TryHackMe: Advent of Cyber 2023 (Day 7) ’Tis the season for log chopping!

Samantha
3 min read · Dec 16, 2023


“To take revenge for the company demoting him to regional manager during the acquisition, Tracy McGreedy installed the CrypTOYminer, a malware he downloaded from the dark web, on all workstations and servers. Even more worrying and unknown to McGreedy, this malware includes a data-stealing functionality, which the malware author benefits from!

The malware has been executed, and now, a lot of unusual traffic is being generated. What’s more, a large bandwidth of data is seen to be leaving the network.

Forensic McBlue assembles a team to analyse the proxy logs and understand the suspicious network traffic.”

Q1: How many unique IP addresses are connected to the proxy server?

Q2: How many unique domains were accessed by all workstations?

Q3: What status code is generated by the HTTP requests to the least accessed domain?

I modified my last command to actually list out all the domains with access counts and saw that “partnerservices.getmicrosoftkey.com” is the least accessed domain with only 78.

Side note: I do see a pretty sketchy-looking site near the bottom with the most visited URLs, here:

Anyways, looks like 503 is the most common status code.

Q4: Based on the high count of connection attempts, what is the name of the suspicious domain?

This is that weird domain we saw earlier.

Q5: What is the source IP of the workstation that accessed the malicious domain?

Q6: How many requests were made on the malicious domain in total?

Q7: Having retrieved the exfiltrated data, what is the hidden flag?

Looks like there are numerous little Base64-encoded strings. You can further cut these out.

Keep in mind that these are only the first 5 of them, but there are many more. You can decode them all like this:

If you look through them all you will eventually see a flag.
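Because the commands and their output in this writeup live in screenshots, here is a shell script, added as an example and not the author's or the room's own commands, that answers the same seven questions against a small constructed proxy log. The field layout (timestamp, source IP, host:port, request, status, bytes), the placeholder exfiltration domain stash.example.thm and the goodies= query parameter are assumptions; the Base64 chunks only decode to the flag once they are joined in log order.

```shell
#!/bin/sh
# Added example, not the room's log or the author's commands. The lines are
# constructed; the field layout (timestamp, source IP, host:port, request,
# status, bytes) and the "goodies=" query parameter are assumptions.
LOG='[2023/10/25:15:42:02] 10.10.140.96 flow.microsoft.com:443 "CONNECT flow.microsoft.com:443 HTTP/1.1" 200 4812
[2023/10/25:15:42:05] 10.10.185.225 flow.microsoft.com:443 "CONNECT flow.microsoft.com:443 HTTP/1.1" 200 3311
[2023/10/25:15:42:07] 10.10.185.225 partnerservices.getmicrosoftkey.com:443 "CONNECT partnerservices.getmicrosoftkey.com:443 HTTP/1.1" 503 981
[2023/10/25:15:42:09] 10.10.140.96 stash.example.thm:80 "GET http://stash.example.thm/?goodies=VEhNe2Zh HTTP/1.1" 200 78
[2023/10/25:15:42:10] 10.10.158.38 update.microsoft.com:443 "CONNECT update.microsoft.com:443 HTTP/1.1" 200 1200
[2023/10/25:15:42:11] 10.10.140.96 stash.example.thm:80 "GET http://stash.example.thm/?goodies=bGxfb2Zf HTTP/1.1" 200 78
[2023/10/25:15:42:13] 10.10.158.38 update.microsoft.com:443 "CONNECT update.microsoft.com:443 HTTP/1.1" 200 1188
[2023/10/25:15:42:14] 10.10.140.96 stash.example.thm:80 "GET http://stash.example.thm/?goodies=dGhlX3By HTTP/1.1" 200 78
[2023/10/25:15:42:16] 10.10.140.96 stash.example.thm:80 "GET http://stash.example.thm/?goodies=b3h5fQ== HTTP/1.1" 200 78'

log() { printf '%s\n' "$LOG"; }

# Q1: distinct source IPs (field 2)
unique_ips() { log | cut -d' ' -f2 | sort -u | wc -l | tr -d ' '; }
# Q2: distinct destination domains (field 3 with the port stripped)
unique_domains() { log | cut -d' ' -f3 | cut -d: -f1 | sort -u | wc -l | tr -d ' '; }
# "count domain" per line, least accessed first
domain_counts() { log | cut -d' ' -f3 | cut -d: -f1 | sort | uniq -c | sort -n | awk '{print $1, $2}'; }

# Q3: most frequent status code for the least accessed domain
least_accessed_status() {
  d=$(domain_counts | head -n 1 | cut -d' ' -f2)
  log | grep -F " $d:" | awk '{print $(NF-1)}' | sort | uniq -c | sort -rn | head -n 1 | awk '{print $2}'
}

# Q4: the domain with the highest connection count
top_domain() { domain_counts | tail -n 1 | cut -d' ' -f2; }
# Q5: workstation(s) that talked to a given domain
source_ips_for() { log | grep -F " $1:" | cut -d' ' -f2 | sort -u; }
# Q6: total requests to a given domain (counts lines, so -F avoids regex surprises)
request_count() { log | grep -Fc " $1:"; }

# Q7: pull each Base64 chunk out of the query string, decode in log order,
# and join them; the flag only appears once all chunks are concatenated
decode_exfil() {
  log | grep -F " $1:" | grep -o 'goodies=[A-Za-z0-9+/=]*' | cut -d= -f2- |
    while read -r chunk; do printf '%s' "$chunk" | base64 -d; done
  echo
}

echo "suspicious domain: $(top_domain)"
echo "exfiltrated data: $(decode_exfil "$(top_domain)")"
```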
