TryHackMe: Advent of Cyber 2023 (Day 13) To the Pots, Through the Walls
“The proposed merger and suspicious activities have kept all teams busy and engaged. So that the Best Festival Company’s systems are safeguarded in the future against malicious attacks, McSkidy assigns The B Team, led by McHoneyBell, to research and investigate mitigation and proactive security.
The team’s efforts will be channelled into the company’s defensive security process. You are part of the team — a security researcher tasked with gathering information on defence and mitigation efforts.”
Q1: Which security model is being used to analyse the breach and defence strategies?
If you read through the materials for today, you can see that the Diamond Model is being used.
Q2: Which defence capability is used to actively search for signs of malicious activity?
Again, just read through the materials and find that Threat Hunting is used to actively search for signs of malicious activity in an environment.
Q3: What are our main two infrastructure focuses? (Answer format: answer1 and answer2)
Another answer that can be found in the materials: Firewall and Honeypot.
Q4: Which firewall command is used to block traffic?
You would use deny for this. In this example, I have blocked all traffic coming from port 22.
Q5: There is a flag in one of the stories. Can you find it?
I did an nmap scan and found a website on port 8090.
This is not the normal port, obviously. But if you did the exercises for today, you saw that port 8080 was actually turned into a honeypot.
Here is what happens when you visit the site:
And the resulting intrusion detection alert:
At this point I simply scrolled down and read the stories on the real website to find the flag.
This was not the intended solution of today’s room, but the firewall was inactive, so it was not blocking any public traffic to the website when I visited.
It does say, “Your task is to update the firewall rules to expose the website to the public and find a hidden flag.” With it being completely turned off, that website is definitely exposed.
These were the firewall rules that would have been in place if it was active when I visited:
At this point I felt guilty, so I enabled all the rules to solve it the correct way:
And now I was finally blocked from the real webpage:
To fix this, I allowed traffic on port 8090 and regained my access.
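To see why the site went from fully exposed (firewall inactive) to blocked (rules enabled) to reachable again (allow on 8090), here is an added example, not part of the room or this writeup, that models ufw-style first-match rule evaluation with a default-deny incoming policy. The rule set, the "allow 8080" entry for the honeypot and the default policy are assumptions constructed for illustration; it lets you check what a rule set will do before you enable it.

```python
# Added example: a minimal first-match model of ufw-style firewall rules,
# used to check whether a service port stays reachable before enabling the
# firewall. The rule set and default policy below are constructed for this
# illustration and are not the room's real configuration.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    port: Optional[int]    # None matches any port
    proto: str = "any"     # "tcp", "udp" or "any"


def evaluate(rules: List[Rule], port: int, proto: str = "tcp",
             active: bool = True, default: str = "deny") -> str:
    """Return 'allow' or 'deny' for inbound traffic to port/proto.

    As with ufw, rules are checked in order and the first match wins; when
    nothing matches, the default incoming policy applies. An inactive
    firewall passes everything, which is the state the writeup found.
    """
    if not active:
        return "allow"
    for rule in rules:
        if rule.port is not None and rule.port != port:
            continue
        if rule.proto != "any" and rule.proto != proto:
            continue
        return rule.action
    return default


def reachable_ports(rules: List[Rule], ports: List[int],
                    active: bool = True) -> dict:
    """Map each port to the verdict it would get, for a quick pre-enable check."""
    return {p: evaluate(rules, p, active=active) for p in ports}


# Constructed rule set: SSH denied as in Q4, the 8080 honeypot allowed so it
# keeps attracting scanners, and (initially) no rule for the real site on 8090.
ROOM_RULES = [Rule("deny", 22, "tcp"), Rule("allow", 8080, "tcp")]
FIXED_RULES = ROOM_RULES + [Rule("allow", 8090, "tcp")]  # the Q5 fix

if __name__ == "__main__":
    for active in (False, True):
        print(f"active={active}:", reachable_ports(ROOM_RULES, [22, 8080, 8090], active))
    print("after allow 8090:", reachable_ports(FIXED_RULES, [22, 8080, 8090]))
```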
❤