TryHackMe: Advent of Cyber 2023 (Day 8) Have a Holly, Jolly Byte!
“The drama unfolds as the Best Festival Company and AntarctiCrafts merger wraps up! Tracy McGreedy, now a grumpy regional manager, secretly plans sabotage. His sidekick, Van Sprinkles, hesitantly kicks off a cyber attack — but guess what? Van Sprinkles is having second thoughts and helps McSkidy’s team bust McGreedy’s evil scheme!”
For this challenge we will be working with FTK Imager to perform forensic analysis on a malicious USB drive.
Q1: What is the malware C2 server?
I read through the tutorial for setting everything up and then started exploring the contents of the device.
I quickly found a text file which mentioned the server.
Q2: What is the file inside the deleted zip archive?
Q3: What flag is hidden in one of the deleted PNG files?
If you switch to the Hex view and search (Ctrl+F) for THM{, you can find the flag.
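The Ctrl+F search in FTK Imager works because a deleted file's bytes are still on disk until they are overwritten, so its signature and contents can be found with a raw byte scan. The script below is an added example, not part of the original writeup or of FTK Imager, that does the same two things for Q2 and Q3 on a constructed stand-in for a raw image: it carves PNGs by their signature up to the IEND chunk and searches each for a `THM{...}` marker, and it carves zip archives from the local-file header to the end-of-central-directory record so their member names can be listed. The embedded image, the flag value, and the zip member name are all constructed for the example.

```python
import io
import re
import struct
import zipfile
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"      # 8-byte PNG file signature
ZIP_LOCAL = b"PK\x03\x04"            # zip local file header signature
ZIP_EOCD = b"PK\x05\x06"             # zip end-of-central-directory signature
FLAG_RE = re.compile(rb"THM\{[^}]*\}")  # flag format used in the challenge


def png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Encode one PNG chunk: big-endian length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_sample_image(flag: bytes) -> bytes:
    """Constructed stand-in for a raw drive image: zero filler around a PNG
    (with the flag in a tEXt chunk) and a small zip archive."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1 pixel, 8-bit RGB
    raw_scanline = b"\x00" + b"\x00\x00\x00"             # filter byte + one pixel
    png = (PNG_SIG
           + png_chunk(b"IHDR", ihdr)
           + png_chunk(b"tEXt", b"Comment\x00" + flag)
           + png_chunk(b"IDAT", zlib.compress(raw_scanline))
           + png_chunk(b"IEND", b""))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", "constructed zip payload\n")  # constructed member
    filler = b"\x00" * 512
    return filler + png + filler + buf.getvalue() + filler


def carve_pngs(image: bytes) -> list:
    """Carve PNGs by signature; each ends after the IEND type and its 4-byte CRC."""
    found = []
    pos = image.find(PNG_SIG)
    while pos != -1:
        end = image.find(b"IEND", pos)
        if end == -1:
            break                      # truncated file: nothing more to carve
        found.append(image[pos:end + 8])
        pos = image.find(PNG_SIG, end + 8)
    return found


def carve_zips(image: bytes) -> list:
    """Carve zip archives from a local header to the end of the EOCD record
    (22 fixed bytes plus the comment length stored at offset 20)."""
    found = []
    pos = image.find(ZIP_LOCAL)
    while pos != -1:
        eocd = image.find(ZIP_EOCD, pos)
        if eocd == -1:
            break
        comment_len = struct.unpack_from("<H", image, eocd + 20)[0]
        end = eocd + 22 + comment_len
        found.append(image[pos:end])
        pos = image.find(ZIP_LOCAL, end)
    return found


def find_flags(blob: bytes) -> list:
    """Return every THM{...} marker in a byte blob, decoded as text."""
    return [m.decode() for m in FLAG_RE.findall(blob)]


def zip_members(zip_bytes: bytes) -> list:
    """List the member names of a carved zip archive."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.namelist()


def analyse(image: bytes) -> dict:
    """Summarise carved PNGs, flags inside them, and members of carved zips."""
    pngs = carve_pngs(image)
    zips = carve_zips(image)
    return {
        "png_count": len(pngs),
        "flags": [f for p in pngs for f in find_flags(p)],
        "zip_members": [n for z in zips for n in zip_members(z)],
    }


if __name__ == "__main__":
    img = build_sample_image(b"THM{constructed_example_flag}")
    print(analyse(img))
```

On a real image you would read the raw device or `.001`/`.dd` file into the same functions (chunked for large images); signature carving finds deleted files only while their sectors remain unallocated and unoverwritten, and a PNG whose IEND was partly overwritten will be skipped rather than carved.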
Q4: What is the SHA1 hash of the physical drive and forensic image?
Go to File > Verify Drive/Image to get the hash.
❤