# 1_logs

We're given a pcap file and a bunch of logs, and asked to find the IP address of an attacker, the open ports they found, and the names of the web server files they found on the server.

First of all, we need to find the IP address of the server. Because we know that it is running a web server, we can assume that there's going to be a lot of HTTP traffic associated with it. We can apply an HTTP filter and see where all of the traffic is going and originating from.

```
http
```


We can clearly see that a lot of HTTP (forward) traffic is going to `10.0.80.17`. We can therefore make the conclusion that a web server is running on this host, and that this therefore must be the victim host.

We also see a suspiciously high amount of GET requests from `10.187.195.95` in extremely rapid succession for commonly named web resources. Due to the nature of these packets, we can assume that `10.187.195.95` is scanning the website for resources, and must therefore be our attacker.

Now that we know our victim and attacker IP addresses, we can apply a filter for them to filter out irrelevant traffic. We can do this using the `ip.src` and `ip.dest` filters.

Next, we need to find out which ports the attacker found open. First of all, let's confirm that a port scan was conducted by the attacker in the first place. The source will be the attacker's IP address, and the destination will be the victim's IP address, since the attacker is performing a scan on the victim. Additionally, the type of traffic will be TCP traffic since it is a port scan.

```
( ip.src == 10.187.195.95 ) and ( ip.dst == 10.0.80.17 ) and tcp
```

After a bit of scrolling, we run into a large amount of TCP packets sent from our attacker to our destination, all with different destination ports. We can conclude that a port scan was indeed conducted.


Now, we need to find out which ports were open. If the port was open, then that means that the victim IP will have returned a SYN/ACK. Thus, because the victim is returning the message now, the source is the victim and the destination is the attacker. The flag for a SYN/ACK packet is `0x12`, so we'll also be adding this to our filter.

```
( ip.src == 10.0.80.17 ) and ( ip.dst == 10.187.195.95 ) and tcp and ( tcp.flags == 0x12 )
```


We find TCP ports 22 and 80 return a SYN/ACK. They therefore must be the ports open.

Finally, we need to find the names of the web files that they found on the server. While we could do this in Wireshark, I find it much easier to look at the Apache2 logs.


The file that we're interested in is `access.log`.

```
$ less access.log
```


Okay, that's a lot of data. Let's filter out only relevant data with `grep`. Each line contains an originating IP address. We're going to filter to only include our attacker IP address. Also, we're only looking for HTTP 200s (OKs), which means that the resource was indeed successfully found. We can specify the two of these with the following `grep`, and then pipe it into `less` to scroll through.

```
$ grep "10.187.195.95.* 200 " acces.log | less
```


Bingo.

```
about.html
adminlogin.html
adminlogin.php
contact.html
gallery.html
index.html
services.html
typo.html
`

Original writeup (https://github.com/shawnduong/ctf-writeups/blob/master/2019-TAMU/DriveByInc/1_logs.md).