Find a Coldplay song password used in a brute-force attempt (Boss Of The SOC walkthrough)

  • Referring to the Cyber-defenders lab Boss Of The SOC
    • one of the challenges is to find a 6-character password used in a brute-force attack
    • hint: the password is a Coldplay song 😮


  • With the aid of Splunk lookups, you can solve this mystery.

First we need to gather a list of Coldplay songs (the wiki has enough).

After some text magic and refining, we add a new field called "check" with the value "found" to every line and save the result in CSV format, which gives us a List.csv as follows:
[Image: coldplay list]

Go to Splunk Lookups and load our "List.csv": Lookups » Lookup table files » Add new

[Image: lookup addition]

Then use this Splunk query:
host="splunk-02" sourcetype=stream:http form_data="*username*passwd*"
| rex field=form_data "passwd=(?<pwd>\w+)"
| eval lenpword=len(pwd)
| search lenpword=6
| lookup List.csv song as pwd OUTPUT check
| search check=*
| table check pwd

And here we go:
    our song | password is "yellow". That's it 😎.
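
For anyone who wants to script the "text magic" step and dry-run the search logic before uploading the lookup, here is an added example (not part of the original walkthrough). It assumes titles are lowercased and stripped of everything `\w` would not match; the titles and form_data values are constructed samples, and the function names are made up for illustration.

```python
import csv
import io
import re

# Constructed sample of song titles; the full list comes from the wiki page.
TITLES = ["Yellow", "Clocks", "Fix You", "The Scientist", "Viva la Vida", "Yellow"]

# Same capture as the rex in the Splunk query.
PWD_RE = re.compile(r"passwd=(?P<pwd>\w+)")


def normalize(title):
    """Assumed normalisation: lowercase, keep only word characters."""
    return re.sub(r"\W+", "", title.lower())


def build_lookup_csv(titles):
    """Return List.csv content: header song,check and check=found on every row."""
    songs = sorted({normalize(t) for t in titles if normalize(t)})
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["song", "check"])
    writer.writerows([s, "found"] for s in songs)
    return buf.getvalue()


def match_events(form_data_values, lookup_csv, length=6):
    """Mirror the query: extract passwd, keep 6-char values, keep lookup hits."""
    table = {r["song"]: r["check"] for r in csv.DictReader(io.StringIO(lookup_csv))}
    hits = []
    for form_data in form_data_values:
        m = PWD_RE.search(form_data)
        if m and len(m["pwd"]) == length and m["pwd"] in table:
            hits.append((table[m["pwd"]], m["pwd"]))
    return hits


# Constructed form_data values, not taken from the lab dataset.
EVENTS = [
    "username=admin&task=login&passwd=123456",
    "username=admin&task=login&passwd=yellow",
    "username=admin&task=login&passwd=thescientist",
    "task=search&q=clocks",
]

if __name__ == "__main__":
    print(match_events(EVENTS, build_lookup_csv(TITLES)))
```

Lowercasing matters because the lookup is matched against the password exactly as it was typed in the form.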

