Advent of Cyber and the TryHackMe Side Quest

December 28, 2024 The world is full of magic things, patiently waiting for our senses to grow sharper

A few years ago, I discovered TryHackMe, and it completely changed how I approached learning cybersecurity. The platform breaks down complex topics in a way that’s easy to understand and combines that with hands-on labs that simulate real-world scenarios. It doesn’t just focus on “hacking” either—there’s training for blue team strategies, reverse engineering, web application security, cryptography, OSINT, penetration testing, IoT security, malware analysis, and more. It’s one of the best tools I’ve come across for building practical skills in this field.

What really hooked me was how TryHackMe gamifies learning. I remember dedicating over three months of daily training to earn the coveted 90-day streak flame. That gamification was what kept me coming back every day—it made learning challenging topics feel fun and rewarding.

This December, I decided to jump back in and participate in their annual Advent of Cyber event. It’s a 24-day challenge where participants solve a new cybersecurity task each day, often inspired by real-world scenarios. This year, they added a bonus “hard mode” called the Side Quest, which involved finding four hidden keycards scattered throughout the main event. Naturally, I couldn’t resist giving it a try.

Finding the L1 Keycard

The first keycard, L1, was hidden in the challenges from Days 1 to 4. Here’s how I tracked it down:

Day 1’s Clues: The task centered around a malicious YouTube-to-MP3 converter site created by an attacker named “Mayor Malware.” The main event provided a starting point: a GitHub user linked to the attack. However, no other details were given. Using OSINT techniques, I explored the first GitHub user’s activity and noticed they had interacted with a second user. Digging into this second user’s repositories, I found one that contained source code for a Command-and-Control (C2) server.
Investigating the Code: The second user’s repository included default admin credentials and a Flask secret key used for signing session cookies. By comparing this repository with Mayor Malware’s forked version, I discovered an oversight: while the admin credentials had been updated, the original secret key had been left unchanged.
Exploiting the Oversight: Using the Flask secret key and a Python tool called flask-unsign, I generated an admin session cookie. After injecting the cookie into the browser, I gained admin access to the C2 server.
Finding the Keycard: With admin access, I navigated the server’s dashboard and data pages, uncovering sensitive stolen user data. Among this data was the L1 keycard and its password: vK5RMlvkGO3QlLU.
Unlocking the Side Quest ZIP File: Using the keycard’s password, I extracted the Side Quest ZIP file, which contained a packet capture (PCAP) file for the first Side Quest task.

The entire process was a reminder of how important it is to methodically investigate every angle. It was a great mix of OSINT, web application security, and even some cryptographic concepts like cookie forgery.

Progress and Reflections

After analyzing the packet capture from the ZIP file, I’ve managed to uncover two of the four answers needed to complete the first task. The remaining two answers are still a work in progress, but just finding the L1 keycard was a rush. It’s moments like these that remind me why I’m so passionate about cybersecurity. The thrill of the hunt and the satisfaction of piecing together clues make all the effort worthwhile.

Since completing the Advent of Cyber, I’ve been diving into other training on TryHackMe, including several one-off capture-the-flag challenges. A few years ago, my 90-day streak put me in the top 6% of TryHackMe users. Over time, I had fallen out of the top 10% and hovered somewhere around the 15-20% range (TryHackMe only shows exact rankings for users in the top 10%). Recently, though, I’ve climbed back into the top 6%, and I’m proud of that progress.

Cybersecurity is a constant challenge, and the field often feels like an uphill battle, but platforms like TryHackMe make the learning process rewarding. Whether you’re just starting out or looking to hone advanced skills, I can’t recommend it enough.

Vigilance in Action: How I Managed a Critical Security Incident in a Healthcare Setting

July 3, 2024 The world is full of magic things, patiently waiting for our senses to grow sharper

Facing a critical cybersecurity breach within a healthcare environment, I took immediate action to secure a network vulnerable to serious threats. This post details my journey through isolating threats, fortifying defenses, and enhancing protocols to protect sensitive patient data against future risks.

3CX Supply Chain Attack - My first experience on the front lines

April 15, 2023 The world is full of magic things, patiently waiting for our senses to grow sharper

A few weeks ago, I witnessed a significant cybersecurity incident: the 3CX Supply Chain attack. 3CX is a global communications software provider that offers voice and video calling solutions for businesses and has a substantial customer base, with more than 600,000 customers and 12 million users in 190 countries. While I won't divulge specific details about my company or job title, I was responsible for monitoring the infection across multiple organizations and delving into the issue when SentinelOne EDR alerts first emerged. This experience taught me valuable lessons about the importance of behavioral-based detection versus signature-based detection, and how to critically evaluate alerts when trying to determine if they are false or true positives.

