Tags: iis grep logs awk access 

## 2 - Investigation

> Thanks for finding the RFI vulnerability in our FAQ. We have fixed it now, but we don't understand how the attacker found it so quickly.
> We suspect it might be an inside job, but maybe they got the source another way. Here are the logs for the month prior to the attack; can you see anything suspicious?
> Please submit the attacker's IP as the flag as follows: DO{x.x.x.x}

What characters would a suspicious request contain? A likely candidate is `..`, the signature of a [path traversal attack](https://en.wikipedia.org/wiki/Directory_traversal_attack), so we grep the IIS log for it and look at the first and last hits:

```shell
$ grep "\.\." more.log | (head -3; tail -1)
2021-08-03 08:55:00 45.85.1.176 GET ../..//passwords.bckp - 443 - 200.13.84.124 Mozilla/5.0+(Windows+NT+5.1;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/60.0.3112.90+Safari/537.36 - 404 0 0 27
2021-08-03 08:55:00 45.85.1.176 GET ..//configuration.3 - 443 - 200.13.84.124 Mozilla/5.0+(Windows+NT+5.1;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/60.0.3112.90+Safari/537.36 - 404 0 0 22
2021-08-03 08:55:00 45.85.1.176 GET ../../..//db_config.1 - 443 - 200.13.84.124 Mozilla/5.0+(Windows+NT+5.1;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/60.0.3112.90+Safari/537.36 - 404 0 0 25
2021-08-03 08:55:08 45.85.1.176 GET ../..//admin.txt - 443 - 200.13.84.124 Mozilla/5.0+(Windows+NT+5.1;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/60.0.3112.90+Safari/537.36 - 404 0 0 30
```
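A grep for a literal `..` is enough for this log, but a real hunt also has to cope with percent-encoded (`%2e%2e%2f`) and double-encoded variants and should summarise hits per client IP. The following added example (not part of the original writeup) parses IIS W3C lines in the same 15-field layout as above, decodes the URI repeatedly before matching, and counts traversal requests by `c-ip`; the log lines it contains are constructed samples, not the challenge's `more.log`.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample log in IIS W3C format (same field order as the challenge log);
# the two private-range-free IPs other than 200.13.84.124 are documentation addresses.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-08-01 10:00:00 45.85.1.176 GET /faq.php page=1 443 - 198.51.100.7 Mozilla/5.0 - 200 0 0 12
2021-08-03 08:55:00 45.85.1.176 GET ../..//passwords.bckp - 443 - 200.13.84.124 Mozilla/5.0 - 404 0 0 27
2021-08-03 08:55:01 45.85.1.176 GET /faq.php page=%2e%2e%2f%2e%2e%2fweb.config 443 - 200.13.84.124 Mozilla/5.0 - 404 0 0 22
2021-08-03 08:55:02 45.85.1.176 GET /faq.php page=..%252f..%252fweb.config 443 - 200.13.84.124 Mozilla/5.0 - 404 0 0 20
2021-08-03 09:00:00 45.85.1.176 GET /images/logo..png - 443 - 203.0.113.9 Mozilla/5.0 - 200 0 0 5
"""

FIELDS = ["date", "time", "s_ip", "method", "uri_stem", "uri_query", "port",
          "username", "c_ip", "user_agent", "referer", "status", "substatus",
          "win32_status", "time_taken"]

# ".." as a whole path segment followed by a separator; "logo..png" must not match.
TRAVERSAL = re.compile(r"(?:^|[^\w.])\.\.(?:[/\\]|$)")


def parse_iis_line(line):
    """Split one W3C line into a dict; IIS replaces spaces in fields with '+'."""
    parts = line.split(" ")
    return dict(zip(FIELDS, parts)) if len(parts) == len(FIELDS) else None


def fully_decode(s, max_rounds=3):
    """Undo percent-encoding until stable, so %252e (double-encoded) is caught too."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def is_traversal(rec):
    """True if the decoded stem or query string contains a '..' path segment."""
    target = rec["uri_stem"]
    if rec["uri_query"] != "-":
        target += "?" + rec["uri_query"]
    return bool(TRAVERSAL.search(fully_decode(target)))


def traversal_by_client(log_text):
    """Count traversal-looking requests per client IP (c-ip), skipping '#' headers."""
    counts = Counter()
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        rec = parse_iis_line(line)
        if rec and is_traversal(rec):
            counts[rec["c_ip"]] += 1
    return counts
```

Run against a real IIS log, `traversal_by_client(open("more.log").read()).most_common(5)` gives the noisiest clients first; the `s-ip` column (45.85.1.176 above) is the server and is deliberately not counted.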

Every hit comes from the same source. In the IIS W3C layout the third field (`45.85.1.176`) is the server's own address (`s-ip`); the client address (`c-ip`) is the one after the empty username field, so we compose the flag with that client IP:

`DO{200.13.84.124}`

Original writeup (https://scavengersecurity.com/posts/digitaloverdose-loganalysis/#2---investigation).