Use the data supplied in the Zeek JSON logs to identify the IP addresses of attackers poisoning Santa's flight mapping software. Block the 100 offending sources of information to guide Santa's sleigh through the attack. Submit the Route ID (RID) success value that you're given. For hints on achieving this objective, please visit the Sleigh Shop and talk with Wunorse Openslae.
The first thing to do was log in to https://srf.elfu.org. There was some useful information in the following quote:

> The default login credentials should be changed on startup and can be found in the readme in the ElfU Research Labs git repository.
I tried to access things like `.git/HEAD`, and then realised that maybe I should try `README.md`, as I happened to be on GitHub for another reason reading a README.md.
This was successful, but later I would find, from the Zeek logs, that someone else had also found the README.md:
```json
{
  "ts": "2019-10-05T07:01:54-0800",
  "uid": "Ci077n4ko3JP1V1b0h",
  "id.orig_h": "42.103.246.130",
  "id.orig_p": 50966,
  "id.resp_h": "10.20.3.80",
  "id.resp_p": 80,
  "trans_depth": 1,
  "method": "GET",
  "host": "srf.elfu.org",
  "uri": "/README.md",
  "referrer": "-",
  "version": "1.1",
  "user_agent": "Mozilla/4.0 (compatible;MSIe 7.0;Windows NT 5.1)",
  "origin": "-",
  "request_body_len": 0,
  "response_body_len": 654,
  "status_code": 200,
  "status_msg": "OK",
  "info_code": "-",
  "info_msg": "-",
  "tags": "(empty)",
  "username": "-",
  "password": "-",
  "proxied": "-",
  "orig_fuids": "-",
  "orig_filenames": "-",
  "orig_mime_types": "-",
  "resp_fuids": "FuQSDRXblFgDmKl2h",
  "resp_filenames": "-",
  "resp_mime_types": "text/html"
}
```
# Sled-O-Matic - Sleigh Route Finder Web API
### Installation
```
sudo apt install python3-pip
sudo python3 -m pip install -r requirements.txt
```
#### Running:
`python3 ./srfweb.py`
#### Logging in:
You can login using the default admin pass:
`admin 924158F9522B3744F5FCD4D10FAC4356`
However, it's recommended to change this in the sqlite db to something custom.
There was some hard graft involved in getting the offending source IP addresses.
I ran various queries and used other searches to remove entries so that I could manually review the log file.
At the end of the process, I came up with the following commands to get the original offending IPs, and then to pivot on the user_agent, which was generally a 'broken' user agent string, to find other IPs.
```sh
# Pass 1: source IPs whose Host header carries an injection payload
cat http.log | \
jq '[.[] | select(.host|match("UNION")), select(.host|match("passwd")), select(.host|match("<script>")) | .["id.orig_h"]]' | \
sort -u | \
grep -v '\[' | \
grep -v '\]' | \
sed 's/^ *"//' | \
sed 's/".*/\/32,/'

# Pass 2: HTTP 400 responses, "bash" in the user agent or URI, and requests that carried a username
cat http.log | \
jq '[.[] | select(.status_code == 400), select(.user_agent|match("bash")), select(.uri|match("bash")), select(.username != "-") | .["id.orig_h"]]' | \
sort -u | \
grep -v '\[' | \
grep -v '\]' | \
sed 's/^ *"//' | \
sed 's/".*/\/32,/'

# Now do other searches pivoting on the user_agent string to find other bad ip's.
# Each loop lists the user agents seen in one class of attack request, then
# pulls every source IP that used the same user agent.  The user agent is
# handed to jq with --argjson (it is already a JSON string literal), so
# quotes or shell metacharacters inside it cannot break the filter.
( cat http.log | \
jq '[.[] | select(.user_agent|match("bash")), select(.uri|match("bash")) | .user_agent]' | \
grep -v '\[' | \
grep -v '\]' | \
while IFS= read -r UA ; \
do \
new_ua=$( \
echo "$UA" | \
sed 's/,$//' | \
sed 's/^ *//' \
); \
cat http.log | \
jq -r --argjson ua "$new_ua" '[.[] | select(.user_agent == $ua) | .["id.orig_h"]]' | \
sort -u | \
grep -v '\[' | \
grep -v '\]'; \
done \
) | \
sort | \
sed 's/^ *"//' | \
sed 's/".*/\/32,/'

# Same pivot, seeded from injection payloads against /api/ URIs
( cat http.log | \
jq '[.[] | select(.uri|match("/api/")) | select(.uri|match("UNION")), select(.uri|match("passwd")), select(.uri|match("id=<script>")) | .user_agent]' | \
grep -v '\[' | \
grep -v '\]' | \
while IFS= read -r UA ; \
do \
new_ua=$( \
echo "$UA" | \
sed 's/,$//' | \
sed 's/^ *//' \
); \
cat http.log | \
jq -r --argjson ua "$new_ua" '[.[] | select(.user_agent == $ua) | .["id.orig_h"]]' | \
sort -u | \
grep -v '\[' | \
grep -v '\]'; \
done \
) | \
sort | \
sed 's/^ *"//' | \
sed 's/".*/\/32,/'

# Same pivot, seeded from injection payloads against /logout
( cat http.log | \
jq '[.[] | select(.uri|match("/logout")) | select(.uri|match("UNION")), select(.uri|match("passwd")), select(.uri|match("id=<script>")) | .user_agent]' | \
grep -v '\[' | \
grep -v '\]' | \
while IFS= read -r UA ; \
do \
new_ua=$( \
echo "$UA" | \
sed 's/,$//' | \
sed 's/^ *//' \
); \
cat http.log | \
jq -r --argjson ua "$new_ua" '[.[] | select(.user_agent == $ua) | .["id.orig_h"]]' | \
sort -u | \
grep -v '\[' | \
grep -v '\]'; \
done \
) | \
sort | \
sed 's/^ *"//' | \
sed 's/".*/\/32,/'
```
The grep commands remove the lines that hold jq's square brackets, and the sed commands strip jq's indentation and JSON quoting and turn each address into a comma-delimited /32 entry ready to paste into the firewall page.
When I ran this I ended up with 131 IP addresses.
I loaded these into the firewall page and got a successful Route Calculation, so Santa did not fall out of the sky.
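The same two-stage hunt, written in Python as an added example (mine, not part of the original write-up or the challenge materials): stage one flags http.log records whose host, URI or user agent carries one of the payload strings searched for above, that returned HTTP 400, or that presented a username; stage two pivots on the user agents of the flagged requests to catch further source IPs sharing the same client string. The sample records are constructed, with the exception of the broken `MSIe` user agent taken from the log entry shown earlier. The `min_flagged_ratio` threshold is my own addition: it only pivots on a user agent when at least that fraction of the requests carrying it came from already-flagged IPs, so a common legitimate client string does not drag in every host that uses it. Setting it to `0.0` reproduces the write-up's behaviour of pivoting on every user agent seen in an attack request.

```python
import json
import re
from collections import defaultdict

# Broken user agent seen in the write-up's log sample (note "MSIe").
BROKEN_UA = "Mozilla/4.0 (compatible;MSIe 7.0;Windows NT 5.1)"

# Constructed Zeek http.log records, serialised as one JSON array the way the
# challenge data was.  Only the fields the hunt needs are populated; all IPs
# are documentation/RFC 1918 ranges and every request is made up.
SAMPLE_HTTP_LOG = json.dumps([
    {"id.orig_h": "10.0.0.5", "host": "srf.elfu.org", "uri": "/",
     "user_agent": "Mozilla/5.0 (X11; Linux x86_64)", "status_code": 200, "username": "-"},
    {"id.orig_h": "198.51.100.7", "host": "srf.elfu.org", "uri": "/api/login?id=1 UNION SELECT 1,2,3",
     "user_agent": BROKEN_UA, "status_code": 200, "username": "-"},
    {"id.orig_h": "198.51.100.9", "host": "srf.elfu.org", "uri": "/api/weather",
     "user_agent": BROKEN_UA, "status_code": 200, "username": "-"},
    {"id.orig_h": "203.0.113.20", "host": "srf.elfu.org", "uri": "/api/weather?station=../../etc/passwd",
     "user_agent": "curl/7.64.0", "status_code": 200, "username": "-"},
    {"id.orig_h": "203.0.113.21", "host": "srf.elfu.org", "uri": "/logout?id=<script>alert(1)</script>",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0)", "status_code": 200, "username": "-"},
    {"id.orig_h": "203.0.113.22", "host": "srf.elfu.org", "uri": "/api/weather",
     "user_agent": "() { :; }; /bin/bash -c 'echo'", "status_code": 200, "username": "-"},
    {"id.orig_h": "203.0.113.23", "host": "srf.elfu.org", "uri": "/api/weather",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0)", "status_code": 400, "username": "-"},
    {"id.orig_h": "203.0.113.24", "host": "srf.elfu.org", "uri": "/api/weather",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0)", "status_code": 200, "username": "admin"},
    {"id.orig_h": "10.0.0.6", "host": "srf.elfu.org", "uri": "/api/weather",
     "user_agent": "curl/7.64.0", "status_code": 200, "username": "-"},
    {"id.orig_h": "10.0.0.7", "host": "srf.elfu.org", "uri": "/api/weather",
     "user_agent": "curl/7.64.0", "status_code": 200, "username": "-"},
    {"id.orig_h": "10.0.0.8", "host": "srf.elfu.org", "uri": "/api/weather",
     "user_agent": "curl/7.64.0", "status_code": 200, "username": "-"},
])

# The payload strings the jq pipeline matched, checked against host, uri and user_agent.
PAYLOAD_PATTERNS = [re.compile(p, re.IGNORECASE) for p in ("UNION", "passwd", "<script>", "bash")]


def load_records(http_log_json):
    """Parse the http.log JSON array into a list of record dicts."""
    return json.loads(http_log_json)


def is_flagged(rec):
    """Return the reason a single record looks hostile, or None if it looks clean."""
    for field in ("host", "uri", "user_agent"):
        value = str(rec.get(field, "-"))
        for pat in PAYLOAD_PATTERNS:
            if pat.search(value):
                return f"{field} matches {pat.pattern}"
    if rec.get("status_code") == 400:
        return "status_code 400"
    if rec.get("username", "-") != "-":
        return "username presented"
    return None


def first_pass(records):
    """Stage 1: map each offending source IP to the reasons it was flagged."""
    hits = defaultdict(list)
    for rec in records:
        reason = is_flagged(rec)
        if reason:
            hits[rec["id.orig_h"]].append(reason)
    return dict(hits)


def pivot_on_user_agent(records, flagged_ips, min_flagged_ratio=0.5):
    """Stage 2: return (extra_ips, pivot_user_agents).

    A user agent becomes a pivot only if at least min_flagged_ratio of the
    requests carrying it came from flagged IPs (this example's heuristic, not
    the write-up's).  Every IP that used a pivot user agent and was not already
    flagged is returned as an extra offender.
    """
    ua_total, ua_flagged, ua_ips = defaultdict(int), defaultdict(int), defaultdict(set)
    for rec in records:
        ua = rec.get("user_agent", "-")
        ua_total[ua] += 1
        ua_ips[ua].add(rec["id.orig_h"])
        if rec["id.orig_h"] in flagged_ips:
            ua_flagged[ua] += 1
    pivots = {ua for ua in ua_flagged if ua_flagged[ua] / ua_total[ua] >= min_flagged_ratio}
    extra = set()
    for ua in pivots:
        extra |= ua_ips[ua]
    return extra - set(flagged_ips), pivots


def build_blocklist(http_log_json, min_flagged_ratio=0.5):
    """Run both stages and return the sorted /32 entries for the firewall page."""
    records = load_records(http_log_json)
    stage1 = first_pass(records)
    extra, _ = pivot_on_user_agent(records, set(stage1), min_flagged_ratio)
    return sorted(f"{ip}/32" for ip in set(stage1) | extra)


if __name__ == "__main__":
    print(",".join(build_blocklist(SAMPLE_HTTP_LOG)))
```

With the default threshold, the shared `curl/7.64.0` string (one attacker, three clean hosts) is not used as a pivot, while the broken `MSIe` string (one attacker, one otherwise quiet host) is, so `198.51.100.9` is added to the block list without sweeping in the clean curl users.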
Answer
The answer is 0807198508261964.