[The Story]
Just before the lead-up to Christmas, Santa’s company (The Best Festival Company) has been compromised by his nemesis (The Christmas Monster). Luckily, one of Santa’s elves has a background in security. Can they recover all their systems before the lead-up to Christmas?
It’s the evening of 30th November - the air in the arctic circle is filled with excitement, as every year. This year has been even smoother than previous years - Santa’s digitalisation program has made lives easier for everyone in the company. Elf McElferson, the CTO of the arctic circle, starts doing a couple of last-minute checks; everything has to be operating successfully running up to Christmas. With her warm hot chocolate next to her desk, all she needs to do is open the health dashboard and grin at all the green lights. She enters the URL of the dashboard and leans in closer to the screen, anxiously waiting for confirmation. The page loads faster than expected and she gets the initial glimpse of all green. Wait, the first indicator moves to red, and every other one follows.
In less than a minute, she and all her colleagues receive the following email:
Hey Crew!
We know that this is the busiest time of your year.
What a shame though - it looks like all of you are locked out of your systems and can’t do any work.
Boo hoo for Christmas
Santa’s Fav Nemesis,
Christmas Monster
McElferson jumps out of her seat and yells. This cannot be happening. How is she supposed to fix this - it’s only 25 days till Christmas and no one can do anything. She goes to the only person who knows about security on her team, Elf McSkidy (you), and asks them to use their l33t skills to fix this. They clearly have a big task ahead of them.
A new task will be revealed every day, and each task will be independent of the previous one. These challenges will cover the following topics:
- Linux Security
- Web Application Security
- Network Security
- Reverse Engineering
- Forensics
The challenges are designed for beginners and assume no previous knowledge of security. For more information on Prizes, Swag and event details please check out the Christmas page.
By completing these challenges, you give your consent to give your email to CompTIA (the competition sponsors)
Read the above.
When you deploy a machine on TryHackMe, you will need to be connected to our network using an OpenVPN client.
Information on connecting to our network and downloading your connection pack can be found on the access page.
If you have problems connecting, please email us or ask on the Discord!
Practise connecting to our network.
In this competition, points do not matter. Your leaderboard rank will not affect you.
For each task you get correct, you get a raffle ticket. On the 26th December we will choose the winners randomly using everyone's raffle tickets.
Also, every day you complete a challenge, you get entered into another prize draw, for the chance to win a mini-prize. The 'Daily Prizes' are drawn at the end of the week.
Read the above
Join the Discord server and say hi!
Follow us on Twitter.
If you don't have the right desktop environment or security tools on your computer, you can deploy and access your own Kali Linux machine directly in your browser. This also removes the need to be connected to our OpenVPN server!
You need to be subscribed to do this.
If you don't want to subscribe, each task will run through the tools needed and how to set them up on your local machine.
Read the above
The elves needed a way to submit their inventory: a web page where they submit their requests and where the elf mcinventory can look at what others have submitted and approve their requests. It’s a busy time for mcinventory as elves are starting to put in their orders. mcinventory rushes into McElferson’s office.
I don’t know what to do. We need to get inventory going. Elves can log on but I can’t actually authorise people’s requests! How will the rest start manufacturing what they want.
McElferson calls you to take a look at the website to see if there’s anything you can do to help. Deploy the machine and access the website at http://<your_machines_ip>:3000 - it can take up to 3 minutes for your machine to boot!
Supporting material for the challenge is here!
What is the name of the cookie used for authentication?
If you decode the cookie, what is the value of the fixed part of the cookie?
After accessing his account, what did the user mcinventory request?
A big part of working at the best festival company is the social life! The elves have always loved interacting with everyone. Unfortunately, the christmas monster took down their main form of communication - the arctic forum!
Elf McForum has been sobbing away in McElferson's office. How could the monster take down the forum! In an attempt to make McForum happy, McElferson sends you to McForum's office to help.
P.S. The challenge may take up to 5 minutes to boot up and configure!
Access the page at http://MACHINE_IP:3000
Check out the supporting material here!
What is the path of the hidden page?
What is the password you found?
What do you have to take to the 'partay'
An Elf-ministrator has a network capture file from a computer and needs help to figure out what went on! Are you able to help?
Supporting material for the challenge can be found here!
What's the destination IP on packet number 998?
What item is on the Christmas list?
Crack buddy's password!
With the entire incident, McElferson has been very stressed.
We need all hands on deck now
To help resolve things faster, she has asked you to help the new intern (mcsysadmin) get familiar with Linux.
Access the machine via SSH on port 22 using the command
ssh mcsysadmin@[your-machines-ip]
username: mcsysadmin
password: bestelf1234
Check out the supporting material here
How many visible files are there in the home directory (excluding ./ and ../)?
What is the content of file5?
Which file contains the string ‘password’?
What is the IP address in a file in the home folder?
How many users can log into the machine?
What is the sha1 hash of file8?
What is mcsysadmin’s password hash?
Elf Lola is an elf-of-interest. Has she been helping the Christmas Monster? Let's use all available data to find more information about her! We must protect The Best Festival Company!
Resources available here.
What is Lola's date of birth? Format: Month Date, Year (e.g. November 12, 2019)
What is Lola's current occupation?
What phone does Lola make?
What date did Lola first start her photography? Format: dd/mm/yyyy
What famous woman does Lola have on her web page?
"McElferson! McElferson! Come quickly!" yelled Elf-ministrator.
"What is it Elf-ministrator?" McElferson replies.
"Data has been stolen off of our servers!" Elf-ministrator says!
"What was stolen?" She replied.
"I... I'm not sure... They hid it very well, all I know is something is missing" they replied.
"I know just who to call" said McElferson...
Check out the supporting material here.
Challenge and supporting material created by Sq00ky.
What data was exfiltrated via DNS?
What did Little Timmy want to be for Christmas?
What was hidden within the file?
Previously, we saw mcsysadmin learning the basics of Linux. With the on-going crisis, McElferson has been very impressed and is looking to push mcsysadmin to the security team. One of the first things they have to do is look at some strange machines that they found on their network.
Check out the supporting material here.
How many TCP ports under 1000 are open?
What is the name of the OS of the host?
What version of SSH is running?
What is the name of the file that is accessible on the server you found running?
Elf Holly is suspicious of Elf-ministrator and wants to get onto the root account of a server he set up to see what files are on his account. The problem is, Holly is a low-privileged user. Can you escalate her privileges and hack your way into the root account?
Deploy and SSH into the machine.
Username: holly
Password: tuD@4vt0G*TU
SSH is not running on the standard port. You might need to nmap scan the machine to find which port SSH is running on.
nmap <machine_ip> -p <start_port>-<end_port>
Read the supporting materials here.
What port is SSH running on?
Find and run a file as igor. Read the file /home/igor/flag1.txt
Find another binary file that has the SUID bit set. Using this file, can you become the root user and read the /root/flag2.txt file?
McSkidy has been keeping inventory of all the infrastructure, but he finds a random web server running on port 3000. All he receives when accessing '/' is
{"value":"s","next":"f"}
McSkidy needs to access the next page at /f (which is the 'next' value received in the data above) and keep track of the 'value' at each step (in this case 's'). McSkidy needs to do this until both the 'value' and 'next' fields are equal to 'end'.
You can access the machines at the following IP:
- 10.10.169.100
Things to note about this challenge:
- The JSON object retrieved will need to be converted from unicode to ASCII (as shown in the supporting material)
- All the values retrieved until the 'end' will be the flag (end is not included in the flag)
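The traversal described above, as an added Python example that is not part of the original challenge or its supporting material. The names `follow_chain`, `http_fetch` and `SAMPLE_PAGES` are hypothetical, and every sample page other than the first response is constructed so the loop can be run offline; the visited-set guard is an addition for servers whose chain loops back on itself.

```python
import json
import urllib.request


def http_fetch(base_url):
    """Return a fetcher that GETs base_url + path, e.g. http://<ip>:3000."""
    def fetch(path):
        with urllib.request.urlopen(base_url + path, timeout=5) as resp:
            # Python 3 strings are already text; decoding as ASCII mirrors
            # the "unicode to ASCII" note in the task.
            return resp.read().decode("ascii")
    return fetch


def follow_chain(fetch, start="/", max_steps=1000):
    """Follow 'next' links from start, collecting 'value' until both are 'end'."""
    path, collected, seen = start, [], set()
    for _ in range(max_steps):
        if path in seen:
            # A chain that revisits a page would otherwise never finish.
            raise ValueError(f"loop detected at {path!r}")
        seen.add(path)
        page = json.loads(fetch(path))
        value, nxt = page["value"], page["next"]
        if value == "end" and nxt == "end":
            return "".join(collected)  # 'end' itself is not part of the result
        collected.append(value)
        path = "/" + nxt
    raise ValueError("chain did not terminate within max_steps")


# Constructed sample: only the first response appears on the page.
SAMPLE_PAGES = {
    "/": '{"value":"s","next":"f"}',
    "/f": '{"value":"k","next":"q"}',
    "/q": '{"value":"y","next":"z"}',
    "/z": '{"value":"end","next":"end"}',
}

if __name__ == "__main__":
    # Offline run against the constructed pages; swap in
    # http_fetch("http://<your_machines_ip>:3000") for a deployed machine.
    print(follow_chain(SAMPLE_PAGES.__getitem__))
```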
Check out the supporting material here.
What is the value of the flag?
Once deployed, the machine will take 4 to 5 minutes to boot and configure. Please be patient.
Hi Lindsey here. I've been a great Elf all year, but there was one incident and now I think I'm on Santa's naughty list.
What? You didn't think us elves got presents too? Well we do and we get first pick of the pressies!
Can you help me hack into Santa's system that keeps track of the naughty and nice people to see if I am on it?
Check out the blog post shown above to help you on this task.
Compromise the web server using Metasploit. What is flag1?
Now you've compromised the web server, get onto the main system. What is Santa's SSH password?
Who is on line 148 of the naughty list?
Who is on line 52 of the nice list?
McSkidy has been happy with the progress they've been making, but there's still so much to do. One of their main servers has some integral services running, but they can't access these services. Did the Christmas Monster lock them out?
Deploy the machine and start scanning the IP. The machine may take a few minutes to boot up.
Check out the supporting material here.
What is the password inside the creds.txt file?
What is the name of the file running on port 21?
What is the password after enumerating the database?
You think the Christmas Monster is intercepting and reading your messages! Elf Alice has sent you an encrypted message. It's your job to go and decrypt it!
Read the supporting materials here.
What is the md5 hashsum of the encrypted note1 file?
Where was elf Bob told to meet Alice?
Decrypt note2 and obtain the flag!
mcsysadmin has been super excited with their new security role, but wants to learn even more. In an attempt to show their l33t skills, they have found a new box to play with.
This challenge brings together all the things you've learnt from the previous challenges (that being said, it may be a little more difficult than the previous challenges). Here's the general way to attempt exploitation when just given an IP address:
- Start out with an NMAP scan to see what services are running
- Enumerate these services and try to exploit them
- Use these exploited services to get initial access to the host machine
- Enumerate the host machine to elevate privileges
Credit to DarkStar7471 for creating this challenge! Not all tasks will include supporting material!
A web server is running on the target. What is the hidden directory which the website lives on?
Gain initial access and read the contents of user.txt
[Optional] Elevate privileges and read the content of root.txt
McElferson opens today's newspaper and sees the headline
Private information leaked from the best festival company
This shocks her! She calls in her lead security consultant to find out more information about this. How do we not know about our own s3 bucket.
McSkidy's only starting point is a single bucket name: advent-bucket-one
Check out the supporting material here.
What is the name of the file you found?
What is in the file?
Elf Charlie likes to make notes and store them on his server. Are you able to take advantage of this functionality and crack his password?
Read the supporting materials here.
What is Charlie going to book a holiday to?
Read /etc/shadow and crack Charlie's password.
What is flag1.txt?
The Christmas monster got access to some files and made a lot of weird changes. Can you help fix these changes?
Use a (python) script to do the following:
- extract all the files in the archives
- extract metadata from the files
- extract text from the files
Use the questions to guide you on how to write the script. Check out the supporting material here.
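A sketch of the extraction and text-search steps above, added here and not taken from the challenge's supporting material. It walks nested zips in memory, counts the non-zip files, reports which ones contain a keyword, and rejects member names that would escape the extraction directory, since the archives have been tampered with. The function names and the sample archives are constructed for illustration; the metadata step needs a separate tool and is not covered.

```python
import io
import posixpath
import zipfile


def is_unsafe(name):
    """True for member names that would land outside the extraction root."""
    norm = posixpath.normpath(name.replace("\\", "/"))
    return norm.startswith("/") or norm == ".." or norm.startswith("../")


def walk_archive(data, prefix="", depth=0, max_depth=5):
    """Yield (path, bytes) for every non-zip file, descending into nested zips."""
    if depth > max_depth:
        raise ValueError("archive nesting too deep")  # guards against zip bombs
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if is_unsafe(info.filename):
                raise ValueError(f"unsafe member name: {info.filename!r}")
            body = zf.read(info)
            path = prefix + info.filename
            if info.filename.lower().endswith(".zip"):
                yield from walk_archive(body, path + "!/", depth + 1, max_depth)
            else:
                yield path, body


def summarize(data, needle=b"password"):
    """Return (number of non-zip files, paths whose content contains needle)."""
    files = list(walk_archive(data))
    return len(files), [path for path, body in files if needle in body]


def make_zip(members):
    """Build a zip in memory from {name: bytes}; used only for the samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed samples: a nested archive and one with a traversal name.
INNER = make_zip({"a.txt": b"nothing here", "b.txt": b"password: example-only"})
OUTER = make_zip({"inner.zip": INNER, "c.txt": b"hello"})
EVIL = make_zip({"../escape.txt": b"x"})

if __name__ == "__main__":
    print(summarize(OUTER))
```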
How many files did you extract (excluding all the .zip files)?
How many files contain Version: 1.1 in their metadata?
Which file contains the password?
You suspect Elf Molly is communicating with the Christmas Monster. Compromise her accounts by brute forcing them!
Use Hydra to brute force Elf Molly's password. Use the rockyou.txt password list, which can be found here.
Supporting materials can be found here.
This machine will take between 3-4 minutes to boot.
Use Hydra to bruteforce molly's web password. What is flag 1? (The flag is mistyped, it's THM, not TMH)
Use Hydra to bruteforce molly's SSH password. What is flag 2?
McSkidy knows the crisis isn't over. The best thing to do at this point is OSINT
we need to learn more about the christmas monster
During their OSINT, they came across a Hacker Forum. Their research has shown them that this forum belongs to the Christmas Monster. Can they gain access to the admin section of the forum? They haven't made an account yet so make sure to register.
Access the machine at http://[your-ip-address]:3000 - it may take a few minutes to deploy.
Check out the supporting material here.
P.S. If you want to learn more about XSS, we have a room where you can learn about it in depth.
What is the admin's authid cookie value?
Another day, another hack from the Christmas Monster. Can you get back control of the system?
Access the web server on http://[your-ip]:3000/
McSkidy actually found something interesting on the /api/cmd endpoint.
Check out the supporting material here.
What are the contents of the user.txt file?
You think the evil Christmas monster is acting on Elf Sam's account!
Hack into her account and escalate your privileges on this Linux machine.
There is no supporting material - the only new concept in this challenge is Linux cronjobs. Join our Discord if you're really struggling.
What port is SSH running on?
Crack sam's password and read flag1.txt
Escalate your privileges by taking advantage of a cronjob running every minute. What is flag2?
McSkidy has never really touched low level languages - this is something they must learn in their quest to defeat the Christmas monster.
Download the archive and apply the command to the following binary files: chmod +x file-name
Please note that these files are compiled to be executed on Linux x86-64 systems.
The questions below are regarding the challenge1 binary file.
Read the supporting materials here.
What is the value of local_ch when its corresponding movl instruction is called (first if multiple)?
What is the value of eax when the imull instruction is called?
What is the value of local_4h before eax is set to 0?
McSkidy has been faring well so far with assembly - they got some inside knowledge that the christmas monster is weaponizing if statements. Can they get ahead of the curve?
These programs have been compiled to be executed on Linux x86-64 systems.
Check out the supporting material here.
The questions below relate to the if2 binary.
What is the value of local_8h before the end of the main function?
What is the value of local_4h before the end of the main function?
Santa’s been inundated with Facebook messages containing Christmas wishlists, so Elf Jr. has taken an online course in developing a North Pole-exclusive social network, LapLANd! Unfortunately, he had to cut a few corners on security to complete the site in time for Christmas and now there are rumours spreading through the workshop about Santa! Can you gain access to LapLANd and find out the truth once and for all?
This machine may take up to 5 minutes to boot and configure.
Supporting material available here.
Which field is SQL injectable? Use the input name used in the HTML code.
What is Santa Claus' email address?
What is Santa Claus' plaintext password?
Santa has a secret! Which station is he meeting Mrs Mistletoe in?
Once you're logged in to LapLANd, there's a way you can gain a shell on the machine! Find a way to do so and read the file in /home/user/
McDatabaseAdmin has been trying out some new storage technology and came across the ELK stack (consisting of Elasticsearch, Logstash and Kibana).
The Christmas Monster found this insecurely configured instance and locked McDatabaseAdmin out of it. Can McSkidy help to retrieve the lost data?
While this task does not have supporting material, here is a general approach on how to go about this challenge:
- Scan the machine to look for open ports (and the specific services running on them)
- As with any database enumeration, check whether the database requires authentication. If not, enumerate the database to check the tables and records
- For other open ports, identify misconfigurations or public exploits based on version numbers
The machine may take up to 5 minutes to boot.
Find the password in the database
Read the contents of the /root.txt file
Complete another room on TryHackMe.