TryHackMe: Advent of Cyber 2023 (Day 20) Advent of Frostlings

4 min readDec 28, 2023

“One of the main reasons the Best Festival Company acquired AntarctiCrafts was their excellent automation for building, wrapping, and crafting. Their new automation pipelines make it a much easier, faster, scalable, and effective process. However, someone has tampered with the source control system, and something weird is happening! It’s suspected that McGreedy has impersonated some accounts or teamed up with rogue Frostlings. Who knows what will happen if a malicious user gains access to the pipeline?

In this task, you will explore the concept of poisoned pipeline execution (PPE) in a GitLab CI/CD environment and learn how to protect against it. You will be tasked with identifying and mitigating a potential PPE attack.

A GitLab instance for AntarctiCrafts’ CI/CD automates everything from sending signals and processing Best Festival Company services to building and updating software. However, someone has tampered with the configuration files, and the logs show unusual behaviour. Some suspect the Frostlings have bypassed and gained access to our build processes.”

Q1: What is the handle of the developer responsible for the merge changes?

I started off by logging into their GitLab server.

I then navigated to the merge requests.

If you scroll down into the comments after opening the “Update .gitlab-ci.yml” request, you can see Frostino @BadSecOps has asked for admin permissions to quickly process some things, and that Delf Lead just gave it to them “based on their word”.

Q2: What port is the defaced calendar site server running on?

I went to the jobs section, opened up the first one (#322), looked through the code, and saw that the defaced website was running on port 9081.

Here’s a closer look.

You can verify that by navigating there with your browser.

Q3: What server is the malicious server running on?

You can get this answer from that same screenshot from earlier. It’s not the most intuitive question.

Q4: What message did the Frostlings leave on the defaced site?

Again, we have already found this, it is “Frostlings Rule”.

Q5: What is the commit ID of the original code for the Advent Calendar site?

To find this, search through the commits by the legitimate user, Delf Lead.

You can see the commit ID in the right corner. We can now take this original code and add back into production to fix the defacement.

Open it up, then click on View File in the top right.

On the next page you can copy all the file contents easily.

Go back to the main page and click on “.gitlab-ci.yml”

We are going to edit it by pasting the original code back over the malicious code.

Then we can commit the changes.

You’ll notice that you can now go to the correct port and see the real advent calendar.




CTF writeups to facilitate cyber education and help me earn CPEs