Log Analysis using Splunk: Solving “Juicy Details” (TryHackMe)
Hi, it’s me, Dipanshu Pandey, and in this blog I will be demonstrating how you can perform log analysis using the Splunk tool.
Splunk is a tool which can be used for analysing and live-monitoring logs.
It is a tool which every threat hunter and forensic investigator should master to avoid false positives during their investigations.
Here I will be taking the log files from the TryHackMe room “Juicy Details” and answering its questions so that you can understand things clearly and systematically. In this blog we will take 3 log files and investigate them to detect the threat.
Room Link -> https://tryhackme.com/room/juicydetails
Here I assume that you know what Splunk is but are not very familiar with using it.
Here I have downloaded Splunk and the log files.
Now I will show you how to add the log files to start searching for useful information.
Here you will see the option to add files or folders.
Now select the folder which contains all 3 log files downloaded from TryHackMe.
Now click on “Search and Reporting” to start searching through the logs.
Above we see the Search tab. There you can see the source of the logs which we have added. Here “*” in the source field means that all the log files in that folder are included in the search. Also we can see the various fields we can search on in the left pane.
Task 2 Reconnaissance
Q1. What tools did the attacker use? (Order by the occurrence in the log)
Here, we know that most probably the User-Agent contains the information about the tools used. We used the table command to make a table of the User-Agent and time fields. Then we used the dedup command to remove duplicate User-Agent values. And since we need to find the tool names in the order they were used, we used the sort command on the time field to show the results in time order.
So, the answer is nmap, hydra, sqlmap, curl, feroxbuster.
Q2. What endpoint was vulnerable to a brute-force attack?
Here you can see that we set the value of User-Agent to the User-Agent of Hydra. As we know, hydra is used for brute-forcing, so now when we make the table of the User-Agent we will only see the User-Agent of Hydra. Also in the table command we entered uri. So now our final table contains all the URIs associated with the Hydra User-Agent (we saw its User-Agent in question 1). When we run this search we see only 1 URI, which is the answer.
Note: You may also be wondering how I got to know that uri and useragent are the fields we can filter on. I found them in the left pane I talked about earlier.
Q3. What endpoint was vulnerable to SQL injection?
The question is similar to the previous one. The only thing to do is modify the User-Agent. This time we will change the User-Agent value to the User-Agent of the sqlmap tool (we saw its User-Agent in question 1). When we run our search we get our answer.
Q4. What parameter was used for the SQL injection?
Refer to the figure of question 3. After /rest/product/search we can see the parameter where the SQL query is entered.
Q5. What endpoint did the attacker try to use to retrieve files? (Include the /)
We know that feroxbuster can be used to retrieve files. The question is the same as Q3 and Q4 and the only thing to change is the User-Agent to the feroxbuster User-Agent. This time I would encourage you to write the query yourself, and I am only showing the answer.
Task 3 Stolen data
Q1. What section of the website did the attacker use to scrape user email addresses?
This one is a bit of a logical question. I saw the hint and it was “Where can customers usually comment on a shopping website?”
So I included the word review* in my search and I got a URL which is the answer. The answer is product reviews.
Here I added “*” as a wildcard in the search because it allows me to search for the word review and other words which start with review, like reviews or reviewabcd.
Q2. Was their brute-force attack successful? If so, what is the timestamp of the successful login? (Yay/Nay, 11/Apr/2021:09:xx:xx +0000)
Here we searched using the User-Agent value of Hydra. Also I included a filter of status=200, i.e. status code 200. I only got 1 result, which signifies that the attack was successful. If I click on that drop-down menu I can see the time at which the attack was successful.
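The Splunk searches above (Task 2 Q1 to Q4 and Task 3 Q2) all filter the combined-format access.log on User-Agent, uri and status. This is an added example, not part of the original post or the TryHackMe room, that does the same analysis in Python over a constructed access.log excerpt, so you can see what table/dedup/sort and the status=200 filter are doing underneath; the log lines, User-Agent strings and timestamps are made up for illustration.

```python
import re
from datetime import datetime
from urllib.parse import urlsplit, parse_qs
# Constructed access.log excerpt in combined log format (not the room's real file).
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [11/Apr/2021:09:01:10 +0000] "GET / HTTP/1.1" 200 1200 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
10.0.0.5 - - [11/Apr/2021:09:02:30 +0000] "POST /rest/user/login HTTP/1.0" 401 26 "-" "Mozilla/4.0 (Hydra)"
10.0.0.5 - - [11/Apr/2021:09:02:31 +0000] "POST /rest/user/login HTTP/1.0" 200 831 "-" "Mozilla/4.0 (Hydra)"
10.0.0.5 - - [11/Apr/2021:09:05:00 +0000] "GET /rest/product/search?q=apple%27 HTTP/1.1" 500 305 "-" "sqlmap/1.5.2#stable (http://sqlmap.org)"
10.0.0.5 - - [11/Apr/2021:09:07:00 +0000] "GET /rest/user/whoami HTTP/1.1" 200 57 "-" "curl/7.74.0"
10.0.0.5 - - [11/Apr/2021:09:08:00 +0000] "GET /ftp HTTP/1.1" 200 1002 "-" "feroxbuster/2.2.1"
"""

LOG_RE = re.compile(  # ip ident user [time] "method uri proto" status bytes "referer" "agent"
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)
def parse_access_log(text):
    # Parse combined-format lines into dicts; lines that do not match are skipped.
    entries = []
    for m in filter(None, map(LOG_RE.match, text.splitlines())):
        e = m.groupdict()
        e["time"] = datetime.strptime(e["time"], "%d/%b/%Y:%H:%M:%S %z")
        e["status"] = int(e["status"])
        entries.append(e)
    return entries

ENTRIES = parse_access_log(SAMPLE_ACCESS_LOG)

def agents_in_order(entries):
    # Splunk equivalent: table User-Agent, time | dedup User-Agent | sort time (Task 2 Q1).
    first_seen = {}
    for e in sorted(entries, key=lambda e: e["time"]):
        first_seen.setdefault(e["agent"], e["time"])
    return sorted(first_seen, key=first_seen.get)

def endpoints_for_agent(entries, agent_substring):
    # Distinct URI paths requested by one tool, query string stripped (Task 2 Q2, Q3, Q5).
    return sorted({urlsplit(e["uri"]).path for e in entries if agent_substring in e["agent"]})

def params_for_agent(entries, agent_substring):
    # Query parameter names that tool sent, e.g. the one sqlmap injected into (Task 2 Q4).
    return sorted({p for e in entries if agent_substring in e["agent"]
                   for p in parse_qs(urlsplit(e["uri"]).query, keep_blank_values=True)})

def successful_requests(entries, agent_substring, status=200):
    # Timestamps of that tool's requests with the given status: Hydra + 200 (Task 3 Q2).
    return [e["time"].strftime("%d/%b/%Y:%H:%M:%S %z")
            for e in entries if agent_substring in e["agent"] and e["status"] == status]
```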
Q3. What user information was the attacker able to retrieve from the endpoint vulnerable to SQL injection?
Here I opened the access.log file in Notepad and searched through it manually. There I found that the attacker was selecting the fields named email and password.
Q4. What files did they try to download from the vulnerable endpoint? (endpoint from the previous task, question #5)
This was a simple question. I already knew the endpoint to be /ftp (which we found in question 5 of Task 2). So I added a search on “uri” with the value “ftp/*”. We have discussed this wildcard (*) before. I found only 3 results, of which the last 2 are the file names.
Q5. What service and account name were used to retrieve files from the previous question? (service, username)
Here I opened the vsftpd.log file in Notepad and saw that it contains FTP logs. We can see that the service is FTP, and the attacker logged in as anonymous. So the service is ftp and the account is anonymous.
Q6. What service and username were used to gain shell access to the server? (service, username)
Here we opened auth.log to see the authentication attempts. We can figure out that the attacker was brute-forcing the ssh service and the username is www-data.
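Reading auth.log by eye works for a small file, but the same finding can be made mechanically: count the "Failed password" lines per user and source, and flag any "Accepted password" that follows a run of failures. This is an added example, not part of the original post or the room, run over a constructed auth.log excerpt (hostnames, PIDs, addresses and times are made up).

```python
import re
from collections import Counter

# Constructed auth.log excerpt (not the room's real file); hosts, pids and times are made up.
SAMPLE_AUTH_LOG = """\
Apr 11 09:40:01 juice-shop sshd[2011]: Failed password for www-data from 10.0.0.5 port 50110 ssh2
Apr 11 09:40:02 juice-shop sshd[2011]: Failed password for www-data from 10.0.0.5 port 50112 ssh2
Apr 11 09:40:02 juice-shop sshd[2011]: Failed password for invalid user admin from 10.0.0.5 port 50114 ssh2
Apr 11 09:40:03 juice-shop sshd[2011]: Failed password for www-data from 10.0.0.5 port 50116 ssh2
Apr 11 09:40:09 juice-shop sshd[2015]: Accepted password for www-data from 10.0.0.5 port 50130 ssh2
Apr 11 09:40:09 juice-shop sshd[2015]: pam_unix(sshd:session): session opened for user www-data by (uid=0)
"""

AUTH_RE = re.compile(  # only password-auth results; other sshd/pam lines are ignored
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (?P<service>[a-z_-]+)\[\d+\]: '
    r'(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) '
    r'from (?P<src>\S+) port \d+ \S+$'
)

def parse_auth_log(text):
    return [m.groupdict() for m in map(AUTH_RE.match, text.splitlines()) if m]

EVENTS = parse_auth_log(SAMPLE_AUTH_LOG)

def failed_attempts(events):
    # Failed-password count per (service, user, source); in Splunk this is the
    # "Failed password" search piped to stats count by user, src. High counts mean brute-forcing.
    return Counter((e["service"], e["user"], e["src"]) for e in events if e["result"] == "Failed")

def bruteforce_logins(events, threshold=3):
    # Accepted logins preceded by at least `threshold` failures for the same user and source.
    failures = Counter()
    hits = []
    for e in events:  # auth.log is chronological, so a single pass is enough
        key = (e["service"], e["user"], e["src"])
        if e["result"] == "Failed":
            failures[key] += 1
        elif failures[key] >= threshold:
            hits.append({"service": e["service"], "user": e["user"], "src": e["src"], "time": e["ts"]})
    return hits
```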
So, this was the end of the room. It was a very interesting exercise, and I hope you have learned many new things about log analysis and Splunk.
I hope you liked the article and my way of explaining it through Splunk to give an overview of log analysis with Splunk.
-Thank You