Statement: We’ve seen some vulnerability scanning activity against us!
What was the name of the tool used?
Flag format: Name of the tool used, case insensitive
The challenge provides a JSON file containing logs.
These logs and scenarios are designed to be real-ish; they're simpler than production data, and given that the entire data set covers 1hr, all malicious activity is conducted on a condensed time frame.
Looking at the logs, I notice that a single IP address (194.163.140.128) is making automated requests for well-known file paths, one after another:
{
"_time": "2021-01-01T09:01:12.000+0000",
"origin": "194.163.140.128",
"site": "shop.downunderctf.com",
"method": "GET",
"referer": "null",
"useragent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0",
"url": "shop.downunderctf.com/wp-content/uploads/simple-file-list/nuclei.php",
"logSource": "Http:Web"
}
{
"_time": "2021-01-01T09:01:13.000+0000",
"origin": "194.163.140.128",
"site": "shop.downunderctf.com",
"method": "GET",
"referer": "null",
"useragent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0",
"url": "shop.downunderctf.com/CFIDE/administrator/enter.cfm",
"logSource": "Http:Web"
}
{
"_time": "2021-01-01T09:01:14.000+0000",
"origin": "194.163.140.128",
"site": "shop.downunderctf.com",
"method": "GET",
"referer": "null",
"useragent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0",
"url": "shop.downunderctf.com/cgi-bin/test/test.cgi",
"logSource": "Http:Web"
}
{
"_time": "2021-01-01T09:01:15.000+0000",
"origin": "194.163.140.128",
"site": "shop.downunderctf.com",
"method": "GET",
"referer": "null",
"useragent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0",
"url": "shop.downunderctf.com/favicon.ico",
"logSource": "Http:Web"
}
{
"_time": "2021-01-01T09:01:16.000+0000",
"origin": "194.163.140.128",
"site": "shop.downunderctf.com",
"method": "GET",
"referer": "null",
"useragent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0",
"url": "shop.downunderctf.com/nuclei.txt",
"logSource": "Http:Web"
}
We can see that the attacker is feeding a predefined wordlist of paths into their scan tool, and that the requests arrive at regular 1 second intervals. Note that the user agent is an ordinary Firefox string, so it gives no hint about the tool; the requested paths do.
The string nuclei shows up repeatedly in the requested paths (nuclei.php, nuclei.txt), which makes me think the attacker is running the nuclei tool with its default wordlist.
Flag: nuclei