July 1, 2026
ContAInment: AI Security TryHackMe
Your Mission
By Dilip Bindra
4 min read
You are a Security Analyst at West Tech, a classified defence and R&D contractor. Early this morning, internal monitoring systems flagged unusual network activity originating from the workstation of senior researcher Oliver Deer.
Upon accessing the machine, a ransom note was discovered on the desktop, suggesting that sensitive project data had been exfiltrated and encrypted.
Your job is to investigate the incident: identify how the attacker gained access, trace their actions, recover any stolen data, and neutralise the threat. Time is critical; the integrity of West Tech's most sensitive technologies may be at risk.
Set Up
- A workstation environment. You have been granted SSH access to the affected employee's workstation. You can access this from the AttackBox via:
  ssh o.deer@<machine-ip>
  Password: Password
- A trusty AI IR security assistant, armed with "tools" built and designed specifically to help you with the heavy lifting in this challenge.
- They don't need to be manually triggered by yourself, our AI is a smart cookie and can intelligently determine when these tools should be triggered from prompt context.
- Some of the tools may provide hints as to when to engage the AI for help and are presented in the "available tools" section in chronological order in which they can be used throughout the investigation.
- You can simply use it as you would a chatbot. Another cool feature is that this AI is deployed on the same system as the workstation you are investigating and so has access to all the files you do, meaning you can give it file paths in your queries. The AI is accessible via: http://ip:port/?__theme=light
This challenge is built to reflect a real defensive scenario, where all tasks can be accomplished without the use of your AI companion and its tools, but can be done with far more efficiency when taken advantage of. And with that, you're all set to go! Can you help save the day and contAIn the threat?
Steps to Solve:
Step 1: Logging in via SSH
After logging in, we find two important things:
- qwen-output -> a folder tied directly to the system's LLM environment
- wettech_project_encryption.zip -> an encrypted archive
Step 2: Finding the pcap files
Navigating inside qwen-output, we find that the LLM environment's folder is currently empty; meanwhile, the zip needs a password.
Looking at the AI chatbox, we learn how the LLM works.
So now we have to find the pcap files. There are two ways to do so:
- One is by navigating through Documents, where we find pcap files for different dates.
- The other is by searching: find / -name "*.pcap" 2>/dev/null
Walking through each file would consume time, so we list the file sizes to pinpoint data-heavy transfers, since we know data was exfiltrated:
find / -name "*.pcap" -exec ls -lh {} \; 2>/dev/null
pcap_dump/2025-06-17/session_4444_dump.pcap is the only one noticeably larger than the rest, which makes it the prime suspect for the exfiltration.
Now we look into the pcap file by running: strings /home/o.deer/Documents/pcap_dumps/2025-06-17/session_4444_dump.pcap
We can see an obfuscated string, w#e@%s~t^t-e$c*h_v^i%ct_im_1, so we give this pcap file to the AI chat and ask it to reassemble it.
The LLM environment now has something in its folder: reassembled_data_dump.txt.
We can now see there is dump data in the qwen-output folder. Looking at it, we get the password: "westtechvictim1"
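The size triage and string recovery above, as an added example that is not part of this write-up or the TryHackMe room. The sample directory tree and the dummy pcap contents are constructed inline so the script runs offline; only the obfuscated string and the date/file names mirror the ones seen in the write-up. It assumes what the recovered password shows: the obfuscation is punctuation "noise" interleaved with the real letters and digits, so stripping every non-alphanumeric character recovers the value.

```shell
#!/bin/sh
# Added example, not code from the room or the write-up: size-triage of pcap
# dumps, then recovery of an obfuscated string from the largest one. The only
# assumption is the one the write-up's result shows: the obfuscation is
# punctuation "noise" interleaved with the real letters and digits.
LC_ALL=C; export LC_ALL   # byte-wise tr/grep, no locale surprises

# Every *.pcap under $1 with its byte count, largest first.
pcap_sizes() {
    find "$1" -type f -name '*.pcap' -exec wc -c {} \; | sort -rn
}

# Path of the single largest pcap under $1: the exfiltration suspect.
largest_pcap() {
    pcap_sizes "$1" | head -n 1 | sed 's/^ *[0-9]* //'
}

# Minimal strings(1) stand-in: printable runs of at least ${2:-8} characters.
printable_runs() {
    tr -c '[:print:]' '\n' < "$1" | grep -E "^.{${2:-8},}$"
}

# Keep only runs that look obfuscated: at least 8 letters/digits, and at
# least a third of the characters are non-alphanumeric noise. Ordinary
# protocol text such as "GET /index.html HTTP/1.1" does not pass this test.
obfuscated_runs() {
    awk '{
        s = $0; n = length(s)
        a = gsub(/[A-Za-z0-9]/, "", s)      # a = count of letters and digits
        if (a >= 8 && (n - a) * 3 >= n) print $0
    }'
}

# Strip everything that is not a letter or digit.
deobfuscate() {
    printf '%s' "$1" | tr -cd 'A-Za-z0-9'
}

# First obfuscated-looking run in the pcap, cleaned up. Returns 1 if none.
recover_password() {
    run=$(printable_runs "$1" | obfuscated_runs | head -n 1)
    [ -n "$run" ] || return 1
    deobfuscate "$run"
}

# Constructed sample tree (dummy pcaps, not real captures) so this runs offline.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/2025-06-16" "$d/2025-06-17"
    dd if=/dev/zero bs=512 count=1 2>/dev/null > "$d/2025-06-16/session_80_dump.pcap"
    dd if=/dev/zero bs=1024 count=1 2>/dev/null > "$d/2025-06-16/session_443_dump.pcap"
    {
        dd if=/dev/zero bs=300 count=1 2>/dev/null
        printf 'GET /index.html HTTP/1.1\r\n'
        dd if=/dev/zero bs=40 count=1 2>/dev/null
        printf 'w#e@%%s~t^t-e$c*h_v^i%%ct_im_1'   # the string seen in the write-up
        dd if=/dev/zero bs=1024 count=4 2>/dev/null
    } > "$d/2025-06-17/session_4444_dump.pcap"
    printf '%s\n' "$d"
}

# Usage on the workstation (paths as in the write-up):
#   largest_pcap /home/o.deer/Documents
#   recover_password /home/o.deer/Documents/pcap_dumps/2025-06-17/session_4444_dump.pcap
# Offline demo on the constructed sample:  sh this_script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    sample=$(make_sample)
    suspect=$(largest_pcap "$sample")
    printf 'largest pcap: %s\n' "$suspect"
    printf 'recovered:    %s\n' "$(recover_password "$suspect")"
    rm -rf "$sample"
fi
```

The noise-ratio filter in obfuscated_runs is what keeps ordinary protocol text out of the candidate list; on a real capture you would still eyeball the few runs it returns rather than trust the first one blindly, and anything that does not clean up to a plausible value is a reason to hand the full dump to the AI assistant, as the write-up does.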
After unzipping the archive we can see there is a flag_guide txt file and a flag txt file. First we read the guide to understand how cryptography is used to hide the flag, and then we extract the flag txt by providing the exact file path to the LLM chatbox.
Then, to keep the web AI from hitting directory-parsing constraints, I audited the file's layout directly:
head -5 /dev/shm/home/o.deer/westtech_projects/thm_flags.txt
After that, you can extract the flag in two ways:
- By giving the flag path to the LLM and telling it to use liberty_primefunction to extract the flag.
- By creating a Python file to extract the flag.
Thank You …