First Strike


There was a cyber attack on ESU's website on July 27th. ESU IT staff collected data from the attack and need your help sifting through it.

What IP Address did the attack originate from? Submit the flag as: flag{ip_address}. Example: flag{}.


The provided access.log file was a typical web server access log in the Combined Log Format. The columns of interest for this challenge are:

  • col 1: source IP address
  • col 4: timestamp of the request
  • col 9: the source's User-Agent - - [27/Jul/2022:14:13:37 +0000] "GET / HTTP/1.0" 301 570 "-" "-" - - [27/Jul/2022:14:13:44 +0000] "GET / HTTP/1.0" 400 5729 "-" "-" - - [27/Jul/2022:14:13:52 +0000] "GET / HTTP/1.1" 200 6225 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine;"

The timestamp at the beginning of the log already aligns with the date of July 27th given in the challenge description, so the User-Agent is the next column of interest. Given that the User-Agent is related to the network scanning tool nmap we can make an assumption that this is not normal web traffic and most likely related to the attack.

The accepted flag was: flag{}



Leave a comment