TryHackMe: Advent of Cyber 2022 (Day 4) Scanning through the snow

3 min readDec 9, 2022


“During the investigation of the downloaded GitHub repo (OSINT task), elf Recon McRed identified a URL that is probably used by all the elves with admin privileges to add or delete gifts on the Santa website. The website has been pulled down for maintenance, and now Recon McRed is scanning the server to see how it's been compromised. Can you help McRed scan the network and find the reason for the website compromise?”

Question #1: What is the name of the HTTP server running on the remote host?

You can run nmap and see that it is an Apache server.


Question #2: What is the name of the service running on port 22 on the QA server?

Using those same nmap results, you can see that port 22 is running SSH as usual:


Question #3: What flag can you find after successfully accessing the Samba service?

You can also see from the same results that they are using samba. You can get there using your file explorer. That admins folder looks enticing.

  • Username: ubuntu
  • Password: S@nta2022

These are the credentials from yesterday’s OSINT activity:

After you log in you can see “flag.txt”


Question #4: What is the password for the username santahr?

Notice that there is also a “userlist.txt” file in the admins folder. If you open it up you can see more username/password combos.

After finding all this, it’s really not surprising they were hacked. They aren’t even strong passwords, among so many other problems.