Filter Out Poisoned Sources of Weather Data

Use the data supplied in the Zeek JSON logs to identify the IP addresses of attackers poisoning Santa's flight mapping software. Block the 100 offending sources of information to guide Santa's sleigh through the attack. Submit the Route ID (“RID”) success value that you're given. For hints on achieving this objective, please visit the Sleigh Shop and talk with Wunorse Openslae.

The first thing to do was to log into https://srf.elfu.org. There was some useful information in elfuresearchlabssupersledomaticquickstartguidev1.2.pdf:

The default login credentials should be changed on startup and can be found in the readme in the ElfU Research Labs git repository.

I tried to access things like .git/HEAD, then realised that I should try README.md instead, as I happened to be on GitHub reading a README.md for another reason.

This was successful, but I would later find from the Zeek logs that someone else had already found the README.md:

```json
  {
    "ts": "2019-10-05T07:01:54-0800",
    "uid": "Ci077n4ko3JP1V1b0h",
    "id.orig_h": "42.103.246.130",
    "id.orig_p": 50966,
    "id.resp_h": "10.20.3.80",
    "id.resp_p": 80,
    "trans_depth": 1,
    "method": "GET",
    "host": "srf.elfu.org",
    "uri": "/README.md",
    "referrer": "-",
    "version": "1.1",
    "user_agent": "Mozilla/4.0 (compatible;MSIe 7.0;Windows NT 5.1)",
    "origin": "-",
    "request_body_len": 0,
    "response_body_len": 654,
    "status_code": 200,
    "status_msg": "OK",
    "info_code": "-",
    "info_msg": "-",
    "tags": "(empty)",
    "username": "-",
    "password": "-",
    "proxied": "-",
    "orig_fuids": "-",
    "orig_filenames": "-",
    "orig_mime_types": "-",
    "resp_fuids": "FuQSDRXblFgDmKl2h",
    "resp_filenames": "-",
    "resp_mime_types": "text/html"
  },
```

The README.md contained:

# Sled-O-Matic - Sleigh Route Finder Web API

### Installation

```
sudo apt install python3-pip
sudo python3 -m pip install -r requirements.txt
```

#### Running:

`python3 ./srfweb.py`

#### Logging in:

You can login using the default admin pass:

`admin 924158F9522B3744F5FCD4D10FAC4356`

However, it's recommended to change this in the sqlite db to something custom.

This allowed me to log into the server so that I would later be able to apply the firewall rules.

There was some hard graft involved in getting the offending source IP addresses.

I ran various queries and used other searches to remove entries so that I could manually review the log file.

At the end of the process I came up with the following commands: first to get the original offending IPs, then to pivot on the user_agent, which was generally a 'broken' user agent string, to find other IPs.

```bash
# 1. Sources that put an injection payload in the Host header.
#    sort -u runs last, after the trailing comma has been normalised by sed,
#    so the final array element (which jq prints without a comma) is not
#    counted as a second copy of an earlier address.
cat http.log | \
jq '[.[] | select(.host|match("UNION")), select(.host|match("passwd")), select(.host|match("<script>")) | .["id.orig_h"]]' | \
grep -v '\[' | \
grep -v '\]' | \
sed 's/^  "//' | \
sed 's/".*/\/32,/' | \
sort -u

# 2. Bad requests (400), shellshock-style "bash" payloads in the user agent or
#    URI, and requests that carry a username.
cat http.log | \
jq '[.[] | select(.status_code == 400), select(.user_agent|match("bash")), select(.uri|match("bash")), select(.username != "-") | .["id.orig_h"]]' | \
grep -v '\[' | \
grep -v '\]' | \
sed 's/^  "//' | \
sed 's/".*/\/32,/' | \
sort -u

# 3. Now do other searches pivoting on the user_agent string to find other bad IPs.
#    Each user_agent that appeared with a "bash" payload is fed back into jq to
#    list every source that used it.  $new_ua keeps the JSON double quotes, so
#    it is already a valid jq string literal inside the "==" comparison.
( cat http.log | \
  jq '[.[] | select(.user_agent|match("bash")), select(.uri|match("bash")) | .user_agent]' | \
  grep -v '\[' | \
  grep -v '\]' | \
  while IFS= read -r UA
  do
    new_ua=$( echo "$UA" | sed 's/,$//' | sed 's/^  //' )
    cat http.log | \
    jq -r "[.[] | select(.user_agent == $new_ua) | .[\"id.orig_h\"]]" | \
    grep -v '\[' | \
    grep -v '\]'
  done
) | \
sed 's/^  "//' | \
sed 's/".*/\/32,/' | \
sort -u

# 4. Same pivot, seeded with the user agents of /api/ requests carrying payloads.
( cat http.log | \
  jq '[.[] | select(.uri|match("/api/")) | select(.uri|match("UNION")), select(.uri|match("passwd")), select(.uri|match("id=<script>")) | .user_agent]' | \
  grep -v '\[' | \
  grep -v '\]' | \
  while IFS= read -r UA
  do
    new_ua=$( echo "$UA" | sed 's/,$//' | sed 's/^  //' )
    cat http.log | \
    jq -r "[.[] | select(.user_agent == $new_ua) | .[\"id.orig_h\"]]" | \
    grep -v '\[' | \
    grep -v '\]'
  done
) | \
sed 's/^  "//' | \
sed 's/".*/\/32,/' | \
sort -u

# 5. Same pivot, seeded with the user agents of /logout requests carrying payloads.
( cat http.log | \
  jq '[.[] | select(.uri|match("/logout")) | select(.uri|match("UNION")), select(.uri|match("passwd")), select(.uri|match("id=<script>")) | .user_agent]' | \
  grep -v '\[' | \
  grep -v '\]' | \
  while IFS= read -r UA
  do
    new_ua=$( echo "$UA" | sed 's/,$//' | sed 's/^  //' )
    cat http.log | \
    jq -r "[.[] | select(.user_agent == $new_ua) | .[\"id.orig_h\"]]" | \
    grep -v '\[' | \
    grep -v '\]'
  done
) | \
sed 's/^  "//' | \
sed 's/".*/\/32,/' | \
sort -u
```

The grep commands remove the square brackets of jq's array output, and the sed commands strip the JSON quoting and turn each address into a comma-delimited /32 entry that the firewall page accepts.
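The same procedure in one place, as an added Python example that is not part of the original write-up: it reads an http.log in the JSON-array layout the jq pipelines consume (and, going beyond the page, the one-object-per-line layout Zeek's JSON writer normally produces), applies the write-up's indicator checks (UNION, passwd, `<script>` and bash in host, uri, user_agent or username, status 400, and a non-empty username), pivots on the user agents of flagged sources, and emits the comma-delimited /32 list. The sample records, the 203.0.113.0/24 addresses and the `max_benign_sources` guard are constructed assumptions; only the srf.elfu.org host and the MSIe 7.0 user agent are taken from the page.

```python
import json
import re
from collections import defaultdict

# Constructed sample records (not real log data).  203.0.113.12 reuses the
# broken MSIe user agent of the SQL-injection source, so the pivot should
# catch it; 203.0.113.10 and .16 share a common browser UA with the
# path-traversal source and must NOT be blocked by the pivot.
SAMPLE_RECORDS = [
    {"id.orig_h": "203.0.113.10", "host": "srf.elfu.org", "uri": "/api/weather?station=1",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "username": "-", "status_code": 200},
    {"id.orig_h": "203.0.113.11", "host": "srf.elfu.org", "uri": "/api/weather?station=1' UNION SELECT 1,2,3--",
     "user_agent": "Mozilla/4.0 (compatible;MSIe 7.0;Windows NT 5.1)", "username": "-", "status_code": 200},
    {"id.orig_h": "203.0.113.12", "host": "srf.elfu.org", "uri": "/api/weather?station=2",
     "user_agent": "Mozilla/4.0 (compatible;MSIe 7.0;Windows NT 5.1)", "username": "-", "status_code": 200},
    {"id.orig_h": "203.0.113.13", "host": "srf.elfu.org", "uri": "/api/weather?id=<script>alert(1)</script>",
     "user_agent": "() { :; }; /bin/bash", "username": "-", "status_code": 200},
    {"id.orig_h": "203.0.113.14", "host": "srf.elfu.org", "uri": "/api/login",
     "user_agent": "curl/7.64.1", "username": "admin", "status_code": 401},
    {"id.orig_h": "203.0.113.15", "host": "srf.elfu.org", "uri": "/../../../etc/passwd",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "username": "-", "status_code": 400},
    {"id.orig_h": "203.0.113.16", "host": "srf.elfu.org", "uri": "/api/weather?station=3",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "username": "-", "status_code": 200},
]
# The array layout used by the write-up (jq's .[]), and Zeek's usual NDJSON layout.
SAMPLE_HTTP_LOG = json.dumps(SAMPLE_RECORDS)
SAMPLE_HTTP_LOG_NDJSON = "\n".join(json.dumps(r) for r in SAMPLE_RECORDS)

# Case-sensitive, like jq's match() without the "i" flag in the write-up.
INDICATOR = re.compile(r"UNION|passwd|<script>|bash")
FIELDS_TO_INSPECT = ("host", "uri", "user_agent", "username")


def load_http_log(text):
    """Accept either a JSON array of records or one JSON object per line."""
    text = text.strip()
    if text.startswith("["):
        return json.loads(text)
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_direct_indicator(rec):
    """One record's verdict under the write-up's first two jq filters."""
    if rec.get("status_code") == 400:
        return True
    if rec.get("username", "-") != "-":
        return True
    return any(INDICATOR.search(str(rec.get(f, "-"))) for f in FIELDS_TO_INSPECT)


def direct_offenders(records):
    return {r["id.orig_h"] for r in records if is_direct_indicator(r)}


def pivot_on_user_agent(records, flagged, max_benign_sources=1):
    """Add every source that reused a user agent seen from a flagged source.

    Guard (an assumption added here, not in the write-up): a user agent also
    used by more than max_benign_sources unflagged hosts is treated as a
    popular browser string and skipped, so the pivot cannot block legitimate
    clients that merely share a common UA with one attacker."""
    by_ua = defaultdict(set)
    for r in records:
        by_ua[r.get("user_agent", "-")].add(r["id.orig_h"])
    suspect_uas = {r.get("user_agent", "-") for r in records if r["id.orig_h"] in flagged}
    expanded = set(flagged)
    for ua in suspect_uas:
        benign = by_ua[ua] - flagged
        if len(benign) <= max_benign_sources:
            expanded |= benign
    return expanded


def to_firewall_list(ips):
    """Comma-delimited /32 entries, deduplicated and sorted numerically."""
    key = lambda ip: tuple(int(octet) for octet in ip.split("."))
    return ",".join(f"{ip}/32" for ip in sorted(set(ips), key=key))


if __name__ == "__main__":
    recs = load_http_log(SAMPLE_HTTP_LOG)
    print(to_firewall_list(pivot_on_user_agent(recs, direct_offenders(recs))))
```

Deduplication happens once on the final set rather than at each stage, which sidesteps the trailing-comma problem of running `sort -u` before the sed clean-up. The `max_benign_sources` threshold is the knob to tune when the pivot starts pulling in ordinary browsers.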

When I sourced this I ended up with 131 IP addresses.

I loaded these into the firewall page and got a successful Route Calculation, so Santa did not fall out of the sky.

The answer is “0807198508261964”.