TryHackMe: Advent of Cyber [Day 3] Evil Elf

Room: Advent of Cyber

Difficulty: Beginner

“An Elf-ministrator, has a network capture file from a computer and needs help to figure out what went on! Are you able to help?”

This challenge starts out by providing a small .pcap file for download, which can then be opened using Wireshark.

Wireshark is a popular network protocol analyzer. If you don’t already have it (and you certainly should), you can download it HERE.

Question #1: What’s the destination IP on packet number 998?

The first question is rather easy. To find the answer, simply make sure that the packets are sorted by number, then scroll down to find #998.

Question #2: What item is on the Christmas list?

To find this answer, let’s sort the packets by protocol. We are looking to see if any unencrypted protocols were used, so that hopefully we can read some data in plain text.

Here at the bottom I notice that Telnet was used to transfer some data. Telnet is definitely not secure. Let’s right-click on one of the packets, click Follow, then click TCP Stream.

This will open up the stream of data associated with those packets.

Wow, looks like we just uncovered a lot of information. At the top, we can see that the user remotely executed some commands over Telnet. They used echo to write something to a text file called christmas_list.txt, which is exactly what we are looking for.

After that, it appears that they used the cat command to show the contents of the /etc/shadow file. This file stores the password hashes and password-aging settings for the user accounts on a Linux system. This all looks interesting, so let’s copy and paste the whole thing into a text editor for later use.

Question #3: Crack buddy’s password!

Going over all of the information we just found, we can see there is a user named “buddy” on the system. Next to buddy’s username there is a password hash that we can crack using a tool like Hashcat on Linux.

We will also need to make sure we have a wordlist to help Hashcat. A wordlist is just a very long list of plain text words; a password cracker hashes each word in turn and checks whether the result matches your password hash. A very popular wordlist is called rockyou.txt, which can be downloaded HERE.

Before we let Hashcat start cracking, we need to find out exactly what type of hash this is so that we can set the mode. This link HERE has a list of all the different types of hash modes that Hashcat can handle.

Notice the hash we collected starts with $6.


We can look through the link provided to see if we can find any hash examples that look the same.

A short ways down we see that the hash appears to be sha512crypt, which is mode 1800.

Create a text file on your Linux machine and title it something like “hash.txt”. This is where Hashcat will go to grab your hash.


Copy and paste just the bold portion of the hash above into the “hash.txt” file you just made, and hit save.

Run this command: hashcat -m 1800 <hash file location> <wordlist file location>
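
The mode lookup described above can also be done programmatically. The following is an added example, not part of the original writeup: it parses shadow-format lines, reads the crypt scheme identifier after the first $, and maps it to the matching Hashcat mode. The sample entries and the function names are constructed for illustration and do not come from the challenge capture.

```python
# Added example: classify /etc/shadow entries by their crypt(3) scheme prefix.
# The sample lines are constructed placeholders, not data from the challenge capture.

# crypt(3) identifier -> (scheme name, Hashcat -m mode)
SCHEMES = {
    "1": ("md5crypt", 500),
    "5": ("sha256crypt", 7400),
    "6": ("sha512crypt", 1800),
    "2a": ("bcrypt", 3200),
    "2b": ("bcrypt", 3200),
    "2y": ("bcrypt", 3200),
}

SAMPLE_SHADOW = """\
root:*:18171:0:99999:7:::
daemon:!:18171:0:99999:7:::
buddy:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASHPLACEHOLDER:18233:0:99999:7:::
legacy:$1$CONSTRUCTEDSALT$CONSTRUCTEDHASHPLACEHOLDER:18233:0:99999:7:::
"""

def parse_shadow_line(line):
    """Describe one shadow entry; return None for blank or malformed lines."""
    fields = line.strip().split(":")
    if len(fields) < 2 or not fields[0]:
        return None
    user, pw = fields[0], fields[1]
    entry = {"user": user, "status": "hash", "hash": None, "scheme": None, "mode": None}
    if pw == "":
        entry["status"] = "empty"       # account has no password set
    elif pw[0] in "!*":
        entry["status"] = "locked"      # password login disabled
    else:
        entry["hash"] = pw              # the whole second field is the hash string
        parts = pw.split("$")
        ident = parts[1] if pw.startswith("$") and len(parts) >= 4 else None
        entry["scheme"], entry["mode"] = SCHEMES.get(ident, ("unknown", None))
    return entry

def classify(shadow_text):
    """Parse every line and return the entries that parsed."""
    parsed = (parse_shadow_line(l) for l in shadow_text.splitlines())
    return [e for e in parsed if e is not None]

if __name__ == "__main__":
    for e in classify(SAMPLE_SHADOW):
        print(e["user"], e["status"], e["scheme"], e["mode"])
```

Entries marked "locked" or "empty" carry no usable hash, and an md5crypt result on a real system is a sign that the password hashing configuration is overdue for an upgrade.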


Hashcat will then work her magic. It’s usually pretty fast, but sometimes it may take a little while. Your output will look something like this:

That’s it! We successfully helped Elf-ministrator!

I hope you had some fun and learned a few things, especially NOT TO USE TELNET if you have other options.

Happy Hacking! ❤


