First read the page and try to understand it yourself. If you get stuck, then look at the clues.

Day 1: Maybe SOC-mas music, he thought, doesn’t come from a store?

Looks like the song.mp3 file is not what we expected! Run “exiftool song.mp3” in your terminal to find out the author of the song. Who is the author?

Answer: Tyler Ramsbey

The malicious PowerShell script sends stolen info to a C2 server. What is the URL of this C2 server?

Answer: http://papash3ll.thm/data

Who is M.M? Maybe his Github profile page would provide clues?

Answer: Mayor Malware

What is the number of commits on the GitHub repo where the issue was raised?

Answer: 1

Day 2: One man’s false positive is another man’s potpourri

What is the name of the account causing all the failed login attempts?

Answer: service_admin

How many failed logon attempts were observed?

Answer: 6791

What is the IP address of Glitch?

Answer: 10.0.255.1

When did Glitch successfully log on to ADM-01? Format: MMM D, YYYY HH:MM:SS.SSS

Answer: Dec 1, 2024 08:54:39.000

What is the decoded command executed by Glitch to fix the systems of Wareville?

Answer: Install-WindowsUpdate -AcceptAll -AutoReboot

Day 3: Even if I wanted to go, their vulnerabilities wouldn’t allow it

Where was the web shell uploaded to?

Answer: /media/images/rooms/shell.php

What IP address accessed the web shell?

Answer: 10.11.83.34

What are the contents of flag.txt?

Answer: THM{Gl1tch_Was_H3r3}

Day 4: I’m all atomic inside!

What was the flag found in the .txt file that is found in the same directory as the PhishingAttachment.xslm artefact?

Answer: THM{GlitchTestingForSpearphishing}

What ATT&CK technique ID would be our point of interest?

Answer: T1059

What ATT&CK subtechnique ID focuses on the Windows Command Shell?

Answer: T1059.003

What is the name of the Atomic Test to be simulated?

Answer: Simulate BlackByte Ransomware Print Bombing

What is the name of the file used in the test?

Answer: Wareville_Ransomware.txt

What is the flag found from this Atomic Test?

Answer: THM{R2xpdGNoIGlzIG5vdCB0aGUgZW5lbXk=}

Day 5: SOC-mas XX-what-ee?

What is the flag discovered after navigating through the wishes?

Answer: THM{Brut3f0rc1n6_mY_w4y}

What is the flag seen on the possible proof of sabotage?

Answer: THM{m4y0r_m4lw4r3_b4ckd00rs}

Day 6: If I can’t find a nice malware to use, I’m not going

What is the flag displayed in the popup window after the EDR detects the malware?

Answer: THM{GlitchWasHere}

What is the flag found in the malstrings.txt document after running floss.exe, and opening the file in a text editor?

Answer: THM{HiddenClue}

Day 7: Oh, no. I’M SPEAKING IN CLOUDTRAIL!

What is the other activity made by the user glitch aside from the ListObject action?

Answer: PutObject

What is the source IP related to the S3 bucket activities of the user glitch?

Answer: 53.94.201.69

Based on the eventSource field, what AWS service generates the ConsoleLogin event?

Answer: signin.amazonaws.com

When did the anomalous user trigger the ConsoleLogin event?

Answer: 2024-11-28T15:21:54Z

What was the name of the user that was created by the mcskidy user?

Answer: glitch

What type of access was assigned to the anomalous user?

Answer: AdministratorAccess

Which IP does Mayor Malware typically use to log into AWS?

Answer: 53.94.201.69

What is McSkidy’s actual IP address?

Answer: 31.210.15.79

What is the bank account number owned by Mayor Malware?

Answer: 2394 6912 7723 1294

Day 8: Shellcodes of the world, unite!

What is the flag value once Glitch gets reverse shell on the digital vault using port 4444? Note: The flag may take around a minute to appear in the C:\Users\glitch\Desktop directory. You can view the content of the flag by using the command type C:\Users\glitch\Desktop\flag.txt.

Answer: AOC{GOT_MY_ACCESS_B@CK007}

Day 9: Nine o’clock, make GRC fun, tell no one

What does GRC stand for?

Answer: Governance, Risk, and Compliance

What is the flag you receive after performing the risk assessment?

Answer: THM{R15K_M4N4G3D}

Day 10: He had a brain full of macros, and had shells in his soul

What is the flag value inside the flag.txt file that’s located on the Administrator’s desktop?

Answer: THM{PHISHING_CHRISTMAS}

Day 11: If you’d like to WPA, press the star key!

What is the BSSID of our wireless interface?

Answer: 02:00:00:00:02:00

What is the SSID and BSSID of the access point? Format: SSID, BSSID

Answer: MalwareM_AP, 02:00:00:00:00:00

What is the BSSID of the wireless interface that is already connected to the access point?

Answer: 02:00:00:00:01:00

What is the PSK after performing the WPA cracking attack?

Answer: fluffy/champ24

Day 12: If I can’t steal their money, I’ll steal their joy!

What is the flag value after transferring over $2000 from Glitch’s account?

