DEV Community: Mochammad Farros Fatchur Roji

Computer Types | TryHackMe Write-up

Mochammad Farros Fatchur Roji — Sat, 21 Mar 2026 00:00:00 +0000

This is my write-up for the TryHackMe room on Computer Types. Written in 2026, I hope this write-up helps others learn and practice cybersecurity.

Task 1: Introduction

Sophia discovers that computers are not limited to traditional laptops and phones; they are also hidden inside everyday objects like smart refrigerators. The goal of this section is to help you identify and differentiate between direct-use computers (laptops, smartphones) and indirect ones (servers, IoT devices, embedded systems) based on their purposes.

Ready to find the hidden computers?

No answer needed

Task 2: Sophia’s Summer of Hidden Computers – Month 1

Sophia learns that computers are built differently depending on their intended use. Laptops offer portability but struggle with sustained performance due to cooling limitations. Desktops provide steady, sustained performance at a fixed location. Workstations are specialized for precision and reliability in professional tasks. Finally, Servers operate entirely without screens or keyboards, running continuously to provide services to multiple users over a network.

Which computer type usually runs without a dedicated screen and keyboard?

Server

What kind of computer with specialized components would one buy to carry out precision work?

Workstation

Task 3: Sophia’s Summer of Hidden Computers – Month 2

Millions of computers hide in plain sight inside everyday objects. Smartphones are the most popular pocket-sized computers, while tablets offer a touch-first experience. The main difference between IoT and Embedded systems is connectivity: IoT devices (like smart doorbells) connect to a network for single-purpose tasks, whereas embedded computers (found inside coffee machines or automatic doors) operate silently inside a machine and often never connect to the internet.

What is the currently most popular pocket-sized computer?

Smartphone

What kind of computer would you expect to find in a coffee machine?

Embedded computer

Task 4: Why Computers Come in Different Flavors

Computers come in different types because every design involves trade-offs. Making a device mobile means sacrificing sustained power, while making a system highly reliable increases the cost due to redundancy (extra power supplies and disks). There is no single "best" computer; the design is entirely shaped by its specific purpose.

Go through the attached static site and get the flag.

Workstation: edit 4K video all day.
Server: Host a website 24/7.
Embedded: Ring when button pressed.

Why do laptops throttle more than desktops?

Less cooling space

What does server redundancy prevent?

Single point of failure

Why do smartphones last longer on battery than laptops?

Optimized for efficiency

Which feature is more common in workstations?

ECC RAM and certified drivers

In many smart homes, what coordinates devices?

Hub or cloud service

THM{8_computer_types}

Task 5: Summary

Sophia concludes her internship by realizing that computers are everywhere, often running silently in the background to keep daily life functioning (like opening doors or flying planes). The module covered eight distinct types of computers and the specific trade-offs involved in choosing the right tool for a given job.

Room complete!

No answer needed

Thanks for reading. See you in the next lab.

Exploring Medusa JS for Scalable B2B Commerce

Mochammad Farros Fatchur Roji — Sat, 07 Feb 2026 23:03:00 +0000

Why I’m Looking Beyond Traditional Platforms

When building a B2B e-commerce platform , the challenges are usually not about themes or plugins, but about architecture :

Custom pricing logic2
Flexible product structures
Integration with internal systems
Scalability without vendor lock-in

Popular platforms like Magento are mature and powerful, but also come with complexity and operational overhead. For newer projects where flexibility and long-term maintainability matter, I started exploring Medusa JS.

What Is Medusa JS?

Medusa JS is an open-source, headless commerce backend. Conceptually, it sits in a similar space to Shopify—but instead of a hosted SaaS, Medusa is self-hosted and API-first.

In practice, this means:

You own the backend
You control the data
You design the frontend freely

This makes it particularly interesting for custom B2B workflows.

Architecture Overview

At a high level, the setup looks like this:

Backend : Medusa JS (Node.js)
Database : PostgreSQL
Frontend : Next.js (or any framework consuming APIs)
Optional : Redis for caching and background jobs

The backend exposes clean APIs, while business logic is organized into services, entities, subscribers, and plugins. From an architectural standpoint, this separation is a big plus for long-term maintenance.

Early Observations (Pros & Cons)

What Looks Promising

JavaScript-first stack : Easier onboarding for modern web teams
API-driven design : Clean separation between frontend and backend
Modular extensibility : Plugins and custom services feel natural
PostgreSQL as a core dependency : Solid choice for transactional systems

Things to Be Careful About

The ecosystem is still young compared to Magento
Documentation is good, but real-world examples are limited
Requires more architectural decisions upfront
Not ideal for teams looking for a “click-and-deploy” solution

Current Status: Testing & Validation

Right now, I’m still in the early-stage testing phase , running Medusa on a VPS and validating:

Deployment stability
Data modeling for B2B use cases
Integration patterns with a custom frontend
Operational complexity in real environments

This is not about replacing mature platforms blindly, but about understanding where Medusa fits best.

Final Thoughts

Medusa JS is not a silver bullet , but for teams that:

need full control,
value open-source,
and are comfortable designing their own architecture,

…it’s a very compelling option.

I’ll be sharing more findings once the testing phase progresses.

Resources

Docs & Quick Start: https://docs.medusajs.com
GitHub: https://github.com/medusajs/medusa

n8n: CVE-2025-68613 | TryHackMe Write-Up

Mochammad Farros Fatchur Roji — Thu, 25 Dec 2025 00:00:00 +0000

Here i want to share about my write-up for the room n8n: CVE-2025-68613, Learn how adversaries can exploit the CVE-2025-68613 vulnerability in n8n. Hope it is useful for learning about cybersecurity.

Task 1: Introduction

CVE-2025-68613 is a critical vulnerability (CVSS 9.9) in the n8n workflow automation platform, published in December 2025. This vulnerability is a Remote Code Execution (RCE) flaw found in the workflow expression evaluation system, affecting versions 0.211.0 through 1.120.3. It allows authenticated attackers to execute system-level commands by injecting malicious JavaScript code. Users are strongly advised to update to patched versions (1.120.4, 1.121.1, or 1.122.0) to secure their instances.

Let’s dive into the technical details.

