[Day 7] Log analysis ‘Tis the season for log chopping!
How many unique IP addresses are connected to the proxy server?
cut -d ' ' -f2 access.log | sort | uniq | wc -l
> 9
How many unique domains were accessed by all workstations?
cut -d ' ' -f3 access.log | cut -d ':' -f1 | sort | uniq | wc -l
> 111
What status code is generated by the HTTP requests to the least accessed domain?
503
Based on the high count of connection attempts, what is the name of the suspicious domain?
frostlings.bigbadstash.thm
What is the source IP of the workstation that accessed the malicious domain?
grep -F "frostlings.bigbadstash.thm" access.log | cut -d ' ' -f2 | sort -u
> 10.10.185.225
How many requests were made on the malicious domain in total?
grep -cF "frostlings.bigbadstash.thm" access.log
> 1581
Having retrieved the exfiltrated data, what is the hidden flag?
grep -F "frostlings.bigbadstash.thm" access.log | cut -d '=' -f2 | cut -d ' ' -f1 > flag.txt && base64 -d flag.txt | grep THM
> THM{a_gift_for_you_awesome_analyst!}
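The one-liners above answer each question separately. As an added example (not part of the room or this writeup), the script below wraps the same cut/sort/uniq/grep/base64 steps in reusable shell functions and runs them against a constructed proxy log. The log format, the `data=` query parameter carrying the base64 chunks, and every IP, domain and flag value in it are assumptions made for the example; only the field positions (timestamp, source IP, domain:port) mirror what the cut commands above rely on.

```shell
#!/bin/sh
# Added example: a reusable version of the Day 7 pipeline, run against a
# constructed log. Assumed line format (matches the field positions the
# cut commands above rely on; not the room's real file):
#   <timestamp> <src_ip> <domain:port> <method> <path> <status> <bytes>

# Question 1: distinct source IPs talking to the proxy (field 2).
unique_ips() { cut -d ' ' -f2 "$1" | sort -u | wc -l | tr -d ' '; }

# Question 2: distinct domains (field 3, port stripped).
unique_domains() { cut -d ' ' -f3 "$1" | cut -d ':' -f1 | sort -u | wc -l | tr -d ' '; }

# Request count per domain, ascending: rarest domain first, noisiest last.
domain_counts() { cut -d ' ' -f3 "$1" | cut -d ':' -f1 | sort | uniq -c | sort -n; }
least_accessed_domain() { domain_counts "$1" | head -n 1 | awk '{print $2}'; }
most_accessed_domain()  { domain_counts "$1" | tail -n 1 | awk '{print $2}'; }

# Lines for one domain: anchor on " domain:" so "bad.thm" does not match "notbad.thm".
domain_lines() { grep -F " $2:" "$1"; }

# Question 3: status codes returned for a domain (field 6), deduplicated.
status_for_domain() { domain_lines "$1" "$2" | cut -d ' ' -f6 | sort -u; }

# Question 5: workstations that talked to a domain. sort -u rather than bare
# uniq, because uniq only collapses adjacent duplicates.
source_ips_for_domain() { domain_lines "$1" "$2" | cut -d ' ' -f2 | sort -u; }

# Question 6: total requests to a domain.
request_count_for_domain() { domain_lines "$1" "$2" | wc -l | tr -d ' '; }

# Question 7: reassemble base64 chunks carried in a query parameter and look
# for the flag. The parameter name "data" is an assumption of this example.
exfil_flag() {
  domain_lines "$1" "$2" | cut -d ' ' -f5 | sed -n 's/.*?data=//p' \
    | tr -d '\n' | base64 -d | grep -o 'THM{[^}]*}'
}

# ---- constructed sample log (every value below is made up) -----------------
LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
2023-12-07T09:00:01 10.10.140.96 northpole.thm:443 GET / 200 512
2023-12-07T09:00:02 10.10.140.96 northpole.thm:443 GET /wishlist 200 873
2023-12-07T09:00:03 10.10.22.11 sleigh-tracker.thm:443 GET /status 200 301
2023-12-07T09:00:04 10.10.22.11 sleigh-tracker.thm:443 GET /map 200 2048
2023-12-07T09:00:05 10.10.185.225 northpole.thm:443 GET / 200 512
2023-12-07T09:00:06 10.10.9.5 cookie-recipes.thm:80 GET /gingerbread 503 0
EOF

# One workstation leaks a small CSV, 8 base64 characters per request, so no
# single line looks like much; only the reassembled stream reveals the flag.
payload=$(printf 'nice-list,status\nsanta,THM{constructed_example_flag}\n' | base64 | tr -d '\n')
i=0
while [ -n "$payload" ]; do
  chunk=$(printf '%s' "$payload" | cut -c1-8)
  payload=$(printf '%s' "$payload" | cut -c9-)
  i=$((i + 1))
  printf '2023-12-07T09:01:%02d 10.10.185.225 frostlings.bigbadstash.thm:443 GET /?data=%s 200 0\n' \
    "$i" "$chunk" >> "$LOG"
done

# ---- report ----------------------------------------------------------------
noisy=$(most_accessed_domain "$LOG")
quiet=$(least_accessed_domain "$LOG")
printf 'Unique IPs:      %s\n' "$(unique_ips "$LOG")"
printf 'Unique domains:  %s\n' "$(unique_domains "$LOG")"
printf 'Least accessed:  %s (status %s)\n' "$quiet" "$(status_for_domain "$LOG" "$quiet")"
printf 'Most accessed:   %s\n' "$noisy"
printf 'Source IP(s):    %s\n' "$(source_ips_for_domain "$LOG" "$noisy")"
printf 'Requests to it:  %s\n' "$(request_count_for_domain "$LOG" "$noisy")"
printf 'Recovered flag:  %s\n' "$(exfil_flag "$LOG" "$noisy")"
```

Two points worth carrying over to the real log: `uniq` without a preceding `sort` only removes adjacent duplicates, so an IP that appears, disappears and comes back would be counted twice; and the base64 decode only works once every chunk has been concatenated in request order, which is why the sample exfiltration is split across many small requests before decoding.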