Learning Objectives
In this task, we will focus on the following vital learnings to assist Forensic McBlue in uncovering the potential incident:
- Revisiting log files and their importance.
- Understanding what a proxy is and breaking down the contents of a proxy log.
- Building Linux command-line skills to parse log entries manually.
- Analysing a proxy log based on typical use cases.
Questions:
How many unique IP addresses are connected to the proxy server?
Command
cut -d ' ' -f2 access.log | sort | uniq -c | sort -n | wc -l
Answer
9
How many unique domains were accessed by all workstations?
Command
cut -d ' ' -f3 access.log | cut -d ':' -f1 | sort | uniq -c | sort -n | wc -l
Answer
111
What status code is generated by the HTTP requests to the least accessed domain?
Command
cut -d ' ' -f3,6 access.log | grep partnerservices
Answer
503
Based on the high count of connection attempts, what is the name of the suspicious domain?
Command
cut -d ' ' -f3 access.log | cut -d ':' -f1 | sort | uniq -c | sort -n | tail -n 10
Answer
frostlings.bigbadstash.thm
What is the source IP of the workstation that accessed the malicious domain?
Command
cut -d ' ' -f2,3 access.log | grep frostlings
Answer
10.10.185.225
How many requests were made on the malicious domain in total?
Command
cut -d ' ' -f2,3 access.log | grep frostlings.big | wc -l
Answer
1581
Having retrieved the exfiltrated data, what is the hidden flag?
Command
grep frostlings.bigbadstash.thm access.log | cut -d ' ' -f5 | cut -d '=' -f2 | base64 -d | grep THM
Answer
THM{a_gift_for_you_awesome_analyst!}
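The same analysis as one reusable script, added here as an example and not part of the original task. It assumes the field layout the walkthrough's cut commands rely on (field 2 = client IP, field 3 = host:port, field 5 = requested URL, field 6 = HTTP status) and builds a small constructed log to run against; the domain is matched on field 3 rather than by substring, and the exfiltrated base64 is decoded one request at a time.

```shell
#!/bin/sh
# Added example, not part of the original task. Assumes the field layout the
# walkthrough's cut commands rely on (field 2 = client IP, field 3 = host:port,
# field 5 = requested URL, field 6 = HTTP status). All log lines are constructed.
set -u
LOG="$(mktemp)"
enc() { printf '%s' "$1" | base64 | tr -d '\n'; }   # only used to build the sample
cat > "$LOG" <<EOF
2023-12-01T09:00:01 10.0.0.5 example-shop.thm:443 GET https://example-shop.thm/ 200
2023-12-01T09:00:02 10.0.0.6 example-shop.thm:443 GET https://example-shop.thm/cart 200
2023-12-01T09:00:03 10.0.0.5 news.thm:80 GET http://news.thm/ 200
2023-12-01T09:00:04 10.0.0.8 news.thm:80 GET http://news.thm/today 200
2023-12-01T09:00:05 10.0.0.7 partner.thm:443 GET https://partner.thm/api 503
2023-12-01T09:00:06 10.0.0.9 stash.evil.thm:80 GET http://stash.evil.thm/?data=$(enc 'id,note') 200
2023-12-01T09:00:07 10.0.0.9 stash.evil.thm:80 GET http://stash.evil.thm/?data=$(enc '1,THM{constructed_example}') 200
2023-12-01T09:00:08 10.0.0.9 stash.evil.thm:80 GET http://stash.evil.thm/?data=$(enc '2,ok') 200
EOF

# Lines for one domain, matched on field 3 so a substring cannot hit other hosts or URLs.
for_domain() { awk -v d="$2" 'index($3, d ":") == 1' "$1"; }

unique_clients()     { cut -d ' ' -f2 "$1" | sort -u | wc -l | tr -d ' '; }
unique_domains()     { cut -d ' ' -f3 "$1" | cut -d ':' -f1 | sort -u | wc -l | tr -d ' '; }
top_domains()        { cut -d ' ' -f3 "$1" | cut -d ':' -f1 | sort | uniq -c | sort -rn | head -n "$2"; }
domain_status()      { for_domain "$1" "$2" | cut -d ' ' -f6 | sort -u; }
clients_for_domain() { for_domain "$1" "$2" | cut -d ' ' -f2 | sort -u; }
request_count()      { for_domain "$1" "$2" | wc -l | tr -d ' '; }

# Decode the base64 carried in the data= parameter. -f2- keeps any '=' padding,
# and decoding chunk by chunk means one bad or padded chunk cannot truncate the rest.
decode_exfil() {
  for_domain "$1" "$2" | cut -d ' ' -f5 | cut -d '=' -f2- | while read -r chunk; do
    printf '%s' "$chunk" | base64 -d 2>/dev/null && printf '\n'
  done
}

echo "clients: $(unique_clients "$LOG"), domains: $(unique_domains "$LOG")"
top_domains "$LOG" 3
echo "status for partner.thm: $(domain_status "$LOG" partner.thm)"
decode_exfil "$LOG" stash.evil.thm
```

Point the functions at the task's access.log instead of the constructed file to reproduce the answers above.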