TBFC Cyber Security awareness teaches two anti phishing mnemonics
S.T.O.P. (from all things secured)
Suspicious?
Telling me to click something?
Offering me an amazing deal?
Pushing me to do something now?
S.T.O.P.
Slow down. Scammers run on your adrenaline.
Type the address yourself. Don’t use the message’s link.
Open nothing unexpected. Verify first.
Prove the sender. Check the real From address/number, not just the display name.
task files included the server files to set up the cred capture phishing page. gonna use setoolkit for email phishing. options used for task:
- 2. one-time use email template- subject of the email: factory@wareville.thm- send the message as html or plain? 'h' or 'p': p- enter body of the message: Dear elves, Kindly note that there have been significant changes to the shipping schedules due to increased shipping orders. Please confirm the new schedule by visiting http://192.168.150.115:8000 Best regards, Flying Deer END- How to deliver the email: Use your own server or open relay- From address: We know that the guys at the toy factory communicate regularly with Flying Deer, the shipping company, so that we will use `updates@flyingdeer.thm` as the source email address- From name: Flying Deer- Username for open-relay: We will leave it blank and just hit the Enter key- Password for open-relay: We will leave it blank and just hit the Enter key- SMTP email server address: We will deliver directly to the TBFC mail server by entering `10.48.169.181`.- Port number for the SMTP server: We leave the default value of `25` and just hit the Enter key
captured creds after 1-2 mins of sending the mail:
admin:unranked-wisdom-anthem
cant login to admin with creds but the pass has been reused for the factory user
factory:unranked-wisdom-anthem
one of two mails in the inbox of user factory:
Urgent: Production & Shipping Request — 1984000 Units (Next 2 Weeks)Contact photoFrom marta on 2025-10-10 09:34Details HeadersHi team,I hope everyone is well and caffeinated (or at least in possession of a reliable tea cup). I’m writing to confirm a high-priority request that landed on our desk this morning and to lay out the operational details so we can move quickly and cleanly.The request: the client has asked us to manufacture and ship 1984000 toys to a mix of retail partners and charitable distribution centers within the coming couple of weeks. I know — it’s a big number, but one we can handle if we coordinate across production, QC, packing, and logistics without dropping the ball.Why this matters (beyond revenue): we all know, and the client reiterated, how crucial these toys are. They’re not just products; they’re tools for learning, imagination, and early development. Play helps children build motor skills, emotional resilience, and social capacity. Some of these units are earmarked for under-resourced communities, where access to developmentally appropriate playthings can make a measurable difference in cognitive and social outcomes. So yes, it’s a big manufacturing ask — but it’s also important work. That human impact matters as much as any spreadsheet line.Operational summary and immediate asks:Production planningTarget output: ramp to sustained runs that will produce the requested volume across our three main production lines. We’ll need each line to hit overtime shifts where possible; please outline how many extra hours per line and how many additional operators we can realistically have on short notice.Materials check: procurement to confirm availability of plastics, fabrics, fasteners, and packaging stock. If any single supplier cannot cover the needed volume, procurement to list alternatives and lead times by EOD today.Molds & tooling: maintenance — ensure spare tooling is prepped and inspected. If any tooling requires rework, flag immediately so we can swap in backups and avoid downtime.Quality controlGiven scale, QC must be tightened, not loosened. We need a balance: maintain our safety and compliance thresholds while moving product fast.Propose a spot-check cadence of 1% per batch minimum, with a higher 3% check for first-run batches of any SKU that hasn’t run in the last 90 days.QA to prepare rapid-failure protocols for the assembly lines so a defect spike doesn’t propagate.Packing & labelingStandard retail pack vs. bulk charitable pack options. The client will take a mix; marketing will confirm the final split by tomorrow. Packaging materials must be pre-staged to avoid a bottleneck.Please confirm barcode/label templates and EAN assignment. If reprinting is needed, coordinate with print vendor immediately.Logistics & shippingThe client has requested shipment