No answer needed

Task 2: Technical Background

n8n is built on Node.js and uses an Expression Evaluation System to process dynamic user input wrapped in {{ }}. The vulnerability exists because this system lacks proper sandboxing. An attacker can escape the intended context by using this to access the global Node.js object. The exploit chain typically involves accessing this.process.mainModule, loading the child_process module via require(), and finally executing system commands (e.g., execSync('id')). This demonstrates a fundamental breach of security boundaries where user expressions gain access to the underlying runtime environment.

In this exploit, what is the name of the module that allowed us to execute system commands?

child_process

Task 3: Exploitation

To exploit this vulnerability, an attacker logs into the n8n dashboard (e.g., using tryhackme@thm.local) and creates a new workflow. The method involves adding a "Manual Trigger" connected to an "Edit Fields (Set)" node. Inside the "Edit Fields" node, the attacker adds a new field and pastes the malicious JavaScript payload (containing the sandbox escape code) into the value field. Upon clicking "Execute step," the code runs on the server, and the output of the system command (such as the id command) is displayed in the interface.

Landing page after logging into the n8n dashboard.

Creating a new workflow by selecting Start from scratch.

Choosing Manual Trigger as the first workflow step.

Adding the Edit Fields (Set) node to the workflow.

Injecting the malicious JavaScript expression into a new field.

Executing the workflow step to trigger server-side command execution.

Successful execution of the id command, confirming RCE.

Reading the flag file (flag.txt) directly from the server.

What is the flag?

THM()

Task 4: Detection

Since n8n's native logging is limited, detection is best achieved by using a proxy (like Nginx) to log web request bodies. Security teams can use Sigma rules to scan these logs for specific patterns in POST requests to /rest/workflows, looking for keywords like this.process.mainModule, execSync, and child_process. Additionally, it is critical to monitor the operating system for suspicious process creation events—such as reverse shells or reconnaissance commands—to identify post-exploitation activity.

Depending on your environment, ensure that your security solutions are detecting threats targeting your web applications and infrastructure.

No answer needed

Task 5: Conclusion

This vulnerability highlights the severe risks associated with insecure expression evaluation and flawed trust boundaries between user input and the application runtime. Understanding this exploit helps in developing better detection strategies that focus on context escalation patterns. The most effective mitigation is to ensure the n8n server is upgraded to a secure, patched version immediately.

If you enjoyed this room, consider checking other rooms in the Recent Threats module.

No answer needed

Splunk | Advent of Cyber 2025 Day 3 Write-Up

Mochammad Farros Fatchur Roji — Sun, 21 Dec 2025 21:31:00 +0000

Here i want to share about my write-up for the room Splunk | Advent of Cyber 2025 (Day 3).

Here is the extracted material formatted according to your requirements.

Task 1: Introduction

The story begins in Wareville, where The Best Festival Company (TBFC) is preparing for Christmas. However, a ransom message from King Malhare appears, threatening to turn the holiday into "EAST-mas." With the network under attack and McSkidy missing, the SOC team must utilize Splunk to investigate the ransomware infiltration and stop the plan.

The learning objectives for this task include ingesting custom log data, creating field extractions, using Search Processing Language (SPL), and conducting a forensic investigation. The environment contains a pre-configured Splunk instance with the necessary logs.

I successfully have access to the Splunk instance!

No answer needed

Task 2: Log Analysis with Splunk

In this task, we investigate the incident using two pre-ingested datasets: web_traffic (web server logs) and firewall_logs (traffic allowed/blocked). The investigation process follows these steps:

Initial Triage: querying index=main reveals a massive spike in traffic. Using timechart, we can pinpoint the exact day of the attack.
Anomaly Detection: Analyzing the user_agent field shows suspicious tools (unlike standard Mozilla/Chrome browsers). Filtering out benign traffic reveals a single attacker IP address.
Tracing the Attack Chain:

Reconnaissance: The attacker used tools like curl and wget to probe for configuration files (e.g., /.env, /.git).
Enumeration: Path traversal attempts (../../) were detected to access system files.
Exploitation: SQL Injection attacks were identified via user agents like sqlmap and Havij.
Exfiltration: Large files (backup.zip, logs.tar.gz) were downloaded.
Ransomware Staging: A web shell (shell.php) was used to execute a ransomware binary (bunnylock.bin), confirming Remote Code Execution (RCE).

C2 Correlation: By pivoting to firewall_logs, we confirmed the compromised server (10.10.1.5) established an outbound connection to the attacker's IP, transferring a significant volume of data.

What is the attacker IP found attacking and compromising the web server?

index=main sourcetype=web_traffic

198.51.100.55

Which day was the peak traffic in the logs?

index=main sourcetype=web_traffic

2025-10-12

What is the count of Havij user_agent events found in the logs?

index=main sourcetype=web_traffic user_agent=Havij

993

How many path traversal attempts to access sensitive files on the server were observed?

index=main sourcetype=web_traffic path="../../"

658

Examine the firewall logs. How many bytes were transferred to the C2 server IP from the compromised web server?

index=main sourcetype=firewall_logs action=ALLOWED| stats sum(bytes_transferred)

126167

If you enjoyed today's room, check out the Incident Handling With Splunk room to learn more about analyzing logs with Splunk.

No answer needed

Phising | Advent of Cyber 2025 Day 2 Write-Up

Mochammad Farros Fatchur Roji — Sun, 21 Dec 2025 06:35:00 +0000

Here i want to share about my write-up for the room Phising | Advent of Cyber 2025 (Day 2).

Task 1: Introduction

This section introduces the scenario: The Best Festival Company (TBFC) has faced security threats, prompting a Red Team assessment. You are working with "Recon McRed" and others to execute a phishing campaign to test employee diligence. The objective is to learn about social engineering, types of phishing, creating fake login pages, and using the Social-Engineer Toolkit. This task also involves initializing the necessary AttackBox and Target VM environments.

I have successfully started the AttackBox and the target machine!

No answer needed

Task 2: Phishing Exercise for TBFC

This task dives into the mechanics of social engineering and phishing. It defines Social Engineering as manipulating humans into making security mistakes by exploiting psychology (urgency, curiosity, authority), and Phishing as a subset of this using communication mediums like email.

