Compromised FTP - KnightCTF 2022
This challenge is a straight forward challenge.
Downloading the attached file will give us a log file of a FTP server.Opening the file We can see that someone was trying to login in but in seems like an bruteforce attack.Challenge was to "Find out the Compromised FTP account username & the attacker IP from the following." Removing the failed attempt Will show us the success message.We can do it in many ways mainly Manually and Automatic.
For automatic we'll use simple command line tool 'awk'.We'll match a string and remove that line from the line and save it on a new file. We can see That every failed attempt has one common word "FAIL LOGIN" we'll match this word to remove the line.So, the command for this will be "awk '!/FAIL LOGIN/' ftp.log > NewLog.log". This command will create a file called NewLog.log That doesn't contain failed attempt. opening the new file and reviewing line we came across this line " Mon Jan 3 15:24:12 2022 [pid 5412] CONNECT: Client "::ffff:192.168.1.7" Mon Jan 3 15:24:13 2022 [pid 5414] CONNECT: Client "::ffff:192.168.1.7" Mon Jan 3 15:24:13 2022 [pid 5416] CONNECT: Client "::ffff:192.168.1.7" Mon Jan 3 15:24:13 2022 [pid 5399] [ftpuser] OK LOGIN: Client "::ffff:192.168.1.7" Mon Jan 3 15:24:13 2022 [pid 5419] CONNECT: Client "::ffff:192.168.1.7" Mon Jan 3 15:24:15 2022 [pid 5421] CONNECT: Client "::ffff:192.168.1.7" Mon Jan 3 15:24:15 2022 [pid 5423] CONNECT: Client "::ffff:192.168.1.7" Mon Jan 3 15:24:19 2022 [pid 5425] CONNECT: Client "::ffff:192.168.1.7" " Hence the flag Will be KCTF{ftpuser_192.168.1.7}