Advent of Cyber 2024

Lab link. Questions 1. What is the flag? mosquitto_pub -h localhost -t “d2FyZXZpbGxl/Y2hyaXN0bWFzbGlnaHRz” -m “on”

Lab link. Questions 1. Crack the hash value stored in hash1.txt. What was the password? To crack a hash, the first step is to identify its type. For this, we use the hash-id tool. This tool analyzes the provided hash and suggests possible hash types, which helps us choose the correct cracking method. Based on the …

Lab link. Questions 1. What is the name of the webshell that was used by Mayor Malware? The Kubernetes cluster is started using Minikube. The output shows that the cluster has been successfully started and configured by default. We check the status of the pods running in the ‘wareville’ namespace. It may be necessary to …

Lab link. Questions 1. What is the function name that downloads and executes files in the WarevilleApp.exe? DownloadAndExecuteFile 2. Once you execute the WarevilleApp.exe, it downloads another binary to the Downloads folder. What is the name of the binary? explorer.exe 3. What domain name is the one from where the file is downloaded after running …

Lab link. Questions 1. What was the first message the payload sent to Mayor Malware’s C2? ip.src == 10.10.229.217 system prompt 2. What was the IP address of the C2 server? 10.10.123.224 3. What was the command sent by the C2 server to the target machine? whoami 4. What was the filename of the critical …

Lab link. Questions 1. What is the OTP flag? If we run the command frida-trace ./TryUnlockMe -i ‘libaocgame.so!*’, it will automatically start tracing all the functions. The penguin is requesting a PIN code, which is handled by the _Z7set_otpi function. The _Z7set_otpi function manages the OTP process. We open the file in Visual Studio Code …

Lab link. Questions 1. What is the technical term for a set of rules and instructions given to a chatbot? system prompt 2. What query should we use if we wanted to get the “status” of the health service from the in-house API? Use the health service with the query: status 3. After achieving a …

Lab link. Questions 1. Extract all the events from the cctv_feed logs. How many logs were captured associated with the successful login? 642 2. What is the Session_id associated with the attacker who deleted the recording? rij5uu4gt204q0d3eb7jj86okt 3. What is the name of the attacker found in the logs, who deleted the CCTV footage?

Lab link. Questions 1. What is the password for backupware that was leaked? az ad user list –filter “startsWith(‘wvusr-‘, displayName)” R3c0v3r_s3cr3ts! 2. What is the group ID of the Secret Recovery Group? 7d96660a-02e1-4112-9515-1762d0cb66b7 3. What is the name of the vault secret? az account clearaz login -u wvusr-backupware@aoc2024.onmicrosoft.com -p R3c0v3r_s3cr3ts! az keyvault list az keyvault …

Lab link. Questions 1. On what day was Glitch_Malware last logged in? Answer format: DD/MM/YYYY 07/11/2024 2. What event ID shows the login of the Glitch_Malware user? 4624 3. Read the PowerShell history of the Administrator account. What was the command that was used to enumerate Active Directory users? notepad “$env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt” Get-ADUser -Filter * -Properties …