Writeup: Advent of Cyber 4 Day 2
Link: Advent Of Cyber 4 on TryHackMe
Ensure you are connected to the deployable machine in this task.
Answer: No answer needed
Use the ls command to list the files present in the current directory. How many log files are present?
By typing ls, we can see 2 files: SSHD.log and webserver.log
Answer: 2
Elf McSkidy managed to capture the logs generated by the web server. What is the name of this log file?
Answer: webserver.log
Elf McSkidy managed to capture the logs generated by the web server. What is the name of this log file?
Answer: No answer needed
On what day was Santa's naughty and nice list stolen?
If we just use the more webserver.log command, we can see the contents of the log.
head webserver.log would have worked too, and printed the first 10 lines of the file
One date is prevalent: 18/Nov/2022. If we look at a calendar, that was a Friday.
Answer: Friday
What is the IP address of the attacker?
At the same line as the question above, we can see an IP address.
Answer: 10.10.249.191
What is the name of the important list that the attacker stole from Santa?
For this one we can simply use grep with a special string that works for 200 OK status codes (ie. the server succeeded in returning some content).
Command: grep " 200 " webserver.log
Why the space? Because otherwise we'll get all of the endpoints with the number 200 in them, and we don't want that.
Answer: santaslist.txt
Look through the log files for the flag. The format of the flag is: THM{}
Here we can just grep for the flag format, like so: grep "THM{" *.log
Answer: THM{STOLENSANTASLIST}