TryHackMe: Advent of Cyber 2 [Day 7] The Grinch Really Did Steal Christmas

Jan 20, 2021


Room: Advent of Cyber 2

Difficulty: Beginner

It’s 6 AM and Elf McSkidy is clocking-in to The Best Festival Company’s SOC headquarters to begin his watch over TBFC’s infrastructure. After logging in, Elf McEager proceeds to read through emails left by Elf McSkidy during the nightshift.

More automatic scanning alerts, oh look, another APT group. It feels like it’s going to be a long, but easy start to the week for Elf McEager.

Whilst clearing the backlog of emails, Elf McEager reads the following: “URGENT: Data exfiltration detected on TBFC-WEB-01”. “Uh oh” goes Elf McEager. “TBFC-WEB-01? That’s Santa’s webserver! Who has the motive to steal data from there?!”. It’s time for the ever-vigilant Elf McEager to prove his salt and find out exactly what happened.

Unbeknownst to Elf McEager, Elf McSkidy made this all up! Fortunately, this isn’t a real attack — but a training exercise created ahead of Elf McEager’s performance review.

Question #1 Open "pcap1.pcap" in Wireshark. What is the IP address that initiates an ICMP/ping?

We are changing pace today with a networking challenge. Download the file provided and open up pcap1 in Wireshark.

From there, filter the requests by the ICMP protocol:

That first source address is what we are looking for.

Question #2 If we only wanted to see HTTP GET requests in our "pcap1.pcap" file, what filter would we use?

Use the following:

Question #3 Now apply this filter to "pcap1.pcap" in Wireshark, what is the name of the article that the IP address "" visited?

If you check down near the bottom, you will see a post named “reindeer-of-the-week” was visited.

Question #4 Let's begin analysing "pcap2.pcap". Look at the captured FTP traffic; what password was leaked during the login process? There's a lot of irrelevant data here - Using a filter here would be useful!

Start by using a filter to just focus on the FTP (Port 21) traffic:

If you look a bit more closely, you will see someone tried Elf McSkidy’s password, plaintext_password_fiasco.
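To show why that password is readable at all, here is an added example (not part of the original writeup or the room's material): a small Python parser that walks a classic pcap file and pulls the USER and PASS lines out of traffic sent to TCP port 21. The capture it reads is constructed inline, and `build_pcap`, `ftp_credentials` and the sample credentials are names made up for the illustration.

```python
import struct

def build_pcap(packets):
    """Constructed sample: wrap (dst_port, payload) pairs in Ethernet/IPv4/TCP
    frames inside a classic little-endian pcap file."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # 1 = Ethernet
    for i, (dport, data) in enumerate(packets):
        tcp = struct.pack("!HHIIBBHHH", 40000, dport, i, 0, 5 << 4, 0x18, 8192, 0, 0)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(data), i, 0, 64, 6, 0,
                         bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9]))
        frame = bytes(12) + b"\x08\x00" + ip + tcp + data
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return out

def ftp_credentials(pcap):
    """Return [(command, argument)] for every USER/PASS line sent to TCP port 21."""
    if struct.unpack_from("<I", pcap, 0)[0] != 0xA1B2C3D4:
        raise ValueError("only classic little-endian pcap is handled here")
    found, off = [], 24                              # skip the 24-byte global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from("<I", pcap, off + 8)[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                 # not IPv4/TCP
        ihl = (frame[14] & 0x0F) * 4                 # IPv4 header length in bytes
        ip_end = 14 + struct.unpack_from("!H", frame, 16)[0]  # drops Ethernet padding
        tcp = 14 + ihl
        if len(frame) < tcp + 20 or struct.unpack_from("!H", frame, tcp + 2)[0] != 21:
            continue                                 # keep only the FTP control port
        payload = frame[tcp + (frame[tcp + 12] >> 4) * 4:ip_end]
        for line in payload.split(b"\r\n"):
            cmd, _, arg = line.partition(b" ")
            if cmd.upper() in (b"USER", b"PASS"):
                found.append((cmd.upper().decode(), arg.decode("ascii", "replace")))
    return found

# Constructed traffic, not taken from the room's pcap2.pcap.
SAMPLE = build_pcap([
    (21, b"USER elf_example\r\n"),
    (21, b"PASS constructed-secret\r\n"),
    (80, b"PASS not-ftp-traffic\r\n"),
    (21, b"SYST\r\n"),
])

if __name__ == "__main__":
    for cmd, arg in ftp_credentials(SAMPLE):
        print(cmd, arg)
```

Nothing is decrypted or guessed here: FTP sends the login as plain text lines, so anyone who can capture the traffic can read it.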

Question #5 Continuing with our analysis of "pcap2.pcap", what is the name of the protocol that is encrypted?

Looking at the traffic, you will see some SSH traffic at the very top that is plainly encrypted:

Question #6 Analyse “pcap3.pcap” and recover Christmas! What is on Elf McSkidy’s wishlist that will be used to replace Elf McEager?

Looking through the packets, you will see a file called “” was transferred.

In order to retrieve it, go up to the top and choose to export HTTP objects:

From here, you can highlight the object you want and save it as “” on your own computer:

After extracting, you will see multiple files included:

There’s a lot to go through here. A picture of a Christmas tree:

A confidential PDF document about “Operation Arctic Storm”:

A selfie of Santa:

A TryHackMe graphic for Advent of Christmas:

A TryHackMe logo:

And then finally, Elf McSkidy’s wishlist:

Looks like he wants a “Rubber ducky” to replace Elf McEager! Rude!

Happy Hacking! ❤



