Skip to content

Insufficient Logging and Monitoring⚓︎

Difficulty:
Direct link: TryHackMe - OWASP

Objective⚓︎

Task 30

Inspect the logs for clues

Hints⚓︎

Hint 1

Check for common actions in a short sequence of time

Hint 2

Trying combinations of usernames and passwords to gain access to users' accounts.

Solution⚓︎

This task attempts to emphasize the importance of logging for incident responses. After reading through the task, download the log file and read the contents with cat.

log file
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
cat login-logs_1595366583422.txt 
200 OK           12.55.22.88 jr22          2019-03-18T09:21:17 /login
200 OK           14.56.23.11 rand99        2019-03-18T10:19:22 /login
200 OK           17.33.10.38 afer11        2019-03-18T11:11:44 /login
200 OK           99.12.44.20 rad4          2019-03-18T11:55:51 /login
200 OK           67.34.22.10 bff1          2019-03-18T13:08:59 /login
200 OK           34.55.11.14 hax0r         2019-03-21T16:08:15 /login
401 Unauthorised 49.99.13.16 admin         2019-03-21T21:08:15 /login
401 Unauthorised 49.99.13.16 administrator 2019-03-21T21:08:20 /login
401 Unauthorised 49.99.13.16 anonymous     2019-03-21T21:08:25 /login
401 Unauthorised 49.99.13.16 root          2019-03-21T21:08:30 /login

Task 30.1

What IP address is the attacker using?

Attacker

A simple visual inspection can show that there is only one repeating IP address. Put that into the answer field.

Task 30.2

What kind of attack is being carried out?

Type of Attack

Look at the log file, it appears that the attacker is attempting to log in to a different profile every five minutes. Technically, this would be a 'Password Spraying Attack' but since the answer field wont accept that, we can use the more umbrella term: "brute force".

Wrap Up⚓︎

This was the end of the TryHackMe OWASP Top 10 room. One of the biggest takeaways for me is how each of these top 10 vulnerabilities routinely found are, by and large, relatively easy to execute. Some of them are easier with a deeper knowledge of the technology involved, but none of them really required it for a basic representation of the vulnerability. No one is perfect though, and the folks writing code for real are just people, doing their best, who are going to make mistakes.