Agents of Chaos

Challenge:

What is the first user agent of the second scanning tool used by the attacker? Submit the flag as flag{user agent string}.

Use the files from First Strike.

Solution:

Scrolling through access.log until there is a transition from the Nmap User-Agent to another tool identifies the web server scanner Nikto as the second scanning tool:

165.227.73.138 - - [27/Jul/2022:14:13:56 +0000] "OPTIONS / HTTP/1.1" 200 6225 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
165.227.73.138 - - [27/Jul/2022:14:13:56 +0000] "GET / HTTP/1.0" 301 570 "-" "-"
165.227.73.138 - - [27/Jul/2022:14:13:56 +0000] "GET / HTTP/1.0" 400 5729 "-" "-"
165.227.73.138 - - [27/Jul/2022:14:13:56 +0000] "GET / HTTP/1.1" 301 551 "-" "-"
165.227.73.138 - - [27/Jul/2022:14:13:57 +0000] "GET / HTTP/1.1" 200 6206 "-" "-"
165.227.73.138 - - [27/Jul/2022:14:15:13 +0000] "GET / HTTP/1.1" 200 6262 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:Port Check)"

The accepted flag was: flag{Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:Port Check)}
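The manual scroll above can also be scripted. The following Python is an added example, not part of the original write-up: it parses combined-format access log lines and records, per client IP, the first request seen from each distinct tool. The function names, the signature table and the last sample line (constructed) are assumptions.

```python
import re

# Combined Log Format: ip ident user [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Substrings that identify a tool; both are taken from the User-Agents quoted above.
SIGNATURES = {"Nmap Scripting Engine": "Nmap", "Nikto/": "Nikto"}

def tool_of(ua):
    """Map a User-Agent to a tool label so per-test variations collapse into one tool."""
    for needle, name in SIGNATURES.items():
        if needle in ua:
            return name
    return ua  # unknown agent: the raw string is its own label

def first_seen_tools(lines):
    """Return {ip: [(tool, timestamp, user_agent), ...]} in order of first appearance."""
    seen = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["ua"] in ("", "-"):
            continue  # unparsable line, or request sent without a User-Agent
        tools = seen.setdefault(m["ip"], [])
        tool = tool_of(m["ua"])
        if all(t != tool for t, _, _ in tools):
            tools.append((tool, m["ts"], m["ua"]))
    return seen

# First three lines are from the excerpt above; the fourth is constructed for illustration.
SAMPLE = '''
165.227.73.138 - - [27/Jul/2022:14:13:56 +0000] "OPTIONS / HTTP/1.1" 200 6225 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
165.227.73.138 - - [27/Jul/2022:14:13:57 +0000] "GET / HTTP/1.1" 200 6206 "-" "-"
165.227.73.138 - - [27/Jul/2022:14:15:13 +0000] "GET / HTTP/1.1" 200 6262 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:Port Check)"
165.227.73.138 - - [27/Jul/2022:14:15:14 +0000] "GET /admin/ HTTP/1.1" 404 5000 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000001)"
'''.strip().splitlines()

if __name__ == "__main__":
    for ip, tools in first_seen_tools(SAMPLE).items():
        for tool, ts, ua in tools:
            print(f"{ip}  {ts}  {tool:<6} {ua}")
```

Requests with an empty User-Agent ("-") are skipped, so the unlabelled probes between the two tools do not count as a tool of their own.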