The task outlines the S.T.O.P. method for defense (Suspicious, Telling, Offering, Pushing) and guides the user through a Red Team attack simulation:

Building the Trap: A fake TBFC login page script (server.py) is provided. When run, it hosts a web server on port 8000 to capture credentials.
Delivery: Using the Social-Engineer Toolkit (SET) (setoolkit), the attacker configures a "Mass Mailer Attack".
Configuration: The email is spoofed to look like it comes from "Flying Deer" (updates@flyingdeer.thm) and is sent to factory@wareville.thm via the internal SMTP server. The body contains the link to the malicious server (http://<IP>:8000).
Exploitation: Once the target clicks the link and logs in, the credentials are captured in the attacker's terminal.

What is the password used to access the TBFC portal?

unranked-wisdom-anthem

Browse to http://10.49.171.168 from within the AttackBox and try to access the mailbox of the factory user to see if the previously harvested admin password has been reused on the email portal. What is the total number of toys expected for delivery?

1984000

If you enjoyed today's room, feel free to check out the Phishing Prevention room.

No answer needed

Linux CLI | Advent of Cyber 2025 Day 1 Write-Up

Mochammad Farros Fatchur Roji — Sat, 20 Dec 2025 15:40:00 +0000

Here i want to share about my write-up for the room Linux CLI | Advent of Cyber 2025 (Day 1).

Task 1: Introduction

The narrative begins with the kidnapping of McSkidy, leaving Wareville's defenses vulnerable to King Malhare. The investigation centers on tbfc-web01 , a Linux server responsible for processing Christmas wishlists. The goal is to use the Linux command-line interface (CLI) to find clues about the attack. Users are instructed to start the attached virtual machine and can connect via the browser-based split view or SSH using the provided credentials (mcskidy / AoC2025!).

I have successfully started my virtual machine!

No answer needed

Task 2: Linux CLI

This task provides a crash course in using the Linux CLI for investigation.

Basic Commands & Navigation:

echo "text" : Prints text to the terminal.
ls : Lists directory contents.
cat filename : Displays the contents of a file.
cd Directory : Changes the current directory.
Hidden Files : Files starting with a dot (e.g., .guide.txt) are hidden. They can be viewed using ls -la.

Investigation Steps:

Grepping Logs: The guide instructs users to look into /var/log/ for security events. The grep command is used to filter large log files, specifically looking for "Failed password" in auth.log to identify unauthorized login attempts.
Finding Files: The find command (e.g., find /home/socmas -name *egg*) is used to locate specific files, revealing a malicious script named eggstrike.sh.
Analyzing Scripts: The malicious script utilizes special shell features:

Pipe (|): Sends the output of one command to another (e.g., sort | uniq).
Redirect (>): Overwrites a file with output.
Logic (&&): Runs the next command only if the previous one succeeds.

System Administration:

Root User : The superuser with full permissions. Users can switch to root using sudo su and verify their identity with whoami.
Bash History : A history of executed commands is stored in .bash_history. Checking the root user's history reveals the attacker's activities, including the flag.

Which CLI command would you use to list a directory?

ls

Complete on machine

THM{}

Which command helped you filter the logs for failed logins?

grep

Complete on machine

THM{}

Which command would you run to switch to the root user?

sudo su

Finally, what flag did Sir Carrotbane leave in the root bash history?

THM{}

For those who consider themselves intermediate and want another challenge, check McSkidy's hidden note in /home/mcskidy/Documents/ to get access to the key for Side Quest 1! Accessible through our Side Quest Hub!

No answer needed

Enjoyed investigating in a Linux environment? Check out our Linux Logs Investigations room for more like this!

No answer needed

Advent of Cyber Prep Track | TryHackMe Write-Up

Mochammad Farros Fatchur Roji — Sat, 20 Dec 2025 00:00:00 +0000

Here i want to share about my write-up for the room Advent of Cyber Prep Track. Get ready for the Advent of Cyber 2025 with the "Advent of Cyber Prep Track", a series of warm-up tasks aimed to get beginners ready for this year's event.

Task 1: Welcome to Advent of Cyber 2025

This task introduces the Advent of Cyber 2025 event. The story is set in Wareville, where the "SOC-mas" tradition is threatened by King Malhare. The event features daily beginner-friendly security challenges. Participants can win from a $150,000 prize pool (including MacBooks, iPhones, and Flipper Zeros) by completing rooms by December 31, 2025. Strict rules prohibit cheating, bot usage, and attacking other users or infrastructure. A certificate is awarded for completing all rooms.

Got it!

No answer needed

Task 2: How to use TryHackMe

This section explains the technical interface of TryHackMe. It details how to use the "AttackBox" (a web-based Ubuntu VM) and how to deploy standard Virtual Machines (VMs) for tasks. It covers the split-screen view feature, direct links for specific tools, and alternative connection methods using OpenVPN or direct remote connections (RDP/SSH/VNC) when credentials are provided.

Got it!

No answer needed

Task 3: Join our community

This task encourages participants to join the TryHackMe social channels for updates and support. It highlights the Discord server (with over 326,000 members) as the main hub for connecting with other hackers and getting help. Links are provided for LinkedIn, X (Twitter), Instagram, Facebook, Reddit, and TikTok. It also mentions available Advent of Cyber swag.

Got it!

No answer needed

Task 4: Introduction

The narrative begins with snow falling in Wareville at The Best Festival Company (TBFC). Systems are glitching due to suspected interference by King Malhare. Before the main event starts, users are tasked with 10 short "warm-up" missions to practice essential cybersecurity skills. The interface instruction explains how to use the "View Site" button to open challenges in split-screen.

Warm me up!

No answer needed

Task 5: Challenge 1 — Password Pandemonium

McSkidy's workstation has flagged weak passwords. This challenge focuses on the importance of strong passwords as a defense mechanism. The objective is to create a secure password that meets specific criteria: at least 12 characters, including uppercase, lowercase, numbers, and symbols, and ensuring it does not appear in a breach database.

What's the flag?

THM(REDACTED)

Task 6: Challenge 2 — The Suspicious Chocolate.exe

A mysterious USB labeled "SOCMAS Party Playlist" contains a suspicious file named chocolate.exe. This task simulates using a malware analysis tool (like VirusTotal). The user must scan the file to review its report and determine if it is safe or malicious based on the scan results.

