THM Advent of Cyber

Project URL: https://tryhackme.com/room/adventofcyber4

Working through the daily challenges from TryHackMe's Advent of Cyber.

As I have been working on my CompTIA CySA+ certification, I have been dedicating time to learning Blue Team techniques. I have enjoyed learning Red Team hacking techniques as well and believe that it is an important part of being a well-rounded security analyst, as it is important to be familiar with Red Team techniques to be aware of what to look for and how attackers will act.
Overview of days:
  1. Frameworks
    1. Started the Advent of Cyber challenge by reviewing the NIST Cybersecurity Framework, ISO 27000 Series, MITRE ATT&CK Framework, Cyber Kill Chain, Unified Kill Chain.
  2. Log Analysis
    1. Discovered the IP address of the attacker and the file the attackers were targeting for extraction from the web server's logs.
  3. OSINT
    1. Located the Github repository the attackers used to access the web server with Google Dorking.
  4. Scanning
    1. Used nmap to scan the hacked web server and found that it had a known vulnerability and was running Samba. Then I connected to the Samba file service and found the user's passwords saved there.
  5. Brute-Forcing
    1. Used THC Hydra to brute-force a password on a machine's SSH service. Then demonstrated the importance of not reusing passwords, and of password rotation, by using the same password to connect to another machine running a VNC server.
  6. Email Analysis
    1. Checked email headers to determine the source of a phishing email. Determined that a malicious document was sent in the email based on the hash value of the attached document.
  7. CyberChef
    1. Used the CyberChef web-based application to analyze a malicious Microsoft Word document and extract the hidden PowerShell script.
  8. Smart Contracts
    1. Saw how smart contracts on the blockchain that execute buys and withdrawals can be exploited. Tested scenarios where they are improperly programmed to track their balance and do not account for transactions that are not yet finalized. This allows an attacker to withdraw the entire cryptocurrency balance of an account.
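A toy model of the Day 8 bug, added here and not code from the room: a Python ledger stands in for the contract, the `receive` callback stands in for the external call that pays a withdrawer, and the same withdraw routine is shown with the balance updated after the call (vulnerable) and before it, behind a guard (hardened). All names and amounts are constructed.

```python
class Vault:
    """Toy ledger standing in for a contract; safe=True applies checks-effects-interactions and a guard."""

    def __init__(self, safe: bool) -> None:
        self.safe = safe
        self.balances: dict[str, int] = {}
        self.pool = 0        # funds the vault actually holds
        self._busy = False   # reentrancy guard (safe mode only)

    def deposit(self, who: str, amount: int) -> None:
        self.balances[who] = self.balances.get(who, 0) + amount
        self.pool += amount

    def withdraw(self, who: str, amount: int, receive) -> None:
        # `receive` models the external call that pays the caller; on-chain it can run arbitrary code.
        if self.safe and self._busy:
            raise RuntimeError("reentrant call blocked")
        if self.balances.get(who, 0) < amount:
            raise ValueError("insufficient balance")
        if not self.safe:
            self.pool -= amount
            receive(amount)                # external call while the balance still reads as unspent
            self.balances[who] -= amount   # the update the nested calls never waited for
            return
        self._busy = True
        try:
            self.balances[who] -= amount   # effects first ...
            self.pool -= amount
            receive(amount)                # ... interaction last
        finally:
            self._busy = False


def simulate(safe: bool) -> tuple[int, int]:
    """Honest users hold 90; a malicious caller deposits 10 and re-enters withdraw from its payout hook.
    Returns (amount the caller received, funds left in the vault)."""
    vault = Vault(safe)
    vault.deposit("honest", 90)
    vault.deposit("mallory", 10)
    received = 0

    def receive(amount: int) -> None:
        nonlocal received
        received += amount
        if vault.pool >= 10:             # re-enter while funds remain
            vault.withdraw("mallory", 10, receive)

    try:
        vault.withdraw("mallory", 10, receive)
    except RuntimeError:
        pass                             # guarded vault rejects the nested call; the first payout stands
    return received, vault.pool
```

The unguarded vault pays out the whole pool against a 10-unit balance, while the guarded one pays exactly once.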
  9. Pivoting
    1. Worked with the Metasploit framework to gain access to a web server running in a Docker container through a vulnerability in its development framework. Then used Meterpreter to pivot into the host machine over an SSH connection.
  10. Hack a game
    1. Used the Chrome extension Cetus to view and modify variables in memory for a web-based game. Manipulated the character's input to find a variable's location in memory.
  11. Memory Forensics
    1. Worked on isolating a malicious process in a memory dump using the Python Volatility CLI tool.
  12. Malware Analysis
    1. Conducted static and dynamic analysis of a malicious file in a sandbox environment. After unpacking the binary, we could identify the registry and file changes and the network connections initiated by the malware.
  13. Packet Analysis
    1. Used Wireshark to analyze the traffic between the infected host and the attacker's C2 server. Then recovered the file delivered by the attackers over an HTTP connection.
  14. Web Applications
    1. Exploited broken access control in a web application by manipulating the URL to access other users' profiles.
  15. Secure Coding
    1. Exploited an unrestricted file upload vulnerability to upload a document that initiated a reverse shell. After that, we hardened the web application by adding file extension validation, file renaming, and malware scanning to validate each upload before storing it on the server.
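The three Day 15 controls in one upload handler, as an added example of my own rather than the room's application code: an extension allow-list backed by a magic-byte check, a stand-in scan hook (assumed; a real deployment would call an AV engine), and a random server-side filename so the client's name never reaches the disk. The sample uploads are constructed.

```python
import secrets
import tempfile
from pathlib import Path

ALLOWED = {".pdf": b"%PDF", ".png": b"\x89PNG", ".jpg": b"\xff\xd8\xff"}   # extension -> magic bytes


def scan_for_malware(data: bytes) -> bool:
    """Stand-in for a real AV scan; returns True when the content is clean."""
    return b"EICAR" not in data   # constructed marker, not a real detection


def validate_and_store(filename: str, data: bytes, upload_dir: Path) -> Path:
    """Accepts an upload only if extension, content and scan all pass; stores it under a random name."""
    ext = Path(filename).suffix.lower()
    if ext not in ALLOWED:
        raise ValueError(f"extension {ext!r} not allowed")
    if not data.startswith(ALLOWED[ext]):
        raise ValueError("content does not match extension")
    if not scan_for_malware(data):
        raise ValueError("malware detected")
    # The client's name is discarded entirely: no traversal and no tricks with the name on disk.
    dest = upload_dir / (secrets.token_hex(16) + ext)
    upload_dir.mkdir(parents=True, exist_ok=True)
    dest.write_bytes(data)
    return dest


def demo() -> list[str]:
    """Runs the validator over constructed uploads in a temp directory and reports each outcome."""
    cases = [
        ("report.pdf", b"%PDF-1.7 constructed document"),
        ("../../shell.php", b"<?php echo 'hi'; ?>"),
        ("photo.png", b"%PDF not really a png"),
        ("invoice.pdf", b"%PDF-1.4 EICAR"),
    ]
    results = []
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in cases:
            try:
                stored = validate_and_store(name, data, Path(tmp))
                results.append(f"stored ({len(stored.stem)} hex chars, {stored.suffix})")
            except ValueError as err:
                results.append(str(err))
    return results
```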
  16. Secure Coding 2
    1. I was promoted to Elf McCode! Today we secured a new web application from SQL injections. We secured the application with data type validation where we wanted an integer, and with prepared statements when there were more complex SQL queries to be made.
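The two Day 16 defenses side by side with the pattern they replace, as an added example (my own code against a constructed in-memory SQLite table, not the room's application): an integer route that rejects anything non-numeric and binds the value, and a free-text search where only the placeholder can keep the input out of the SQL text.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the application's database."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE elves (id INTEGER PRIMARY KEY, name TEXT, role TEXT);
        INSERT INTO elves VALUES (1, 'McCode', 'developer'), (2, 'McSkidy', 'defender');
    """)
    return con


def lookup_vulnerable(con: sqlite3.Connection, user_id: str) -> list[tuple]:
    # The request parameter is pasted straight into the statement, so it can rewrite the WHERE clause.
    return con.execute(f"SELECT name FROM elves WHERE id = {user_id}").fetchall()


def lookup_hardened(con: sqlite3.Connection, user_id: str) -> list[tuple]:
    # Data type validation: this route expects an integer, so anything else is rejected up front ...
    if not user_id.isdigit():
        raise ValueError("id must be a positive integer")
    # ... and a prepared (parameterised) statement keeps the value out of the SQL text regardless.
    return con.execute("SELECT name FROM elves WHERE id = ?", (int(user_id),)).fetchall()


def search_hardened(con: sqlite3.Connection, name_fragment: str) -> list[tuple]:
    """Free text cannot be type-checked into safety, so here the placeholder does all the work."""
    return con.execute("SELECT name FROM elves WHERE name LIKE ?", (f"%{name_fragment}%",)).fetchall()
```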
  17. Secure Coding 3
    1. Today's input validation focused on using regular expressions to check strings for valid usernames, email addresses, and websites.
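Regex validation for the three Day 17 fields, as an added example with patterns of my own choosing (not the room's): `fullmatch` anchors both ends, and the second function exists only to show why a trailing `$` with `re.match` is weaker, since `$` also matches before a final newline.

```python
import re

# Anchoring is done by fullmatch, so the whole string must fit the pattern; nothing may trail it.
PATTERNS = {
    "username": re.compile(r"[A-Za-z][A-Za-z0-9_]{2,15}"),
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}"),
    "website": re.compile(r"https?://[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}(/\S*)?"),
}


def is_valid(kind: str, value: str) -> bool:
    """True when the whole value matches the pattern for the given field."""
    return PATTERNS[kind].fullmatch(value) is not None


def is_valid_dollar_anchored(kind: str, value: str) -> bool:
    """The common weaker form (re.match plus a trailing $), kept only to illustrate the pitfall."""
    return re.match(PATTERNS[kind].pattern + "$", value) is not None
```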
  18. Sigma
    1. Wrote Sigma rules for a SIEM to identify the MITRE ATT&CK techniques of account creation, software discovery, and scheduled tasks. The rules we created were able to identify the attacker's user account, their query of the applications running on a server, and the task they scheduled to maintain persistence.
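A minimal Sigma-style matcher run over constructed Windows events, added here as my own example: the three selections approximate the Day 18 detections (Security event 4720 for account creation, and Sysmon process-creation events for a wmic software query and a schtasks /create), not the room's rule files, and the events are made up to exercise them.

```python
from typing import Any

Event = dict[str, Any]

# Constructed approximations of the three Day 18 detections, written as Sigma-style selections.
RULES = [
    {"title": "Account creation (T1136)",
     "selection": {"EventID": 4720}},
    {"title": "Software discovery via wmic (T1518)",
     "selection": {"EventID": 1, "Image|endswith": "\\wmic.exe", "CommandLine|contains": "product get"}},
    {"title": "Scheduled task creation (T1053.005)",
     "selection": {"EventID": 1, "Image|endswith": "\\schtasks.exe", "CommandLine|contains": "/create"}},
]


def field_matches(event: Event, key: str, expected: Any) -> bool:
    """Evaluates one selection entry; the part after '|' is the Sigma modifier."""
    field, _, modifier = key.partition("|")
    if field not in event:
        return False
    if modifier == "":
        return event[field] == expected
    text, want = str(event[field]).lower(), str(expected).lower()   # Sigma string matching is case-insensitive
    return {"contains": want in text,
            "startswith": text.startswith(want),
            "endswith": text.endswith(want)}[modifier]


def match_rules(events: list[Event]) -> list[tuple[str, str]]:
    """Returns (rule title, acting user) for every event whose fields satisfy a rule's selection."""
    hits = []
    for event in events:
        for rule in RULES:
            if all(field_matches(event, key, value) for key, value in rule["selection"].items()):
                hits.append((rule["title"], event.get("User", "?")))
    return hits


# Constructed events, loosely shaped like Windows Security (4720) and Sysmon process-creation (1) records.
SAMPLE_EVENTS: list[Event] = [
    {"EventID": 4720, "User": "santa", "TargetUserName": "bandit_elf"},
    {"EventID": 1, "User": "bandit_elf", "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "CommandLine": "wmic product get name,version"},
    {"EventID": 1, "User": "bandit_elf", "Image": "C:\\Windows\\System32\\schtasks.exe",
     "CommandLine": "schtasks /Create /SC DAILY /TN Updater /TR update.exe"},
    {"EventID": 1, "User": "elf_mcskidy", "Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad wishlist.txt"},
]
```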
  19. Hardware Hacking
    1. Learned about the USART, SPI, and I2C protocols for communication between microcontrollers. Then used a capture from a logic analyzer to determine what communications were occurring between a microprocessor and an ESP32 wireless chip that was left in Santa's workshop.
  20. Firmware
    1. Performed static analysis of the firmware captured from the device found in Santa's workshop. Once the firmware was determined to be encrypted, we retrieved an earlier, unencrypted version of the firmware, from which we recovered the public and private keys along with the passphrase for the key, and used them to decrypt the unknown device's firmware.
  21. MQTT
    1. Connected to the broker service for the webcam device found in Santa's workshop. We were able to confirm that this device was meant to spy on Santa. This lesson was also a good introduction to the security vulnerabilities of IoT devices when no authentication is required to connect to a broker, either to retrieve data or to post it.
  22. Attack Surface Reduction
    1. Elf McSkidy worked on reducing the attack surface of Santa's workshop after everything we found during the attack: unnecessary ports were closed on the web server, phishing protection was added for email, and stricter password requirements were enforced, including a lockout after 5 failed logon attempts.
  23. Defense in Depth
    1. The final task stressed the importance of layering defenses on a computer network. Not only do you need a firewall to protect the perimeter of a network, but you need logging to know what is going on in the network, implementing the principle of least privilege to limit access to secure systems, and alerting so that when issues are detected, we can respond to the attack.