TryHackMe: Advent of Cyber 2022 (Day 2) Santa’s Naughty & Nice Log

3 min read · Dec 7, 2022

“Santa’s Security Operations Center (SSOC) has noticed one of their web servers has been hijacked by the Bandit Yeti APT group. Elf McBlue’s task is to analyse the log files captured from the web server to understand what is happening and track down the Bandit Yeti APT group.”

Just a side note here, the Attack Box they provide for use with this room is adorable. See how the elves have either red or blue outfits on to show if they are on the red or blue team, lol:

Question #1: Use the ls command to list the files present in the current directory. How many log files are present?

I started by using ssh to connect to the web server:

From there you just need to use the ls command to see two log files:


Question #2: Elf McSkidy managed to capture the logs generated by the web server. What is the name of this log file?

In this screenshot we can see the answer:


Question #3: On what day was Santa's naughty and nice list stolen?

From here we begin digging into the log file. I opened it up and right away I could see that someone was using Gobuster to scan for directories on the webserver.

Anyways, the log file is pretty big, so that’s where grep comes in handy. I searched for “naughty” in the webserver log:

Here you can see that James is apparently on the naughty list? But that request returned a 404 error, so it’s not necessarily something that was on the webserver.

Anyway, all of the entries here happened on November 18th, 2022, which was a Friday.


Question #4: What is the IP Address of the attacker?

You can see the IP address just by using cat on the file, on the very left of every entry:

Question #5: What is the name of the important list that the attacker stole from Santa?

When I searched for “list” there were still a lot of entries:

Searching for “.txt” reduced the results somewhat:

If you look through those results you can see that the attacker was able to retrieve “santaslist.txt” from the server (notice the 200 response code, rather than the 404s on the guessed paths).


Question #6: Look through the log files for the flag. The format of the flag is: THM{}

I figured I could just search for “THM”, but that didn’t work:

That is until I searched in the other log:
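The whole grep-based triage from questions 3 through 6 (find the activity date, the noisiest source IP, the .txt file that was actually served with a 200 rather than a 404, and the THM{} flag that lives in the other log) can be scripted. The block below is an added example, not code from the room or from the original post: it runs against a constructed access log in Apache combined format plus a constructed second log, and every IP address, timestamp, byte count and the flag value are made up for illustration. Only the file name santaslist.txt comes from the writeup.

```shell
#!/bin/sh
# Added example (not from the room or the original post). The two log files
# below are constructed; IPs, timestamps, byte counts and the flag are made up.

LOG="$(mktemp)"
LOG2="$(mktemp)"
trap 'rm -f "$LOG" "$LOG2"' EXIT

# Constructed web-server log (Apache combined format): one scanner IP that
# guesses paths with Gobuster and one ordinary visitor.
cat > "$LOG" <<'EOF'
10.10.10.5 - - [18/Nov/2022:09:01:12 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.10.10.5 - - [18/Nov/2022:09:01:13 +0000] "GET /admin HTTP/1.1" 404 196 "-" "gobuster/3.1.0"
10.10.10.5 - - [18/Nov/2022:09:01:13 +0000] "GET /naughty.txt HTTP/1.1" 404 196 "-" "gobuster/3.1.0"
10.10.10.5 - - [18/Nov/2022:09:01:14 +0000] "GET /santaslist.txt HTTP/1.1" 200 1337 "-" "gobuster/3.1.0"
10.10.10.5 - - [18/Nov/2022:09:01:15 +0000] "GET /nice.txt HTTP/1.1" 404 196 "-" "gobuster/3.1.0"
10.10.10.7 - - [18/Nov/2022:09:05:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
EOF

# Constructed second log (syslog style) that holds a placeholder flag.
cat > "$LOG2" <<'EOF'
Nov 18 09:10:01 webserver sshd[1234]: Accepted password for elf from 10.10.10.5 port 40100 ssh2
Nov 18 09:10:02 webserver app[1]: flag=THM{constructed_placeholder}
EOF

# Q3-style: which dates appear in the log? Field 4 is "[dd/Mon/yyyy:HH:MM:SS",
# so characters 2..12 are the date.
activity_dates() {
    awk '{ print substr($4, 2, 11) }' "$1" | sort -u
}

# Q4-style: which source address produced the most requests?
noisiest_ip() {
    awk '{ count[$1]++ } END { for (ip in count) print count[ip], ip }' "$1" \
        | sort -rn | head -n 1 | awk '{ print $2 }'
}

# Q5-style: which .txt paths were actually served (status 200, field 9)
# instead of merely guessed (404)?
served_txt() {
    awk '$9 == 200 && $7 ~ /\.txt$/ { print $7 }' "$1"
}

# Scanner signature: how many 404 responses did one IP generate?
not_found_count() {
    awk -v ip="$2" '$1 == ip && $9 == 404 { n++ } END { print n + 0 }' "$1"
}

# Q6-style: search every log given for a THM{...} flag, whichever file has it.
find_flag() {
    grep -ho 'THM{[^}]*}' "$@" | head -n 1
}

echo "Activity dates:    $(activity_dates "$LOG")"
echo "Noisiest IP:       $(noisiest_ip "$LOG")"
echo "Served .txt files: $(served_txt "$LOG")"
echo "404s from scanner: $(not_found_count "$LOG" "$(noisiest_ip "$LOG")")"
echo "Flag:              $(find_flag "$LOG" "$LOG2")"
```

Each function takes the log path as its first argument, so the same lines work on the real files by swapping in their paths; the status-code filter in served_txt is the part that separates what the scanner actually got from the noise of everything it tried.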
