2024 TryHackMe (THM) Advent of Cyber (AoC) Day 3 Walkthrough | THM Writeup

Day 3: Even if I wanted to go, their vulnerabilities wouldn’t allow it.

Angie
4 min read · Dec 5, 2024

The 2024 edition of TryHackMe Advent of Cyber (AoC) is here! Today is Day 3, and the topic is Log Analysis. It is another day of using the ELK SIEM, along with new tools and concepts such as RCE, to find more vulnerabilities and to discover and develop better cybersecurity practices.

BLUE: Where was the web shell uploaded to?

Answer format: /directory/directory/directory/filename.php

Flag: /media/images/rooms/shell.php

  • In the ELK SIEM, set the calendar in absolute mode to October 3, 2024 11:30 to October 3, 2024 12:00.
  • Next, locate where the images are stored.
  • Search for “shell.php” in the search bar; the directory will display the shell.php file location.
  • If a malicious user uploads a web shell to a website's directory, this is bad news: they can run the shell on the live site, compromise the website, and gain valuable information.
  • Running code on the server this way is referred to as RCE (Remote Code Execution).
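The same hunt can be done outside the SIEM on raw web server logs. The script below is an added example, not part of the room or the original writeup: it flags successful requests for script files inside directories that should only hold static content, within a time window, and groups them by path and client IP. The log lines, IP addresses (documentation ranges), directory prefixes and function name are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in combined log format (not taken from the room's data).
SAMPLE_LOG = """\
198.51.100.7 - - [03/Oct/2024:11:28:10 +0000] "GET /media/images/rooms/room1.jpg HTTP/1.1" 200 48213
198.51.100.7 - - [03/Oct/2024:11:31:02 +0000] "GET /media/images/rooms/room2.jpg HTTP/1.1" 200 51877
203.0.113.25 - - [03/Oct/2024:11:34:40 +0000] "POST /admin/rooms.php HTTP/1.1" 200 1532
203.0.113.25 - - [03/Oct/2024:11:35:12 +0000] "GET /media/images/rooms/shell.php HTTP/1.1" 200 87
203.0.113.25 - - [03/Oct/2024:11:36:01 +0000] "GET /media/images/rooms/shell.php?x=1 HTTP/1.1" 200 211
192.0.2.14 - - [03/Oct/2024:11:40:00 +0000] "GET /media/images/rooms/test.php HTTP/1.1" 404 153
"""

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Assumption: these directories are meant to serve only static files.
STATIC_PREFIXES = ("/media/", "/uploads/", "/static/")
SCRIPT_EXT = (".php", ".phtml", ".phar", ".jsp", ".aspx")


def find_script_hits(log_text, start, end, prefixes=STATIC_PREFIXES):
    """Return {path: {client_ip: hits}} for 2xx script requests under static dirs."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing the whole run
        # Assumption: log timestamps and the search window share one timezone.
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
        if not (start <= ts <= end):
            continue
        path = m["uri"].split("?", 1)[0]  # drop the query string before matching
        low = path.lower()
        # A 2xx status means the server actually served (and likely ran) the file.
        if low.startswith(prefixes) and low.endswith(SCRIPT_EXT) and m["status"][0] == "2":
            hits[path][m["ip"]] += 1
    return {p: dict(ips) for p, ips in hits.items()}


if __name__ == "__main__":
    window = (datetime(2024, 10, 3, 11, 30), datetime(2024, 10, 3, 12, 0))
    for path, ips in find_script_hits(SAMPLE_LOG, *window).items():
        print(path, ips)
```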

BLUE: What IP address accessed the web shell?
