Hi, little hint for the: There is a file named neutrinogootkit.pcap in the /home/htb-student/pcaps directory, which contains network traffic related to the Neutrino exploit kit sending Gootkit malware. Enter the x509.log field name that includes the “MyCompany Ltd.” trace as your answer.
The question is not about something exact again, so after triggering a Zeek query (based on the previous section), a set of .log files will be created in the directory.
One of these would be the mentioned log; the output is not clearly the answer, and it doesn’t contain a proper answer phrase. Once again, students have to discover what the lab’s creator had in mind. So CN=, OU= and so on are related to a certain SSL field or part.
The answer format is “xxxxxxxxxxx.xxxxxxx” without quotation marks, separated by a dot.
Most likely, if someone is familiar with SSL certs he will know how to answer; otherwise it’s not too obvious.
The thing here is not about the values; it’s related to the certificate and its section, so it’s rather word.word. You won’t find the answer in the file.
For those still stuck, try matching up the fields and their corresponding values. Note that fields and values are both separated by spaces. Hint: the first field is ts and corresponds to the value 1467993481.526112.
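As an added example (not from the course, the pcap, or any post above): a small Python parser for Zeek's ASCII log format that maps each record's values to the names from the #fields header and reports which field contains a given string. The log content below is constructed, using Zeek's standard x509.log field names with invented certificate values; note that Zeek's ASCII writer separates columns with the character declared in the #separator header (a tab by default).

```python
# Constructed sample in Zeek's ASCII log format: tab-separated columns with
# the usual '#' header lines. The field names are Zeek's standard x509.log
# fields; the certificate values are invented for this example.
SAMPLE_X509_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#unset_field\t-\n"
    "#fields\tts\tid\tcertificate.version\tcertificate.serial"
    "\tcertificate.subject\tcertificate.issuer\n"
    "#types\ttime\tstring\tcount\tstring\tstring\tstring\n"
    "1467993481.526112\tFa1b2c3d\t3\t0A1B2C"
    "\tCN=www.example.test,O=Example Corp\tCN=Example CA,O=Example Corp\n"
    "1467993482.101000\tFe4f5a6b\t3\t-"
    "\tCN=shop.example.test,OU=Web,O=Example Corp\tCN=Example CA,O=Example Corp\n"
    "#close\t2016-07-08-16-38-02\n"
)

def parse_zeek_log(text):
    """Return (field_names, records) from Zeek ASCII log text. '#separator'
    gives the column separator as an escape (\\x09 is a tab), '#fields' names
    the columns, '#unset_field' marks missing values; other '#' lines skip."""
    sep, unset, fields, records = "\t", "-", [], []
    for line in filter(None, text.splitlines()):
        if line.startswith("#separator "):
            sep = line.split(" ", 1)[1].encode("ascii").decode("unicode_escape")
        elif line.startswith("#unset_field"):
            unset = line.split(sep, 1)[1]
        elif line.startswith("#fields"):
            fields = line.split(sep)[1:]
        elif line.startswith("#"):
            continue  # #set_separator, #path, #types, #open, #close, ...
        else:
            values = line.split(sep)
            if len(values) != len(fields):
                raise ValueError("record column count does not match #fields")
            records.append({f: (None if v == unset else v) for f, v in zip(fields, values)})
    return fields, records

def fields_containing(records, needle):
    """Return the sorted names of every field whose value contains needle."""
    hits = {name for rec in records for name, val in rec.items()
            if val is not None and needle in val}
    return sorted(hits)

if __name__ == "__main__":
    names, recs = parse_zeek_log(SAMPLE_X509_LOG)
    print(names[0], "->", recs[0]["ts"])
    print(fields_containing(recs, "Example Corp"))
```

Run it against a real x509.log by reading the file into `parse_zeek_log` and passing the organisation string you are looking for to `fields_containing`.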