Statement: Looks like there’s been a bruteforce/password spray attempt against the website!

What’s the contact email for the ISP of the attacker’s IP?

Flag format: Email address, case insensitive


The challenge provides a JSON file containing logs.

These logs and scenarios are designed to be real-ish, they’re simpler and given that the entire data set covers 1hr all malicious activity is conducted on a condensed time frame.

In these logs, I notice several points:

  • Many POST requests on login page
  • The user-agent value set to curl
  • Recurrence of requests
{
    "_time": "2021-01-01T09:14:01.000+0000",
    "origin": "58.164.62.91",
    "site": "shop.downunderctf.com",
    "method": "POST",
    "referer": "null",
    "useragent": "curl/7.64.1",
    "url": "shop.downunderctf.com/login",
    "logSource": "Http:Web"
} {
    "_time": "2021-01-01T09:14:02.000+0000",
    "origin": "58.164.62.91",
    "site": "shop.downunderctf.com",
    "method": "POST",
    "referer": "null",
    "useragent": "curl/7.64.1",
    "url": "shop.downunderctf.com/login",
    "logSource": "Http:Web"
}

We can also see a little earlier the attempted XSS exploit with the same IP:

{
    "_time": "2021-01-01T09:12:14.000+0000",
    "origin": "58.164.62.91",
    "site": "shop.downunderctf.com",
    "method": "GET",
    "referer": "shop.downunderctf.com/product?id=%3Cscript%3Ealert%28%22Hacked%22%29%3C%2Fscript%3E",
    "useragent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.36 Safari/537.36",
    "url": "shop.downunderctf.com/login",
    "logSource": "Http:Web"
}

I perform a whois on the malicious IP 58.164.62.91 and I get the contact email address of the ISP.

Flag: abuse@telstra.net