
First read the page and try to understand it yourself. If you get stuck, then look at the clues.
Day 1: Maybe SOC-mas music, he thought, doesn’t come from a store?
Looks like the song.mp3 file is not what we expected! Run “exiftool song.mp3” in your terminal to find out the author of the song. Who is the author?
Answer: Tyler Ramsbey
The malicious PowerShell script sends stolen info to a C2 server. What is the URL of this C2 server?
Answer: http://papash3ll.thm/data
Who is M.M? Maybe his Github profile page would provide clues?
Answer: Mayor Malware
What is the number of commits on the GitHub repo where the issue was raised?
Answer: 1
Day 2: One man’s false positive is another man’s potpourri
What is the name of the account causing all the failed login attempts?
Answer: service_admin
How many failed logon attempts were observed?
Answer: 6791
What is the IP address of Glitch?
Answer: 10.0.255.1
When did Glitch successfully logon to ADM-01? Format: MMM D, YYYY HH:MM:SS.SSS
Answer: Dec 1, 2024 08:54:39.000
What is the decoded command executed by Glitch to fix the systems of Wareville?
Answer: Install-WindowsUpdate -AcceptAll -AutoReboot
Day 3: Even if I wanted to go, their vulnerabilities wouldn’t allow it
Where was the web shell uploaded to?
Answer: /media/images/rooms/shell.php
What IP address accessed the web shell?
Answer: 10.11.83.34
What are the contents of flag.txt?
Answer: THM{Gl1tch_Was_H3r3}
Day 4: I’m all atomic inside!
What was the flag found in the .txt file that is found in the same directory as the PhishingAttachment.xslm artefact?
Answer: THM{GlitchTestingForSpearphishing}
What ATT&CK technique ID would be our point of interest?
Answer: T1059
What ATT&CK subtechnique ID focuses on the Windows Command Shell?
Answer: T1059.003
What is the name of the Atomic Test to be simulated?
Answer: Simulate BlackByte Ransomware Print Bombing
What is the name of the file used in the test?
Answer: Wareville_Ransomware.txt
What is the flag found from this Atomic Test?
Answer: THM{R2xpdGNoIGlzIG5vdCB0aGUgZW5lbXk=}
Day 5: SOC-mas XX-what-ee?
What is the flag discovered after navigating through the wishes?
Answer: THM{Brut3f0rc1n6_mY_w4y}
What is the flag seen on the possible proof of sabotage?
Answer: THM{m4y0r_m4lw4r3_b4ckd00rs}
Day 6: If I can’t find a nice malware to use, I’m not going
What is the flag displayed in the popup window after the EDR detects the malware?
Answer: THM{GlitchWasHere}
What is the flag found in the malstrings.txt document after running floss.exe, and opening the file in a text editor?
Answer: THM{HiddenClue}
Day 7: Oh, no. I’M SPEAKING IN CLOUDTRAIL!
What is the other activity made by the user glitch aside from the ListObject action?
Answer: PutObject
What is the source IP related to the S3 bucket activities of the user glitch?
Answer: 53.94.201.69
Based on the eventSource field, what AWS service generates the ConsoleLogin event?
Answer: signin.amazonaws.com
When did the anomalous user trigger the ConsoleLogin event?
Answer: 2024-11-28T15:21:54Z
What was the name of the user that was created by the mcskidy user?
Answer: glitch
What type of access was assigned to the anomalous user?
Answer: AdministratorAccess
Which IP does Mayor Malware typically use to log into AWS?
Answer: 53.94.201.69
What is McSkidy’s actual IP address?
Answer: 31.210.15.79
What is the bank account number owned by Mayor Malware?
Answer: 2394 6912 7723 1294
Day 8: Shellcodes of the world, unite!
What is the flag value once Glitch gets reverse shell on the digital vault using port 4444? Note: The flag may take around a minute to appear in the C:\Users\glitch\Desktop directory. You can view the content of the flag by using the command type C:\Users\glitch\Desktop\flag.txt.
Answer: AOC{GOT_MY_ACCESS_B@CK007}
Day 9: Nine o’clock, make GRC fun, tell no one
What does GRC stand for?
Answer: Governance, Risk, and Compliance
What is the flag you receive after performing the risk assessment?
Answer: THM{R15K_M4N4G3D}
Day 10: He had a brain full of macros, and had shells in his soul
What is the flag value inside the flag.txt file that’s located on the Administrator’s desktop?
Answer: THM{PHISHING_CHRISTMAS}
Day 11: If you’d like to WPA, press the star key!
What is the BSSID of our wireless interface?
Answer: 02:00:00:00:02:00
What is the SSID and BSSID of the access point? Format: SSID, BSSID
Answer: MalwareM_AP, 02:00:00:00:00:00
What is the BSSID of the wireless interface that is already connected to the access point?
Answer: 02:00:00:00:01:00
What is the PSK after performing the WPA cracking attack?
Answer: fluffy/champ24
Day 12: If I can’t steal their money, I’ll steal their joy!
What is the flag value after transferring over $2000 from Glitch’s account?
