TryHackMe || Advent of Cyber 2023 Day 7: ’Tis the season for log chopping! || WalkThrough
Today’s task involves log analysis, and there is a story behind it. To take revenge on the company for demoting him to regional manager during the acquisition, Tracy McGreedy installed CrypTOYminer, a piece of malware he downloaded from the dark web, on all workstations and servers. Even more worrying, and unknown to McGreedy, this malware also includes data-stealing functionality, which only the malware author benefits from.
The malware has been executed and is generating a lot of unusual traffic. What’s more, a large volume of data is seen leaving the network.
So, we will learn and apply manual log analysis techniques using various Linux commands. The workstations reach the Internet through a proxy server, so the proxy’s log is what we analyze. We are given a log file named ‘access.log’ and will run every command against this file to get all the details.
Q/A
How many unique IP addresses are connected to the proxy server?
Hint: use the command cut -d ' ' -f2 access.log | sort | uniq | wc -l
Answer: 9
How many unique domains were accessed by all workstations?
Hint: use the command cut -d ' ' -f3 access.log | cut -d ':' -f1 | sort | uniq -c | sort -nr | wc -l
Answer: 111
What status code is generated by the HTTP requests to the least accessed domain?
Hint: use the command grep partnerservices.getmicrosoftkey.com access.log | cut -d ' ' -f6
Answer: 503
Based on the high count of connection attempts, what is the name of the suspicious domain?
Hint: use the command cut -d ' ' -f3 access.log | cut -d ':' -f1 | sort | uniq -c | sort -n | tail -n 10
Answer: frostlings.bigbadstash.thm
What is the source IP of the workstation that accessed the malicious domain?
Hint: use the command grep frostlings.bigbadstash.thm access.log | head -n 3
Answer: 10.10.185.225
How many requests were made on the malicious domain in total?
Hint: use the command cut -d ' ' -f3 access.log | cut -d ':' -f1 | sort | uniq -c | sort -n | tail -n 10
Answer: 1581
Having retrieved the exfiltrated data, what is the hidden flag?
Hint: use the command grep frostlings.bigbadstash.thm access.log | cut -d '=' -f2 | cut -d ' ' -f1 | base64 -d
Answer: THM{a_gift_for_you_awesome_analyst!}
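The hints above are one procedure run step by step. The script below is an added example, not part of the TryHackMe room or its access.log: it writes a small constructed proxy log in the same space-separated layout the hints rely on (field 2 = client IP, field 3 = domain:port, field 6 = HTTP status, base64 chunks carried in a query parameter) and wraps each cut/sort/uniq pipeline in a function. All IPs, the example.* domains, the status codes and the encoded flag are constructed values; only the frostlings.bigbadstash.thm domain name is taken from the room.

```shell
#!/bin/sh
# Added example (not from the TryHackMe room): manual proxy-log triage with
# cut / sort / uniq / awk, run against a constructed access.log.

LOG="${TMPDIR:-/tmp}/access.log.example"

# Constructed sample log. Layout matches the field numbers used in the hints:
#   [timestamp] client_ip domain:port method url status bytes "user-agent"
make_sample_log() {
  cat > "$LOG" <<'EOF'
[2023/10/25:15:42:02] 10.10.0.11 updates.example.com:443 CONNECT - 200 2318 "Mozilla/5.0"
[2023/10/25:15:42:05] 10.10.0.12 mail.example.org:443 CONNECT - 200 1024 "Mozilla/5.0"
[2023/10/25:15:42:09] 10.10.0.11 cdn.example.net:443 CONNECT - 200 5120 "Mozilla/5.0"
[2023/10/25:15:42:13] 10.10.0.13 legacy.example.com:80 GET http://legacy.example.com/index.html 503 0 "Mozilla/5.0"
[2023/10/25:15:42:20] 10.10.0.21 frostlings.bigbadstash.thm:80 GET http://frostlings.bigbadstash.thm/?goodies=RVhBTVBM 200 0 "curl/7.88"
[2023/10/25:15:42:21] 10.10.0.21 frostlings.bigbadstash.thm:80 GET http://frostlings.bigbadstash.thm/?goodies=RXtjb25z 200 0 "curl/7.88"
[2023/10/25:15:42:22] 10.10.0.21 frostlings.bigbadstash.thm:80 GET http://frostlings.bigbadstash.thm/?goodies=dHJ1Y3Rl 200 0 "curl/7.88"
[2023/10/25:15:42:23] 10.10.0.21 frostlings.bigbadstash.thm:80 GET http://frostlings.bigbadstash.thm/?goodies=ZF9mbGFn 200 0 "curl/7.88"
[2023/10/25:15:42:24] 10.10.0.21 frostlings.bigbadstash.thm:80 GET http://frostlings.bigbadstash.thm/?goodies=X2hlcmV9 200 0 "curl/7.88"
[2023/10/25:15:42:30] 10.10.0.12 updates.example.com:443 CONNECT - 200 3000 "Mozilla/5.0"
EOF
}

# Q1: distinct client IPs (field 2). tr strips the padding some wc builds emit.
unique_ip_count() { cut -d ' ' -f2 "$LOG" | sort -u | wc -l | tr -d ' '; }

# Q2: distinct domains (field 3 with the :port suffix removed).
unique_domain_count() { cut -d ' ' -f3 "$LOG" | cut -d ':' -f1 | sort -u | wc -l | tr -d ' '; }

# Q4: request count per domain, most active first (default: top 5).
top_domains() { cut -d ' ' -f3 "$LOG" | cut -d ':' -f1 | sort | uniq -c | sort -rn | head -n "${1:-5}"; }
busiest_domain() { top_domains 1 | awk '{ print $2 }'; }

# Q6: exact request count for one domain (awk avoids substring matches of grep).
domain_request_count() {
  awk -v d="$1" '{ split($3, h, ":"); if (h[1] == d) n++ } END { print n + 0 }' "$LOG"
}

# Q3: status codes seen for one domain (field 6), space-separated.
domain_status_codes() {
  awk -v d="$1" '{ split($3, h, ":"); if (h[1] == d) print $6 }' "$LOG" | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Q5: client IPs that talked to one domain, space-separated.
domain_client_ips() {
  awk -v d="$1" '{ split($3, h, ":"); if (h[1] == d) print $2 }' "$LOG" | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Q7: reassemble the base64 chunks smuggled in the query string and decode them.
# Newlines are dropped before decoding so the chunks form one stream.
decode_exfil() {
  grep -F -- "$1" "$LOG" | cut -d '=' -f2 | cut -d ' ' -f1 | tr -d '\n' | base64 -d
}

main() {
  make_sample_log
  echo "unique IPs:      $(unique_ip_count)"
  echo "unique domains:  $(unique_domain_count)"
  echo "top domains:";    top_domains 3
  d="$(busiest_domain)"
  echo "busiest domain:  $d ($(domain_request_count "$d") requests)"
  echo "client IPs:      $(domain_client_ips "$d")"
  echo "status codes:    $(domain_status_codes legacy.example.com) (legacy.example.com)"
  echo "decoded payload: $(decode_exfil "$d")"
}

main
```

On the constructed log the busiest domain is also the one carrying an encoded query parameter on every request, which is the same pattern the hints use to pivot from "high connection count" to "what left the network". The awk-based counters match the full hostname, so a domain that is a substring of another is not over-counted the way a bare grep would.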
If you find this blog helpful, follow me on LinkedIn: https://www.linkedin.com/in/-prashantkumar07/
Happy Learning