Welcome back to the continuation of the NCL Preseason Posts! Today we will be covering the Log Analysis portion of the NCL Preseason game. If you don’t know what the NCL is, or what these posts are about, then I suggest you go back and read my Introduction Post which can be found here!

Also, if you missed my previous Cryptography write-up for the preseason, you can find that here.

Just a fair warning that this post will be fairly long - so let’s strap in, and get to it!

History:

For this challenge we are provided the following file: NCL-2016-Pre-Firefox.sqlite

You must download the file and open it up in a SQL database to solve the challenge. I used the SQLite Viewer online to access this information.

Once you have the SQL Database uploaded you will be presented with a page like so.

Once you are there, we need to navigate to the user's browser history, so we select moz_places from the dropdown.

You will be presented with the screen below. From there we can start looking for the answers to our questions.

1. What did the user search for on craigslist?

Looking for “craigslist” in the url column, we see that line 244 provides the answer.

Answer: bitcoin

2. What was the current price of bitcoin when the user was browsing?

All we have to look for here is a price in dollars. Line 246 will provide us that answer.

Answer: 239.5

3. What Bitcoin exchange did the user log in to?

The keyword here is “exchange”, so we are looking for a site where you can buy and sell Bitcoin, which is in line 250.

Answer: coinbase

4. What is the email that was used to log into the exchange?

Since we don’t see any login data - let’s look for known emails. Line 268 shows us that he is logging into a gmail account. We can assume that he is using this to verify his bitcoin exchange.

Answer: b1gbird@gmail.com

5. What was the ID of the Bitcoin transaction that the user looked at?

The keyword here is “transaction”, so let’s just look for that in the title - line 292 provides the answer.

Answer: 5274cfba585a4b5681527a37f95c76340428916bb7480cef6c545f0a28dcd2d7

6. What was the total value of all the inputs of the Bitcoin transaction?

For this one, we have to grab and navigate to the URL from our previous answer in line 292.

Our answer will be in the Inputs and Outputs section of the website.

Answer: 0.22616302

7. To which IP address did the majority of the Bitcoins in the transaction go?

For this one - back at the website - just click Visualize and you will be redirected to a map-like page. Click the first transaction up top and you will get the IP address.

Answer: 176.223.201.198
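The same keyword hunt through moz_places can be done with a query instead of scrolling a viewer. This is an added example, not part of the original post: it builds an in-memory stand-in for the challenge database with constructed rows and only the moz_places columns it uses, pulls the search term out of the URL's query string, and converts last_visit_date, which Firefox stores as PRTime (microseconds since the Unix epoch); open_history is a hypothetical helper for a real copy of places.sqlite.

```python
import sqlite3
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

def open_history(path):
    """Open a places.sqlite copy read-only (hypothetical path). The live profile file is
    locked by a running Firefox, so always work from a copy, as the challenge file is."""
    return sqlite3.connect(f'file:{path}?mode=ro', uri=True)

def constructed_history():
    """In-memory stand-in for the challenge database: only the moz_places columns used
    below, filled with constructed rows (not the real challenge contents)."""
    conn = sqlite3.connect(':memory:')
    conn.execute('CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT, '
                 'visit_count INTEGER, last_visit_date INTEGER)')
    conn.executemany(
        'INSERT INTO moz_places (url, title, visit_count, last_visit_date) VALUES (?,?,?,?)',
        [('https://sfbay.craigslist.org/search/sss?query=bitcoin',
          'SF bay area for sale - craigslist', 1, 1443678490000000),
         ('https://www.coinbase.com/signin', 'Coinbase - Sign In', 2, 1443678530000000),
         ('https://mail.google.com/mail/u/0/#inbox', 'Inbox - user@example.com - Gmail', 3,
          1443678590000000)])
    return conn

def search_history(conn, keyword):
    """Rows whose URL or title contains keyword, newest first. last_visit_date is PRTime:
    microseconds since the Unix epoch, so divide by 1e6 before converting."""
    cur = conn.execute(
        'SELECT url, title, visit_count, last_visit_date FROM moz_places '
        'WHERE url LIKE ? OR title LIKE ? ORDER BY last_visit_date DESC',
        (f'%{keyword}%', f'%{keyword}%'))
    return [{'url': url, 'title': title, 'visits': visits,
             'last_visit': datetime.fromtimestamp(us / 1e6, tz=timezone.utc) if us else None}
            for url, title, visits, us in cur]

def search_param(url, name):
    """One query-string parameter, e.g. the 'query' a craigslist search page was loaded with."""
    return parse_qs(urlsplit(url).query).get(name, [None])[0]

if __name__ == '__main__':
    db = constructed_history()
    for hit in search_history(db, 'craigslist'):
        print(hit['last_visit'], hit['url'], '->', search_param(hit['url'], 'query'))
```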

Nginx:

For this challenge we are provided the following file: NCL-2016-Pre-access.log

All of my work on this log was done with the Linux CLI.

1. How many different IP addresses reached the server?

root@kali:~# cat NCL-2016-Pre-access.log | cut -d' ' -f 1 | sort | uniq -c | wc -l
47

Answer: 47

2. How many requests yielded a 200 HTTP status?

root@kali:~# cat NCL-2016-Pre-access.log | grep '" 200' | wc -l
19

Answer: 19

3. How many requests yielded a 400 HTTP status?

root@kali:~# cat NCL-2016-Pre-access.log | grep '" 400' | wc -l
38

Answer: 38

4. What IP address rang at the doorbell?

root@kali:~# cat NCL-2016-Pre-access.log | grep "bell" | cut -d' ' -f 1
186.64.69.141

Answer: 186.64.69.141

5. What version of the Googlebot visited the website?

root@kali:~# cat NCL-2016-Pre-access.log | grep "Googlebot"
66.249.67.130 - - [01/Oct/2015:03:08:10 -0400] "GET /robots.txt HTTP/1.1" 502 166 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
---snip---

Answer: 2.1

6. Which IP address attempted to exploit the shellshock vulnerability?

root@kali:~# cat NCL-2016-Pre-access.log | grep "/bin/bash" | cut -d' ' -f 1
61.161.130.241

Answer: 61.161.130.241

7. What was the most popular version of Firefox used for browsing the website?

root@kali:~# cat NCL-2016-Pre-access.log | grep "Firefox" | cut -d' ' -f 18 | sort | uniq -c 
      4 en-US;
      9 Firefox/31.0"
      1 Gecko/20100101
      2 rv:30.N)

Answer: 31

8. What is the most common HTTP method used?

root@kali:~# cat NCL-2016-Pre-access.log | cut -d' ' -f 6 | sort | uniq -c
      6 ""
     15 "CONNECT
     60 "GET
      1 "HEAD
      1 "POST
      1 "quit"
      4 "\x00"
      1 "\x04\x01\x00P\xC0c\xF660\x00"
      6 "\x04\x01\x00P\xC6\xCE\x0Eu0\x00"
      4 "\x05\x01\x00"

Answer: GET

9. What is the second most common HTTP method used?

root@kali:~# cat NCL-2016-Pre-access.log | cut -d' ' -f 6 | sort | uniq -c
      6 ""
     15 "CONNECT
     60 "GET
      1 "HEAD
      1 "POST
      1 "quit"
      4 "\x00"
      1 "\x04\x01\x00P\xC0c\xF660\x00"
      6 "\x04\x01\x00P\xC6\xCE\x0Eu0\x00"
      4 "\x05\x01\x00"

Answer: CONNECT

10. How many requests were for \x04\x01\x00P\xC6\xCE\x0Eu0\x00?

root@kali:~# cat NCL-2016-Pre-access.log | cut -d' ' -f 6 | sort | uniq -c
      6 ""
     15 "CONNECT
     60 "GET
      1 "HEAD
      1 "POST
      1 "quit"
      4 "\x00"
      1 "\x04\x01\x00P\xC0c\xF660\x00"
      6 "\x04\x01\x00P\xC6\xCE\x0Eu0\x00"
      4 "\x05\x01\x00"

Answer: 6
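The cut -d' ' -f N approach above works until a quoted field has a different number of words (compare the mixed output for question 7), and it lists raw byte strings as if they were HTTP methods. As an added example that is not part of the original post, the parser below matches the whole nginx combined-format line at once, classifies non-HTTP request lines separately, and reads UA versions by product token; the sample lines are constructed, and the last one imitates the \xNN escaping nginx applies to raw bytes (the \x04\x01\x00P and \x05\x01\x00 prefixes seen in the real log are the opening bytes of SOCKS4 and SOCKS5 handshakes, i.e. open-proxy probes hitting the web port).

```python
import re
from collections import Counter

# Constructed lines in nginx "combined" format (not the challenge file). The last line
# imitates the \xNN escaping nginx applies when a client sends raw non-HTTP bytes.
SAMPLE_LOG = r'''
66.249.67.130 - - [01/Oct/2015:03:08:10 -0400] "GET /robots.txt HTTP/1.1" 502 166 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
203.0.113.7 - - [01/Oct/2015:03:10:00 -0400] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0"
203.0.113.7 - - [01/Oct/2015:03:10:05 -0400] "GET /favicon.ico HTTP/1.1" 404 169 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0"
198.51.100.9 - - [01/Oct/2015:03:11:00 -0400] "GET /cgi-bin/x HTTP/1.1" 400 172 "-" "Mozilla/5.0 (Windows NT 6.1; rv:30.0) Gecko/20100101 Firefox/30.0"
198.51.100.9 - - [01/Oct/2015:03:12:00 -0400] "CONNECT example.net:443 HTTP/1.1" 400 172 "-" "-"
192.0.2.44 - - [01/Oct/2015:03:13:00 -0400] "\x04\x01\x00P\xC6\xCE\x0Eu0\x00" 400 172 "-" "-"
'''.strip().splitlines()

# Match the whole line at once: the request and user agent are quoted fields, so
# cut -d' ' -f N breaks as soon as a user agent has a different number of words.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')
REQUEST_RE = re.compile(r'^([A-Z]+) (\S+) HTTP/\d\.\d$')

def parse(lines):
    """One dict per well-formed line; anything that is not combined-format is skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, lines) if m]

def method_of(request):
    """HTTP method of a request line, or 'non-HTTP' for raw byte strings such as the
    \\x04\\x01\\x00P... entries, which cut -f 6 lists as if they were methods."""
    m = REQUEST_RE.match(request)
    return m.group(1) if m else 'non-HTTP'

def ua_version(entries, product):
    """Counter of versions for one UA product token, independent of word position."""
    pattern = re.compile(re.escape(product) + r'/(\d+(?:\.\d+)?)')
    return Counter(m.group(1) for e in entries for m in [pattern.search(e['agent'])] if m)

def summarize(lines):
    entries = parse(lines)
    return {
        'unique_ips': len({e['ip'] for e in entries}),
        'status': Counter(e['status'] for e in entries),
        'methods': Counter(method_of(e['request']) for e in entries),
        'firefox': ua_version(entries, 'Firefox'),
        'googlebot': ua_version(entries, 'Googlebot'),
    }

if __name__ == '__main__':
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, value)
```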

Squid:

For this challenge we are provided the following file: NCL-2017-Pre-squid_access.log

1. In what year was this log saved?

With this question, let’s start by looking at the first line.

1286536308.779    180 192.168.0.224 TCP_MISS/200 411 GET http://liveupdate.symantecliveupdate.com/minitri.flg - DIRECT/125.23.216.203 text/plain

The first field is the timestamp. Squid's native log format stores it as Unix epoch time (seconds, with a millisecond fraction), so all I did was go online to EpochConverter and convert it. You should get something similar to what I have below.

Answer: 2010

2. How many milliseconds did the fastest request take?

Just eyeballing the log, we can see that near the end, on line 111, we have the fastest request.

1286536331.040      5 192.168.0.227 TCP_MISS/503 855 GET http://s2.youtube.com/s? - NONE/- text/html

Answer: 5

3. How many milliseconds did the longest request take?

Just eyeballing the log, we can see that near the end, on line 113, we have the longest request.

1286536351.746  41762 192.168.0.227 TCP_MISS/200 5340945 GET http://v15.lscache3.c.youtube.com/videoplayback? - DIRECT/122.160.120.150 video/x-flv

Answer: 41762

4. How many different IP addresses used this proxy service?

root@kali:~# cat NCL-2017-Pre-squid_access.log | cut -d'T' -f 1 | egrep -o '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort | uniq | wc -l
4

Answer: 4

5. How many GET requests were made?

root@kali:~# cat NCL-2017-Pre-squid_access.log | grep "GET" | wc -l
35

Answer: 35

6. How many POST requests were made?

root@kali:~# cat NCL-2017-Pre-squid_access.log | grep "POST" | wc -l
78

Answer: 78

7. What company created the antivirus used on the host at 192.168.0.224?

root@kali:~# cat NCL-2017-Pre-squid_access.log | grep "192.168.0.224"
1286536308.779    180 192.168.0.224 TCP_MISS/200 411 GET http://liveupdate.symantecliveupdate.com/minitri.flg - DIRECT/125.23.216.203 text/plain
1286536308.910     37 192.168.0.224 TCP_MISS/200 4083 GET http://liveupdate.symantecliveupdate.com/streaming/norton$202009$20streaming$20virus$20definitions_1.0_symalllanguages_livetri.zip - DIRECT/125.23.216.203 application/zip

Answer: symantec

8. What url is used to download an antivirus update?

root@kali:~# cat NCL-2017-Pre-squid_access.log | grep "192.168.0.224" | cut -d' ' -f 11
http://liveupdate.symantecliveupdate.com/streaming/norton$202009$20streaming$20virus$20definitions_1.0_symalllanguages_livetri.zip

Answer: http://liveupdate.symantecliveupdate.com/streaming/…
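The Squid questions above are all answered by fields in a fixed-layout line, so they can be scripted rather than eyeballed. This is an added example, not part of the original post: it parses Squid's native access.log format, converts the epoch timestamp, finds the fastest and slowest requests, counts methods from the method field only, and lists the hosts one client contacted. The sample is three lines quoted from the post plus one constructed POST line whose URL contains "GET", to show how grep over the whole line over-counts methods.

```python
from collections import Counter
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Squid native access.log: ten whitespace-separated fields, and the URL never contains
# spaces, so a plain split() is safe here (unlike the nginx combined format).
FIELDS = ('ts', 'elapsed_ms', 'client', 'result', 'bytes', 'method', 'url', 'user',
          'peer', 'mime')

# Three lines quoted from the post plus one constructed POST line whose URL happens to
# contain "GET", to show why grep on the whole line over-counts methods.
SAMPLE_LOG = '''
1286536308.779    180 192.168.0.224 TCP_MISS/200 411 GET http://liveupdate.symantecliveupdate.com/minitri.flg - DIRECT/125.23.216.203 text/plain
1286536310.004     37 192.168.0.225 TCP_MISS/200 4083 POST http://example.net/api/GET_status - DIRECT/203.0.113.5 application/json
1286536331.040      5 192.168.0.227 TCP_MISS/503 855 GET http://s2.youtube.com/s? - NONE/- text/html
1286536351.746  41762 192.168.0.227 TCP_MISS/200 5340945 GET http://v15.lscache3.c.youtube.com/videoplayback? - DIRECT/122.160.120.150 video/x-flv
'''.strip().splitlines()

def parse(lines):
    """One dict per line; lines without exactly ten fields are skipped, not guessed at."""
    rows = []
    for line in lines:
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        row = dict(zip(FIELDS, parts))
        row['ts'] = float(row['ts'])            # Unix epoch seconds with ms fraction
        row['elapsed_ms'] = int(row['elapsed_ms'])
        row['bytes'] = int(row['bytes'])
        rows.append(row)
    return rows

def hosts_for(rows, client):
    """Distinct hostnames one client contacted, e.g. to spot an AV vendor's update server."""
    return sorted({urlsplit(r['url']).hostname for r in rows if r['client'] == client})

def summarize(lines):
    rows = parse(lines)
    return {
        'year': datetime.fromtimestamp(rows[0]['ts'], tz=timezone.utc).year,
        'fastest_ms': min(r['elapsed_ms'] for r in rows),
        'slowest_ms': max(r['elapsed_ms'] for r in rows),
        'clients': sorted({r['client'] for r in rows}),
        'methods': Counter(r['method'] for r in rows),    # field 6 only, not whole line
        'grep_GET_lines': sum('GET' in line for line in lines),
    }

if __name__ == '__main__':
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, value)
    print(hosts_for(parse(SAMPLE_LOG), '192.168.0.224'))
```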

That’s all for now, thanks for reading - and stay tuned for more!