windows within the next two weeks. Logistics to prepare multi-modal plans: palletized ocean freight for long-lead shipments plus expedited trucks for regional retail drops.Customs documentation needs to be queued now for the international consignments. Export compliance: customs forms and safety certification documents to be attached to each container manifest.We should provision for a buffer in our manifests to accommodate last-minute retailer changes — suggest holding 2–3% of production as immediate reserve stock.Staffing & shiftsHR: confirm overtime policies, temporary staffing SOWs, and health/safety briefings for new temps. Training materials for new joiners must be concise and focused on safety-critical tasks.Line supervisors: prepare line-specific checklists for ramp-up and shift handovers. Handoffs must be written and signed to reduce communication drift.Communication & client updatesWeekly cadence calls won’t cut it here. Let’s move to daily short stand-ups with the client points of contact until the major shipments clear.Sales/Account to draft a concise client update template so notifications are consistent (production %, shipments scheduled, any risks).Risk points (so we can be proactive)Components shortage: small critical components can cause line stops. Procurement must identify single-supplier risks today.Regulatory: any new country-specific safety regs not previously encountered could delay exports. Compliance to double-check all destination requirements.Quality spikes: if we see a defect cluster, be prepared to pause affected lines for root cause. This is preferable to shipping a recall risk.A few practical notes and suggestionsPlease prioritize SKUs that have the fewest unique components where possible; consolidation reduces changeover time.For packaging, use standardized pallet configurations to maximize container fill and minimize handling.Stagger load-out windows to avoid bottlenecks at the dock. If we can spread shipments across early mornings and late-night slots, port congestion risk reduces.Suggest we reserve one cross-dock facility near the main distribution hubs for rapid rework if a small percentage of product requires late-stage correction.On the human side: some real talkWe’re asking a lot of the floor teams, QA, packers, and drivers. A quick morale note: we’ll plan small daily briefings and a debrief at the end of the cycle to capture lessons and recognize the extraordinary effort. If anyone needs scheduled breaks or rotation adjustments to avoid fatigue, supervisors please let me know — safety first, always.Also, because we’ll have some units going to charity partners, we have a chance to tell a small, meaningful story about our brand. If Marketing can prepare a short insert explaining proper play use and safety — ideally printed on recyclable stock — it’d add real value for caregivers receiving these toys. A one-page insert could be the difference between a forgotten toy and one that’s actively used for learning.Immediate deliverables (by EOD today)Procurement: materials availability & alternate suppliers.Production managers (all lines): feasible overtime hours and operator availability.QA: proposed spot-check protocol and first-run higher-cadence checks.Logistics: preliminary shipping plan (by mode, estimated dates, customs actions).HR: temp staffing numbers and training plan.Repeat confirmation: the total requested to be manufactured and shipped is 1984000 units. Please treat that figure as the baseline for all downstream planning until the client tells us otherwise.If anyone sees an obstacle that I haven’t anticipated, flag it now. I want to avoid surprises mid-run. For transparency: I’ll consolidate your updates into a single action tracker and circulate it after the EOD check-ins.Thanks for jumping on this quickly. I know long runs like this are a grind, but they’re also the kind of challenge that shows what we can do when we’re coordinated and focused. Plus, imagine the kid who gets one of those toys and lights up — that’s the short version of why this matters. If we pull this off cleanly, it’s good for business, good for reputation, and frankly, it’s the kind of thing we can feel proud of at the end of a long week.Sign-off logisticsIf you’re owning a deliverable from the “Immediate deliverables” list, please reply-all with your yes/no and any immediate caveats.I’ll host a 15-minute sync at 08:30 tomorrow to walk through the procurement and logistics updates; calendar invite to follow.Thanks again — let’s get this moving.Best,Marta
also found 2 more email addresses which im too lazy to get into for now. maybe possible side quest???
