Day 11

Today’s challenge involved accessing an MSSQL server and was an activity I ended up learning a fair amount from. The first part of this challenge that was new to me was the MSSQL client used to access the server.

sqsh -S {target} -U {user} -P {password}

Previously I had only been familiar with impacket-mssqlclient, but I found sqsh to be far easier to use. Either way, it’s always good to have more than one way of doing these things.

Through sqsh I also gained a better understanding of how to use xp_cmdshell in order to execute commands on a Windows system, something I was a bit confused about when I last interacted with MSSQL on Hack The Box’s Archetype machine.

Day 12

Another really interesting challenge that delved into a scenario I had never encountered before, that being the use of NFS or mountd. I learned a couple of key commands for dealing with this service.

showmount -e {target} #Check available shares
mount {target}:{file} {local_file}

Day 13

Today, yet another challenge that I found very educational, this time on privilege escalation in Windows. The guide mentioned some core privilege escalation vectors:

  • Stored Credentials
  • Windows Kernel Exploit
  • Insecure File/Folder Permissions
  • Insecure Service Permissions
  • DLL Hijacking
  • Unquoted Service Path
  • Always Install Elevated
  • Other Software

The guide suggested some interesting recon commands:

net users
systeminfo | findstr /B /C: "OS Name"/C: "OS Version"
wmic service list
# Presumably WinPEASS would also be of use

The exercise itself was fairly interesting, it involved using Iperius Backup to run a .bat file with administrative privileges, using the .bat file we were able to set up a reverse shell with the attacking machine.

My one frustration with this challenge is that it was a little opaque on how exactly Iperius Backup was identified as a vulnerable service, perhaps via WinPEASS? I’m not really sure, which made it a bit difficult to learn much with regards to identifying vectors.

Day 14

Today the challenge centred around CI/CD and DevOps, the guide mentioned some major risk factors including:

  • Access Security
  • Permissions
  • Keys and Secrets
  • User Security
  • Default Configurations

The challenge itself was fairly simple, mainly consisting of editing a .sh file that was being run by a privileged account in order to access restricted files.

Day 15

Careers quiz challenge.

Day 16

Delving into a bit of OSINT today, the guide alongside this challenge was quite an interesting read and taught me number of things:

Key objectives when analysing a target account

  • Identify real or personas
  • Identify email
  • Locate linked accounts
  • History
  • Information from posts

Google Dorking, a cheat sheet can be found here https://gist.github.com/sundowndev/283efaddbcf896ab405488330d1bbc06

Web 3.0 and blockchain technology was also briefly touched on, it’ll be interesting to see whether this is something that becomes relevant outside of cryptocurrency transactions over the next few years.

Challenge itself was quite interesting and involved tracking down a Twitter account and then using that to gain other information such as a Bitcoin wallet address, Github account and personal email.

Day 17

Today the challenge delved into the world of cloud computing, an area that is still a bit of a mystery to me and that I am very keen to learn more about.

The challenge began with an overview of S3, a service used for hosting content. It taught a couple of key AWS CLI commands for interacting with s3:

# List contents of S3 bucket
aws s3 ls s3://irs-form-990/ --no-sign-request

# Download an object from S3 bucket
aws s3 cp s3://irs-form-990/201101319349101615_public.html

It also briefly went over permissions for buckets themselves and the objects in them.

The challenge also touched on IAM keys, including the Access Key ID and the Secret Access Key. Keys can be added to a profile using:

aws configure --profile PROFILENAME

Other reconnaissance techniques include:

# Finding Account ID belonging to an access key
aws sts get-access-key-info --access-key-id AKIAEXAMPLE
# Determining the Username the access key you're using belongs to
aws sts get-caller-identity --profile PROFILENAME
# Listing all the EC2 instances running in an account
aws ec2 describe-instances --output text --profile PROFILENAME
# Listing all the EC2 instances running in an account in a different region
aws ec2 describe-instances --output text --region us-east-1 --profile PROFILENAME

The challenge itself involved access a wp-backup in a public S3 bucket. From there I was able to attain the AWS access key by grepping for ‘AKIA’. I then continued on gaining reconnaissance about the different services being run by the AWS account in question, including looking at their stored secrets which included a password to a database.

