Day 13: YARA!
YARA is a tool for collecting digital footprints, much like forensic investigators in the physical world use tools to collect fingerprints.
We define rules describing what counts as malicious.
A rule file consists of several parts: meta, strings and condition. The meta section holds bookkeeping such as the author and description, which matters when there are hundreds of rule files to maintain. The strings section lists what YARA will look for in the scanned files (plain text, hex byte patterns or regex). The condition section says how those strings must combine for the rule to match.
```yara
rule TBFC_Simple_MZ_Detect
{
    meta:
        author = "TBFC SOC L2"
        description = "IcedID Rule"
        date = "2025-10-10"
        confidence = "low"
    strings:
        $mz = { 4D 5A }                 // "MZ" header (PE file)
        $hex1 = { 48 8B ?? ?? 48 89 }   // malicious binary fragment
        $s1 = "malhare" nocase          // story / IOC string
    condition:
        all of them and filesize < 10485760   // < 10MB size
}
```
The task is this:
It's time to complete the practical task! The blue team has to search for the keyword TBFC: followed by an ASCII alphanumeric keyword across the /home/ubuntu/Downloads/easter directory to extract the message sent by McSkidy. Can you help decode the message sent by McSkidy?
We have to:
- Make a yara rule to search for the string TBFC:
```yara
rule search_for_TBFC
{
    meta:
        author = "mahin THM Day13"
    strings:
        $st = "TBFC:" ascii
    condition:
        $st
}
```
My strings section is not correct ('ascii' is redundant), but it does the job! The question required this: `$st = /TBFC:[A-Za-z0-9]+/`
- Next step is to apply this yara rule:
```bash
yara -rs rule.yar ~/Downloads/easter/
```
This screenshot has the answer to the last question "What is the message sent by McSkidy?"
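To see what `yara -rs` is doing under the hood, here is a small Python scanner (an added example, not part of the room or of this write-up) that walks a directory and reports every hit for the regex the task asked for, `/TBFC:[A-Za-z0-9]+/`, with its file and offset, then joins the keywords into the message. The `easter`-style directory layout and the file contents are constructed inside the script (`build_demo_tree`), so it runs offline; the decoy file shows why the literal `"TBFC:"` string in the rule above matches more than the regex does.

```python
"""Scan a directory tree for TBFC:<alphanumeric> tokens, the way `yara -rs` would.

Added example (not from the TryHackMe room or the post): the regex is the one
the task asked for; the directory and file contents are constructed here so
the script runs offline.
"""
import os
import re
import tempfile

# Same pattern as the YARA string  $st = /TBFC:[A-Za-z0-9]+/
TBFC_PATTERN = re.compile(rb"TBFC:[A-Za-z0-9]+")


def scan_file(path):
    """Return (offset, match) pairs for every hit in one file, like `yara -s`."""
    with open(path, "rb") as fh:
        data = fh.read()
    return [(m.start(), m.group()) for m in TBFC_PATTERN.finditer(data)]


def scan_tree(root):
    """Recursive scan (`yara -r`). Sorted by relative path, then offset, so output is stable."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            for offset, match in scan_file(path):
                hits.append((os.path.relpath(path, root), offset, match))
    return sorted(hits)


def extract_message(root):
    """The keyword after 'TBFC:' from each hit, in path order (the hidden message)."""
    return [match[len(b"TBFC:"):].decode("ascii") for _path, _off, match in scan_tree(root)]


def build_demo_tree():
    """Constructed sample directory: two files with tokens and one decoy."""
    root = tempfile.mkdtemp(prefix="easter_")
    os.makedirs(os.path.join(root, "nested"))
    samples = {
        "egg1.txt": b"nothing to see here... TBFC:Hello world\n",
        "nested/egg2.bin": b"\x00\x01garbage TBFC:McSkidy\xff\xfe more TBFC:Rules\n",
        # The literal "TBFC:" string would hit this file; the regex does not,
        # because no alphanumeric keyword follows the colon.
        "decoy.txt": b"TBFC: has no keyword after the colon, so no match\n",
    }
    for rel, content in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    for rel, offset, match in scan_tree(demo):
        print(f"{rel}:0x{offset:x}:{match.decode()}")   # yara -s style: file, offset, string
    print("message:", " ".join(extract_message(demo)))
```

The output format mirrors `yara -s` (file, hex offset, matched string); on the real task the message is simply the keywords in file order.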
Day 14 Containers
The goal is to fix the defaced website of the fictional service named 'doordasher'. We have to explore the container layer of the infrastructure.
The `docker ps` command shows a table of all running containers. Notice the IMAGE column (highlighted in yellow in the screenshot). There are three app containers running.
Port 5001 hosts the doordash app. Port 5002 hosts the news app wareville-times, which is part of the bonus question.
Bonus question:
There is a secret code contained within the news site running on port 5002; this code also happens to be the password for the deployer user! They should definitely change their password. Can you find it?
The clue is in the question. Go to the website http://10.48.153.34:5002/ and look at the news page. Notice that some words are highlighted differently.
Day 15: Web Attack Forensics in Splunk (again...)
Room Link
Turn on the TargetBox and go to this address on your local laptop: TargetMachineIpAddress:8000/en-US/app/search/search
- This search looks through the web access logs for any HTTP requests that include signs of command execution attempts, such as cmd.exe, PowerShell, or Invoke-Expression:
```spl
index=windows_apache_access (cmd.exe OR powershell OR "powershell.exe" OR "Invoke-Expression") | table _time host clientip uri_path uri_query status
```
- This one checks the Apache error logs for signs of execution attempts or internal failures caused by malicious requests:
```spl
index=windows_apache_error ("cmd.exe" OR "powershell" OR "Internal Server Error")
```
- What if the attacker tried to create suspicious processes? Look at the Sysmon events whose parent is the web server process:
```spl
index=windows_sysmon ParentImage="*httpd.exe"
```
The hints are in the THM walkthrough really.
"the encoded payload (such as the 'Muahahaha' message) never ran."
=> The base64-decoded string, once the UTF-16LE null bytes between the characters are stripped, reads `This is now Mine! MUAHAAHAA`; this is what attempted to run from powershell.exe, as seen in the Splunk results.
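To make the first search concrete, here is a Python version of it (an added example, not from the room or the write-up) that runs the same indicator check over a few constructed Apache access-log lines, keeps the fields the Splunk query tables, and decodes any `-EncodedCommand` argument it finds, which is the step that turns the null-byte-riddled string above into readable text (PowerShell base64-encodes that argument as UTF-16LE). The log lines, client IPs and the encoded payload are constructed here; the decoded plaintext is the one quoted above.

```python
"""Flag command-execution attempts in web access logs and decode any
PowerShell -EncodedCommand payload found in them.

Added example, not from the room or the post. The log lines are constructed
here in Apache combined log format.
"""
import base64
import re
from urllib.parse import unquote

# Indicators from the Splunk search in the write-up (compared case-insensitively)
INDICATORS = ("cmd.exe", "powershell", "powershell.exe", "invoke-expression")

# Apache combined log format: client, identd, user, [time], "request line", status, size
LOG_RE = re.compile(
    r'^(?P<clientip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# -e / -ec / -enc / -EncodedCommand followed by the base64 blob
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

# Constructed payload: the plaintext quoted in the write-up, encoded the way
# PowerShell expects it (UTF-16LE, then base64).
PAYLOAD_TEXT = "This is now Mine! MUAHAAHAA"
PAYLOAD_B64 = base64.b64encode(PAYLOAD_TEXT.encode("utf-16le")).decode()

# Constructed sample log: one benign GET, two attack attempts, one benign POST
SAMPLE_LOG = [
    '10.0.0.5 - - [15/Dec/2025:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.9 - - [15/Dec/2025:10:00:07 +0000] "GET /cgi-bin/app?cmd=cmd.exe%20/c%20whoami HTTP/1.1" 500 -',
    f'10.0.0.9 - - [15/Dec/2025:10:00:09 +0000] "GET /cgi-bin/app?cmd=powershell.exe%20-enc%20{PAYLOAD_B64} HTTP/1.1" 500 -',
    '10.0.0.7 - - [15/Dec/2025:10:01:00 +0000] "POST /login HTTP/1.1" 302 0',
]


def parse_line(line):
    """Split one access-log line into fields; None if it is not in the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["uri"] = unquote(rec["uri"])   # payloads arrive URL-encoded
    return rec


def decode_encoded_command(text):
    """Return the decoded -EncodedCommand text, or None if absent or not valid base64/UTF-16LE."""
    m = ENC_RE.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def detect(lines):
    """One finding per request carrying an indicator: the tabled fields plus the decoded payload."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        lowered = rec["uri"].lower()
        matched = [ind for ind in INDICATORS if ind in lowered]
        if not matched:
            continue
        findings.append({
            "time": rec["time"], "clientip": rec["clientip"], "uri": rec["uri"],
            "status": rec["status"], "indicators": matched,
            "decoded": decode_encoded_command(rec["uri"]),
        })
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f["time"], f["clientip"], f["status"], f["indicators"])
        if f["decoded"]:
            print("   decoded -enc payload:", f["decoded"])
```

A 500 status on these requests lines up with the second Splunk search (the error log), and the Sysmon `ParentImage` search is what confirms whether the decoded command actually spawned a process.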
Day 14
Room Link
In this room we have to deep dive into the 'Registry Explorer' tool.
- `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist`: stores information on recently accessed applications launched via the GUI.
- `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths`: stores all the paths and locations typed by the user inside the Explorer address bar.
- `HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths`: stores the path of the applications.
- `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery`: stores all the search terms typed by the user in the Explorer search bar.
- `HKLM\Software\Microsoft\Windows\CurrentVersion\Run`: stores information on the programs that are set to automatically start (startup programs) when the user logs in.
- `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs`: stores information on the files that the user has recently accessed.
- `HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName`: stores the computer's name (hostname).
- `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall`: stores information on the installed programs.
- What application was installed on dispatch-srv01 before the abnormal activity started?
=> From the bullet points above we know we should look here: `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall`. But first we have to import the relevant hive file: Ctrl+O and then select 'SOFTWARE'.
Then go to the Available Bookmarks tab and browse for a 'CurrentVersion/Uninstall' folder, because that's the end of the path we are looking for: 'DroneManager Updater' is the answer!
Question 2: Full path of the application that the user started from!
=> We know that the install path is not the only location of the executable. This registry key, `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist`, is supposed to "store information on recently accessed applications launched via the GUI."
But I could not find the UserAssist folder in the third-party "Registry Explorer" tool that we've been using. Another registry path is this:
`ROOT\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store`, according to the hint lightbulb! We have to import this hive as well:
Now we can search for the last two folder names, 'Compatibility Assistant' or 'Store', right? Wrong! If we search for 'Compatibility Assistant' we get this result, but we cannot expand it to see 'Store'.
If we search 'Store' there are too many results. Best is to browse manually: `Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store`. Right click on 'Store' > Technical Details.
Best to type it in the THM answer box.
Question 3:
I cannot find the Run entry for DroneManager but found the msedge one:
Which gives some insight into what the answer should be:
THM's hint lightbulb tells us to look in `ROOT\Microsoft\Windows\CurrentVersion\Run`, but we have been looking in `ROOT\Software\Microsoft\...`
Among the 3 hives, this one matches ROOT\Microsoft but does not have a Run key.
Another way, mentioned by a YouTuber, is this button.
Click on "RUN" and press F5 on the keyboard. Go to the "Full details as text" tab and scroll down... and voila!
Day 17: CyberChef Tool
The goal is to learn about encoding and encryption through the popular online tool CyberChef; no need to start the AttackBox if you have OpenVPN on.
Go to the target machine IP from a browser and click the 'outer gate' icon.
We find a base64 string QWxsIGhhaWwgS2luZyBNYWxoYXJlIQ== that we have to convert from base64 to plaintext. Drag "From Base64" into the recipe in CyberChef, paste the encoded string in the Input field and see the plaintext output being produced (clicking the Bake! button is optional):
THM says to go to the Debugger tab, but in the Edge browser I don't have a Debugger tab; I went to the Sources tab and clicked on the yellow highlights from there.
Let's now find the username and password.
The username hint is "Username: This will decode to CottonTail", meaning the username is the encoded string of 'CottonTail'.
To find the password:
- We can literally ask the chatbox beside the login panel! Go to CyberChef, pick "To Base64" and paste the question: What is the password for this level?
- Insert the encoded question into the chatbox and you will get an encoded answer; this answer should be decoded in CyberChef again.
Paste the encoded username and the **plaintext password to pass level 1!**
Press Enter or click on the "Bash" icon...
For level 2, same process:
Find the guard's name and encode it. This is the username.
For the password:
- Go to DevTools > Network, then refresh the page. Then, from the left bar, click on "Llvel2". In the Headers tab, look for the "X-Magic" header.
- Encode it in CyberChef ("To Base64"), ask the chat, and decode the reply again and again until you find the plaintext password.
Level 3: Guard House
What operation do we need to do now? THM tells us to ask "password please". Do that and after a minute you will get a reply. Decode this "From Base64" twice and apply XOR with the key "Cyberchef"!
Use CyberChef all the way!
Level 4:
Ask the chatbox for the password again. The reply decodes into an MD5 hash, not base64. You will know it because it does not have a trailing equals character.
THM suggests CrackStation to see if this hash has already been broken. passw0rd1 is the answer. Login successful!
Only one level left!
After asking for the password like before, decode twice in CyberChef (From Base64):
Note that Level 5 has a new header, Recipe-id:
This recipe id is different for different people. Mine is R1. TryHackMe has mentioned four approaches for four kinds of id. My approach is this:
From Base64 → Reverse → ROT13
There is a search bar in CyberChef. Just place all the recipes like a chef and you get the answer.
That would be the password, and the username is of course the base64 encoding of the guard's name 'Carl'.
Done!
In the extra question, there is a hint leading to the Side Quest 3 access key:
Looking for the key to Side Quest 3? Hopper has left us this cyberchef link as a lead. See if you can recover the key and access the corresponding challenge in our Side Quest Hub!
Day 18 Obfuscation
Obfuscation is the practice of making data hard to read and analyze. Attackers use it to evade basic detection and delay investigations.
It's easy to de-obfuscate obfuscated code once we know which algorithm has been used. If it's not obvious, CyberChef has a "Magic" operation that tries to detect it on its own:
Go to the target machine GUI > click on Windows search and type 'code' to open Visual Studio Code.
Open the SantaStealer.ps file and look at lines 15 & 16. Fix line 16 using the CyberChef result from above.
Open PowerShell in the same way. cd Desktop and then ./S[TAB] to run the script and get the flag!
For the 2nd flag, read from line 20.
Go to CyberChef, use the XOR and Hex recipes, and notice the delimiter.
And we are done!
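The Day 17 levels and the Day 18 flags are all short recipe chains, so here is a small Python recipe runner (an added example, not CyberChef's code or the room's) that implements From Base64, Reverse, ROT13, XOR with a key, From Hex with a delimiter and an offline MD5 wordlist lookup standing in for CrackStation, and applies the Level 3 chain (From Base64 twice, then XOR with "Cyberchef"), the Level 5 chain (From Base64 → Reverse → ROT13) and the Day 18 chain (From Hex with a delimiter, then XOR). The passwords, the flag, the Day 18 XOR key and the wordlist are constructed by running the inverse chain on chosen plaintexts; only `passw0rd1` and the key `Cyberchef` come from the write-up.

```python
"""A tiny CyberChef-style recipe runner for the decoding chains in the Day 17
and Day 18 write-ups: From Base64, Reverse, ROT13, XOR with a key, From Hex
with a delimiter, and an MD5 wordlist lookup standing in for CrackStation.

Added example, not CyberChef's or the room's code. Ciphertexts are constructed
by applying the inverse chain to chosen plaintexts; only 'passw0rd1' and the
key "Cyberchef" come from the write-up.
"""
import base64
import codecs
import hashlib
from itertools import cycle


def from_base64(data):
    return base64.b64decode(data)


def to_base64(data):
    return base64.b64encode(data)


def reverse(data):
    return data[::-1]


def rot13(data):
    # ROT13 only touches A-Z/a-z; decoding as latin-1 keeps every other byte unchanged
    return codecs.encode(data.decode("latin-1"), "rot_13").encode("latin-1")


def xor(data, key):
    """Repeating-key XOR, its own inverse: the same call encodes and decodes."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def from_hex(data, delimiter=" "):
    """CyberChef's From Hex with a separator between bytes (space, comma, newline...)."""
    return bytes(int(chunk, 16) for chunk in data.decode("ascii").split(delimiter) if chunk)


def bake(data, recipe):
    """Apply (operation, kwargs) steps in order, like the CyberChef recipe pane."""
    for operation, kwargs in recipe:
        data = operation(data, **kwargs)
    return data


def md5_lookup(hex_digest, wordlist):
    """Offline stand-in for CrackStation: hash each candidate and compare."""
    for word in wordlist:
        if hashlib.md5(word.encode()).hexdigest() == hex_digest.lower():
            return word
    return None


# Recipes as described in the post (Level 3, Level 5) and for Day 18 (constructed key)
LEVEL3_RECIPE = [(from_base64, {}), (from_base64, {}), (xor, {"key": b"Cyberchef"})]
LEVEL5_RECIPE = [(from_base64, {}), (reverse, {}), (rot13, {})]
DAY18_RECIPE = [(from_hex, {"delimiter": ","}), (xor, {"key": b"secretkey"})]


def build_samples():
    """Constructed inputs: run the inverse of each recipe on a chosen plaintext."""
    level3_pw, level5_pw, day18_flag = b"HopperHops", b"SnowflakeGuard", b"THM{constructed_flag}"
    return {
        "level3": (to_base64(to_base64(xor(level3_pw, b"Cyberchef"))), level3_pw),
        "level5": (to_base64(reverse(rot13(level5_pw))), level5_pw),
        "day18": (",".join(f"{b:02x}" for b in xor(day18_flag, b"secretkey")).encode(), day18_flag),
        # Level 4: the chat reply is an MD5 hash; a short constructed wordlist "cracks" it
        "level4": (hashlib.md5(b"passw0rd1").hexdigest(), ["123456", "password", "passw0rd1"]),
    }


def solve_all():
    """Run every recipe over its constructed input; returns the recovered secrets."""
    s = build_samples()
    return {
        "level3": bake(s["level3"][0], LEVEL3_RECIPE),
        "level5": bake(s["level5"][0], LEVEL5_RECIPE),
        "day18": bake(s["day18"][0], DAY18_RECIPE),
        "level4": md5_lookup(*s["level4"]),
    }


if __name__ == "__main__":
    for name, secret in solve_all().items():
        print(f"{name}: {secret}")
```

Because XOR, Reverse and ROT13 are each their own inverse, the recipe that decodes a reply is also the recipe that produced it; only Base64 and the hex dump need a distinct encode direction, which is why `build_samples` calls `to_base64` and a hex join rather than reusing the decoders.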
Day 19: ICS/Modbus
You may not know the ICS, Modbus or PLC jargon even if you are in the cybersecurity field. These terms come from industrial operational technology (OT) systems rather than IT systems.
This is called a 'walkthrough room'. There is nothing to solve except to follow the guidelines step by step. Run the Python code to get the flag.
Note: start the machines only after you reach the actual task, because the reading material takes a proper amount of time.
Day 20: Race Conditions(no, not an actual race!)
Room Link
There are three types of race conditions:
- Time-of-Check to Time-of-Use: An e-commerce web server checks the database for an item, finds only 1 left, and shows it to a buyer. The buyer places it in the cart and proceeds to pay. A second buyer also visits this item, adds it to the cart, and buys it before the first buyer! The website should have placed a condition to temporarily lock the last item as soon as someone adds it to their cart.
- Shared resource: A bank account (say 100 bitcoins!) is affected by two transactions: one credit (+20) and another debit (-20). If the system's logic is very primitive, the result depends on which one finishes last, creating confusion. The credit transaction adds 20 to 100 = 120. The debit transaction subtracts 20 from 100 = 80. Hence the result will be either 120 or 80, though it should be just 100!
- Atomicity validation: When a sequence of operations is considered part of a single transaction, it is supposed to be atomic, meaning either all of them run successfully without error or none of them runs at all. Suppose in a business transaction there are three database operations to be performed, for example:
  - Adding an amount to a bank account
  - Subtracting from another person's account
  - Sending confirmation
If someone presses cancel midway, say at step 2, then all steps should revert back to step 0. This is called atomicity. If the entire process does not revert back to square one, then we say 'the system does not have atomicity'.
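Here are the three cases simulated in Python (an added example, not from the room), each unsafe version beside its fix: the last-item checkout (time-of-check to time-of-use), the 100-balance credit/debit lost update (shared resource), and a three-step transfer cancelled at step 2 with and without rollback (atomicity). A `threading.Barrier` forces the bad interleaving deterministically, so the unsafe results reproduce on every run instead of depending on the scheduler. The stock level, balances and amounts are constructed values.

```python
"""Three race-condition types, simulated with threads: TOCTOU on a last-item
checkout, a lost update on a shared balance, and a multi-step transaction with
and without rollback. Each unsafe version sits beside its locked/atomic fix.

Added example, not from the room. A Barrier forces the bad interleaving
deterministically: every thread finishes its check/read before any writes.
"""
import threading


class Inventory:
    """Time-of-check to time-of-use: 'is there stock?' and 'take one' are separate steps."""

    def __init__(self, stock):
        self.stock = stock
        self.lock = threading.Lock()

    def unsafe_buy(self, barrier):
        if self.stock > 0:            # check
            barrier.wait()            # every buyer passes the check before anyone decrements
            self.stock -= 1           # use: all of them take the last item
            return True
        return False

    def safe_buy(self):
        with self.lock:               # check and use are one unit; nobody gets in between
            if self.stock > 0:
                self.stock -= 1
                return True
            return False


class Account:
    """Shared resource: an unlocked read-modify-write loses one of two updates."""

    def __init__(self, balance):
        self.balance = balance
        self.lock = threading.Lock()

    def unsafe_apply(self, delta, barrier):
        snapshot = self.balance       # both transactions read 100
        barrier.wait()
        self.balance = snapshot + delta   # last writer wins: 120 or 80, never 100

    def safe_apply(self, delta):
        with self.lock:
            self.balance += delta


def run_threads(target, args_list):
    threads = [threading.Thread(target=target, args=args) for args in args_list]
    for t in threads:
        t.start()
    for t in threads:
        t.join()


def last_item_race(safe, buyers=2):
    """One unit in stock, `buyers` concurrent checkouts. Returns (sales, stock left)."""
    inv, sales = Inventory(1), []
    if safe:
        run_threads(lambda: sales.append(inv.safe_buy()), [()] * buyers)
    else:
        barrier = threading.Barrier(buyers)
        run_threads(lambda: sales.append(inv.unsafe_buy(barrier)), [()] * buyers)
    return sum(sales), inv.stock


def lost_update(safe):
    """Balance 100, one credit (+20) and one debit (-20); should end at 100."""
    acct = Account(100)
    if safe:
        run_threads(acct.safe_apply, [(20,), (-20,)])
    else:
        barrier = threading.Barrier(2)
        run_threads(acct.unsafe_apply, [(20, barrier), (-20, barrier)])
    return acct.balance


def transfer(src, dst, amount, fail_at=None, rollback=True):
    """Atomicity: debit src, credit dst, send confirmation. `fail_at` cancels
    at that step (1-3); with rollback the completed steps are undone."""
    before = (src.balance, dst.balance)
    log = []
    steps = [
        lambda: setattr(src, "balance", src.balance - amount),
        lambda: setattr(dst, "balance", dst.balance + amount),
        lambda: log.append("confirmation sent"),
    ]
    try:
        for number, step in enumerate(steps, start=1):
            if number == fail_at:
                raise RuntimeError(f"cancelled at step {number}")
            step()
        return True
    except RuntimeError:
        if rollback:                  # back to square one
            src.balance, dst.balance = before
        return False


if __name__ == "__main__":
    print("TOCTOU unsafe (sales, stock):", last_item_race(safe=False))
    print("TOCTOU safe, 20 buyers:      ", last_item_race(safe=True, buyers=20))
    print("lost update unsafe:", lost_update(safe=False), " safe:", lost_update(safe=True))
    a, b = Account(100), Account(50)
    transfer(a, b, 30, fail_at=2, rollback=False)
    print("cancel at step 2 without rollback:", (a.balance, b.balance))
```

Twenty parallel checkouts against `safe_buy` (the same number of duplicated Repeater tabs the room uses) produce exactly one sale, which is the behaviour a locked or database-level atomic decrement gives the shop.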
Start the AttackBox. Alternatively, if you already have OpenVPN turned on and have Burp Suite Community Edition, you don't need the AttackBox.
Start Burp Suite, turn off intercepting, and open a browser from Burp Suite.
If you get a dialog saying "Allow browser to run without sandbox", do this:
A Chromium browser will slowly pop up. THM tells us to open Firefox and go to machine.IP.address, but actually we have to do this in the Chromium browser we opened. Purchase one unit of 'sleightoy'. Then go to the Proxy tab > 'HTTP history' sub-tab in Burp Suite.
Read the "Exploiting the Race Condition" section in the THM room.
Second question: Do the same for the item 'bunny plush'.
- Start the browser from Burp Suite (already open)
- Make an order of 'bunny plush'
- Go to Proxy tab > HTTP History tab
- Select 'payment checkout' > right click and 'Send to Repeater'
- Make a group with the tab.
- Duplicate the tab 20 times.
- Press the dropdown on the orange 'Send' button > click "Send group in parallel"
- Click again.
- Go to the browser again and see the flag.