Day 3 Challenge: Splunk Basics - Did you SIEM?
Prelude:
Day 3 starts with an alarm in the SOC dashboard. What is a SOC? Think of it as your country's border guards! A Security Operations Center is basically a team of cyber security experts who prevent incoming attacks through monitoring, detection and coordinating responses to attacks. A sophisticated dashboard and analysis tools (e.g. Splunk here) are the minimum set of tools SOC teams use every day.
In layman's terms, Splunk is a web-styled platform for analyzing logs or any kind of machine data. Think journalctl but with more features and more diverse sources of data, in today's case: web traffic.
Jumping to the task, you are probably confused like me that there is no 'Start AttackBox' button and they tell you to click on Splunk! Don't skip reading the introduction task. There is a web link there. You don't need an AttackBox today.
Now, read and follow all the instructions in the second task. If you cannot get to step 6 below, notice the arrow icon > adjacent to the Time column.
- When was the peak traffic in the logs? You can hover over the histogram to see the date.

- What is the count of Havij user_agent events? Run this query:
index=main sourcetype=web_traffic user_agent=*Havij*
- How many path traversal attempts to access sensitive files on the server were observed?
Approach:
I thought this query index=main sourcetype=web_traffic path="*..*" OR path="*redirect*" would do, but the answer 1291 is too big for the Answer field:

Focus on the "sensitive files" part and check the corresponding command they showed us:

Running the query in the picture returns 347 results, not the correct answer either. Ask yourself whether backups and logs are sensitive: yes, but from the lessons we know of another sensitive file, bunnylock.bin. So I tried index=main sourcetype=web_traffic path=*bunnylock.bin* and it showed 833 results, still incorrect.
Our only clues are 'path traversal' and 'sensitive files'. Let's refocus on 'path traversal' here. But we already tried the query they taught us:
sourcetype=web_traffic client_ip="<REDACTED>" AND path="*..*" OR path="*redirect*"
... So let's try without the redirects? The result count is now 658. 'Don't beat around the bush' they say, so we beat around the correct bush!
- Next question: How many bytes were transferred to the C2 server IP from the compromised web server?
Leverage the autocomplete, no need to cram every column:

Done!
These kinds of rooms are called walkthrough rooms.
