TryHackMe || Advent of Cyber 2023 Day 8: Have a Holly, Jolly Byte! || WalkThrough

TheCyberWarrior
3 min readDec 9, 2023

--

Day 8 Logo

Today’s task involves ‘Digital Forensics’ and the backdrop of today’s task is McGreedy, a grumpy regional manager, who secretly plans sabotage along with her sidekick and tries a sabotage using USB drives loaded with malware. An employee finds one in the parking and plugs it into her office laptop, inadvertently ending up unleashing a digital disaster crafted by the vengeful McGreedy.

But the sidekick of McGreedy felt guilty and sent a mail about the same to McSkidy. Now, we will find evidence to prove McGreedy guilty.

We will use the FTK Imager tool to find evidence, of this cybercrime, against McGreedy.

We will start the machine by clicking Start Machine. When the machine boots up, click on ‘FTK Imager’ and wait for a few seconds. When FTK Imager opens up, click on File > Add Evidence Item>Physical Drive and then select ‘\\PHYSICALDRIVE2 — Microsoft Virtual Disk [1GB SCSI]’ from the dropdown box. To verify the Drive, we will click File > Verify Drive/Image, and then the app will start verifying the USB drive.

What is the malware C2 server?

Hint: Double-click on the ‘DO_NOT_OPEN’ folder, and double-click on the ‘secretchat.txt’ file. On the bottom right pane, you will see the content of the file and there you find the answer.

Answer: mcgreedysecretc2.thm

Answer of Q1 : mcgreedysecretc2.thm

What is the file inside the deleted zip archive?

Hint: Double-click on the ‘DO_NOT_OPEN’ folder, and double-click on the ‘JuicyTomaTOY.zip’ file. On the bottom left pane, you will see the file.

Answer: JuicyTomaTOY.exe

Answer of Q2 : JuicyTomaTOY.exe

What flag is hidden in one of the deleted PNG files?

Hint: Select the Physical Drive and move to Hex preview mode(Bottom Right). Click in the Hex preview and click ‘Ctrl + F’ and type ‘THM{’, and you will get the answer.

Answer: THM{byt3-L3vel_@n4Lys15}

Answer of Q4: THM{byt3-L3vel_@n4Lys15}

What is the SHA1 hash of the physical drive and forensic image?

Hint: To verify the Drive, we will click File > Verify Drive/Image, and then the app will start verifying the USB drive. Then, a dialogue box will appear, it contains the SHA1 value for the image.

Answer: 39f2dea6ffb43bf80d80f19d122076b3682773c2

Answer of Q5: 39f2dea6ffb43bf80d80f19d122076b3682773c2

If you find this blog helpful, follow me on LinkedIn: https://www.linkedin.com/in/-prashantkumar07/

Happy Learning

--

--