Another year has passed by 🍁 autumn leaves are beginning to... leave :) and whatever cringe poetry Shakespeare did or did not say!
Advent of Cyber takes its name from Advent of Code. If you are more of a programmer than a security/networking/Linux enthusiast, then stay still! See if this stuff looks interesting, and then go to the Advent of Code!
This is the home page for Advent of Cyber 2025
First things first for the uninitiated: each page in THM is called a room. Look for the green equal-ish icon, then look for the green "Start Machine" button and you will have access to an Ubuntu box for 1 hour. Click on the expand icon to move it to a new tab comfortably. Other ways to access it exist. Don't stress about the 1 hour limit; they allow 'adding another hour' for free.

Day 1 is easy. Just follow the instructions and run the commands. TryHackMe is monitoring your machine. The end! Don't scroll further until you've read the task notes.
We will focus on the last task in this blog. There are two ways you can see bash history: the history command, or checking the hidden .bash_history text file located in the /home/username/ directory with the command cat ~/.bash_history. Note that the tilde character (~) is an alias for this path: /home/username_whois_logged_in_rightnow. If we are already in that directory (we usually are) then just use cat .bash_history
The question mentions root bash history. Either use sudo su - or sudo su root and then use the history command to find the THM{} formatted flag!
The rest of this guide is for the dreaded SideQuest. The first skill required is to read between the lines and relax... otherwise it will take you 3 hours like me! Also, utilize the lightbulb icon in the THM page's tasks to find more hints, it's ok🙄
For those who consider themselves intermediate and want another challenge, check McSkidy's hidden note in /home/mcskidy/Documents/ to get access to the key for Side Quest 1!
Go to above path and find these 3 clues that lead to 3 password fragments:
Access the user account:
username: eddi_knapp
password: S0mething1Sc0ming
There are three hidden easter eggs.
They combine to form the passcode to open my encrypted vault.
Clues (one for each egg):
1) I ride with your session, not with your chest of files.
Open the little bag your shell carries when you arrive.
2) The tree shows today; the rings remember yesterday.
Read the ledger’s older pages.
3) When pixels sleep, their tails sometimes whisper plain words.
Listen to the tail.
Find the fragments, join them in order, and use the resulting passcode
to decrypt the message I left.
1. bashrc
That came to me instantly: something that the shell carries with its session. You have to switch to user eddi_knapp, then run more ~/.bashrc to find the PASSFRAG1
2. tree, ledger?
First I thought the tree and rings were easter hunt cultural jargon. The ledger and hint about finding yesterday's records immediately took me to the /var/log/ directory to check the auth.log and syslog files and journalctl logs for 'yesterday' events. I used more auth.log | grep "2025-11-30", did the same for journalctl and scoured through the lines, no PASSFRAG anywhere!
Then ls -aR on eddi's home directory and there was an awful lot of git files and backups. I used git log and this is where I really got stuck.

Did not know what else to do here. Tried to read the binary logs under the head directory but it was all gibberish. Then I tried to use git reset commitID to see if any text files appear. No use, the entire directory is a desert.
I had to google other people's solutions to take a hint. Discovered that the git show command exists, and it shows more information than git log.
git show commitID reveals the files changed in that commit and the changes made to them.
- The competition has just started so I better not reveal everything....
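Why git log and git reset showed nothing useful while git show did: a file deleted in a later commit is gone from the working tree but its content stays in history. The sketch below is an added example, not from the original post or the room; the repository, the file name notes.txt and the string PASSFRAG_DEMO are constructed placeholders.

```shell
#!/bin/sh
# Added example: constructed throwaway repo, placeholder secret only.

# Build a repo where a note is committed, then "removed" in a later commit.
make_demo_repo() {
    repo=$(mktemp -d) || return 1
    (
        cd "$repo" || exit 1
        git init -q .
        # Per-command identity so the demo does not depend on global config.
        g() { git -c user.name=demo -c user.email=demo@example.invalid "$@"; }
        printf 'PASSFRAG_DEMO="placeholder-fragment"\n' > notes.txt
        g add notes.txt && g commit -q -m "add private note"
        g rm -q notes.txt && g commit -q -m "remove sensitive note"
    ) >/dev/null 2>&1 || return 1
    printf '%s\n' "$repo"
}

# List every commit (on any ref) whose diff adds or removes the string.
commits_touching() {   # usage: commits_touching <repo> <string>
    git -C "$1" log --all --format='%h %s' -S "$2"
}

# Print the added lines anywhere in history that contain the string.
added_lines_matching() {   # usage: added_lines_matching <repo> <string>
    git -C "$1" log --all -p -S "$2" | grep '^+[^+]' | grep -F -- "$2" | sort -u
}
```

For anyone cleaning up a real repository, this is the reason a leaked credential has to be rotated: deleting the file in a new commit leaves it readable to everyone with a clone.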
3. pixel refer to.. pictures.
Among all the pictures located in eddi's Pictures dir, it's a hassle. Then I read the hints again and rightfully misinterpreted this line:
3) When pixels sleep, their tails sometimes whisper plain words.
Listen to the tail.
This is the hint you’re looking for: Once you have the final flag, use it to unlock the hidden png. Where is it? Thats a .secret!
Hidden png? ls -aR ~/Pictures revealed a hidden .easter_egg picture -_-
tail .easter_egg command reveals the flag.
All 3 fragments lead to this password: 3ast3r-5s-g01nG (this is not the actual password, remember my last note about not revealing too much stuff)
So what's next, what files do I decrypt with this password? No idea, had to check another article. There are 2 gpg files in the machine it seems! How am I supposed to know that 😶
eddi_knapp@tbfc-web01:~/.secret_git$ find ~ -name "*gpg*"
/home/eddi_knapp/.secret/dir.tar.gz.gpg
/home/eddi_knapp/Documents/mcskidy_note.txt.gpg
$
$ file /home/eddi_knapp/Documents/mcskidy_note.txt.gpg
/home/eddi_knapp/Documents/mcskidy_note.txt.gpg: PGP symmetric key encrypted data - AES with 256-bit key salted & iterated - SHA256 .
So... which one to decrypt and how to decrypt?! Google says openssl.
used this useless big command: openssl enc -d -aes-256-cbc -salt -pbkdf2 -iter 1000000 -md sha256 -base64 -in ./dir.tar.gz.gpg -out ./plaintext
useless because gpg files cannot be decrypted using openssl, a gpg tool exists.
gpg -d file.gpg decrypts the file and outputs to stdout. Check man gpg and search for \-d
Try prepending the command with sudo if you get a permission error. If sudo doesn't work(!) and you get error 'edii is not in the sudoer list' then try copying the file over to mcskidy's and switch user. Feel free to comment a more robust way.
The decrypted file is a set of instructions that is quite easy to follow. Just replace the file /home/socmas/2025/wishlist.txt with the text mentioned. Use an editor, or this nifty trick: cat > wishlist.txt
Then in the VM box, look for firefox icon. Go to the address:

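Copy the ciphertext that you see into a file (let's call it cipher) in whatever location; that file is to be decrypted with OpenSSL 😪 Keep in mind that -pass pass:... puts the passphrase on the command line, so it ends up in the same bash history the Day 1 task had you read.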
openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 -salt -base64 -in ./cipher -out ./decoded_message.txt -pass pass:'91J6X7R4FQ9TQPM9JX2Q9X2Z'
You will get flag: THM{}
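Both decryption steps above (the .gpg files that openssl could not read, and the base64 text that needed openssl) come down to checking the file's leading bytes before picking a tool. This is an added example, not from the original post or the room: the function names are hypothetical and the sample files are constructed headers, not real ciphertext.

```shell
#!/bin/sh
# Added example: choose gpg or openssl from a file's first bytes.
# Sample files below are constructed, not real ciphertext.

# Print the first N bytes of a file as hex with no separators.
first_hex() {   # usage: first_hex <file> <nbytes>
    head -c "$2" "$1" | od -An -v -tx1 | tr -d ' \n'
}

# Classify a ciphertext file by its magic bytes (a heuristic, like file(1)).
classify_ciphertext() {   # usage: classify_ciphertext <file>
    case "$(first_hex "$1" 15)" in
        53616c7465645f5f*)               echo openssl-raw ;;    # "Salted__"
        553246736447566b5831*)           echo openssl-base64 ;; # "U2FsdGVkX1"
        2d2d2d2d2d424547494e2050475020*) echo gpg-armored ;;    # "-----BEGIN PGP "
        8c*|c3*)                         echo gpg-symmetric ;;  # OpenPGP packet tag 3
        *)                               echo unknown ;;
    esac
}

# Map the classification to the tool that can read it.
tool_for() {   # usage: tool_for <file>
    case "$(classify_ciphertext "$1")" in
        openssl-raw)    echo "openssl enc -d" ;;
        openssl-base64) echo "openssl enc -d -base64" ;;
        gpg-*)          echo "gpg -d" ;;
        *)              echo "unknown: inspect with file(1) first" ;;
    esac
}

# Write constructed sample headers into a directory for a dry run.
make_samples() {   # usage: make_samples <dir>
    printf 'Salted__12345678ciphertext' > "$1/raw.bin"
    printf 'U2FsdGVkX1+constructed==\n' > "$1/b64.txt"
    printf '\214\015\004\011\003\010saltsalt' > "$1/sym.gpg"
    printf '%s\n' '-----BEGIN PGP MESSAGE-----' > "$1/armored.asc"
    printf 'just a plain text note\n' > "$1/note.txt"
}
```

The cipher and key-derivation options (-aes-256-cbc, -pbkdf2, -iter) are not stored in an OpenSSL file, so they still have to come from whoever encrypted it; a gpg file carries them in its header, which is why gpg -d needs only the passphrase.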
No, it's not done yet....
Remember there were 2 gpg files. We are gonna work with the one named dir* now.
NEXT STEP:
If you fancy something a little...spicier....use the FLAG you just obtained as the passphrase to unlock:
/home/eddi_knapp/.secret/dir*
That hidden directory has been archived and encrypted with the FLAG.
Inside it you'll find the sidequest key.
Read the above message carefully: the directory has been archived, then encrypted.
- decrypt with gpg -o dir.tar.gz -d dir.tar.gz.gpg
- then unzip with tar xfv dir.tar.gz
- cd dir
- strings sq1.png - This one doesn't have anything inside; you have to see it from outside.
- You can go to file explorer, just like you went to Firefox; or use the command xdg-open sq1.png. This will open the file with the default application. If you assumed Nautilus is the default file explorer, you're wrong. I tried.
- And finally, write down the message you see. This is the password to start working on the next SideQuest💀, here: https://tryhackme.com/room/sq1-aoc2025-FzPnrt2SAu

Top comments (8)
"And finally, write down the message you see."
I'm not sure about it...
could plz give a hint like how to deal with the sq1.png
Oh, I meant when you open the picture file (like you normally do in your laptop), you will "see" the text. And by "write down" I just meant save the text you "see" in the picture in a notepad or whatever, in case you want to try the SideQuest.
when I open it using xdg-open, it shows a pixelated image in cacaview (egg shaped when zooming out)
I was using the VM box from the tryhackme webpage; that is a GUI ubuntu environment.
What are you using? I think you are using a pure cli environment (e.g. ssh from windows terminal?). Or the only 'photo viewer app' available in your system is _cacaview_
You said "egg shaped when zooming out". Can you zoom out a bit more? You are very close, focus on the lower part of the image.
_cacaview_ uses ascii characters to 'build' the image, it's ~impossible to see writings in pictures. Use a different environment.
I'm using the machine provided with the Day 1 challenge (- -).
I gotta say, it is strange. I opened day01 machine again to check further
exit from eddi bash session to go back to mcskidy, then do an elaborate copy command to bring in the image from /home/eddi/pic (you won't have the autocomplete feature). Then use xdg-open, you will hit a permission issue again, then use sudo, this time it will work because you are mcskidy now. Another way is to use the GUI file explorer, but it opens /home/ubuntu, not /home/eddi. You have to perform the copy operation to bring the image from eddi's to /home/ubuntu but in this case also you gotta have sudo priv like mcskidy :)
That's all the support I can give!
If you inherently have issues with xdg-open or cacaview is not moving its cha-cha (I don't know what this means, don't sue me ><), then use eom. It is the command tool for the actual photo view app "Eye of MATE"
got it, thanks bro
so the last flag "see" it just only keep for later? i thought is a flag for something