ItsyBitsy THM writeup

Mahmoud Elfawair
3 min read · Jan 26, 2024


Put your ELK knowledge together and investigate an incident.

Hello! In the introduction, the room announces that there is an alert from the Intrusion Detection System (IDS) regarding potential C2 communication.

From the scenario you understand that an analyst called John observed an alert on an IDS solution indicating suspicious activity from a user called Browne in the HR department, and that a malicious file containing THM{____} (obviously the flag) was accessed. A week of HTTP connection logs has been pulled for the investigation, and the logs are ingested into an index called connection_logs in Kibana.

Let's start.

1. How many events were returned for the month of March 2022?

I used the time filter to filter for March 2022, and this was the number of hits:

You can see it is 1482.

2. What is the IP associated with the suspected user in the logs?

There are two IPs.

To be honest, I searched for the user Browne and found nothing. I thought it would lead me to the suspicious IP, so I then searched for THM as a literal string. I tried to find a reason to select one IP over the other, but there is none; that is why I tried them both, and the second one worked.

The IP is 192.166.65.54.

3. The user's machine used a legitimate Windows binary to download a file from the C2 server. What is the name of the binary?

Now that we know the IP address, we can filter the hits (documents) by that IP. Luckily for us, there are only two documents.

Click the plus button next to the IP value to filter on it.

The question is asking about the user's machine, so we must look at the user_agent field.

It is called bitsadmin.

4. The infected machine connected with a famous filesharing site in this period, which also acts as a C2 server used by the malware authors to communicate. What is the name of the filesharing site?

I looked at the host field, because the question asks for the site the machine connected to.

The site is pastebin.com.

5. What is the full URL of the C2 to which the infected host is connected?

Now that we know the domain name, we just need to look at the URI field.

The URI is /yTg0Ah6a, so the full URL is pastebin.com/yTg0Ah6a.

6. A file was accessed on the filesharing site. What is the name of the file accessed?

To get the name of the file (and the file itself), we need to visit the URL.

You can see that the name of the file is secret.txt, and the flag is in the text section: THM{SECRET_CODE}
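To make the pivots above repeatable outside Kibana, here is an added Python example (not part of the original writeup) that runs the same filters over constructed documents shaped like the connection_logs index, and adds a simple detection for the pattern the investigation found: a legitimate Windows download binary fetching from a file-sharing host. The field names, the sample documents and the host/binary lists are assumptions; only the IP, user agent, host and URI reported in the writeup are taken from it.

```python
from datetime import datetime, timezone

# Constructed sample documents modelled on the fields the writeup pivots on.
# Only the IP, user agent, host and URI reported in the writeup are real;
# timestamps, the other IP and the other hosts are invented for this example.
SAMPLE_DOCS = [
    {"@timestamp": "2022-03-10T09:12:01Z", "source_ip": "192.166.65.52",
     "user_agent": "Mozilla/5.0", "host": "example.com", "uri": "/index.html"},
    {"@timestamp": "2022-03-11T14:03:44Z", "source_ip": "192.166.65.54",
     "user_agent": "bitsadmin", "host": "pastebin.com", "uri": "/yTg0Ah6a"},
    {"@timestamp": "2022-03-11T14:04:10Z", "source_ip": "192.166.65.54",
     "user_agent": "Mozilla/5.0", "host": "example.com", "uri": "/"},
    {"@timestamp": "2022-04-01T08:00:00Z", "source_ip": "192.166.65.52",
     "user_agent": "Mozilla/5.0", "host": "example.com", "uri": "/"},
]

# Assumed lists: file-sharing hosts that double as C2 drops in the scenario,
# and user-agent substrings of legitimate Windows download binaries.
FILESHARING_HOSTS = {"pastebin.com"}
DOWNLOAD_BINARIES = {"bitsadmin"}


def parse_ts(doc):
    """Parse the ISO-8601 @timestamp into an aware UTC datetime."""
    return datetime.strptime(doc["@timestamp"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def events_in_month(docs, year, month):
    """Q1: the Kibana time-picker filter, as a list comprehension."""
    return [d for d in docs if (parse_ts(d).year, parse_ts(d).month) == (year, month)]


def filter_by_ip(docs, ip):
    """Q3: the '+' filter on the source IP."""
    return [d for d in docs if d["source_ip"] == ip]


def c2_url(doc):
    """Q5: host + URI, the way the writeup assembles the full URL."""
    return doc["host"] + doc["uri"]


def detect_lolbin_to_filesharing(docs):
    """Detection: a Windows download binary fetching from a file-sharing host.
    Returns (source_ip, user_agent, full_url) tuples for an analyst to triage."""
    hits = []
    for d in docs:
        ua = d["user_agent"].lower()
        if any(b in ua for b in DOWNLOAD_BINARIES) and d["host"] in FILESHARING_HOSTS:
            hits.append((d["source_ip"], d["user_agent"], c2_url(d)))
    return hits
```

Run against the sample data, the detection returns the single pastebin.com/yTg0Ah6a fetch by 192.166.65.54, which is exactly the document the manual pivots in this writeup end on.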

That is it, guys. Thanks for reading!

Written by Mahmoud Elfawair, reverse engineering and Linux enthusiast.