The first SentinelOne alert I observed was at 11:30 PM ET on March 23, 2023. It not only detected the issue but also took decisive action, killing and quarantining all instances of the 3CXDesktopApp.exe process. Almost a week later, CrowdStrike made their initial attribution in a reddit post on /r/crowdstrike at 11:13 AM ET on March 29, 2023. In contrast, Microsoft Defender, which relies on virus definitions, only began taking action against the malicious version of the 3CX Desktop App around 7 PM ET on March 29, 2023.

The 3CX Supply Chain attack affected both Windows and macOS systems, underscoring the growing sophistication of cyber threats and the vital need for strong security measures. As an IT professional, this incident made me more vigilant in differentiating between false positives and true positives when examining alerts. Supply chain attacks, such as this one, can infiltrate trusted update procedures and exploit the established trust of the original, approved applications, as demonstrated by the infected builds of the 3CX Desktop App.

In this case, the compromised 3CX Desktop App was even signed by 3CX, which is usually an indication that an alert might be a false positive, especially if you're familiar with the process and trust the publisher. This experience further emphasized the value of behavioral-based detection solutions like SentinelOne, which can identify and respond to previously unknown threats by examining process behavior, system activities, and other patterns that might indicate a cyberattack. Recognizing the exact nature of supply chain attacks and how they can exploit the trust in established applications has reinforced my resolve to ensure robust security measures are in place and to be more discerning when evaluating alerts for potential threats.

The attack was initially linked to North Korean state-sponsored threat actors, specifically Lazarus or one of its subgroups, by Kaspersky and CrowdStrike. It appeared that the primary target was cryptocurrency companies, which is not surprising given North Korea's history of stealing large amounts of cryptocurrency to fund its objectives. The attackers compromised 3CX systems to push malware to its 600,000 customers. While the initial malware may have reached many of these customers, the more sophisticated secondary payload was only delivered to a select few victims of interest.

The events that unfolded during this incident emphasized the increasing prevalence of supply chain attacks in today's cybersecurity landscape. By exploiting trusted supply chains to distribute malicious payloads, attackers are underscoring the necessity for organizations to be consistently vigilant and frequently assess the security postures of their partners.

This entire ordeal served as a valuable learning experience, highlighting the advantages of behavioral-based detection, the ongoing need for vigilance in IT security, and the importance of a meticulous evaluation process when responding to alerts for potential threats. As cybersecurity threats continue to evolve and supply chain attacks gain prominence, it becomes increasingly crucial for IT professionals to stay informed, adapt to emerging challenges, and implement state-of-the-art security solutions to protect their clients' systems and data. For additional information, I have included a video and a link to an article below.

January 25, 2023 The world is full of magic things, patiently waiting for our senses to grow sharper

Recently I’ve been delving into cryptography in my free time. One of the things specifically I’ve been practicing, decoding encoded strings/scripts, ended up coming up at work. A cybersecurity researcher and teacher posted an encoded message without any context on twitter a few weeks ago that I was able to decode. The plaintext message was a url to his website with a coupon code to get one of his courses for free. I wasn’t really interested in his course I just took it as a personal challenge; I don’t even follow the guy.

So I learned a few things in the process of decoding that message. Here is the message:

This particular string is triple encoded with base 58. There are a few tools out there you can use for situations like this but the best one I have found is Cyber Chef. Feature rich but light weight enough to run in html.

So fast forward to a week later and I run into some malware at work. A lot of what I currently do in terms of cybersecurity is review antivirus alerts, 85% of which are false positives. I won’t go into too many details but I ran across an encoded powershell script which I’m not sure I’ve seen many times before. This was at least the first time I recognized it with any degree of understanding and curiosity. For the most part it just looks like a wall of text when you see the encoded string. Later on I’ll explore what can and can’t be done with encoding in powershell but for now, here is the plaintext, decoded from base 64:

If you have the plaintext in a notepad on a Windows machine with antivirus installed it will immediately detect it as a threat and try to quarantine it, just the text of the command! The plaintext script itself is pretty advanced and it’s full purpose isn’t immediately clear. As best I can tell it's fetching a powershell payload on internet, decrypting it $R $IV $K and executing it | IEX Pretty interesting stuff.