
ayy lmao


TryHackMe's Advent of Cyber 6-8

Three-month hiatus aside, TryHackMe seemed like a better place to start than HackTheBox, and someone recommended I begin with the Advent of Cyber room they have. It's basically a box for beginners of any experience level, with 30 different tasks designed to be done one per day. Tasks 1-4 are Kali and VPN setup; the actual tasks start at 6.

Task 6: Inventory Management

Fairly barebones website. Click on the register button to make a fake account; it can be anything you like. Once you've created the account, log in and you'll be taken to the inventory submission page.
Bring up the inspector and find the cookies section. In this case there's only one, authid, which is also the answer to the first question.

The supporting material hints pretty strongly at base64 encoding, so we can take whatever we get in the value field for authid and paste it into a base64 decoder. In this case I have "bG9naW52NGVyOWxsMSFzcw%3D%3D" as my input string (the %3D%3D is just the URL-encoded form of the trailing ==), which gets us "loginv4er9ll1!ss" as the output. Since "login" is my username, I'm assuming the rest is the fixed part of the cookie. It's also the answer to the second question.

The supporting material also hints at setting your own cookie values. Since the value for the authid cookie is username + "v4er9ll1!ss", I'm assuming the value for mcinventory would be "mcinventoryv4er9ll1!ss". Using the same site as above to encode the string into base64, we get "bWNpbnZlbnRvcnl2NGVyOWxsMSFzcw==". Change the authid cookie's value to that, reload the page, and we're met with the Christmas Inventory Approval List. Here we can see that the third answer is "firewall".
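The cookie scheme above works because authid is nothing more than base64 of username plus a fixed suffix, so anyone who knows the suffix can mint a cookie for any user. The following is an added example (my own code, not part of the TryHackMe room) that reproduces the decode/encode steps with the post's own cookie values, and then shows the hardened form a defender would want: the same username bound to an HMAC tag under a server-side key, so that swapping the username without the key fails verification. The key, the `|` separator and all function names are my assumptions.

```python
import base64
import hashlib
import hmac
from typing import Optional
from urllib.parse import unquote

# Values taken from the post: the fixed suffix and the observed authid cookie.
FIXED_SUFFIX = "v4er9ll1!ss"
OBSERVED_AUTHID = "bG9naW52NGVyOWxsMSFzcw%3D%3D"


def decode_authid(cookie_value: str) -> str:
    """Undo the browser's URL encoding (%3D -> '=') and then base64."""
    return base64.b64decode(unquote(cookie_value)).decode()


def encode_authid(username: str, suffix: str = FIXED_SUFFIX) -> str:
    """Rebuild an authid value the way the room's site does: unsigned base64."""
    return base64.b64encode((username + suffix).encode()).decode()


def split_authid(cookie_value: str, suffix: str = FIXED_SUFFIX) -> str:
    """Return the username embedded in an unsigned authid cookie."""
    decoded = decode_authid(cookie_value)
    if not decoded.endswith(suffix):
        raise ValueError("unexpected cookie layout")
    return decoded[: -len(suffix)]


# --- hardened variant (assumed design, not something the room provides) ---
# A server-side secret; a real deployment loads this from configuration.
SERVER_KEY = b"example-server-secret-do-not-reuse"


def make_signed_authid(username: str, key: bytes = SERVER_KEY) -> str:
    """username|HMAC-SHA256(key, username), base64 encoded."""
    tag = hmac.new(key, username.encode(), hashlib.sha256).hexdigest()
    return base64.b64encode(f"{username}|{tag}".encode()).decode()


def verify_signed_authid(cookie_value: str, key: bytes = SERVER_KEY) -> Optional[str]:
    """Return the username if the tag matches, else None (malformed or tampered)."""
    try:
        payload = base64.b64decode(unquote(cookie_value)).decode()
        username, tag = payload.rsplit("|", 1)
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    expected = hmac.new(key, username.encode(), hashlib.sha256).hexdigest()
    return username if hmac.compare_digest(tag, expected) else None


def tamper_username(cookie_value: str, new_username: str) -> str:
    """Keep the old tag, swap the username: the analogue of the authid trick."""
    payload = base64.b64decode(unquote(cookie_value)).decode()
    _, tag = payload.rsplit("|", 1)
    return base64.b64encode(f"{new_username}|{tag}".encode()).decode()


if __name__ == "__main__":
    print(decode_authid(OBSERVED_AUTHID))          # loginv4er9ll1!ss
    print(split_authid(OBSERVED_AUTHID))           # login
    print(encode_authid("mcinventory"))            # bWNpbnZlbnRvcnl2NGVyOWxsMSFzcw==
    signed = make_signed_authid("login")
    print(verify_signed_authid(signed))            # login
    print(verify_signed_authid(tamper_username(signed, "mcinventory")))  # None
```

The unsigned version has no check at all, which is why editing the cookie in the inspector is enough. With the signed version the server only trusts a username whose tag it can recompute itself, and `hmac.compare_digest` keeps the comparison constant-time.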

Learned: cookies, base64 encoding

Task 7: Arctic Forum

To start off, here's what the page for this task looks like:
Unlike the last task, there's no register option. I also tried a few obvious user/pass combos (like 'username' and 'password') to see if they worked; no dice.

The supporting material has you use DirSearch, an open-source Python tool that combs through a website using a wordlist, which is also provided. Running the command takes a while, but eventually you end up with a list of pages the tool managed to find, one of them being /sysadmin, which is the answer to the first question.

If you visit it and take a look through the page, there's a comment telling you to visit the Arctic Digital Design GitHub. Go there and it'll bring you to a page with the default username and password (second answer) for the software the site runs.
After logging in with the default user/pass, the third answer is revealed: bring your own eggnog!
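A wordlist run like the one above is very loud from the server's side: one client, a burst of requests, almost all of them 404s. As an added example (my own code, not from the room or from DirSearch), here is the detection logic a defender would run over web server access logs to spot that pattern. The log lines are constructed samples in Apache/nginx combined format; the threshold, window and `/sysadmin` hit are illustrative choices.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample access log (not from the room). 10.0.0.9 walks a wordlist
# and eventually finds /sysadmin; 10.0.0.5 is an ordinary visitor with two typos.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Dec/2019:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [03/Dec/2019:10:00:02 +0000] "GET /admin HTTP/1.1" 404 153 "-" "python-requests/2.22"
10.0.0.9 - - [03/Dec/2019:10:00:02 +0000] "GET /backup HTTP/1.1" 404 153 "-" "python-requests/2.22"
10.0.0.9 - - [03/Dec/2019:10:00:03 +0000] "GET /config HTTP/1.1" 404 153 "-" "python-requests/2.22"
10.0.0.5 - - [03/Dec/2019:10:00:04 +0000] "GET /about HTTP/1.1" 404 153 "-" "Mozilla/5.0"
10.0.0.9 - - [03/Dec/2019:10:00:03 +0000] "GET /old HTTP/1.1" 404 153 "-" "python-requests/2.22"
10.0.0.9 - - [03/Dec/2019:10:00:04 +0000] "GET /uploads HTTP/1.1" 404 153 "-" "python-requests/2.22"
10.0.0.9 - - [03/Dec/2019:10:00:05 +0000] "GET /test HTTP/1.1" 404 153 "-" "python-requests/2.22"
10.0.0.9 - - [03/Dec/2019:10:00:06 +0000] "GET /sysadmin HTTP/1.1" 200 2048 "-" "python-requests/2.22"
10.0.0.5 - - [03/Dec/2019:10:05:00 +0000] "GET /contact HTTP/1.1" 404 153 "-" "Mozilla/5.0"
this line is not a valid log record
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one combined-format line; return None for anything malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def detect_enumeration(lines, threshold: int = 5,
                       window: timedelta = timedelta(seconds=60)) -> Dict[str, List[str]]:
    """Flag IPs with at least `threshold` 404s inside any sliding time window.

    Returns {ip: [paths that 404'd]} for each flagged client.
    """
    misses = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 404:
            misses[rec["ip"]].append((rec["ts"], rec["path"]))

    flagged: Dict[str, List[str]] = {}
    for ip, events in misses.items():
        events.sort()  # logs are not guaranteed to be in time order
        start = 0
        for end in range(len(events)):
            # shrink the window from the left until it spans <= `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = [path for _, path in events]
                break
    return flagged


if __name__ == "__main__":
    for ip, paths in detect_enumeration(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {len(paths)} not-found requests, e.g. {paths[:3]}")
```

The sliding window matters: a visitor who mistypes a URL twice in five minutes should not trip the rule, while a scanner that produces six misses in four seconds should. In practice you would also weight by user agent and by the ratio of 404s to total requests, but the window count alone already separates the two clients in the sample.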

I also had a lot of issues connecting to THM during this (extremely annoying); if anyone else is having connection issues, just generate a new ovpn file.

Learned: dictionary brute forcing, default user/pass combos

Task 8: Evil Elf

Instead of a web server to deploy, this time all you have is a download button for a packet capture (pcap) file. This one is more follow-the-instructions than the other tasks.
Open the pcap file in Wireshark, then find packet number 998 and read the destination IP for the first answer.

Filtering the packets by telnet and following the TCP stream, you see that the source sent two commands to the destination and received text back. The first command puts 'ps4' into christmas_list.txt, which is the second answer.

The source also received text back from the server for the second command: the shadow file. In this case we're only interested in buddy's password; his shadow entry (hash included) is "$6$3GvJsNPG$ZrSFprHS13divBhlaKg1rYrYLJ7m1xsYRKxlLh0A1sUc/6SUd7UvekBOtSnSyBwk3vCDqBhrgxQpkdsNN6aYP1:18233:0:99999:7:::". The rest of the instructions can be found in the source material, but running Hashcat with the rockyou wordlist reveals the password to be 'rainbow'.

This one was a pretty cool task, felt like I was doing something that had the 'essence' of security. Wonder what the non-user entries in the shadow file were though - seems like applications? Why do they require an entry here?
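The shadow line above has more in it than the hash: `$6$` says sha512crypt (Hashcat mode 1800), `3GvJsNPG` is the salt, and `18233` is the day count since 1970-01-01 when the password was last changed. The non-user entries the post wonders about are system and service accounts; they get a row in /etc/shadow like everyone else, but with `*` or `!` in the password field so that no password can ever match. As an added example (my own code, not part of the room), here is a parser that breaks a shadow entry into those fields and lists what a defender would flag. buddy's line is copied from the post; the root and daemon lines are constructed, and root's hash is a placeholder rather than a real digest.

```python
from datetime import date, timedelta
from typing import Dict, List, Optional

# buddy's line is from the post; root and daemon are constructed examples
# (root's hash is a PLACEHOLDER, not a real sha512crypt digest).
SAMPLE_SHADOW = """\
root:$6$c0nstructed$PLACEHOLDERHASHNOTREAL:18200:0:99999:7:::
daemon:*:18100:0:99999:7:::
buddy:$6$3GvJsNPG$ZrSFprHS13divBhlaKg1rYrYLJ7m1xsYRKxlLh0A1sUc/6SUd7UvekBOtSnSyBwk3vCDqBhrgxQpkdsNN6aYP1:18233:0:99999:7:::
"""

# crypt(3) identifiers found between the first pair of '$' in the password field.
HASH_ALGOS = {
    "1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
    "5": "sha256crypt", "6": "sha512crypt", "7": "scrypt", "y": "yescrypt",
}
WEAK_ALGOS = {"md5crypt", "descrypt"}
EPOCH = date(1970, 1, 1)


def describe_password_field(pw: str) -> Dict[str, Optional[str]]:
    """Classify the second shadow field: empty, locked, or which hash type."""
    if pw == "":
        return {"state": "empty", "algorithm": None, "salt": None}
    if pw.startswith("*"):
        # '*' means "no valid hash": the usual marker for system/service
        # accounts that exist to own files and processes, not to log in.
        return {"state": "locked", "algorithm": None, "salt": None}
    # A leading '!' is an account locked with passwd -l; a real hash may follow it.
    locked = pw.startswith("!")
    body = pw.lstrip("!")
    if body == "":
        return {"state": "locked", "algorithm": None, "salt": None}
    if body.startswith("$"):
        parts = body.split("$")  # '$6$salt$hash' -> ['', '6', 'salt', 'hash']
        algo = HASH_ALGOS.get(parts[1], f"unknown (${parts[1]}$)")
        # Only the classic $id$salt$hash layout keeps the salt in that slot;
        # bcrypt and yescrypt put cost parameters there instead.
        salt = parts[2] if parts[1] in ("1", "5", "6") and len(parts) >= 4 else None
    else:
        algo, salt = "descrypt", body[:2]  # 13-char traditional DES crypt
    return {"state": "locked" if locked else "active", "algorithm": algo, "salt": salt}


def parse_shadow_entry(line: str) -> Dict[str, object]:
    """Split one /etc/shadow line into named, typed fields."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError(f"expected 9 colon-separated fields, got {len(fields)}")
    name, pw, lastchg, minage, maxage, warn, _inactive, expire, _reserved = fields
    entry: Dict[str, object] = {"name": name}
    entry.update(describe_password_field(pw))
    # Fields 3 and 8 are day counts since the Unix epoch, not timestamps.
    entry["last_change"] = EPOCH + timedelta(days=int(lastchg)) if lastchg else None
    entry["expires"] = EPOCH + timedelta(days=int(expire)) if expire else None
    entry["min_age_days"] = int(minage) if minage else None
    entry["max_age_days"] = int(maxage) if maxage else None
    entry["warn_days"] = int(warn) if warn else None
    return entry


def audit_shadow(text: str) -> List[Dict[str, object]]:
    return [parse_shadow_entry(line) for line in text.splitlines() if line.strip()]


def findings(entries: List[Dict[str, object]]) -> List[str]:
    """What a defender would flag when reviewing a shadow file."""
    out: List[str] = []
    for e in entries:
        if e["state"] == "empty":
            out.append(f"{e['name']}: empty password field")
        elif e["state"] == "active" and e["algorithm"] in WEAK_ALGOS:
            out.append(f"{e['name']}: weak hash type {e['algorithm']}")
        if e["state"] == "active" and e["max_age_days"] == 99999:
            out.append(f"{e['name']}: password never expires")
    return out


if __name__ == "__main__":
    entries = audit_shadow(SAMPLE_SHADOW)
    for e in entries:
        print(e["name"], e["state"], e["algorithm"], e["salt"], e["last_change"])
    print(findings(entries))
```

Cracking buddy's hash with a wordlist works because sha512crypt with a dictionary word is cheap to guess, not because the hash format is broken; the defender-side equivalents are the checks in `findings`, plus rejecting wordlist passwords at the point where they are set.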

Learned: network capture, wireshark, shadow file
