Statement: Looks like there’s been a bruteforce/password spray attempt against the website!
What’s the contact email for the ISP of the attacker’s IP?
Flag format: Email address, case insensitive
The challenge provides a JSON file containing logs.
These logs and scenarios are designed to be real-ish; they're simpler, and given that the entire data set covers 1 hour, all malicious activity is conducted on a condensed time frame.
In these logs I notice several things:
- Many POST requests to the login page from a single origin IP
- The user-agent set to curl rather than a browser
- Repeated requests from that IP about one second apart
{
"_time": "2021-01-01T09:14:01.000+0000",
"origin": "58.164.62.91",
"site": "shop.downunderctf.com",
"method": "POST",
"referer": "null",
"useragent": "curl/7.64.1",
"url": "shop.downunderctf.com/login",
"logSource": "Http:Web"
}
{
"_time": "2021-01-01T09:14:02.000+0000",
"origin": "58.164.62.91",
"site": "shop.downunderctf.com",
"method": "POST",
"referer": "null",
"useragent": "curl/7.64.1",
"url": "shop.downunderctf.com/login",
"logSource": "Http:Web"
}
A little earlier we can also see an attempted XSS from the same IP: the referer carries a <script> payload in the product page's id parameter, and the request that follows it is a GET to the login page:
{
"_time": "2021-01-01T09:12:14.000+0000",
"origin": "58.164.62.91",
"site": "shop.downunderctf.com",
"method": "GET",
"referer": "shop.downunderctf.com/product?id=%3Cscript%3Ealert%28%22Hacked%22%29%3C%2Fscript%3E",
"useragent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.36 Safari/537.36",
"url": "shop.downunderctf.com/login",
"logSource": "Http:Web"
}
I perform a whois lookup on the malicious IP 58.164.62.91 and get the contact email address of its ISP.
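The triage above (spot the burst of POSTs to /login from one origin, pull that origin's earlier activity, then query whois) scripted end to end, as an added example that is not part of the original writeup. The log sample is constructed to match the shape of the excerpts above (it is not the challenge file), the objects are concatenated with no separator exactly as the excerpt shows, and the field names, the 5-requests-per-60-seconds threshold and the reliance on a system `whois` client are assumptions of this example.

```python
import json
import shutil
import subprocess
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, not the challenge data: two benign hits from 203.0.113.7,
# the attacker's XSS probe, then six curl POSTs to /login one second apart.
SAMPLE_LOG = (
    '{"_time": "2021-01-01T09:10:00.000+0000", "origin": "203.0.113.7", '
    '"site": "shop.downunderctf.com", "method": "GET", "referer": "null", '
    '"useragent": "Mozilla/5.0", "url": "shop.downunderctf.com/", "logSource": "Http:Web"} '
    '{"_time": "2021-01-01T09:12:14.000+0000", "origin": "58.164.62.91", '
    '"site": "shop.downunderctf.com", "method": "GET", '
    '"referer": "shop.downunderctf.com/product?id=%3Cscript%3Ealert%28%22Hacked%22%29%3C%2Fscript%3E", '
    '"useragent": "Mozilla/5.0", "url": "shop.downunderctf.com/login", "logSource": "Http:Web"} '
    '{"_time": "2021-01-01T09:13:30.000+0000", "origin": "203.0.113.7", '
    '"site": "shop.downunderctf.com", "method": "POST", "referer": "null", '
    '"useragent": "Mozilla/5.0", "url": "shop.downunderctf.com/login", "logSource": "Http:Web"} '
)
SAMPLE_LOG += "".join(
    '{"_time": "2021-01-01T09:14:%02d.000+0000", "origin": "58.164.62.91", '
    '"site": "shop.downunderctf.com", "method": "POST", "referer": "null", '
    '"useragent": "curl/7.64.1", "url": "shop.downunderctf.com/login", "logSource": "Http:Web"} '
    % sec for sec in range(6)
)


def parse_time(s):
    # "_time" values look like 2021-01-01T09:14:01.000+0000
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%f%z")


def parse_entries(text):
    """Accept a JSON array or a stream of concatenated objects ('} {')."""
    text = text.strip()
    if text.startswith("["):
        return json.loads(text)
    dec, entries, pos = json.JSONDecoder(), [], 0
    while pos < len(text):
        obj, pos = dec.raw_decode(text, pos)  # raw_decode returns (obj, end_index)
        entries.append(obj)
        while pos < len(text) and text[pos].isspace():
            pos += 1
    return entries


def find_login_sprays(entries, login_path="/login", threshold=5, window=timedelta(seconds=60)):
    """Return {origin: most POSTs to login_path inside any `window`} for origins
    at or above `threshold`. A sliding window keeps the check tolerant of gaps;
    widen it to catch low-and-slow sprays spread across the hour."""
    times = defaultdict(list)
    for e in entries:
        if e.get("method") == "POST" and e.get("url", "").endswith(login_path):
            times[e["origin"]].append(parse_time(e["_time"]))
    flagged = {}
    for origin, ts in times.items():
        ts.sort()
        start, best = 0, 0
        for i, t in enumerate(ts):
            while t - ts[start] > window:
                start += 1
            best = max(best, i - start + 1)
        if best >= threshold:
            flagged[origin] = best
    return flagged


def activity_for(entries, origin):
    """Everything the flagged origin did, in time order, for pivoting."""
    return sorted((e for e in entries if e.get("origin") == origin), key=lambda e: e["_time"])


def whois_lookup(ip):
    """Shell out to the system whois client (needs network). Returns the
    contact-looking lines, or None when no client is installed."""
    if shutil.which("whois") is None:
        return None
    out = subprocess.run(["whois", ip], capture_output=True, text=True, timeout=30).stdout
    return [l for l in out.splitlines() if "abuse" in l.lower() or "e-mail" in l.lower()]


if __name__ == "__main__":
    entries = parse_entries(SAMPLE_LOG)
    for origin, n in find_login_sprays(entries).items():
        print(f"{origin}: {n} POST /login within 60s")
        for e in activity_for(entries, origin):
            if e["method"] != "POST":
                print("  earlier:", e["_time"], e["method"], e["url"], "referer=" + e["referer"])
        print("  whois:", whois_lookup(origin) or "(no whois client / offline)")
```

On the real file, point `parse_entries` at the file contents; the XSS probe shows up in the "earlier:" lines because the flagged origin's GETs are listed alongside its POST burst, which is the same pivot the writeup does by eye.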
Flag: abuse@telstra.net