Skip to content

AoC3 Day 8: Log Analysis & Shellbags

If you are new to TryHackMe, I recommend checking out their Tutorial room to see how the platform works and how you can access the target machine(s). I also highly recommend using your own “attack box”, be it a Kali, Parrot, or some other pentesting oriented Linux distro (in the form of a VM), as opposed to the browser based solution TryHackMe provides. I’ve found that the browser based VM is a lot slower, though others seem to have no issues with it. The only thing using your own attack VM entails is connecting it to THM’s network through VPN, but this is incredibly easy as TryHackMe will supply you with your own OpenVPN configuration file and is outlined below.

Types of Challenges

The TryHackMe platform has multiple types of challenges, each potentially having its own requirements for accessing and completing it. You can identify the type of challenge by looking at the icon on the right-hand side of the collapsible bar for that particular challenge:

Challenges using the “server rack” icon include the use of a deployable machine, and are the most common. Pressing the “Start Machine” button will launch a virtual machine that you have two ways of accessing: using THM’s “attack box”, found at the top of your browser window:

Or, you can instead opt to use your own virtual machine connected to the THM network, which is done (on Linux) by clicking your user icon, “Access”, and then “Download My Configuration File”.

Clicking “Save File”

And by running the following command in a terminal (I might suggest you move the download to another folder, such as “Documents”):

Once you see “Initialization Sequence Completed”, you’ll know you’ve successfully connected to THM’s network. Keep this terminal window open (you can minimize it, however). Return to it and press “Ctrl” + “C” twice once you are ready to disconnect.

After you’ve chosen between THM’s attack box or your own virtual machine, you’ll need the IP address of the target machine, which is what was deployed earlier with the green “Start Machine” button. That information can be seen in a banner at the top of your browser window, or in more detail at the top of the page:

In many cases you’ll be copying that IP address into your attack box/VM’s browser’s address bar, but in other cases you might be accessing it through SSH, RDP, etc. You’ll notice that you can add time to it if needed, or terminate it if you finish early – opening up more resources for other THM users.

Challenges using the “browser” icon will require interaction with a simulated website that can be accessed by pressing the “View Site” seen after expanding the challenge. These challenges will need to be completed from within your browser, and cannot be accessed through a VPN on your own machine due to the fact that they are not true websites.

Challenges with the “download” icon include files – in many cases packet captures (pcaps) or log files to be parsed through using a specific type of software. Where you would like to do this examining is up to you, but you will not be able to use one of TryHackMe’s machines. For examining something like a .pcap file, you will want to install Wireshark on one of your own computers or VMs.

Challenges without an icon focus on either reading material and answering questions, or will include a link to a publicly accessible website that doesn’t require connection to THM’s network, and therefore can be completed from any computer you choose.

TryHackMe; Advent of Cyber 3; Day 8 Walkthrough

Day 8 diverges from the previous challenges in this year’s Advent of Cyber, transitioning from web exploitation concepts to the digital forensics side of cybersecurity. Today focuses specifically on the analysis of PowerShell transcription logs and shellbags – what they are, how to find them, and what they mean.

This is the first challenge where I might recommend using TryHackMe’s built-in machine, as you may run into some issues attempting to RDP into it using your own attack box/VM. After launching it, THM will open the Windows machine in the right half of your browser Window. We’ll start out by opening the “SantasLaptopLogs” folder located on the desktop.

Let’s open the first log entry, where we will find the operating system of the machine which transcript logs we are reading:

Now we’ll return to the logs folder, where I’d recommend clicking “Date modified” to organize them in chronological order. We’ll then open the second entry, which should have a “Date modified” value of 11/28/2021 6:36 PM.

Look through the logs for a command starting with “net user” and ending with “/add”, which indicates another user account being added to the Windows machine. The syntax of that command would provide that the “backdoor” account being created has a username of “s4nta” and a password of “grinchstolechristmas”

We’ll return to the logs folder, and begin looking through the third and fourth files for a sign that the perpetrator copied a file to their “s4nta” user Desktop, for which the full path can be seen below.

Next, we need to find usage of a “Living Off The Land binary” (LOLbin), which can be described as a native Windows binary or executable being used for malicious purposes – a tactic employed by attackers in order fly under the radar of traditional AV. We see this sort of usage in our logs with the “certutil.exe” executable, which is being used to encode the UsrClass.dat file for santa’s (real) account.

This encoding can easily be reversed, so let’s copy the output of that command and throw it into CyberChef, a shortcut to which is on the desktop, and decode it from Base64.

If your THM machine is being slow, I’ve found the quickest way to do this is to delete all the text up to and including “—START CERTIFICATE—” and starting with “—END CERTIFICATE—“, and then highlighting it all with “Ctrl” + “A”. The start and end of your text should like similar to this:

Paste it into the input box on the right-hand side of CyberChef, and drag “From Base64” to your “Recipe”. It will automatically start processing, after which you can download the file

The default filename is fine:


Now we’ll launch the ShellBagsExplorer utility from within its eponymous folder, located on the Desktop:

Click “File” > “Load offline hive” and choose the “download.dat” file we decoded earlier.

We can now start expanding folders to see all the artifacts of folders that were on this machine when the UsrClass.dat file was gathered. This will reveal the folder that may be home to publicly accessible software hosted on a code-sharing platform, as well as the name of the file found in the “Bag of Toys” folder.


We’re now tasked with figuring out which user owns the “SantaRat” repository, which a quick Google search for “santarat github” should reveal.

Clicking the username, and then “Overview”, we can see their other repositories, including one that seems especially pertinent to our investigation.

We now need to return to our PowerShell transcription logs to find the name of the executable that installed a unique utility to collect the bag of toys. This particular entry can be found in the fourth log file, if they are ordered chronologically. Downloading from the internet using PowerShell is commonly done with the “Net.WebClient” class, which we can see occurring the screenshot below, along with the name of the executable.

We’ll now return to the transcription logs folder and open the fifth and final log, in which we can find the contents of the “malicious” files that our attacker created within the “Bag of Toys” directory.

We’ll now revert back to our browser and Github, in which we’ll visit the “operation-bag-of-toys” repository under the “Grinchiest” account.

Then at the commit messages:

And finally at the second commit.

It’s here we find the password to the original bag_of_toys.uha archive.

And finally, we’ll open the “bag_of_toys.uha” archive stored on our desktop, and use the password we found on Github to unlock it to find out how many original files were present in Santa’s Bag of Toys.