Iterations

Challenge:

What is the name of the tool that likely resulted in DEADFACE acquiring login credentials to ESU's website?

Submit the flag as flag{tool}.

Use the files from First Strike.

Solution:

We analyzed the unique User-Agent strings in access.log and created a rough timetable for the attack traffic:

| Start                | End                  | Tool  |
|----------------------|----------------------|-------|
| 27/Jul/2022 14:13:52 | 27/Jul/2022 14:13:56 | Nmap  |
| 27/Jul/2022 14:15:13 | 27/Jul/2022 14:25:14 | Nikto |
| 27/Jul/2022 14:25:39 | 27/Jul/2022 14:34:52 | dirb¹ |
| 27/Jul/2022 14:35:49 | 27/Jul/2022 14:37:23 | Hydra |

¹ The tool performing the web content scanning had a generic User-Agent of "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" but was identified as dirb by its first two requests observed in the logs, /randomfile1 and /frand2, which are hardcoded into the tool.

Shortly after the brute-force activity from Hydra, there was a successful login from the same IP the attack traffic came from:

```text
27/Jul/2022:14:37:53 "POST /login.php"
27/Jul/2022:14:37:53 "GET /welcome.php"
```

This pattern of activity makes it likely that Hydra was successful in brute-forcing a set of valid credentials.
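The triage above (bucket access.log by User-Agent, date each tool's span, flag dirb by its hardcoded probe paths, then look for a login that succeeds right after the brute-force window) as an added Python example; this is not code from the writeup. The log lines, IP address and User-Agent strings are constructed to imitate the traffic pattern described, and `/welcome.php` is taken from the writeup as the post-login page.

```python
import re
from datetime import datetime

# Constructed sample lines (Apache combined format), not the CTF's access.log.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Jul/2022:14:13:52 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
10.0.0.5 - - [27/Jul/2022:14:15:13 +0000] "GET /cgi-bin/ HTTP/1.1" 404 210 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:map_codes)"
10.0.0.5 - - [27/Jul/2022:14:25:39 +0000] "GET /randomfile1 HTTP/1.1" 404 210 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.0.0.5 - - [27/Jul/2022:14:25:40 +0000] "GET /frand2 HTTP/1.1" 404 210 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.0.0.5 - - [27/Jul/2022:14:35:49 +0000] "POST /login.php HTTP/1.1" 200 840 "-" "Mozilla/4.0 (Hydra)"
10.0.0.5 - - [27/Jul/2022:14:37:23 +0000] "POST /login.php HTTP/1.1" 200 840 "-" "Mozilla/4.0 (Hydra)"
10.0.0.5 - - [27/Jul/2022:14:37:53 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/102.0"
10.0.0.5 - - [27/Jul/2022:14:37:53 +0000] "GET /welcome.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/102.0"
"""
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$')
UA_MARKERS = ("Nmap", "Nikto", "Hydra")    # tools that name themselves in the User-Agent
DIRB_PROBES = {"/randomfile1", "/frand2"}  # dirb's hardcoded first requests (generic UA)

def parse(log):
    # (ip, timestamp, method, path, status, user_agent) per well-formed line, time-ordered
    rows = []
    for m in filter(None, map(LINE_RE.match, log.splitlines())):
        ip, ts, method, path, status, ua = m.groups()
        rows.append((ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, int(status), ua))
    return sorted(rows, key=lambda r: r[1])

def tool_timeline(rows):
    # Per unique User-Agent: (tool guess, first seen, last seen), ordered by first seen
    spans = {}
    for _ip, ts, _m, path, _s, ua in rows:
        first, last, paths = spans.get(ua, (ts, ts, set()))
        spans[ua] = (min(first, ts), max(last, ts), paths | {path})
    out = []
    for ua, (first, last, paths) in spans.items():
        tool = next((t for t in UA_MARKERS if t.lower() in ua.lower()), None)
        out.append((tool or ("dirb" if DIRB_PROBES <= paths else "unknown"), first, last))
    return sorted(out, key=lambda r: r[1])

def logins_after_bruteforce(rows, timeline):
    # (ip, time) of each POST /login.php whose same-client next request is GET /welcome.php,
    # restricted to requests at or after the end of the Hydra span
    hydra_end = max((last for tool, _f, last in timeline if tool == "Hydra"), default=None)
    hits = []
    for i, (ip, ts, method, path, _s, _ua) in enumerate(rows):
        if hydra_end is None or ts < hydra_end or (method, path) != ("POST", "/login.php"):
            continue
        nxt = next((r for r in rows[i + 1:] if r[0] == ip), None)
        if nxt and (nxt[2], nxt[3]) == ("GET", "/welcome.php"):
            hits.append((ip, ts))
    return hits
```

On the sample data the timeline comes out as Nmap, Nikto, dirb, Hydra, then an unknown browser-like agent whose login is the one flagged at 14:37:53.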

The accepted flag was: flag{hydra}
