Skip to content

TryHackMe Writeups

Yara aoc2025 q9w1e3y5u7

TryHackMe Writeups

Home
Crackthehash
Cyberadventtemplate
Template
25daysofchristmas
25daysofchristmas
- 25daysofchristmas
AIforcyber aoc2025 y9wWQ1zRgB
AIforcyber aoc2025 y9wWQ1zRgB
- AIforcyber aoc2025 y9wWQ1zRgB
HackfinityBattle
HackfinityBattle
- HackfinityBattle
ICS modbus aoc2025 g3m6n9b1v4
ICS modbus aoc2025 g3m6n9b1v4
- ICS modbus aoc2025 g3m6n9b1v4
Adenumeration
Adenumeration
- Adenumeration
Adv3nt0fdbopsjcap
Adv3nt0fdbopsjcap
- Adv3nt0fdbopsjcap
Adventofcyber2
Adventofcyber2
- Adventofcyber2
Adventofcyber2023
Adventofcyber2023
- Adventofcyber2023
Adventofcyber2024
Adventofcyber2024
- WIP adventofcyber2024
- Adventofcyber2024
Adventofcyber23sidequest
Adventofcyber23sidequest
- Adventofcyber23sidequest
Adventofcyber24sidequest
Adventofcyber24sidequest
- Adventofcyber24sidequest
Adventofcyber25
Adventofcyber25
- Adventofcyber25
Adventofcyber25sidequest
Adventofcyber25sidequest
- Adventofcyber25sidequest
Agentsudoctf
Agentsudoctf
- Agentsudoctf
Anonymous
Anonymous
- Anonymous
Attacks on ecrypted files aoc2025 asdfghj123
Attacks on ecrypted files aoc2025 asdfghj123
- Attacks on ecrypted files aoc2025 asdfghj123
Auditingandmonitoringse
Auditingandmonitoringse
- Auditingandmonitoringse
Authenticationbypass
Authenticationbypass
- Authenticationbypass
Azuresentinel aoc2025 a7d3h9k0p2
Azuresentinel aoc2025 a7d3h9k0p2
- Azuresentinel aoc2025 a7d3h9k0p2
Blaster
Blaster
- Blaster
Blue
Blue
- Blue
Bof1
Bof1
- Bof1
Breachingad
Breachingad
- Breachingad
Breakrsa
Breakrsa
- Breakrsa
Burpsuitebasics
Burpsuitebasics
- Burpsuitebasics
Burpsuiteintruder
Burpsuiteintruder
- Burpsuiteintruder
Burpsuiteom
Burpsuiteom
- Burpsuiteom
Burpsuiterepeater
Burpsuiterepeater
- Burpsuiterepeater
Cloudenum aoc2025 y4u7i0o3p6
Cloudenum aoc2025 y4u7i0o3p6
- Cloudenum aoc2025 y4u7i0o3p6
Codeanalysis
Codeanalysis
- Codeanalysis
Commonlinuxprivesc
Commonlinuxprivesc
- Commonlinuxprivesc
Container security aoc2025 z0x3v6n9m2
Container security aoc2025 z0x3v6n9m2
- Container security aoc2025 z0x3v6n9m2
Contentdiscovery
Contentdiscovery
- Contentdiscovery
Cowboyhacker
Cowboyhacker
- Cowboyhacker
Crackthehash
Crackthehash
- Crackthehash
Cryptographyintro
Cryptographyintro
- Cryptographyintro
Cybergovernanceregulation
Cybergovernanceregulation
- Cybergovernanceregulation
Dastzap
Dastzap
- Dastzap
Dataxexfilt
Dataxexfilt
- Dataxexfilt
Detecting c2 with rita aoc2025 m9n2b5v8c1
Detecting c2 with rita aoc2025 m9n2b5v8c1
- Detecting c2 with rita aoc2025 m9n2b5v8c1
Easyctf
Easyctf
- Easyctf
Encoding decoding aoc2025 s1a4z7x0c3
Encoding decoding aoc2025 s1a4z7x0c3
- Encoding decoding aoc2025 s1a4z7x0c3
Encryptioncrypto101
Encryptioncrypto101
- Encryptioncrypto101
Enumerationpe
Enumerationpe
- Enumerationpe
Exploitingad
Exploitingad
- Exploitingad
Fileinc
Fileinc
- Fileinc
First shift ctf
First shift ctf
- First shift ctf
Htapowershell aoc2025 p2l5k8j1h4
Htapowershell aoc2025 p2l5k8j1h4
- Htapowershell aoc2025 p2l5k8j1h4
Hydra
Hydra
- Hydra
Ice
Ice
- Ice
idor aoc2025 zl6MywQid9
idor aoc2025 zl6MywQid9
- idor aoc2025 zl6MywQid9
Intronetworksecurity
Intronetworksecurity
- Intronetworksecurity
Johntheripper0
Johntheripper0
- Johntheripper0
Kenobi
Kenobi
- Kenobi
Lateralmovementandpivoting
Lateralmovementandpivoting
- Lateralmovementandpivoting
Linprivesc
Linprivesc
- Linprivesc
Linuxcli aoc2025 o1fpqkvxti
Linuxcli aoc2025 o1fpqkvxti
- Linuxcli aoc2025 o1fpqkvxti
Linuxfundamentalspart1
Linuxfundamentalspart1
- Linuxfundamentalspart1
Linuxfundamentalspart2
Linuxfundamentalspart2
- Linuxfundamentalspart2
