Day 2 Advent of Cyber 2024 - TryHackMe Walkthrough

 Day 2: One man's false positive is another man's potpourri.

Welcome to Day 2 of the Advent of Cyber 2024 challenge by TryHackMe! Today’s challenge is all about analyzing logs to uncover suspicious activity and decode important details. Let's dive into the step-by-step walkthrough to solve the puzzle: “One man's false positive is another man's potpourri.”


Challenge Context

We are tasked with investigating suspicious login activities and commands related to Glitch, a key character in the Wareville storyline. By analyzing the logs, we aim to answer the given questions and understand how Glitch played a role in fixing the systems.

Step-by-Step Solution

Question 1: What is the name of the account causing all the failed login attempts?

  • Analysis: By scanning the provided logs, we observed repeated login failures.
  • Clue: The account responsible for the failed login attempts is consistently mentioned.
  • Answer: service_admin


Question 2: How many failed logon attempts were observed?

  • Analysis: The log entries included multiple failed attempts. By filtering the logs for failed login events, we counted all occurrences.
  • Answer: 6791

Question 3: What is the IP address of Glitch?

  • Analysis: Logs indicate the unique IP address associated with Glitch’s activities. Filtering the logs based on Glitch's successful login events revealed the IP address.
  • Answer: 10.0.255.1

Question 4: When did Glitch successfully log on to ADM-01?

  • Analysis: By reviewing the successful logon entries for Glitch on the ADM-01 system, the timestamp was revealed.
  • Answer: Dec 1, 2024 08:54:39.000

Question 5: What is the decoded command executed by Glitch to fix the systems of Wareville?

  • Analysis: Logs showed a command executed by Glitch. Decoding the command revealed its purpose in system repair.
  • Command: Install-WindowsUpdate -AcceptAll -AutoReboot

Explanation: Install-WindowsUpdate is a cmdlet from the PSWindowsUpdate module; with -AcceptAll it installs every pending Windows update without prompting, and -AutoReboot restarts the system once the updates have been applied.
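The whole procedure above (count failures per account, find the successful logon with its source IP and timestamp, decode the command) as one added Python example. It is not part of the original walkthrough: the log lines are constructed for illustration, not the room's data, and it assumes the command was passed through PowerShell's -EncodedCommand switch, which carries base64 of UTF-16LE text.

```python
import base64
import re
from collections import Counter

# Constructed sample lines (not the room's real log data); the encoded command is built
# the way PowerShell's -EncodedCommand expects it: UTF-16LE text, then base64.
ENCODED = base64.b64encode(
    "Install-WindowsUpdate -AcceptAll -AutoReboot".encode("utf-16le")).decode("ascii")
SAMPLE_LOGS = f"""\
2024-12-01 08:50:01 ADM-01 LOGON_FAILED user=service_admin src=10.0.1.77
2024-12-01 08:50:02 ADM-01 LOGON_FAILED user=service_admin src=10.0.1.77
2024-12-01 08:50:03 ADM-01 LOGON_FAILED user=service_admin src=10.0.1.77
2024-12-01 08:51:10 ADM-01 LOGON_FAILED user=backup src=10.0.1.12
2024-12-01 08:54:39 ADM-01 LOGON_SUCCESS user=glitch src=10.0.255.1
2024-12-01 08:55:02 ADM-01 PROCESS user=glitch src=10.0.255.1 cmd=powershell.exe -EncodedCommand {ENCODED}
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<host>\S+) (?P<event>\S+) "
                     r"user=(?P<user>\S+) src=(?P<ip>\S+)(?: cmd=(?P<cmd>.*))?$")
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENC_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

def parse_logs(text):
    """Parse each line into a dict of fields; lines that do not match are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def failed_logons_by_account(text):
    """Q1/Q2: failures per account; most_common(1) gives the noisiest account."""
    return Counter(e["user"] for e in parse_logs(text) if e["event"] == "LOGON_FAILED")

def successful_logons(text, user):
    """Q3/Q4: (timestamp, host, source IP) for each successful logon by `user`."""
    return [(e["ts"], e["host"], e["ip"]) for e in parse_logs(text)
            if e["event"] == "LOGON_SUCCESS" and e["user"] == user]

def decode_encoded_command(cmdline):
    """Q5: recover the plaintext behind -EncodedCommand, or None if absent/invalid.
    The payload is UTF-16LE, so decoding it as UTF-8 would produce garbage."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def decoded_commands(text, user):
    """Every decoded command `user` ran, with its timestamp, in log order."""
    return [(e["ts"], decode_encoded_command(e["cmd"])) for e in parse_logs(text)
            if e["user"] == user and e["cmd"] and decode_encoded_command(e["cmd"])]
```

Pointing `parse_logs` at a real export only needs `LINE_RE` adjusted to that log's field layout; the counting, filtering and decoding steps stay the same.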


Tools Used

  • Log Filtering Tools: For analyzing and extracting relevant log entries.
  • Regex and Grep: To filter and search specific keywords, IPs, and timestamps efficiently.
  • Decoding Commands: Scripting knowledge used to decode the encoded command and understand its purpose.

Key Takeaways

  • Log analysis is a vital skill in cybersecurity.
  • Tools like grep, awk, and regex are your best friends for filtering and analyzing logs efficiently.
  • PowerShell commands play a crucial role in system administration and attack remediation.

Conclusion

Day 2 of Advent of Cyber 2024 emphasized the importance of analyzing logs to uncover and mitigate suspicious activities. This walkthrough showcases the step-by-step approach to solving the questions while enhancing your skills in log analysis and cybersecurity incident response.

Stay tuned for more daily walkthroughs as we continue to secure Wareville and uncover Glitch’s journey!
