TryHackMe: Advent of Cyber 2 [Day 1] A Christmas Crisis

Room: Advent of Cyber 2

Difficulty: Beginner

“The Best Festival Company’s brand new OpenVPN server has been hacked. This is a crisis!

The attacker has damaged various aspects of the company infrastructure — including using the Christmas Control Centre to shut off the assembly line!

It’s only 24 days until Christmas, and that line has to be operational or there won’t be any presents! You have to hack your way back into Santa’s account (blast that hacker changing the password!) and getting the assembly line up and running again, or Christmas will be ruined!”

  • After giving you the assignment, McSkidy hands you the following dossier of important information for the task. Before reading it, you press the big green “Deploy” button to start the Control Centre, as well as the “Start AttackBox” button at the top of the page *

First things first, pull up the IP address you were assigned in a browser:

Question #1 What is the name of the cookie used for authentication?

To find that, first register for an account with the Christmas Control Center, and then log in:

From here, you can see the authentication cookie by checking out the developer tools. Right-click anywhere on the page and choose Inspect Element.

The cookies can be found in the storage tab:

Here you can see that the name is simply “auth”.

Question #2 In what format is the value of this cookie encoded?

In the value position, you can copy the whole cookie:


Using a Cipher Identifier, like THIS one, you can see that this is stored in Hexadecimal Code.

Question #3 Having decoded the cookie, what format is the data stored in?

I used Cyber Chef to decode it:

For this one, I checked out the hint. It says that the data format is very common and often associated with JavaScript. That pointed towards JSON.

Question #4 What is the value of Santa’s cookie?

To get the value of Santa’s cookie, you just have change your username to “santa” and then turn it back into hexadecimal code. Make sure you are using a lowercase “s”:

Question #5 What is the flag you’re given when the line is fully active?

For this one, head back over to the developer tools. Where you copied the original cookie value from, paste in the new one with Santa’s username, hit enter, and then refresh the page:

You should now have control of the console, where you can switch everything on:

Happy Hacking! ❤

CTF Writeups to facilitate cyber education.