Advent of Cyber 4 (2022): Day 2 Write-up [TryHackMe]

Farhad Anwari, published in DevOps.dev
4 min read, Dec 5, 2022

Welcome to Day 2 of Advent of Cyber 4 (2022) write-up. To check the room, click here.

If you haven’t solved Day 1, click here.

[Day 2] Log Analysis Santa’s Naughty & Nice Log

Day 2 covers the concept of logging and log analysis. Today we will discuss various log files in Windows and Linux. We will also cover a few tools and methods to analyze logs to solve the challenge.

Learning Objectives

In today’s task, you will:

  • Learn what log files are and why they’re useful
  • Understand what valuable information log files can contain
  • Understand some common locations where these log files can be found
  • Use some basic Linux commands to start analyzing log files for helpful information
  • Help Elf McBlue track down the Bandit Yeti APT!

What Are Log Files and Why Are They Useful

Log files contain historical records of events and other data from an application. Some common examples of events that you may find in a log file:

  • Login attempts or failures
  • Traffic on a network
  • Things (website URLs, files, etc.) that have been accessed
  • Password changes
  • Application errors (used in debugging)
  • and many, many more

By making a historical record of events that have happened, log files are critical pieces of evidence when investigating:

  • What has happened?
  • When has it happened?
  • Where has it happened?
  • Who did it? Were they successful?
  • What is the result of this action?

Grep 101

grep is a command that searches a file for a given text pattern. It takes an input (a word or value), scans the entire file, and prints every line that matches.

Command:

grep [options] "string to find" file

The grep options used in this task are -i (ignore case) and -r (search recursively through every file in a directory).

If you want to read further, you can refer to Day 2 of Advent of Cyber 4.

Let’s get started!

1. Ensure you are connected to the deployable machine in this task.

Click on the “Start Machine” button and then click “Show Split Screen.”

Answer: No answer needed

2. Use the ls command to list the files present in the current directory. How many log files are present?

Enter the ls command, and you will see two log files.

Answer: 2

3. Elf McSkidy managed to capture the logs generated by the web server. What is the name of this log file?

From the previous output, we learned that a web server generates webserver.log.

Answer: webserver.log

4. Begin investigating the log file from question #3 to answer the following questions.

Answer: No answer needed

5. On what day was Santa’s naughty and nice list stolen?

Using the following command:

grep -i -r "santa" webserver.log

The output shows that santaslist.txt was fetched with a GET request on 18/Nov/2022. Checking a calendar, that date falls on a Friday.

Answer: Friday

6. What is the IP address of the attacker?

The previous output shows that the GET requests for santaslist.txt came from the IP address 10.10.249.191.

Answer: 10.10.249.191

7. What is the name of the important list that the attacker stole from Santa?

Answer: santaslist.txt

8. Look through the log files for the flag. The format of the flag is: THM{}

Using the following command:

grep -r "THM"

Run from the directory containing the log files, this searches every file recursively for the flag prefix.

Answer: THM{STOLENSANTASLIST}
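The investigation in questions 5 to 8 can be carried through as one small pipeline instead of reading grep output by eye. This is an added example, not part of the original write-up or the room; the log lines are constructed to mimic the combined web-server log format (they are not the real webserver.log), and it assumes GNU coreutils (date -d) and awk, as found on a typical Linux box.

```bash
#!/usr/bin/env bash
# Added example: the Day 2 grep investigation as reusable shell functions.
# SAMPLE_LOG is CONSTRUCTED for this example; it is not the room's webserver.log.
# Assumes GNU date (-d) and awk.

SAMPLE_LOG='10.10.14.22 - - [18/Nov/2022:09:13:01 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
10.10.14.22 - - [18/Nov/2022:09:13:04 +0000] "GET /style.css HTTP/1.1" 200 410 "-" "Mozilla/5.0"
10.10.249.191 - - [18/Nov/2022:12:50:59 +0000] "GET /robots.txt HTTP/1.1" 404 196 "-" "curl/7.81.0"
10.10.249.191 - - [18/Nov/2022:12:51:08 +0000] "GET /santaslist.txt HTTP/1.1" 200 5120 "-" "curl/7.81.0"
10.10.14.22 - - [19/Nov/2022:08:02:11 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"'

# Every line containing the given string, case-insensitively
# (the same thing as `grep -i "santa" webserver.log`).
find_requests() {
    printf '%s\n' "$SAMPLE_LOG" | grep -i -- "$1"
}

# Field 1 of a combined-format line is the client IP.
client_ip() {
    printf '%s\n' "$1" | awk '{ print $1 }'
}

# Pull "18/Nov/2022" out of "[18/Nov/2022:12:51:08 +0000]" and convert it to a
# weekday name with GNU date (the calendar lookup the write-up does by hand).
request_weekday() {
    local stamp
    stamp=$(printf '%s\n' "$1" | awk -F'[][]' '{ print $2 }' | cut -d: -f1)
    date -d "${stamp//\// }" +%A
}

# Which client fetched the stolen file, and on which weekday?
stolen_list_ip() {
    client_ip "$(find_requests 'santaslist.txt' | head -n 1)"
}
stolen_list_weekday() {
    request_weekday "$(find_requests 'santaslist.txt' | head -n 1)"
}

# Requests per client IP, most active first: a quick way to spot a client
# whose behaviour differs from the rest before reading lines one by one.
requests_per_ip() {
    printf '%s\n' "$SAMPLE_LOG" | awk '{ print $1 }' | sort | uniq -c | sort -rn
}

stolen_list_weekday   # -> Friday
stolen_list_ip        # -> 10.10.249.191
requests_per_ip
```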

9. Interested in log analysis? We recommend the Windows Event Logs room or the Endpoint Security Monitoring Module.

Answer: No answer needed

Closure

This task covered the basics of logging and the different log files you will meet. We also looked at grep, which makes searching logs much easier. With logging in place, we can analyze the incidents and events that occur on a system.

Well done!
You did a great job. It is just the beginning; keep it up!
To learn more and get the upcoming write-ups, follow me on Medium and stay tuned!

Follow me on LinkedIn: https://www.linkedin.com/in/farhadanwari/

For Day 3, click here.

Thank you for reading.
