Glastopf
Warning: this challenge contains some malware samples.
Two questions: What was the most common src IP? What are the three most commonly requested URLs besides / (GET or POST)? (no slashes, all lowercase, alphabetical: 1.ext, a.ext, b.ext)
What was the most common src ip?
Three daily log files; a quick look at the format shows startup messages followed by one line per request:

tmp $ ls
glastopf.log.2018-11-12  glastopf.log.2018-11-13  glastopf.log.2018-11-14

$ head glastopf.log.2018-11-12
2018-11-12 16:17:21,801 (glastopf.glastopf) Initializing Glastopf 3.1.3-dev using "/opt/glastopf" as work directory.
2018-11-12 16:17:22,185 (glastopf.glastopf) Connecting to main database with: sqlite:///db/glastopf.db
2018-11-12 16:17:22,320 (glastopf.modules.handlers.emulators.dork_list.dork_page_generator) Bootstrapping dork database.
2018-11-12 16:17:27,924 (glastopf.glastopf) Generating initial dork pages - this can take a while.
2018-11-12 16:17:28,040 (glastopf.glastopf) Glastopf started and privileges dropped.
2018-11-12 16:17:54,118 (glastopf.glastopf) 172.29.0.1 requested GET /server-status?auto on cf99cb71e92b:80
2018-11-12 16:17:54,142 (glastopf.glastopf) 172.29.0.1 requested GET /server-status?auto on cf99cb71e92b:80
2018-11-12 16:17:54,235 (glastopf.glastopf) 172.29.0.1 requested GET /stub_status on cf99cb71e92b:80
2018-11-12 16:17:54,246 (glastopf.glastopf) 172.29.0.1 requested GET /stub_status on cf99cb71e92b:80
2018-11-12 16:17:54,256 (glastopf.glastopf) 172.29.0.1 requested GET /status?full&json on cf99cb71e92b:80

Request lines all contain "requested", and the source IP is the fourth whitespace-separated field (date, time, logger, IP), so:

$ cat glastopf.log* | grep 'requested' | awk '{print $4}' | sort | uniq -c | sort -nr
    274 85.121.16.8
    268 201.150.45.50
    268 139.199.179.124
    266 183.240.202.14
     30 94.102.57.141
     18 172.29.0.1
      5 71.6.165.200
      3 35.168.20.163
      3 34.204.100.197
      2 93.170.114.251
(snip)

(172.29.0.1 is the Docker bridge address, i.e. the host's own probes, not an external attacker; it is not in contention here, but worth excluding on a quieter honeypot.)
FLAG1 : 85.121.16.8
What are the three most commonly requested url besides / get or post? (no slashes, all lowercase, alphabetical (1.ext, a.ext, b.ext))
Same idea, but this time the seventh field is the requested URL:

$ cat glastopf.log* | egrep 'GET|POST' | awk '{print $7}' | sort | uniq -c | sort -nr
     56 /
     16 /qq.php
     16 /confg.php
     16 /1.php
     12 /x.php
     12 /test.php
     12 /cmd.php
(snip)

Two caveats on this one-liner: egrep 'GET|POST' matches those strings anywhere in the line, not just in the method field (grep 'requested' plus a check on $6 is stricter), and URLs are counted with their query string attached, so /server-status?auto and /server-status would be tallied separately. Neither affects the top three here, which are tied at 16 and sit well above the next entries.

FLAG2 : 1.php, confg.php, qq.php
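The two shell pipelines above rely on fixed field positions and loose grep patterns. As an added example (not part of the original writeup), here is a small Python parser that answers both questions from the same request-line regex, skips non-request lines, strips query strings before counting, and formats the URL answer the way the challenge asks for. The log lines embedded in SAMPLE_LOG are constructed for the example (the real challenge logs are far larger); only the line format is taken from the writeup.

```python
import re
import sys
import glob
from collections import Counter
from urllib.parse import urlsplit

# Glastopf request lines (format as seen in the challenge logs):
#   2018-11-12 16:17:54,118 (glastopf.glastopf) 172.29.0.1 requested GET /server-status?auto on cf99cb71e92b:80
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"\((?P<logger>[^)]+)\) "
    r"(?P<src>\S+) requested (?P<method>[A-Z]+) (?P<url>\S+) on (?P<dst>\S+)$"
)

# Constructed sample data for this example: a few startup lines, one
# non-request line that happens to contain "GET" (which a bare
# egrep 'GET|POST' would pick up), and eleven request lines.
SAMPLE_LOG = """\
2018-11-12 16:17:21,801 (glastopf.glastopf) Initializing Glastopf 3.1.3-dev using "/opt/glastopf" as work directory.
2018-11-12 16:17:28,040 (glastopf.glastopf) Glastopf started and privileges dropped.
2018-11-12 16:17:54,118 (glastopf.glastopf) 172.29.0.1 requested GET /server-status?auto on cf99cb71e92b:80
2018-11-12 16:17:54,235 (glastopf.glastopf) 172.29.0.1 requested GET /stub_status on cf99cb71e92b:80
2018-11-12 17:01:02,001 (glastopf.glastopf) 85.121.16.8 requested GET / on cf99cb71e92b:80
2018-11-12 17:01:02,150 (glastopf.glastopf) 85.121.16.8 requested POST /qq.php on cf99cb71e92b:80
2018-11-12 17:01:02,300 (glastopf.glastopf) 85.121.16.8 requested POST /Confg.php on cf99cb71e92b:80
2018-11-12 17:01:02,450 (glastopf.glastopf) 85.121.16.8 requested POST /1.php on cf99cb71e92b:80
2018-11-12 17:01:02,600 (glastopf.glastopf) 85.121.16.8 requested GET /test.php on cf99cb71e92b:80
2018-11-13 09:12:44,010 (glastopf.glastopf) 201.150.45.50 requested GET / on cf99cb71e92b:80
2018-11-13 09:12:44,120 (glastopf.glastopf) 201.150.45.50 requested POST /qq.php?x=1 on cf99cb71e92b:80
2018-11-13 09:12:44,240 (glastopf.glastopf) 201.150.45.50 requested POST /confg.php on cf99cb71e92b:80
2018-11-13 09:12:44,360 (glastopf.glastopf) 201.150.45.50 requested GET /1.php on cf99cb71e92b:80
2018-11-14 03:00:00,000 (glastopf.glastopf) constructed noise line mentioning GET that is not a request
"""


def parse_requests(text):
    """Yield (src, method, url) for every request line; ignore everything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("src"), m.group("method"), m.group("url")


def top_src_ips(text, n=5):
    """Question 1: most frequent source IPs, as (ip, count) pairs."""
    return Counter(src for src, _, _ in parse_requests(text)).most_common(n)


def normalise_url(url):
    """Drop query string and fragment, lowercase, strip the leading slash (answer format)."""
    return urlsplit(url).path.lower().lstrip("/")


def top_urls(text, n=3):
    """Question 2: most requested paths for GET/POST, excluding the bare '/'."""
    paths = (
        normalise_url(url)
        for _, method, url in parse_requests(text)
        if method in ("GET", "POST")
    )
    counts = Counter(p for p in paths if p)  # '' is what '/' normalises to
    # Note: most_common() breaks ties by first occurrence; check the counts
    # around the cut-off before trusting the top-n on real data.
    return counts.most_common(n)


def flag2(text):
    """Format the top three paths as the challenge asks: alphabetical, comma-separated."""
    return ", ".join(sorted(p for p, _ in top_urls(text, 3)))


if __name__ == "__main__":
    # Usage: python glastopf_stats.py glastopf.log*   (falls back to the sample data)
    files = sys.argv[1:] or sorted(glob.glob("glastopf.log*"))
    text = "".join(open(f, encoding="utf-8", errors="replace").read() for f in files) if files else SAMPLE_LOG
    print("top source IPs:", top_src_ips(text, 10))
    print("top URLs      :", top_urls(text, 10))
    print("FLAG2         :", flag2(text))
```

Run against the real glastopf.log* files this reproduces the two pipelines while ignoring the startup chatter, and it collapses /qq.php and /qq.php?x=1 into one bucket, which the awk version does not.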