TryHackMe — Advent of Cyber 2 — Day 20

Trent Darrow
Dec 22, 2020

Good morning everyone,

Today starts the Blue team exercises/challenges. We will be using PowerShell to view files and contents among a few other things from the reading. Haven’t done much with PowerShell, so hopefully this will be a good learning exercise for me. Anyhow, today’s intro:

“Someone is mischievous at The Best Festival Company. The contents within the stockings have been removed. A clue was left in one of the stockings that hints that the contents have been hidden within Elfstation1. McEager moves quickly and attempts to RDP into the machine. Yikes! He is unable to log in.

Luckily, he has been learning PowerShell, and he can remote into the workstation using PowerShell over SSH.

Task: Use the PowerShell console to navigate throughout the endpoint to find the hidden contents to reveal what was hidden in the stockings.”

Again, like I did in a prior challenge, instead of remoting into the machine and using the remote connection, I will try and download the files because my connection is unstable.

With today’s task, it doesn’t appear that I will be able to do this sadly, as there are hidden files in random directories we need to search for in the filesystem.

Question 1: Search for the first hidden elf file within the Documents folder. Read the contents of this file. What does Elf 1 want?

Once we list the contents of the Documents folder looking for hidden files, we see a few.

If we look at the 2 files, one hidden and one not, notice the difference in filenames.

Question 2: Search on the desktop for a hidden folder that contains the file for Elf 2. Read the contents of this file. What is the name of that movie that Elf 2 wants?

Should be easy enough: navigate to the desktop, look for a hidden folder instead of a file, and read the file in the folder.

Question 3: Search the Windows directory for a hidden folder that contains files for Elf 3. What is the name of the hidden folder?

We searched for hidden folders and looked inside the folders for anything related to Elf 3, but had no luck. Had to get a little hint from the challenge info for this one. Built out the string to use, got into the Windows folder and let it run for a while.

Get-ChildItem -Directory -Hidden -Recurse -Filter '*3*' -ErrorAction SilentlyContinue

We got our hidden folder. Let’s take a look inside.

Question 4: How many words does the first file contain?

All we need to do is a Measure-Object piped in from a Get-Content (cat).

Question 5: What 2 words are at index 551 and 6991 in the first file?

Well, that one is easy enough using indexes with Get-Content.

Question 6: This is only half the answer. Search in the 2nd file for the phrase from the previous question to get the full answer. What does Elf 3 want?

We can just search the 2nd text file for the string. I had to play around with it at first, then realized after some syntax issues that there are no spaces in the file, which made life easier for me.

Select-String -Path '2.txt' -Pattern 'Redryder' -AllMatches
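The steps above, run end to end against a throwaway directory tree (an added example, not part of the original post or the TryHackMe room). All paths, file names and file contents are constructed, and it assumes PowerShell running on Windows, where the Hidden file attribute applies:

```powershell
# Constructed sandbox under %TEMP%; nothing here comes from the challenge VM.
$root = Join-Path $env:TEMP 'hidden-demo'
Remove-Item $root -Recurse -Force -ErrorAction SilentlyContinue
New-Item -ItemType Directory -Path "$root\Documents", "$root\Desktop\stash", "$root\Windows\sub\folder3" | Out-Null

Set-Content "$root\Documents\visible.txt" 'nothing to see'
Set-Content "$root\Documents\note.txt"    'constructed hidden note'
Set-Content "$root\Desktop\stash\wish.txt" 'constructed wish'
# 1.txt holds one word per line, so a line index is also a word index.
Set-Content "$root\Windows\sub\folder3\1.txt" ('alpha', 'bravo', 'charlie', 'delta')
# 2.txt has no spaces between words, like the file described in the post.
Set-Content "$root\Windows\sub\folder3\2.txt" 'xxbravodeltayy'

# Mark one file and two folders as hidden.
foreach ($p in "$root\Documents\note.txt", "$root\Desktop\stash", "$root\Windows\sub\folder3") {
    $item = Get-Item $p -Force
    $item.Attributes = $item.Attributes -bor [IO.FileAttributes]::Hidden
}

# A default listing omits hidden items; -Hidden returns only them; -Force returns both.
Get-ChildItem "$root\Documents" | Select-Object Name
Get-ChildItem "$root\Documents" -File -Hidden | Select-Object Name, Attributes

# Hidden folder on the desktop: list it, then read whatever it contains.
Get-ChildItem "$root\Desktop" -Directory -Hidden | Get-ChildItem -Force | Get-Content

# Recursive search for a hidden folder by name pattern, ignoring access-denied errors.
$dir = Get-ChildItem "$root\Windows" -Directory -Hidden -Recurse -Filter '*3*' -ErrorAction SilentlyContinue
$dir.FullName

# Word count of the first file.
$first = Join-Path $dir.FullName '1.txt'
(Get-Content $first | Measure-Object -Word).Words

# Get-Content returns an array of lines, so [n] selects line n (zero-based), not word n.
$lines  = Get-Content $first
$phrase = $lines[1] + $lines[3]

# Search the second file for the joined phrase. -Pattern is a regex by default;
# add -SimpleMatch when the phrase should be taken literally.
Select-String -Path (Join-Path $dir.FullName '2.txt') -Pattern $phrase -AllMatches

Remove-Item $root -Recurse -Force
```

The same `-Hidden` and `-Force` switches are what make these listings useful during triage, since a plain `Get-ChildItem` or `dir` will not show files an intruder has flagged as hidden.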

As usual, I’ll consider this the flag and leave that last portion up to you to find it. Besides the utter crap connection on my end or the VM itself being slow, it was taking near 2 seconds for the end to respond to my typing. This was a good learning experience for me.

As always, best of luck. If you enjoy my content, feel free to add me on LinkedIn and let me know you saw the blog.

Until next time,

-3lduderino