What's the flag?

THM(REDACTED)

Task 7: Challenge 3 — Welcome to the AttackBox

This task introduces the AttackBox environment and the command line interface (CLI). It emphasizes that defenders must be comfortable with the CLI. The objective is to use basic Linux commands: ls to list files, cd to navigate directories, and cat to read a text file named welcome.txt to find the hidden message.

What's the flag?

THM(REDACTED)

Task 8: Challenge 4 — The CMD Conundrum

McSkidy's workstation shows signs of tampering with logs wiped and strange folders created. The task focuses on using the Windows Command Prompt to investigate. The user is required to use the dir command to list files and specifically dir /a to reveal hidden files, then use type to read the content of a hidden flag file.

What's the flag?

THM(REDACTED)

Task 9: Challenge 5 — Linux Lore

Delivery drones are glitching, and an investigation points to a login from a Linux server. This challenge highlights the importance of navigating Linux filesystems. The objective is to find a hidden message in McSkidy’s home directory by entering the folder and using ls -la to reveal hidden "dotfiles" (like .secret_message).

What's the flag?

THM(REDACTED)

Task 10: Challenge 6 — The Leak in the List

There are rumors of a data leak at TBFC. This task simulates using a breach checking tool (similar to Have I Been Pwned). The objective is to check McSkidy’s email address (mcskidy@tbfc.com) against a database to see if the account has been compromised in any known data breaches.

What's the flag?

THM(REDACTED)

Task 11: Challenge 7 — WiFi Woes in Wareville

Drones are behaving erratically because someone logged into the company router using default credentials. This task emphasizes the security risk of leaving default passwords active. The user must log into the router using admin/admin, navigate to security settings, and update the password to a secure one.

What's the flag?

THM(REDACTED)

Task 12: Challenge 8 — The App Trap

McSkidy's social account is posting strange messages due to a suspicious third-party application. The task teaches how to manage and review app permissions to prevent data leaks. The objective is to identify a connected app with excessive permissions (such as access to a password vault) and revoke its access.

What's the flag?

THM(REDACTED)

Task 13: Challenge 9 — The Chatbot Confession

The AI assistant, FestiveBot, has been leaking internal secrets. This task focuses on the risks of AI oversharing sensitive data. The user must review the chatbot's conversation history to identify specific lines where the bot revealed private information, such as internal URLs or passwords.

What's the flag?

THM(REDACTED)

Task 14: Challenge 10 — The Bunny’s Browser Trail

Web servers are experiencing heavy traffic with a suspicious log entry. This task introduces log analysis and "User Agent" strings. The user needs to review HTTP logs to distinguish between standard browser traffic (Chrome, Firefox, Edge) and identifying a suspicious entry coming from "BunnyOS".

What's the flag?

THM(REDACTED)

Task 15: The Finish Line

This final task wraps up the Prep Track. It confirms that the user has completed the warm-up challenges, covering topics from Linux CLI to Prompt Injection. The user is now familiar with the key tools needed for the main event and is ready to participate in Advent of Cyber 2025 to help save SOC-mas.

Bring on Advent of Cyber 2025!

No answer needed

Threat Modelling | TryHackMe Write-Up

Mochammad Farros Fatchur Roji — Wed, 17 Dec 2025 00:00:00 +0000

Here i want to share about my write-up for the room Threat Modelling (Premium Room), building cyber resiliency and emulation capabilities through threat modelling.. I wrote this in 2025 and hope it is useful for learning about cybersecurity.

Task 1: Introduction

Threat modelling is a proactive approach to identifying vulnerabilities, prioritising threats, and implementing security measures to safeguard critical assets. In the modern cyber security landscape, relying solely on reactive measures is insufficient against sophisticated threat actors.

Learning Objectives:

Understand the significance of threat modelling for organisational resiliency.
Learn the fundamentals of modelling significant threats.
Explore frameworks such as MITRE ATT&CK , DREAD , STRIDE , and PASTA.

Prerequisites: It is recommended to have knowledge of Threat Emulation and Principles of Security before starting this module.

Let's start modelling threats!

No answer needed

Task 2: Threat Modelling Overview

What is Threat Modelling? It is a systematic approach to identifying, prioritising, and addressing potential security threats. By simulating attack scenarios and assessing vulnerabilities, organisations can reduce risk exposure and allocate resources effectively.

Key Definitions (The "House" Analogy):

Threat: Potential occurrence or actor (e.g., a burglar).
Vulnerability: A weakness or flaw (e.g., broken locks).
Risk: The likelihood of compromise (e.g., living in a high-crime area).

High-Level Process:

Define Scope: Identify systems/networks.
Asset Identification: Diagram architecture and identify critical data.
Identify Threats: pinpoint potential attacks (cyber, physical, social engineering).
Analyse Vulnerabilities & Prioritise Risks: Assess impact and likelihood.
Countermeasures: Design and implement controls.
Monitor & Evaluate: Continuously test effectiveness.

Attack Trees:

An attack tree is a graphical representation used to analyse threats. The root node represents the attacker's goal (e.g., "Gain unauthorised access"), while branches represent the techniques and paths used to achieve that goal.

What is a weakness or flaw in a system, application, or process that can be exploited by a threat?

vulnerability

Based on the provided high-level methodology, what is the process of developing diagrams to visualise the organisation's architecture and dependencies?

Asset Identification

What diagram describes and analyses potential threats against a system or application?

attack tree

Task 3: Modelling with MITRE ATT&CK

The Framework: The MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) framework is a global knowledge base of adversary behaviour. It is organised into a matrix of Tactics (high-level objectives) and Techniques (methods used).

Components of a Technique Page:

Description: Details of the technique.
Procedure Examples: Real-world usage by threat actors.
Mitigations: Recommended security measures.
Detections: Strategies/indicators to identify the technique.

Integration into Threat Modelling: MITRE ATT&CK is mapped after the "Identify Threats" phase. By mapping threats to specific ATT&CK techniques, security teams can derive specific mitigations and detection strategies. It aids in developing threat scenarios, identifying attack paths, and prioritising vulnerability remediation based on real-world threat group data.

What is the technique ID of "Exploit Public-Facing Application"?

T1190

Under what tactic does this technique belong?

