~$ Advent of Cyber 2022 - Day 2

Posted on Dec. 2nd, 2022. | Est. reading time: 2 minutes

Blue Team: Log Analysis

Question 1

Ensure you are connected to the deployable machine in this task.

Answer: No answer needed

Question 2

Use the ls command to list the files present in the current directory. How many log files are present?

A screenshot of the terminal output of the 'ls' command, revealing two files titled 'SSHD.log' and 'webserver.log'A few logs for the fire.

By typing ls, we can see 2 files: SSHD.log and webserver.log

Answer: 2

Question 3

Elf McSkidy managed to capture the logs generated by the web server. What is the name of this log file?

Answer: webserver.log

Question 4

Begin investigating the log file from question #3 to answer the following questions.

Answer: No answer needed

Question 5

On what day was Santa's naughty and nice list stolen?

If we just use the more webserver.log command, we can see the contents of the log. head webserver.log would have worked too, and printed the first 10 lines of the file

A screenshot of a few lines of logs, with the date (November 18th 2022) highlighted.Convenient!

One date is prevalent: 18/Nov/2022. If we look at a calendar, that was a Friday.

Answer: Friday

Question 6

What is the IP address of the attacker?

At the same line as the question above, we can see an IP address.


Question 7

What is the name of the important list that the attacker stole from Santa?

For this one we can simply use grep with a special string that works for 200 OK status codes (ie. the server succeeded in returning some content).

Command: grep " 200 " webserver.log

Why the space? Because otherwise we'll get all of the endpoints with the number 200 in them, and we don't want that.

A successful request on a file titled 'santaslist.txt'Ooooh, success

Answer: santaslist.txt

Question 8

Look through the log files for the flag. The format of the flag is: THM{}

Here we can just grep for the flag format, like so: grep "THM{" *.log

A screenshot of the 'grep' result, showing the flag.It's easier when you know what your're looking for.