Difficulty: very-easy
Vulnerability Explored: reverse shells
Sticking point: Trying to copy and paste my flag from my attack machine to TryHackMe. Turns out you can access the attack machine's clipboard in the left sidebar :)

Only slightly spoiler-ish. The flag isn't shown.

The theme of day 2 is that you, the cyber security elf, were able to get the systems online on day one, and now it's time to track down the culprit. So a website is set up for other elves to upload pictures of suspicious characters. Now you must audit the site to make sure there won't be any more security issues.

This challenge teaches you the concept of parameters in a URL as well as bypassing a form's security to upload a malicious script that can run a reverse shell. In my picture above you can kind of see a couple of spoilers: I had named my reverse shell script shell.jpg.php, although I should have named it santa.jpg.php because we know who the real culprit is. The script itself is the default PHP reverse shell script in Kali, and it only needed to have the IP and port modified in the script to point to the attack machine.
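From the defender's side, the double extension in shell.jpg.php is the whole story. The following is an added example, not code from the room or from this write-up: it assumes the form's filter only checks that the filename contains an image extension, and sets that beside a check on the single final extension plus the file's leading bytes. All function names and sample uploads are constructed for illustration.

```python
import os
import secrets

# Allow-listed final extensions and the magic bytes such a file must start with.
ALLOWED = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
}

def weak_check(filename: str) -> bool:
    """Assumed weak filter: accepts any name that merely contains an image extension."""
    return any(ext in filename.lower() for ext in ALLOWED)

def strict_check(filename: str, content: bytes) -> bool:
    """Accept only 'stem.ext' names with an allow-listed ext and matching magic bytes."""
    name = os.path.basename(filename.replace("\\", "/")).lower()
    parts = name.split(".")
    # Exactly one dot: rejects shell.jpg.php, dotfiles, and names with no extension.
    if len(parts) != 2 or not parts[0]:
        return False
    signatures = ALLOWED.get("." + parts[1])
    if signatures is None:
        return False
    return any(content.startswith(sig) for sig in signatures)

def stored_name(filename: str) -> str:
    """Server-chosen name for a file that already passed strict_check."""
    ext = os.path.splitext(filename.lower())[1]
    return secrets.token_hex(16) + ext

# Constructed sample uploads (not taken from the room).
JPEG_BYTES = b"\xff\xd8\xff\xe0" + b"\x00" * 16
PHP_BYTES = b"<?php /* placeholder script body */ ?>"
SAMPLES = [
    ("elf.jpg", JPEG_BYTES),
    ("shell.jpg.php", PHP_BYTES),
    ("photo.php", JPEG_BYTES),
    ("fake.jpg", PHP_BYTES),
]

if __name__ == "__main__":
    for fname, data in SAMPLES:
        print(f"{fname:15} weak={weak_check(fname)!s:5} strict={strict_check(fname, data)}")
```

Filename and content checks are only part of the fix: storing uploads outside the web root, or in a directory where the server never executes scripts, removes the impact even if a filter is bypassed.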

Thematically, day 2 wasn't as in-depth as day 1. It feels more like a segue into day 3 or 4. But I wasn't expecting to already be doing reverse shells on day 2 of the Christmas challenge. I was anticipating at least a few days before seeing the need to create a reverse shell. This gets me excited for what challenges lie ahead that might teach me new things or fill in gaps in my foundational knowledge.

The creator of day 2 linked to some other rooms that I haven't done and should really follow up on.

Intro to Shells
https://tryhackme.com/room/introtoshells

Upload Vulnerabilities
https://tryhackme.com/room/uploadvulns