ctf-writeup/24h@CTF 2023/Blue's Clues 5 Initial Access
Muhammad Daffa 4e7a80ea43 fix: wrong link and wrong title 2023-07-20 20:29:37 +07:00

Blue's Clues 5/8: Initial Access

The web server?? How did the threat actor get access to the web server? Surely we have logs for that... It hosts a simple PHP website, nothing complex.

Find the malicious file.

Flag format: .

Example: mywebshell.aspx

About the Challenge

We need to find the name of the webshell.

How to Solve?

I'm using this KQL syntax because I want to find the URLs that use the PHP extension and where the HTTP response code returned was 200 OK

url.extension : php and http.response.status_code : 200

And then I searched the log one by one until I found this weird PHP file

flag

ce52790629679d930ca16c39a4f619c3.php
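
The same filter (PHP extension, status 200) can be applied offline to raw access logs, with a ranking step in place of the one-by-one review. This is an added example, not part of the original writeup, and it goes beyond the manual search described above: the log lines, IP addresses and file name are constructed, and the two heuristics (digest-like file name, requests from a single client) are assumptions about what makes a PHP file stand out.

```python
import re
from collections import defaultdict
from pathlib import PurePosixPath
from urllib.parse import urlsplit

# Constructed sample lines in combined log format; not taken from the challenge data.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Apr/2023:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120
10.0.0.6 - - [01/Apr/2023:10:00:04 +0000] "GET /index.php?page=about HTTP/1.1" 200 4890
10.0.0.7 - - [01/Apr/2023:10:00:09 +0000] "GET /contact.php HTTP/1.1" 200 2210
10.0.0.5 - - [01/Apr/2023:10:01:13 +0000] "GET /contact.php HTTP/1.1" 200 2210
203.0.113.9 - - [01/Apr/2023:10:02:30 +0000] "GET /admin.php HTTP/1.1" 404 310
203.0.113.9 - - [01/Apr/2023:10:03:02 +0000] "POST /upload.php HTTP/1.1" 200 120
10.0.0.8 - - [01/Apr/2023:10:03:40 +0000] "POST /upload.php HTTP/1.1" 200 118
203.0.113.9 - - [01/Apr/2023:10:04:05 +0000] "GET /uploads/0123456789abcdef0123456789abcdef.php?q=1 HTTP/1.1" 200 54
203.0.113.9 - - [01/Apr/2023:10:04:09 +0000] "GET /uploads/0123456789abcdef0123456789abcdef.php?q=2 HTTP/1.1" 200 9
"""

LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) ')
HEXNAME = re.compile(r"[0-9a-f]{16,}", re.I)  # assumed heuristic: digest-like file name

def triage(log_text, max_clients=1):
    """Return (path, hits, clients, reasons) for PHP/200 paths that look unusual."""
    hits, clients = defaultdict(int), defaultdict(set)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ip, target, status = m.groups()
        path = urlsplit(target).path  # drop the query string before checking the extension
        # Same condition as the KQL query: url.extension : php and status 200
        if status != "200" or PurePosixPath(path).suffix.lower() != ".php":
            continue
        hits[path] += 1
        clients[path].add(ip)
    findings = []
    for path, count in hits.items():
        reasons = []
        if HEXNAME.fullmatch(PurePosixPath(path).stem):
            reasons.append("digest-like name")
        if len(clients[path]) <= max_clients:
            reasons.append("single client")
        if reasons:
            findings.append((path, count, sorted(clients[path]), reasons))
    return sorted(findings, key=lambda f: (-len(f[3]), f[1]))  # most reasons, fewest hits first

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```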