TryHackMe: Advent of Cyber 2022 (Day 3) Nothing escapes detective McRed

3 min readDec 9, 2022


“As the elves are trying to recover the compromised website, elf Recon McRed is trying to figure out how it was compromised in the first place. Can you help him in gathering open-source information against the website?”

Question #1: What is the name of the Registrar for the domain

If you use the website provided to look up WHOIS data, you can see the registrar information:


Question #2: Find the website’s source code (repository) on and open the file containing sensitive credentials. Can you find the flag?

If you use the same search term on Github, you can find the website’s source code repository:

You can open the config.php file in the repo to get the flag:


Question #3: What is the name of the file containing passwords?

In that same file you can see that a bunch of DB passwords are just laying here in plain text:


Question #4: What is the name of the QA server associated with the website?

You can find the answer to that under “Database hostname”.

Question #5: What is the DB_PASSWORD that is being reused between the QA and PROD environments?

Here you can see the QA environment:

And here you can see the PROD environment:

They are both using the same DB_PASSWORD, S@nta2022