ContAInment | TryHackMe Write-up
Complete walkthrough for the ContAInment TryHackMe room. Can you help contain the ransomware threat with the help of AI?
This is our write-up for the TryHackMe room on ContAInment. Written in 2026, we hope this write-up helps others learn and practice cybersecurity.
Task 1: Challenge
As a Security Analyst at West Tech, you are tasked with investigating a ransomware incident on a senior researcher's workstation. Your objective is to identify the breach vector, trace the attacker's actions, recover exfiltrated data, and mitigate the threat. To accomplish this, you will use SSH to access the compromised machine and leverage a specialized, locally-deployed AI Incident Response assistant equipped with custom security tools.
Initial Access & Exploration
We began by establishing an SSH connection to the compromised workstation and initializing the AI Incident Response assistant. We explored the filesystem and the available security tools to understand our environment.
Phishing Detection
We used the phishing_email_detector tool to scan the /home/o.deer/Mail directory. For some reason, the tool did not generate an output initially, but upon retry, it successfully flagged a suspicious email.
Prompt: Can you search the files in the /home/o.deer/Mail directory for signs of phishing emails using phishing_email_detector?
The analysis revealed that the breach originated from a targeted phishing email containing a malicious attachment.
Attachment: invoice_payload.scr
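The room's phishing_email_detector is a custom tool, so the following is an added example of the same check written from scratch, not code from the room or from TryHackMe. It assumes the mailbox is a directory of one RFC 822 message file per mail (Maildir-style), and the list of attachment extensions it treats as suspicious is an assumption chosen for this illustration; the sample messages it scans are constructed inline with inert placeholder bytes.

```python
"""Flag mail messages that carry executable-type attachments such as .scr.

Added example, not the room's phishing_email_detector tool.
"""
import email
import os
import tempfile
from email import policy
from email.message import EmailMessage

# Assumption: a starting list of attachment extensions that are executable
# on Windows or run a script engine; tune it for your environment.
SUSPICIOUS_EXTENSIONS = {
    ".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs", ".hta",
}


def scan_message(raw_bytes: bytes) -> list[str]:
    """Return the names of suspicious attachments in one RFC 822 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        # splitext keeps only the last extension, so "invoice.pdf.scr" -> ".scr"
        ext = os.path.splitext(name.lower())[1]
        if ext in SUSPICIOUS_EXTENSIONS:
            findings.append(name)
    return findings


def scan_maildir(path: str) -> dict[str, list[str]]:
    """Walk a directory of message files; map each file to its suspicious attachments."""
    results = {}
    for root, _dirs, files in os.walk(path):
        for fn in files:
            full = os.path.join(root, fn)
            with open(full, "rb") as fh:
                hits = scan_message(fh.read())
            if hits:
                results[full] = hits
    return results


def build_sample_message(attachment_name: str) -> bytes:
    """Construct a sample message carrying a harmless placeholder attachment."""
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"   # constructed sender
    msg["To"] = "o.deer@example.invalid"      # constructed recipient
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    # The attachment body is inert placeholder bytes, not a real program.
    msg.add_attachment(
        b"PLACEHOLDER-NOT-EXECUTABLE",
        maintype="application", subtype="octet-stream",
        filename=attachment_name,
    )
    return msg.as_bytes()


def demo() -> dict[str, list[str]]:
    """Write two constructed messages to a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as d:
        samples = [("msg1.eml", "invoice_payload.scr"), ("msg2.eml", "report.pdf")]
        for fname, attachment in samples:
            with open(os.path.join(d, fname), "wb") as fh:
                fh.write(build_sample_message(attachment))
        results = scan_maildir(d)
    # Return basenames so the result does not depend on the temp path.
    return {os.path.basename(k): v for k, v in results.items()}


if __name__ == "__main__":
    print(demo())
```

Only the message with the .scr attachment is reported; the PDF is left alone. Matching on the final extension is deliberate, since double-extension names are a common way to make an executable look like a document.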
Network Traffic Analysis
Next, we used the pcap_file_reassembler tool to analyze a network capture found in the researcher's documents. This allowed us to summarize the traffic and identify the attacker's activity.
Prompt: Can you summarize what is covered in /home/o.deer/Documents/pcap_dumps/2025-06-17/session_4444_dump.pcap using pcap_file_reassembler?
Credential Recovery & Flag Hunting
By analyzing the captured sessions, we were able to recover the victim's password and began searching for the final flags using the liberty_prime tool.
Password: westtechvictim1
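To show what the traffic analysis and credential recovery steps above involve under the hood, here is an added example that reassembles TCP payloads from a capture and scans them for plaintext password fields. It is not the room's pcap_file_reassembler tool and not code from TryHackMe. It assumes a classic little-endian pcap file with an Ethernet link type (not pcapng), handles only IPv4/TCP, ignores retransmissions and checksums, and uses a simple password-field regex as a heuristic. The capture it parses is constructed inline: a two-segment session to port 4444 with made-up addresses and a made-up password, written to the file out of order so that sequence-number reassembly is actually exercised.

```python
"""Reassemble TCP payload from a pcap and look for plaintext credentials.

Added example, not the room's pcap_file_reassembler tool.
"""
import re
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4      # little-endian pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1


def parse_pcap(data: bytes):
    """Yield raw link-layer frames from a classic (non-pcapng) capture."""
    magic, _vmaj, _vmin, _tz, _sig, _snap, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("unsupported capture format")
    off = 24
    while off + 16 <= len(data):
        _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def tcp_segment(frame: bytes):
    """Return (src, sport, dst, dport, seq, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # EtherType IPv4
        return None
    ihl = (frame[14] & 0x0F) * 4                         # IP header length
    total_len = struct.unpack("!H", frame[16:18])[0]
    if frame[23] != 6:                                   # protocol field: TCP
        return None
    ip_src = ".".join(str(b) for b in frame[26:30])
    ip_dst = ".".join(str(b) for b in frame[30:34])
    tcp = frame[14 + ihl:14 + total_len]
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    data_off = (tcp[12] >> 4) * 4                        # TCP header length
    return ip_src, sport, ip_dst, dport, seq, tcp[data_off:]


def reassemble(data: bytes) -> dict:
    """Group TCP payloads per flow and concatenate them in sequence order."""
    flows = defaultdict(list)
    for frame in parse_pcap(data):
        seg = tcp_segment(frame)
        if seg is None:
            continue
        src, sport, dst, dport, seq, payload = seg
        if payload:
            flows[(src, sport, dst, dport)].append((seq, payload))
    return {k: b"".join(p for _s, p in sorted(v)) for k, v in flows.items()}


# Heuristic: "password: x", "pass=x", "pwd : x" (case-insensitive).
CRED_RE = re.compile(rb"(?i)(?:pass(?:word)?|pwd)\s*[:=]\s*(\S+)")


def find_credentials(streams: dict) -> list:
    """Scan each reassembled stream for plaintext password fields."""
    hits = []
    for (src, sport, dst, dport), payload in streams.items():
        for m in CRED_RE.finditer(payload):
            hits.append((f"{src}:{sport}->{dst}:{dport}", m.group(1).decode(errors="replace")))
    return hits


def build_frame(src, sport, dst, dport, seq, payload: bytes) -> bytes:
    """Build a minimal Ethernet/IPv4/TCP frame (checksums left at zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 0x50, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + tcp


def build_sample_pcap() -> bytes:
    """Constructed capture: one session to port 4444, segments stored out of order."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    # Made-up addresses and a made-up password; the second segment's seq
    # (1018) is the first's seq plus its 18-byte payload length.
    segs = [
        ("10.0.0.5", 50123, "10.0.0.9", 4444, 1018, b"password: example-pass\r\n"),
        ("10.0.0.5", 50123, "10.0.0.9", 4444, 1000, b"login as: o.deer\r\n"),
    ]
    out = [header]
    for i, (src, sport, dst, dport, seq, payload) in enumerate(segs):
        frame = build_frame(src, sport, dst, dport, seq, payload)
        out.append(struct.pack("<IIII", 1750118400 + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def demo() -> list:
    return find_credentials(reassemble(build_sample_pcap()))


if __name__ == "__main__":
    print(demo())
```

Running it reports the flow and the recovered field once, even though the segments were captured out of order. On a real capture the same approach is where a tool like the room's would start; a practitioner would then add handling for retransmitted and overlapping segments and for the reverse direction of each flow.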
Troubleshooting & Final Capture
We encountered an issue where the file was located at /home/o.deer/westtech_projects/thm_flags.txt instead of the expected nested path. We then moved the file using mkdir and mv, and proceeded with the final check.
Prompt: Use liberty_prime to check /home/o.deer/westtech_projects/thm_flags.txt and identify the flag.
Can you contAIn the threat and find the flag?
thm{23,82,20,17,53}
Thanks for reading. See you in the next lab.