TryHackMe: Systems as Attack Vectors Walkthrough (SOC Level 1)

Welcome to this walkthrough of the Systems as Attack Vectors room on TryHackMe. In this room we learn how attackers exploit vulnerable and misconfigured systems, and how you can protect them.

Systems as Attack Vectors room banner

Room URL:
https://tryhackme.com/room/systemsattackvectors

I am making these walkthroughs to keep myself motivated to learn cyber security, and to make sure I remember the knowledge gained from these challenges on HTB and THM. Join me in learning cyber security. I will try to explain concepts as I go, to differentiate myself from other walkthroughs.




Task 1: Introduction

Continue exploring the SOC role in protecting the digital world, now focusing on systems as attack vectors. In this room, you will learn what the systems are, why and how threat groups target them, and what you can do as a SOC analyst to keep your company secure.

Learning Objectives

  • Learn the role of a system in a modern digital world
  • Explore a variety of real-world attacks targeting systems
  • Practice the acquired knowledge in two realistic scenarios

Prerequisites

Questions

I’m ready to learn!

Answer: No answer needed


Task 2: Definition of System

Imagine a castle with a superbly trained gatekeeper who can spot phishing and deepfakes — but the main gate is secured with a cheap, brittle padlock. The gatekeeper’s skills don’t matter if an attacker simply shoots an arrow through the lock: the enemy walks right in while no one’s watching. That’s the crux in cybersecurity: user-focused defenses (awareness, training) are valuable, but they won’t stop attackers who exploit weak systems directly.

What we mean by “system”
A system is where data actually lives — a physical server, a virtual machine, or a cloud platform (think Microsoft 365). Compromising a single user account is bad; compromising the system that hosts many accounts is catastrophic. Attackers prefer high-value targets where one breach scales into thousands.

Breached system: what the attacker can do

  • Personal laptop of a school student: steal gaming accounts, add the device to a botnet
  • Bank senior IT admin’s laptop: pivot into internal banking systems and sensitive data
  • Mail server of a law firm: dump thousands of mailboxes and blackmail clients
  • Server in an industrial control network: encrypt or disable the network (ransomware, safety risks)
  • Government website management panel: deface sites, spread propaganda or disinformation

Key takeaways

  • Train users (the gatekeepers) — it reduces risk — but don’t stop there.
  • Harden the locks: prioritize system security (patching, access controls, segmentation, secure configs).
  • Focus on high-value systems first — attackers will always go where one compromise gives maximal payoff.
  • Defense-in-depth: combine user awareness, strong system hardening, monitoring, and rapid response.


Questions

Can cyber attacks happen without victim intervention (Yea/Nay)?

Yea. Many attacks need no action from the victim at all. An Internet-exposed service with an unpatched vulnerability or a default password can be found by automated scanners and compromised without anyone clicking anything, and the victim often only notices afterwards, if ever.

Answer: Yea

Can a breach of just a single system lead to disastrous consequences (Yea/Nay)?

Yea. This happens all the time as well. The attacker only needs one point of entry; afterwards they move from system to system. This is called lateral movement: a technique used to move through a network after gaining initial access, letting the attacker find valuable data, escalate privileges, and reach their ultimate target.

Answer: Yea


Task 3: Attacks on Systems

In nearly every major cyberattack, the first objective is the same – gain access to the target system. What happens afterward depends on the attacker’s goal: stealing data, deploying ransomware, or destroying information altogether. But the entry points are often familiar. Here are three of the most common ways attackers break in:


1. Human-Led Attacks

Users themselves often open the door for attackers.
It can start with:

  • Plugging in a malicious USB found on the street
  • Downloading infected software from pirated sites
  • Reusing weak passwords across multiple accounts

In fact, 81% of breaches involve stolen or weak credentials. Something as simple as using “tryhackme” as a password can give attackers an easy win.


2. Vulnerabilities

Every software product has flaws — and attackers exploit them.
In 2024 alone, more than 40,000 vulnerabilities were published, and over 300 were actively exploited in real-world attacks. The problem worsens when IT teams misconfigure systems, leave default passwords unchanged, or expose legacy servers online.

Shodan scans still reveal tens of thousands of outdated Windows XP/2008 systems connected to the Internet — easy prey for attackers.


3. Supply Chain Attacks

Modern software depends on thousands of external components. If just one of those is compromised, the infection can spread to everyone using it. This is called a supply chain attack – where trusted software delivers the attacker’s payload.

Notorious examples include SolarWinds and 3CX, both of which affected thousands of organizations. Even TryHackMe experienced such an incident when a library (Lottie Player) used for animations was compromised.

These attacks are especially dangerous because you can’t control every library, dependency, or update your systems rely on.

Questions

What is the term for a security flaw that can be exploited to breach a system?

Another word for a security flaw that can be exploited is a vulnerability.

Answer: Vulnerability

What is the name of the attack when malware comes from a trusted app or library?

We call this a supply chain attack. Modern web solutions are built from many different libraries, and a single compromised library, or a malicious update to one, is enough to cause serious problems for everyone who depends on it.

Answer: Supply Chain


Task 4: Vulnerabilities

Every piece of software contains flaws, some minor, others catastrophic. What makes them dangerous is how long they can remain undiscovered. Shellshock, for example, had been sitting in the Bash shell since 1989 but wasn’t found until 2014.

When attackers find such a flaw before anyone else, it becomes a zero-day — a vulnerability with no available fix. Detecting these early often depends entirely on a SOC team’s ability to recognize suspicious behavior before it’s too late.


From Discovery to Exploitation: The CVE Race

Once a vulnerability is disclosed, it is tracked under a CVE (Common Vulnerabilities and Exposures) identifier. From that moment, a race begins:

  • Attackers develop and share exploits.
  • Defenders scramble to patch systems and close the gap.

Windows has had this cycle for years — from EternalBlue (2017) to PrintNightmare (2021) and Follina (2022) – and new critical CVEs continue to appear annually.


How to Respond to Vulnerabilities

The definitive fix for a CVE is a patch — an update provided by the software vendor.
But when patches aren’t available yet (as with zero-days), defenders must hold the line by:

  • Restricting access to trusted IPs only
  • Applying vendor workarounds or temporary mitigations
  • Blocking known attack patterns using firewalls, IPS, or WAF solutions
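The "CVE race" only becomes actionable once you know which of your own hosts are actually affected and which of those are reachable from the Internet. The following is an added example (not part of the TryHackMe room or this post) of a small triage helper: it compares installed versions against advisory version ranges and ranks Internet-facing hosts first. The hosts, product names, CVE identifiers and version ranges are all constructed placeholders; for a real advisory, take the affected range from the vendor.

```python
# Added example, not part of the TryHackMe room or this post: a small vulnerability
# triage helper for the "CVE race" above. Given a host inventory with installed
# versions and a list of advisories with affected version ranges, it lists every
# exposed host and puts Internet-facing hosts first, then higher CVSS first.
# Hosts, products, CVE ids and version ranges are all constructed for illustration.
from dataclasses import dataclass, field


def parse_version(v: str) -> tuple[int, ...]:
    """'15.2.1544' -> (15, 2, 1544): compare numerically, not as strings
    (as strings, '15.10' < '15.9', which is wrong)."""
    return tuple(int(part) for part in v.split("."))


@dataclass
class Advisory:
    cve: str
    product: str
    affected_min: str   # lowest affected version (inclusive)
    fixed_in: str       # first version containing the fix (exclusive upper bound)
    cvss: float


@dataclass
class Host:
    name: str
    internet_exposed: bool
    software: dict[str, str] = field(default_factory=dict)  # product -> installed version


def is_affected(version: str, adv: Advisory) -> bool:
    v = parse_version(version)
    return parse_version(adv.affected_min) <= v < parse_version(adv.fixed_in)


def find_exposed(hosts: list[Host], advisories: list[Advisory]) -> list[tuple[str, str, bool]]:
    """Return (host, cve, internet_exposed) for every affected pair, worst first."""
    hits = [(h, a) for h in hosts for a in advisories
            if a.product in h.software and is_affected(h.software[a.product], a)]
    # Internet-facing first (False sorts before True, so negate), then CVSS descending.
    hits.sort(key=lambda pair: (not pair[0].internet_exposed, -pair[1].cvss))
    return [(h.name, a.cve, h.internet_exposed) for h, a in hits]


# Constructed inventory and advisories (CVE ids are placeholders, not real entries).
ADVISORIES = [
    Advisory("CVE-0000-0001", "example-mail", "15.0.0", "15.2.0", 9.8),
    Advisory("CVE-0000-0002", "example-cms", "6.0.0", "6.4.3", 7.5),
]
HOSTS = [
    Host("HQ-MAIL-02", True, {"example-mail": "15.1.2"}),
    Host("HQ-MAIL-01", False, {"example-mail": "15.2.0"}),  # already on the fixed version
    Host("WEB-01", True, {"example-cms": "6.4.2"}),
    Host("WIKI-01", False, {"example-cms": "6.2.0"}),
]

if __name__ == "__main__":
    for name, cve, exposed in find_exposed(HOSTS, ADVISORIES):
        print(f"{name:<12} {cve}  {'INTERNET-FACING: patch now' if exposed else 'internal'}")
```

The numeric version comparison is the part people get wrong in ad-hoc scripts: comparing "15.10" and "15.9" as strings puts the newer build first. The host that is already on the fixed version drops out of the list, and the Internet-facing mail server lands at the top, which is exactly the system where "restrict access until the patch is applied" buys the most time.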

Questions

What is the CVE for the critical SharePoint vulnerability dubbed “ToolShell”?

We are going to need to search for this answer. Simply use your favorite search engine and write “ToolShell CVE”. The first result that came up is this one:

https://www.bitsight.com/blog/toolshell-threat-brief-sharepoint-rce-vulnerabilities-cve-2025-53770-53771-explained

The page mentions two CVE numbers; the first one is the answer.

Answer: CVE-2025-53770

How would you respond to a detected vulnerability on your system?

When a vulnerability is detected on your system, patch it as soon as possible. If no patch exists yet, apply the workarounds from the previous section (restrict access, vendor mitigations, firewall/IPS/WAF rules) until one does.

Answer: patch


Task 5: Misconfigurations

Unlike software vulnerabilities, misconfigurations aren’t caused by code errors — they’re the result of human mistakes during setup. IT teams often make these errors unintentionally, usually in the name of convenience – using “1111” or “123456” instead of a secure password, for example. Unfortunately, these shortcuts can have massive consequences.


Real-World Examples

Misconfigurations have led to some of the biggest data breaches in history:

  • McDonald’s job portal: A weak “123456” password exposed 64 million chat records.
  • Capital One breach: A misconfigured web application firewall on AWS let an attacker make it request the instance metadata service, obtain the temporary IAM credentials of its over-privileged role, and pull data on about 106 million customers from S3 buckets.
  • Smart appliances: Poorly configured IoT fridges have been hijacked to join large-scale botnets.

Even small configuration errors can be devastating. For instance, an IT admin might:

  1. Set a weak database password
  2. Accidentally expose it to the Internet
  3. See it compromised within days by automated scanners

How to Respond to Misconfigurations

Unlike vulnerabilities, misconfigurations don’t need a software update — they just need a better setup. However, many SOC analysts discover them only after an attack has already occurred. In smaller organizations, you might also help prevent these issues by taking proactive steps such as:

  • Penetration Testing: Hire ethical hackers to simulate attacks and report discovered flaws
  • Vulnerability Scanning: Use tools to find default passwords, open ports, and outdated services
  • Configuration Audits: Manually verify system settings against security standards like CIS Benchmarks
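A configuration audit is easier to reason about with a concrete file in front of you. The following is an added example (not from the room or this post) of a minimal audit of an OpenSSH sshd_config-style file, showing the weak "convenient" setup next to its remediated version. Two details matter here: an absent directive is judged by OpenSSH's default, because not mentioning a setting does not make it safe, and, like sshd itself, the first occurrence of a directive wins, so a fix pasted at the bottom of the file does nothing. The check list is a small illustrative subset of common SSH hardening advice, not a reproduction of a CIS Benchmark, and both configuration texts are constructed.

```python
# Added example, not from the room or this post: a minimal configuration audit
# of an OpenSSH sshd_config-style file. Each directive is compared with a
# hardened value; a directive that is absent is judged by its OpenSSH default,
# because "not mentioned" is not the same as "secure". The check list is a small
# illustrative subset of common SSH hardening advice, not a CIS Benchmark, and
# both configuration texts are constructed.
import re

# directive -> (OpenSSH default when the directive is absent, hardened value)
# Defaults follow sshd_config(5) for current OpenSSH releases.
CHECKS = {
    "permitrootlogin":        ("prohibit-password", "no"),
    "passwordauthentication": ("yes", "no"),
    "permitemptypasswords":   ("no", "no"),
    "x11forwarding":          ("no", "no"),
    "maxauthtries":           ("6", "4"),   # numeric: actual must be <= hardened
}
NUMERIC_MAX = {"maxauthtries"}

DIRECTIVE_RE = re.compile(r"^([A-Za-z0-9]+)\s*=?\s*(.+?)\s*$")


def parse_sshd_config(text: str) -> dict[str, str]:
    """Return {directive_lowercase: value}. Like sshd itself, the FIRST value of a
    directive wins, so a 'fix' appended at the bottom of the file changes nothing.
    Parsing stops at the first Match block, whose directives are conditional."""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit(text: str) -> list[tuple[str, str, str]]:
    """Return (directive, actual, hardened) for every check that fails."""
    settings = parse_sshd_config(text)
    findings = []
    for key, (default, hardened) in CHECKS.items():
        actual = settings.get(key, default)
        if key in NUMERIC_MAX:
            ok = int(actual) <= int(hardened)
        else:
            ok = actual.lower() == hardened
        if not ok:
            findings.append((key, actual, hardened))
    return findings


# Constructed: the "convenient" setup an admin might leave behind.
WEAK_CONFIG = """
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no      # ignored by sshd: the first value above wins
"""

# Constructed: the same file after remediation.
HARDENED_CONFIG = """
Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
MaxAuthTries 3
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit(cfg) or 'no findings'}")
```

Run against the weak file this reports root login, password authentication and the default MaxAuthTries; the hardened file is clean. The same pattern (parse, fill in defaults, compare against a baseline) carries over to any text-based configuration, and a vulnerability scanner is essentially doing this at scale from the outside.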

Questions

Can a system patch or software update fix the misconfigurations (Yea/Nay)?

Nay! A patch fixes defects in code. A weak password or an exposed service is not a code defect, so the only fix is to change the configuration.

Answer: Nay

Which activity involves an authorized cyber attack to detect the misconfigurations?

This activity is a penetration test: an authorised, scoped attack carried out by penetration testers who then report what they found. Red teaming is a related but broader exercise that also tests detection and response, not just the presence of flaws.

Answer: Penetration Testing


Task 6: Practice

Attackers don’t separate “human hacking” (phishing, social engineering) from “system hacking” (exploiting flaws or misconfigurations).

  • One attack might be stopped by a software patch
  • Another blocked by antivirus software
  • A third detected by SOC analysts before damage occurs

But while you can train users to recognize threats, systems can’t learn – they rely entirely on how well they are built, configured, and maintained.


Common System Mitigation Measures

Mitigation: description

  • Patch Management: Continuously track and apply updates to fix vulnerabilities before attackers exploit them.
  • Training for IT: Educate admins about the risks of weak configurations to reduce accidental exposure.
  • Network Protection: Restrict system access to trusted users or IP ranges, minimizing the external attack surface.
  • Antivirus Protection: Detects or blocks known malware, providing a critical layer of automated defense.

Practice

In the TryHackMe Systems at Risk lab, you’ll apply these principles hands-on.
Review the vulnerable systems, design a Remediation Plan, and decide which mitigation techniques best protect your organization.

Click View Site to open the dashboard, complete your tasks, and capture the flags – just as a real SOC analyst would when defending their fortress.

Questions

What flag did you receive after completing the “Systems at Risk” challenge?

Open the Systems at Risk challenge:

We are met by four questions, which I will now cover in turn.

HQ-MAIL-02 at Risk: Action Required

The penetration team reported that our Exchange mail server is affected by CVE-2024-49040. They managed to breach the server thanks to that CVE and said anyone could do it since our server is Internet-exposed.

What action should be taken?

Ask IT to apply a patch and update Exchange!

While the other options reduce risk, they are quick fixes that leave the underlying vulnerability in place: restricting access or changing passwords only slows the attackers down. Patching removes the flaw itself, which is what locks the gate.

Corporate Website at Risk: Action Required

The threat actors managed to brute-force an admin panel of our WordPress website and replaced the main page with malware links and gambling ads.

What action should be taken?

Change the admin’s password to a more secure one

Loading a backup doesn’t make our system any safer! Patching would be smart, but the real issue is that the admin page got brute-forced, which means the password was too weak. Change the password to a more secure one straight away. Once that is done, the defaced page still has to be restored from a known-good backup and the site checked for anything the attacker left behind; login rate limiting or MFA would stop the next brute-force attempt from succeeding at all.
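A brute-forced WordPress login leaves a very recognisable trail in the web server access log, and spotting it before the defacement is the SOC analyst's job. The following is an added example (not from the room or this post) of a detector run over constructed Apache/Nginx "combined" format log lines. It counts POSTs to wp-login.php per source IP inside a sliding time window, and uses a WordPress default to separate failure from success: a failed login re-renders the form (HTTP 200), while a successful one redirects to wp-admin (HTTP 302). Plugins can change that behaviour, so treat the status check as a strong hint rather than proof. The IP addresses, timestamps and threshold are constructed.

```python
# Added example, not from the room or this post: a brute-force detector for the
# WordPress scenario above, run over constructed Apache/Nginx "combined" format
# access-log lines. It counts POSTs to wp-login.php per source IP inside a sliding
# time window, and uses a WordPress default to tell success from failure: a failed
# login re-renders the form (HTTP 200), a successful one redirects to wp-admin
# (HTTP 302). Plugins can change that behaviour, so treat the status check as a hint.
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"   # e.g. 01/Oct/2025:09:00:00 +0000


def parse_line(line: str):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],
        "status": int(m["status"]),
    }


def detect_wp_bruteforce(lines, threshold: int = 10, window: timedelta = timedelta(minutes=5)):
    """Return {ip: {"attempts": n, "succeeded": bool}} for every IP that POSTed to
    wp-login.php at least `threshold` times within any `window`-long period."""
    attempts = defaultdict(list)           # ip -> [(timestamp, status), ...]
    for line in lines:
        e = parse_line(line)
        if e and e["method"] == "POST" and e["path"].endswith("/wp-login.php"):
            attempts[e["ip"]].append((e["ts"], e["status"]))

    alerts = {}
    for ip, hits in attempts.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):          # sliding window over sorted timestamps
            while hits[end][0] - hits[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[ip] = {
                    "attempts": len(hits),
                    "succeeded": any(status == 302 for _, status in hits),
                }
                break
    return alerts


def sample_log() -> list[str]:
    """Constructed log: one attacker firing 12 POSTs in about 33 seconds, the last
    one answered with a 302 (credentials guessed), plus one legitimate admin login."""
    base = datetime(2025, 10, 1, 9, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(12):
        ts = (base + timedelta(seconds=3 * i)).strftime(TS_FMT)
        status = 302 if i == 11 else 200
        lines.append(f'203.0.113.7 - - [{ts}] "POST /wp-login.php HTTP/1.1" {status} 3921 "-" "python-requests/2.31"')
    ts = (base + timedelta(minutes=20)).strftime(TS_FMT)
    lines.append(f'198.51.100.4 - - [{ts}] "GET /wp-login.php HTTP/1.1" 200 4102 "-" "Mozilla/5.0"')
    lines.append(f'198.51.100.4 - - [{ts}] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"')
    return lines


if __name__ == "__main__":
    for ip, info in detect_wp_bruteforce(sample_log()).items():
        verdict = "SUCCESSFUL brute force, reset the password now" if info["succeeded"] else "brute force attempt"
        print(f"{ip}: {info['attempts']} login POSTs, {verdict}")
```

The legitimate admin, with a single POST, never reaches the threshold; the attacker's burst of 200s followed by a 302 is the signature of a guess that worked, which is the moment to force a password reset rather than merely block the IP.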

Threat Intelligence Alert: Action Required

Our neighbour company was hit with a ransomware attack a week ago. They say it started from an exploitation of their old Cisco firewall and advised us not to repeat their mistake and audit our Cisco devices.

What action should be taken?

Ensure all corporate firewalls are patched and do not have CVEs

This is the right decision. Before changing our equipment, we should try and patch any vulnerabilities.

LPT-01518 at Risk: Action Required

You observe an unusual spike of security events coming from the designer’s laptop: A trusted 3D design application suddenly starts running malicious CMD commands after the recent update. You need to quickly plan your next steps.

What action should be taken?

It is a new critical vulnerability in the design app
It is a supply chain attack coming with the recent update

The recent update must have brought in a vulnerability. The answers mention no solution, but I suggest rolling back the update, or uninstalling the application until an update gets pushed out. I wrongly guessed that the vulnerability was in the design app itself, but according to THM it is a supply chain attack. Anyway, I don’t think we can conclude this from the description, but there you go.

With all answers given we get the flag!

Answer: THM{patch_or_reconfigure?}
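Whatever the root cause label, the observable in the LPT-01518 scenario is the same: a trusted application that starts spawning a command interpreter right after an update. The following is an added example (not from the room or this post) of the parent/child process check a SOC would use to catch that, run over constructed process-creation events shaped like Sysmon Event ID 1 fields (Computer, Image, ParentImage, CommandLine). A trusted application gets an allowlist of the children it is known to launch; anything outside that list is flagged, and a child that is a command interpreter or LOLBin is rated high. The design application path, its allowlist and the command lines are hypothetical.

```python
# Added example, not from the room or this post: a parent/child process check for
# the LPT-01518 scenario, run over constructed process-creation events in the shape
# of Sysmon Event ID 1 fields (Computer, Image, ParentImage, CommandLine). A trusted
# application is allowed a known set of child processes; anything else is flagged,
# and a child that is a command interpreter is rated high. The design application
# path, its allowlist and the command lines are hypothetical.
import json
from pathlib import PureWindowsPath

# Interpreters and LOLBins that a desktop design tool has no business launching.
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# Hypothetical baseline: trusted parent -> children it is known to spawn.
TRUSTED_PARENTS = {
    r"c:\program files\exampledesign\design.exe": {"render.exe", "updater.exe"},
}


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def analyze(events_jsonl: str) -> list[dict]:
    """Return one alert per process-creation event whose parent is a trusted
    application and whose child is not on that parent's allowlist."""
    alerts = []
    for line in events_jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        parent = ev["ParentImage"].lower()
        allowed = TRUSTED_PARENTS.get(parent)
        if allowed is None:                 # parent is not one we baseline here
            continue
        child = basename(ev["Image"])
        if child in allowed:
            continue
        alerts.append({
            "host": ev["Computer"],
            "parent": basename(parent),
            "child": child,
            "command": ev["CommandLine"],
            "severity": "high" if child in INTERPRETERS else "medium",
        })
    return alerts


# Constructed events: normal rendering, then the post-update behaviour from the
# scenario, plus an unrelated cmd.exe from Explorer that this baseline ignores.
EVENTS = "\n".join(json.dumps(e) for e in [
    {"Computer": "LPT-01518", "ParentImage": r"C:\Program Files\ExampleDesign\design.exe",
     "Image": r"C:\Program Files\ExampleDesign\render.exe", "CommandLine": "render.exe scene1.obj"},
    {"Computer": "LPT-01518", "ParentImage": r"C:\Program Files\ExampleDesign\design.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": 'cmd.exe /c "whoami & ipconfig /all"'},
    {"Computer": "LPT-01518", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
])

if __name__ == "__main__":
    for a in analyze(EVENTS):
        print(f"[{a['severity'].upper()}] {a['host']}: {a['parent']} spawned {a['child']} -> {a['command']}")
```

The allowlist is per parent on purpose: cmd.exe under explorer.exe is a user opening a prompt, cmd.exe under a 3D design tool is not. In a supply-chain case the parent binary is signed and "trusted" by every reputation check, which is exactly why behaviour, not identity, is what gives it away.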

What flag did you receive after completing the “Remediation Plan” challenge?

Time for a new challenge. Open up the window:

Remediation mode activated!

Let’s go through the seven actions:

Patch Management Policy
Define a clear process for identifying, testing, and applying software patches

Big YES. We need a defined process for applying software patches.

Shared Accounts
Ask IT to use a single, shared account to simplify security monitoring

No! Quite the opposite. We need individual accounts: they are far easier to manage, and without them you cannot tell which person performed an action.

Antivirus Protection
Install reliable antivirus software on all critical corporate systems

Yes. This is always a great idea.

Obscure Server Naming
Use random server names like X719I to confuse potential attackers

No. This will confuse everybody else as well.

Secure Password Policy
Enforce strong, autogenerated passwords for all admin and service accounts

Yes. Great idea with autogenerated passwords. This way we don’t end up with pass1234 etc.

Website Restrictions
Block public access to your company’s website to protect it from threats

NO! How are regular people going to visit your company?

Security Training for IT
Regularly train IT staff on common misconfigurations and how to avoid them

Definitely a good idea. Too few IT personnel know enough about security, unfortunately.

Submit the answers now:

Remediation Plan approved!

Approve and you will get the flag.

Answer: THM{best_systems_defender!}


Task 7: Conclusion

Even though SOC analysts don’t typically manage systems directly, understanding the common attacks and defenses, and sharing them with the IT department, is a key to broadening your cyber security perspective. If you want to grow quickly and be a strong team player, stay updated on the latest threats and always share the news with others!

Questions

Complete the room!

Answer: No answer needed.

Congratulations on completing Systems as Attack Vectors!

You did it! Well.. we did!

This was a great follow-up on the previous room, on which I also did a walkthrough. I hope you now understand that a great SOC analyst needs to focus on both systems and humans.

Come back soon for more walkthroughs of rooms on TryHackMe and HackTheBox, and other Cybersecurity discussions.
