# CyberTalents >> FourOFour (Splunk)

# FourOFour Writeup

## Introduction

Ladies and gentlemen, tech-savvy explorers, and data enthusiasts, welcome to a thrilling expedition into the heart of **Splunk**! But don't be fooled; we won't be spelunking through dark caves or searching for hidden treasures (unless you count valuable insights as treasure). Instead, we're embarking on a journey through the labyrinthine world of data analysis, where **Splunk** serves as our trusty map and compass. So, strap on your headlamp, grab your keyboard like an adventurer's torch, and let's navigate the intricate tunnels of log analysis, searching for the gems of actionable information hidden deep within the digital caverns of information overload!

## Challenge Description

Massive web brute-force attack observed on our IIS server. Your lead has informed you to initiate an investigation to identify the following:

- X: The highest number of non-existent URL requests sent by the attacker → Number
- Y: The source IP → x.x.x.x
- Z: The attacker's source country → xxx

Flag format: flag{X:Y:Z}

- Challenge IP: 54.193.116.106

## Solution

I started by opening the IP address provided above, which led me to a **SPLUNK WEB VIEW**. From here I clicked on the **SEARCH & REPORTING** tab, which allows me to search the logs.

![](https://hackmd.io/_uploads/SkqCmgIR2.png)

## Step 1

The first question in the description asks us to identify the highest number of non-existent URL requests sent by the attacker. To accomplish this we need a search query that returns all responses with a **404 status**; a 404 indicates that the requested resource does not exist on the server. Here is the query I used to get the first flag:

***sc_status="404"***

This returns all the 404 responses, which gives us 2119 events. So ***2119*** is the number of non-existent URL requests sent by the attacker.
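As an added example that is not part of this writeup, the same two counts done offline in Python over a few constructed IIS W3C log lines: the total number of 404 events (what the `sc_status="404"` search returns) and the 404s per client IP with private addresses set aside, which is the breakdown the next steps reach in Splunk. The `#Fields:` header uses IIS's hyphenated names (`sc-status`, `c-ip`); Splunk displays them with underscores. The log excerpt is constructed, and 51.15.23.4 is an invented second client.

```python
import ipaddress
from collections import Counter

# Constructed IIS W3C log excerpt (not the challenge data). 40.80.148.42 and
# 192.168.2.50 are the addresses from the writeup; 51.15.23.4 is invented.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem sc-status c-ip
2023-09-01 10:00:01 10.0.0.5 GET /index.html 200 40.80.148.42
2023-09-01 10:00:02 10.0.0.5 GET /reports/2022.pdf 404 40.80.148.42
2023-09-01 10:00:03 10.0.0.5 GET /old/index.htm 404 40.80.148.42
2023-09-01 10:00:04 10.0.0.5 GET /images/logo2.png 404 192.168.2.50
2023-09-01 10:00:05 10.0.0.5 GET /news/archive 404 40.80.148.42
2023-09-01 10:00:06 10.0.0.5 GET /about.html 200 51.15.23.4
2023-09-01 10:00:07 10.0.0.5 GET /contact2.html 404 51.15.23.4
"""

def parse_w3c(text):
    """Yield one dict per request line, naming columns from the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names follow the directive
        elif line and not line.startswith("#"):
            values = line.split()
            if fields and len(values) == len(fields):
                yield dict(zip(fields, values))

def count_404(text):
    """Equivalent of the Splunk search sc_status="404": total 404 events."""
    return sum(1 for rec in parse_w3c(text) if rec["sc-status"] == "404")

def count_404_by_client(text, skip_private=True):
    """Equivalent of sc_status="404" | stats count by c_ip, optionally
    dropping RFC 1918 and other non-routable client addresses."""
    counts = Counter()
    for rec in parse_w3c(text):
        if rec["sc-status"] != "404":
            continue
        if skip_private and ipaddress.ip_address(rec["c-ip"]).is_private:
            continue
        counts[rec["c-ip"]] += 1
    return counts

def top_offender(text):
    """Return (client_ip, count) with the most 404s, or None if there are none."""
    counts = count_404_by_client(text)
    return counts.most_common(1)[0] if counts else None

if __name__ == "__main__":
    print(count_404(SAMPLE_LOG), top_offender(SAMPLE_LOG))
```

The total 404 count and the top per-client count differ whenever other clients also hit missing pages, which is exactly why the single-IP query in Step 2 is needed.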
However, we should keep filtering the data to learn more.

![](https://hackmd.io/_uploads/BJg0Hg8Cn.png)

### Step 2

The second question requires us to find the source IP. When we expand one of the logs we see a field named **c_ip** with a private IP address next to it. Since we are not interested in the private IP, we have to look for the public IP associated with these requests. When we click on the drop-down under c_ip we find two IP addresses, one private and one public.

***Private IP: 192.168.2.50***

***Public IP: 40.80.148.42***

![](https://hackmd.io/_uploads/SJdAUlLRn.png)

Next to the public IP there is a count of ***2009***, which is the number of times this IP address tried to access a non-existent resource.

![](https://hackmd.io/_uploads/H1-zOgLA2.png)

From this section we are fortunate to find two answers:

***The highest number of attempts: 2009***

***Source IP address: 40.80.148.42***

To confirm that this is correct, we adjust the query to factor in the IP address. We are going to use the query below:

***sc_status="404" c_ip="40.80.148.42"***

![](https://hackmd.io/_uploads/rJXLYl8C2.png)

This confirms that the highest number of attempts is 2009, so we now have flags X and Y.

***flag X: 2009***

***flag Y: 40.80.148.42***

### Step 3

Now that we have the source IP and the number of attempts, we will attempt to find the attacker's source country. To achieve this I used **iplocation.net**, but there are plenty of websites you can use to find the location of an IP address. When we input the IP address into the search bar we learn that the source is in the USA. This forms the last part of our flag.

***flag Z: USA***

![](https://hackmd.io/_uploads/Byp65x8Ah.png)

### Step 4

After finding all the individual flags, we now need to piece them together to get the final flag.
We need to use the following flag format: flag{X:Y:Z}

***flag X: 2009***

***flag Y: 40.80.148.42***

***flag Z: USA***

***flag{2009:40.80.148.42:USA}***

<<<<<<<<<<<<<END>>>>>>>>>>>>>>

FYI: Cheers to ChatGPT for writing that dope opening intro section.

TILL NEXT TIME, STAY CURIOUS

---

**Author:** Gr3yW0lff

**Date:** September 2023