Advent Of Cyber | Day-2- Santa's Naughty & Nice Log - Log File Analysis

Posted on Dec 4, 2022
tl;dr: Log File Analysis

Use the ls command to list the files present in the current directory. How many log files are present?

ssh elfmcblue@<ip_address>

Log in with the password tryhackme! (note that -p is the port option of ssh, not the password).

Explanation

elfmcblue@day-2-log-analysis:~$ ls *.log | wc -l

2

Elf McSkidy managed to capture the logs generated by the web server. What is the name of this log file?

webserver.log

On what day was Santa’s naughty and nice list stolen?

  • Based on the result, we can conclude that the attacker ran a directory brute force against the site to enumerate the available directories.
  • The user agent ("gobuster/3.0.1") identifies the tool: gobuster is a directory/file, DNS and VHost busting tool written in Go.

elfmcblue@day-2-log-analysis:~$ grep "santa" webserver.log

10.10.249.191 - - [18/Nov/2022:12:28:16 +0000] "GET /santa HTTP/1.1" 404 437 "-" "gobuster/3.0.1"
10.10.249.191 - - [18/Nov/2022:12:28:17 +0000] "GET /santa_claus HTTP/1.1" 404 437 "-" "gobuster/3.0.1"
10.10.249.191 - - [18/Nov/2022:12:28:17 +0000] "GET /evilsanta HTTP/1.1" 404 437 "-" "gobuster/3.0.1"
10.10.249.191 - - [18/Nov/2022:12:28:18 +0000] "GET /santana HTTP/1.1" 404 437 "-" "gobuster/3.0.1"
10.10.249.191 - - [18/Nov/2022:12:28:18 +0000] "GET /santabarbara HTTP/1.1" 404 437 "-" "gobuster/3.0.1"
10.10.249.191 - - [18/Nov/2022:12:34:39 +0000] "GET /santaslist.txt HTTP/1.1" 200 133872 "-" "Wget/1.19.4 (linux-gnu)"
10.10.249.191 - - [18/Nov/2022:12:35:18 +0000] "GET /santafe HTTP/1.1" 404 437 "-" "gobuster/3.0.1"
10.10.249.191 - - [18/Nov/2022:12:35:18 +0000] "GET /jasonsantamar-20 HTTP/1.1" 404 437 "-" "gobuster/3.0.1"
10.10.249.191 - - [18/Nov/2022:12:35:18 +0000] "GET /santa_maria_maggiore HTTP/1.1" 404 437 "-" "gobuster/3.0.1"
10.10.249.191 - - [18/Nov/2022:12:35:18 +0000] "GET /santa-clara-county HTTP/1.1" 404 437 "-" "gobuster/3.0.1"
10.10.249.191 - - [18/Nov/2022:12:35:20 +0000] "GET /texas-santa-barbara HTTP/1.1" 404 437 "-" "gobuster/3.0.1"
10.10.249.191 - - [18/Nov/2022:12:35:21 +0000] "GET /topicsantafe HTTP/1.1" 404 437 "-" "gobuster/3.0.1"
10.10.249.191 - - [18/Nov/2022:12:35:22 +0000] "GET /jasonsantamaria HTTP/1.1" 404 437 "-" "gobuster/3.0.1"
10.10.249.191 - - [18/Nov/2022:12:35:27 +0000] "GET /carlossantana_75 HTTP/1.1" 404 437 "-" "gobuster/3.0.1"
  • Yeah, I am crazy :P:
  • The pipeline below takes the timestamp field of the santaslist.txt request, keeps the day, month and year, and lets date print the weekday.

elfmcblue@day-2-log-analysis:~$ date -d "$(grep "santaslist.txt" webserver.log | cut -d' ' -f4 | sed 's/\[//g' | cut -d':' -f1 | sed 's/\// /g')" +%A

Friday

What is the IP address of the attacker?

elfmcblue@day-2-log-analysis:~$ grep "santaslist.txt" webserver.log | cut -d' ' -f1
10.10.249.191

What is the name of the important list that the attacker stole from Santa?

  • By filtering the data with grep and cut, we can examine the user agent of each request. The entry with the user agent Wget/1.19.4 (linux-gnu) stands out, mainly because its status code 200 indicates a successful HTTP request, whereas every gobuster request received a 404.
  • According to this analysis, the stolen file is: santaslist.txt

elfmcblue@day-2-log-analysis:~$ echo "method path protocol status_code bytes user_agent" && grep "santa" webserver.log | cut -d'"' -f2,3,6 | sed 's/"//g'

method path protocol status_code bytes user_agent
GET /santa HTTP/1.1 404 437 gobuster/3.0.1
GET /santa_claus HTTP/1.1 404 437 gobuster/3.0.1
GET /evilsanta HTTP/1.1 404 437 gobuster/3.0.1
GET /santana HTTP/1.1 404 437 gobuster/3.0.1
GET /santabarbara HTTP/1.1 404 437 gobuster/3.0.1
GET /santaslist.txt HTTP/1.1 200 133872 Wget/1.19.4 (linux-gnu)
GET /santafe HTTP/1.1 404 437 gobuster/3.0.1
GET /jasonsantamar-20 HTTP/1.1 404 437 gobuster/3.0.1
GET /santa_maria_maggiore HTTP/1.1 404 437 gobuster/3.0.1
GET /santa-clara-county HTTP/1.1 404 437 gobuster/3.0.1
GET /texas-santa-barbara HTTP/1.1 404 437 gobuster/3.0.1
GET /topicsantafe HTTP/1.1 404 437 gobuster/3.0.1
GET /jasonsantamaria HTTP/1.1 404 437 gobuster/3.0.1
GET /carlossantana_75 HTTP/1.1 404 437 gobuster/3.0.1
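To automate the reasoning used in this walkthrough (a burst of 404s from one client, then a single 200 for santaslist.txt from the same address, and the weekday of that request), here is an added Python example that is not part of the original post. The log it parses is a constructed sample modelled on the webserver.log entries shown above plus one benign client, and the 404 threshold is an assumed value.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in combined log format, modelled on the webserver.log entries above plus one benign client.
SAMPLE_LOG = """\
10.10.249.191 - - [18/Nov/2022:12:28:16 +0000] "GET /santa HTTP/1.1" 404 437 "-" "gobuster/3.0.1"
10.10.249.191 - - [18/Nov/2022:12:28:17 +0000] "GET /santa_claus HTTP/1.1" 404 437 "-" "gobuster/3.0.1"
10.10.249.191 - - [18/Nov/2022:12:28:17 +0000] "GET /evilsanta HTTP/1.1" 404 437 "-" "gobuster/3.0.1"
10.10.10.5 - - [18/Nov/2022:12:30:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.10.249.191 - - [18/Nov/2022:12:34:39 +0000] "GET /santaslist.txt HTTP/1.1" 200 133872 "-" "Wget/1.19.4 (linux-gnu)"
10.10.249.191 - - [18/Nov/2022:12:35:18 +0000] "GET /santafe HTTP/1.1" 404 437 "-" "gobuster/3.0.1"
"""

# Fields of the combined format: client, timestamp, request line, status, bytes, referer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse(log_text):
    """Parse lines into dicts; lines not in combined format are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["status"] = int(e["status"])
        e["size"] = 0 if e["size"] == "-" else int(e["size"])
        # Keep the year, so the weekday does not depend on when this runs.
        e["when"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        entries.append(e)
    return entries

def suspect_scanners(entries, min_404=3):
    """Clients with many 404s: the footprint of a wordlist directory brute force (threshold assumed)."""
    misses = Counter(e["ip"] for e in entries if e["status"] == 404)
    return {ip: n for ip, n in misses.items() if n >= min_404}

def successful_fetches(entries, ips):
    """200 responses to suspect clients: what the scanner actually retrieved, and on which weekday."""
    return [(e["ip"], e["path"], e["size"], e["ua"], e["when"].strftime("%A"))
            for e in entries if e["ip"] in ips and e["status"] == 200]

if __name__ == "__main__":
    ents = parse(SAMPLE_LOG)
    for ip, path, size, ua, day in successful_fetches(ents, suspect_scanners(ents)):
        print(f"{ip} fetched {path} ({size} bytes) with {ua!r} on {day}")
```

Run against the real webserver.log by replacing SAMPLE_LOG with the file contents; the benign client never appears in the output because it produced no 404s.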

Look through the log files for the flag. The format of the flag is: THM

elfmcblue@day-2-log-analysis:~$ grep "^THM{"  SSHD.log webserver.log

SSHD.log:THM{STOLENSANTASLIST}

Ending:

I hope you enjoyed this walkthrough and you learned something new ;).