MAL: Strings TryHackMe Walkthrough

Rich
Nov 19, 2023

TL;DR Walkthrough of the TryHackMe MAL: Strings room, part of the Cyber Defense Pathway.

THM Walkthroughs:

A full list of our TryHackMe walkthroughs and cheatsheets is here.

Background

I have said it before, though maybe not on here: I found, along the way of posting these, that I actually enjoy technical writing. I like getting into the home lab, TryHackMe, a CTF, Slayer Labs, really anything hands on, finding the solution, and writing up how to do it.

I hate theory. I truly hate writing about theory. That was always a struggle for me back when we were working on a Bachelor's degree and continues to this day. Maybe eventually I’ll get over it, but I doubt it.

We ran through this room and banged out this writeup while taking another break from writing about theory for college.

But enough about that, let’s get to the answers and how to find them :)

On an admin note, the sources to find the answers to the questions involving research are in the references at the end.

-- Task 1 --

What is the name of the account that had the passcode of “12345678” in the intellian example discussed above?

intellian

What is the CVE entry disclosed by the company “Teradata” in their “Viewpoint” Application that has a password within a string?

CVE-2019-6499

According to OWASP’s list of “Top Ten IoT” vulnerabilities, name the ranking this vulnerability would fall within, represented as text.

One

-- Task 2 --

What is the correct username required by the “LoginForm”?

We know that the username is 7 characters thanks to the seven asterisks THM shows in the answer box, so we keep only the printable strings that are exactly 7 characters long:

strings LoginForm.exe | grep -E '^.{7}$'

cmnatic

What is the required password to authenticate with?

The password is 18 characters, so:

strings LoginForm.exe | grep -E '^.{18}$'

TryHackMeMerchWhen

What is the “hidden” THM{} flag?

strings LoginForm.exe | grep -E 'THM{'

THM{Not_So_Hidden_Flag}

-- Task 3 --

We knew these already, but the answers are in THM’s explanation.

What is the key term to describe a server that Botnets receive instructions from?

Command and Control

Name the discussed example malware that uses “strings” to store the bitcoin wallet addresses for payment.

Wannacry

-- Task 4 --

List the number of total transactions that the Bitcoin wallet used by the “Wannacry” author(s)

Just follow THM’s link to the given Bitcoin address “13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94”.

143

What is the Bitcoin Address stored within “ComplexCalculator.exe”?

This just takes a little cleverness to find very quickly.

xfreerdp /v:10.10.193.120 /u:Administrator /p:tryhackme123! /dynamic-resolution
PowerShell.exe

.\Desktop\SysinternalsSuite\strings.exe

Running strings.exe once with no arguments 'breaks' the interactive popup with the terms that you have to agree to, and we can then utilize strings.exe from PowerShell_ISE. Nice. I should have thought of that in the last room. Oh well, live and learn.

$address = "13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94"

$address.Length

.\Desktop\SysinternalsSuite\strings.exe .\Desktop\SysinternalsSuite\ComplexCalculatorv2.exe | Where-Object {$_.Length -eq 34}

Or simply, in one line (note that the strings output has to be piped with | into Where-Object; separating the commands with ; would print every string unfiltered):

$address = "13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94" ; .\Desktop\SysinternalsSuite\strings.exe .\Desktop\SysinternalsSuite\ComplexCalculatorv2.exe | Where-Object {$_.Length -eq $address.Length}

1LVB65imeojrgC3JPZGBwWhK1BdVZ2vYNC
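The length and pattern filters used in Task 2 (grep -E '^.{7}$', grep -E 'THM{') and Task 4 (Where-Object {$_.Length -eq 34}) are easier to reason about when you can see what `strings` actually produces. The block below is an added example and is not part of this writeup or of the THM room: it re-implements the core of `strings` / strings.exe in Python (printable ASCII runs of at least 4 bytes, plus a UTF-16LE pass like the Unicode scan Sysinternals strings.exe does by default) and applies the same filters. The binary it scans is constructed inline as a stand-in for LoginForm.exe and ComplexCalculatorv2.exe; the function names and the Bitcoin address regex are my own choices, and the address pattern only matches the legacy 1.../3... base58 format.

```python
"""Added example: a small re-implementation of what `strings` / Sysinternals
strings.exe do, plus the length and pattern filters from Tasks 2 and 4.
Not the room's or the writeup's own code; the binary below is constructed."""
import re
import string

# Bytes `strings` treats as printable: ASCII 0x20-0x7e plus tab.
PRINTABLE = set(string.printable.encode()) - set(b"\n\r\x0b\x0c")

# Constructed stand-in for the room's binaries: printable runs separated by
# non-printable bytes, one run too short to report, and one UTF-16LE string
# that an ASCII-only scan will miss.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00"
    + b"This program cannot be run in DOS mode.\x00"
    + b"\x01\x02cmnatic\x00\xff"                          # 7 chars  (Task 2 username)
    + b"\x00TryHackMeMerchWhen\x00"                       # 18 chars (Task 2 password)
    + b"\x7f\x00THM{Not_So_Hidden_Flag}\x00"              # flag pattern
    + b"ab\x00"                                           # 2 chars: below the default minimum
    + b"\x00\x001LVB65imeojrgC3JPZGBwWhK1BdVZ2vYNC\x00"  # 34 chars (Task 4 address)
    + b"kernel32.dll\x00GetProcAddress\x00"
    + b"\x00\x00" + "Hidden_Unicode".encode("utf-16-le") + b"\x00\x00"
)


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Printable ASCII runs of at least min_len bytes, like `strings -n min_len`."""
    out, run = [], bytearray()
    for b in data:
        if b in PRINTABLE:
            run.append(b)
            continue
        if len(run) >= min_len:
            out.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:          # flush a run that reaches end of file
        out.append(run.decode("ascii"))
    return out


def extract_utf16le_strings(data: bytes, min_len: int = 4) -> list:
    """UTF-16LE runs (printable byte followed by 0x00), like strings.exe's Unicode
    scan or GNU `strings -e l`; .NET string literals are stored this way."""
    out, run, i = [], bytearray(), 0
    while i + 1 < len(data):
        if data[i] in PRINTABLE and data[i + 1] == 0:
            run.append(data[i])
            i += 2
            continue
        if len(run) >= min_len:
            out.append(run.decode("ascii"))
        run = bytearray()
        i += 1
    if len(run) >= min_len:
        out.append(run.decode("ascii"))
    return out


def exact_length(strs: list, n: int) -> list:
    """Equivalent of grep -E '^.{n}$' or Where-Object {$_.Length -eq n}."""
    return [s for s in strs if len(s) == n]


THM_FLAG = re.compile(r"THM\{[^}]*\}")                       # grep -E 'THM{' with the closing brace
# Legacy Bitcoin addresses: base58 (no 0, O, I, l), 26-35 chars, leading 1 or 3.
BTC_ADDR = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")


def find_flags(strs: list) -> list:
    return [m.group(0) for s in strs for m in THM_FLAG.finditer(s)]


def find_bitcoin_addresses(strs: list) -> list:
    """Pattern-based alternative to matching on the known address length of 34."""
    return [m.group(0) for s in strs for m in BTC_ADDR.finditer(s)]


def strings_report(data: bytes) -> dict:
    """Run every filter from the room over one binary and collect the hits."""
    ascii_strs = extract_strings(data)
    return {
        "len7": exact_length(ascii_strs, 7),
        "len18": exact_length(ascii_strs, 18),
        "flags": find_flags(ascii_strs),
        "btc": find_bitcoin_addresses(ascii_strs),
        "utf16": extract_utf16le_strings(data),
    }


if __name__ == "__main__":
    for name, hits in strings_report(SAMPLE_BINARY).items():
        print(f"{name:>6}: {hits}")
```

Two things the room's one-liners hide: the 2-byte run "ab" never appears because `strings` defaults to a 4-byte minimum (pass `-n 2` to see it), and "Hidden_Unicode" is invisible to the ASCII pass but shows up in the UTF-16LE pass, which is why a .NET binary that looks empty under GNU `strings` may still give up its literals under strings.exe.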

-- Task 5 --

What is the name of the toolset provided by Microsoft that allows you to extract the “strings” of an application?

Sysinternals

What operator would you use to “pipe” or store the output of the strings command?

Ok, I hate the verbiage of this question. In PowerShell you pipe with '|' and you “store the output” with '>' or '>>' if you want to append rather than overwrite. Of course '>>' is really just an alias for '| Out-File .\Something.txt -Append' and '>' is an alias for the same, but without the '-Append'.

Hence I put |, since I’d pipe to Out-File or Export-Csv, only for THM to immediately tell me I was wrong. The answer they are looking for is:

>

What is the name of the currency that ransomware often uses for payment?

Bitcoin

Summary

This was another good little, fun, educational room. I should probably get back to my root canal now, errr, I mean college paper.

References

CVE-2020-8000 Details: https://nvd.nist.gov/vuln/detail/CVE-2020-8000

CVE-2019-6499 Details: https://nvd.nist.gov/vuln/detail/CVE-2019-6499

OWASP Top 10 IoT: https://owasp.org/www-chapter-toronto/assets/slides/2019-12-11-OWASP-IoT-Top-10---Introduction-and-Root-Causes.pdf

Details RE a specific Bitcoin wallet: https://live.blockcypher.com/btc/address/13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94/

grep a specific # of characters: https://www.baeldung.com/linux/match-string-by-length

PowerShell find strings with specific length: https://shellgeek.com/string-length-of-variable-in-powershell/

Rich

I work various IT jobs & like Windows domain security as a hobby. Most of what’s here is my notes from auditing or the lab.