Invitation Received
You have an invitation to play a Squid Game.
In this game, you will play the defensive role and eliminate five attackers. Let us tell you before the game starts: this is not going to be easy. Fewer hints are provided in this room to challenge you. You won't believe it, but sometimes the best way to learn is to do your own research and come up with your own approach to solving the challenges. You will have all the tools needed to complete the challenge in the Virtual Machine.
We look forward to your writeups!
What is the prize for the winner?
You will get the credits for being awesome and also take away a bunch of knowledge.
And, on the final note, let the game begin!
Deploy the machine attached to this task; it will be visible in the split-screen view once it is ready.
If you don't see a virtual machine load, click the Show Split View button.
Attacker 1 will give you a warm-up before the hardest challenges yet to come... Try to push Attacker 1 outside the lines.
Good Luck!
What executable file is the maldoc trying to drop?
In what folder is it dropping the malicious executable? (hint: %Folder%)
Provide the name of the COM object the maldoc is trying to access.
Include the malicious IP and the php extension found in the maldoc. (Format: IP/name.php)
Find the phone number in the maldoc. (Answer format: xxx-xxx-xxxx)
Doing some static analysis, provide the type of maldoc this is under the keyword “AutoOpen”.
Provide the subject for this maldoc. (make sure to remove the extra whitespace)
Provide the stream number that contains a macro.
Provide the name of the stream that contains a macro.
Uh oh! Looks like you have got the next opponent - Attacker 2!
Ready for the challenge?
Provide the size (bytes) of the compiled code for the second stream that contains a macro.
Provide the largest number of bytes found while analyzing the streams.
Find the command located in the 'fun' field (make sure to reverse the string).
Provide the first domain found in the maldoc.
Provide the second domain found in the maldoc.
Provide the name of the first malicious DLL it retrieves from the C2 server.
How many DLLs does the maldoc retrieve from the domains?
Provide the path where the malicious DLLs are dropped.
What program is it using to run DLLs?
For how many seconds does the function in the maldoc sleep so that the malicious DLLs fully execute?
Which stream holds the main malicious script used to retrieve DLLs from the C2 domains? (Provide the name of the stream.)
Looks like Attacker 3 is trying to dominate a home base. Find his weaknesses and eliminate him.
What program is used to run the executable?
Provide the malicious URI included in the maldoc that was used to download the binary (without http/https).
What folder does the binary get dropped in?
You are very close to the finish line, but Attacker 4 is still standing in your way. Don't let him win!
Provide the name of the binary being dropped.
Provide the folder where the binary is being dropped to.
Provide the name of the second binary.
Provide the full URI from which the second binary was downloaded (exclude http/https).
Congratulations, my friend! You have made it to the final stage. Remember to use your brain, not your fists, to defeat Attacker 5.
You can do it!
What is the XOR decimal value found in the decoded-base64 script?
Provide the C2 IP address of the Cobalt Strike server.
Provide the full user-agent found.
Provide the path value for the Cobalt Strike shellcode.
Provide the port number of the Cobalt Strike C2 Server.
Provide the first two APIs found.
Room Type: Free Room. Anyone can deploy virtual machines in the room (without being subscribed)!
Users in Room: 4,298
Created: 1367 days ago