Iterations
Challenge:
What is the name of the tool that likely resulted in DEADFACE acquiring login credentials to ESU's website?
Submit the flag as flag{tool}. Use the files from First Strike.
Solution:
We analyzed the unique User-Agent strings in access.log and created a rough timetable for the attack traffic:
| Start | End | Tool |
|---|---|---|
| 27/Jul/2022 14:13:52 | 27/Jul/2022 14:13:56 | Nmap |
| 27/Jul/2022 14:15:13 | 27/Jul/2022 14:25:14 | Nikto |
| 27/Jul/2022 14:25:39 | 27/Jul/2022 14:34:52 | dirb [1] |
| 27/Jul/2022 14:35:49 | 27/Jul/2022 14:37:23 | Hydra |

[1] The tool performing the web content scanning had a generic User-Agent of "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" but was identified as dirb by its first two requests observed in the logs, /randomfile1 and /frand2, which are hardcoded into the tool.
Shortly after the Hydra brute-force activity there was a successful login from the same IP the attack traffic had come from:
27/Jul/2022:14:37:53 "POST /login.php"
27/Jul/2022:14:37:53 "GET /welcome.php"
This pattern of activity makes it likely that Hydra was successful in brute-forcing a set of valid credentials.
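As an added example (not part of the original writeup), the Python below reproduces the log-triage steps above on a constructed access.log sample: it groups requests by User-Agent to build the per-tool timeline, identifies dirb through its hardcoded /randomfile1 and /frand2 probes despite its generic browser UA, and flags a POST /login.php followed by GET /welcome.php from an IP that had just been seen brute-forcing. The IP, UA strings and response sizes in the sample are assumptions; only the timestamps follow the table.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample (Apache combined format, not the challenge's access.log); timestamps follow the table above.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Jul/2022:14:13:52 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
10.0.0.5 - - [27/Jul/2022:14:15:13 +0000] "GET /cgi-bin/ HTTP/1.1" 404 210 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000001)"
10.0.0.5 - - [27/Jul/2022:14:25:39 +0000] "GET /randomfile1 HTTP/1.1" 404 210 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.0.0.5 - - [27/Jul/2022:14:25:40 +0000] "GET /frand2 HTTP/1.1" 404 210 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.0.0.5 - - [27/Jul/2022:14:35:49 +0000] "POST /login.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (Hydra)"
10.0.0.5 - - [27/Jul/2022:14:37:23 +0000] "POST /login.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (Hydra)"
10.0.0.5 - - [27/Jul/2022:14:37:53 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Firefox/102.0"
10.0.0.5 - - [27/Jul/2022:14:37:53 +0000] "GET /welcome.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Firefox/102.0"
"""
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"')
UA_SIGNATURES = {"Nmap Scripting Engine": "Nmap", "Nikto/": "Nikto", "(Hydra)": "Hydra"}
DIRB_PROBES = {"/randomfile1", "/frand2"}  # dirb's hardcoded first two requests

def parse(log_text):  # combined-format lines -> dicts; non-matching lines are skipped
    entries = []
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        ip, ts, method, path, status, ua = m.groups()
        entries.append({"ip": ip, "ts": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
                        "method": method, "path": path, "status": int(status), "ua": ua})
    return entries

def tool_timeline(entries):
    """Name the tool behind each User-Agent and return its first/last timestamp."""
    by_ua = defaultdict(list)
    for e in entries:
        by_ua[e["ua"]].append(e)
    timeline = {}
    for ua, es in by_ua.items():
        tool = next((t for sig, t in UA_SIGNATURES.items() if sig in ua), None)
        if tool is None and DIRB_PROBES <= {e["path"] for e in es}:
            tool = "dirb"  # generic browser UA, but the probe paths give it away
        if tool:
            timeline[tool] = (min(e["ts"] for e in es), max(e["ts"] for e in es))
    return timeline

def logins_after_bruteforce(entries, window=timedelta(minutes=5)):
    """Flag a POST /login.php followed by GET /welcome.php from an IP seen brute-forcing."""
    last_hydra = {e["ip"]: e["ts"] for e in entries if "(Hydra)" in e["ua"]}
    hits = []
    for e, nxt in zip(entries, entries[1:]):
        if ((e["method"], e["path"], nxt["path"]) == ("POST", "/login.php", "/welcome.php")
                and e["ip"] == nxt["ip"] and e["ip"] in last_hydra
                and timedelta(0) <= e["ts"] - last_hydra[e["ip"]] <= window):
            hits.append((e["ip"], e["ts"].strftime("%d/%b/%Y %H:%M:%S")))
    return hits
```

On the sample, `tool_timeline` yields the four tools in the table and `logins_after_bruteforce` returns the 14:37:53 login, 30 seconds after the last Hydra request from the same IP.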
The accepted flag was: flag{hydra}