
ADVENT OF CYBER 2024

Day 1 — Maybe SOC-mas music, he thought, doesn't come from a store?
Q1
Run "exiftool song.mp3" to find the author. Who is the author?
Answer
Tyler Ramsbey
Q2
What is the URL of the C2 server?
Answer
http://papash3ll.thm/data
Q3
Who is M.M? (Check the GitHub profile.)
Answer
Mayor Malware
Q4
Number of commits on the repo with the issue?
Answer
1
Day 2 — One man's false positive is another man's potpourri.

Q1
Name of the account causing all failed login attempts?
Answer
Q2
How many failed logon attempts were observed?
Answer
Q3
What is the IP address of Glitch?
Answer
Q4
When did Glitch successfully log on to ADM-01? (MMM D, YYYY HH:MM:SS.SSS)
Answer
Q5
Decoded command executed by Glitch to fix systems of Wareville?
Answer
Q6
Optional reference room: Investigating with ELK 101 — link or hint.
Answer
Day 3 — Even if I wanted to go, their vulnerabilities wouldn't allow it.

BLUE
Where was the web shell uploaded to?
Answer
/media/images/rooms/shell.php
BLUE
What is the IP address that accessed the web shell?
Answer
10.11.83.34
RED
What are the contents of flag.txt?
Flag
THM{Gl1tch_Was_H3r3}
Day 4 — I’m all atomic inside!

Q1
Flag found in the .txt file in the same directory as PhishingAttachment.xlsm?
Flag
THM{GlitchTestingForSpearphishing}
Q2
ATT&CK technique ID of interest?
Answer
T1059
Q3
ATT&CK sub-technique ID for Windows Command Shell?
Answer
T1059.003
Q4
Name of the Atomic Test to simulate?
Answer
Simulate BlackByte Ransomware Print Bombing
Q5
Name of the file used in the test?
Answer
Wareville_Ransomware.txt
Q6
Flag found from this Atomic Test?
Flag
THM{R2xpdGNoIGlzIG5vdCB0aGUgZW5lbXk=}