Welcome to day 2 of Advent of Cyber 2022. I had been waiting for day 2 since this afternoon, but it was released around 8 pm. So, without further delay, let's move on to task 2.
Santa's Naughty & Nice Log
This room focuses on a few basic Linux commands: ls, cd and grep. I hope you are familiar with them. First, let's understand what a log file is. A log file is a record of the events an application or service has handled, such as login attempts, password changes and network traffic. Whenever something suspicious happens, the log is where we go to reconstruct what the attacker did. On Linux, system and application logs are normally kept under /var/log.
Log files can contain hundreds of thousands of entries, so how do you find the one you are looking for? This is where the grep command comes in. grep prints every line that matches the pattern you give it (by default the pattern is a regular expression and the match is case-sensitive). In this task you will see how useful grep and log files are to an organisation investigating an incident. Let's do this.
Question 1
You just need to start the AttackBox and the target machine.
Question 2
Very easy question. Use the ls command and count how many log files there are.
Question 3
Yes, you guessed it right. It is the webserver.log file, which stores the logs of a web server.
Question 4
Investigate this log file: open it and read through the entries.
Question 5
While investigating this log file, you must have noticed a date: 18 November 2022. Look it up on a calendar; it was a Friday.
Question 6
Every request in this log file comes from the same IP address, 10.10.249.191. That is the attacker's IP address.
Question 7
Here comes the use of the grep command. You need to find the name of Santa's list. I thought: why not search for the word santa to find the name of the list?
grep "santa" webserver.log
We got some results for our input "santa". Note that grep is case-sensitive by default; had the file used different capitalisation, the -i option would have been needed. Did you find the name of the list? Correct! It is santaslist.txt.
Question 8
Now we need to find the flag. I tried searching webserver.log for THM, but it was not there. Do you remember the other log file? Yes, SSHD.log. Let's try to find the flag in that file.
grep "THM" SSHD.log
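Putting questions 5 to 8 together, here is an added shell example of my own (not code from the room or from TryHackMe) that runs the same kind of triage over a couple of constructed log files: which IPs appear and how often, which dates are covered, which paths were requested on lines mentioning santa, and whether anything shaped like a THM flag is present. The log lines, the access-log layout, the host name, user names, PIDs and the THM{example_flag} value are all assumptions made up for the example, not data from the room.

```shell
#!/bin/sh
# Added example: grep/awk triage of an access log and an sshd log.
# Every log line below is constructed for this example. The access-log layout
# (client IP, timestamp, request line, status, size) is assumed, modelled on the
# common web-server log format, and THM{example_flag} is a placeholder.

TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
WEB_LOG="$TMP/webserver.log"
SSH_LOG="$TMP/SSHD.log"

cat > "$WEB_LOG" <<'EOF'
10.10.249.191 - - [18/Nov/2022:12:00:01 +0000] "GET / HTTP/1.1" 200 1043
10.10.249.191 - - [18/Nov/2022:12:00:05 +0000] "GET /robots.txt HTTP/1.1" 404 208
10.10.249.191 - - [18/Nov/2022:12:01:10 +0000] "GET /santaslist.txt HTTP/1.1" 200 5120
10.10.249.191 - - [18/Nov/2022:12:01:12 +0000] "POST /login HTTP/1.1" 401 312
EOF

# Constructed sshd lines; the flag line is planted, as the room's file plants its flag.
cat > "$SSH_LOG" <<'EOF'
Nov 18 12:02:01 santa-web sshd[1234]: Failed password for root from 10.10.249.191 port 51234 ssh2
Nov 18 12:02:09 santa-web sshd[1236]: Accepted password for elf from 10.10.249.191 port 51240 ssh2
Nov 18 12:02:10 santa-web sshd[1236]: THM{example_flag}
EOF

# Distinct client IPs (first field of each access-log line).
distinct_ips() {
    awk '{ print $1 }' "$1" | sort -u
}

# Request count per client IP, busiest first.
requests_per_ip() {
    awk '{ print $1 }' "$1" | sort | uniq -c | sort -rn
}

# Distinct dates on which requests were logged (dd/Mon/yyyy from the timestamp).
activity_dates() {
    grep -o '\[[0-9][0-9]/[A-Za-z][A-Za-z][A-Za-z]/[0-9][0-9][0-9][0-9]' "$1" | cut -c2- | sort -u
}

# Requested paths on lines matching a pattern. -i makes the search
# case-insensitive (grep is case-sensitive by default); -- stops a pattern
# that begins with '-' from being parsed as an option.
requested_paths() {
    grep -i -- "$2" "$1" | awk '{ print $7 }' | sort -u
}

# Anything shaped like a THM{...} flag, from any log file.
extract_flags() {
    grep -o 'THM{[^}]*}' "$1" | sort -u
}

echo "Client IPs:";               distinct_ips "$WEB_LOG"
echo "Requests per IP:";          requests_per_ip "$WEB_LOG"
echo "Dates seen:";               activity_dates "$WEB_LOG"
echo "Paths on 'santa' lines:";   requested_paths "$WEB_LOG" santa
echo "Flags in webserver.log:";   extract_flags "$WEB_LOG"
echo "Flags in SSHD.log:";        extract_flags "$SSH_LOG"
```

The functions take the log path as their first argument, so they can be pointed at the real files on the target machine once you have them. The awk field number in requested_paths depends on the log layout assumed above; check with a quick look at the file before trusting it on a differently formatted log.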
Question 9
It suggests completing the Windows Event Logs room or the Endpoint Security Monitoring module.
Congratulations! We have completed this task. A new task will be added tomorrow. Until then, you can follow me here for upcoming blogs on Advent of Cyber 2022. At the end, you will get a certificate from TryHackMe for completing the challenge.
Keep learning and keep spreading Knowledge.