Initial Access

Task 4: Mapping with ATT&CK Navigator

ATT&CK Navigator: This is an open-source, web-based tool designed to visualise and navigate the MITRE ATT&CK matrix. It allows users to create custom layers to map techniques relevant to their specific environment.

Key Features:

Selection Controls: Search and select techniques by keywords, threat groups (e.g., APT41), or software.
Layer Controls: Filter by platform (Windows, Linux, etc.), sort, and export data (JSON, Excel, SVG).
Technique Controls: Annotate specific techniques with scores, background colours, comments, and metadata to highlight risks.

Scenario: In a financial services context using GCP and web apps, an analyst can map threat groups like APT28 or FIN7 to the matrix. This helps prioritise critical vulnerabilities such as Exploit Public-Facing Application (T1190) or Data from Cloud Storage (T1530).

How many MITRE ATT&CK techniques are attributed to APT33?

31

Upon applying the IaaS platform filter, how many techniques are under the Discovery tactic?

13

Task 5: DREAD Framework

Overview: Developed by Microsoft, DREAD is a risk assessment model used for qualitative risk analysis. It prioritises threats based on the average score (1-10) of five categories.

The DREAD Categories:

Damage: How bad would the attack be? (e.g., data loss, downtime).
Reproducibility: How easy is it to reproduce the attack?
Exploitability: How much work/skill is required to launch the attack?
Affected Users: How many people are impacted?
Discoverability: How easy is it to find the vulnerability?

Guidelines: To reduce subjectivity, organisations should establish standardised scoring definitions, encourage team collaboration for scoring justification, and use DREAD alongside other methodologies.

What DREAD component assesses the potential harm from successfully exploiting a vulnerability?

Damage

What DREAD component evaluates how others can easily find and identify the vulnerability?

Discoverability

Which DREAD component considers the number of impacted users when a vulnerability is exploited?

Affected Users

Task 6: STRIDE Framework

Overview:** STRIDE is a threat modelling methodology used primarily in software development and system design. It identifies threats by categorising them into six types, each violating a specific aspect of the CIA Triad** (Confidentiality, Integrity, Availability) or related security policies.

The Categories:

Spoofing: Impersonating a user/system (Violates: Authentication).
Tampering: Modifying data/code (Violates: Integrity).
Repudiation: Denying actions due to lack of logging (Violates: Non-repudiation).
Information Disclosure: Unauthorised access to data (Violates: Confidentiality).
Denial of Service: Disrupting availability (Violates: Availability).
Elevation of Privilege: Gaining unauthorised access levels (Violates: Authorisation).

Implementation: The process involves decomposing the system, applying STRIDE categories to each component, assessing the risk, and developing specific countermeasures (e.g., using DMARC to prevent email spoofing).

What foundational information security concept does the STRIDE framework build upon?

CIA Triad

What policy does Information Disclosure violate?

Confidentiality

Which STRIDE component involves unauthorised modification or manipulation of data?

Tampering

Which STRIDE component refers to the disruption of the system's availability?

Denial of Service

Insecure web application search functionality leading to SQL injection.

Tampering
Information Disclosure

Insecure AWS Infrastructure (EC2, S3, RDS) without load balancers.

Information Disclosure
Denial of Service

Mail server with no logging enabled.

Spoofing

Unpatched employee workstations.

Tampering
Elevation of Privilages

Provide the flag for the simulated threat modelling exercise.

THM{_}

Task 7: PASTA Framework

Overview:** PASTA** (Process for Attack Simulation and Threat Analysis) is a risk-centric, seven-step framework. It aligns threat modelling with business objectives and technical requirements.

The Seven-Step Methodology:

Define Objectives: Establish scope and compliance requirements.
Define Technical Scope: Inventory assets and understand architecture.
Decompose Application: Map data flows, trust boundaries, and components.
Analyse Threats: Identify threat sources (internal/external).
Vulnerabilities Analysis: Scan for weaknesses (static analysis, pentesting).
Analyse Attacks: Simulate attack scenarios to verify risks.
Risk and Impact Analysis: Develop countermeasures based on risk tolerance.

Benefits: PASTA is highly adaptable, fosters collaboration between developers/architects/business stakeholders, and ensures security efforts directly support business goals.

In which step of the framework do you break down the system into its components?

Decompose the Application

During which step of the PASTA framework do you simulate potential attack scenarios?

Analyse the Attacks

In which step of the PASTA framework do you create an inventory of assets?

Define the Technical Scope

Process Flow Diagram

Strategic Planning
System Architecture
Software Development
Information Security
Strategic Planning

Quiz Questions and Answers

What should be the top priority for the online banking platform, as mentioned by the Business Analyst?

Protecting customers’ personal and financial data, securing transactions, and ensuring service availability.

According to the System Architect, what are the primary technical assets of the online banking system?

Amazon EC2, RDS, and S3 services

What components of the application did the Lead Developer highlight during the 'Decompose the Application' phase?

User registration, account management, fund transfers, bill payments, and account statements

According to the Security Engineer, which type of threat is NOT considered for the online banking platform?

Social engineering attacks

Which vulnerability was mentioned by the Security Engineer as a potential issue for the online banking platform?

Cloud Infrastructure Misconfigurations

According to the Security Engineer, which mitigation strategy does match the identified threats?

Account lockouts

In the "Risk and Impact Analysis" phase, what potential consequence of a successful attack was mentioned by the Business Analyst?

Financial loss and significant reputational damage

Provide the flag for the simulated threat modelling exercise.

THM{_}

Task 8: ConclusionWe have covered four distinct frameworks, each with unique applications

MITRE ATT&CK: Best for mapping real-world adversary tactics and testing existing controls.
DREAD: Best for numerical prioritisation of risks based on damage and exploitability.
STRIDE: Best for software development, focusing on categorising threats (Spoofing, Tampering, etc.).
PASTA: Best for a holistic, risk-centric approach that aligns with business objectives.

Leveraging these frameworks helps enhance threat awareness, prioritise mitigation, and improve overall organisational resilience.

I have completed the Threat Modelling room.

