Advent of Cyber 2021 — [Day 1] Save The Gifts

“Get started with Cyber Security in 25 days, by learning the basics and completing a new, beginner friendly security exercise every day leading up until Christmas; an advent calendar but with security challenges and not chocolate.”

Room found here: https://tryhackme.com/room/adventofcyber3

If you are interested in the story behind the entire thing, you can read it here:

It’s the eve of 30th November — McSkidy sits in her large office with a cup of hot cocoa, reminiscing over her stressful times at the Best Festival Company. Since her management of the Christmas Monster’s cyber attacks last December, she’d been promoted to Chief Information Security Office (CISO) and has managed to build a world-class security team. She made a promise to never let Christmas get affected by cyber incidents and has done everything in her power to prepare the best festival company for any incidents, and assist Santa in delivering presents globally with no disruptions!

As she grins to herself “After all we’ve done, what could go wrong”, Elf McAssistant runs into her office and gasps “All our security analysts have missed their last shift and no security personnel can be found in the building”. McSkidy jumps out of her chair and spills her hot cocoa all over herself “WHAT”.

She swiftly moves over to the Elf Security Center housing the security personnel and looks over the large area filled with empty desks. Where did everyone go on the eve of the most important time for the Best Festival Company. She rushes over to the desk of the head of her security analyst team, Elf McLeader, and notices the desk is surprisingly clean. For someone so messy, how is his work area completely empty? As she started theorising in her head, she noticed a small piece of paper hidden at the back of the desk behind the screen. As she made sense of what was on the paper, her eyes widened — why did McProfessional book a one-way flight ticket away on this exact day!

Before she had time to make any assumptions, a loud, grumpy voice was resonating across the security center from the internal announcement systems “Grinch Enterprises will never let Christmas succeed. It would be a shame if your world-class security team just suddenly disappeared”

“THIS WAS ALL PLANNED — HOW DID THEY ACCESS OUR INTERNAL SYSTEMS” cried McSkidy. Their intelligence team had prepared for this exact scenario but it didn’t help that the security center was completely empty!

“This needs to stop happening” sighed McSkidy and dragged herself to the office to save Christmas

Please note, tasks are released daily and will vary in difficulty (although will always be aimed at a beginner level)

Let’s get started with Day 1!

Question 1: After finding Santa’s account, what is their position in the company?

Looks like there are a few tabs to choose from in the Inventory Management System. If you choose “Your Activity” you can see your own user profile information:

We need to find Santa’s profile, so I just assumed he would be User 1. You can navigate there by simply changing the user id in the URL:

The Boss!

Question 2: After finding McStocker’s account, what is their position in the company?

Use the same technique and you can find McStocker as User 3:

Build Manager

Question 3: After finding the account responsible for tampering, what is their position in the company?

Moving upwards numerically, you will eventually come to this profile:

It seems the Grinch has been tampering with inventory data.

Mischief Manager

Question 4: What is the received flag when McSkidy fixes the Inventory Management System?

You can fix the inventory system by clicking revert on all the SKU Changes made by the Grinch. Upon doing so, you will be presented with the flag:

THM{AOC_IDOR_2B34BHI3}

That’s all for today. It was a simple challenge to get warmed up for Advent of Cyber. Happy Holidays everyone!

--

--

--

CTF Writeups to facilitate cyber education.

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

How Fidelity Bank employees stole millions from customer accounts?

{UPDATE} Top Bike-Best Motorcycle Stunt Hack Free Resources Generator

Here’s Why You Should Never Give Money to Randos From Dating Apps

Using Transpact for domain escrow? Beware of the extra fees, hiccups, and risks.

What Is Steganography?

Finding One Billion Ghosts

Partnership Notice : UFOSwap

Warning: GG18/20-Based Attack Towards MPC Threshold Signature

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Samantha

Samantha

CTF Writeups to facilitate cyber education.

More from Medium

Yogosha Christmas Challenge 2021

picoCTF: Nice netcat…

Hackthebox — Devzat Walkthrough