-
Notifications
You must be signed in to change notification settings - Fork 1
Writeup: Advent of Cyber 4 Day 2
Link: Advent Of Cyber 4 on TryHackMe
Ensure you are connected to the deployable machine in this task.
Answer: No answer needed
Use the
ls
command to list the files present in the current directory. How many log files are present?
By typing ls
, we can see 2 files: SSHD.log
and webserver.log
Answer: 2
Elf McSkidy managed to capture the logs generated by the web server. What is the name of this log file?
Answer: webserver.log
Begin investigating the log file from question #3 to answer the following questions.
Answer: No answer needed
On what day was Santa's naughty and nice list stolen?
If we just use the more webserver.log
command, we can see the contents of the log.
head webserver.log
would have worked too, and printed the first 10 lines of the file
One date is prevalent: 18/Nov/2022
. If we look at a calendar, that was a Friday.
Answer: Friday
What is the IP address of the attacker?
At the same line as the question above, we can see an IP address.
Answer: 10.10.249.191
What is the name of the important list that the attacker stole from Santa?
For this one we can simply use grep
with a special string that works for 200 OK
status codes (ie. the server succeeded in returning some content).
Command: grep " 200 " webserver.log
Why the space? Because otherwise we'll get all of the endpoints with the number 200
in them, and we don't want that.
Answer: santaslist.txt
Look through the log files for the flag. The format of the flag is:
THM{}
Here we can just grep
for the flag format, like so: grep "THM{" *.log
Answer: THM{STOLENSANTASLIST}