Vulnerable VM service

CTF Online

Advent Of Cyber

This is a challege put on in December each year at

Day 1

Use Firefox’s Inspector to see the cookies on the network request.

Answer: auth

Just know this, I suppose?

Answer: hexadecimal

Again, just familiarity with computers. The give away is the {"": ""} format.

Answer: json

I changed the username I was using to santa then reencoded it with CyberChef.

Answer: 7b22636f6d70616e79223a22546865204265737420466573746976616c20436f6d70616e79222c2022757365726e616d65223a2273616e7461227d

What flag are you given when the line is fully active?

I used the Firefox console to enter document.cookie="auth=7b22...227d", then reloaded the page. This exposed toggles for the assembly line items.

Answer: THM{MjY0Yzg5NTJmY2Q1NzM1NjBmZWFhYmQy}

Day 2

What string of text needs adding to the URL to get access to the upload page?

The ID is given in the text, but you’re suppose to see that it needs to be assigned to the id query parameter after visiting the site.

Answer: ?id=ODIzODI5MTNiYmYw

What type of file is accepted by the site?

I uploaded shell.jpg.php as suggested by the text.

Answer: image

In which directory are the uploaded files stored?

I just guessed at /uploads/ This is probably in dirbuster’s and rockyou wordlists.

Answer: /uploads/

What is the flag in /var/www/flag.txt?

I visited the reverse shell to get it to trigger, /uploads/shell.jpg.php.

Once the shell opened for me, I ran cat /var/www/flag.txt


Day 3 - Christmas Chaos

What is the flag?

  1. I put the suggested usernames, one line at a time, into user.lst and the passwords, one line at a time, into pass.lst.
  2. I visited the site, enabled javascript, and tried a random username and password. This gave me a web request.
  3. I copied the web request “as cURL” from Firefox and pasted it into a terminal.
  4. I changed curl in the command to ffuf. I removed --compressed and changed --data-raw to -d.
  5. I added -w user.lst:USER and -w pass.lst:PASS to the command. I changed the random username to USER and the random password to PASS.

This gave me a command similar to the following:

ffuf -u 'http://10.10.x.x/login' -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:83.0) Gecko/20100101 Firefox/83.0' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' -H 'Accept-Language: en-US,en;q=0.5' -H 'Content-Type: application/x-www-form-urlencoded' -H 'Origin:' -H 'DNT: 1' -H 'Connection: keep-alive' -H 'Referer:' -H 'Upgrade-Insecure-Requests: 1' -d 'username=USER&password=PASS'

A lot of these headers, -H ... aren’t needed, but don’t hurt.

ffuf gives output like the following:

[Status: 302, Size: 96, Words: 5, Lines: 1]
    * USER: user                                                               
    * PASS: root                                                               

[Status: 302, Size: 96, Words: 5, Lines: 1]
    * USER: root                                                               
    * PASS: 12345                                                              

[Status: 302, Size: 60, Words: 5, Lines: 1]
    * USER: admin                                                              
    * PASS: 12345                                                              

Looking at this output, only one response is a different size, 60 bytes, while the others are 96 bytes. We probably would have seen the Content-Length: 96 value in Firefox if we were paying attention. We can make this prettier in ffuf by using the -fs 96 argument to remove those responses.

Answer: THM{885ffab980e049847516f9d8fe99ad1a}

Day 4 - Santa’s watching

Given a url, what’s the wfuzz command?

I copied the placeholder text into VIM, then lined up my answer underneath to make sure I got the location of everything right.

Answer: wfuzz -c -z file,big.txt

What file is found in the API directory?

I used fuff instead and used the following command:

ffuf -u http://$IP/FUZZ -w /pentest/seclists/Discovery/Web-Content/big.txt

Answer: site-log.php

Fuzz the date parameter, what’s the flag?

I used fuff again.

ffuf -u http://$IP/api/site-log.php?date=FUZZ -w /tmp/aoc/wordlist

Answer: THM{D4t3_AP1}

Day 5 - Someone stole Santa’s gift list!

What’s Santa’s secret login panel?

This question was dumb.

Answer: /santapanel

How many entries?

For the username, enter admin' or 1=1-- to bypass the authentication. Next, use a wildcard % to return all entries.

Answer: 22

What did Paul ask for?

Answer: github ownership

What is the flag?

For the and the last question, sqlmap needed to be run. After failing a few times, I finally figured out the --level needed to be increased from 1 to 2.

sqlmap --cookie="session=eyJhdXRoIjp0cnVlfQ.X9Ahow.rJJ_RbhdlCsnTlwe4oNKWyKma_k" -u http://$IP:8000/santapanel?search=1 --all --level 3

Answer: thmfox{All_I_Want_for_Christmas_Is_You}

What is admin’s password?

