THM - Advent of Cyber 2022 - Day 7
Difficulty:
Challenge Link
OS: Linux
Q: What is the version of CyberChef found in the attached VM?
We start by launching the machine. Once in the machine we can open the browser and see that CyberChef is bookmarked; it's a local installation. The version is shown in the top left. We could also have found it by looking in the Downloads folder, where the CyberChef archive is named with its version.
Answer
9.49.0
Q: How many recipes were used to extract URLs from the malicious doc?
Following the steps through the module, which was quite interesting, we can count the operations added to the recipe to get the number used.
Answer
10
Q: We found a URL that was downloading a suspicious file; what is the name of that malware?
The first link is the initial malware download. The question wants the original malware name, not the defanged version, so remove the [] from the name (refang it).
Answer
mysterygift.exe
Q: What is the last defanged URL of the bandityeti domain found in the last step?
The last link shown is what's being asked for, in its defanged form. If you followed the module steps you will see it.
Answer
hxxps[://]cdn[.]bandityeti[.]THM/files/index/
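The defang/refang step behind the last two questions (strip the [] to get the real file name, and present URLs in the hxxp / [.] form when reporting) is the same substitution CyberChef's "Defang URL" operation applies. The script below is an added example for this writeup, not code from the room or from CyberChef: it pulls live and defanged URLs out of a constructed block of text, refangs them to get the file name, and defangs them again for a report. The sample text and the example.invalid domain are constructed placeholders; the bandityeti URL is the one from the answer above.

```python
"""Extract, refang and defang URLs the way the Day 7 CyberChef recipe does.

Added example for this writeup; not part of the TryHackMe room or CyberChef.
SAMPLE_TEXT is constructed and example.invalid is a placeholder domain.
"""
from __future__ import annotations

import re

# Constructed sample: the kind of output a URL-extraction recipe yields,
# with some URLs already defanged and some still live.
SAMPLE_TEXT = """\
IoC list (constructed for this example):
 - hxxp[://]example[.]invalid/drop/mysterygift[.]exe
 - https://cdn.bandityeti.THM/files/index/
 - see also http://example.invalid/landing.html for the decoy page
"""

# Matches both live (http://) and defanged (hxxp[://]) URLs.
URL_RE = re.compile(r"\b(?:https?|hxxps?)(?:://|\[://\])[^\s\"'<>]+", re.IGNORECASE)


def defang(url: str) -> str:
    """Same substitutions as CyberChef's "Defang URL": http->hxxp, ://->[://], .->[.]"""
    url = re.sub(r"^http", "hxxp", url, flags=re.IGNORECASE)
    url = url.replace("://", "[://]")
    return url.replace(".", "[.]")


def refang(url: str) -> str:
    """Undo defang(): the live URL needed for a blocklist or a sandbox."""
    url = re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)
    url = url.replace("[://]", "://")
    return url.replace("[.]", ".")


def extract_urls(text: str) -> list[str]:
    """Every live or defanged URL in order of appearance, duplicates removed."""
    seen: set[str] = set()
    out: list[str] = []
    for m in URL_RE.finditer(text):
        u = m.group(0).rstrip(".,;)")
        if u not in seen:
            seen.add(u)
            out.append(u)
    return out


def filename_of(url: str) -> str:
    """Basename of the (refanged) URL path; '' when the path ends in '/'."""
    rest = refang(url).partition("://")[2]
    rest = rest.split("?", 1)[0].split("#", 1)[0]
    if "/" not in rest:
        return ""
    return rest.rsplit("/", 1)[-1]


def triage(text: str) -> list[dict]:
    """One row per URL: the live form, the defanged form for the report, the file name."""
    rows = []
    for u in extract_urls(text):
        live = refang(u)
        rows.append({"live": live, "defanged": defang(live), "file": filename_of(live)})
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_TEXT):
        print(f"{row['defanged']:60} file={row['file'] or '-'}")
```

Run it as-is and the middle row prints `hxxps[://]cdn[.]bandityeti[.]THM/files/index/`, the defanged form asked for above, while the first row's `file` column is the refanged `mysterygift.exe`. Defanging `://` before `.` matters: doing it the other way round would turn `://` into `[:][/]...` and `refang` would no longer round-trip.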
Q: What is the ticket found in one of the domains? (Format: Domain/
See the second-to-last URL in the output.
Answer
THM_MYSTERY_FLAG