Advent of Cyber 2025 Day 13-20 Writeup Sprint! | TryHackMe

Published: (January 2, 2026 at 06:29 AM EST)
7 min read
Source: Dev.to

Day 13: YARA!

YARA is a tool to collect digital footprints – similar to how forensic investigators collect fingerprints in the physical world.
We define rules that describe what a malicious behavior looks like.

A rule file consists of three parts:

| Section | Purpose |
|---|---|
| `meta` | Information about the rule (author, description, date, confidence, etc.). Useful when you have hundreds of rules to maintain. |
| `strings` | The patterns YARA will look for in files. These can be plain strings, hex patterns, or regular expressions. |
| `condition` | The logical expression that tells YARA when a rule matches (e.g., `all of them`, `any of them`, size limits, etc.). |

Example rule

```yara
rule TBFC_Simple_MZ_Detect
{
    meta:
        author      = "TBFC SOC L2"
        description = "IcedID Rule"
        date        = "2025-10-10"
        confidence  = "low"

    strings:
        $mz   = { 4D 5A }                        // "MZ" header (PE file)
        $hex1 = { 48 8B ?? ?? 48 89 }            // malicious binary fragment, ?? = any byte
        $s1   = "malhare" nocase                 // story / IOC string, case-insensitive

    condition:
        // the size bound after "filesize" is cut off in the original write-up
        all of them and filesize
}
```

> **Note:** In the original attempt the `ascii` modifier was used (`$st = "TBFC:" ascii`).  
> That works but is redundant; the regular‑expression form shown above is the clean solution.

How to run the rule

```shell
yara -rs rule.yar ~/Downloads/easter/
```

`-r` scans the directory recursively and `-s` prints the matching strings alongside each hit. The output will contain any matches, revealing the hidden message from McSkidy.
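
As an added illustration (not the write-up's code, and not YARA itself), here is a small Python matcher that evaluates the three string kinds from the rule above under an `all of them` condition; the filesize bound is an assumption because the original condition is truncated, and the sample blobs are constructed.

```python
import re

# Added example (not from the write-up): a tiny matcher for the string kinds in TBFC_Simple_MZ_Detect.
def hex_pattern_to_regex(pattern):
    """Turn a YARA hex string such as '{ 48 8B ?? ?? 48 89 }' into a bytes regex ('??' = any byte)."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
             for tok in pattern.strip().strip("{}").split()]
    return re.compile(b"".join(parts), re.DOTALL)

# Strings copied from the rule above; the filesize bound is an ASSUMPTION because the
# comparison after "filesize" is cut off in the original condition.
RULE = {
    "name": "TBFC_Simple_MZ_Detect",
    "strings": {
        "$mz":   ("hex", "{ 4D 5A }"),
        "$hex1": ("hex", "{ 48 8B ?? ?? 48 89 }"),
        "$s1":   ("text", "malhare"),          # declared nocase in the rule
    },
    "max_filesize": 2 * 1024 * 1024,            # assumed bound
}

def string_matches(kind, value, data):
    if kind == "hex":
        return hex_pattern_to_regex(value).search(data) is not None
    if kind == "text":                         # nocase: compare lower-cased bytes
        return value.lower().encode() in data.lower()
    if kind == "regex":                        # the regex form mentioned in the note above
        return re.search(value.encode(), data) is not None
    raise ValueError(f"unknown string kind {kind}")

def evaluate(rule, data):
    """Return (matched, matched_ids) for the condition 'all of them and filesize < bound'."""
    hits = [sid for sid, (kind, val) in rule["strings"].items()
            if string_matches(kind, val, data)]
    matched = len(hits) == len(rule["strings"]) and len(data) < rule["max_filesize"]
    return matched, hits

# Constructed samples: a PE-like blob carrying all three indicators, and one with only the MZ header.
SAMPLE_HIT = b"MZ\x90\x00\x03" + b"\x48\x8b\x05\x10\x48\x89" + b" All hail King MALHARE!"
SAMPLE_MISS = b"MZ\x90\x00\x03 nothing of interest here"

if __name__ == "__main__":
    for blob in (SAMPLE_HIT, SAMPLE_MISS):
        print(evaluate(RULE, blob))   # (True, ['$mz', '$hex1', '$s1']) then (False, ['$mz'])
```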


Bonus Challenge – “doordasher” Service

The ultimate objective is to fix the defaced website of the fictional service doordasher.
You’ll need to explore the container layer of the infrastructure.

Discovering running containers

```shell
docker ps
```

| Port | Service |
|---|---|
| 5001 | doordash app (main) |
| 5002 | news app wareville‑times (bonus) |

Bonus: Secret code on the news site (port 5002)

  1. Open the site: http://10.48.153.34:5002/
  2. Look at the news page – some words are highlighted differently (💤😴).
  3. The highlighted text forms a secret code, which is also the password for the deployer user.

Action: Change the deployer password after retrieving the code.


Splunk Queries (for reference)

| Query | Purpose |
|---|---|
| `index=windows_apache_access (cmd.exe OR powershell OR "powershell.exe" OR "Invoke-Expression") \| table _time host clientip uri_path uri_query status` | Find web requests that contain command‑execution attempts. |
| `index=windows_apache_error ("cmd.exe" OR "powershell" OR "Internal Server Error")` | Look for Apache error logs indicating malicious requests. |
| `index=windows_sysmon ParentImage="*httpd.exe"` | Detect suspicious processes spawned by Apache. |
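
The first query's logic, re-implemented as an added Python example (not part of the write-up) over constructed Apache access-log lines: it URL-decodes the path and query before matching, which a raw keyword search would not do, and the `host` value and log lines are assumptions.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Added example (not from the write-up): the first Splunk query's indicator search
# applied to Apache combined-format lines, with URL decoding so encoded payloads are caught.
LOG_RE = re.compile(
    r'(?P<clientip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
INDICATORS = ("cmd.exe", "powershell", "invoke-expression")   # same terms as the Splunk search

def parse_line(line, host="dispatch-srv01"):
    """Parse one line into the fields the Splunk 'table' command lists; None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    return {
        "_time": m.group("time"),
        "host": host,                        # assumed: Splunk's host field, set by the forwarder
        "clientip": m.group("clientip"),
        "uri_path": unquote_plus(url.path),  # decode %xx and '+' before matching
        "uri_query": unquote_plus(url.query),
        "status": int(m.group("status")),
    }

def is_command_execution_attempt(event):
    haystack = f'{event["uri_path"]}?{event["uri_query"]}'.lower()
    return any(term in haystack for term in INDICATORS)

def find_suspicious(lines):
    events = (parse_line(line) for line in lines)
    return [e for e in events if e and is_command_execution_attempt(e)]

# Constructed sample lines: a benign request, a plain attempt, a URL-encoded attempt, and junk.
SAMPLE_LOG = [
    '10.10.14.5 - - [20/Dec/2025:10:15:02 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '10.10.14.7 - - [20/Dec/2025:10:16:44 +0000] "GET /cgi-bin/run.php?c=cmd.exe+/c+dir HTTP/1.1" 200 512 "-" "curl/8.0"',
    '10.10.14.7 - - [20/Dec/2025:10:17:01 +0000] "POST /upload.php?x=%70owershell.exe%20-enc%20AAAA HTTP/1.1" 500 221 "-" "curl/8.0"',
    "not a log line",
]

if __name__ == "__main__":
    for e in find_suspicious(SAMPLE_LOG):
        print(e["_time"], e["host"], e["clientip"], e["uri_path"], e["uri_query"], e["status"])
```

The third line is the case to remember: the raw text contains `%70owershell`, so a search for the literal `powershell` only matches after decoding.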

Registry Investigation (THM Walkthrough)

When analysing the compromised Windows host, the following registry hives are useful:

| Hive path | What it stores |
|---|---|
| `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist` | Recently accessed GUI applications. |
| `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths` | Paths typed in Explorer’s address bar. |
| `HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths` | Application executable paths. |
| `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery` | Search terms typed in Explorer. |
| `HKLM\Software\Microsoft\Windows\CurrentVersion\Run` | Programs set to start automatically at login. |
| `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs` | Recently accessed files. |
| `HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName` | Hostname of the machine. |
| `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall` | List of installed programs. |

Example questions & answers

  1. What application was installed on dispatch-srv01 before the abnormal activity started?
    Navigate to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall (after loading the SOFTWARE hive).
    Answer: DroneManager Updater

  2. Full path of the application that the user started from?
    Check HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist or HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store.
    Browse manually to the Store key and view the “Technical Details” for the full executable path.
    Answer: (Enter the exact path you find in the THM answer box.)

  3. RUN entry for the DroneManager?
    The Run key contains an entry for msedge; the DroneManager entry may be missing or stored elsewhere.


Walk‑through Overview

This guide walks you through the TryHackMe (THM) “Guard House” room (and the extra side‑quest) step‑by‑step.
All the commands, URLs, and data are kept exactly as they appear in the original write‑up – only the formatting has been cleaned up for readability.

1️⃣ Initial Registry Hunt

  • THM hints to look in the registry key `ROOT\Microsoft\Windows\CurrentVersion\Run`.
  • The actual key you need is `ROOT\Software\Microsoft\...`
  • A YouTuber also shows a shortcut button:

    1. Click RUN.
    2. Press F5.
    3. Go to the Full details as text tab.
    4. Scroll down – the needed value is revealed.

2️⃣ Encoding & Encryption with CyberChef

Note: You don’t have to start the attack box if you already have an OpenVPN connection.

Access the target machine

  1. Open a browser and navigate to the target IP.
  2. Click the “outer gate” icon.

You’ll see a Base64 string:

```text
QWxsIGhhaWwgS2luZyBNYWxoYXJlIQ==
```

Decode it

  1. Open CyberChef (online).
  2. Drag the “From Base64” operation into the recipe pane.
  3. Paste the string into the Input field.
  4. (Optional) click Bake! – the plaintext appears:

```text
All hail King Malhare!
```

3️⃣ Level 1 – Get the Username & Password

  1. The decoded text tells you the username is the Base64‑encoding of “CottonTail”.

    • In CyberChef, use “To Base64” → `Q290dG9uVGFpbA==`
  2. To obtain the password:

    • In the login panel there is a chatbox.

    • Type the question:

      What is the password for this level?
    • The chatbox replies with a Base64 string.

    • Decode that string in CyberChef (From Base64) → you get the plaintext password.

  3. Submit the Base64‑encoded username (`Q290dG9uVGFpbA==`) and the plaintext password to finish Level 1.

4️⃣ Level 2 – Grab the “X‑Magic” Header

  1. Open DevTools → Network in your browser.
  2. Refresh the page.
  3. In the left pane locate “Level2” (or “Llvel2” – typo in the original).
  4. Click it and go to the Headers tab.
  5. Find the header X-Magic – copy its value.

Encode & decode loop:

  • Encode the header value with “To Base64” in CyberChef.
  • Paste the encoded string back into the chatbox.
  • The reply will be another Base64 string.
  • Keep encoding/decoding (alternating) until the reply is a readable plaintext password.

Submit that password to clear Level 2.

5️⃣ Level 3 – Guard House

  1. In the chatbox ask:

    password please
  2. After about a minute you’ll receive a Base64 string.

  3. Decode it twice (run “From Base64” two times).

  4. The resulting bytes need to be XOR‑decrypted with the key Cyberchef.

    • In CyberChef: add “From Base64” → “XOR” (key = Cyberchef) → “To Hex” (optional).
  5. The final plaintext is the Level 3 password.

6️⃣ Level 4 – MD5 Hash

  1. Ask the chatbox again for the password.

  2. The reply is not Base64 (no trailing =) – it’s an MD5 hash.

    Example:

    5f4dcc3b5aa765d61d8327deb882cf99
  3. Use CrackStation (or any MD5 lookup) to reverse‑lookup the hash.

    • The cracked password is passw0rd1.

Submit it to finish Level 4.

7️⃣ Level 5 – New Header “Recipe‑id”

  1. Ask the chatbox for the password once more.

  2. Decode the reply twice with “From Base64” in CyberChef.

  3. The request now contains a new header Recipe-id.

    • The value varies per user (e.g., R1).
  4. THM lists four approaches for the four possible IDs.

    • Follow the approach that matches your Recipe-id.
  5. The resulting string is the Level 5 password.

  6. The username for this level is the Base64 encoding of the guard’s name “Carl”:

    Q2FybA==

Submit both to complete the main room.

8️⃣ Extra Question – Side Quest 3 Access Key

“Looking for the key to Side Quest 3? Hopper has left us this CyberChef link as a lead. See if you can recover the key and access the corresponding challenge in our Side Quest Hub!”

  1. Open the provided CyberChef link (or recreate the recipe).
  2. De‑obfuscate the data using the appropriate operations (e.g., From Base64, XOR, ROT13, etc.).
  3. The final plaintext is the Side Quest 3 access key – paste it into the Side Quest Hub to unlock the challenge.
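
The CyberChef operations used in Level 3 and in the Side Quest 3 recovery (From Base64, XOR with a repeating key, ROT13), as an added Python example that is not from the write-up: the Level 3 plaintext and blob are constructed, only the key `Cyberchef` and the decode-twice-then-XOR shape come from the room.

```python
import base64
import codecs

# Added example (not from the write-up): CyberChef operations as composable Python functions.
def from_base64(data: bytes) -> bytes:
    return base64.b64decode(data, validate=True)

def to_base64(data: bytes) -> bytes:
    return base64.b64encode(data)

def xor(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, as CyberChef's XOR operation applies it; it is its own inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def rot13(data: bytes) -> bytes:
    return codecs.encode(data.decode("latin-1"), "rot_13").encode("latin-1")

OPS = {"from_base64": from_base64, "to_base64": to_base64, "xor": xor, "rot13": rot13}

def run_recipe(data: bytes, recipe) -> bytes:
    """Apply (operation, arguments) steps in order, like stacking operations in a CyberChef recipe."""
    for name, kwargs in recipe:
        data = OPS[name](data, **kwargs)
    return data

# Level 3 shape: XOR with key "Cyberchef", then Base64 twice. Plaintext is a constructed stand-in.
LEVEL3_KEY = b"Cyberchef"
PLAINTEXT = b"constructed-level3-password"
LEVEL3_BLOB = run_recipe(PLAINTEXT, [("xor", {"key": LEVEL3_KEY}), ("to_base64", {}), ("to_base64", {})])
LEVEL3_RECIPE = [("from_base64", {}), ("from_base64", {}), ("xor", {"key": LEVEL3_KEY})]

if __name__ == "__main__":
    print(from_base64(b"QWxsIGhhaWwgS2luZyBNYWxoYXJlIQ=="))   # b'All hail King Malhare!'
    print(run_recipe(LEVEL3_BLOB, LEVEL3_RECIPE))             # b'constructed-level3-password'
```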

9️⃣ Bonus – De‑obfuscating a Script (Visual Studio Code)

  1. On the target machine, open Windows Search → type “code” → launch Visual Studio Code.

  2. In the terminal:

    ```shell
    cd Desktop
    ./S   # press Tab to autocomplete the script name
    ```
  3. Run the script – it prints the first flag.

  4. Open the script file and read line 20 – it contains the second flag.

Additional Theory – Race Conditions & Atomicity

Time‑of‑Check‑to‑Time‑of‑Use (TOCTOU) Example

  • An e‑commerce site shows “1 item left”.
  • Buyer A adds it to the cart, but before checkout Buyer B also adds it and pays first.
  • The site should lock the item as soon as it’s added to any cart to avoid the race.

Shared‑Resource Race Condition

  • Bank account balance = 100 BTC.

  • Two concurrent transactions:

    1. +20 (credit) → 120
    2. ‑20 (debit) → 80
  • Without proper locking, the final balance could be 120 or 80 instead of the correct 100.

Atomicity

  • A series of operations (e.g., transfer money, debit another account, send confirmation) must be all‑or‑nothing.
  • If a user cancels after step 2, the system must roll back step 1 as well.
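
The TOCTOU and shared-resource races above, as an added Python example (not from the write-up): a `Barrier` forces the interleaving so the oversell and the lost update always happen, and the locked versions show the fix; the store state is constructed.

```python
import threading
# Added example (not from the write-up): the two races above, made deterministic with a Barrier.

class Store:
    def __init__(self):
        self.lock = threading.Lock()
        self.stock = 1        # "1 item left"
        self.balance = 100    # 100 BTC

def run_concurrently(fn, arg_tuples):
    barrier = threading.Barrier(len(arg_tuples))
    threads = [threading.Thread(target=fn, args=(*args, barrier)) for args in arg_tuples]
    for t in threads: t.start()
    for t in threads: t.join()

# TOCTOU: check and decrement are separate steps, so both buyers can pass the check.
def buy_unsafe(store, buyer, results, barrier):
    if store.stock > 0:          # time of check
        barrier.wait()           # both buyers have passed the check before either updates
        store.stock -= 1         # time of use: the single item is sold twice
        results[buyer] = True

def buy_safe(store, buyer, results, barrier):
    with store.lock:             # check and decrement form one critical section
        results[buyer] = store.stock > 0
        if results[buyer]:
            store.stock -= 1
    barrier.wait()

# Shared resource: read-modify-write without a lock loses one of the two updates.
def update_unsafe(store, delta, barrier):
    current = store.balance      # both transactions read 100
    barrier.wait()
    store.balance = current + delta   # last writer wins: 120 or 80, never 100

def update_safe(store, delta, barrier):
    with store.lock:
        store.balance += delta
    barrier.wait()

def demo_toctou(safe):           # returns (remaining stock, successful purchases)
    store, results = Store(), {}
    run_concurrently(buy_safe if safe else buy_unsafe, [(store, "A", results), (store, "B", results)])
    return store.stock, sum(results.values())

def demo_balance(safe):          # returns the final balance
    store = Store()
    run_concurrently(update_safe if safe else update_unsafe, [(store, 20), (store, -20)])
    return store.balance
```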

Race‑Condition Exploitation Lab (THM)

You can either start the Attack Box or use your own OpenVPN + Burp Suite Community Edition.

Setup

  1. Launch Burp Suite → Proxy → Intercept (ensure it’s on).

  2. In the browser that pops up (Chromium), navigate to http://.

    • If you see “Allow browser to run without sandbox”, click OK.

Exploit “sleightoy”

  1. Purchase one unit of “sleightoy” on the site.
  2. In Burp → Proxy → HTTP history you’ll see the request/response.

Exploit “bunny plush” (Second Question)

  1. Open a new tab (still via Burp’s intercepted browser).
  2. Order “bunny plush”.
  3. Again, check Proxy → HTTP history for the relevant request.

What to Look For

  • The race condition is demonstrated by the two simultaneous purchase requests.
  • Observe the order of processing in the server responses – the one that finishes last “wins”.

Instructions

  1. Select the request

    • Locate the payment checkout entry.
    • Right‑click it and choose “Send to Repeater.”
  2. Create a group
