TryHackMe || Advent of Cyber 2023 Day 7: ’Tis the season for log chopping! || WalkThrough

TheCyberWarrior
3 min read · Dec 8, 2023


Day 7 Logo

Today’s task is log analysis, and there is a story behind it. To take revenge on the company for demoting him to regional manager during the acquisition, Tracy McGreedy installed CrypTOYminer, a malware he downloaded from the dark web, on all workstations and servers. Even more worrying, and unknown to McGreedy, this malware includes a data-stealing functionality that benefits the malware author!

The malware has been executed, and a lot of unusual traffic is being generated. What’s more, a large data bandwidth is seen to be leaving the network.

So we will learn and apply manual log analysis techniques using standard Linux commands. The network runs through a proxy server, so the proxy server’s log is what we analyze. We are given a log file named ‘access.log’, and every command below runs against this file to extract the details we need.

Q/A

How many unique IP addresses are connected to the proxy server?

Hint: use the command cut -d ' ' -f2 access.log | sort | uniq | wc -l

Answer: 9

How many unique domains were accessed by all workstations?

Hint: use the command cut -d ' ' -f3 access.log | cut -d ':' -f1 | sort | uniq -c | sort -nr | wc -l

Answer: 111

What status code is generated by the HTTP requests to the least accessed domain?

Hint: use the command grep partnerservices.getmicrosoftkey.com access.log | cut -d ' ' -f6

Answer: 503

Based on the high count of connection attempts, what is the name of the suspicious domain?

Hint: use the command cut -d ' ' -f3 access.log | cut -d ':' -f1 | sort | uniq -c | sort -n | tail -n 10

Answer: frostlings.bigbadstash.thm

What is the source IP of the workstation that accessed the malicious domain?

Hint: use the command grep frostlings.bigbadstash.thm access.log | head -n 3

Answer: 10.10.185.225

How many requests were made on the malicious domain in total?

Hint: use the command cut -d ' ' -f3 access.log | cut -d ':' -f1 | sort | uniq -c | sort -n | tail -n 10

Answer: 1581

Having retrieved the exfiltrated data, what is the hidden flag?

Hint: use the command grep frostlings.bigbadstash.thm access.log | cut -d '=' -f2 | cut -d ' ' -f1 | base64 -d

Answer: THM{a_gift_for_you_awesome_analyst!}
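As an added example (not part of the original walkthrough), here are the same cut/sort/uniq pipelines wrapped in shell functions and run against a constructed five-line log in the same field layout as access.log (timestamp, source IP, destination host:port, method, URL, status code). The goodies= parameter name, the IPs other than 10.10.185.225 and the base64 chunks are assumptions made for the sample.

```shell
#!/bin/sh
# Constructed sample log in the room's field layout (not real data):
# [timestamp] src_ip dest_host:port method url status bytes
LOG="$(mktemp)"
cat > "$LOG" <<'EOF'
[2023/10/25:15:42:02] 10.10.140.96 storage.live.com:443 GET https://storage.live.com/ 200 1024
[2023/10/25:15:42:03] 10.10.185.225 frostlings.bigbadstash.thm:80 GET http://frostlings.bigbadstash.thm/?goodies=VEhNe3Nh 200 95
[2023/10/25:15:42:04] 10.10.140.96 partnerservices.getmicrosoftkey.com:443 GET https://partnerservices.getmicrosoftkey.com/ 503 0
[2023/10/25:15:42:05] 10.10.185.225 frostlings.bigbadstash.thm:80 GET http://frostlings.bigbadstash.thm/?goodies=bXBsZX0= 200 95
[2023/10/25:15:42:06] 10.10.55.101 google.com:443 GET https://google.com/ 200 2048
EOF

# Field 2 is the source IP: count distinct workstations talking to the proxy.
unique_ips() {
  cut -d ' ' -f2 "$LOG" | sort -u | wc -l | tr -d ' '
}

# Field 3 is host:port; strip the port before counting distinct domains.
unique_domains() {
  cut -d ' ' -f3 "$LOG" | cut -d ':' -f1 | sort -u | wc -l | tr -d ' '
}

# Field 6 is the HTTP status code returned for requests to a given domain.
domain_status() {
  grep -F "$1" "$LOG" | cut -d ' ' -f6 | sort -u
}

# Most-requested domain: count per domain, sort ascending, take the last line.
top_domain() {
  cut -d ' ' -f3 "$LOG" | cut -d ':' -f1 | sort | uniq -c | sort -n | tail -n 1 | awk '{print $2}'
}

# Total number of requests to a given domain.
domain_requests() {
  grep -Fc "$1" "$LOG"
}

# Rebuild exfiltrated data: take everything after the first '=' in the URL,
# cut at the next space, and decode each chunk on its own line.
# '-f2-' (rather than '-f2') keeps any trailing '=' base64 padding intact.
decode_exfil() {
  grep -F "$1" "$LOG" | cut -d '=' -f2- | cut -d ' ' -f1 | while read -r chunk; do
    printf '%s' "$chunk" | base64 -d
  done
}

# Stand-alone run: prints 3, 4, 503, frostlings.bigbadstash.thm, 2, THM{sample}
unique_ips; unique_domains; domain_status partnerservices.getmicrosoftkey.com
top_domain; domain_requests frostlings.bigbadstash.thm; decode_exfil frostlings.bigbadstash.thm; echo
```

Note that grep -F matches the domain anywhere on the line, so a domain that also appears inside another host's URL would inflate its count; anchoring on field 3 with awk is the stricter check.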

If you find this blog helpful, follow me on LinkedIn: https://www.linkedin.com/in/-prashantkumar07/

Happy Learning
