hubertf's Writeup on TryHackMe's Advent of Cyber 2023
Side Quest 1: The Return of the Yeti
Hubert Feyrer, December 2023

Getting into the side quest

  1. Getting into the first side quest was intended to be easy. Each side quest is entered via a QR code, and for the first SQ, four parts of such a QR code needed to be found and put together.
  2. The first part was easy, as it was given on the AoC's webpage itself.
  3. The other three parts of the QR code were spread across social media postings on the many sites where TryHackMe is present, and the postings were all made within a few days of each other.
  4. The second part of the QR code was posted on LinkedIn. Tricky, as there was a second link that was also run through a URL shortener, so it was not that obvious.
  5. After following the link, and also looking at the first part, it was apparent that the QR code parts were probably hosted somewhere around https://assets.tryhackme.com/additional/aoc2023/, which made searching the other social media sites a bit easier - assuming no URL shortener was used there.
  6. Discord was the next site to check. Unfortunately, this required handing over my phone number - not so cool. In the end, I found a posting by Lorestil on November 28th that had the right URL.
  7. Twitter was the last site to check, and looking in the same time frame, there was another relevant posting
  8. with an interesting link.
  9. After that, assembling the four parts of the QR code was easy, even more so with the webpage provided by TryHackMe for that purpose.

  10. With all this together - voilà! - the QR code was scanned and the URL for the first side quest appeared.

Objectives

  1. Before diving right into the first side quest, it helps to look at the information given, and also at what questions need to be answered in the end.
  2. The briefing was given by the Bandit Yeti, with many words and little information as to what exactly to do. A WiFi connection had been sniffed, and a PCAP(NG) file was made available for download.
  3. The questions gave away more: they asked about the WiFi name and access password, a tool used for extracting something from a server, a CyberPolice case number, and the content of a file that is important to the AoC, yetikey1.txt.

Solving the side quest

  1. Finding the WiFi name was easy with Wireshark.
  2. The WiFi was secured with WPA-PSK, so a key / password was needed.
  3. aircrack-ng was started with a list of likely passwords: "aircrack-ng -w /usr/share/dict/wordlist-probable.txt -b 22:c7:12:c7:e2:35 v2.pcap". In no time the password was found. A first success! Then again, the password was easy and obvious.
  4. Looking at the decrypted WiFi dump, there was some lower-layer chatter, followed by a big transfer using the Remote Desktop Protocol, RDP. Encrypted.
  5. So where to get the RDP session's decryption key?
  6. Looking further into the stream, a second connection showed up, and following the TCP stream in Wireshark revealed a PowerShell session. That helped answer the question about the tool that was used to extract the RDP session's key - along with the key itself. Handy!
  7. From here, things started to get interesting: how do you decrypt an RDP session, and - given that it is a graphical session protocol - actually display it?
  8. The answer took some time. Google was asked, several tools were found, tested, and found non-working or even non-building / non-running due to various states of bitrot. Don't we all love Open Source? :-)
  9. There was actually one very good tutorial on how to decrypt and replay RDP, which is basically what led to the next steps.
  10. First the encryption key had to be loaded into Wireshark. For that, the export from the PowerShell session needed to be unpacked - and a password was needed. Practical tip: if you ever come across a certain tool that extracts certificates, try the tool's name as the default password. There is a fine article with more details here, going into the details of base64 & openssl.
  11. Then the Layer-7 data of the RDP session can be extracted from Wireshark; see the above tutorial for details. Note that Wireshark wants the server's unencrypted private key in PEM form, and decrypting with the server key only works because the session used RSA key exchange - with an (EC)DHE cipher suite, the private key alone would not be enough.
  12. The actual tool to show the RDP session was PyRDP. Installation in Docker didn't really work for me, but running it natively on Kali Linux did the job.
  13. The next step was to prepare the Layer-7 PCAP with the encryption key using pyrdp-convert: "pyrdp-convert -s 4491-03-RDP.key -f replay -o x VanSpy-3-ExportPDU-Type-Layer-7.pcap"
  14. Last, the video of the RDP session was played: "pyrdp-player ./x/20231125145052_10.0.0.2\:55510-10.1.1.1\:3389.pyrdp"
  15. As expected, the answer to the question about the CyberPolice case number was easy to spot.

  16. So what about the last question, the yetikey1.txt file? This was not visible in the video. But reading what else happened in the RDP session, events like copying data to the clipboard were also recorded, and there it was!
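Steps 10 and 11 above are the part most people stumble over: the key that was carried over the PowerShell session is a base64-encoded, password-protected PKCS#12 (PFX) blob, and Wireshark wants a plain, unencrypted PEM private key. The following shell script is an added example, not part of this writeup or of any of the tools it mentions. It builds its own throwaway PFX export (so it runs offline; the "toolname" password and the sample certificate are constructed), then shows the decode-and-extract step with openssl, including the check that a wrong password fails instead of silently producing an empty key file.

```shell
#!/bin/sh
# Added example (not from the writeup): turn a base64-encoded PKCS#12 export
# into the unencrypted PEM private key that Wireshark's TLS "RSA keys list"
# expects. Assumes openssl is on PATH; the export password "toolname" and the
# sample certificate below are constructed stand-ins for the real blob.
set -eu

WORK="${TMPDIR:-/tmp}/rdpkey.$$"
mkdir -p "$WORK"

# Constructed sample: a throwaway RSA key and self-signed certificate, wrapped
# into a password-protected PFX and base64-encoded on a single line, the way
# such an export would be pasted out of a remote shell session.
make_sample_export() {
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=sample-rdp-host" \
        -keyout "$WORK/sample.key" -out "$WORK/sample.crt" -days 1 >/dev/null 2>&1
    openssl pkcs12 -export -inkey "$WORK/sample.key" -in "$WORK/sample.crt" \
        -passout "pass:$1" -out "$WORK/sample.pfx"
    openssl base64 -A < "$WORK/sample.pfx" > "$WORK/sample.b64"
    echo "$WORK/sample.b64"
}

# Decode the base64 text (-A: one long line, no 64-column wrapping) and pull
# only the private key out of the PFX, unencrypted (-nodes -nocerts). The
# resulting PEM file is what gets loaded via
# Edit > Preferences > Protocols > TLS > RSA keys list.
extract_rdp_key() {
    b64="$1"; pass="$2"; out="$3"
    openssl base64 -d -A < "$b64" > "$out.pfx"
    # OpenSSL 3 refuses PFX files that use RC2-40 (common in older Windows
    # exports) unless -legacy is given; try the modern path first and fall back.
    openssl pkcs12 -in "$out.pfx" -nodes -nocerts -passin "pass:$pass" -out "$out" 2>/dev/null \
    || openssl pkcs12 -legacy -in "$out.pfx" -nodes -nocerts -passin "pass:$pass" -out "$out"
    # Succeed only if a usable private key actually came out.
    grep -q "PRIVATE KEY" "$out"
}

# A wrong password must fail loudly (MAC verify error) rather than leave an
# empty or missing key file that Wireshark would then silently ignore.
key_extract_fails_with_wrong_pass() {
    ! extract_rdp_key "$1" "definitely-wrong" "$WORK/wrong.pem" 2>/dev/null
}

EXPORT=$(make_sample_export "toolname")
extract_rdp_key "$EXPORT" "toolname" "$WORK/rdp.key" && echo "key written to $WORK/rdp.key"
```

The key file written by extract_rdp_key is the one you hand to Wireshark before exporting the Layer-7 RDP PDUs; if the decrypt attempt fails on a real export, the first thing to check is the -legacy fallback and the password, in that order.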

Summary

  1. aircrack-ng helped to find the WiFi password.
  2. Then Wireshark helped to find the RDP session key.
  3. After that, Unit 42's tutorial gave the direction on how to use PyRDP's pyrdp-convert and pyrdp-player commands to get all the information.
  4. The room's rating was "hard", and that's definitely not overrated. It's easy once all the puzzle parts are in place, but until then, getting all the right pieces into the right places was somewhat of a challenge.

Copyright (c) 2023 Hubert Feyrer
$Id: index.html,v 1.13 2023/12/28 10:44:49 feh39068 Exp $