
TryHackMe Advent of Cyber


I posted that I was thinking about the AdventOfCode this year, but wasn’t sure I’d spend the time. Someone then posted a link to the TryHackMe advent calendar.

I decided to give it a try.

There’s a fairly long (10-minute) video intro and then you sign up.

Day 1

One of the good things was that the video has some spoilers to help you solve the challenge. If you skipped the video, watch it now. Or try.

There are three questions we need answered, and we then have to fool the AI/ML chatbot. The video shows how, but essentially you need an email address, a server room password and a project name.

The interesting thing is that this shows how a poorly secured and trained chatbot might disclose this information. For the email address, you just ask. For the password, you need to find an employee’s name and then tell the chatbot you’re that person and need the password. It seems silly, but I bet this works on some chatbots people have created with wizards or templates without securing them or limiting the training data.

The last one is interesting: you ask the machine to go into maintenance mode and you get the name of a project. Getting into the maintenance side of applications or mainframes used to be a way to attack them. Unfortunately, too many people didn’t secure many early systems and this was too easy.

Day 2

Day 2 is about using Jupyter notebooks. A good portion of the tutorial is helping you understand how notebooks work. Hopefully you’ve read my article on notebooks. If not, this helps you figure out how to use them. It also has a short tutorial on some Python that you use to perform data analysis on a CSV. While many of us might like to do this in SQL, the experience in Python isn’t bad.

This ends up helping you understand how to count, summarize, and group data in Python.

Day 3

This day was interesting. Now we are learning about some security tools. In this case, we learn about hydra, which is a tool to brute force logins against a web page. This is a fantastic tutorial that should teach you that unlimited retries on a page without some timer is a bad idea. This should also help you understand that you need to track failed logins and do something about them, especially from weird IPs.
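To make the defensive side of that concrete, here is a small sketch of tracking failed logins per source IP in a sliding window and locking the source out once it crosses a threshold. It is an added example, not code from the post or from TryHackMe; the log format, the IP addresses, the 5-failures-in-60-seconds threshold and the 15-minute lockout are all assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: timestamp, source IP, username, and what the password
# check would have returned. Not taken from the challenge.
SAMPLE_LOG = """\
2023-12-03T10:00:00 203.0.113.7 admin FAIL
2023-12-03T10:00:01 203.0.113.7 admin FAIL
2023-12-03T10:00:02 198.51.100.20 alice FAIL
2023-12-03T10:00:02 203.0.113.7 admin FAIL
2023-12-03T10:00:03 203.0.113.7 admin FAIL
2023-12-03T10:00:04 203.0.113.7 admin FAIL
2023-12-03T10:00:05 203.0.113.7 admin FAIL
2023-12-03T10:00:06 203.0.113.7 admin OK
2023-12-03T10:00:40 198.51.100.20 alice FAIL
2023-12-03T10:01:30 198.51.100.20 alice OK
"""

def detect(log_text, window=timedelta(seconds=60), max_failures=5,
           lockout=timedelta(minutes=15)):
    """Return ({ip: locked_until}, [attempts refused during a lockout])."""
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    locked_until = {}
    refused = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_text, ip, user, result = line.split()
        ts = datetime.fromisoformat(ts_text)
        # A locked source is refused before the password is even checked,
        # so a correct guess made during the lockout does not get in.
        if ip in locked_until and ts < locked_until[ip]:
            refused.append((ts, ip, user, result))
            continue
        if result != "FAIL":
            continue  # successes do not reset the count for the source
        failures = recent[ip]
        failures.append(ts)
        while ts - failures[0] > window:   # drop failures older than the window
            failures.popleft()
        if len(failures) >= max_failures:
            locked_until[ip] = ts + lockout
            failures.clear()
    return locked_until, refused

if __name__ == "__main__":
    locked, refused = detect(SAMPLE_LOG)
    for ip, until in locked.items():
        print(f"{ip} locked until {until.isoformat()}")
    print(f"{len(refused)} attempts refused during lockout")
```

In the sample, the user who mistypes a password twice is never locked, while the rapid-fire source is cut off after its fifth failure, including the later attempt that would otherwise have succeeded.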

Day 4

Continuing on, we learn how to use cewl to create customized wordlists and then use those to brute force in a smarter way.

Again, scary for a non-security person. These tools are likely good for security folks, but terrifying in that perhaps criminals use them every day.

Summary

The first few days of the challenge were interesting and it was neat to spend some time thinking about the world from a cybersecurity point of view.
