TryHackMe Advent of Cyber ’23 Side Quest

Challenge 1 – The Return of the Yeti

The main room is available here.

Finding challenge one

Hey there folks, it’s been a while since I wrote a post (I was quite busy during the holiday season), but fortunately I had time to complete TryHackMe’s AoC Sidequest Challenge 1 😀.

So the basic concept of these challenges is that you first have to find the challenge room itself, as part of the extra tasks during the Advent of Cyber 2023. I managed to find all of them but only had time to complete challenge 1 (though I plan to do the others too).

So how do we get to the first room? As stated in the main Sidequest room, there are four QR code pieces that we have to find; assembled, they give us the link. One of the pieces is given there and the other three have to be located in posts on their social media channels.

Location of the pieces:

  • upper left: at the main challenge page.
  • upper right: discord aoc-2023-side-quest channel pinned message.
  • lower right: Twitter post.
  • lower left: LinkedIn post.

When we place all of these together we get a QR code that gives us the following link. This takes us to challenge 1.

What’s the name of the WiFi network in the PCAP?

This was the easiest one of all the questions. All we had to do was download the file, unzip it, open it with Wireshark and then we could see what the SSID was.

What’s the password to access the WiFi network?

This one was a bit more tricky because I had never had to do anything like this before, but I found a utility designed for exactly this kind of task: aircrack-ng. After trying it I received an error stating that the file type was not correct. A bit of googling revealed that we have a .pcapng file, and aircrack-ng only works with .pcap files. This was not a big deal because I soon found a solution to the problem: we can convert .pcapng files to .pcap files pretty easily.

tshark -F pcap -r {pcapng file} -w {pcap file}

When this was done we could run the tool on the recorded traffic (-a2 selects WPA/WPA2-PSK cracking, -b the target BSSID and -w the wordlist).

aircrack-ng -a2 -b 22:c7:12:c7:e2:35 -w /usr/share/wordlists/rockyou.txt VanSpy.pcap

And soon enough it revealed the password 😀.

Now we have to give Wireshark this password so it can decrypt the wireless traffic. In Wireshark click on Edit => Preferences => Protocols => IEEE 802.11 => Decryption keys and add the password as a wpa-pwd key (in the form password:SSID).

This task shows very well why public Wi-Fi and weak passwords are dangerous 😀

What suspicious tool is used by the attacker to extract a juicy file from the server?

Now this one should not have been as difficult as it was for me. In the previous step we added the password, so some of the communication is now decrypted. This means that we see more protocols, ports in use, conversations, etc.

After a few hours of wondering what they could mean, I figured out that I should look for suspicious ports in use in the communication. This is how I found that something used port 4444. While this is not always the case, Metasploit payloads usually default to port 4444. This was enough for me to start investigating further. In Wireshark, we can filter for a certain port with the tcp.port == 4444 display filter. From there, we right-click one of the packets (choose one a bit lower than the top, to be sure that it is part of a whole stream of communication) and then select Follow -> TCP Stream. This opens up the unencrypted communication between the two hosts, and we can find the name of the tool used there.
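The same "look for unusual ports" idea can be scripted instead of clicked through. The following is an added example (not part of the original write-up) that parses a classic libpcap file with only the Python standard library, counts IPv4/TCP flows, and flags those touching port 4444; it also refuses pcapng input with a hint to convert first, mirroring the aircrack-ng error above. The capture it analyses is constructed in memory, the flagged port set is an assumption, and IP checksums are not validated.

```python
"""Flag TCP flows on ports that default C2 / reverse-shell tooling is known to use
(4444 is the Metasploit default mentioned above) in a classic libpcap file, using
only the Python standard library.  Added example, not part of the original
write-up; the sample capture below is constructed in memory."""
import struct
from collections import Counter

PCAP_MAGIC_LE = 0xA1B2C3D4      # value read with "<I" from a little-endian pcap
PCAP_MAGIC_BE = 0xD4C3B2A1      # value read with "<I" from a big-endian pcap
PCAPNG_MAGIC = 0x0A0D0D0A       # pcapng Section Header Block type (what aircrack-ng rejects)
LINKTYPE_ETHERNET = 1
SUSPICIOUS_PORTS = {4444}       # assumption: the ports this checker flags


def iter_packets(data: bytes):
    """Yield raw frames from a classic pcap; refuse pcapng with a useful message."""
    if len(data) < 24:
        raise ValueError("file too short to be a pcap")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAPNG_MAGIC:
        raise ValueError("pcapng file: convert it with 'tshark -F pcap' first")
    if magic == PCAP_MAGIC_LE:
        end = "<"
    elif magic == PCAP_MAGIC_BE:
        end = ">"
    else:
        raise ValueError("not a libpcap file")
    linktype = struct.unpack(end + "I", data[20:24])[0]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def tcp_flows(data: bytes) -> Counter:
    """Count packets per (src_ip, sport, dst_ip, dport) for IPv4/TCP frames."""
    flows = Counter()
    for frame in iter_packets(data):
        if len(frame) < 14 or frame[12:14] != b"\x08\x00":   # not IPv4
            continue
        ip = frame[14:]
        if len(ip) < 20 or ip[0] >> 4 != 4:
            continue
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6 or len(ip) < ihl + 4:                 # not TCP / truncated
            continue
        src = ".".join(map(str, ip[12:16]))
        dst = ".".join(map(str, ip[16:20]))
        sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
        flows[(src, sport, dst, dport)] += 1
    return flows


def suspicious_flows(data: bytes, ports=SUSPICIOUS_PORTS) -> dict:
    """Flows touching a flagged port on either side: 'tcp.port == 4444' as code."""
    return {f: n for f, n in tcp_flows(data).items() if f[1] in ports or f[3] in ports}


# --- constructed sample capture ------------------------------------------------
def _ipv4_tcp(src, dst, sport, dport, payload=b""):
    """Build a minimal Ethernet/IPv4/TCP frame (checksums left zero; not validated here)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Wrap frames in a little-endian classic pcap file (Ethernet link type)."""
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)


SAMPLE_PCAP = build_pcap([
    _ipv4_tcp("10.0.0.5", "10.0.0.9", 51000, 443),
    _ipv4_tcp("10.0.0.9", "10.0.0.5", 443, 51000),
    _ipv4_tcp("10.0.0.5", "192.168.1.20", 49222, 4444, b"whoami\n"),
    _ipv4_tcp("192.168.1.20", "10.0.0.5", 4444, 49222, b"victim\\svc\n"),
])

if __name__ == "__main__":
    for flow, n in suspicious_flows(SAMPLE_PCAP).items():
        print(f"{flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]}  packets={n}")
```

Port-based hunting is a starting point, not proof: an attacker can pick any port, so the flagged flow still needs the Follow TCP Stream inspection the post describes before drawing conclusions.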

What is the case number assigned by the CyberPolice to the issues reported by McSkidy?

This question was the one I spent the most time on. I had no clue what they meant by a case number (my hunch was that it was probably mentioned inside a communication).

Now, in the previous task, at the very end of the TCP stream we see the following long base64 blob.

This is the base64-encoded version of a .pfx file (a PKCS#12 container holding a certificate and its private key), most probably used to secure an RDP session. Copy-paste it into a file (b64.txt below) and then run the following command.

cat b64.txt | base64 -d > cert.pfx

This decodes the certificate bundle and writes the output to a .pfx file that we can use later.
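Before feeding a blob pulled out of a stream to openssl, it helps to confirm what it actually decodes to. The following is an added example (not part of the original write-up) that carves base64 runs out of the text of a followed TCP stream, decodes each one and classifies it by its leading bytes; a PKCS#12 file is recognised by its outer DER SEQUENCE starting with the version INTEGER 3. The stream text and the fake .pfx in it are constructed, and the magic-byte table is a minimal assumption of what a practitioner might expect to find.

```python
"""Carve base64 blobs out of the text of a followed TCP stream and identify what
they decode to from the leading bytes, so a dumped .pfx (PKCS#12) is recognised
before anyone feeds it to openssl.  Added example, not part of the original
write-up; the stream text below is constructed."""
import base64
import binascii
import re
import textwrap

# runs of base64 quartets, whitespace (line wraps) allowed between them, optional padded tail
B64_RUN = re.compile(r"(?:[A-Za-z0-9+/]{4}\s*){16,}(?:[A-Za-z0-9+/]{2,3}=*)?")


def _der_first_integer(blob: bytes):
    """Value of a one-byte INTEGER directly after the outer DER SEQUENCE header, else None."""
    if len(blob) < 2 or blob[0] != 0x30:
        return None
    n = blob[1]
    i = 2 + ((n & 0x7F) if n & 0x80 else 0)     # skip long-form length bytes
    if blob[i:i + 2] == b"\x02\x01":
        return blob[i + 2]
    return None


def identify(blob: bytes) -> str:
    """Classify a decoded blob by its magic bytes (assumed, minimal table)."""
    if blob.startswith(b"MZ"):
        return "PE executable"
    if blob.startswith(b"\x7fELF"):
        return "ELF executable"
    if blob.startswith(b"-----BEGIN"):
        return "PEM text"
    if blob.startswith(b"\x30"):
        # PFX ::= SEQUENCE { version INTEGER v3(3), authSafe ContentInfo, macData OPTIONAL }
        if _der_first_integer(blob) == 3:
            return "PKCS#12 (.pfx) container"
        return "DER ASN.1 object"
    return "unknown"


def carve(stream_text: str):
    """Return (offset, decoded_length, kind) for every decodable base64 run in the text."""
    found = []
    for m in B64_RUN.finditer(stream_text):
        compact = re.sub(r"\s+", "", m.group(0))
        try:
            blob = base64.b64decode(compact, validate=True)
        except binascii.Error:          # stray alphanumeric run that is not valid base64
            continue
        found.append((m.start(), len(blob), identify(blob)))
    return found


# --- constructed sample ---------------------------------------------------------
def _fake_pfx() -> bytes:
    """Outer SEQUENCE { INTEGER 3, filler }: enough DER to be recognised, not a real key."""
    inner = b"\x02\x01\x03" + b"\x30\x81\xc8" + b"\x00" * 200      # 206 bytes
    return b"\x30\x81" + bytes([len(inner)]) + inner               # 209 bytes total


SAMPLE_STREAM = (
    "whoami\r\nvictim\\svc\r\n"
    "---- BEGIN DUMP ----\r\n"
    + "\r\n".join(textwrap.wrap(base64.b64encode(_fake_pfx()).decode(), 76))
    + "\r\n---- END DUMP ----\r\n"
)

if __name__ == "__main__":
    for off, size, kind in carve(SAMPLE_STREAM):
        print(f"offset {off}: {size} bytes, {kind}")
```

The classifier only looks at the outer structure, which is all that is needed to decide whether `openssl pkcs12` is the right next tool; it does not parse the container's contents.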

The problem is that Wireshark needs a plain .key file to decrypt the RDP communication. It was not really straightforward how to get from the starting point to a working .key file, but after a few hours I found a way. Feed the decoded .pfx (named server_certificate.pfx in the commands below) into openssl:

openssl pkcs12 -in server_certificate.pfx -nocerts -out server_key.pem -nodes

This command extracts the private key from the .pfx into a .pem file (-nocerts skips the certificates, -nodes leaves the key unencrypted). This is still not the format we need, but we are one step closer to the solution.

openssl rsa -in server_key.pem -out server.key

This command rewrites the key as a plain RSA key file, the .key file required to decrypt the RDP communication.

Now we can add the .key file and decrypt the communication in the following way: Edit => Preferences => Protocols => TLS => RSA keys list Edit… => add the key for the server IP with port 3389 and protocol TPKT. (This works only because the session used RSA key exchange; with an (EC)DHE cipher suite the server's private key alone does not let you decrypt the traffic.)

This enables us to follow the TLS stream (the same way as Follow TCP Stream, but selecting TLS); however, this will not take us close to the solution.

As we can see there are some readable parts but this will not give us what we need.

Here I got really stuck, but then I remembered something very important: RDP is NOT text!

What I mean by this is that we do not want to read the text of a flow but rather see the actual session, like a video 😀.

This set me on a new path that took longer than I dare say, but I ended up finding a tool called PyRDP. I followed their instructions to install the tool (I used the virtual environment setup) and then used pyrdp-convert. It is important to note that instead of an ssl.log I used the .key file for decryption, and that I converted not to MP4 but to the format that pyrdp-player can replay. It took me a few tries, but this tool with their exact documentation should work.

Unfortunately, I was not able to recover the video, but the tool also displays what was typed on the keyboard and what was on the clipboard, so I didn’t need it.

What is the content of the yetikey1.txt file?

For this one, just keep going through the replay we recovered in the previous step.

This is also the flag that has to be submitted on the main Sidequest page.

This was Challenge 1 of the Sidequests. I very much enjoyed solving it and hope I can participate next year too!

Having written a few posts now, I realised that I like doing it. I will try solving more THM challenges in the future and maybe write walkthroughs as well. If you have any requests on what tasks to solve next, don’t hesitate to contact me here in the comments or on Twitter! I am also considering creating videos for YouTube on these topics, but I’m not sure about that currently 😀.

Thank you for following along! If you like my content you can check out more of my posts and write-ups here.

Thank you for reading!
Sincerely,
B4D4M.



Comments

2 responses to “TryHackMe Advent of Cyber ’23 Side Quest”

  1. Dhananjay

    flag 2 3 4
    What is the clue for 2 and 3 and 4?
    Which challenge should I dig into?

    1. B4D4M

      Hey there, I assume you are asking how to find the other side-quests.
      For SQ2 you have to do the extra task on Day 6 Memory corruption (this was my favourite, it is a very fun challenge!). For SQ3 do the extra task at Day 11 Active Directory. For SQ4 do the extra task on Day 20 DevSecOps.

      All the best,
      B4D4M