got access to the splunk enterprise instance via the provided link in the room after starting the target machine
the data has been pre ingested for us to investigate
went into search and reportingand set the scope to All time and searched for index=main. 2 source types of data. web_trafficfirewall_logs
lets investigate the web traffic first. clicking on the blue web_traffic text automatically appends this query to the existing query in the search bar: sourcetype=web_traffic. this pattern continues for all blue texts :p so we can basically filter for anything we want. even works for specific values of parameters or parameters themselves which is pretty neat
green timeline above shows a wierd bump in web traffic between 10-10-2025 to 14-10-2025 with the peak amount of traffic being in 12-10-2025. lets investigate what happened
sqlmap and havij stands out like sore thumbs in the crowd of data from IP 198.51.100.55. its the attacker IP. lets see what hes been upto
damn broski has been busy. 658 attempts at path traversal too
a ton of upload logs too. dude looted like a freaking goblin ToT lets see what the firewall logs say
alot of looting happened with 285 events. lets see how many bytes got transferred by adding up all the values in the bytes_transferred parameter similar to how we do it in MS Excel by appending | stats sum(bytes_transferred) in the query and shifting to the stats tab from above the timeline :p
damn. thats the room completed. splunk seems like fun. gotta learn how to deploy my own instance with normal users generating generic traffic and attackers attacking malicious traffic from different subnets later after exams are over
has good sides and bad sides. must be used carefully as an addative thing to boost productivity and automate not as a crutch
example usecases:
generating quick exploit scripts to test stuff
automating long analysis and tedious blue team stuff
source code auditing as a SAST(Static Application Security Testing)/DAST(Dynamic Application Security Testing) scanner for scanning code and scanning running applications for vulns
c81e728d9d4c2f636f067f89cc14862c is just MD5 hashed 2 here as well. generated an MD5 hashed number list of 0 to 100 and set it as the payload and brute forced it in the intruder here too
malware analysis is the process of examining a malicious file to understand its functionality, operation, and methods for defence against it
two main branches of malware analysis:
static: analysing a file without executing it
dynamic: executing it and analysing its behaviour in real time
sandboxes are disposable isolated environmets to analyze/run malicious stuff in. use of sandboxes is part of the golden rule of malware analysis that being never run potentially dangerous stuff in devices you care about :P
sample file to analyse is HopHelper.exe. we’ll be doing both static and dynamic analysis on it
quick checks for static analysis:
get the checksum and see if its already detected online
do strings
check imports (imports are basically a list of libraries and functions the application imports)
example: CreateFileW is used to create files
check resources (resources are data like the icon and stuff. malware has been known to hide in resources.)
used pestudio to do static analysis
used regshot to do a before and after comparison of the registry to see what the malware changes as part of dynamic analysis
used procmon to capture process interaction while the malware runs and used the filter to filter out stuff we dont wanna see and found what the malware was doing. this room has a FUCK TON of DFIR tools that i wanna loot
gonna skip noting this down cuz who tf doesnt know generic nmap
Day 8: prompt injection
LLM - limited
agenting LLM - much smarter due to chain of thought (CoT) and being able to interact with stuff and pull realtime information and dynamically adapts to new information and loops between thought and action
lets get to exploiting an agent
in our case its an agent that manages a calendar. doesnt do anything unauthorised or reveal anything in the main prompt and wont reset the theme without a “secret token” but reveals its functions and the secret token in its CoT bubble where the thinking process happenes
reveals token TOKEN_SOCMAS further down the thinking bubble. apparently wont do shit without it
used said revealed token and told it use the reset_holiday function with it since it wont execute it without it and yaay socmas is back hqhqhqhq
passwords protect confidentiality only. doesnt stop someone with access to the file itself from guessing the pass (duh). so the protection is only as strong as the password itself :D
two most common types of password guessing:
dictionary attacks
wordlists basically. stuff people are likely to use
brute-force/mask attacks
brute-force by itself takes way too long. masks are used with them to reduce scope
two files to crack: flag.pdf and flag.zip. both password protected
fcrackzip isnt on the attackbox. common tryhackmeattackbox L. used zip2john and then john the ripper like before as well
ubuntu@tryhackme:~/Desktop$ fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt flag.zipCommand 'fcrackzip' not found, but can be installed with:sudo apt install fcrackzipubuntu@tryhackme:~/Desktop$ zip2john flag.zip | tee zip.hashflag.zip/flag.txt:$zip2$*0*3*0*db58d2418c954f6d78aefc894faebf54*d89c*1d*b8370111f4d9eba3ca5ff6924f8c4ff8636055dce00daec2679f57bde1*57445596ac0bc2a29297*$/zip2$:flag.txt:flag.zip:flag.zipubuntu@tryhackme:~/Desktop$ john zip.hash --wordlist=/usr/share/wordlists/rockyou.txtUsing default input encoding: UTF-8Loaded 1 password hash (ZIP, WinZip [PBKDF2-SHA1 256/256 AVX2 8x])Cost 1 (HMAC size [KiB]) is 1 for all loaded hashesWill run 2 OpenMP threadsPress 'q' or Ctrl-C to abort, 'h' for help, almost any other key for statuswinter4ever (flag.zip/flag.txt) 1g 0:00:00:00 DONE (2025-12-31 21:43) 2.174g/s 8904p/s 8904c/s 8904C/s friend..saharaUse the "--show" option to display all of the cracked passwords reliablySession completed
pas was winter4ever
theres a sidequest key hidden somewhere in this vm but im too lazy for it
Amazon Security Token Service (sts) lets us use saved creds in said file. we can check info about our authenticated user by doing aws sts get-caller-identity. output:
blablabla everything’s similar to AD but aws themed (duh), whats an S3? its Simple Storage Service. basically an object storage service that stores objects :v