Day 18

Today’s challenge delved into Docker and the AWS Elastic Container Registry. Began by pulling a Docker image from ECR and then deployed it on my own machine using docker run. Checking the environment variables yielded an API key.

Then moved on to using docker save and inspecting the underlying files that make up our Docker image. This challenge and the last definitely push me outside of my comfort zone and were probably the first time in this series of advent challenges that I’ve felt a bit out of my depth. Docker and particularly cloud services are two areas that I’ve been keen to educate myself on, I think these challenges have reinforced the importance of doing that in the near future.

Day 19

A fairly simple challenge, involved analysing a phishing email for various malicious indicators. Also involved decoding a base64 encoded PDF file, all in all, fairly straight forward.

Day 20

Remnux File command Strings command Virustotal EICAR anti malware test file

Another foray into forensics today with some fairly rudimentary malware analysis. It was fairly interesting to see the approach towards this challenge offered by the guide and I learnt a couple of new things along the way.

In terms of commands, the use of file and strings was interesting to see, while I had known about these commands previously I had never really put two and two together to realise their usefulness in analysing potential malware.

The introduction of the EICAR anti malware test file was also very interesting, I had not previously heard about it and was intrigued to learn about its purpose in ensuring anti malware software on a system is functioning correctly. Taking the hash of this file and inputting it into Virustotal was also a bit of an eye opener, while I had never seen more consensus on a file hash than this one (61/65), it was still a bit odd to see vendors, including Malwarebytes, not picking up this file. I’m guessing this may be due to me only using the hash of the file, perhaps these other vendors require more in depth analysis before being able to identify this file.

Day 21

An introduction to yara made up the bulk of today’s challenge, the activity mainly consisted of building a basic yara rule to detect and EICAR test file. While I had been aware of yara previously, this was the first time I had ever actually used it for constructing rules and testing files, I learned the basic syntax for a rule as follows:

rule rulename
  {
    meta:
      author = "tryhackme"
      description = "test rule"
      created = "11/12/2021 00:00"
    strings:
      $textstring = "text"
      $hexstring = {4D 5A}
    conditions:
      $textstring and $hexstring
  }

Along with the basic command for checking a file against a rule:

yara [options] rule_file [target]

Day 22

More forensics work today, this time looking at OLE files and CyberChef. The exercise itself was fairly simple and involved dumping a suspicious macro from an OLE file and then running that macro through CyberChef to decode it. This was an interesting challenge as I had not previously performed forensic analysis on an OLE file using oledump.py, although I did find for the CyberChef decoding that I had to follow the instructions in the guide, I am not sure how I would’ve been able to figure out the exact recipe otherwise.

Day 23

More blue teaming today, this time using full event log tool to sift through some powershell logs in search of suspicious activity. Challenge itself was fairly straight forward, involved answering some questions about the malicious activity and then using a powershell script to decrypt a file that had been sent over an HTTP connection.

Day 24

Moved on to post exploitation and looked at using mimikatz to extract password hashes from the LSASS process, something I’d been wanting to look into for a little while now. The process of getting these hashes was a lot easier than I anticipated, all I really had to do was execute mimikatz.exe in powershell and then run the following commands:

# Check correct privileges
privilege::debug
# Get the passwords
sekurlsa::logonpasswords

Presumably, the real challenge in doing this would be getting administrative privileges in the first place, then perhaps avoiding Windows Defender, but overall I was surprised by how simple it was.

My next step was to use john in order to crack the retrieved NTLM hash, I did this as follows:

john --wordlist=/usr/share/wordlists/rockyou.txt --format=NT hash.txt

Which revealed the password fairly quickly and allowed me to complete the challenge.

Day 25: Reflections

The final day of AOC and we wrapped things up with a quick survey. Overall, I thoroughly enjoyed participating in AOC2021, over the first couple of days I thought that I would find the challenges pretty easy, but I actually found myself being quite challenged on some days and definitely learned a lot more than I expected to along the way. Massive props to the TryHackMe team for putting together a fantastic event.

Certificate