What is the name of the tool that likely resulted in DEADFACE acquiring login credentials to ESU's website?
Submit the flag as
Use the files from First Strike.
We analyzed the unique User-Agent strings in access.log and built a rough timetable of the attack traffic:

| First seen | Last seen | Tool |
|---|---|---|
| 27/Jul/2022 14:13:52 | 27/Jul/2022 14:13:56 | Nmap |
| 27/Jul/2022 14:15:13 | 27/Jul/2022 14:25:14 | Nikto |
| 27/Jul/2022 14:25:39 | 27/Jul/2022 14:34:52 | dirb (see note below) |
| 27/Jul/2022 14:35:49 | 27/Jul/2022 14:37:23 | Hydra |

- The tool performing the web content scanning used a generic User-Agent of "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)", but it was identified as dirb by the first two requests observed in the logs, /randomfile1 and /frand2, which are hardcoded into the tool.
Shortly after the brute-force activity from Hydra there was a successful login from the same IP the attack traffic came from:

```
27/Jul/2022:14:37:53 "POST /login.php"
27/Jul/2022:14:37:53 "GET /welcome.php"
```
This pattern of activity makes it likely that Hydra was successful in brute-forcing a set of valid credentials.
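To show how this attribution can be automated, here is an added Python example (not part of the original write-up) that parses constructed Apache combined-format log lines modelled on the timeline above, builds a first-seen/last-seen table per tool, fingerprints the generic dirb User-Agent by its hardcoded /randomfile1 and /frand2 probes, and flags a POST /login.php followed by GET /welcome.php from the Hydra source IP shortly after the brute force stops. The User-Agent strings and the 10.0.0.5 address are assumed sample values, not data from the challenge files.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in Apache combined format, modelled on the challenge timeline (not the real access.log).
SAMPLE_LOG = """\
10.0.0.5 - - [27/Jul/2022:14:13:52 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
10.0.0.5 - - [27/Jul/2022:14:15:13 +0000] "GET /cgi-bin/ HTTP/1.1" 404 210 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000001)"
10.0.0.5 - - [27/Jul/2022:14:25:39 +0000] "GET /randomfile1 HTTP/1.1" 404 210 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.0.0.5 - - [27/Jul/2022:14:25:40 +0000] "GET /frand2 HTTP/1.1" 404 210 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.0.0.5 - - [27/Jul/2022:14:35:49 +0000] "POST /login.php HTTP/1.1" 200 300 "-" "Mozilla/5.0 (Hydra)"
10.0.0.5 - - [27/Jul/2022:14:37:23 +0000] "POST /login.php HTTP/1.1" 200 300 "-" "Mozilla/5.0 (Hydra)"
10.0.0.5 - - [27/Jul/2022:14:37:53 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
10.0.0.5 - - [27/Jul/2022:14:37:53 +0000] "GET /welcome.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
                    r'(?P<status>\d+) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
DIRB_PROBE = ("/randomfile1", "/frand2")  # first two paths dirb requests; hardcoded in the tool

def parse_log(text):
    """Parse combined-format lines into dicts; the timestamp becomes a timezone-aware datetime."""
    entries = []
    for m in filter(None, map(LOG_RE.match, text.splitlines())):
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        entries.append(e)
    return entries

def tool_timeline(entries):
    """Map tool -> (first_seen, last_seen). A generic UA is attributed to dirb by its probe paths."""
    by_ua = {}
    for e in entries:
        by_ua.setdefault(e["ua"], []).append(e)
    result = {}
    for ua, hits in by_ua.items():
        name = next((t for t in ("Nmap", "Nikto", "Hydra") if t in ua), None)
        if name is None and tuple(h["path"] for h in hits[:2]) == DIRB_PROBE:
            name = "dirb"
        if name:
            result[name] = (hits[0]["ts"], hits[-1]["ts"])
    return result

def login_after_bruteforce(entries, window=timedelta(minutes=2)):
    """(ip, ts) of a POST /login.php then GET /welcome.php from the Hydra source IP within `window` of its last request."""
    hydra = [e for e in entries if "Hydra" in e["ua"]]
    if not hydra:
        return None
    src, end = hydra[-1]["ip"], hydra[-1]["ts"]
    for e, nxt in zip(entries, entries[1:]):
        if ((e["ip"], e["method"], e["path"], nxt["ip"], nxt["method"], nxt["path"])
                == (src, "POST", "/login.php", src, "GET", "/welcome.php") and end <= e["ts"] <= end + window):
            return src, e["ts"]
    return None
```

The timeline function only attributes a generic User-Agent to dirb when its first two requests are exactly the probe paths, so a normal browser with the same old MSIE string is not mislabelled.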
The accepted flag was: