Sercan Azizoğlu's Personal Website
January 4, 2025

Notes from Advent of Cyber 2024 of TryHackMe


TryHackMe Platform

TryHackMe is an excellent learning and training platform with rooms on various subjects that offer hands-on experience. The training technique used in many rooms makes learning more engaging and easier to remember and, most importantly, lets you practise the material while learning it. For instance, while reading about a phishing email analysis platform such as PhishTool, the teaching steps include practical cases that must be done to complete the room. Even though I do not have any affiliation with that platform, I recommend it to anyone who wants to learn more about cybersecurity and get practical experience. It has many free-of-charge rooms, so there is no need to subscribe to start learning.

The Advent of Cyber 2024

Most recently, TryHackMe announced its beginner-friendly “Advent of Cyber 2024” room, which is somewhat competitive for learners. It was split into 24 different topics, and throughout December 2024 a new one became available each day for anyone who wanted to join. I want to share some of the notes and tips I took from the Advent of Cyber 2024 in TryHackMe.

Authors and Creators

Before diving into the details, I’d like to thank every one of the contributors, authors and trainers of the room and walkthrough video creators:

tryhackme, ar33zy, cmnatic, Dex01, timtaylor, munra, hk, strategos, Fontaene, SecurityNomad, am03bam4n, umairalizafar, hadrian3689, melmols, Maxablancas, 1337rce, MartaStrzelec, DrGonz0, arebel, h4sh3m00, l000g1c, rePl4stic, Aashir.Masood, str3g4tt4, and krotovolb.

Notes from the Tasks

1. Operational Security

Certain OPSEC mistakes:

Reusing usernames, email addresses, or account handles across multiple platforms.

Using identifiable metadata in code, documents, or images, which may reveal personal information like device names, GPS coordinates, or timestamps.

Posting publicly on forums or GitHub with details that tie back to their real identity or reveal their location or habits.

Failing to use a VPN or proxy while conducting malicious activities allows law enforcement to track their real IP address.

2. Log Analysis in SIEM

3. Log Analysis

ELK stands for Elasticsearch, Logstash, and Kibana. These are three open-source tools that are commonly used together to collect, store, analyse, and visualise data.

Elastic is a SIEM similar to Splunk. Kibana Query Language (KQL) is used to analyse data in Elastic. Remote code execution, web shell example: in some cases, a vulnerable server may allow code to be executed remotely, or even allow access to a shell through a web page.

4. Atomic Red Team

The Atomic Red Team library is a collection of red team test cases that are mapped to the MITRE ATT&CK framework. The library consists of simple test cases that can be executed by any blue team to test for detection gaps and help close them down. The library also supports automation, where the techniques can be automatically executed. However, it is also possible to execute them manually.

An example Invoke-AtomicTest command for T1566.001 in PowerShell:
PS C:\Users\Administrator> Invoke-AtomicTest T1566.001 -TestNumbers 1

5. XXE (XML External Entity)

Burp Suite can be utilised to intercept and modify web requests.

6. Sandboxes:

(ProgramFilesDir). This path’s presence or absence helps the malware determine whether it’s running in a typical or virtualized environment, like a sandbox. … This directory is often absent on sandboxes or other virtualized environments, which could indicate that the malware is running in a sandbox.

YARA (Yet Another Ridiculous Acronym) rules are used in malware analysis to detect indicators and behaviours.

7. AWS Log Analysis

AWS CloudWatch is a monitoring and observability platform that gives us greater insight into our AWS environment by monitoring applications at multiple levels.

CloudTrail: Actions can be those taken by a user, a role (granted to a user giving them specific permissions) or an AWS service and are recorded as events in AWS CloudTrail.

8. Shellcodes

msfvenom can be used to create a reverse shell.

9. GRC: Governance, Risk, and Compliance

Reserve banks create and impose some regulations on their members to increase their resilience. SWIFT CSP (Customer Security Programme) also serves a similar purpose.

10. Phishing

PhishTool is a sandbox platform for analysing suspicious emails and is a handy tool for digital forensic analysts.

11. Wi-Fi Attacks

Evil twin attack: In this attack, the attacker creates a fake access point that has a similar name to one of your trusted Wi-Fi access points.

Rogue access point: This attack’s objective is similar to that of the evil twin attack. In this attack, the attacker sets up an open Wi-Fi access point near or inside the organisation’s physical premises to make it available to users with good signal strength.

WPS attack: Wi-Fi Protected Setup (WPS) was created to allow users to connect to their Wi-Fi using an 8-digit PIN without remembering complex passwords. However, this 8-digit PIN is vulnerable in some networks due to its insecure configuration.

WPA/WPA2 cracking: Wi-Fi Protected Access (WPA) was created to secure wireless communication. It uses a strong encryption algorithm. However, the security of this protocol is heavily influenced by the length and complexity of the Pre-Shared Key (PSK). While cracking WPA, attackers start by sending de-authentication packets to a legitimate user of the Wi-Fi network. Once the user disconnects, they try to reconnect to the network, and a 4-way handshake with the router takes place during this time. Meanwhile, the attacker turns its adaptor into monitor mode and captures the handshake. After the handshake is captured, the attacker can crack the password by using brute-force or dictionary attacks on the captured handshake file.

12. Web timing attacks

…we can force the web application to perform an unintended action by sending specific inputs.

…a web timing attack means we glean information from a web application by reviewing how long it takes to process our request. By making tiny changes in what we send or how we send it and observing the response time, we can access information we are not authorised to have.
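A defender-side illustration of where such a timing signal comes from, added here as an example and not taken from the room: a login handler that skips password hashing for unknown usernames answers faster for them, while the hardened handler does the same work either way. The user store, salt and function names are constructed for the illustration.

```python
import hashlib
import hmac
import time

ITERATIONS = 100_000
SALT = b"constructed-salt"  # constructed; real systems use a per-user salt

def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, ITERATIONS)

USERS = {"alice": _hash("correct horse")}            # constructed user store
DUMMY_HASH = _hash("placeholder for unknown users")  # never a valid login

def login_leaky(username: str, password: str) -> bool:
    stored = USERS.get(username)
    if stored is None:
        return False  # no hashing: response time reveals "no such user"
    return hmac.compare_digest(_hash(password), stored)

def login_uniform(username: str, password: str) -> bool:
    # Always hash and compare, so known and unknown users cost the same.
    stored = USERS.get(username, DUMMY_HASH)
    matches = hmac.compare_digest(_hash(password), stored)
    return matches and username in USERS

def fastest(fn, username: str, password: str, runs: int = 3) -> float:
    """Best-of-N wall-clock time for one login attempt, in seconds."""
    best = float("inf")
    for _ in range(runs):
        start = time.perf_counter()
        fn(username, password)
        best = min(best, time.perf_counter() - start)
    return best

if __name__ == "__main__":
    for fn in (login_leaky, login_uniform):
        known = fastest(fn, "alice", "wrong")
        unknown = fastest(fn, "mallory", "wrong")
        print(f"{fn.__name__}: known={known * 1000:.1f} ms "
              f"unknown={unknown * 1000:.1f} ms")
```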

Race conditions are a subset of web timing attacks that are even more special. With a race condition attack, we are no longer simply looking to gain access to information but can cause the web application to perform unintended actions on our behalf.

Burp Suite can be used again for those attack techniques.
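The race condition described above comes down to a gap between a check and the action that depends on it. The following added example (not from the room; the Account class and the amounts are constructed) shows a check-then-act withdrawal that several concurrent requests can all pass, next to the version that holds a lock across both steps.

```python
import threading
import time

class Account:
    def __init__(self, balance: int):
        self.balance = balance
        self._lock = threading.Lock()

    def withdraw_racy(self, amount: int) -> bool:
        if self.balance >= amount:       # check
            time.sleep(0.05)             # stands in for database/network latency
            self.balance -= amount       # act, based on a stale check
            return True
        return False

    def withdraw_locked(self, amount: int) -> bool:
        # Check and act happen atomically with respect to other requests.
        with self._lock:
            if self.balance >= amount:
                time.sleep(0.05)
                self.balance -= amount
                return True
            return False

def run_concurrent(method_name: str, requests: int = 5,
                   start: int = 100, amount: int = 100):
    """Fire `requests` simultaneous withdrawals; return (successes, balance)."""
    account = Account(start)
    results = []

    def worker():
        results.append(getattr(account, method_name)(amount))

    threads = [threading.Thread(target=worker) for _ in range(requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results), account.balance

if __name__ == "__main__":
    print("racy  :", run_concurrent("withdraw_racy"))
    print("locked:", run_concurrent("withdraw_locked"))
```

In a real web application the same guarantee usually comes from the database (a transaction with row locking or a conditional update) rather than an in-process lock.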

13. Websockets

WebSockets let your browser and the server keep a constant line of communication open. Once that connection is set up, the client and server can talk back and forth without all the extra requests.

WebSockets are great for live chat apps, real-time games, or any live data feed where you want constant updates. After a quick handshake to get things started, both sides can send messages whenever.

While WebSockets can boost performance, they also come with security risks that developers need to monitor. Since WebSocket connections stay open and active, they can be taken advantage of if the proper security measures aren’t in place. Here are some common vulnerabilities:

Weak Authentication and Authorisation: Unlike regular HTTP, WebSockets don’t have built-in ways to handle user authentication or session validation. If you don’t set these controls up properly, attackers could slip in and get access to sensitive data or mess with the connection.

Message Tampering: WebSockets let data flow back and forth constantly, which means attackers could intercept and change messages if encryption isn’t used. This could allow them to inject harmful commands, perform actions they shouldn’t, or mess with the sent data.

Cross-Site WebSocket Hijacking (CSWSH): This happens when an attacker tricks a user’s browser into opening a WebSocket connection to another site. If successful, the attacker might be able to hijack that connection or access data meant for the legitimate server.

Denial of Service (DoS): Because WebSocket connections stay open, they can be targeted by DoS attacks. An attacker could flood the server with a ton of messages, potentially slowing it down or crashing it altogether.
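For the authentication and CSWSH items above, the server's main control point is the opening handshake. This added example (not from the room) validates an upgrade request before accepting it: it checks the Origin header against an allow-list, requires a valid session cookie, and only then computes the Sec-WebSocket-Accept value defined in RFC 6455. The origin, session id and request builder are constructed for the illustration.

```python
import base64
import hashlib
from http.cookies import SimpleCookie

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"   # fixed value from RFC 6455
ALLOWED_ORIGINS = {"https://app.example.test"}     # constructed allow-list
VALID_SESSIONS = {"constructed-session-id"}        # constructed session store

def parse_headers(raw_request: str) -> dict:
    headers = {}
    for line in raw_request.split("\r\n")[1:]:     # skip the request line
        if not line:
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def accept_key(client_key: str) -> str:
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")

def check_handshake(raw_request: str):
    """Return (status, detail); 101 carries the Sec-WebSocket-Accept value."""
    h = parse_headers(raw_request)
    if h.get("upgrade", "").lower() != "websocket" or "sec-websocket-key" not in h:
        return 400, "not a WebSocket upgrade"
    # CSWSH defence: browsers attach cookies cross-site, so check Origin first.
    if h.get("origin") not in ALLOWED_ORIGINS:
        return 403, "origin not allowed"
    cookie = SimpleCookie(h.get("cookie", ""))
    session = cookie["session"].value if "session" in cookie else None
    if session not in VALID_SESSIONS:
        return 401, "no valid session"
    return 101, accept_key(h["sec-websocket-key"])

def build_request(origin: str, cookie: str = None) -> str:
    """Constructed sample upgrade request (key is the RFC 6455 sample nonce)."""
    lines = ["GET /chat HTTP/1.1", "Host: app.example.test",
             "Upgrade: websocket", "Connection: Upgrade",
             "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==",
             "Sec-WebSocket-Version: 13", f"Origin: {origin}"]
    if cookie:
        lines.append(f"Cookie: {cookie}")
    return "\r\n".join(lines) + "\r\n\r\n"
```

Message tampering is a separate concern: it is addressed by serving the socket over TLS (wss://), not by the handshake checks.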

14. Certificate Mismanagement

Self-signed certificates are used for internal communication purposes.

Public and private keys are necessary for asymmetric encryption, which has benefits against encryption-cracking attacks.

Certificate Authorities issue certificates to platforms; if a CA is breached, it irreversibly loses the trust of customers and users.

15. Active Directory

Common Active Directory Attacks

Golden Ticket Attack: A Golden Ticket attack allows attackers to exploit the Kerberos protocol and impersonate any account on the AD by forging a Ticket Granting Ticket (TGT).

Pass-the-Hash: This type of attack steals the hash of a password and can be used to authenticate to services without needing the actual password. This is possible because the NTLM protocol allows authentication based on password hashes.

Kerberoasting is an attack targeting Kerberos in which the attacker requests service tickets for accounts with Service Principal Names (SPNs), extracts the tickets and password hashes, and then attempts to crack them offline to retrieve the plaintext password.

Pass-the-Ticket: In a Pass-the-Ticket attack, attackers steal Kerberos tickets from a compromised machine and use them to authenticate as the user or service whose ticket was stolen.

Malicious GPOs: Adversaries are known to abuse Group Policy to create persistent, privileged access accounts and distribute and execute malware by setting up policies that mimic software deployment across entire domains. With escalated privileges across the domain, attackers can create GPOs to accomplish goals at scale, including disabling core security software and features such as firewalls, antivirus, security updates, and logging. Additionally, scheduled tasks can be created to execute malicious scripts or exfiltrate data from affected devices across the domain. To mitigate against the exploitation of Group Policy, GPOs need to be regularly audited for unauthorised changes. Strict permissions and procedures for GPO modifications should also be enforced.

Skeleton Key Attack: In a Skeleton Key attack, attackers install a malware backdoor to log into any account using a master password. The legitimate password for each account would remain unchanged, but attackers can bypass it using the skeleton key password.

To get all group policies in PowerShell: PS C:\Users\Administrator> Get-GPO -All

PowerShell command history: “On a Windows Server, this history file is located at %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt”

16. Azure

Azure Key Vault is an Azure service that allows users to securely store and access secrets.

Entra ID is an identity and access management (IAM) service.

Azure Cloud Shell is a browser-based command-line interface that provides developers and IT professionals a convenient and powerful way to manage Azure resources.

17. Log Analysis with Splunk

Splunk is a Security Information and Event Management (SIEM) platform. SIEM platforms can be used to create alert policies for anomalous activities, so that related suspicious activity can be detected using various log sources.

18. Prompt Injection to LLMs

Exploitations of AI (LLMs)

Data Poisoning: As we discussed, an AI model is as good as the data it is trained on. Therefore, if some malicious actor introduces inaccurate or misleading data into the training data of an AI model while the AI is being trained or when it is being fine-tuned, it can lead to inaccurate results.

Sensitive Data Disclosure: If not properly sanitised, AI models can often provide output containing sensitive information such as proprietary information, personally identifiable information (PII), Intellectual property, etc. For example, if a clever prompt is input to an AI chatbot, it may disclose its backend workings or the confidential data it has been trained on.

Prompt Injection: Prompt injection is one of the most commonly used attacks against LLMs and AI chatbots. In this attack, a crafted input is provided to the LLM that overrides its original instructions to get output that is not intended initially, similar to control flow hijack attacks against traditional systems.

Remote code execution can also be a risk for LLM platforms.

19. Game Hacking:

Frida is a powerful instrumentation tool that allows us to analyze, modify, and interact with running applications.

20. Traffic Analysis with Wireshark

Wireshark is a network traffic analyser. It can be used for various purposes, including digital forensics.

21. Reverse Engineering

Disassembling a binary shows the low-level machine instructions the binary will perform (you may know this as assembly). Because the output is translated machine instructions, you can see a detailed view of how the binary will interact with the system at what stage. Tools such as IDA, Ghidra, and GDB can do this.

Decompiling, however, converts the binary into its high-level code, such as C++, C#, etc., making it easier to read. However, this translation can often lose information such as variable names. This method of reverse engineering a binary is useful if you want to get a high-level understanding of the application’s flow.

PEStudio is software designed to investigate potentially malicious files and extract information from them without execution.

ILSpy is a tool to decompile the binary code into different programming languages.

22. Kubernetes DFIR (Digital Forensics and Incident Response)

Kubernetes is a container orchestration system. In Kubernetes, containers run in pods; these pods run on nodes, and a collection of nodes makes up a Kubernetes cluster.

Kubernetes Runtime Security Room in TryHackMe can be found here.

23. Hash Cracking:

John the Ripper is a free and open-source password-cracking tool. It can crack passwords stored in various formats, including hashes, passwords, and encrypted private keys. It can be used to test passwords’ security and recover lost passwords.

24. Communication Protocols: IoT

MQTT stands for Message Queuing Telemetry Transport. It is a protocol very commonly used by IoT devices for communication. It works on a publish/subscribe model, where any client device can publish messages, and other client devices can subscribe to the messages if they are related to a topic of interest. An MQTT broker connects the different clients, publishing and subscribing to messages.

Conclusion

As I mentioned at the beginning, the teaching approach used in those rooms encourages learners to practise, not only to follow or read the materials. I find that teaching technique beneficial for learners in gaining new practical skills. If you want practical experience, the platform includes many free rooms. Lastly, I’d like to thank every contributor for creating that insightful and beginner-friendly room.
