In this exercise, you assume the persona of Alice Bluebird, the analyst who successfully assisted Wayne Enterprises and was recommended to Grace Hoppy at Frothly (a beer company) to assist them with their recent issues.
What Kinds of Events Do We Have?
The SPL (Splunk Search Processing Language) command metadata can be used to search for the same kind of information that is found in the Data Summary, with the bonus of being able to search within a specific index, if desired. All time values are returned as epoch timestamps, so to make the output readable the eval command should be used to provide more human-friendly formatting.
The first part is related to detecting web activity.
1. Amber Turing was hoping for Frothly to be acquired by a potential competitor which fell through, but visited their website to find contact information for their executive team. What is the website domain that she visited?
Queries for Splunk:
index="botsv2" sourcetype="pan:traffic" amber
The IP address is 10.0.2.101
Now I can query:
index="botsv2" 10.0.2.101 sourcetype="stream:HTTP"
index="botsv2" 10.0.2.101 sourcetype="stream:HTTP" | dedup site | table site
dedup removes duplicate records, so the table lists each site once.
Answer: www.berk***
2. Amber found the executive contact information and sent him an email. What image file displayed the executive’s contact information? Answer example: /path/image.ext
Query:
index="botsv2" 10.0.2.101 sourcetype="stream:HTTP" www.berkbeer.com
| table uri_path
Answer: /images/ceo***
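The pivot behind questions 1 and 2 (user name in pan:traffic gives the source IP, the HTTP stream for that IP gives the distinct sites, and narrowing to one site gives the image paths) can be reproduced outside Splunk. The Python below is an added example, not code from the original post or from Splunk; the events, IP addresses, sites and the image path in it are constructed placeholders, and search, dedup and table are small emulations of the SPL commands used in the queries above.

```python
import re

# Constructed sample events, not BOTSv2 data. Field names follow the page's
# queries (sourcetype, src_ip, site, uri_path); every value is a placeholder.
EVENTS = [
    {"sourcetype": "pan:traffic", "user": "froth\\amber", "src_ip": "10.0.2.101",
     "dest_ip": "203.0.113.10", "action": "allowed"},
    {"sourcetype": "pan:traffic", "user": "froth\\kevin", "src_ip": "10.0.2.107",
     "dest_ip": "203.0.113.20", "action": "allowed"},
    {"sourcetype": "stream:HTTP", "src_ip": "10.0.2.101", "site": "www.berkbeer.com",
     "uri_path": "/", "status": "200"},
    {"sourcetype": "stream:HTTP", "src_ip": "10.0.2.101", "site": "www.berkbeer.com",
     "uri_path": "/images/exec-photo-placeholder.jpg", "status": "200"},
    {"sourcetype": "stream:HTTP", "src_ip": "10.0.2.101", "site": "www.berkbeer.com",
     "uri_path": "/contact.html", "status": "200"},
    {"sourcetype": "stream:HTTP", "src_ip": "10.0.2.101", "site": "cdn.example.net",
     "uri_path": "/lib/jquery.js", "status": "200"},
    {"sourcetype": "stream:HTTP", "src_ip": "10.0.2.107", "site": "www.brewertalk.com",
     "uri_path": "/index.php", "status": "200"},
]


def search(events, *terms, **fields):
    """Emulate `index=botsv2 term ... field=value ...`: every free-text term
    must appear (case-insensitively) somewhere in the event, and every
    field=value pair must match exactly."""
    matches = []
    for ev in events:
        blob = " ".join(str(v) for v in ev.values()).lower()
        if all(t.lower() in blob for t in terms) and all(
            ev.get(k) == v for k, v in fields.items()
        ):
            matches.append(ev)
    return matches


def dedup(events, field):
    """Emulate `| dedup field`: keep the first event seen for each value."""
    seen, kept = set(), []
    for ev in events:
        if ev.get(field) not in seen:
            seen.add(ev.get(field))
            kept.append(ev)
    return kept


def table(events, field):
    """Emulate `| table field` for a single column."""
    return [ev.get(field) for ev in events]


def sites_visited_by(events, user):
    """Question 1 pivot: a free-text search for the user in the firewall log
    gives the source IP(s); the HTTP stream for those IPs gives the sites."""
    ips = sorted({ev["src_ip"] for ev in search(events, user, sourcetype="pan:traffic")})
    sites = []
    for ip in ips:
        http = search(events, sourcetype="stream:HTTP", src_ip=ip)
        sites.extend(table(dedup(http, "site"), "site"))
    return sites


IMAGE_EXT = re.compile(r"\.(?:png|jpe?g|gif|webp)$", re.IGNORECASE)


def image_paths(events, src_ip, site):
    """Question 2 pivot: narrow the HTTP stream to one client and one site,
    then keep only the URI paths that are image files."""
    http = search(events, site, sourcetype="stream:HTTP", src_ip=src_ip)
    return [p for p in table(http, "uri_path") if p and IMAGE_EXT.search(p)]


if __name__ == "__main__":
    print(sites_visited_by(EVENTS, "amber"))
    print(image_paths(EVENTS, "10.0.2.101", "www.berkbeer.com"))
```

The free-text term in search is matched against every field of the event, which is also why the bare term amber in the page's first query hits the firewall record: the user name is one of the indexed field values.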
3. What is the CEO’s name? Provide the first and last name.
index="botsv2" sourcetype="stream:SMTP" amber
index="botsv2" sourcetype="stream:SMTP" aturing@froth.ly
index="botsv2" sourcetype="stream:SMTP" aturing@froth.ly berkbeer
We need to check all four events to find out the CEO's name.
5. After the initial contact with the CEO, Amber contacted another employee at this competitor. What is that employee’s email address?
hbernhard@berkbeer.com – answer based on the previous screenshots
6. What is the name of the file attachment that Amber sent to a contact at the competitor?
7. What is Amber’s personal email address?
I decided to dig deeper into these events.
“VGhhbmtzIGZvciB0YWtpbmcgdGhlIHRpbWUgdG9kYXksIEFzIGRpc2N1c3NlZCBoZXJlIGlzIHRo\r\nZSBkb2N1bWVudCBJIHdhcyByZWZlcnJpbmcgdG8uICBQcm9iYWJseSBiZXR0ZXIgdG8gdGFrZSB0\r\naGlzIG9mZmxpbmUuIEVtYWlsIG1lIGZyb20gbm93IG9uIGF0IGFtYmVyc3RoZWJlc3RAeWVhc3Rp\r\nZWJlYXN0aWUuY29tPG1haWx0bzphbWJlcnN0aGViZXN0QHllYXN0aWViZWFzdGllLmNvbT4NCg0K\r\nRnJvbTogaGJlcm5oYXJkQGJlcmtiZWVyLmNvbTxtYWlsdG86aGJlcm5oYXJkQGJlcmtiZWVyLmNv\r\nbT4gW21haWx0bzpoYmVybmhhcmRAYmVya2JlZXIuY29tXQ0KU2VudDogRnJpZGF5LCBBdWd1c3Qg\r\nMTEsIDIwMTcgOTowOCBBTQ0KVG86IEFtYmVyIFR1cmluZyA8YXR1cmluZ0Bmcm90aC5seTxtYWls\r\ndG86YXR1cmluZ0Bmcm90aC5seT4+DQpTdWJqZWN0OiBIZWlueiBCZXJuaGFyZCBDb250YWN0IElu\r\nZm9ybWF0aW9uDQoNCkhlbGxvIEFtYmVyLA0KDQpHcmVhdCB0YWxraW5nIHdpdGggeW91IHRvZGF5\r\nLCBoZXJlIGlzIG15IGNvbnRhY3QgaW5mb3JtYXRpb24uIERvIHlvdSBoYXZlIGEgcGVyc29uYWwg\r\nZW1haWwgSSBjYW4gcmVhY2ggeW91IGF0IGFzIHdlbGw/DQoNClRoYW5rIFlvdQ0KDQpIZWlueiBC\r\nZXJuaGFyZA0KaGVybmhhcmRAYmVya2JlZXIuY29tPG1haWx0bzpoZXJuaGFyZEBiZXJrYmVlci5j\r\nb20+DQo4NjUuODg4Ljc1NjMNCg0K\r\n\r\n–000_SN1PR18MB058979205875E88B06061480D4960SN1PR18MB0589namp\r\n”
Base64 decoded message (decoded after dropping the literal \r\n separators between the base64 lines and the trailing MIME boundary –000_SN1PR18MB0589…, which is not base64 and garbles the output if it is fed to the decoder) shows:
Thanks for taking the time today, As discussed here is the document I was referring to.  Probably better to take this offline. Email me from now on at ambersthebest@yeastiebeastie.com<mailto:ambersthebest@yeastiebeastie.com>

From: hbernhard@berkbeer.com<mailto:hbernhard@berkbeer.com> [mailto:hbernhard@berkbeer.com]
Sent: Friday, August 11, 2017 9:08 AM
To: Amber Turing <aturing@froth.ly<mailto:aturing@froth.ly>>
Subject: Heinz Bernhard Contact Information

Hello Amber,

Great talking with you today, here is my contact information. Do you have a personal email I can reach you at as well?

Thank You

Heinz Bernhard
hernhard@berkbeer.com<mailto:hernhard@berkbeer.com>
865.888.7563
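Why a naive decode of this field goes wrong, and how to do it cleanly: the field as Splunk displays it contains the text \r\n (a backslash, r, backslash, n) between the base64 lines and ends with the MIME part boundary, and neither of those is base64. The Python below is an added example, not code from the original post; it takes the base64 part exactly as shown on this page, keeps only the lines that are pure base64, decodes them, and pulls out the distinct email addresses, which is the information questions 5 and 7 ask for. The function and variable names are my own.

```python
import base64
import re

# The base64 MIME part exactly as the page's Splunk field shows it: the text
# \r\n (not a real line break) separates the base64 lines, and the part
# boundary "–000_..." follows the data. Raw string literals keep the
# backslashes as literal characters, as they are in the field.
RAW_PART = (
    r"VGhhbmtzIGZvciB0YWtpbmcgdGhlIHRpbWUgdG9kYXksIEFzIGRpc2N1c3NlZCBoZXJlIGlzIHRo\r\n"
    r"ZSBkb2N1bWVudCBJIHdhcyByZWZlcnJpbmcgdG8uICBQcm9iYWJseSBiZXR0ZXIgdG8gdGFrZSB0\r\n"
    r"aGlzIG9mZmxpbmUuIEVtYWlsIG1lIGZyb20gbm93IG9uIGF0IGFtYmVyc3RoZWJlc3RAeWVhc3Rp\r\n"
    r"ZWJlYXN0aWUuY29tPG1haWx0bzphbWJlcnN0aGViZXN0QHllYXN0aWViZWFzdGllLmNvbT4NCg0K\r\n"
    r"RnJvbTogaGJlcm5oYXJkQGJlcmtiZWVyLmNvbTxtYWlsdG86aGJlcm5oYXJkQGJlcmtiZWVyLmNv\r\n"
    r"bT4gW21haWx0bzpoYmVybmhhcmRAYmVya2JlZXIuY29tXQ0KU2VudDogRnJpZGF5LCBBdWd1c3Qg\r\n"
    r"MTEsIDIwMTcgOTowOCBBTQ0KVG86IEFtYmVyIFR1cmluZyA8YXR1cmluZ0Bmcm90aC5seTxtYWls\r\n"
    r"dG86YXR1cmluZ0Bmcm90aC5seT4+DQpTdWJqZWN0OiBIZWlueiBCZXJuaGFyZCBDb250YWN0IElu\r\n"
    r"Zm9ybWF0aW9uDQoNCkhlbGxvIEFtYmVyLA0KDQpHcmVhdCB0YWxraW5nIHdpdGggeW91IHRvZGF5\r\n"
    r"LCBoZXJlIGlzIG15IGNvbnRhY3QgaW5mb3JtYXRpb24uIERvIHlvdSBoYXZlIGEgcGVyc29uYWwg\r\n"
    r"ZW1haWwgSSBjYW4gcmVhY2ggeW91IGF0IGFzIHdlbGw/DQoNClRoYW5rIFlvdQ0KDQpIZWlueiBC\r\n"
    r"ZXJuaGFyZA0KaGVybmhhcmRAYmVya2JlZXIuY29tPG1haWx0bzpoZXJuaGFyZEBiZXJrYmVlci5j\r\n"
    r"b20+DQo4NjUuODg4Ljc1NjMNCg0K\r\n\r\n"
    r"–000_SN1PR18MB058979205875E88B06061480D4960SN1PR18MB0589namp\r\n"
)

# A line is base64 data only if it consists of alphabet characters plus
# optional '=' padding; blank lines and the MIME boundary fail this test.
_B64_LINE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def base64_lines(raw: str):
    # Split on the literal backslash-r-backslash-n text as well as on real
    # line breaks, then keep only the pure base64 lines.
    pieces = re.split(r"\\r\\n|\r\n|\n", raw)
    return [p.strip() for p in pieces if _B64_LINE.match(p.strip())]


def decode_part(raw: str) -> str:
    """Join the base64 lines, restore any missing '=' padding, and decode."""
    joined = "".join(base64_lines(raw))
    joined += "=" * (-len(joined) % 4)
    return base64.b64decode(joined).decode("utf-8", errors="replace")


EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def email_addresses(text: str):
    """Distinct addresses in the decoded body, in order of first appearance."""
    return list(dict.fromkeys(EMAIL_RE.findall(text)))


if __name__ == "__main__":
    body = decode_part(RAW_PART)
    print(body)
    print(email_addresses(body))
```

Filtering by line rather than stripping characters matters: simply deleting every non-base64 character would keep the r and n of each \r\n and shift the whole stream, which is exactly the kind of garbage a naive decode of this field produces.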
I continued decoding the next messages:
The second part of the questions is related to detecting SQL injection and XSS.
1. What version of TOR Browser did Amber install to obfuscate her web browsing? Answer guidance: Numeric with one or more delimiter.
2. What is the public IPv4 address of the server running www.brewertalk.com?
3. Provide the IP address of the system used to run a web vulnerability scan against www.brewertalk.com.
4. The IP address from Q#2 is also being used by a likely different piece of software to attack a URI path. What is the URI path? Answer guidance: Include the leading forward slash in your answer. Do not include the query string or other parts of the URI. Answer example: /phpinfo.php
index="botsv2" brewertalk.com src_ip="45.77.65.211"
5. What SQL function is being abused on the URI path from the previous question?
index="botsv2" brewertalk.com src_ip="45.77.65.211" uri_path="/member.php"
6. What was the value of the cookie that Kevin’s browser transmitted to the malicious URL as part of an XSS attack? Answer guidance: All digits. Not the cookie name or symbols like an equal sign.
index="botsv2" kevin cookie
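The two checks behind questions 5 and 6 (which SQL function is called in the query string sent to a URI path, and whether a cookie value the browser holds for one site shows up in a request to a different site) can be run as plain log triage once the events are exported. The Python below is an added example, not code from the original post or from the BOTSv2 data set; the events, IP addresses, the host collector.example.invalid, the cookie name session and its digits are constructed placeholders, and the list of SQL functions is a generic defender's watch list, not the answer to question 5.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus, urlsplit

# Constructed stream:HTTP-style events, not BOTSv2 data. The IPs, the cookie
# name "session" with its digits, and the host collector.example.invalid are
# placeholders for this example.
EVENTS = [
    {"src_ip": "198.51.100.7", "site": "www.brewertalk.com",
     "uri": "/member.php?action=register&uid=1%20AND%20(SELECT%20sleep(5))", "cookie": ""},
    {"src_ip": "198.51.100.7", "site": "www.brewertalk.com",
     "uri": "/member.php?uid=1%20OR%20benchmark(1000000,version())", "cookie": ""},
    {"src_ip": "198.51.100.7", "site": "www.brewertalk.com",
     "uri": "/index.php", "cookie": ""},
    {"src_ip": "10.0.2.107", "site": "www.brewertalk.com",
     "uri": "/index.php?q=tasting%20notes", "cookie": "session=4242424242"},
    # The victim's browser, steered by a script injected into the forum page,
    # sends its cookie value to a host that is not the forum.
    {"src_ip": "10.0.2.107", "site": "collector.example.invalid",
     "uri": "/c.gif?c=session%3D4242424242", "cookie": ""},
]

# Generic watch list of SQL functions that appear in injection probes
# (time delays, error-based extraction, file reads).
SQL_FUNCS = ("sleep", "benchmark", "version", "load_file",
             "extractvalue", "updatexml", "concat")
SQL_FUNC_RE = re.compile(r"\b(" + "|".join(SQL_FUNCS) + r")\s*\(", re.IGNORECASE)


def sql_function_calls(uri: str):
    """SQL function names called in the query string of one URI. The query is
    URL-decoded twice so single- and double-encoded payloads are both seen."""
    query = unquote_plus(unquote_plus(urlsplit(uri).query))
    return sorted({m.group(1).lower() for m in SQL_FUNC_RE.finditer(query)})


def sqli_by_source(events):
    """Group abused functions by (src_ip, uri_path), the same narrowing the
    page does with src_ip=... uri_path="/member.php"."""
    hits = defaultdict(set)
    for ev in events:
        funcs = sql_function_calls(ev["uri"])
        if funcs:
            hits[(ev["src_ip"], urlsplit(ev["uri"]).path)].update(funcs)
    return {key: sorted(funcs) for key, funcs in hits.items()}


def cookie_leaks(events):
    """XSS cookie-theft check: remember every cookie value each client sent to
    each site, then flag requests to a different site whose query string
    carries one of those values."""
    known = defaultdict(dict)  # src_ip -> {cookie value: site it belongs to}
    for ev in events:
        for pair in ev["cookie"].split(";"):
            if "=" in pair:
                _, value = (part.strip() for part in pair.split("=", 1))
                if value:
                    known[ev["src_ip"]][value] = ev["site"]
    leaks = []
    for ev in events:
        query = unquote_plus(urlsplit(ev["uri"]).query)
        for value, origin in known[ev["src_ip"]].items():
            if value in query and ev["site"] != origin:
                leaks.append({"src_ip": ev["src_ip"], "from": origin,
                              "to": ev["site"], "cookie_value": value})
    return leaks


if __name__ == "__main__":
    print(sqli_by_source(EVENTS))
    print(cookie_leaks(EVENTS))
```

cookie_leaks reports the bare cookie value, which matches the answer format question 6 asks for (digits only, no cookie name or equals sign); in Splunk the equivalent is a search on the victim's client for requests whose uri_query contains the cookie value and whose site is not the forum.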
7. What brewertalk.com username was maliciously created by a spear phishing attack?
The 300-series and 400-series questions are pretty similar to the previous questions and answers. All you have to do is choose the correct query, dig into the logs, refine the query, and find the answer.