Advent of Cyber 2023 — Day 7
How many unique IP addresses are connected to the proxy server?
cut -d " " -f2 access.log | sort | uniq -c | sort -n | wc -l
9
How many unique domains were accessed by all workstations?
cut -d " " -f3 access.log | cut -d ":" -f1 | sort | uniq -c | sort -n | wc -l
111
What status code is generated by the HTTP requests to the least accessed domain?
cut -d " " -f3 access.log | cut -d ":" -f1 | sort | uniq -c | sort -n
503
Based on the high count of connection attempts, what is the name of the suspicious domain?
One of the domains uses ".thm", which seems to be the right answer.
frostlings.bigbadstash.thm
What is the source IP of the workstation that accessed the malicious domain?
cut -d " " -f2,3 access.log | cut -d ":" -f1 | sort | uniq -c | sort -n | tail -1
10.10.185.225
How many requests were made on the malicious domain in total?
We already know this from the output of the previous command.
1581
Having retrieved the exfiltrated data, what is the hidden flag?
grep frostlings.bigbadstash.thm access.log | cut -d " " -f5 | cut -d "=" -f2 | base64 -d
THM{a_gift_for_you_awesome_analyst!}
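The same seven pipelines, wrapped in shell functions so each answer is reproducible, run here over a small constructed log (not the room's access.log) that follows the Day 7 layout of timestamp, source IP, domain:port, method, URI, status and size. This is an added example, not code from the original write-up; the sample IPs, domains and the flag inside the goodies= parameter are made up.

```shell
#!/bin/sh
# Added example, not part of the original write-up: the Day 7 pipelines
# wrapped in functions and run over a constructed log that uses the same
# "timestamp source_ip domain:port method uri status size" layout, so the
# field numbers (cut -f2, -f3, -f5) match those used in the write-up.
SAMPLE_LOG=$(cat <<'EOF'
2023/10/25-15:42:02 10.10.140.96 hr.example.thm:443 CONNECT / 200 0
2023/10/25-15:42:03 10.10.140.96 hr.example.thm:443 CONNECT / 200 0
2023/10/25-15:42:05 10.10.185.225 frostlings.bigbadstash.thm:80 GET /?goodies=VEhNe3NhbXBs 200 0
2023/10/25-15:42:06 10.10.185.225 frostlings.bigbadstash.thm:80 GET /?goodies=ZV9mbGFnX2hl 200 0
2023/10/25-15:42:07 10.10.185.225 frostlings.bigbadstash.thm:80 GET /?goodies=cmV9 200 0
2023/10/25-15:42:09 10.10.12.5 docs.example.thm:443 CONNECT / 503 0
EOF
)
log() { printf '%s\n' "$SAMPLE_LOG"; }

# Q1: distinct client IPs (field 2); sort -u replaces sort | uniq -c | sort -n.
unique_ips() { log | cut -d ' ' -f2 | sort -u | wc -l | tr -d ' '; }
# Q2: distinct domains, dropping the :port suffix from field 3.
domains() { log | cut -d ' ' -f3 | cut -d ':' -f1; }
unique_domains() { domains | sort -u | wc -l | tr -d ' '; }
# Q3: the least-requested domain is the first line of the ascending count
#     list; its status code is field 6 of the matching log lines.
least_domain() { domains | sort | uniq -c | sort -n | head -n 1 | awk '{print $2}'; }
status_for() { log | grep -F " $1:" | cut -d ' ' -f6 | sort -u; }
# Q4: the most-requested domain is the suspicious one.
top_domain() { domains | sort | uniq -c | sort -n | tail -n 1 | awk '{print $2}'; }
# Q5/Q6: which source IP(s) talked to a domain, and how many requests were made.
source_ips_for() { log | grep -F " $1:" | cut -d ' ' -f2 | sort -u; }
request_count_for() { log | grep -F -c " $1:"; }
# Q7: rebuild the exfiltrated data from the goodies= parameter in field 5;
#     base64 -d ignores the newlines between the per-request chunks.
decode_goodies() { log | grep -F " $1:" | cut -d ' ' -f5 | cut -d '=' -f2 | base64 -d; }

d=$(top_domain)
echo "unique IPs: $(unique_ips), unique domains: $(unique_domains)"
echo "least accessed: $(least_domain) -> status $(status_for "$(least_domain)")"
echo "suspicious: $d from $(source_ips_for "$d") ($(request_count_for "$d") requests)"
echo "decoded: $(decode_goodies "$d")"
```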
That’s it | Visit mansoorbarri.com for other hacking & IT related articles.