Advent of Cyber: Dec 1st


Introduction

This was an interesting event. We didn’t end up completing the ‘sidequest’ but some of it was fun; a few parts were tedious. The sidequest after getting the egg was, by far, more interesting, but it got late and we never got around to completing more calendar days or the sidequest. Doing all that work just for a PNG of an egg that unlocks more work was fun in its own respect and gave us a good laugh lol.

The Event

From: mcskidy

To: whoever finds this

I had a short second when no one was watching. I used it. I’ve managed to plant a few clues around the account. If you can get into the user below and look carefully, those three little “easter eggs” will combine into a passcode that unlocks a further message that I encrypted in the /home/eddi_knapp/Documents/ directory. I didn’t want the wrong eyes to see it.

Access the user account:

username: eddi_knapp
password: S0mething1Sc0ming

There are three hidden easter eggs. They combine to form the passcode to open my encrypted vault.

Clues (one for each egg):

  1. I ride with your session, not with your chest of files. Open the little bag your shell carries when you arrive.
  2. The tree shows today; the rings remember yesterday. Read the ledger’s older pages.
  3. When pixels sleep, their tails sometimes whisper plain words. Listen to the tail.

Find the fragments, join them in order, and use the resulting passcode to decrypt the message I left. Be careful — I had to be quick, and I left only enough to get help. ~ McSkidy

  • part 2 is found in .secret_git by recovering the deleted file

  • Finally we get the password: 3ast3r-1s-c0M1nG

  • Then we can finally decrypt the mcskidy.txt.gpg file using this password and the option --pinentry-mode=loopback

  • Then we see the file contents:

gpg: AES256.CFB encrypted data
gpg: encrypted with 1 passphrase

Congrats — you found all fragments and reached this file. Below is the list that should be live on the site. If you replace the contents of /home/socmas/2025/wishlist.txt with this exact list (one item per line, no numbering), the site will recognize it and the takeover glitching will stop. Do it — it will save the site.

Hardware security keys (YubiKey or similar)
Commercial password manager subscriptions (team seats)
Endpoint detection & response (EDR) licenses
Secure remote access appliances (jump boxes)
Cloud workload scanning credits (container/image scanning)
Threat intelligence feed subscription
Secure code review / SAST tool access
Dedicated secure test lab VM pool
Incident response runbook templates and playbooks
Electronic safe drive with encrypted backups

A final note — I don’t know exactly where they have me, but there are lots of eggs and I can smell chocolate in the air. Something big is coming. — McSkidy

When the wishlist is corrected, the site will show a block of ciphertext. This ciphertext can be decrypted with the following unlock key:

UNLOCK_KEY: 91J6X7R4FQ9TQPM9JX2Q9X2Z

To decode the ciphertext, use OpenSSL. For instance, if you copied the ciphertext into a file /tmp/website_output.txt you could decode using the following command:

cat > /tmp/website_output.txt
openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 -salt -base64 -in /tmp/website_output.txt -out /tmp/decoded_message.txt -pass pass:'91J6X7R4FQ9TQPM9JX2Q9X2Z'
cat /tmp/decoded_message.txt

Sorry to be so convoluted, I couldn’t risk making this easy while King Malhare watches. — McSkidy
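Part 2 above came from recovering a deleted file out of a git repository: a file removed in a later commit stays readable from the commit before it, which is also why a secret that was ever committed has to be treated as exposed. The script below is an added example, not from the original write-up or the challenge. The page does not show how `.secret_git` is laid out, so it builds a constructed throwaway repository (the file name and content are placeholders), lists every deletion in history, and prints the last committed version.

```bash
#!/usr/bin/env bash
# Added example (not from the write-up): find files deleted somewhere in a
# repository's history and print the last version that was committed.

# Print "<commit> <path>" for every deletion recorded on any branch.
list_deleted() {   # usage: list_deleted <repo>
    git -C "$1" log --all --diff-filter=D --name-only --format='commit:%H' |
        awk '/^commit:/ { c = substr($0, 8); next } NF { print c, $0 }'
}

# Print the file as it was in the parent of the commit that deleted it.
recover_deleted() {   # usage: recover_deleted <repo> <commit> <path>
    git -C "$1" show "$2^:$3"
}

# Constructed demo: commit a placeholder note, delete it, then recover it.
demo() {
    repo=$(mktemp -d)
    g() { git -C "$repo" -c user.name=demo -c user.email=demo@example.invalid "$@"; }
    g init -q
    echo 'FRAGMENT-PLACEHOLDER' > "$repo/note.txt"   # constructed content
    g add note.txt && g commit -q -m 'add note'
    g rm -q note.txt && g commit -q -m 'remove note'
    list_deleted "$repo" | while read -r commit path; do
        recover_deleted "$repo" "$commit" "$path"
    done
    rm -rf "$repo"
}

demo
```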

  • after following all that shit..

Well done — the glitch is fixed. Amazing job going the extra mile and saving the site. Take this flag THM{w3lcome_2_A0c_2025}

NEXT STEP: If you fancy something a little…spicier….use the FLAG you just obtained as the passphrase to unlock: /home/eddi_knapp/.secret/dir

That hidden directory has been archived and encrypted with the FLAG. Inside it you’ll find the sidequest key.

Decrypt using gpg -d --pinentry-mode=loopback dir.tar.gz.gpg | tar xvzf - and the password.

now we see an egg

egg.png


The Great Disappearing act

NMAP

  • 80: http - broken log in
  • 8080: http - log in that seems to screen for username password
  • 13400: Facility Video Portal
  • 13402: nginx
  • 13403: tcp
  • 13404: tcp
  • 21337: tcp

port 80: paste this in the console to bypass:

document.getElementById("loginWindow").style.display = "none";
document.getElementById("mapScreen").style.display = "block"; 

Cell Storage.png

Looking at the code for this, we see it is trying to reach out, using the unlockCell() function, to /cgi-bin/key_flag.sh?door=hopper.

We saw that the login.sh exists on the current port but not the first. Trying to reach this link on port 8080 returns a JSON with the first flag.

Next we need to get the Psych ward password. This calls the submitDoorSecret() function.

Checking /cgi-bin/exit_check.sh, we get the error that is causing the server error: expecting ',' or '}'

Psych Ward.png

This login prompt does not have a server error on 8080.

And we stopped.