Skip to content

Advent of Cyber '24 Side Quest Banner

Advent of Cyber '24 Side Quest Logo

Advent of Cyber '24 Side Quest

This guide contains the answer and steps necessary to get to them for the Advent of Cyber '24 Side Quest room.

Table of contents

T1: Operation Tiny Frostbite

The keycard for the first challenge can be found in the following room (this was hinted in the questions section of this task.)

Day 1

In the hint we are led to the github repos we have been looking at for the AoC task. Before digging deeper there, I will run an nmap scan to see if we can find something.

sudo nmap -sS -Pn 10.10.156.173

Key Nmap

Besides ssh and the regular webpage, there seems to be another http server on port 8000.

Navigating there, we can see there is a hidden C2 server login page.

Key Login

We don't have any credentials, but this might be where the github repos come in. We can see another user that commented on the issue.

Key Github Issue

Looking on his profile page, we can see some repos. This C2 repo might be of interest.

Key Github Repo

In this repo there is a script used for the server in flask.

Key Github C2

In this script we can see various functions including a login function and several endpoints. It also includes default credentials and a secret.

Key Github Script

I already tried the default credentials, but this didn't work. However, since we have a secret key, we can try to force a session cookie using flask-unsign.

In the script we can see that the login function looks for two values:

  • "logged_in" = True
  • username

We can try with the admin user to forge a session cookie using the following command:

flask-unsign -s --cookie "{'logged_in': True, 'username':'admin'}" --secret "@09JKD0934jd712?djD"

Key Flask Command

In our browser we open the developer console and add a cookie whilst on the login page. Make sure to use the following values:

  • Name = session
  • value =
  • path = / (this enables the cookie for all endpoints)

Key Login Cookie

Now we simply reload the page and we should be able to look at the dashboard.

Key Dashboard

Success! Now we can look at the data page and get out keycard for the first challenge.

Key Card

References: https://blog.paradoxis.nl/defeating-flasks-session-management-65706ba9d3ce https://flask.palletsprojects.com/en/stable/config/

  1. What is the password the attacker used to register on the site?

After opening the pcap file we can filter on the http traffic.

For the first question, we are looking for registration credentials. This is probably located on a register page. In our case, there is a register.php page. We will filter this on POST requests as well so we get data which has been POSTED to the server. 

http contains "POST" and http contains "register.php"

Registered Credentials

Click for answerQU9DMjAyNHtUaW55X1R

  1. What is the password that the attacker captured?

For this we can use a similar approach, but instead we will be looking at login requests rather than register requests. 

http contains "POST" and http contains "login.php"

Captured Credentials

Click for answerpbnlfVGlueV9TaDNsbF

  1. What is the password of the zip file transferred by the attacker?

We are looking for a zip archive. This wasn't found in the http objects unfortunately. I did find two interesting looking executables which my be of interest later on.

Http Objects

We could look for the magic bytes of a zip file. Which in this case would be 'PK' or '50 4B' in Hex form.

Signature

We can filter out the traffic from port 22 and 80 to make things more clear. In this filter we can look for the hex value of '50 4B'.

Archive Packet

We see something in packet 158339 coming from the host to the assumed attack machine via port 9002. It also contains something similar to an sql database called 'elves.sql'.

Database Name

To extract this archive we must follow the TCP stream. Then make sure to format the data in 'raw' format instead of 'ASCII'. Save it as a '.zip' file.

Extract Archive

Unfortunately, the zip archive is password protected which we don't have. Yet.

We do however, have two executable that we found were downloaded from the attack machine to the host machine: 'ff' and 'exp_file_credentials'. Running their has through virustotal gives us an idea of what we are working with. It seems to be some kind of Linux backdoor. More specifically (from the community notes), a Tinyshell backdoor. https://github.com/creaktive/tsh/

Now the next few steps were a bit lost on me (maybe if I put a little more time into it, I might understand), so I followed some steps in the following write-up.

The basic idea is that we have a copy of a malware executable as well as its source code. This source code tells us how it encrypts the data (i.e., the network traffic we logged on port 9001) and what we need to decrypt the data.

It starts with a secret and two initialization vectors. This secret is stored in the executable. Using a reverse-engineering program such as Binary Ninja we can look through the file and find the secret in the data header.

Secret

Now that we have the secret, we should use a script that performs the same steps as the malware to decrypt the data. This was also used from the above mentioned link. Take not that it is required to export the relevant entries to a text file using:

tshark -r traffic.pcap -Y "tcp.dstport == 9001" -T fields -e data > port_9001_data.txt

We can now run the script and we should see some of the commands that have been executed via the shell.

python3 extract-commands.py

Decrypted Commands

We can see the command that has been used to create the archive at then end (including the password). It also shows us some of the sql commands used which reveal the password we need for the next question. If this was not the case, however, we could use the archive password to open the database and look for the password inside.

Click for answer9jYW5fRW5jcnlwVF9iVXR

  1. What is McSkidy's password that was inside the database file stolen by the attacker?

With the password we can extract the database file and open it to find the password. Be sure to note, this isn't an actual database file. It is a dump file containing various commands. Simply opening it up in a text editor should be enough to find the password.

Password

Click for answerfaXRfSXNfTjB0X0YwMGxwcm8wZn0

T2: Yin and Yang

  1. What is the flag for YIN?

Click for answer

  1. What is the flag for YANG?

Click for answer

T3: Escaping the Blizzard

  1. What is the content of the file foothold.txt?

Click for answer

  1. What is the content of the file user.txt?

Click for answer

  1. What is the content of the file root.txt?

Click for answer

T4: Krampus Festival

  1. What is the content of flag.txt?

Click for answer

  1. What is the content of user.txt?

Click for answer

  1. What is the content of root.txt?

Click for answer

T5: An Avalanche of Web Apps

  1. What is the value of flag 1?

Click for answer

  1. What is the value of flag 2?

Click for answer

  1. What is the value of flag 3?

Click for answer

  1. What is the value of flag 4?

Click for answer

The End?

  1. What is the flag you get at the end of thesurvey? Please make sure to copy the flag before closing the tab!

Click for answer