Day 7 of Advent of Cyber 2023

Back story

In response to being demoted to regional manager during a company acquisition, Tracy McGreedy sought revenge by deploying malicious software called CrypTOYminer. This malware, acquired from the dark web, was intended to disrupt the company's operations. Unbeknownst to McGreedy, the malware also had a data-stealing feature, benefiting its creator.

Following the malware's activation, the network experienced a surge in unusual traffic, and a significant amount of data was observed leaving the network. Forensic McBlue has mobilized a team to examine proxy logs and decipher the nature of the suspicious network activity.

What is the dark web?

The dark web is a concealed segment of the internet, inaccessible through standard browsers. It prioritizes user anonymity, requiring specialized tools like Tor for access. While it serves legitimate purposes, such as secure communication, it is also associated with illegal activities like the sale of drugs and hacking tools.

Learning objectives:

In this assignment, our emphasis will be on essential skills to aid Forensic McBlue in identifying potential incidents:

  1. Reviewing the significance of log files.

  2. Grasping the concept of proxies and dissecting proxy log contents.

  3. Developing proficiency in Linux command-line operations for manual log entry parsing.

  4. Analyzing proxy logs through real-world scenarios.

A typical web-access log entry, broken down into its fields:

Field             | Value                        | Description
------------------+------------------------------+-------------------------------------------------------------------
Source IP Address | 158.32.51.188                | The source (computer) that initiated the HTTP request.
Timestamp         | [25/Oct/2023:09:11:14 +0000] | The date and time when the event occurred.
HTTP Request      | GET /robots.txt HTTP/1.1     | The actual HTTP request made, including the request method, URI path, and HTTP version.
Status Code       | 200                          | The response of the web application.
User Agent        | curl/7.68.0                  | The user agent reported by the source of the request. It is typically tied to the application used to invoke the HTTP request.

What is a proxy server?

A proxy server is an intermediary server that acts as a gateway between a user's device and the internet. When a user requests a service or resource, the proxy server forwards the request on behalf of the user to the destination server. The response from the destination server is then relayed back to the user through the proxy.

Proxy servers serve several purposes, including improving security by acting as a buffer between users and the internet, enhancing performance by caching frequently accessed resources, and providing anonymity by masking the user's IP address. They can be used for content filtering, access control, and to bypass geographical restrictions. Proxy servers play a crucial role in network management, ensuring efficient and secure communication between users and the internet.

Attack Technique                       | Potential Indicator
---------------------------------------+-------------------------------------------------------------------------
Download attempt of a malicious binary | Connection to a known malicious URL binary
Data exfiltration                      | High count of outbound bandwidth due to file upload
Continuous C2 connection               | High count of outbound connections to a single domain in regular intervals

Accessing the Dataset

Before proceeding, review the tasks outlined in the connection card for Day 7, which instruct you to start the Target Machine and use the split-screen view for the target.

Forensic McBlue emphasizes the importance of understanding log contents and introduces a hands-on approach. Click the "Start Machine" button to initiate the virtual machine, and navigate to the /home/ubuntu/Desktop/artefacts directory to find the proxy log file named access.log.

Chopping Down the Proxy Log

Log entries follow the format configured by McBlue on the Squid proxy server. Each entry includes a timestamp, source IP, domain:port, HTTP method, HTTP URI, status code, response size, and user agent. Using the Linux cut command, log entries can be split into columns for analysis. The User-Agent column needs care: it is wrapped in double quotes and contains spaces, so a plain space-delimited split breaks it into several pieces.

Linux Pipes

Linux pipes connect the output of one command to the input of the next, so several small tools can be chained into one analysis step. Examples include using grep and head to filter the connections made by a specific IP, and combining sort, uniq, and cut to list unique domains, count the connections to each, and sort the results.

Hunting Down the Malicious Traffic

Armed with these log analysis skills, the focus shifts to identifying suspicious traffic. A command sequence is provided to list the most accessed domains, which reveals potentially anomalous connections. One domain stands out; extracting and decoding the encoded strings in its requests uncovers sensitive AntarctiCrafts data, which points to a data exfiltration scenario.
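The three steps above (splitting the log with cut, chaining commands with pipes, and hunting the domain with the highest request count before decoding what was sent to it) worked end to end on a constructed log. This is an added example, not code from the room or from TryHackMe: every log line, hostname (stash.example-bad.thm and the others), IP address, the goodies= parameter and its payloads are made up for the demonstration. The field layout follows the Squid-style format the page lists (timestamp, source IP, domain:port, method, URI, status, size, quoted user agent), and the example assumes the encoded strings are base64.

```shell
#!/bin/sh
# Added example (not the room's or TryHackMe's own code): parse a Squid-style
# proxy log with cut and pipes, find the noisiest domain and decode what was
# sent to it. The log below is constructed; hostnames, IPs, the "goodies="
# parameter and its payloads are made up. Assumption: payloads are base64.

LOG="${TMPDIR:-/tmp}/aoc_day7_constructed_access.log"

# Field layout the page describes: timestamp, source IP, domain:port, method,
# URI, status, response size, user agent. The user agent is quoted and
# contains spaces, which is exactly what breaks a naive space-delimited cut.
cat > "$LOG" <<'EOF'
[2023/10/25:15:42:02] 10.0.0.12 updates.example-vendor.thm:443 CONNECT / 200 1028 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
[2023/10/25:15:42:05] 10.0.0.12 cdn.example-vendor.thm:443 CONNECT / 200 2211 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
[2023/10/25:15:42:07] 10.0.0.25 stash.example-bad.thm:80 GET /?goodies=aWQsbmFtZQ== 200 512 "curl/7.68.0"
[2023/10/25:15:42:08] 10.0.0.25 stash.example-bad.thm:80 GET /?goodies=NyxhbGljZQ== 200 512 "curl/7.68.0"
[2023/10/25:15:42:09] 10.0.0.25 stash.example-bad.thm:80 GET /?goodies=OCxib2I= 200 512 "curl/7.68.0"
[2023/10/25:15:42:10] 10.0.0.25 stash.example-bad.thm:80 GET /?goodies=VEhNe3Rlc3R9 200 512 "curl/7.68.0"
[2023/10/25:15:42:11] 10.0.0.40 updates.example-vendor.thm:443 CONNECT / 200 1028 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
[2023/10/25:15:42:12] 10.0.0.40 broken.example-vendor.thm:443 CONNECT / 503 0 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
[2023/10/25:15:42:14] 10.0.0.12 updates.example-vendor.thm:443 CONNECT / 200 1028 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
[2023/10/25:15:42:15] 10.0.0.40 cdn.example-vendor.thm:443 CONNECT / 200 2211 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
EOF

count_lines() { awk 'END { print NR }'; }

# Columns 1-7 contain no spaces, so cut -d ' ' is safe for them.
source_ips()     { cut -d ' ' -f 2 "$LOG" | sort -u; }
unique_domains() { cut -d ' ' -f 3 "$LOG" | cut -d ':' -f 1 | sort -u; }
top_domains()    { cut -d ' ' -f 3 "$LOG" | cut -d ':' -f 1 | sort | uniq -c | sort -rn; }

# Column 8 (user agent) has spaces: split on the double quote instead, so the
# whole quoted string comes back as one field.
user_agents()    { cut -d '"' -f 2 "$LOG" | sort | uniq -c | sort -rn; }

# Match on the column, not the whole line: a grep for 10.0.0.1 would also hit
# 10.0.0.12, and a domain name can appear inside a URI as well.
by_ip()            { awk -v ip="$1" '$2 == ip' "$LOG"; }
requests_to()      { awk -v d="$1" '{ split($3, h, ":"); if (h[1] == d) print }' "$LOG"; }
status_codes_for() { requests_to "$1" | cut -d ' ' -f 6 | sort -u; }

# Pull the goodies= value out of each URI sent to a domain and base64-decode
# it, one decoded line per request.
decode_exfil() {
    requests_to "$1" | cut -d ' ' -f 5 \
        | sed -n 's/.*goodies=\([^& ]*\).*/\1/p' \
        | while IFS= read -r chunk; do
            printf '%s' "$chunk" | base64 -d
            printf '\n'
          done
}

# Walk-through in the order the room asks its questions.
echo "Unique source IPs: $(source_ips | count_lines)"
echo "Unique domains:    $(unique_domains | count_lines)"
echo "Requests per domain:"; top_domains
suspect=$(top_domains | head -n 1 | awk '{ print $2 }')
echo "Most contacted: $suspect, $(requests_to "$suspect" | count_lines) requests from $(requests_to "$suspect" | cut -d ' ' -f 2 | sort -u)"
echo "Least contacted domain answers with: $(status_codes_for "$(top_domains | tail -n 1 | awk '{ print $2 }')")"
echo "Decoded data sent to $suspect:"; decode_exfil "$suspect"
```

In the constructed log the fourth-ranked domain is contacted once and answers 503, the most contacted one receives four small GET requests from a single workstation, and decoding their goodies= values yields a CSV header, two records and a flag-shaped string; on the room's real access.log the same functions apply unchanged because only the file contents differ.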

Conclusion

Congratulations on completing the investigation through log analysis. The discovered stolen data suggests a case of data exfiltration. The next steps for Forensic McBlue's team involve applying mitigation measures, such as blocking the malicious domain, to prevent further impact.

Task 1

How many unique IP addresses are connected to the proxy server?

Answer: 9

Task 2

How many unique domains were accessed by all workstations?

Answer: 111

Task 3

What status code is generated by the HTTP requests to the least accessed domain?

Answer: 503

Task 4

Based on the high count of connection attempts, what is the name of the suspicious domain?

Answer: frostlings.bigbadstash.thm

Task 5

What is the source IP of the workstation that accessed the malicious domain?

Answer: 10.10.185.225

Task 6

How many requests were made on the malicious domain in total?

Answer: 1581

Task 7

Having retrieved the exfiltrated data, what is the hidden flag?

Answer: THM{a_gift_for_you_awesome_analyses)