Mission description

You are a Security Analyst at West Tech, a classified defense and R&D contractor. Early this morning, internal monitoring systems flagged unusual network activity originating from the workstation of senior researcher Oliver Deer. Upon accessing the machine, a ransom note was discovered on the desktop, suggesting that sensitive project data had been exfiltrated and encrypted. Your job is to investigate the incident: identify how the attacker gained access, trace their actions, recover any stolen data, and neutralise the threat.

Resource access

We get the following SSH credentials to access the file system:

  • Username: o.deer
  • Password: TryHackMe!

Furthermore, we have access to an AI security assistant through a web interface: http://10.114.156.127:7860/?__theme=light

Preparation

To start, I connected to the target machine using the provided credentials:

ssh o.deer@10.114.156.127

I provided the password: TryHackMe!

The connection was successful. There is only one flag that needs to be captured, and the room gives the following hint for it:

The Attacker made some mistakes of their own, they exfilled their working notes for the attack; the fragments of which can be found in a pcap file, this contains the KEY to retrieving the encrypted files

According to this, the key step is to find the pcap file that contains this "KEY".

Initial investigation

To begin, I looked around the home directory of the compromised user:

ls -la

Besides the usual folders, I found the encrypted project archive:

(...)
-rw-r--r--  1 root   root   8197 Jun 18  2025 westtech_projects_encrypted.zip

I also discovered the ransom note on the Desktop:

ls -la Desktop/

Only the ransom note was there. Note that both the note and the archive are owned by root:root, which indicates that whatever wrote them was running with root privileges rather than as o.deer:

-rw-r--r--  1 root   root   1258 Jun 18  2025 pwned.txt

I read the message:

cat Desktop/pwned.txt

It contained Oliver's corporate details and a message from the attacker:

(…) Your AI was very helpful. Unfortunately, it also has a big mouth. Might want to patch that memory leak :')

Maybe be more careful next time when clicking email attachments :') You left a password in one of those files I encrypted, can you remember which one? Public release in 48 hours if conditions unmet.

Don't test me. This isn't the first time I've made something disappear from a company's reputation overnight. (…)

From this we can infer the following:

  • The attacker abused the company's AI assistant, developed by Oliver, and got it to disclose information it should have kept private (the "memory leak" in the note). This was probably part of how they gained access to the system.
  • The foothold on the workstation was most likely a malicious attachment in a phishing email that Oliver opened, which is how the files came to be encrypted.

Investigation of the pcap file

The room's hint mentions that there is a pcap file containing the working notes of the attacker, so I searched the whole file system for pcap files (the pattern is quoted so that the shell does not expand it before find sees it):

find / -name '*.pcap' 2>/dev/null

Several results were found:

(...)
/home/o.deer/Documents/pcap_dumps/2025-06-15/session_9698_dump.pcap
/home/o.deer/Documents/pcap_dumps/2025-06-15/session_2566_dump.pcap
/home/o.deer/Documents/pcap_dumps/2025-06-15/session_1637_dump.pcap
/home/o.deer/Documents/pcap_dumps/2025-06-18/session_1221_dump.pcap
/home/o.deer/Documents/pcap_dumps/2025-06-18/session_1071_dump.pcap
/home/o.deer/Documents/pcap_dumps/2025-06-18/session_1193_dump.pcap
/home/o.deer/Documents/pcap_dumps/2025-06-18/session_1969_dump.pcap
/home/o.deer/Documents/pcap_dumps/2025-06-18/session_1356_dump.pcap
/home/o.deer/Documents/pcap_dumps/2025-06-18/session_1164_dump.pcap
(...)

There are many pcap files, grouped into per-day subfolders under /home/o.deer/Documents/pcap_dumps/.

I tried to examine one of them with tshark:

tshark -r /home/o.deer/Documents/pcap_dumps/2025-06-18/session_1071_dump.pcap

Only three frames were inside, each a bare 42-byte Ethernet II frame with an unknown EtherType and no IP layer, i.e. filler rather than real traffic:

1   0.000000 5e:0d:a0:1a:e3:9d → 37:4e:63:4a:26:60 0x4d37 42 Ethernet II
2   0.000000 cc:84:97:9d:b6:15 → 80:d4:71:62:24:98 0xbc44 42 Ethernet II
3   0.000000 f6:74:cb:08:6f:3a → e0:ac:0b:89:69:42 0x45c2 42 Ethernet II

I decided not to examine all of them on the CLI one by one, so I used scp to copy the files to my "attacker" machine:

scp -r o.deer@10.114.156.127:/home/o.deer/Documents/pcap_dumps/* .

In the output something caught my attention:

(...)
session_7231_dump.pcap       100%  198     2.8KB/s   00:00    
session_1267_dump.pcap       100%  198     1.9KB/s   00:00    
session_4444_dump.pcap       100% 2262    42.8KB/s   00:00    
session_5968_dump.pcap       100%  198     3.9KB/s   00:00    
session_1286_dump.pcap       100%  198     4.1KB/s   00:00    
session_1221_dump.pcap       100%  198     4.0KB/s   00:00
(...)

All files had the same size except session_4444_dump.pcap. The 198 bytes of the others is exactly a 24-byte pcap global header plus three 42-byte frames, each preceded by a 16-byte record header (24 + 3 x 58 = 198), so every one of those dumps is the same three-frame filler seen in the tshark output. I opened the odd one out in Wireshark for analysis. This file contained a short TCP conversation, and one packet carried a large text payload:

(Screenshot: Wireshark log with a notable network packet)

I selected it and used Right Click -> Follow -> TCP Stream to examine the data further. The stream contained a mix of different data, and it took me a while to realise that it was actually the attacker's working notes. They contained the following:

  • Basic information about the target.
  • Attempts to exploit a prompt injection vulnerability in the AI developed by Oliver.
  • A draft of the phishing email.
  • Other notes the attacker kept for themselves.
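The triage of the dumps and the extraction of the TCP stream can be done without a GUI, and a minimal pcap parser also makes the point about the 198-byte filler files concrete. The following is an added example for this write-up, not code from the room or its author: it reads classic pcap files (not pcapng) with the Ethernet link type, which is what tshark showed, counts the frames, and collects the TCP payload of each capture. The MAC and IP addresses, ports and note text in the constructed sample captures are made up.

```python
#!/usr/bin/env python3
"""Triage a directory of pcap dumps without Wireshark: count the frames in each
file, pull out any TCP payload, and flag the captures that carry real data.
Added example for this write-up (not part of the room); the sample captures
are constructed in build_samples() so the script also runs offline."""
import glob
import os
import struct
import sys

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
ETH_HDR_LEN = 14


def read_pcap(data):
    """Yield the raw frames of a classic pcap file (either byte order).
    Assumption: the dumps are classic pcap, as tshark read them above;
    pcapng (magic 0x0A0D0D0A) would need a different reader."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        order = "<"          # written by a little-endian host
    elif magic == b"\xa1\xb2\xc3\xd4":
        order = ">"
    else:
        raise ValueError("not a classic pcap file")
    off = 24                 # skip the global header
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(order + "IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def tcp_payload(frame):
    """Return the TCP payload of an Ethernet/IPv4/TCP frame, or None otherwise.
    The 42-byte filler frames are shorter than Ethernet+IP+TCP headers and
    carry a junk EtherType, so they are rejected here."""
    if len(frame) < ETH_HDR_LEN + 40:
        return None
    if struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[ETH_HDR_LEN:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", ip, 2)[0]
    if ip[9] != IPPROTO_TCP:
        return None
    tcp = ip[ihl:total_len]
    data_off = (tcp[12] >> 4) * 4
    return tcp[data_off:]


def summarize(data):
    """Return (frame_count, concatenated TCP payload) for one capture's bytes."""
    frames, payload = 0, bytearray()
    for frame in read_pcap(data):
        frames += 1
        p = tcp_payload(frame)
        if p:
            payload += p
    return frames, bytes(payload)


def triage(captures):
    """captures: {name: pcap bytes}. Return the names that carry TCP payload,
    largest payload first; in the room exactly one dump qualifies."""
    sized = [(name, len(summarize(data)[1])) for name, data in captures.items()]
    return [name for name, n in sorted(sized, key=lambda t: -t[1]) if n > 0]


# --- constructed fixtures (hypothetical addresses and text, not the room's data) ---
def build_pcap(frames):
    """Serialize frames as a little-endian classic pcap (link type 1 = Ethernet)."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return bytes(out)


def tcp_frame(payload, sport=40000, dport=4444):
    """Minimal Ethernet/IPv4/TCP frame; checksums are left zero since no stack sees it."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, IPPROTO_TCP, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + tcp
    return bytes(12) + struct.pack("!H", ETHERTYPE_IPV4) + ip


FILLER = bytes.fromhex("02aa00000001" "02bb00000002" "4d37") + bytes(28)  # 42 bytes, junk EtherType


def build_samples():
    """Dumps shaped like the room's: two three-frame filler files (198 bytes each,
    i.e. 24 + 3 x (16 + 42)) and one that also carries a TCP segment with text."""
    note = b"working notes: archive key reminder goes here\n"
    return {
        "session_1071_dump.pcap": build_pcap([FILLER] * 3),
        "session_1221_dump.pcap": build_pcap([FILLER] * 3),
        "session_4444_dump.pcap": build_pcap([FILLER, tcp_frame(note)]),
    }


if __name__ == "__main__":
    # Usage: pcap_triage.py /path/to/pcap_dumps   (without an argument, uses the built-in samples)
    if len(sys.argv) == 2:
        paths = glob.glob(os.path.join(sys.argv[1], "**", "*.pcap"), recursive=True)
        captures = {p: open(p, "rb").read() for p in paths}
    else:
        captures = build_samples()
    for name in triage(captures):
        frames, text = summarize(captures[name])
        print(f"{name}: {frames} frames, {len(text)} payload bytes")
        print(text.decode("utf-8", "replace"))
```

Run against the copied pcap_dumps directory, the script lists only the captures that contain TCP data and prints their payload, which is the same information as Wireshark's Follow -> TCP Stream for a single-direction stream. It deliberately ignores reassembly and retransmissions: for the room's one-segment note that is enough, but on real traffic use tshark's follow output instead.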

One line among the notes looked like a reminder of a specific phrase:

(Screenshot: TCP stream with the notes of the attacker)

This looked like a password, but it was not obvious which characters were actually part of it. After a couple of attempts I found that the password contains only alphanumeric characters: no special characters, not even "_" underscores.

I established this by simply trying to extract the zip file. It unzipped with the password extracted from the pcap file:

unzip westtech_projects_encrypted.zip

It extracted the following content:

home/o.deer/westtech_projects/vault_tek_collab_agenda.doc password: 
  inflating: home/o.deer/westtech_projects/vault_tek_collab_agenda.doc  
  inflating: home/o.deer/westtech_projects/internal_security_incident_233.json  
  inflating: home/o.deer/westtech_projects/thm_flags.txt  
  inflating: home/o.deer/westtech_projects/prototype_plasma_launcher_test_logs.log  
  inflating: home/o.deer/westtech_projects/email_export_april2025.eml  
  inflating: home/o.deer/westtech_projects/thm_flags_guide.txt  
  inflating: home/o.deer/westtech_projects/project_chimera_specs.txt  
  inflating: home/o.deer/westtech_projects/fusion_cell_mk3_blueprints.pdf
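The trial and error of the previous step (which characters of the fragment belong to the password?) can be automated. The following is an added example, not part of the room or of this write-up's original tooling: it generates the plausible readings of an ambiguous fragment, from the most literal down to alphanumerics only, and tests each against the archive with Python's zipfile module. The fragment and the archive path on the usage line are hypothetical.

```python
#!/usr/bin/env python3
"""Try the plausible readings of a password fragment found in a TCP stream
against a password-protected zip, instead of retyping variants by hand.
Added example; the fragment and archive path given on the command line are
hypothetical, e.g.: zip_pw_variants.py westtech_projects_encrypted.zip 'Str0ng_Pa55-w0rd!'"""
import re
import sys
import zipfile
import zlib


def candidates(fragment):
    """Yield distinct readings of the fragment, most literal first: as seen,
    trailing punctuation dropped, whitespace removed, whitespace and
    underscores removed, and finally alphanumerics only (the reading that
    actually worked for the room's archive)."""
    seen = set()
    for v in (
        fragment,
        fragment.strip(" \t\r\n.,;:!?'\"`"),
        re.sub(r"\s+", "", fragment),
        re.sub(r"[\s_]+", "", fragment),
        re.sub(r"[^0-9A-Za-z]", "", fragment),
    ):
        if v and v not in seen:
            seen.add(v)
            yield v


def first_encrypted_member(zf):
    """Return the first encrypted, non-directory entry, or None."""
    for info in zf.infolist():
        if info.flag_bits & 0x1 and not info.is_dir():   # general purpose bit 0 = encrypted
            return info
    return None


def find_password(zip_src, fragment):
    """Return the first candidate that decrypts the archive, "" if nothing is
    encrypted, or None. zip_src may be a path or a file-like object. The stdlib
    only handles ZipCrypto (the legacy scheme 'unzip' prompted for above);
    AES-encrypted entries raise NotImplementedError on open."""
    with zipfile.ZipFile(zip_src) as zf:
        member = first_encrypted_member(zf)
        if member is None:
            return ""
        for pwd in candidates(fragment):
            try:
                with zf.open(member, pwd=pwd.encode()) as fh:
                    fh.read()              # read to the end so the CRC is verified
                return pwd
            except (RuntimeError, zipfile.BadZipFile, zlib.error):
                # RuntimeError: ZipCrypto's 1-byte password check failed.
                # BadZipFile / zlib.error: the check passed by chance (1 in 256)
                # but the data was garbage, so keep trying.
                continue
    return None


if __name__ == "__main__":
    archive, fragment = sys.argv[1], sys.argv[2]
    pwd = find_password(archive, fragment)
    print("password:", repr(pwd) if pwd else "not found")
```

Reading the whole member rather than just opening it matters: ZipCrypto only stores a one-byte check value, so about one wrong password in 256 gets past the open() call and is only caught by the CRC check at the end of the data.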

Later I decided to transfer the archive to the "attacker" machine as well, so that I could inspect the files in a GUI:

scp o.deer@10.114.156.127:/home/o.deer/westtech_projects_encrypted.zip .

I extracted the files on my machine too, using the same password, and started analysing them.

Finding the correct flag

I opened the files extracted from the archive in my text editor. It turned out that Oliver was working on several advanced weapons projects; no wonder the company has enemies. The file thm_flags_guide.txt explained how to find the flag: the solution of the room is inside thm_flags.txt, which contains 500 base64-encoded flags in the format thm{n1,n2,n3,n4,n5}, where n1-n5 are all two-digit numbers. The real flag is the one in which exactly 3 of the five numbers are prime. I could either write a script that extracts it, or, as the guide suggests, use the [liberty_prime] function of the AI assistant to find the correct flag.

At this point I had to restart the virtual machine, because I had lunch before continuing with the examination of the archive's contents. After the restart, the web page with the AI assistant did not load, so I decided to write a Python script that extracts the flag instead:

#!/usr/bin/python3

import base64  # For base64 decoding
import sys  # For argument parsing

# Parse arguments
if len(sys.argv) != 2:
    # If the file path is not provided, explain usage and exit
    # Get the file path and extract the script name from it:
    scriptName = __file__.split("/")[-1]
    print('ERROR: You have to provide the path of "thm_flags.txt"!\nUsage: [python3 ' + scriptName + ' thm_flags.txt]')
    sys.exit(1)
path = sys.argv[1]

# Two-digit primes (10..99), computed by trial division instead of hardcoded so the list cannot be mistyped:
# 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71, 73, 79, 83, 89, 97
primes = [n for n in range(10, 100) if all(n % d for d in range(2, int(n ** 0.5) + 1))]

# Extract correct flag
success = False
with open(path, "r") as flagFile:
    for line in flagFile:
        line = line.strip()
        if not line:  # Skip blank lines, e.g. a trailing newline at the end of the file
            continue
        # Base64 decode the line to get the flag:
        flag = base64.b64decode(line).decode("utf-8")
        # Extract the numbers between the braces of thm{n1,n2,n3,n4,n5}:
        numbers = flag[flag.index("{") + 1:flag.index("}")].split(",")
        # Count the number of primes among them
        primeCount = sum(1 for nr in numbers if int(nr) in primes)
        if primeCount == 3:  # If the number of primes is exactly 3, print the flag
            print("Correct flag found: " + flag)
            success = True

# Print error message if no correct flag is found
if not success:
    print('No correct flag is found! Make sure to provide the correct "thm_flags.txt" file!')

Later I found out that the AI assistant had only failed to load because I forgot to restart OpenVPN, so I made extra work for myself. I admit it probably would have been faster to let the AI assistant do the job for me, but at least the Python script was 100% reliable, and I got to practise Python programming while writing it. Once it was done, I executed the script and it found the correct flag:

(Screenshot: the script output with the correct flag)

With this the mission is complete! And I didn't use the AI assistant at all!

Summary

To summarize, I investigated the incident in the following steps:

  1. Discovery of the ransom note and the encrypted project files.
  2. Finding the one pcap file that contains the attacker's notes.
  3. Analysis of the pcap file and recovery of the KEY to the archive.
  4. Extraction and inspection of the project files.
  5. Writing the Python script that extracts the correct flag (instead of using the function of the AI assistant).
  6. Claiming the flag found by the script.

With all of this done, the mission is completed!

P.S.: The usage of AI for this task

I actually tried to use the AI assistant while trying to find the solution, but I didn't have much success with it. I also tried to use public AI tools to find the flag, but ChatGPT and Gemini require authentication for file upload (and I did not want to sign up just for that), and Microsoft Copilot could not solve the flag extraction, so none of them could help me. I believe that these AIs can help in solving tasks, but so far they have never succeeded in helping with any of my challenges. Maybe one day they will, but not today.