Linuxfundamentalspart3
Linuxfundamentalspart3
- Linuxfundamentalspart3
Linuxprivesc
Linuxprivesc
- Linuxprivesc
Linuxsystemhardening
Linuxsystemhardening
- Linuxsystemhardening
Malmalintroductory
Malmalintroductory
- Malmalintroductory
malware sandbox aoc2025 SD1zn4fZQt
malware sandbox aoc2025 SD1zn4fZQt
- malware sandbox aoc2025 SD1zn4fZQt
Metasploitexploitation
Metasploitexploitation
- Metasploitexploitation
Meterpreter
Meterpreter
- Meterpreter
Netsecchallenge
Netsecchallenge
- Netsecchallenge
Networkservices aoc2025 jnsoqbxgky
Networkservices aoc2025 jnsoqbxgky
- Networkservices aoc2025 jnsoqbxgky
Obfuscation aoc2025 e5r8t2y6u9
Obfuscation aoc2025 e5r8t2y6u9
- Obfuscation aoc2025 e5r8t2y6u9
Ohsint
Ohsint
- Ohsint
Operatingsystemsecurity
Operatingsystemsecurity
- Operatingsystemsecurity
Owaspjuiceshop
Owaspjuiceshop
- Owaspjuiceshop
Owasptop102021
Owasptop102021
- Owasptop102021
Passwordattacks
Passwordattacks
- Passwordattacks
Persistingad
Persistingad
- Persistingad
phishing aoc2025 h2tkye9fzU
phishing aoc2025 h2tkye9fzU
- phishing aoc2025 h2tkye9fzU
Picklerick
Picklerick
- Picklerick
Postexploit
Postexploit
- Postexploit
Powershell
Powershell
- Powershell
Printerhacking101
Printerhacking101
- Printerhacking101
promptinjection aoc2025 sxUMnCkvLO
promptinjection aoc2025 sxUMnCkvLO
- promptinjection aoc2025 sxUMnCkvLO
Race conditions aoc2025 d7f0g3h6j9
Race conditions aoc2025 d7f0g3h6j9
- Race conditions aoc2025 d7f0g3h6j9
Redteamrecon
Redteamrecon
- Redteamrecon
Registry forensics aoc2025 h6k9j2l5p8
Registry forensics aoc2025 h6k9j2l5p8
- Registry forensics aoc2025 h6k9j2l5p8
Rpnessusredux
Rpnessusredux
- Rpnessusredux
Rrootme
Rrootme
- Rrootme
Sast
Sast
- Sast
Seriskmanagement
Seriskmanagement
- Seriskmanagement
Shodan
Shodan
- Shodan
Splunkforloganalysis aoc2025 x8fj2k4rqp
Splunkforloganalysis aoc2025 x8fj2k4rqp
- Splunkforloganalysis aoc2025 x8fj2k4rqp
Spottingphishing aoc2025 r2g4f6s8l0
Spottingphishing aoc2025 r2g4f6s8l0
- Spottingphishing aoc2025 r2g4f6s8l0
Sql injection
Sql injection
- Sql injection
Steelmountain
Steelmountain
- Steelmountain
Thelayoftheland
Thelayoftheland
- Thelayoftheland
Threatmodelling
Threatmodelling
- Threatmodelling
Traverse
Traverse
- Traverse
Uploadvulns
Uploadvulns
- Uploadvulns
Vulnerabilitycapstone
Vulnerabilitycapstone
- Vulnerabilitycapstone
Vulnerabilitymanagementkj
Vulnerabilitymanagementkj
- Vulnerabilitymanagementkj
Vulnversity
Vulnversity
- Vulnversity
Walkinganapplication
Walkinganapplication
- Walkinganapplication
Weaponization
Weaponization
- Weaponization
Webattackforensics aoc2025 b4t7c1d5f8
Webattackforensics aoc2025 b4t7c1d5f8
- Webattackforensics aoc2025 b4t7c1d5f8
Webhackingusingcurl aoc2025 w8q1a4s7d0
Webhackingusingcurl aoc2025 w8q1a4s7d0
- Webhackingusingcurl aoc2025 w8q1a4s7d0
Winadbasics
Winadbasics
- Winadbasics
Windows10privesc
Windows10privesc
- Windows10privesc
Windowsfundamentals1
Windowsfundamentals1
- Windowsfundamentals
Windowsfundamentals2
Windowsfundamentals2
- Windowsfundamentals2
Windowsfundamentals3
Windowsfundamentals3
- Windowsfundamentals3
Windowslocalpersistence
Windowslocalpersistence
- Windowslocalpersistence
Windowsprivesc20
Windowsprivesc20
- Windowsprivesc20
Wiresharkpacketoperations
Wiresharkpacketoperations
- Wiresharkpacketoperations
Wiresharkthebasics
Wiresharkthebasics
- Wiresharkthebasics
Wonderland
Wonderland
- Wonderland
Xss aoc2025 c5j8b1m4t6
Xss aoc2025 c5j8b1m4t6
- Xss aoc2025 c5j8b1m4t6
Yara aoc2025 q9w1e3y5u7
Yara aoc2025 q9w1e3y5u7
- Yara aoc2025 q9w1e3y5u7 Yara aoc2025 q9w1e3y5u7
  Table of contents
  - Table of contents
    
