Evil Corp's Child 3

Challenge:

What is the localityName in the Certificate Issuer data for HTTPS traffic to 37.205.9.252?

Use the file from Evil Corp's Child.

Solution:

Continuing with the Zeek logs generated during "Evil Corp's Child 1", I extract the destination IP and the "subject" attribute of each SSL certificate (which contains the locality attribute) from ssl.log and search for the provided IP.

$ cat ssl.log | /opt/zeek/bin/zeek-cut id.resp_h subject | grep -F "37.205.9.252"

37.205.9.252	CN=Inawe0deouna.pics,O=Bulloccea B.M.,L=Mogadishu,C=SO
37.205.9.252	CN=Inawe0deouna.pics,O=Bulloccea B.M.,L=Mogadishu,C=SO

The complete flag is flag{Mogadishu}
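
The same lookup as an added example (not part of the original write-up): a shell function that locates the columns from the ssl.log "#fields" header, matches the server IP exactly instead of as a substring, and reads the locality from the issuer column, the field the challenge names. It assumes Zeek's default TSV log format with an issuer column and commas inside DN values escaped as \, and the sample rows are constructed with documentation addresses.

```shell
#!/bin/sh
# Print the distinct issuer localityName (L=) values for TLS sessions to one
# server IP, reading a Zeek ssl.log in TSV format (assumed layout, see lead-in).
issuer_locality() {  # usage: issuer_locality <server-ip> [ssl.log]
    awk -F '\t' -v ip="$1" '
        # The "#fields" header names the columns; record the position of each.
        $1 == "#fields" { for (i = 2; i <= NF; i++) col[$i] = i - 1; next }
        /^#/ { next }
        !("id.resp_h" in col) || !("issuer" in col) {
            print "log lacks id.resp_h or issuer column" > "/dev/stderr"
            exit 2
        }
        # Exact comparison: 192.0.2.10 must not also select 192.0.2.100.
        $(col["id.resp_h"]) == ip {
            dn = $(col["issuer"])
            gsub(/\\,/, "\001", dn)        # protect escaped commas in values
            n = split(dn, rdn, ",")
            for (j = 1; j <= n; j++)
                if (rdn[j] ~ /^L=/) {
                    loc = substr(rdn[j], 3)
                    gsub("\001", ",", loc)  # restore the literal comma
                    if (!(loc in seen)) { seen[loc] = 1; print loc }
                }
        }
    ' "${2:-ssl.log}"
}

# Constructed sample log (reduced field set, RFC 5737 addresses); not taken
# from the challenge capture.
make_sample_log() {
    {
        printf '#separator \\x09\n'
        printf '#fields\tts\tuid\tid.resp_h\tsubject\tissuer\n'
        printf '1.0\tC1\t192.0.2.10\tCN=a.example,L=Springfield,C=US\t'
        printf 'CN=Example CA,L=Washington\\, D.C.,C=US\n'
        printf '2.0\tC2\t192.0.2.10\tCN=a.example,L=Springfield,C=US\t'
        printf 'CN=Example CA,L=Washington\\, D.C.,C=US\n'
        printf '3.0\tC3\t192.0.2.100\tCN=b.example,L=Shelbyville,C=US\t'
        printf 'CN=Other CA,L=Ogdenville,C=US\n'
    } > "$1"
}

# Against the challenge logs: issuer_locality 37.205.9.252 ssl.log
```
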
