
THM Advent of Cyber - Day 2

Dear diary, today I have failed on a paid pentest task, and it’s making me feel down. And here I was so happy to get chosen for what looked like such a straightforward job… Well, no use crying over spilt milk, so here we go: Advent of Cyber - Day 2!

This day opens with “Log Analysis” written all over it, and looks like today there’s quite a lot that needs to get done, so we’ll start by spinning up the machine and getting Kali ready locally. The walkthrough video today is provided by CMNatic, and we’ll be taking a look at that later on.

Use the ls command to list the files present in the current directory. How many log files are present?

After logging into the remote system, the first task is rather simple: run ls and count the files.

Elf McSkidy managed to capture the logs generated by the web server. What is the name of this log file?

Easy tasks continue, not too many options here so moving swiftly on!

Begin investigating the log file from question #3 to answer the following questions.

On what day was Santa’s naughty and nice list stolen?

Being the lazy person I am, I made the assumption that since all the log entries are from one day it must also be the day which is the correct answer to this question, so a quick glance at the calendar to see what day that was solved the riddle. Now, for a more realistic and sensible approach, we’d grep for something relevant, like “santa” in this case, and what do you know? Only a handful of options, one of which looks like a perfect match!

What is the IP address of the attacker?

Since we know that the attacker took the list, and probably littered all over our logs with gobuster as well, we can safely say that the source IP on those log entries (the noisy run of 404s and the request that fetched the list) belongs to them.

What is the name of the important list that the attacker stole from Santa?

This would be the aforementioned list we found, including the file format extension.

Look through the log files for the flag. The format of the flag is: THM{}

Since we’re given the format, not that we didn’t know it already, it’s very easy to see that grepping for either “THM” or “{” should lead us to the right result, and sure enough, with the correct log file selected, that is what happens.
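The three grep steps above (find the request for the list, pick out the attacker by their scanner noise, pull the flag) can be done more robustly by parsing the access log rather than eyeballing it. The following is an added example, not code from the room or from CMNatic’s walkthrough: it works on a constructed log in Apache/nginx combined format, and the IP addresses, timestamps, file name and flag in it are made up for illustration and are not the room’s answers.

```python
import re
from collections import Counter

# Constructed sample in combined log format. Every value here (IPs from the
# documentation ranges, the date, the file name, the flag) is made up for this
# example; none of it is the room's log data.
SAMPLE_LOG = """\
192.0.2.10 - - [14/Dec/2022:10:01:07 +0000] "GET /admin HTTP/1.1" 404 162 "-" "gobuster/3.1.0"
192.0.2.10 - - [14/Dec/2022:10:01:07 +0000] "GET /backup HTTP/1.1" 404 162 "-" "gobuster/3.1.0"
198.51.100.7 - - [14/Dec/2022:10:01:09 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
192.0.2.10 - - [14/Dec/2022:10:01:10 +0000] "GET /uploads HTTP/1.1" 404 162 "-" "gobuster/3.1.0"
192.0.2.10 - - [14/Dec/2022:10:01:12 +0000] "GET /santa-list-example.txt HTTP/1.1" 200 5120 "-" "curl/7.85.0"
198.51.100.7 - - [14/Dec/2022:10:02:00 +0000] "GET /about.html HTTP/1.1" 200 874 "-" "Mozilla/5.0"
192.0.2.10 - - [14/Dec/2022:10:02:03 +0000] "GET /cgi-bin HTTP/1.1" 404 162 "-" "THM{constructed_example_flag}"
"""

# One combined-format line: client IP, ident, user, [timestamp], "request",
# status, size, "referer", "user-agent".
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse(log_text):
    """Parse combined-format lines into dicts, silently skipping malformed lines."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["status"] = int(e["status"])
            entries.append(e)
    return entries


def find_requests(entries, keyword):
    """Equivalent of grep -i <keyword>: entries whose request path mentions the keyword."""
    return [e for e in entries if keyword.lower() in e["path"].lower()]


def attacker_ip(entries):
    """The noisiest source by 404 count: a directory brute-force leaves a trail of misses."""
    misses = Counter(e["ip"] for e in entries if e["status"] == 404)
    return misses.most_common(1)[0][0] if misses else None


def stolen_file(entries, keyword):
    """First successful (2xx) fetch of a path matching keyword: the theft itself, with day and IP."""
    for e in find_requests(entries, keyword):
        if 200 <= e["status"] < 300:
            day = e["ts"].split(":", 1)[0]          # "14/Dec/2022" from "14/Dec/2022:10:01:12 +0000"
            return {"day": day, "ip": e["ip"], "file": e["path"].rsplit("/", 1)[-1]}
    return None


def find_flags(log_text):
    """grep -o 'THM{[^}]*}' over the raw text, since the flag may sit in any field (here the UA)."""
    return re.findall(r"THM\{[^}]*\}", log_text)


if __name__ == "__main__":
    entries = parse(SAMPLE_LOG)
    print("attacker:", attacker_ip(entries))
    print("theft:", stolen_file(entries, "santa"))
    print("flags:", find_flags(SAMPLE_LOG))
```

Keying the attacker on 404 volume rather than on the user-agent string is deliberate: the scanner banner can be changed with a flag, but a directory brute-force cannot avoid producing misses. The same three results come out of `grep -i santa`, `awk '{print $1}' | sort | uniq -c | sort -rn` and `grep -o 'THM{[^}]*}'` on the real box.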

Interested in log analysis?

In fact I am, it’s a nice way to look like you’re doing something! Err, I mean, actually dig something useful up. I’ve done both of the rooms listed already, but they’re definitely worth checking out! Anyhow, thanks for one extra point, and see you tomorrow!

This post is licensed under CC BY 4.0 by the author.