🎄 Advent of Cyber 4 (2022)

Get started with Cyber Security in 24 Days - learn the basics by doing a new, beginner-friendly security challenge every day leading up to Christmas.

Room Attributes

Subscription Required: False [Free]

Type: Walkthroughs

Difficulty: Easy

Tags: beginner, christmas, challenge, advent

Task 6 [Day 1] Frameworks Someone's coming to town!

Your task is to help the Elves solve a puzzle left for them to identify who is trying to stop Christmas. Click the View Site button at the top of the task to launch the static site in split view. You may have to open the static site in a new window and zoom in for a clearer view of the puzzle pieces.

Puzzle Solutions

Puzzle 1/3

Puzzle 2/3

Puzzle 3/3

Once you complete the puzzles, you'll be presented with a defaced site containing the flag and a calling card from the malicious actor:

Who is the adversary that attacked Santa's network this year?

🚩 The Bandit Yeti

What's the flag that they left behind?

🚩 THM{IT'S A Y3T1 CHR1$TMA$}

Looking to learn more? Check out the rooms on Unified Kill Chain, Cyber Kill Chain, MITRE, or the whole Cyber Defence Frameworks module!

No answer needed

Task 7 [Day 2] Log Analysis Santa's Naughty & Nice Log!

Ensure you are connected to the deployable machine in this task.

No answer needed

Use the ls command to list the files present in the current directory. How many log files are present?

HINT: The directory needs to be /home/elfmcblue. You can use cd to change to it: cd /home/elfmcblue

🚩 2

Elf McSkidy managed to capture the logs generated by the web server. What is the name of this log file?

HINT: You can use the ls command to list the files present in the directory.

🚩 webserver.log

Begin investigating the log file from question #3 to answer the following questions.

No answer needed

On what day was Santa's naughty and nice list stolen?

HINT: This answer is looking for a day in the week.

🚩 Friday

What is the IP address of the attacker?

HINT: The attacker only made one request to the web server.

🚩 10.10.249.191

What is the name of the important list that the attacker stole from Santa?

🚩 santaslist.txt

Look through the log files for the flag. The format of the flag is: THM{}

HINT: Using grep recursively allows you to quickly look through a bunch of log files for a value.

🚩 THM{STOLENSANTASLIST}

Interested in log analysis? We recommend the Windows Event Logs room or the Endpoint Security Monitoring Module.

No answer needed

Task 8 [Day 3] OSINT Nothing escapes detective McRed

What is the name of the Registrar for the domain santagift.shop?

HINT: Check the who.is/whois website to find WHOIS information.

All the information you need can be found on https://who.is/whois/santagift.shop

🚩 NAMECHEAP INC

Find the website's source code (repository) on github.com and open the file containing sensitive credentials. Can you find the flag?

HINT: Use the same search terms that Recon McRed used on github.com to find the leaked source code.

All the information you need can be found on https://github.com/muhammadthm/SantaGiftShop

🚩 {THM_OSINT_WORKS}

What is the name of the file containing passwords?

HINT: Check the file containing sensitive credentials.

config.php contains several hard-coded secrets that are publicly readable in the source code.

🚩 config.php

What is the name of the QA server associated with the website?

🚩 qa.santagift.shop

What is the DB_PASSWORD that is being reused between the QA and PROD environments?

🚩 S@nta2022

Check out this room if you'd like to learn more about Google Dorking!

No answer needed

Task 9 [Day 4] Scanning Scanning through the snow

What is the name of the HTTP server running on the remote host?

HINT: Try nmap -sV MACHINE_IP in the AttackBox.

🚩 Apache

What is the name of the service running on port 22 on the QA server?

🚩 ssh

What flag can you find after successfully accessing the Samba service?

HINT: It is located in the admins folder.

🚩 {THM_SANTA_SMB_SERVER}

What is the password for the username santahr?

🚩 santa25

If you want to learn more scanning techniques, we have a module dedicated to Nmap!

No answer needed
