AoC3: Advent of Cyber 2021 (#1-5)

A simple walk-through of the Advent of Cyber challenge, hosted over on TryHackMe. This CTF built up over December 2021, with new challenges getting added everyday. It mainly focused on web exploitation and network attack vectors.

I didn’t get to participate live, but it’s still an excellent room that gets considerably harder from start to finish. Completing it on time meant you were in with a chance to win some of the ~$20,000 prizes up for grabs.

This Advent challenge starts off so easy, there isn’t much to follow up on the writing. However I expect later day challenges will get pretty complicated so I wanted to have Day 1 to Day 25 documented.

Day 1 Web Exploitation: Save The Gifts

Not much to write up for this one. Could all be done in the browser window for the challenge. A simple IDOR that involved tweaking the user_id field and answering a bunch of questions.

Day 2 Web Exploitation: Elf HR Problems

We head over to the daily challenge website and create ourselves a new user.

Advent of Cyber 2021 - Web exploitation Elf HR problems

I used the browser inspected to view the cookie that gets created.

To find the encoding method, I dropped the cookies value into CyberChef and used the Magic operator. It detected two possible encodings in use, one of which produces a meaningful output.

Knowing the encoding, we modify the values and encode back. We then drop this value into the cookie and reload the homepage to get admin access.

Once you’re in as admin, its a few simple questions to complete Day 2 of the CTF.

Day 3 Web Exploitation: Christmas Blackout

After firing up the target machine, I hit the site with gobuster and dirbuster’s small directory file. This finds the hidden folder.

To try some default credentials, I fired up Hydra. I wasn’t sure if they wanted you to automate this process, but why not…

hydra -l administrator -P /usr/share/wordlists/rockyou.txt $IP http-post-form "/{hiddenDirectory}/:username=^USER^&password=^PASS^:F=invalid"

…turns out that was overkill. The page doesn’t actually posted the values, it’s prevent by some javascript.

The authentication is done locally, and is easily guessable. If you can’t guess it, you’re over thinking this Advent of Cyber challenge.

Still stuck – check the source code from the webpage.

Day 4 Web Exploitation: Santa’s Running Behind

Firing up today’s web exploitation capture the flag challenge, we see we’re accessing Santa’s Travel Itinerary.

We use Santa as the username. (Supplied by the challenge)

I used BurpSuite to fuzz my way through the very short, TryHackMe supplied password list. The attack itself is almost instantaneous, so its a bit of a faff waiting for and configuring BurpSuite for this challenge. Never mind.

Day 4 – TryHackMe’s CTF complete

I was again tried Hydra over this challenge too, however I think there was some caching or cookie-ing going on and the script never found the password… from the supplied password list.

Either way, using BurpSuite worked and we’re on to challenge 5.

Day 5 Web Exploitation: Pesky Elf Forum

Not much difficulty to this challenge, the CTF brief explains exactly what to do. Goes to show how easy a XSS exploit can be though, and dangerous.

Mr Grinch has been compromised

With Mr Grinch’s account compromised – we complete the 5th day for Advent of Cyber 2021.

Further day’s of the Advent of Cyber will be linked to here; Day 6 has been written up and includes log poisoning, RCE and local file inclusions.

Leave a Reply

Your email address will not be published. Required fields are marked *