The first 5 tasks only introduce the challenges and the platform, so we will skip them.


Task 6 - Someone’s coming to town!

When you open the website from the challenge and read through the information about the security frameworks, you can solve the puzzles.

Puzzle 1

Reconnaissance -> Weaponisation -> Delivery -> Social Engineering -> Exploitation -> Persistence -> Defence Evasion -> Command & Control

Puzzle 2

Pivoting -> Discovery -> Privilege Escalation -> Execution -> Credential Access -> Lateral Movement

Puzzle 3

Access -> Collection -> Exfiltration -> Impact -> Objectives

Answers

  • Who is the adversary that attacked Santa’s network this year?

    The Bandit Yeti
    
  • What’s the flag that they left behind?

    THM{IT'S A Y3T1 CHR1$TMA$}
    

Task 7 - Santa’s Naughty & Nice Log

Start the machine and SSH into its IP address with the provided credentials.

Answers

  • Use the ls command to list the files present in the current directory. How many log files are present?

    2
    
  • Elf McSkidy managed to capture the logs generated by the web server. What is the name of this log file?

    webserver.log
    
  • On what day was Santa’s naughty and nice list stolen?

    Run

    grep -i "santa" webserver.log

    The list was stolen on 18/Nov/2022, which is a Friday.

    Friday
    
  • What is the IP address of the attacker?

    10.10.249.191
    
  • What is the name of the important list that the attacker stole from Santa?

    santaslist.txt
    
  • Look through the log files for the flag. The format of the flag is: THM{}

    Run

    grep -E -i "thm" SSHD.log
    
    THM{STOLENSANTASLIST}
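As an added example (not part of the original writeup), the same log triage done in Python over a few constructed log lines: it parses Apache combined-format entries, finds the successful download of santaslist.txt, reports the client IP and the weekday of its timestamp, tallies requests per IP so the odd client stands out, and scans SSHD-style lines for a THM{...} token the way grep -E -i does. The log lines and the benign client 10.10.40.12 are constructed; the attacker IP, date, file name and flag are the ones given in the answers above.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in Apache combined log format; not the challenge's real webserver.log.
# 10.10.40.12 is a made-up benign client; the attacker IP, file and date come from the answers.
WEBSERVER_LOG = """\
10.10.40.12 - - [18/Nov/2022:08:12:01 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
10.10.249.191 - - [18/Nov/2022:08:20:11 +0000] "GET /santaslist.txt HTTP/1.1" 200 2048 "-" "curl/7.81.0"
10.10.40.12 - - [18/Nov/2022:09:01:45 +0000] "GET /about.html HTTP/1.1" 200 560 "-" "Mozilla/5.0"
"""

# Constructed SSHD-style lines; the flag string is the one the answer above gives.
SSHD_LOG = """\
Nov 18 08:25:02 sshd[1201]: Accepted password for elf from 10.10.40.12 port 51234 ssh2
Nov 18 08:26:40 sshd[1210]: Failed password for root from 10.10.249.191 port 40022 ssh2
Nov 18 08:27:13 sshd[1215]: THM{STOLENSANTASLIST}
"""

# client IP, bracketed timestamp, request line and status code of a combined-format entry
ACCESS_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
FLAG = re.compile(r"THM\{[^}]*\}", re.IGNORECASE)


def parse_access_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = ACCESS_LINE.match(line)
        if m:
            entry = m.groupdict()
            entry["time"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
            entries.append(entry)
    return entries


def find_theft(entries, filename="santaslist.txt"):
    """Return (client IP, date, weekday) of the first successful (200) request for filename."""
    for e in entries:
        if e["status"] == "200" and e["path"].lower().endswith("/" + filename.lower()):
            return e["ip"], e["time"].strftime("%d/%b/%Y"), e["time"].strftime("%A")
    return None


def requests_by_ip(entries):
    """Count requests per client IP; a lone IP touching a sensitive file stands out."""
    return Counter(e["ip"] for e in entries)


def find_flags(text):
    """Return every THM{...} token in the text, case-insensitively, like grep -E -i."""
    return FLAG.findall(text)


if __name__ == "__main__":
    entries = parse_access_log(WEBSERVER_LOG)
    print("theft:", find_theft(entries))
    print("requests per IP:", dict(requests_by_ip(entries)))
    print("flags in SSHD.log:", find_flags(SSHD_LOG))
```

Running the block prints the theft tuple ("10.10.249.191", "18/Nov/2022", "Friday"), the per-IP counts and the flag; on a real log you would replace the two constants with the file contents.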
    

Task 8 - Nothing escapes detective McRed

Answers

  • What is the name of the Registrar for the domain santagift.shop?

    Search the domain santagift.shop on who.is.

    Namecheap Inc
    
  • Find the website’s source code (repository) on github.com and open the file containing sensitive credentials. Can you find the flag?

    https://github.com/muhammadthm/SantaGiftShop

    {THM_OSINT_WORKS}
    
  • What is the name of the file containing passwords?

    config.php
    
  • What is the name of the QA server associated with the website?

    qa.santagift.shop
    
  • What is the DB_PASSWORD that is being reused between the QA and PROD environments?

    S@nta2022
    

Task 9 - Scanning through the snow

Answers

  • What is the name of the HTTP server running on the remote host?

    Run nmap against the IP; the HTTP server on port 80 is identified as Apache.

    Apache
    
  • What is the name of the service running on port 22 on the QA server?

    ssh
    
  • What flag can you find after successfully accessing the Samba service?

    Connect to the admins Samba share as shown in the tutorial; it contains a flag.txt.

    {THM_SANTA_SMB_SERVER}
    
  • What is the password for the username santahr?

    The admins Samba share also has a list of users and their passwords. Find the password for santahr among them.

    santa25
    

Task 10 - He knows when you’re awake

Answers

  • Use Hydra to find the VNC password of the target with IP address 10.10.101.209. What is the password?

    Run hydra against the IP without a username, since VNC servers do not use one.

    hydra -P /usr/share/wordlists/rockyou.txt 10.10.101.209 vnc -V
    

    Password:

    1q2w3e4r
    
  • Using a VNC client on the AttackBox, connect to the target of IP address 10.10.101.209. What is the flag written on the target’s screen?

    Open Remmina, select the VNC protocol and enter the machine's IP address. Enter the password when connecting, and the following screen is displayed.

    (Screenshot: Task 10 VNC)

    THM{I_SEE_YOUR_SCREEN}
    

Task 11 - It’s beginning to look a lot like phishing

Answers

  • What is the email address of the sender?

    chief.elf@santaclaus.thm
    
  • What is the return address?

    murphy.evident@bandityeti.thm
    
  • On whose behalf was the email sent?

    chief elf
    
  • What is the X-spam score?

    3
    
  • What is hidden in the value of the Message-ID field?

    Base64-decode the Message-ID value.

    AoC2022_Email_Analysis
    
  • Visit the email reputation check website provided in the task. What is the reputation result of the sender’s email address?

    Enter the sender's email address at https://emailrep.io/

    risky
    
  • Check the attachments. What is the filename of the attachment?

    Division_of_labour-Load_share_plan.doc
    
  • What is the hash value of the attachment?

    Run the following command on the email attachment:

    sha256sum Division_of_labour-Load_share_plan.doc
    
    0827bb9a2e7c0628b82256759f0f888ca1abd6a2d903acdb8e44aca6a1a03467
    
  • Visit the Virus Total website and use the hash value to search. Navigate to the behaviour section. What is the second tactic marked in the Mitre ATT&CK section?

    Defense Evasion
    
  • Visit the InQuest website and use the hash value to search. What is the subcategory of the file?

    macro_hunter
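An added example, not from the original writeup, covering the header analysis in this task in Python: it parses a constructed header block, extracts the sender, return address, display name and spam score, flags the sender/return-path domain mismatch, Base64-decodes the local part of the Message-ID, and hashes an attachment with SHA-256 the way sha256sum does. The header names (X-Spam-Score in particular), the subject, the attachment bytes and the domain after the Message-ID's "@" are assumptions; the sender, return address and decoded Message-ID payload match the answers above.

```python
import base64
import hashlib
from email import message_from_string
from email.utils import parseaddr

# Constructed header block, not the challenge's real email. Header names are assumptions
# (X-Spam-Score in particular); sender, return address and Message-ID payload follow the answers.
RAW_EMAIL = """\
Return-Path: <murphy.evident@bandityeti.thm>
From: Chief Elf <chief.elf@santaclaus.thm>
To: elves@santaclaus.thm
Subject: Urgent: Division of labour
Message-ID: <QW9DMjAyMl9FbWFpbF9BbmFseXNpcw==@santaclaus.thm>
X-Spam-Score: 3

Please review the attached plan.
"""

# Stand-in for the attachment bytes; the real .doc is not reproduced here.
SAMPLE_ATTACHMENT = b"constructed attachment contents"


def header_summary(raw):
    """Pull the fields the task asks about and flag a From/Return-Path domain mismatch."""
    msg = message_from_string(raw)
    display_name, sender = parseaddr(msg["From"])
    _, return_addr = parseaddr(msg["Return-Path"])
    return {
        "sender": sender,
        "return_path": return_addr,
        "on_behalf_of": display_name,
        "spam_score": int(msg["X-Spam-Score"]),
        # a bounce address on a different domain than the visible sender is a classic phishing tell
        "domain_mismatch": sender.rsplit("@", 1)[-1] != return_addr.rsplit("@", 1)[-1],
    }


def decode_message_id(message_id):
    """Base64-decode the local part of a Message-ID (text before '@'), tolerating missing padding."""
    local = message_id.strip().strip("<>").split("@", 1)[0]
    local += "=" * (-len(local) % 4)
    return base64.b64decode(local).decode("utf-8", errors="replace")


def sha256_hex(data):
    """Same digest sha256sum prints, for looking the file up on VirusTotal or InQuest."""
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    print(header_summary(RAW_EMAIL))
    print(decode_message_id(message_from_string(RAW_EMAIL)["Message-ID"]))
    print(sha256_hex(SAMPLE_ATTACHMENT))
```

To apply it to a real .eml file, read the file as text into RAW_EMAIL and pass the attachment's bytes (from msg.walk() or the saved file) to sha256_hex; the domain_mismatch flag is the detail worth alerting on, since the visible From and the bounce address rarely diverge in legitimate mail.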