Advent of Cyber Prep Track

A short TryHackMe tutorial

New tasks are released daily at 4pm GMT, with the first challenge being released on 1st December all aimed at beginners. Each task in the event will include instructions on how to interact with the practical material. Please follow them carefully! The instructions will include a connection card similar to the one shown below:

Let's work our way through the different options.

If the AttackBox option is available:

TryHackMe's AttackBox is an Ubuntu Virtual Machine hosted in the cloud. Think of the AttackBox as your virtual computer, which you would use to conduct a security engagement. There will be multiple tasks during the event that will ask you to deploy the AttackBox.

You can deploy the AttackBox by clicking the "Start AttackBox" button at the top of this page.

Using the web-based AttackBox, you can complete exercises through your browser. If you're a regular user, you can deploy the AttackBox for free for 1 hour a day. If you're subscribed, you can deploy it for an unlimited amount of time!

Please note that you can use your own attacker machine instead of the AttackBox. In that case, you will need to connect using OpenVPN. Instructions on how to set up OpenVPN are here.

You can open the AttackBox full-screen view in a new tab using this button:

If the VM option is available:

Most tasks in Advent of Cyber will have a virtual machine attached to them. You will use some of them as targets to train your offensive security skills and some of them as hosts for your analysis and investigations. If this option is available, you need to click the "Start Machine" button.

After the machine is deployed, you will see a frame appear at the top of the room. It will display some important information, like the IP address of the target machine, as well as options to extend the machine's timer or terminate it.

If the split-screen option is available:

Some tasks will allow you to view your deployed VM in a split-screen view. Typically, if this option is enabled, the split screen will open automatically. If it doesn't, you can click this button at the top of the page for the split screen to open.

Please note that you can open split-screen virtual machines in another tab using this button:

If there's a direct link available:

Some virtual machines allow you to view the necessary content directly in another tab on your browser. In this case, you'll be able to see a link to the virtual machine directly in the task content.

Please note that for the link to work, you first need to deploy the virtual machine attached to the task.

If there is a direct connection option available:

Some tasks will allow you to connect to the virtual machines attached using RDP, SSH, or VNC. This is always optional, and virtual machines with this enabled will also be accessible via a split screen. In these cases, login credentials will be provided, like in the image below:

We provide this as some users might prefer to connect directly. However, please note that some tasks will deliberately have this option disabled. If no credentials are given, direct connection is not possible. Now that the admin is out of the way, are you ready to get warmed up for this year's event?

Join our community

Follow us on social media for exclusive giveaways, Advent of Cyber rooms releases, and your weekly missions! 

Join our Discord

Discord is the heartbeat of the TryHackMe community. It's where we go to connect with fellow hackers, get help with difficult rooms, and find out when a new room launches. Our Discord server has over 326,000 members (and continues to grow every day), so there's always something happening.

Are you excited about Advent of Cyber? Visit a dedicated channel on our Discord, where you can chat with other participants in the event and follow the daily releases!

If you haven't used it before, it's very easy to set up (we recommend installing the app). We'll ask a couple of onboarding questions to help figure out which channels are most relevant to you.

What do you get with Discord?

There are so many benefits to joining:

• Discuss the day's Advent of Cyber challenges and receive support in a dedicated channel.
• Discover how to improve your job applications and fast-track your way into a cyber career.
• Learn about upcoming TryHackMe events and challenges.
• Browse discussion forums for all of our learning paths and releases.

Click on this link to join our Discord Server: Join the Community!

Grab your swag!

Want to rep swag from your favourite cyber security training platform? We have a NEW special edition Advent of Cyber swag, now available for order!

Let's Get Warmed Up

The snow has started falling in Wareville, home of The Best Festival Company (TBFC). The team is preparing for SOCMAS, the annual cyber celebration, but something’s not right. Systems are glitching, passwords are failing, and McSkidy suspects something is afoot. This name keeps coming up: King Malhare. What could it mean?

Before joining the SOCMAS Response Team, you can complete 10 short missions to ensure you are ready. Each one teaches an essential cyber security skill and uncovers clues to help get you ready for Advent of Cyber 2025.

How it Works

To start each challenge, click the “View Site” button in the top-right corner of the task page. You’ll need to press this button again for every new task, as each one loads its own challenge site. Once clicked, the room will open in a split-screen view, letting you follow the instructions on the left while interacting with the challenge on the right. This is where you’ll complete all of our interactive challenges to get you ready for this year's event!

Password Pandemonium

As you log into your new TBFC workstation, an alert pops up:

“Weak passwords detected on 73 TBFC accounts!”

Even McSkidy’s password, P@ssw0rd123, has been flagged. Before gaining full access, you’ll need to prove your password prowess.

Strong passwords are one of the simplest yet most effective defences against cyber attacks.

Objective:
Create a password that passes all system checks and isn’t found in the leaked password list.

