~$ Advent of Cyber 2022 - Day 2

Posted on Dec. 2nd, 2022. | Est. reading time: 2 minutes

Category: Blue Team: Log Analysis

Question 1

Ensure you are connected to the deployable machine in this task.

Answer: No answer needed

Question 2

Use the ls command to list the files present in the current directory. How many log files are present?

[Screenshot: terminal output of the ls command, showing two files, SSHD.log and webserver.log] A few logs for the fire.

By typing ls, we can see 2 files: SSHD.log and webserver.log.

Answer: 2

Question 3

Elf McSkidy managed to capture the logs generated by the web server. What is the name of this log file?

Answer: webserver.log

Question 4

Begin investigating the log file from question #3 to answer the following questions.

Answer: No answer needed

Question 5

On what day was Santa's naughty and nice list stolen?

Running more webserver.log pages through the contents of the log. head webserver.log would have worked too; it prints only the first 10 lines of the file, which is enough here because every request carries a timestamp.

[Screenshot: a few lines of the log, with the date (November 18th 2022) highlighted] Convenient!

Every entry carries the same date, 18/Nov/2022. Checking a calendar, that was a Friday.

Answer: Friday

Question 6

What is the IP address of the attacker?

On those same lines, the first field of each entry is the client IP address, and one address accounts for the requests against Santa's list.

Answer: 10.10.249.191

Question 7

What is the name of the important list that the attacker stole from Santa?

For this one we can simply grep for the 200 OK status code (i.e. the server succeeded in returning some content), which tells us which of the attacker's requests actually fetched a file.

Command: grep " 200 " webserver.log

Why the spaces? Without them grep matches any line containing the digits 200 anywhere, including paths like /2008/ or a byte count such as 1200, and we don't want that. The surrounding spaces restrict the match to 200 standing alone as a field. Note that this is still a heuristic: a response exactly 200 bytes long would also match, so when precision matters it is better to test the status field by position rather than by pattern.

[Screenshot: a successful request for a file titled santaslist.txt] Ooooh, success.

Answer: santaslist.txt
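The three questions above are one triage procedure on a web server access log: find the date of the activity, find the source IP, and find what was successfully fetched. The script below is an added example, not part of the original walkthrough or of the TryHackMe room. It assumes the log is in Apache/NCSA common log format (client IP first, timestamp in square brackets, then the request line, status and size), and it runs against a few constructed sample lines embedded in the script rather than the room's real webserver.log. The attacker IP and file name are taken from the answers above; the timestamps, paths and byte counts are made up. It also shows why matching the status by field position is safer than grep " 200 ": one constructed 404 line has a 200-byte body and is picked up by the grep but not by the field test. The weekday is computed with Zeller's congruence so the script does not depend on GNU date.

```shell
#!/bin/sh
# Added example: triage of a web server access log in common log format.
# The log lines below are CONSTRUCTED for this example; only the attacker IP
# and the stolen file name come from the walkthrough answers.

log_sample() {
  cat <<'EOF'
10.10.249.191 - - [18/Nov/2022:12:36:26 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.10.249.191 - - [18/Nov/2022:12:36:28 +0000] "GET /200-report.html HTTP/1.1" 404 200 "-" "Mozilla/5.0"
10.10.249.191 - - [18/Nov/2022:12:36:35 +0000] "GET /santaslist.txt HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
10.10.2.7 - - [18/Nov/2022:12:37:01 +0000] "GET /index.html HTTP/1.1" 302 0 "-" "curl/7.68.0"
EOF
}

# Q5: most frequent date in the log. Field 4 is "[dd/Mon/yyyy:HH:MM:SS";
# strip the bracket and keep only the date part before the first colon.
attack_date() {
  log_sample | awk '{ sub(/^\[/, "", $4); split($4, a, ":"); print a[1] }' \
    | sort | uniq -c | sort -rn | head -n 1 | awk '{ print $2 }'
}

# Weekday for a dd/Mon/yyyy date using Zeller's congruence (no GNU date needed).
weekday_of() {
  printf '%s\n' "$1" | awk -F/ '{
    split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", mon, " ")
    for (i = 1; i <= 12; i++) m[mon[i]] = i
    q = $1 + 0; mm = m[$2]; y = $3 + 0
    if (mm < 3) { mm += 12; y-- }          # Jan/Feb count as months 13/14 of the previous year
    K = y % 100; J = int(y / 100)
    h = (q + int(13 * (mm + 1) / 5) + K + int(K / 4) + int(J / 4) + 5 * J) % 7
    split("Saturday Sunday Monday Tuesday Wednesday Thursday Friday", names, " ")
    print names[h + 1]
  }'
}

# Q6: the client IP (field 1) with the most requests.
top_client() {
  log_sample | awk '{ print $1 }' | sort | uniq -c | sort -rn | head -n 1 | awk '{ print $2 }'
}

# The walkthrough's heuristic: any line containing " 200 " anywhere.
count_grep_200() {
  log_sample | grep -c " 200 "
}

# The precise version: field 9 is the HTTP status code in common log format.
count_status_200() {
  log_sample | awk '$9 == 200 { n++ } END { print n + 0 }'
}

# Q7: file names successfully served (status 200) whose path ends in .txt.
stolen_file() {
  log_sample | awk '$9 == 200 && $7 ~ /\.txt$/ { sub(/^.*\//, "", $7); print $7 }'
}

d=$(attack_date)
echo "date of activity : $d ($(weekday_of "$d"))"
echo "top client IP    : $(top_client)"
echo "grep ' 200 ' hits: $(count_grep_200)   (includes the 404 with a 200-byte body)"
echo "status == 200    : $(count_status_200)"
echo "stolen file      : $(stolen_file)"
```

To run it against the real log on the deployable machine, replace the body of log_sample with `cat webserver.log`. The difference between count_grep_200 and count_status_200 is the caveat from question 7: a pattern match on " 200 " cannot distinguish a status code from a response size, while a field test can.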

Question 8

Look through the log files for the flag. The format of the flag is: THM{}

Here we can just grep for the flag format across both log files, like so: grep "THM{" *.log

[Screenshot: the grep result, showing the flag] It's easier when you know what you're looking for.

Answer: THM{STOLENSANTASLIST}