No answer needed

Threat Modelling | THM Write-Up

Mochammad Farros Fatchur Roji — Wed, 17 Dec 2025 00:00:00 +0000

Task 1: Introduction

Learning Objectives:

Understand the significance of threat modelling for organisational resiliency.
Learn the fundamentals of modelling significant threats.
Explore frameworks such as MITRE ATT&CK , DREAD , STRIDE , and PASTA.

Prerequisites: It is recommended to have knowledge of Threat Emulation and Principles of Security before starting this module.

Let's start modelling threats!

No answer needed

Task 2: Threat Modelling Overview

Key Definitions (The "House" Analogy):

Threat: Potential occurrence or actor (e.g., a burglar).
Vulnerability: A weakness or flaw (e.g., broken locks).
Risk: The likelihood of compromise (e.g., living in a high-crime area).

High-Level Process:

Define Scope: Identify systems/networks.
Asset Identification: Diagram architecture and identify critical data.
Identify Threats: pinpoint potential attacks (cyber, physical, social engineering).
Analyse Vulnerabilities & Prioritise Risks: Assess impact and likelihood.
Countermeasures: Design and implement controls.
Monitor & Evaluate: Continuously test effectiveness.

Attack Trees:

What is a weakness or flaw in a system, application, or process that can be exploited by a threat?

vulnerability

Based on the provided high-level methodology, what is the process of developing diagrams to visualise the organisation's architecture and dependencies?

Asset Identification

What diagram describes and analyses potential threats against a system or application?

attack tree

Task 3: Modelling with MITRE ATT&CK

Components of a Technique Page:

Description: Details of the technique.
Procedure Examples: Real-world usage by threat actors.
Mitigations: Recommended security measures.
Detections: Strategies/indicators to identify the technique.

What is the technique ID of "Exploit Public-Facing Application"?

T1190

Under what tactic does this technique belong?

Initial Access

Task 4: Mapping with ATT&CK Navigator

Key Features:

Selection Controls: Search and select techniques by keywords, threat groups (e.g., APT41), or software.
Layer Controls: Filter by platform (Windows, Linux, etc.), sort, and export data (JSON, Excel, SVG).
Technique Controls: Annotate specific techniques with scores, background colours, comments, and metadata to highlight risks.

How many MITRE ATT&CK techniques are attributed to APT33?

31

Upon applying the IaaS platform filter, how many techniques are under the Discovery tactic?

13

Task 5: DREAD Framework

Overview: Developed by Microsoft, DREAD is a risk assessment model used for qualitative risk analysis. It prioritises threats based on the average score (1-10) of five categories.

The DREAD Categories:

Damage: How bad would the attack be? (e.g., data loss, downtime).
Reproducibility: How easy is it to reproduce the attack?
Exploitability: How much work/skill is required to launch the attack?
Affected Users: How many people are impacted?
Discoverability: How easy is it to find the vulnerability?

What DREAD component assesses the potential harm from successfully exploiting a vulnerability?

Damage

What DREAD component evaluates how others can easily find and identify the vulnerability?

Discoverability

Which DREAD component considers the number of impacted users when a vulnerability is exploited?

Affected Users

Task 6: STRIDE Framework

The Categories:

Spoofing: Impersonating a user/system (Violates: Authentication).
Tampering: Modifying data/code (Violates: Integrity).
Repudiation: Denying actions due to lack of logging (Violates: Non-repudiation).
Information Disclosure: Unauthorised access to data (Violates: Confidentiality).
Denial of Service: Disrupting availability (Violates: Availability).
Elevation of Privilege: Gaining unauthorised access levels (Violates: Authorisation).

What foundational information security concept does the STRIDE framework build upon?

CIA Triad

What policy does Information Disclosure violate?

Confidentiality

Which STRIDE component involves unauthorised modification or manipulation of data?

Tampering

Which STRIDE component refers to the disruption of the system's availability?

Denial of Service

Insecure web application search functionality leading to SQL injection.

Tampering
Information Disclosure

Insecure AWS Infrastructure (EC2, S3, RDS) without load balancers.

Information Disclosure
Denial of Service

Mail server with no logging enabled.

Spoofing

Unpatched employee workstations.

Tampering
Elevation of Privilages

Provide the flag for the simulated threat modelling exercise.

THM{_}

Task 7: PASTA Framework

Overview:** PASTA** (Process for Attack Simulation and Threat Analysis) is a risk-centric, seven-step framework. It aligns threat modelling with business objectives and technical requirements.

The Seven-Step Methodology:

Define Objectives: Establish scope and compliance requirements.
Define Technical Scope: Inventory assets and understand architecture.
Decompose Application: Map data flows, trust boundaries, and components.
Analyse Threats: Identify threat sources (internal/external).
Vulnerabilities Analysis: Scan for weaknesses (static analysis, pentesting).
Analyse Attacks: Simulate attack scenarios to verify risks.
Risk and Impact Analysis: Develop countermeasures based on risk tolerance.

Benefits: PASTA is highly adaptable, fosters collaboration between developers/architects/business stakeholders, and ensures security efforts directly support business goals.

In which step of the framework do you break down the system into its components?

Decompose the Application

During which step of the PASTA framework do you simulate potential attack scenarios?

Analyse the Attacks

In which step of the PASTA framework do you create an inventory of assets?

Define the Technical Scope

Process Flow Diagram

Strategic Planning
System Architecture
Software Development
Information Security
Strategic Planning

Quiz Questions and Answers

What should be the top priority for the online banking platform, as mentioned by the Business Analyst?

Protecting customers’ personal and financial data, securing transactions, and ensuring service availability.

According to the System Architect, what are the primary technical assets of the online banking system?

Amazon EC2, RDS, and S3 services

What components of the application did the Lead Developer highlight during the 'Decompose the Application' phase?

User registration, account management, fund transfers, bill payments, and account statements

According to the Security Engineer, which type of threat is NOT considered for the online banking platform?

Social engineering attacks

Which vulnerability was mentioned by the Security Engineer as a potential issue for the online banking platform?

Cloud Infrastructure Misconfigurations

According to the Security Engineer, which mitigation strategy does match the identified threats?

Account lockouts

In the "Risk and Impact Analysis" phase, what potential consequence of a successful attack was mentioned by the Business Analyst?

Financial loss and significant reputational damage

Provide the flag for the simulated threat modelling exercise.

