TryHackMe 2023 Day 20: DevSecOps - Advent of Frostlings
What is the handle of the developer responsible for the merge changes?
Under Merge Requests > Merged, we see one approved merge with a comments button off to the right.
Clicking the comments button brings us to this section.
Answer: BadSecOps
What port is the defaced calendar site server running on?
If we click on Repositories > Files, we find our YAML config file.
Within it, we find the Docker command with the port.
Answer: 9081
What server is the malicious server running on?
Answer: Apache
What message did the Frostlings leave on the defaced site?
Answer: Frostlings Rules
What is the commit ID of the original code for the Advent Calendar site?
Once we click on this commit, we find the ID.
Answer: 986b7407
If you enjoyed today’s challenge, please check out the Source Code Security room.
hxxps://tryhackme[.]com/room/sourcecodesecurity
Detective Frosteau believes it was an account takeover based on the activity. However, Tracy might have left some crumbs.
Looks like Delf Lead granted higher permissions than necessary.
Frostlino initially modified the rule, so the defaced site would not publish to Prod.
Then the defaced file was merged.
After this, the rule was changed back to Prod.
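The sequence above (pipeline rule changed, content merged, rule changed back) can be hunted for in commit history. The following is an added detection sketch, not code from the room or from this walkthrough; the commit ids, authors, file names and rule text are constructed placeholders, and `find_rule_flips` is a hypothetical helper name.

```python
from hashlib import sha256

CI_FILE = ".gitlab-ci.yml"  # assumed name of the pipeline config file

# Constructed history, oldest first. Ids, authors, paths and rule text are
# placeholders, not values from the room. "ci" is the CI file after the commit.
PROD, OTHER = "deploy:\n  only: [main]\n", "deploy:\n  only: [staging]\n"
HISTORY = [
    {"id": "c1", "author": "dev-a", "changed": ["index.html", CI_FILE], "ci": PROD},
    {"id": "c2", "author": "dev-b", "changed": [CI_FILE], "ci": OTHER},
    {"id": "c3", "author": "dev-b", "changed": ["index.html"], "ci": OTHER},
    {"id": "c4", "author": "dev-b", "changed": [CI_FILE], "ci": PROD},
    {"id": "c5", "author": "dev-a", "changed": ["README.md"], "ci": PROD},
]


def find_rule_flips(history, max_gap=5):
    """Flag CI-config edits that are undone shortly after other files land.

    Returns (change_id, [content_commit_ids], restore_id) tuples where the CI
    file was altered, non-CI files were committed while the altered config was
    in force, and the CI file was then restored to an earlier state.
    """
    findings = []
    seen = set()         # digests of every CI file state observed so far
    prev = None          # digest after the previous commit
    last_change = None   # index of the latest commit that altered the CI file
    for i, commit in enumerate(history):
        digest = sha256(commit["ci"].encode()).hexdigest()
        if prev is not None and digest != prev:
            restored = digest in seen
            if restored and last_change is not None and i - last_change <= max_gap:
                between = [c["id"] for c in history[last_change + 1:i]
                           if any(p != CI_FILE for p in c["changed"])]
                if between:
                    findings.append((history[last_change]["id"], between, commit["id"]))
            last_change = i
        seen.add(digest)
        prev = digest
    return findings


if __name__ == "__main__":
    for change, content, restore in find_rule_flips(HISTORY):
        print(f"rule changed in {change}, content {content} landed, restored in {restore}")
```

A finding is a lead for review rather than proof of tampering, since legitimate config experiments produce the same shape.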