🎄 Advent of Cyber 4 (2022)

Get started with Cyber Security in 24 Days - learn the basics by doing a new, beginner-friendly security challenge every day leading up to Christmas.

Room Attributes

Subscription Required: False [Free]
Type: Walkthroughs
Difficulty: Easy
Tags: beginner, christmas, challenge, advent

Task 6 [Day 1] Frameworks Someone's coming to town!

Your task is to help the Elves solve a puzzle left for them to identify who is trying to stop Christmas. Click the View Site button at the top of the task to launch the static site in split view. You may have to open the static site on a new window and zoom in for a clearer view of the puzzle pieces.

Puzzle Solutions

Puzzle 1/3

Puzzle 2/3

Puzzle 3/3

Once you complete the puzzles, you'll be presented with a defaced site containing the flag and a calling card from the malicious actor:

Who is the adversary that attacked Santa's network this year?


🚩The Bandit Yeti

What's the flag that they left behind?


🚩THM{IT'S A Y3T1 CHR1$TMA$}


Task 7 [Day 2] Log Analysis Santa's Naughty & Nice Log!

Ensure you are connected to the deployable machine in this task.


Use the ls command to list the files present in the current directory. How many log files are present?


🚩2

Elf McSkidy managed to capture the logs generated by the web server. What is the name of this log file?


🚩webserver.log

Begin investigating the log file from question #3 to answer the following questions.


On what day was Santa's naughty and nice list stolen?


🚩Friday

What is the IP address of the attacker?


🚩10.10.249.191

What is the name of the important list that the attacker stole from Santa?


🚩santaslist.txt

Look through the log files for the flag. The format of the flag is: THM{}


🚩THM{STOLENSANTASLIST}

Interested in log analysis? We recommend the Windows Event Logs room or the Endpoint Security Monitoring Module.


Task 8 [Day 3] OSINT Nothing escapes detective McRed

What is the name of the Registrar for the domain santagift.shop?

All the information you need can be found on https://who.is/whois/santagift.shop

🚩NAMECHEAP INC

Find the website's source code (repository) on github.com and open the file containing sensitive credentials. Can you find the flag?

All the information you need can be found on https://github.com/muhammadthm/SantaGiftShop

🚩{THM_OSINT_WORKS}

What is the name of the file containing passwords?

config.php contains several hardcoded secrets that are publicly readable in the source code.

🚩config.php

What is the name of the QA server associated with the website?


🚩qa.santagift.shop

What is the DB_PASSWORD that is being reused between the QA and PROD environments?


🚩S@nta2022

Check out this room if you'd like to learn more about Google Dorking!

Task 9 [Day 4] Scanning Scanning through the snow

What is the name of the HTTP server running on the remote host?


🚩Apache

What is the name of the service running on port 22 on the QA server?


🚩ssh

What flag can you find after successfully accessing the Samba service?


🚩{THM_SANTA_SMB_SERVER}

What is the password for the username santahr?


🚩santa25

If you want to learn more scanning techniques, we have a module dedicated to Nmap!