THM{_}

Task 8: ConclusionWe have covered four distinct frameworks, each with unique applications

MITRE ATT&CK: Best for mapping real-world adversary tactics and testing existing controls.
DREAD: Best for numerical prioritisation of risks based on damage and exploitability.
STRIDE: Best for software development, focusing on categorising threats (Spoofing, Tampering, etc.).
PASTA: Best for a holistic, risk-centric approach that aligns with business objectives.

Leveraging these frameworks helps enhance threat awareness, prioritise mitigation, and improve overall organisational resilience.

I have completed the Threat Modelling room.

No answer needed

Learning Astro, Offensive Security, and CI/CD

Mochammad Farros Fatchur Roji — Fri, 12 Dec 2025 00:00:00 +0000

Alhamdulillah for the blessing and opportunity in the form of skills, namely Astro Framework, Offensive Security, and CI/CD Workflow. Below are the details.

Astro Framework

Around 2 months were dedicated to learning Astro, starting from a simple question to an AI about what kind of web framework is very fast and secure, and the answer pointed to Astro. At first it was still doubtful, since among so many JS frameworks, choosing Astro felt unusual. After reading further, FreeCodeCamp, which once helped with learning responsive web design for free, also recommended Astro. That gave additional confidence.

During the learning process, it became clear that many large websites already use Astro, including Porsche. The community is also active and supportive. Joining the subreddit showed many people sharing the same surprise about how fast their sites become when built with Astro. More discussion about Astro Framework will probably come next time.

Offensive Security

Interest in cybersecurity has existed since college, even with a statistics background. Cybersecurity feels different, with a kind of adrenaline that makes learning exciting. Early 2025 became the moment to finally dedicate proper time to it. TryHackMe became one of the most visited platforms, recommended by both international and local communities such as Merdeka Siber. Its beginner friendly structure helped clarify many fundamentals. Even the OSI 7 layers, which used to be unclear, finally made sense and revealed how the web functions.

Further reading showed that cybersecurity is closely tied to write ups. One well known certification, OSCP, even allocates 12 hours for hacking and 12 hours for reporting, highlighting how important clear documentation is in the field.

CI/CD Workflow

CI/CD naturally followed after exploring Astro Framework. Hosting used to be confusing, especially coming from the usual WordPress plus shared hosting setup. Today, many providers offer free hosting even for SSR, such as Netlify and Cloudflare Pages. Netlify's 300 build minutes limit felt restrictive, especially when each build takes about a minute and content continues to grow.

GitHub Actions eventually became the preferred choice because it integrates directly with GitHub and offers more flexibility when the repository is public. Since making the repo public was not an issue, GitHub Actions became the main workflow, followed by purchasing a .com domain. A .dev domain was considered, but the scope of the work is broader than just development, so .com fit better.

Thank you for reading :)

Governance & Regulation | TryHackMe Write-Up

Mochammad Farros Fatchur Roji — Thu, 11 Dec 2025 00:00:00 +0000

Here i want to share about my write-up for the room Governance & Regulation. Explore policies and frameworks vital for regulating cyber security in an organisation. I wrote this in 2025 and hope it is useful for learning about cybersecurity.

Task 1: Introduction

Cybersecurity is a rapidly evolving landscape where malicious actors constantly exploit vulnerabilities to cause damage and steal data. To combat this, a comprehensive approach to information security governance and regulation is essential, involving robust policies, monitoring, and enforcement. This room aims to teach the importance of GRC (Governance, Risk Management & Compliance), relevant international laws and standards (ISO 27001, NIST 800-53), and how to improve security posture.

I am ready to start the room.

No answer needed

Task 2: Why is it important?

This section defines key terminologies: Governance (managing systems to achieve objectives), Regulation (rules enforced by governing bodies), and Compliance (adhering to laws). It details Information Security Governance processes such as Strategy, Policies, Risk Management, and Performance Measurement. It also lists key benefits like a robust security posture and stakeholder confidence, and provides examples of regulations like GDPR (Data Privacy), HIPAA (Healthcare), PCI-DSS (Financial), and GLBA.

A rule or law enforced by a governing body to ensure compliance and protect against harm is called?

Regulation

Health Insurance Portability and Accountability Act (HIPAA) targets which domain for data protection?

Healthcare

Task 3: Information Security Frameworks

Information security frameworks consist of documents that govern how security is managed. These include Policies (high-level goals), Standards (mandatory requirements), Guidelines (recommendations), Procedures (step-by-step tasks), and Baselines (minimum security levels). The development process involves identifying scope, research, drafting, review, implementation, and periodic updates. Real-world examples include creating Password Policies and Incident Response Procedures.

The step that involves monitoring compliance and adjust the document based on feedback and changes in the threat landscape or regulatory environment is called?

Review and update

A set of specific steps for undertaking a particular task or process is called?

Procedure

Task 4: Governance Risk and Compliance (GRC)

GRC is a holistic framework integrating Governance (strategy/direction), Risk Management (identifying and mitigating risks), and Compliance (meeting legal obligations). Developing a GRC program involves defining scope, conducting risk assessments, establishing governance processes, implementing controls (like Firewalls, IPS, IDS), and continuously monitoring and improving performance. In the financial sector, this includes Anti-Money Laundering policies and fraud risk management.

What is the component in the GRC framework involved in identifying, assessing, and prioritising risks to the organisation?

Risk Management

Is it important to monitor and measure the performance of a developed policy? (yea/nay)

yea

Task 5: Privacy and Data Protection

This section covers regulations protecting Personally Identifiable Information (PII).

GDPR : An EU regulation requiring prior approval for data collection, data minimization, and protection. It has tiered fines for non-compliance (Tier 1 can be up to 4% of revenue).
PCI DSS : A standard for securing card transactions (Visa, MasterCard, etc.), requiring strict access control and encryption for Cardholder Data (CHD).

[Image of GDPR Key Principles]

What is the maximum fine for Tier 1 users as per GDPR (in terms of percentage)?

4

In terms of PCI DSS, what does CHD stand for?

cardholder data

Task 6: NIST Special Publications

NIST 800-53 : A catalog of security and privacy controls for information systems (e.g., Program Management). Compliance best practices include Discovery, Mapping controls to assets, and Governance.
NIST 800-63B : Guidelines for digital identity practices, focusing on authentication, verification, and credential management (passwords, biometrics).

