Advent of Cyber 2 | Day 1 - A Christmas Crisis | TryHackMe Walkthrough

Writeups Dec 11, 2020

Wow, it’s Christmas already - Mariah Carey on the radio, fairy lights on your neighbours’ porch, eggnog on the shelves on Tesco, and most importantly the TryHackMe Advent of Cyber room has dropped for this year.

If you're new to THM or you didn't take part in Advent of Cyber last year, it’s basically a CTF challenge room with new challenges dropping each day leading up to Christmas. Completing each challenge gets you a ticket in a raffle drawn on the 26th. There are more than 50 prizes up for grabs, including OSCP vouchers, HAK5 gear, and TryHackMe subscriptions.

Before attempting the challenges, have a good read of the tutorial and story pages, they give you a good base knowledge of what to expect and set a humorous and seasonal mood for the tasks. In the interest of not spoiling the fun of solving the challenge yourself, I will list all the steps required to solve the respective flag but I won’t publish any flags on this blog.

The first challenge, A Christmas Crisis, follows after a hacker has compromised Santa’s account for the Christmas control panel and you have been tasked to recover access. The challenge requires some basic web exploitation experience, but this challenge along with some creative googling proves a good testing ground even if you have no experience with web ex before.

First of all, deploy the box and connect to the THM network either via OpenVPN or using the AttackBox in the browser. When you deploy the box, a dialogue will appear above the list of tasks which shows an IP address. Make note of this IP as it will be useful shortly. Note, the IP shown in the image below will be different from the IP when you deploy the machine and if you terminate the machine and recreate it at a later date it will be different again.

TryHackMe Deployed Box Dialogue
TryHackMe Deployed Box Dialogue

Opening a web browser (If using the AttackBox, Firefox is installed by default), navigate to the box IP address. When you do, the Christmas Control Centre should appear. If it doesn't, make sure you have typed the IP address correctly and if you are using OpenVPN you have correctly connected to the THM network.

Screenshot of Christmas Control Centre logon page, showing username and password fields along with Log In! and Register! buttons
Screenshot of Christmas Control Centre logon page

The first question requires us to register an account. To do this enter any username or password into the text boxes and click the Register button.

admin:admin

After doing this you will then be able to log into the platform using the same credentials. The question asks about an attribute - name - of the cookie. This information isn’t typically available to users of websites but can be found in the developer tools.

Cookies are stored locally on the device so we will be able to find it by looking under the storage tab of dev tools. Expand the cookies section if it isnt already and select the cookie present. Here we see the newly generated cookie and its respective attributes. The answer to this question is available here in this table (covered in the image below.)

Screenshot of cookie in dev tools, showing attributes of the selected cookie.
Screenshot of cookie in dev tools

The remaining questions refer to the value in the cookie:

7b22636f6d70616e79223a22546865204265737420466573746976616c20436f6d70616e79222c2022757365726e616d65223a2261646d696e227d

If you’re experienced, you may have some hunches as to how this was encoded already just by looking at it and noticing it uses numbers 0-9 and no letters greater than f. This pattern matches hexadecimal encoding, aka base 16. Another way of checking this if you have no idea is pasting the string into Cyber Chef and letting it auto-detect (or even searching for magic in the operations tab.)

Cyber Chef screenshot when decoding the hash
Cyber Chef screenshot when decoding the hash

After determining it is in fact hex, we can decode the output as

{"company":"The Best Festival Company", "username":"admin"}

This is a type of data structure commonly used on the web. This is a simple JavaScript object, featuring two key-value pairs. The first string is the key and the value comes after the colon. This format, often called JSON (JavaScript Object Notation) is used as a lightweight way to store data in flat files (.json) and when sending data between servers and clients, i.e. in cookies such as this one.

{"key":"value"}

{"speed": 55
"model": "alpha",
"size": [15, 8.5, 12]
}
Simple example of JSON formatted data.

Now we have this information we can build upon it to try and regain access to Santa's account on the platform. Considering how the JSON is formatted for our account, we can reasonably assume that the cookie for the santa account would be the same except swapping out the value for the username with “santa”.

Cyber Chef screenshot when encoding the new hash
Cyber Chef screenshot when encoding the new hash

Then we need to convert this JSON string into a hex value. If you're using Cyber Chef to perform this, make sure to set the delimiter box to None, or else the string won't be formatted correctly. Then try sending it to the server by refreshing the page.

After doing this we should be presented with a similar page to what we got earlier using an account we created, except we now have the ability to toggle the switches on the page. If you look carefully you may also notice a string of text appears at the bottom of the page, that is the final flag we need to complete the Day 1 challenge.

Find my walkthrough of the Day 2 challenge here.

Josh Caulfield

FullStack Python / InfoSec

Great! You've successfully subscribed.
Great! Next, complete checkout for full access.
Welcome back! You've successfully signed in.
Success! Your account is fully activated, you now have access to all content.