguin Zero, the tech genius of the Frostlings Five, had other plans.
The Hack
Using his signature cybernetic "Frost Override," Penguin Zero infiltrated the company’s network. With a few keystrokes and a sly grin, he uploaded a malicious script into YIN and YANG, seizing control of the robotic pair. Production came to an abrupt halt as the machines began churning out nothing but frozen figurines of the Frostlings Five. Their icy grins mocked the frantic elves, scrambling to regain control.
But YIN and YANG were designed to operate in perfect harmony, sharing critical data through an encrypted feedback loop. Penguin Zero, knowing the encryption's complexity, left a chilling message for the company: "Balance is key. Can you find it before your deadline melts away?"
The Challenge
Hacking YIN without YANG would result in corrupted files, rendering YIN useless. Similarly, hacking YANG without YIN would cause a fatal system error. The encryption tethered their systems in a perfect symbiosis. They communicate using the language of turtle robots.
You can connect to YIN using the following:

| Username | yin |
| Password | yang |
| IP | MACHINE_IP |
You can find and start YANG from this room.
Note: This challenge requires you to start two VMs simultaneously. Be sure to start both at the same time. You can't hack one without the other.
What is the flag for YIN?
What is the flag for YANG?
Ransomware Note #3
Guess what? I just hit the jackpot in your network. Your construction permit server is now mine. Without it, BFC won't be able to grow as needed to cope with the current toy demand. Who would say such a small company had so much bureaucracy? I even managed to hack your old text-based service. Talk about a blast from the 90's!
The Blizzard Bear, a mysterious figure, appears to have cracked the defences of the Best Festival Company security team. His elusive nature and unmatched cracking skills got him a critical server. This bear might look small, but he can ROAR for sure!
Can you match the Blizzard Bear skills and find a way to stop the backdoor from running by taking back control of the compromised machine?
Note: To attempt this challenge you will need to find the L3 Keycard in the main Advent of Cyber room challenges. The password in the keycard will allow you to tear down the VM's firewall so you can attack it. The keycard will be hidden between days 9 and 12.
What is the content of the file foothold.txt?
What is the content of the file user.txt?
What is the content of the file root.txt?
Ransomware Note #4
"Looks like I misplaced my naughty list. I was on the hunt for a new one for a bit, and then I stumbled upon this server—an Active Directory, of all things! Just a heads up, all your users are now part of the game. The Krampus is out to snatch your naughty elves. Will they end up all in my bag, or will you find a way to take control back?"
As if the elves hadn't enough already, the Kewl Krampus got their AD in its bag. He is even using it as we speak. His assistant is even sending emails and all from it. Will you be able to recover access before the Krampus your info snatches?
Note: To attempt this challenge you will need to find the L4 Keycard in the main Advent of Cyber room challenges. The password in the keycard will allow you to tear down the VM's firewall so you can attack it. The keycard will be hidden between days 13 and 17.
The VM does take about 4 minutes to fully boot up.
What is the content of flag.txt?
What is the content of user.txt?
What is the content of root.txt?
Ransomware Note #5
"You got caught in the avalanche. I compromised most of your web applications without being detected. You can't compete with a leopard's speed. Who cares about getting root in your machine if all your data is stored on exposed apps? Not that I didn't get root, though."
There is little information about the Avalanche Leopard. Some say he is the fastest leopard on earth, and some say he is a raccoon with an AI-generated name. We may never know for sure. All we've heard is he likes arriving late and making a flashy entrance. With all our web apps compromised, he sure did. Let's retrace his steps and get back our apps. One more villain to go!
Note: To attempt this challenge you will need to find the L5 Keycard in the main Advent of Cyber room challenges. The password in the keycard will allow you to tear down the VM's firewall so you can attack it. The keycard will be hidden between days 18 and 22.
Note: The VM takes about 5 minutes to properly boot up.
What is the value of flag 1?
What is the value of flag 2?
What is the value of flag 3?
What is the value of flag 4?
Hello,
Congratulations on getting to the last task of Advent of Cyber Side Quest! We appreciate you being here. Whether you solved all side quests or just answered some questions, we hope you enjoyed it.
We plan to return with the Side Quest next year. For Side Quest 2025 to be exceptional, we need your feedback! We have prepared a short survey that will take only 2 minutes to fill out and grant you the flag to solve this last task.
See you in 2025!
The TryHackMe Team
What is the flag you get at the end of the survey? Please make sure to copy the flag before closing the tab!
Room Type
Free Room. Anyone can deploy virtual machines in the room (without being subscribed)!
Users in Room
15,263
Created
251 days ago