This answer was in the output from the previous question.

Answer: EhCNSWzzFP6sc7gB

Day 6 - Be careful with what you wish on a Christmas night

What vulnerability type?

This one was also formatted poorly.

Answer: stored crossite scripting

What query string can be abused?

This was formatted weird. The query parameter was in question.

Answer: q

How many XSS alerts?

Answer: 2

Day 7 - The Grinch Really Did Steal Christmas

I solved some of these with tcpdump.

What IP initiates an ICMP/ping?

I used:

/sbin/tcpdump -r pcap1.pcap icmp


Filter to only see HTTP GET requests

This answer was in the text.

Answer: http.request.method == GET

What is the name of the article that the IP address visited?

I used wireshark for this since it can ungzip the HTTP responses. This question was actually asking about the URL slug, not the <title> of the post.

Answer: reindeer-of-the-week

What password was leaked?

I used wireshark and the filter ‘ftp’.

Answer: plaintext_password_fiasco

What is the name of the protocol that’s encrypted?

I guessed.

Answer: ssh

What is on Elf McSkidy’s wishlist?

After finding the stream with GET /, then use File -> Export Objects -> HTTP, then select the file and extract it.

Answer: Rubber Ducky

Day 8 - What’s Under the Christmas Tree?

When was snort created?

Answer: 1998

What ports are open?

I like to scan with the following command line:

nmap -vv -O -sV --script=vuln,default -vv -p- -oA $IP $IP

Scans sometimes take a long time, so it’s important to use -oA to save the results to files in different formats on disk. Don’t keep scanning the same thing waiting for something new.

Answer: 80,2222,3389

What Linux Distribution?

The answer is in the scan results above.

Answer: Ubuntu

What is the HTTP-TITLE?

The answer is in the scan results above.

Answer: blog

Day 9 - Anyone can be Santa!

Name of Directory that has data accessible by “anonymous” ?

Answer: public

What script gets executed in this directory?

The only script there.


What movie did santa have on his christmas shopping list?

Look at the only line in shoppinglist.txt

Answer: The Polar Express

Contents of /root/flag.txt?

Answer: THM{even_you_can_be_santa}

Day 10 - Don’t be sElfish!

How many users?

Just run enum4linux $IP against the target.

Answer: 3

How many shares?

It’s in the enum4linux results. IPC$ counts as one of the shares.

Answer: 4

Which share doesn’t require a password?

The command I used was:

smbclient -n //$IP/tbfc-santa

Answer: tbfc-santa

What directory was left for santa?

Using ls inside the smbclient command above yields the answer.

Answer: jingle-tunes

Day 11 - The Rogue Gnome

What type of privilege escalation involves using a user account?

The text talks about Horizontal and Vertical escalation.

  • Horizontal: user to user
  • Vertical: user to admin/system

Answer: Vertical

What is the name of the file with the list of users who are in the sudo group?

Technically, this is /etc/groups, but that’s not the right answer here.

Answer: sudoers

What is the contents of /root/flag.txt?

I used find / -perm /6000 -ls 2>/dev/null to find anything with the suid bits set. This could be further refined by only searching for files owned by the root user with -user root and not crossing filesystem boundries with -xdev

Answer: thm{2fb10afe933296592}

Day 12 - Ready, set, elf.

What’s the version number of the web server?

The title of the page has the version.

Answer: 9.0.17

What CVE can be used to create a Meterpreter entry onto the machine?

You have to go to and search for the server type. It’s not in exploitdb so you can’t find it with searchsploit (as of this writting).

Answer: CVE-2019-0232

What are the contents of flag1.txt ?

The vulnerable file is /cgi-bin/elfwhacker.bat.

Answer: thm{whacking_all_the_elves}

Day 13 - Coal for Christmas

What old, deprecated protocol and service is running?

I cheated and looked at the next question.

Answer: telnet

What credential was left for you?

Do what the question says and connect with telnet, the answer is on the screen.

Answer: clauschristmas

What distribution of Linux and version number is this server running?

I use cat /etc/*release.

Answer: ubuntu 12.04

Who got here first?

Again, just do what the question asks.

Answer: grinch

What is the verbatim syntax you can use to compile, taken from the real C source code comments?

This is a dumb question because you have to go through all of the example POCs until you find out the one they want you to use is

Answer: gcc -pthread dirty.c -o dirty -lcrypt

What “new” username was created?

The code has this:

Answer: firefart

What is the MD5 hash output?

Just run touch coal then tree | md5sum. This challenge is harder than it should be.

Answer: 8b16f00dd3b51efadb02c1df7f8427cc