🎄Advent of Cyber 4 (2022)

Get started with Cyber Security in 24 Days - learn the basics by doing a new, beginner-friendly security challenge every day leading up to Christmas.

Room Attributes	Value
Subscription Required	False [Free]
Type	Walkthroughs
Difficulty	Easy
Tags	beginner, christmas, challenge, advent

Task 6 [Day 1] Frameworks Someone's coming to town!

Your task is to help the Elves solve a puzzle left for them to identify who is trying to stop Christmas. Click the View Site button at the top of the task to launch the static site in split view. You may have to open the static site on a new window and zoom in for a clearer view of the puzzle pieces.

Puzzle Solutions

Puzzle 1/3

Puzzle 2/3

Puzzle 3/3

Once you complete the puzzles you'll be presented with defaced site containing the flag and a calling card from the malicious actor:

Who is the adversary that attacked Santa's network this year?

Reveal Flag 🚩

🚩The Bandit Yeti

What's the flag that they left behind?

Reveal Flag 🚩

🚩THM{IT'S A Y3T1 CHR1$TMA$}

Looking to learn more? Check out the rooms on Unified Kill Chain, Cyber Kill Chain, MITRE, or the whole Cyber Defence Frameworks module!

No answer needed

Task 7 [Day 2] Log Analysis Santa's Naughty & Nice Log!

Ensure you are connected to the deployable machine in this task.

No answer needed

Use the ls command to list the files present in the current directory. How many log files are present?

HINT: The directory needs to be /home/elfmcblue. You can use cd to change to this cd /home/elfmcblue

Reveal Flag 🚩

🚩2

Elf McSkidy managed to capture the logs generated by the web server. What is the name of this log file?

HINT: You can use the lscommand to list the files present in the directory.

Reveal Flag 🚩

🚩webserver.log

Begin investigating the log file from question #3 to answer the following questions.

No answer needed

On what day was Santa's naughty and nice list stolen?

HINT: This answer is looking for a day in the week.

Reveal Flag 🚩

🚩Friday

What is the IP address of the attacker?

HINT: The attacker only made one request to the web server.

Reveal Flag 🚩

🚩10.10.249.191

What is the name of the important list that the attacker stole from Santa?

Reveal Flag 🚩

🚩santaslist.txt

Look through the log files for the flag. The format of the flag is: THM{}

HINT: Using grep recursively allows you to quickly look through a bunch of log files for a value.

Reveal Flag 🚩

🚩THM{STOLENSANTASLIST}

Interested in log analysis? We recommend the Windows Event Logs room or the Endpoint Security Monitoring Module.

No answer needed

Task 8 [Day 3] OSINT Nothing escapes detective McRed

What is the name of the Registrar for the domain santagift.shop?

HINT: Check the who.is/whois website to find WHOIS information.

All the information you need can be found on https://who.is/whois/santagift.shop

Reveal Flag 🚩

🚩NAMECHEAP INC

Find the website's source code (repository) on github.com and open the file containing sensitive credentials. Can you find the flag?

HINT: Use the same search terms that Recon McRed used on github.com to find the leaked source code.

All the information you need can be found on https://github.com/muhammadthm/SantaGiftShop

Reveal Flag 🚩

🚩{THM_OSINT_WORKS}

What is the name of the file containing passwords?

HINT: Check the file containing sensitive credentials.

config.php contains several secrets in code that are publicly readable in source code:

Reveal Flag 🚩

🚩config.php

What is the name of the QA server associated with the website?

Reveal Flag 🚩

🚩qa.santagift.shop

What is the DB_PASSWORD that is being reused between the QA and PROD environments?

Reveal Flag 🚩

🚩S@nta2022

Check out this room if you'd like to learn more about Google Dorking!

No answer needed

Task 9 [Day 4] Scanning Scanning through the snow

What is the name of the HTTP server running on the remote host?

HINT: Try nmap -sV MACHINE_IP in the AttackBox.

Reveal Flag 🚩

🚩Apache

What is the name of the service running on port 22 on the QA server?

Reveal Flag 🚩

🚩ssh

What flag can you find after successfully accessing the Samba service?

HINT: It is located in the admins folder.

Reveal Flag 🚩

🚩{THM_SANTA_SMB_SERVER}

What is the password for the username santahr?

Reveal Flag 🚩

🚩santa25

If you want to learn more scanning techniques, we have a module dedicated to Nmap!

No answer needed