Per NIST 800-53, in which control category does the media protection lie?

Physical

Per NIST 800-53, in which control category does the incident response lie?

Administrative

Which phase (name) of NIST 800-53 compliance best practices results in correlating identified assets and permissions?

Map

Task 7: Information Security Management and Compliance

This task contrasts IS Management (planning/execution of security) with Compliance.

ISO/IEC 27001 : An international standard for Information Security Management Systems (ISMS). Key components include Risk Assessment, Risk Treatment, and the Statement of Applicability (SoA).
SOC 2 : An auditing framework by AICPA for service organizations, assessing controls based on the CIA triad and privacy. It assures clients that their data is handled securely.

Which ISO/IEC 27001 component involves selecting and implementing controls to reduce the identified risks to an acceptable level?

Risk treatment

In SOC 2 generic controls, which control shows that the system remains available?

Availability

Task 8: Conclusion

The room provided a comprehensive overview of governance and regulation frameworks used to protect organizational assets. It covered laws like GDPR and PCI DSS, the GRC framework, and enablers like ISO/IEC 27001 and NIST 800-53. The key takeaway is that while 100% security is unrealistic, robust policies and continuous improvement are essential for risk mitigation.

Click the View Site button at the top of the task to launch the static site in split view. What is the flag after completing the exercise?

THM{REDACTED}

React2Shell: CVE-2025-55182 | TryHackMe Write-Up

Mochammad Farros Fatchur Roji — Wed, 10 Dec 2025 00:00:00 +0000

Here i want to share about my write-up for the room React2Shell: CVE-2025-55182, explore the CVE-2025-55182 vulnerability in React server components. I wrote this in 2025 and hope it is useful for learning about cybersecurity.

Task 1: Introduction

This task introduces CVE-2025-55182, dubbed "React2Shell," a critical vulnerability (CVSS 10.0) affecting React Server Components (RSC) and frameworks like Next.js. The flaw allows unauthenticated remote code execution via a specific HTTP request due to an unsafe deserialization issue. To mitigate this, users must update vulnerable packages (like react-server-dom-webpack) to patched versions (e.g., 19.0.1+).

Having outlined the basics, let’s now dive into the key technical notes.

No answer needed

Task 2: Understanding React Server Components and the Flight Protocol

This section explains the architecture of React Server Components (RSC), where components are rendered on the server for performance. The server-client communication relies on the React Flight protocol, which handles data serialization using specific markers like $@ (for chunk references) and $B (for Blob references). The vulnerability stems from the server processing these references without properly validating if the requested properties are legitimate exports.

What is the symbol that denotes a Blob reference?

$B

Task 3: The Core Vulnerability: Unsafe Deserialization

CVE-2025-55182 is identified as an unsafe deserialization vulnerability located in the requireModule function of the react-server-dom-webpack package. The flaw exists because the code uses bracket notation (moduleExports[metadata[2]]) without validation. This allows an attacker to traverse the prototype chain (e.g., accessing .constructor) and obtain a reference to the global Function constructor, enabling arbitrary code execution.

To deepen our understanding, let’s now study the exploitation chain through a proof-of-concept code analysis.

No answer needed

Task 4: The Exploitation Chain: From Deserialization to Remote Code Execution

This task breaks down the exploit into three stages:

Creating a Fake Chunk: The attacker constructs a malicious object that references itself via the then property.
Exploiting the Blob Handler: Using the $B reference, the exploit triggers a function call (_formData.get) on the malicious object, which has been polluted to point to the Function constructor.
Achieving Code Execution: The payload (e.g., a Node.js execSync command) is passed to the Function constructor, executing the arbitrary command on the system.

Let’s analyse an actual proof-of-concept exploit in the next task.

No answer needed

Task 5: Analysing an Actual Proof-of-Concept

The content analyzes the raw HTTP POST request used for the attack. It requires the Next-Action: x header to trigger server-side processing. The body uses multipart/form-data containing three specific parts: the fake chunk object with the payload, a reference to that object ($@0), and an empty array. This vulnerability is highly critical because it affects default Next.js configurations and requires no authentication.

It’s time to see the exploit in action.

No answer needed

Task 6: Exploitation

In this practical task, users are instructed to use Burp Suite to attack a target VM on port 3000. The goal is to send the malicious payload to execute remote commands. The provided payload uses execSync to run the id command and returns the output in the server's response. The user must then modify the payload to read a flag located in /etc.

Burp Suite is launched using a temporary project.

Burp Suite initializes and loads the project environment.

You can confirm that you can view the app’s home page by visiting [IP_ADRESS]:3000. Now, it is time to exploit it. At the time of writing, our preferred choice is a payload that allows us to view the command execution result in the server’s response, as obtained from https://github.com/Malayke/Next.js-RSC-RCE-Scanner-CVE-2025-66478

A new Repeater tab is opened to craft the exploit request.

The malicious RSC payload is inserted into the request body.

The payload is modified to run ls /etc to search for the flag file.

The target IP and port (10.48.153.181:3000) are configured correctly.

What is the name of the user running the vulnerable app?

ubuntu

The server response reveals the user information from the id command.

Listing /etc shows the presence of flag.txt.

Reading the file with cat /etc/flag.txt reveals the final flag.

What is the flag in /etc?

THM{}

Task 7: Detection

This section provides methods for detecting React2Shell attacks. The primary indicators are the presence of the Next-Action header combined with multipart/form-data containing specific suspicious JSON keys (like "status": "resolved_model" or "$1: __proto__ :then"). A Snort rule is provided to detect these network signatures, and an OSQuery snippet is offered to scan endpoints for vulnerable versions of react-server-dom-* packages.

I've read and am aware of the various elements that can be used to detect this vulnerability within my environment.

No answer needed

Task 8: Conclusion

The conclusion reminds users to only perform penetration tests with explicit permission. It notes that many PoCs found online for this CVE are fake or broken. A valid PoC requires the specific vulnerable library versions (e.g., React 19.2.0, Next 16.0.6). The recommended mitigation is to run npm audit and upgrade servers to patched versions immediately.

If you enjoyed this room, consider checking other rooms in the Recent Threats module.

No answer needed