DAY 1 :
The Bandit Yeti
THM{IT'S A Y3T1 CHR1$TMA$}
Use the ls command to list the files present in the current directory. How many log files are present?
2
Elf McSkidy managed to capture the logs generated by the web server. What is the name of this log file?
webserver.log
On what day was Santa's naughty and nice list stolen?
Friday
What is the IP address of the attacker?
10.10.249.191
What is the name of the important list that the attacker stole from Santa?
santaslist.txt
Look through the log files for the flag. The format of the flag is: THM{}
THM{STOLENSANTASLIST}
=====DAY 3 =====
What is the name of the Registrar for the domain santagift.shop?
NAMECHEAP INC
Find the website's source code (repository) on github.com and open the file containing sensitive credentials. Can you find the flag?
{THM_OSINT_WORKS}
What is the name of the file containing passwords?
config.php
What is the name of the QA server associated with the website?
qa.santagift.shop
What is the DB_PASSWORD that is being reused between the QA and PROD environments?
S@nta2022
===== DAY 4 =====
What is the name of the HTTP server running on the remote host?
apache
What is the name of the service running on port 22 on the QA server?
ssh
What flag can you find after successfully accessing the Samba service?
{THM_SANTA_SMB_SERVER}
What is the password for the username santahr?
santa25
===== DAY 5 =====
Use Hydra to find the VNC password of the target with IP address 10.10.208.109. What is the password?
1q2w3e4r
Using a VNC client on the AttackBox, connect to the target of IP address 10.10.208.109. What is the flag written on the target’s screen?
THM{I_SEE_YOUR_SCREEN}
===== DAY 6 =====
What is the email address of the sender?
[email protected]
What is the return address?
[email protected]
On whose behalf was the email sent?
chief elf
What is the X-spam score?
3
What is hidden in the value of the Message-ID field?
AoC2022_Email_Analysis
Visit the email reputation check website provided in the task. What is the reputation result of the sender's email address?
risky
Check the attachments. What is the filename of the attachment?#
Division_of_labour-Load_share_plan.doc
What is the hash value of the attachment?
0827bb9a2e7c0628b82256759f0f888ca1abd6a2d903acdb8e44aca6a1a03467
Visit the Virus Total website and use the hash value to search. Navigate to the behaviour section. What is the second tactic marked in the Mitre ATT&CK section?
Defense Evasion
Visit the InQuest website and use the hash value to search. What is the subcategory of the file?
macro_hunter
===== DAY 7 =====
What is the version of CyberChef found in the attached VM?
9.49.0
How many recipes were used to extract URLs from the malicious doc?
10
We found a URL that was downloading a suspicious file; what is the name of that malware?
mysterygift.exe
What is the last defanged URL of the bandityeti domain found in the last step?
hxxps[://]cdn[.]bandityeti[.]THM/files/index
What is the ticket found in one of the domains? (Format: Domain/<GOLDEN_FLAG>)
THM_MYSTERY_FLAG
===== DAY 8 =====
What flag is found after attacking the provided EtherStore Contract?
flag{411_ur_37h_15_m1n3}

The Bandit Yeti
THM{IT'S A Y3T1 CHR1$TMA$}
Use the ls command to list the files present in the current directory. How many log files are present?
2
Elf McSkidy managed to capture the logs generated by the web server. What is the name of this log file?
webserver.log
On what day was Santa's naughty and nice list stolen?
Friday
What is the IP address of the attacker?
10.10.249.191
What is the name of the important list that the attacker stole from Santa?
santaslist.txt
Look through the log files for the flag. The format of the flag is: THM{}
THM{STOLENSANTASLIST}
=====DAY 3 =====
What is the name of the Registrar for the domain santagift.shop?
NAMECHEAP INC
Find the website's source code (repository) on github.com and open the file containing sensitive credentials. Can you find the flag?
{THM_OSINT_WORKS}
What is the name of the file containing passwords?
config.php
What is the name of the QA server associated with the website?
qa.santagift.shop
What is the DB_PASSWORD that is being reused between the QA and PROD environments?
S@nta2022
===== DAY 4 =====
What is the name of the HTTP server running on the remote host?
apache
What is the name of the service running on port 22 on the QA server?
ssh
What flag can you find after successfully accessing the Samba service?
{THM_SANTA_SMB_SERVER}
What is the password for the username santahr?
santa25
===== DAY 5 =====
Use Hydra to find the VNC password of the target with IP address 10.10.208.109. What is the password?
1q2w3e4r
Using a VNC client on the AttackBox, connect to the target of IP address 10.10.208.109. What is the flag written on the target’s screen?
THM{I_SEE_YOUR_SCREEN}
===== DAY 6 =====
What is the email address of the sender?
[email protected]
What is the return address?
[email protected]
On whose behalf was the email sent?
chief elf
What is the X-spam score?
3
What is hidden in the value of the Message-ID field?
AoC2022_Email_Analysis
Visit the email reputation check website provided in the task. What is the reputation result of the sender's email address?
risky
Check the attachments. What is the filename of the attachment?#
Division_of_labour-Load_share_plan.doc
What is the hash value of the attachment?
0827bb9a2e7c0628b82256759f0f888ca1abd6a2d903acdb8e44aca6a1a03467
Visit the Virus Total website and use the hash value to search. Navigate to the behaviour section. What is the second tactic marked in the Mitre ATT&CK section?
Defense Evasion
Visit the InQuest website and use the hash value to search. What is the subcategory of the file?
macro_hunter
===== DAY 7 =====
What is the version of CyberChef found in the attached VM?
9.49.0
How many recipes were used to extract URLs from the malicious doc?
10
We found a URL that was downloading a suspicious file; what is the name of that malware?
mysterygift.exe
What is the last defanged URL of the bandityeti domain found in the last step?
hxxps[://]cdn[.]bandityeti[.]THM/files/index
What is the ticket found in one of the domains? (Format: Domain/<GOLDEN_FLAG>)
THM_MYSTERY_FLAG
===== DAY 8 =====
What flag is found after attacking the provided EtherStore Contract?
flag{411_ur_37h_15_m1n3}
