With December once again upon us, I decided to wade into the litany of advent challenges that inevitably fill up my inbox each year. This year, one of the advent activities I chose to take on was TryHackMe’s ‘Advent of Cyber’, a set of 25 beginner level, Christmas-themed CTF challenges which mainly focussed on web applications, network exploitation, OSINT and blue teaming. Below are my brief thoughts and learnings from each day

Day 1

This challenge consisted of a pretty basic IDOR exploitation, checking the user activity page of the provided website revealed a URL parameter named user_id, changing the value of this parameter allowed me to view the user activity pages of other users. Checking through various IDs from 1-20 would reveal the users of particular interest to us, along with the answers to the provided questions.

Day 2

Fairly simple authentication bypass by altering cookies. One interesting aspect of this challenge was the the cookies provided were encoded in hex, which is something I’d never seen before, luckily the Cyber Chef magic function made it fairly easy to work this out and saved me the trouble of going through each encoding option myself. Not too much of a challenge thus far.

Day 3

Challenge ramped up a bit today with some directory recon, I took this as an opportunity to try my hand at using gobuster. In the past I’ve always used dirb, but after having read a number of CTF write-ups I’ve noticed that gobuster seems to be the more popular tool. I executed the following command:

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.212.132/

And was able to find the directory of interest pretty quickly. The page I found had a login screen which could be bypassed using the credentials ‘administrator:administrator’. For this particular part of the challenge, the TryHackMe write-up provided some fairly interesting techniques for finding default credentials, the most notable being to identify the type of CMS being used and then discover the default credentials via OSINT.

Day 4

Today the challenge consisted of some bruteforcing of an web login form. The write-up provided by TryHackMe suggested using Burp Suite intruder to complete this challenge, so I initially did it as follows:

Intercept the request and right click to send to intruder
Clear $ and then select the password field and add $
In payloads, select a wordlist and load it
Hit start attack and then check for a response with a differing length

This approach was fairly new to me and was certainly interesting to learn about, but I also found it to be frustratingly slow. I instead gave it another crack using the Python requests library:

import requests

password = 'santa'

wordlist = open('wordlist.txt', 'r')
words = wordlist.read().split('\n')

for word in words:
	contents = {
		'username': 'santa',
		'password': word,
		'submit': 'Login',
	}
	r = requests.post('http://10.10.75.195/', data=contents, cookies={'PHPSESSID': '***'})
	print(f'{word}: {len(r.content)}')

Frankly, this wasn’t as fast as I had anticipated, but I still found it to be a nice refresher for my Python and requests library skills.

Day 5

Involved a fairly basic stored XSS attack against a forum in order to force a user to change their password. Took me a second to refresh myself on XSS, but eventually figured out the following payload:

<script>fetch('/settings?password=pass123')</script>

Day 6

Today was a fairly interesting challenge relating to LFI. I’ve been aware of what LFI is and ways to exploit it for a while, but wasn’t aware of was the potential for it to be leveraged into RCE when exploited with PHP.

The first neat little hacker trick I learnt was PHP filtering in order to access PHP files via base64:

?var=php://filter/convert.base64-encode/resource=/etc/passwd

Learning about PHP DATA was also very interesting, using something akin to the following payload I was actually able to execute phpinfo() in order to view the web server’s hostname.

?var=data://text/plain;base64,Cjw/cGhwIHBocGluZm8oKTs/Pgo=

I tried using this same method to open a PHP reverse shell, but was unsuccessful, I suspect the challenge may have been using a filter to prevent reverse shells from being set up.

Another interesting technique raised was the ability to inject PHP into user session files. Places where said files may be located include:

c:\Windows\Temp
/tmp/
/var/lib/php5
/var/lib/php/session

Day 7

Another really interesting challenge, this time looking into noSQL databses, particularly MongoDB. The following are some commands I used while using the Mongo shell.

mongo

show databases

use newdb

db.createCollection("users")

db.getCollectionNames()

db.users.insert({id:"1", username: "admin", email: "admin@thm.labs", password: "idk2021!"})

db.users.find()

db.users.update({id:"2"}, {$set: {username: "tryhackme"}});

db.users.remove({'id':'2'})

db.users.drop()

I also learnt how to inject noSQL payloads, one key example was sending a post request with data user=admin&password[$ne]=admin, allowing me to select records with username admin and a password that is not admin.

Day 8

A particularly relevant challenge today, given I have recently completed a digital forensics course. The first thing I learnt from this challenge was an easy way to connect to an RDP server running on a machine:

xfreerdp /u:Administrator /p:grinch123! /v:MACHINE_IP

I also learnt about using ShellBags explorer to view the contents of ShellBags files. Alongside this was some fairly basic analysis of PowerShell transcripts alongside some investigation of a Github repositiory.

Day 9

Some more forensics work today, this time making use of Wireshark to analyse packet captures. Again, a fairly relevant challenge owing to my recent experiences, I found I was able to complete it without too much trouble after I had brushed up on some basic Wireshark search queries.

Day 10

This challenge provided a fairly basic overview of nmap, there wasn’t too much that was new to me here, but I did find a few things notable. The use of the -p- flag to scan all ports after my initial scan was fairly new, although I did find it took quite a large amount of time so I don’t know if it’s something I’d employ regularly. This challenge also introduced the practise of searching up service version numbers to find vulnerabilities, although it didn’t include the exploitation of these vulnerabilities it was still interesting to actually practise this kind of OSINT for a CTF as many of the activities I have done so far generally haven’t involved having to do much self-research.

Advent of Cyber 2021, Days 1-10

My Learnings and Thoughts