Answer: THM{WON_THE_RACE_007}
Day 13: It came without buffering! It came without lag!
What is the value of Flag1?
Answer: THM{dude_where_is_my_car}
What is the value of Flag2?
Answer: THM{my_name_is_malware._mayor_malware}
Day 14: Even if we’re horribly mismanaged, there’ll be no sad faces on SOC-mas!
What is the name of the CA that has signed the Gift Scheduler certificate?
Answer: THM
Look inside the POST requests in the HTTP history. What is the password for the snowballelf account?
Answer: c4rrotn0s3
Use the credentials for any of the elves to authenticate to the Gift Scheduler website. What is the flag shown on the elves’ scheduling page?
Answer: THM{AoC-3lf0nth3Sh3lf}
What is the password for Marta May Ware’s account?
Answer: H0llyJ0llySOCMAS!
What is the flag shown on the admin page?
Answer: THM{AoC-h0wt0ru1nG1ftD4y}
Day 15: Be it ever so heinous, there’s no place like Domain Controller.
On what day was Glitch_Malware last logged in?
Answer: 07/11/2024
What event ID shows the login of the Glitch_Malware user?
Answer: 4624
What was the command that was used to enumerate Active Directory users?
Answer: Get-ADUser -Filter * -Properties MemberOf | Select-Object Name
What was Glitch_Malware’s set password?
Answer: SuperSecretP@ssw0rd!
What is the name of the installed GPO?
Answer: Malicious GPO - Glitch_Malware Persistence
Day 16: The Wareville’s Key Vault grew three sizes that day
What is the password for backupware that was leaked?
Answer: R3c0v3r_s3cr3ts!
What is the group ID of the Secret Recovery Group?
Answer: 7d96660a-02e1-4112-9515-1762d0cb66b7
What is the name of the vault secret?
Answer: aoc2024
What are the contents of the secret stored in the vault?
Answer: WhereIsMyMind1999
Day 17: He analyzed and analyzed till his analyzer was sore!
How many logs were captured associated with the successful login?
Answer: 642
What is the Session_id associated with the attacker who deleted the recording?
Answer: rij5uu4gt204q0d3eb7jj86okt
What is the name of the attacker found in the logs, who deleted the CCTV footage?
Answer: mmalware
Day 18: I could use a little AI interaction!
What is the technical term for a set of rules and instructions given to a chatbot?
Answer: system prompt
What query should we use if we wanted to get the “status” of the health service from the in-house API?
Answer: Use the health service with the query: status
After achieving a reverse shell, look around for a flag.txt. What is the value?
Answer: THM{WareW1se_Br3ach3d}
Day 19: I merely noticed that you’re improperly stored, my dear secret!
What is the OTP flag?
Answer: THM{one_tough_password}
What is the billionaire item flag?
Answer: THM{credit_card_undeclined}
What is the biometric flag?
Answer: THM{dont_smash_your_keyboard}
Day 20: If you utter so much as one packet…
What was the first message the payload sent to Mayor Malware’s C2?
Answer: I am in Mayor!
What was the IP address of the C2 server?
Answer: 10.10.123.224
What was the command sent by the C2 server to the target machine?
Answer: whoami
What was the filename of the critical file exfiltrated by the C2 server?
Answer: credentials.txt
What secret message was sent back to the C2 in an encrypted format through beacons?
Answer: THM_Secret_101
Day 21: HELP ME…I’m REVERSE ENGINEERING!
What is the function name that downloads and executes files in the WarevilleApp.exe?
Answer: DownloadAndExecuteFile
What is the name of the binary?
Answer: explorer.exe
What domain name is the one from where the file is downloaded after running WarevilleApp.exe?
Answer: mayorc2.thm
What is the name of the zip file?
Answer: CollectedFiles.zip
What is the name of the C2 server where the stage 2 binary tries to upload files?
Answer: anonymousc2.thm
Day 22: It’s because I’m kubed, isn’t it?
What is the name of the webshell that was used by Mayor Malware?
Answer: shelly.php
What file did Mayor Malware read from the pod?
Answer: db.php
What tool did Mayor Malware search for that could be used to create a remote connection from the pod?
Answer: nc
What IP connected to the docker registry that was unexpected?
Answer: 10.10.130.253
At what time is the first connection made from this IP to the docker registry?
Answer: 29/Oct/2024:10:06:33 +0000
At what time is the updated malicious image pushed to the registry?
Answer: 29/Oct/2024:12:34:28 +0000
What is the value stored in the “pull-creds” secret?
Answer: {"auths":{"http://docker-registry.nicetown.loc:5000":{"username":"mr.nice","password":"Mr.N4ughty","auth":"bXIubmljZTpNci5ONHVnaHR5"}}}
Day 23: You wanna know what happens to your hashes?
Crack the hash value stored in hash1.txt. What was the password?
Answer: fluffycat12
What is the flag at the top of the private.pdf file?
Answer: THM{do_not_GET_CAUGHT}
Day 24: You can’t hurt SOC-mas, Mayor Malware!
What is the flag?
Answer: THM{Ligh75on-day54ved}
HAPPY HACKING!