Steps:

1. Enter a password with at least 12 characters.

2. Include uppercase, lowercase, numbers, and symbols.

3. Ensure it isn’t in the breach database.

The Suspicious Chocolate.exe

A shiny USB labelled “SOCMAS Party Playlist” appears on your desk. Inside is a mysterious file called chocolate.exe.
It looks festive, but who sent it?

In this challenge, you’ll scan the file using a simulated VirusTotal tool to decide whether it’s safe or malicious.
Checking suspicious files is a crucial skill for every defender.

Objective:
Determine if chocolate.exe is safe or infected.

Steps:

1. Click the “Scan” Button.

2. Review the scan report (49 clean results, 1 malicious).

3. Decide correctly whether the file is safe or dangerous.

Welcome to the AttackBox!

You step into TBFC’s AttackBox, a secure virtual environment built for training. The system hums quietly, waiting for your first command.

This is where defenders learn, break, and rebuild safely. Getting comfortable with the command line is your first step toward cyber mastery.

Objective:
Find and read the hidden welcome message inside your AttackBox.

Steps:

1. Use ls to list files.

2. Use cd challenges/ to change directories.

3. Use cat welcome.txt to read the text file.

The CMD Conundrum

McSkidy’s workstation shows signs of tampering, suspicious files moved, logs wiped, and a strange folder named mystery_data.

It’s time to use the Windows Command Prompt to uncover what’s hidden.
Learning these commands helps you investigate systems and find what the GUI can’t.

Objective:
Find the hidden flag file using Windows commands.

Steps:

1. Use dir to list visible files.

2. Try dir /a to reveal hidden ones.

3. Use type hidden_flag.txt to read the flag.

Linux Lore

TBFC’s delivery drones are glitching, dropping eggs instead of presents! McSkidy’s last login came from a Linux server, and something in his account might explain why.

Linux powers most servers worldwide, and knowing how to search within it is a must for any defender.

Objective:
Locate McSkidy’s hidden message in his Linux home directory.

Steps:

1. Use cd /home/mcskidy/ to enter his folder.

2. Run ls -la to show all files.

3. Use cat .secret_message to reveal the flag.

The Leak in the List

Rumours swirl that TBFC’s data has been leaked. Emails are bouncing, and the staff are panicking.
McSkidy suspects his account might have been part of a breach.

Defenders often use tools like Have I Been Pwned to check for compromised accounts. Early detection can stop an attack from spreading.

Objective:
Check if McSkidy’s email has appeared in a breach.

Steps:

1. Enter [email protected] into the breach checker.

2. Review results for each domain.

3. Identify the one marked “Compromised.”

WiFi Woes in Wareville

The TBFC drones are looping endlessly over Wareville Square. Someone logged into the company router using default credentials!

Securing WiFi is critical. Default passwords are like leaving the front gate wide open.

Objective:
Log into the router and secure it with a strong new password.

Steps:

1. Log in with username admin and password admin.

2. Go to “Security Settings.”

3. Set a new strong password that passes validation.

The App Trap

McSkidy’s social account has gone rogue, posting strange messages about “EASTMAS.” A suspicious third party app may be behind it.

Learning to review and manage app permissions helps stop data leaks before they start.

Objective:
Find and remove the malicious connected app.

Steps:

1. Review the list of connected apps.

2. Look for one with unusual permissions (like “password vault” access).

3. Click “Revoke Access.”

The Chatbot Confession

TBFC’s AI assistant, FestiveBot, was meant to help write cheerful emails, but it’s been spilling secrets.
Some messages reveal internal URLs and even passwords.

AI tools can be powerful, but defenders must know how to prevent them from oversharing.

Objective:
Identify which chatbot messages contain sensitive information.

Steps:

1. Read each line of the conversation.

2. Select the ones containing private data.

3. Submit your findings.

The Bunny’s Browser Trail

SOCMAS web servers are showing heavy traffic, but one log entry stands out:

“User Agent: BunnyOS/1.0 (HopSecBot)”

Someone or something has infiltrated the system.
User Agent strings help defenders spot automated or suspicious visitors in network logs.

Objective:
Find the unusual User Agent in the HTTP log.

Steps:

1. Read the provided web log entries.

2. Compare them to common browsers (Chrome, Firefox, Edge).

3. Identify and select the suspicious entry.

Consider Yourself Warmed Up!

Well done for making your way through Advent of Cyber 2025's Prep Track! These mini challenges have been designed to familiarise you with some of the key tricks and tools you'll need at your disposal to help save SOC-mas in this year's event. If you're looking to start your cyber security journey, there's no better place to do it than with us, as we take you on a tour of topics from Linux CLI to Prompt Injection, getting you up to speed with the world of cyber and all, while earning chances to win some of our amazing prizes in our annual AoC giveaway!

Sounds like fun? It is! And you can wait for the fun to begin at this year's Advent of Cyber landing page!