Answer: THM{WON_THE_RACE_007}

Day 13: It came without buffering! It came without lag!

What is the value of Flag1?

Answer: THM{dude_where_is_my_car}

What is the value of Flag2?

Answer: THM{my_name_is_malware._mayor_malware}

Day 14: Even if we’re horribly mismanaged, there’ll be no sad faces on SOC-mas!

What is the name of the CA that has signed the Gift Scheduler certificate?

Answer: THM

Look inside the POST requests in the HTTP history. What is the password for the snowballelf account?

Answer: c4rrotn0s3

Use the credentials for any of the elves to authenticate to the Gift Scheduler website. What is the flag shown on the elves’ scheduling page?

Answer: THM{AoC-3lf0nth3Sh3lf}

What is the password for Marta May Ware’s account?

Answer: H0llyJ0llySOCMAS!

What is the flag shown on the admin page?

Answer: THM{AoC-h0wt0ru1nG1ftD4y}

Day 15: Be it ever so heinous, there’s no place like Domain Controller.

On what day was Glitch_Malware last logged in?

Answer: 07/11/2024

What event ID shows the login of the Glitch_Malware user?

Answer: 4624

What was the command that was used to enumerate Active Directory users?

Answer: Get-ADUser -Filter * -Properties MemberOf | Select-Object Name

What was Glitch_Malware’s set password?

Answer: SuperSecretP@ssw0rd!

What is the name of the installed GPO?

Answer: Malicious GPO - Glitch_Malware Persistence

Day 16: The Wareville’s Key Vault grew three sizes that day

What is the password for backupware that was leaked?

Answer: R3c0v3r_s3cr3ts!

What is the group ID of the Secret Recovery Group?

Answer: 7d96660a-02e1-4112-9515-1762d0cb66b7

What is the name of the vault secret?

Answer: aoc2024

What are the contents of the secret stored in the vault?

Answer: WhereIsMyMind1999

Day 17: He analyzed and analyzed till his analyzer was sore!

How many logs were captured associated with the successful login?

Answer: 642

What is the Session_id associated with the attacker who deleted the recording?

Answer: rij5uu4gt204q0d3eb7jj86okt

What is the name of the attacker found in the logs, who deleted the CCTV footage?

Answer: mmalware

Day 18: I could use a little AI interaction!

What is the technical term for a set of rules and instructions given to a chatbot?

Answer: system prompt

What query should we use if we wanted to get the “status” of the health service from the in-house API?

Answer: Use the health service with the query: status

After achieving a reverse shell, look around for a flag.txt. What is the value?

Answer: THM{WareW1se_Br3ach3d}

Day 19: I merely noticed that you’re improperly stored, my dear secret!

What is the OTP flag?

Answer: THM{one_tough_password}

What is the billionaire item flag?

Answer: THM{credit_card_undeclined}

What is the biometric flag?

Answer: THM{dont_smash_your_keyboard}

Day 20: If you utter so much as one packet…

What was the first message the payload sent to Mayor Malware’s C2?

Answer: I am in Mayor!

What was the IP address of the C2 server?

Answer: 10.10.123.224

What was the command sent by the C2 server to the target machine?

Answer: whoami

What was the filename of the critical file exfiltrated by the C2 server?

Answer: credentials.txt

What secret message was sent back to the C2 in an encrypted format through beacons?

Answer: THM_Secret_101

Day 21: HELP ME…I’m REVERSE ENGINEERING!

What is the function name that downloads and executes files in the WarevilleApp.exe?

Answer: DownloadAndExecuteFile

What is the name of the binary?

Answer: explorer.exe

What domain name is the one from where the file is downloaded after running WarevilleApp.exe?

Answer: mayorc2.thm

What is the name of the zip file?

Answer: CollectedFiles.zip

What is the name of the C2 server where the stage 2 binary tries to upload files?

Answer: anonymousc2.thm

Day 22: It’s because I’m kubed, isn’t it?

What is the name of the webshell that was used by Mayor Malware?

Answer: shelly.php

What file did Mayor Malware read from the pod?

Answer: db.php

What tool did Mayor Malware search for that could be used to create a remote connection from the pod?

Answer: nc

What IP connected to the docker registry that was unexpected?

Answer: 10.10.130.253

At what time is the first connection made from this IP to the docker registry?

Answer: 29/Oct/2024:10:06:33 +0000

At what time is the updated malicious image pushed to the registry?

Answer: 29/Oct/2024:12:34:28 +0000

What is the value stored in the “pull-creds” secret?

Answer: {"auths":{"http://docker-registry.nicetown.loc:5000":{"username":"mr.nice","password":"Mr.N4ughty","auth":"bXIubmljZTpNci5ONHVnaHR5"}}}

Day 23: You wanna know what happens to your hashes?

Crack the hash value stored in hash1.txt. What was the password?

Answer: fluffycat12

What is the flag at the top of the private.pdf file?

Answer: THM{do_not_GET_CAUGHT}

Day 24: You can’t hurt SOC-mas, Mayor Malware!

What is the flag?

Answer: THM{Ligh75on-day54ved}

Ankan Roy