TAMUctf 19 Writeup Honeypot Glastopf

Glastopf

Warning: this challenge contains some malware samples.

What was the most common src ip? What are the three most commonly requested url besides / get or post? (no slashes, all lowercase, alphabetical (1.ext, a.ext, b.ext))

What was the most common src ip?

$ ls
glastopf.log.2018-11-12  glastopf.log.2018-11-13  glastopf.log.2018-11-14

$ head glastopf.log.2018-11-12
2018-11-12 16:17:21,801 (glastopf.glastopf) Initializing Glastopf 3.1.3-dev using "/opt/glastopf" as work directory.
2018-11-12 16:17:22,185 (glastopf.glastopf) Connecting to main database with: sqlite:///db/glastopf.db
2018-11-12 16:17:22,320 (glastopf.modules.handlers.emulators.dork_list.dork_page_generator) Bootstrapping dork database.
2018-11-12 16:17:27,924 (glastopf.glastopf) Generating initial dork pages - this can take a while.
2018-11-12 16:17:28,040 (glastopf.glastopf) Glastopf started and privileges dropped.
2018-11-12 16:17:54,118 (glastopf.glastopf) 172.29.0.1 requested GET /server-status?auto on cf99cb71e92b:80
2018-11-12 16:17:54,142 (glastopf.glastopf) 172.29.0.1 requested GET /server-status?auto on cf99cb71e92b:80
2018-11-12 16:17:54,235 (glastopf.glastopf) 172.29.0.1 requested GET /stub_status on cf99cb71e92b:80
2018-11-12 16:17:54,246 (glastopf.glastopf) 172.29.0.1 requested GET /stub_status on cf99cb71e92b:80
2018-11-12 16:17:54,256 (glastopf.glastopf) 172.29.0.1 requested GET /status?full&json on cf99cb71e92b:80

$ cat glastopf.log* | grep 'requested' | awk '{print $4}'  | sort | uniq -c | sort -nr
    274 85.121.16.8
    268 201.150.45.50
    268 139.199.179.124
    266 183.240.202.14
     30 94.102.57.141
     18 172.29.0.1
      5 71.6.165.200
      3 35.168.20.163
      3 34.204.100.197
      2 93.170.114.251
(snip)

FLAG1 : 85.121.16.8

What are the three most commonly requested url besides / get or post? (no slashes, all lowercase, alphabetical (1.ext, a.ext, b.ext))

$ cat glastopf.log* | egrep 'GET|POST' | awk '{print $7}'  | sort | uniq -c | sort -nr
     56 /
     16 /qq.php
     16 /confg.php
     16 /1.php
     12 /x.php
     12 /test.php
     12 /cmd.php
(snip)

FLAG2 : 1.php, confg.php, qq.php