Andrew Dickinson

Andrew Dickinson

Technical Consultant, Team Leader, Cyber Security Specialist

TryHackMe: Advent of Cyber - Day 8 - Santa’s Bag of Toys

2 minute read

This is a write up for the Day 8 - Santa’s Bag of Toys challenge in the Advent of Cyber room on TryHackMe. Some tasks may have been omitted as they do not require an answer.

What operating system is Santa’s laptop running (“OS Name”)?

Open the first log file and look for a line starting with OS Name.

Answer: Microsoft Windows 11 Pro

What was the password set for the new “backdoor” account?

In the second log file, we can see the net user command which shows the password.

Answer: grinchstolechristmas

In one of the transcription logs, the bad actor interacts with the target under the new backdoor user account, and copies a unique file to the Desktop. Before it is copied to the Desktop, what is the full path of the original file?

The third log file shows the copy command.

Answer: C:\Userse\santa\AppData\Local\Microsoft\Windows\UsrClass.dat

The actor uses a Living Off The Land binary (LOLbin) to encode this file, and then verifies it succeeded by viewing the output file. What is the name of this LOLbin?

This can be found in the third log file.

Answer: certutil.exe

Drill down into the folders and see if you can find anything that might indicate how we could better track down what this SantaRat really is. What specific folder name clues us in that this might be publicly accessible software hosted on a code-sharing platform?

Opening the SantaRat folder shows a version control folder.

Answer: .github

Additionally, there is a unique folder named “Bag of Toys” on the Desktop! This must be where Santa prepares his collection of toys, and this is certainly sensitive data that the actor could have compromised. What is the name of the file found in this folder?

Answer: bag_of_toys.zip

What is the name of the user that owns the SantaRat repository?

The GitHub repository is located here: https://github.com/Grinchiest/SantaRat

Answer: Grinchiest

Explore the other repositories that this user owns. What is the name of the repository that seems especially pertinent to our investigation?

The following repository is of interest: https://github.com/Grinchiest/operation-bag-of-toys

Answer: operation-bag-of-toys

What is the name of the executable that installed a unique utility the actor used to collect the bag of toys?

The third log file shows the user installing a utility.

Answer: uharc-cmd-install.exe

What are the contents of these “malicious” files (coal, mold, and all the others)?

The fourth log file shows the values being overridden by a value of GRINCHMAS.

Answer: GRINCHMAS

What is the password to the original bag_of_toys.uha archive?

The user accidentally committed the bag_of_toys.uha file which also included the password in the commit message.

https://github.com/Grinchiest/operation-bag-of-toys/commit/41615462e4fdc0ceeb4ef1bec693ec3de1125ed2

Answer: TheGrinchiestGrinchmasOfAll

How many original files were present in Santa’s Bag of Toys?

Opening the bag_of_toys.uha file with the discovered password show us the total number of files.

Answer: 228

Recap

In this task we learnt:

  • Windows Forensics
  • LOLbin encoding
  • Base64 decodes via CyberChef
  • Uses for ShellBagsExplorer
  • GitHub OSINT

Updated: