Advent of Cyber 2025 - Day 7

🎄 Day 7 – SOC-mas Write-Up

Hunting Down HopSec & the Three Bunny Keys

Introduction — The Incident

Christmas preparations at The Best Festival Company (TBFC) have come to a sudden halt.

The threat group HopSec has breached the QA environment and locked administrators out of the server tbfc-devqa01. The SOC-mas pipeline is frozen, and the system is slowly transforming into a corrupted EAST-mas node.

🎯 Mission Objectives

Our task as SOC analysts is to:

  • Track HopSec’s activity

  • Discover hidden and non-standard services

  • Recover all three Easter (Bunny) keys

  • Regain access and restore the QA server

This investigation focuses on network service discovery and enumeration.


🔎 Network Service Discovery

1️⃣ Initial Nmap Scan

We begin with a basic scan of the target system:

nmap 10.48.139.238

Open services identified:

  • 22/tcp — SSH

  • 80/tcp — HTTP

Visiting the web server reveals a defaced page, confirming that HopSec has already compromised the environment.


2️⃣ Full Port Scan

To uncover non-standard services, a full port scan is performed:

nmap -p- --script=banner 10.48.139.238

Additional services discovered:

  • 21212/tcp — FTP (vsFTPd 3.0.5)

  • 25251/tcp — TBFC maintd v0.2 (custom service)

These ports become our primary investigation targets.


🥚 Easter Key Recovery

🐰 Key Part 1 — FTP Service (Port 21212)

The FTP service allows anonymous access.

Steps:

  • Connect to the FTP service

  • List available files

  • Download the key file

Result:

📌 Key Part 1

3aster_

🐰 Key Part 2 — TBFC Maintenance Service (Port 25251)

Next, we interact with the custom TBFC service using Netcat:

nc -v 10.48.139.238 25251

Using the built-in help command reveals available actions. Requesting the key directly returns:

📌 Key Part 2

15_th3_

🛰️ 3️⃣ UDP Service Discovery

To ensure no services are missed, a UDP scan is conducted:

nmap -sU 10.48.139.238

Discovered service:

  • 53/udp — DNS

This strongly suggests hidden information stored in DNS records.


🐰 Key Part 3 — DNS TXT Record

Querying the DNS server for TXT records reveals the final key fragment:

dig @10.48.139.238 TXT key3.tbfc.local +short

📌 Key Part 3

n3w_xm45

🔐 Admin Access & Key Assembly

Combining all three recovered key fragments:

3aster_15_th3_n3w_xm45

Submitting this key to the admin console grants shell access to the compromised QA server.


🖥️ On-Host Service Enumeration

Once inside the system, local services are enumerated:

ss -tunlp

A MySQL database service is discovered:

  • 3306/tcp — MySQL (localhost only)
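The same on-host check can be turned into a quick exposure review: parse `ss -tunlp` output and flag any listener that is not on the host's approved service baseline, noting whether it is bound to loopback or reachable from the network. This is an added example, not part of the original write-up; the `ss` output, the process names and the `BASELINE` set are constructed to mirror the services found on tbfc-devqa01.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Listener:
    proto: str      # "tcp" or "udp"
    addr: str       # local bind address as printed by ss
    port: int
    process: str    # process name from the users:(...) column, or "?"


# Constructed sample of `ss -tunlp` output (not captured from the lab host).
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*     users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511          0.0.0.0:80         0.0.0.0:*     users:(("nginx",pid=930,fd=6))
tcp   LISTEN 0      32           0.0.0.0:21212      0.0.0.0:*     users:(("vsftpd",pid=1001,fd=4))
tcp   LISTEN 0      5            0.0.0.0:25251      0.0.0.0:*     users:(("maintd",pid=1010,fd=3))
tcp   LISTEN 0      80         127.0.0.1:3306       0.0.0.0:*     users:(("mysqld",pid=1100,fd=21))
udp   UNCONN 0      0            0.0.0.0:53         0.0.0.0:*     users:(("named",pid=700,fd=5))
"""

# Hypothetical approved baseline for the host: (proto, port) pairs expected to listen.
BASELINE = {("tcp", 22), ("tcp", 80), ("udp", 53)}

LOOPBACK_PREFIXES = ("127.", "::1", "[::1]")


def parse_ss(text: str) -> list[Listener]:
    """Parse `ss -tunlp` lines into Listener records, skipping the header row."""
    listeners = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 5:
            continue
        # Split on the last colon so "[::]:22" and "*:22" parse correctly.
        addr, port = parts[4].rsplit(":", 1)
        match = re.search(r'\("([^"]+)"', line)
        listeners.append(Listener(parts[0], addr, int(port), match.group(1) if match else "?"))
    return listeners


def review(listeners: list[Listener], baseline=BASELINE) -> list[dict]:
    """Return listeners missing from the baseline, marking those reachable off-host."""
    findings = []
    for lst in listeners:
        if (lst.proto, lst.port) in baseline:
            continue
        findings.append({
            "proto": lst.proto, "port": lst.port, "process": lst.process,
            "exposed": not lst.addr.startswith(LOOPBACK_PREFIXES),
        })
    return sorted(findings, key=lambda f: (f["proto"], f["port"]))
```

Run against a real host with `review(parse_ss(subprocess.check_output(["ss", "-tunlp"], text=True)))`; an empty result means every listener is on the baseline.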


🏁 Final Flag Retrieval

Accessing the local database and querying the flags table reveals the final result:

mysql -D tbfcqa01 -e "SELECT * FROM flags;"

📌 Final Flag

THM{4ll_s3rvice5_d1sc0vered}

✅ Mission Complete

All hidden services have been identified, every bunny key recovered, and the QA environment successfully restored.

This challenge highlights the importance of:

  • Full port scanning

  • Enumerating non-standard services

  • Investigating both TCP and UDP protocols

  • Thinking beyond default ports


📦 Answer Summary

  • Defaced website message:
    Pwned by HopSec

  • Key Part 1 (FTP):
    3aster_

  • Key Part 2 (TBFC service):
    15_th3_

  • Key Part 3 (DNS):
    n3w_xm45

  • MySQL port:
    3306

  • Final Flag:
    THM{4ll_s3rvice5_d1sc0vered}