    Yara Rules

YARA Rules - YARA mean one! Banner

YARA Rules - YARA mean one! Logo

YARA Rules - YARA mean one! | Advent of Cyber 2025 - Day 13

This guide contains the answer and steps necessary to get to them for the YARA Rules - YARA mean one! room.

Table of contents

Yara Rules

Yara Rules

How many images contain the string TBFC?

We will create our own YARA rule that will look for the specific string "TBFC". Since there is only one string, it can trigger for any of them.

rule TBFC_yara_rule
{
    meta:
        author = "Kevinovitz"
        description = "TBFC Rule"
        date = "2025-10-10"
        confidence = "low"

    strings:
        $s1 = “TBFC:”

    condition:
        any of them
}

Script1

Upon executing the YARA rule, we can see a number of files returned that contain the string.

yara -r rule.yar /home/ubuntu/Downloads/easter/

String1

Click for answer
5

What regex would you use to match a string that begins with TBFC: followed by one or more alphanumeric ASCII characters?

Next, we want to add a part to our search string. Using regex notation we can include one or more alphanumeric characters as follows:

rule TBFC_yara_rule
{
    meta:
        author = "Kevinovitz"
        description = "TBFC Rule"
        date = "2025-10-10"
        confidence = "low"

    strings:
        $s1 = /TBFC:[A-Za-z0-9]+/

    condition:
        any of them
}

Script2

Click for answer
/TBFC:[A-Za-z0-9]+/

What is the message sent by McSkidy?

Running this script (whilst outputting the found strings) will reveall the secret message we are looking for.
```
yara -r rule.yar /home/ubuntu/Downloads/easter/
```
Click for answer
Find me in HopSec Island