TL;DR Walkthrough of the TryHackMe MAL: Strings room, part of the Cyber Defense Pathway.
THM Walkthroughs:
A full list of our TryHackMe walkthroughs and cheatsheets is here.
Background
I have said it before, but maybe not on here, I found along the way of posting these that I actually enjoy technical writing. I like getting into the home lab, TryHackMe, a CTF, Slayer Labs, really anything hands on, finding the solution, and writing up how to do it.
I hate theory. I truly hate writing about theory. That was always a struggle for me back when we were working on a Bachelors degree and continues to this day. Maybe eventually I’ll get over it, but I doubt it.
We ran through this room and banged out this writeup while taking another break from writing about theory for college.
But enough about that, let’s get to the answers and how to find them :)
On an admin note, the sources to find the answers to the questions involving research are in the references at the end.
— — Task 1 — -
What is the name of the account that had the passcode of “12345678” in the intellian example discussed above?
intellian
What is the CVE entry disclosed by the company “Teradata” in their “Viewpoint” Application that has a password within a string?
CVE-2019–6499
According to OWASP’s list of “Top Ten IoT” vulnerabilities, name the ranking this vulnerability would fall within, represented as text.
One
— — Task 2 — -
What is the correct username required by the “LoginForm”?
We know that the username is 7 characters thanks to THM’s *s in the answer box, so:
strings LoginForm.exe | grep -E ‘^.{7}$’cmnatic
What is the required password to authenticate with?
The password is 18 characters, so:
strings LoginForm.exe | grep -E ‘^.{18}$’TryHackMeMerchWhen
What is the “hidden” THM{} flag?
strings LoginForm.exe | grep -E ‘THM{‘THM{Not_So_Hidden_Flag}
— — Task 3 — -
We knew these already, but the answers are in THM’s explanation.
What is the key term to describe a server that Botnets recieve instructions from?
Command and Control
Name the discussed example malware that uses “strings” to store the bitcoin wallet addresses for payment
Wannacry
— — Task 4 — -
List the number of total transactions that the Bitcoin wallet used by the “Wannacry” author(s)
Just follow THM’s link to the given Bitcoin address “13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94”.
143
What is the Bitcoin Address stored within “ComplexCalculator.exe”
This just takes a little cleverness to find very quickly.
xfreerdp /v:10.10.193.120 /u:Administrator /p:tryhackme123! /dynamic-resolutionPowerShell.exe
.\Desktop\SysinternalsSuite\strings.exeThis ‘breaks’ the interactive popup with terms that you have to agree to and we can then utilize Strings.exe from PowerShell_ISE. Nice. I should have thought of that in the last room. Oh well, live and learn.
$address = "13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94"
$address.Length
.\Desktop\SysinternalsSuite\strings.exe .\Desktop\SysinternalsSuite\ComplexCalculatorv2.exe | Where-Object {$_.Length -eq 34}Or simply:
$address = “13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94” ; .\Desktop\SysinternalsSuite\strings.exe .\Desktop\SysinternalsSuite\ComplexCalculatorv2.exe ; Where-Object {$_.Length -eq $address.Length}1LVB65imeojrgC3JPZGBwWhK1BdVZ2vYNC
— — Task 5 — -
What is the name of the toolset provided by Microsoft that allows you to extract the “strings” of an application?
Sysinterals
What operator would you use to “pipe” or store the output of the strings command?
Ok, I hate the verbiage of this question. In PowerShell you pipe with ‘ | ‘ and you “store the output” with ‘ > ‘ or ‘ >> ‘ if you want to append rather than overwrite. Of course ‘ >> ‘ is really just an alias for ‘ | Out-File .\Something.txt -Append ‘ and ‘ > ‘ is an alias for the same, but without the ‘ -Append ‘.
Hence I put | since I’d pipe to Out-File or Export-Csv, only for THM To immediately tell me I was wrong. The answer they are looking for is:
>
What is the name of the currency that ransomware often uses for payment?
Bitcoin
Summary
This was another good little, fun, educational room. I should probably get back to my root canal now, errr, I mean college paper.
References
CVE-2020–8000 Details: https://nvd.nist.gov/vuln/detail/CVE-2020-8000
CVE-2019–6499 Details: https://nvd.nist.gov/vuln/detail/CVE-2019-6499
OWASP Top 10 IoT: https://owasp.org/www-chapter-toronto/assets/slides/2019-12-11-OWASP-IoT-Top-10---Introduction-and-Root-Causes.pdf
Details RE a specific Bitcoin wallet: https://live.blockcypher.com/btc/address/13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94/
grep a specific # of characters: https://www.baeldung.com/linux/match-string-by-length
PowerShell find strings with specific length: https://shellgeek.com/string-length-of-variable-in-powershell/
