2022-12-22 19:00
Cyber Advent 2022 - Day 2 [Log Analysis] [Santa’s Naughty & Nice Log]
Day 2 of TryHackMe's Advent of Cyber 2022! This challenge introduces grep and its basic capabilities, and the task requires you to use grep to answer the questions efficiently.
Learning Objectives
In today’s task, you will:
- Learn what log files are and why they’re useful
- Understand what valuable information log files can contain
- Understand some common locations where these log files can be found
- Use some basic Linux commands to start analysing log files for valuable information
- Help Elf McBlue track down the Bandit Yeti APT!
Use the `ls` command to list the files present in the current directory. How many log files are present?
Make sure your current working directory is `/home/elfmcblue`. If you do not know, run this command: `pwd`

Count the number of files that are output to the terminal.

```
$ ls
SSHD.log webserver.log
```
Answer:
2
Elf McSkidy managed to capture the logs generated by the web server. What is the name of this log file?
Make sure your current working directory is `/home/elfmcblue`. If you do not know, run this command: `pwd`

We are looking for a web server log file; conveniently, we notice that `webserver.log` exists within the `/home/elfmcblue` directory.

```
$ ls
SSHD.log webserver.log
```
Answer:
webserver.log
On what day was Santa’s naughty and nice list stolen?
Our first attempt with `grep`. We chose the `-i` option because we aren't sure how the word `stolen` will be written in the log files. Furthermore, since we are interested in the web server logs, we grep through that file only. We notice that the date is November 18th; checking our calendar leads us to the answer. Another possible way to arrive at this conclusion is

```
$ grep -i "stolen" webserver.log
10.10.249.191 - - [18/Nov/2022:12:35:23 +0000] "GET /ReceivingStolenGoodsOnline HTTP/1.1" 404 437 "-" "gobuster/3.O.1"
10.10.249.191 - - [18/Nov/2022:12:35:24 +0000] "GET /011003-new_uk_database_mkes_stolen_pho HTTP/1.1" 404 437 "-" "gobuster/3.O.1"
10.10.249.191 - - [18/Nov/2022:12:35:27 +0000] "GET /alone_on_preikestoten HTTP/1.1" 404 437 "-" "gobuster/3.O.1"
10.10.249.191 - - [18/Nov/2022:12:35:27 +0000] "GET /stolen_pc_holds_1 HTTP/1.1" 404 437 "-" "gobuster/3.O.1"
```
Answer:
Friday
What is the IP address of the attacker?
In the output of the above grep command, we notice that the client IP address is recorded at the start of each log line. This IP address is particularly persistent in its requests to the web server, so we can infer that the requests are coming from the attacker.
Answer:
10.10.249.191
What is the name of the important list that the attacker stole from Santa?
Knowing that the file we are looking for is a list, we can infer that the most likely name format of this list would be something like `something_list.txt` or `someList.txt`. It is common practice to use an easily readable file format such as the `.txt` extension. Therefore we use `-i` to ignore case, in the event that the list name is written in snake case or camel case. We could have used the `-r` option instead of specifying the `webserver.log` file, in case there were more than two files in the current working directory. However, the download was most likely logged within `webserver.log`, so we chose that file instead.

```
$ grep -i "list.txt" webserver.log
10.10.249.191 - - [18/Nov/2022:12:34:39 +0000] "GET /santaslist.txt HTTP/1.1" 200 133872 "-" "Wget/1.19.4 (linux-gnu)"
```
Answer:
santaslist.txt
Look through the log files for the flag. The format of the flag is: THM
Using the `-r` option, we recursively iterate through all of the files within the current working directory (`pwd`) and search for the beginning portion of the flag format that consistently remains the same: `THM{`.

```
$ grep -r "THM{"
SSHD.log:THM{STOLENSANTASLIST}
```
Answer:
THM{STOLENSANTASLIST}
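The questions above are all answered by hand with `grep`. As an added example (not part of the TryHackMe room or this writeup), the script below wraps the same triage into small POSIX shell functions so the answers can be reproduced and checked: most active client IP, number of 404s served to that IP (the gobuster signature), the date of the first "stolen" hit converted to a weekday with Zeller's congruence rather than `date -d`, the successfully downloaded `*list.txt` resource, and a recursive flag search. The sample logs are constructed inline from the lines shown in this writeup plus one benign request from `10.10.1.5`, which is a made-up address for contrast; the function names and the temporary directory are this example's own.

```shell
#!/bin/sh
# Added example: grep/awk/sed triage of the Day 2 logs. Sample data is
# constructed here (copied from the writeup's output, plus one benign line)
# so the script runs offline; the 10.10.1.5 client is a placeholder.
set -e

WORKDIR=$(mktemp -d)

cat > "$WORKDIR/webserver.log" <<'EOF'
10.10.1.5 - - [18/Nov/2022:12:30:01 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.10.249.191 - - [18/Nov/2022:12:34:39 +0000] "GET /santaslist.txt HTTP/1.1" 200 133872 "-" "Wget/1.19.4 (linux-gnu)"
10.10.249.191 - - [18/Nov/2022:12:35:23 +0000] "GET /ReceivingStolenGoodsOnline HTTP/1.1" 404 437 "-" "gobuster/3.O.1"
10.10.249.191 - - [18/Nov/2022:12:35:24 +0000] "GET /011003-new_uk_database_mkes_stolen_pho HTTP/1.1" 404 437 "-" "gobuster/3.O.1"
10.10.249.191 - - [18/Nov/2022:12:35:27 +0000] "GET /alone_on_preikestoten HTTP/1.1" 404 437 "-" "gobuster/3.O.1"
10.10.249.191 - - [18/Nov/2022:12:35:27 +0000] "GET /stolen_pc_holds_1 HTTP/1.1" 404 437 "-" "gobuster/3.O.1"
EOF

cat > "$WORKDIR/SSHD.log" <<'EOF'
THM{STOLENSANTASLIST}
EOF

# Client IP with the most requests in an Apache-style access log ($1 = file).
top_talker() {
  awk '{print $1}' "$1" | sort | uniq -c | sort -rn | head -n 1 | awk '{print $2}'
}

# Number of 404 responses served to a given client ($1 = file, $2 = ip).
# Field 9 of the combined log format is the HTTP status code.
not_found_count() {
  awk -v ip="$2" '$1 == ip && $9 == "404"' "$1" | wc -l | tr -d ' '
}

# "DD Mon YYYY" of the first line matching a pattern, case-insensitive
# ($1 = pattern, $2 = file); the timestamp is the bracketed field.
first_match_date() {
  grep -i "$1" "$2" | head -n 1 \
    | sed -E 's|.*\[([0-9]+)/([A-Za-z]+)/([0-9]+):.*|\1 \2 \3|'
}

# Weekday name for a Gregorian date via Zeller's congruence
# ($1 = day, $2 = three-letter month as in Apache logs, $3 = year).
weekday() {
  q=$1; y=$3
  case "$2" in
    Jan) m=1;; Feb) m=2;; Mar) m=3;; Apr) m=4;;  May) m=5;;  Jun) m=6;;
    Jul) m=7;; Aug) m=8;; Sep) m=9;; Oct) m=10;; Nov) m=11;; Dec) m=12;;
    *) echo "unknown month: $2" >&2; return 1;;
  esac
  # Zeller counts January and February as months 13 and 14 of the previous year.
  if [ "$m" -le 2 ]; then m=$((m + 12)); y=$((y - 1)); fi
  K=$((y % 100)); J=$((y / 100))
  h=$(( (q + (13 * (m + 1)) / 5 + K + K / 4 + J / 4 + 5 * J) % 7 ))
  set -- Saturday Sunday Monday Tuesday Wednesday Thursday Friday   # h=0 is Saturday
  shift "$h"
  echo "$1"
}

# Weekday on which the first "stolen" request was logged ($1 = file).
theft_day() {
  d=$(first_match_date "stolen" "$1")
  # shellcheck disable=SC2086  # word splitting into day/month/year is intended
  weekday $d
}

# Resource name of the first successful (200) *list.txt download ($1 = file).
exfiltrated_list() {
  grep -i 'list\.txt' "$1" | grep '" 200 ' | sed -E 's|.*GET /([^ ]+) .*|\1|' | head -n 1
}

# First THM{...} token anywhere under a directory ($1 = dir).
find_flag() {
  grep -rho 'THM{[^}]*}' "$1" | head -n 1
}

attacker=$(top_talker "$WORKDIR/webserver.log")
echo "attacker IP:      $attacker"
echo "404s for attacker: $(not_found_count "$WORKDIR/webserver.log" "$attacker")"
echo "theft weekday:    $(theft_day "$WORKDIR/webserver.log")"
echo "stolen list:      $(exfiltrated_list "$WORKDIR/webserver.log")"
echo "flag:             $(find_flag "$WORKDIR")"
```

The 404 count per client is the useful generalisation: a single source producing a burst of 404s with a scanner user agent is the same pattern you would alert on in a real access log, and `awk '$9 == "404"'` is cheaper than regex when the field is fixed. `grep -o`, `grep -h` and `sed -E` are GNU/BSD extensions rather than strict POSIX, but they are present on the room's machine and on any modern Linux.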