TryHackMe: Advent Of Cyber 2023 - Day 20

One of the main reasons the Best Festival Company acquired AntarctiCrafts was their excellent automation for building, wrapping, and crafting. Their new automation pipelines make the process much easier, faster, more scalable, and more effective. However, someone has tampered with the source control system, and something weird is happening! It’s suspected that McGreedy has impersonated some accounts or teamed up with rogue Frostlings. Who knows what will happen if a malicious user gains access to the pipeline?

In this task, you will explore the concept of poisoned pipeline execution (PPE) in a GitLab CI/CD environment and learn how to protect against it. You will be tasked with identifying and mitigating a potential PPE attack.

A GitLab instance for AntarctiCrafts’ CI/CD automates everything from sending signals and processing Best Festival Company services to building and updating software. However, someone has tampered with the configuration files, and the logs show unusual behaviour. Some suspect the Frostlings have bypassed the access controls and gained a foothold in our build processes.
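The defensive side of the task, as an added example that is not part of the original room and not AntarctiCrafts’ real pipeline: a constructed .gitlab-ci.yml showing a deploy job that anyone who can push a branch or open a merge request can hijack, beside the same job gated to protected refs of the main project. The job names, build.sh, deploy.sh, the DEPLOY_TOKEN variable and the antarcticrafts/calendar project path are assumptions; the CI_* variables are GitLab’s own predefined ones.

```yaml
# Added example: a constructed .gitlab-ci.yml, not AntarctiCrafts' real pipeline.
# Job names, build.sh, deploy.sh, DEPLOY_TOKEN and the project path are assumptions.
stages:
  - build
  - deploy

build:
  stage: build
  script:
    - ./build.sh

# WEAK: runs on every push to any branch and in merge-request pipelines from
# forks. Whoever can push a branch or open an MR can edit this file, change
# `script`, and have the runner execute their commands with DEPLOY_TOKEN in
# the job environment. That is poisoned pipeline execution (PPE).
deploy_unsafe:
  stage: deploy
  script:
    - ./deploy.sh "$DEPLOY_TOKEN"

# HARDENED: the same job, restricted so a tampered copy of this file on an
# unprotected branch or in a fork never reaches the deploy step.
deploy:
  stage: deploy
  script:
    - ./deploy.sh "$DEPLOY_TOKEN"
  rules:
    # Never run for merge requests whose source is a different (forked) project.
    - if: '$CI_PIPELINE_SOURCE == "merge_request_event" && $CI_MERGE_REQUEST_SOURCE_PROJECT_PATH != $CI_PROJECT_PATH'
      when: never
    # Only run on a protected ref (for example main) of the main project.
    - if: '$CI_COMMIT_REF_PROTECTED == "true" && $CI_PROJECT_PATH == "antarcticrafts/calendar"'
    # Anything else: do not add the job to the pipeline at all.
    - when: never
```

The caveat a practitioner should keep in mind is that the rules live in the very file an attacker edits, so on their own they only stop accidental runs. The controls that actually hold are set outside the file: mark DEPLOY_TOKEN as a Protected variable so it is exposed only to jobs on protected branches and tags, mark the runner as protected, protect main so only Maintainers can push or merge, require merge request approvals, and list .gitlab-ci.yml in CODEOWNERS so a change to the pipeline definition cannot be merged by its author alone. When the logs look wrong, git log -p -- .gitlab-ci.yml shows who changed the pipeline definition and what they changed, which is the trail the room has you follow.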

Questions

What is the handle of the developer responsible for the merge changes?

  • BadSecOps

What port is the defaced calendar site server running on?

  • 9081

What server is the malicious server running on?

  • Apache

What message did the Frostlings leave on the defaced site?

  • Frostlings Rule

What is the commit ID of the original code for the Advent Calendar site?

  • 986b7407

If you enjoyed today’s challenge, please check out the Source Code Security room.

  • No answer needed

Detective Frosteau believes it was an account takeover based on the activity. However, Tracy might have left some crumbs.

  • No answer needed

This post is licensed under CC BY 4.0 by the author.