First Strike

Challenge:

There was a cyber attack on ESU's website on July 27th. ESU IT staff collected data from the attack and need your help sifting through it.

What IP Address did the attack originate from? Submit the flag as: flag{ip_address}. Example: flag{192.168.1.1}.

Solution:

The provided access.log file was a typical web server access log in the Combined Log Format. The columns of interest for this challenge are:

  • col 1: source IP address
  • col 4: timestamp of the request
  • col 9: the source's User-Agent

165.227.73.138 - - [27/Jul/2022:14:13:37 +0000] "GET / HTTP/1.0" 301 570 "-" "-"
165.227.73.138 - - [27/Jul/2022:14:13:44 +0000] "GET / HTTP/1.0" 400 5729 "-" "-"
165.227.73.138 - - [27/Jul/2022:14:13:52 +0000] "GET / HTTP/1.1" 200 6225 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"

The timestamp at the beginning of the log already matches the date of July 27th given in the challenge description, so the User-Agent is the next column of interest. Since the User-Agent identifies the network scanning tool nmap (its Scripting Engine, NSE), we can assume this is not normal web traffic and is most likely related to the attack.
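The same triage, automated: the script below (an added example, not part of the original writeup) parses Combined Log Format lines, keeps only requests on the incident day, and counts scanner-tagged User-Agents per source IP. The scanner marker list and the fourth, benign log line are constructed assumptions for the demo.

```python
import re
from collections import Counter
from datetime import date, datetime

# Combined Log Format: ip ident user [timestamp] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Substrings marking well-known scanner User-Agents (assumption; extend for your environment)
SCANNER_MARKERS = ("nmap", "nikto", "sqlmap", "masscan", "zgrab")

def parse_line(line):
    """Parse one Combined Log Format line into a dict; None if the line is malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def is_scanner_ua(ua):
    """True if the User-Agent contains a known scanner marker (case-insensitive)."""
    ua = ua.lower()
    return any(marker in ua for marker in SCANNER_MARKERS)

def suspicious_sources(lines, day):
    """Per-source-IP count of scanner-tagged requests made on `day` (a datetime.date)."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["ts"].date() != day:
            continue  # skip malformed lines and requests outside the incident day
        if is_scanner_ua(rec["ua"]):
            hits[rec["ip"]] += 1
    return hits

# Constructed sample: the three lines quoted in the writeup plus one benign browser request
SAMPLE_LOG = """\
165.227.73.138 - - [27/Jul/2022:14:13:37 +0000] "GET / HTTP/1.0" 301 570 "-" "-"
165.227.73.138 - - [27/Jul/2022:14:13:44 +0000] "GET / HTTP/1.0" 400 5729 "-" "-"
165.227.73.138 - - [27/Jul/2022:14:13:52 +0000] "GET / HTTP/1.1" 200 6225 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
203.0.113.7 - - [27/Jul/2022:15:02:11 +0000] "GET /index.html HTTP/1.1" 200 6225 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/102.0"
"""

def run_sample():
    """Apply the check to the sample log for the incident date from the challenge."""
    return suspicious_sources(SAMPLE_LOG.splitlines(), date(2022, 7, 27))
```

`run_sample().most_common(1)` yields the single scanner-tagged source, 165.227.73.138; the two earlier requests from that host have an empty User-Agent ("-") and so are not counted, which is why the per-IP count is 1 rather than 3.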

The accepted flag was: flag{165.227.73.138}
