TryHackMe: Advent of Cyber 2023 (Day 12) Sleighing Threats, One Layer at a Time

Samantha
Dec 21, 2023


“With the chaos of the recent merger, the company’s security landscape has turned into the Wild West. Servers and endpoints, once considered fortresses, now resemble neglected outposts on the frontier, vulnerable to any attacker.

As McHoneyBell sifts through the reports, a sense of urgency gnaws at her. “This is a ticking time bomb,” she mutters to herself. It’s clear they need a strategy, and fast.

Determined, McHoneyBell rises from her chair, her mind racing with possibilities. “Time to suit up, team. We’re going deep!” she declares, her tone a blend of resolve and excitement. “Defence in Depth isn’t just a strategy; it’s our lifeline. We’re going to fortify every layer, from the physical servers in the basement to the cloud floating above us. Every byte, every bit.”

In this task, we will be hopping into McHoneyBell’s shoes and exploring how the defence in depth strategy can help strengthen the environment’s overall security posture.”

Q1: What is the default port for Jenkins?

The TryHackMe learning material states that the default port for Jenkins is 8080.

You could also confirm it with an nmap scan of the target.

Q2: What is the password of the user tracy?

Once you have the Jenkins interface open in your browser, head to Manage Jenkins > Script Console, where you can enter scripts intended for admin maintenance tasks.

TryHackMe provides a script you can input here to create a reverse shell:

After you paste it in, don’t press Run yet. Instead, open a new terminal and set up a netcat listener.

Now you can go back and press “Run”.

Go back to your listener and you will have a connection.

After you get in, you will notice that you do not have permission to change into any of the user home directories:

But if you explore around, you will come across a backup script that contains Tracy’s username and password.

Q3: What's the root flag?

The backup script shows that Tracy can log in over SSH, so let’s do that.

This shows that Tracy can run all commands with sudo on the Jenkins host, as if she were an admin.

So just type sudo su and you will become root:

From here you can easily find the flag by navigating to the root directory:

Q4: What is the error message when you login as tracy again and try sudo -l after its removal from the sudoers group?

Next, we can harden the system a bit by removing Tracy from the sudo group.

After that, open a new terminal (don’t close the first one, because it still has admin privileges) and test it out:
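Removing one user from the sudo group fixes the finding in front of you, but a defender also wants to know who else still holds unrestricted sudo, since that right is granted both through group membership and through sudoers rules. The script below is an added example and is not part of the TryHackMe room or its material: it reads an /etc/group-style file and a sudoers-style file (file paths are passed in, so it can be run on copies) and lists every account that ends up with the ALL command set. The sample data in the usage is constructed; the parsing assumes the common one-line sudoers form with host ALL and does not handle aliases, line continuations or sudoers.d.

```shell
#!/bin/sh
# Added example, not from the TryHackMe room: audit which accounts hold unrestricted
# sudo on a Debian/Ubuntu-style host, from the two places it is usually granted:
# membership of the sudo group in /etc/group and "ALL" rules in a sudoers file.
# Every function takes file paths, so it can run against copies or constructed
# samples rather than the live system.

# Print the members of GROUP (default "sudo") from a group file, one per line.
group_members() {
  awk -F: -v grp="${2:-sudo}" '
    $1 == grp && $4 != "" { n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }
  ' "$1"
}

# Print the user or %group named in each sudoers rule that grants the ALL command set,
# e.g. "tracy ALL=(ALL:ALL) ALL" or "%sudo ALL=(ALL:ALL) ALL". Assumes the common
# one-line form with host "ALL"; aliases, line continuations and sudoers.d are not parsed.
sudoers_all_rules() {
  awk '
    /^[[:space:]]*(#|$)/ { next }          # comments, #include lines and blanks
    /^[[:space:]]*Defaults/ { next }        # option lines, not grants
    $2 ~ /^ALL=/ && $NF == "ALL" { print $1 }
  ' "$1"
}

# Resolve %group rules through the group file and print every account that ends up
# with unrestricted sudo, sorted and de-duplicated.
unrestricted_sudo_users() {
  sudoers_all_rules "$2" | while read -r who; do
    case $who in
      %*) group_members "$1" "${who#%}" ;;
      *)  echo "$who" ;;
    esac
  done | sort -u
}

# Usage on a live host (as root): unrestricted_sudo_users /etc/group /etc/sudoers
```

On a Debian/Ubuntu host the removal itself is `deluser tracy sudo` (or `gpasswd -d tracy sudo`). Group changes only apply to new logins, which is why the writeup keeps the first, still-privileged terminal open and tests from a second one.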

Q5: What's the SSH flag?

Using the terminal that still has admin privileges, head over to /etc/ssh and open the sshd_config file. Scroll through it and you will eventually see the flag.

To harden this layer, open the file in a text editor and change the “yes” after PasswordAuthentication to “no”. Make sure you also remove the leading #, so the line is no longer commented out.

This disables password logins over SSH, so an alternative login method must already be in place for admins before you apply it.
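Hand-editing sshd_config is fine on one box, but the edit has a trap: sshd uses the first uncommented occurrence of a directive, and anything after a Match line applies only to that block, so a "PasswordAuthentication no" added at the bottom of the file may change nothing. The script below is an added example, not from the TryHackMe room or from OpenSSH: it reports the value sshd would actually use and rewrites the file so the directive lands where it takes effect. It takes a file path so it can be tried on a copy; the sample lines used to exercise it are constructed.

```shell
#!/bin/sh
# Added example, not from the TryHackMe room: set PasswordAuthentication to "no" in an
# sshd_config file and show the value sshd would really use. Takes a file path, so it
# can be tried on a copy first.

# Print the effective global PasswordAuthentication value in FILE. sshd honours the
# first uncommented occurrence of a directive, and lines after a "Match" block only
# apply to that block, so a directive that merely appears later in the file is not
# enough. No occurrence at all means sshd's default, which is "yes".
sshd_password_auth() {
  awk '
    tolower($1) == "match" { inmatch = 1 }
    !inmatch && tolower($1) == "passwordauthentication" { print tolower($2); found = 1; exit }
    END { if (!found) print "yes" }
  ' "$1"
}

# Rewrite FILE so the first global PasswordAuthentication line (commented or not) reads
# "PasswordAuthentication no", drop any later global duplicates, and if there is none,
# insert the directive before the first Match block (or at the end of the file).
# Per-user settings inside Match blocks are left alone.
sshd_disable_password_auth() {
  awk '
    tolower($1) == "match" && !inmatch {
      inmatch = 1
      if (!done) { print "PasswordAuthentication no"; done = 1 }
    }
    !inmatch && tolower($1) ~ /^#?passwordauthentication$/ {
      if (!done) { print "PasswordAuthentication no"; done = 1 }
      next
    }
    { print }
    END { if (!done) print "PasswordAuthentication no" }
  ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Usage: sshd_harden FILE  -- apply the change, report before/after, fail if not "no".
sshd_harden() {
  before=$(sshd_password_auth "$1")
  sshd_disable_password_auth "$1"
  after=$(sshd_password_auth "$1")
  echo "PasswordAuthentication: $before -> $after"
  [ "$after" = no ]
}
```

On the real host, run it on /etc/ssh/sshd_config as root, validate with `sshd -t`, and only then restart the SSH service, keeping your existing session open until a key-based login from a second session has been confirmed. One more caveat for newer distributions: if the file starts with an `Include` line (Ubuntu ships `Include /etc/ssh/sshd_config.d/*.conf`), a directive in an included file is matched first and wins, so check those files too.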

Q6: What's the Jenkins flag?

Navigate to /var/lib/jenkins and open the config.xml.bak file to find the flag.

To strengthen this layer, open the file in a text editor again and remove the “<!--” comment marker before authorizationStrategy and securityRealm (together with the matching “-->” that closes each comment), so those two elements are no longer commented out.

Before:

After:

Next, delete the existing config.xml and replace it with the corrected file, then restart Jenkins for the changes to take effect.
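Because the fix is "strip the comment markers around two elements", it is easy to remove one `<!--` and forget its `-->`, which leaves Jenkins with an unparseable config.xml after the restart. The script below is an added example and is not part of the TryHackMe room or of Jenkins: it detects whether authorizationStrategy or securityRealm sits inside an XML comment, removes only the markers around those elements, and checks that the file is still well-formed. It assumes the markers sit on the same lines as the opening and closing tags, which is how the commented-out block in the room's config.xml.bak is described; the sample config it is exercised on is constructed.

```shell
#!/bin/sh
# Added example, not part of the TryHackMe room or of Jenkins itself: audit a Jenkins
# config.xml for security elements that sit inside an XML comment, strip the comment
# markers around them, and confirm the result is still well-formed XML.

# Return 0 if "<ELEM" occurs inside a <!-- ... --> comment anywhere in FILE.
# The awk scanner walks each line and toggles comment state at every marker, so
# multi-line comments and several comments on one line are both handled.
jenkins_element_commented() {
  file=$1; elem=$2
  awk -v tag="<$elem" '
    {
      line = $0
      while (line != "") {
        if (incomment) {
          end = index(line, "-->")
          if (end == 0) { if (index(line, tag)) found = 1; break }
          if (index(substr(line, 1, end - 1), tag)) found = 1
          line = substr(line, end + 3); incomment = 0
        } else {
          start = index(line, "<!--")
          if (start == 0) break
          line = substr(line, start + 4); incomment = 1
        }
      }
    }
    END { if (found) exit 0; exit 1 }
  ' "$file"
}

# Remove the <!-- directly before "<ELEM" and the --> directly after "</ELEM>"
# (or after a self-closing "<ELEM .../>"). Assumption: the markers are on the same
# lines as the tags. Unrelated comments are left untouched.
jenkins_uncomment_element() {
  file=$1; elem=$2
  sed -e "s/<!--[[:space:]]*\(<$elem\)/\1/" \
      -e "s#\(</$elem>\)[[:space:]]*-->#\1#" \
      -e "s#\(<$elem[^>]*/>\)[[:space:]]*-->#\1#" "$file" > "$file.tmp" \
    && mv "$file.tmp" "$file"
}

# Return non-zero if FILE is not well-formed XML. Needs xmllint; when it is missing the
# check is skipped with a warning instead of failing.
jenkins_config_wellformed() {
  if command -v xmllint >/dev/null 2>&1; then
    xmllint --noout "$1"
  else
    echo "xmllint not installed; skipping well-formedness check" >&2
  fi
}

# Constructed sample modelled on a config.xml with both security elements commented out.
make_sample_config() {
  cat > "$1" <<'EOF'
<?xml version='1.0' encoding='UTF-8'?>
<hudson>
  <!-- unrelated comment that must survive -->
  <useSecurity>true</useSecurity>
  <!--<authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy">
    <denyAnonymousRead>true</denyAnonymousRead>
  </authorizationStrategy>-->
  <!--<securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>true</disableSignup>
  </securityRealm>-->
</hudson>
EOF
}

# Usage: jenkins_fix_security FILE  -- report, fix and verify both security elements.
jenkins_fix_security() {
  for elem in authorizationStrategy securityRealm; do
    if jenkins_element_commented "$1" "$elem"; then
      echo "$elem is commented out; uncommenting" >&2
      jenkins_uncomment_element "$1" "$elem"
    fi
  done
  jenkins_config_wellformed "$1"
}
```

Run it on a copy of config.xml.bak, confirm it passes the well-formedness check, and only then move the copy into place and restart the Jenkins service (`systemctl restart jenkins` on a systemd host), as the walkthrough does.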

Written by Samantha

CTF writeups to facilitate cyber education and help me earn CPEs

No responses yet