BOTSv1 2.1: Staging Server IP (10 pts)
In Level 1, you found the staging server domain name (used to host the defacement file). Find that server's IP address.
Hints:
- Search for HTTP GET events containing the target FQDN.
BOTSv1 2.2: Leetspeak Domain (10 pts)
Use a search engine (outside Splunk) to find other domains on the staging server. Search for that IP address. Find a domain with a name in Leetspeak (like "1337sp33k.com").
BOTSv1 2.3: Brute Force Attack (15 pts)
Find the IP address performing a brute force attack against "imreallynotbatman.com".
Hints:
- Find the 15,570 HTTP events using the POST method.
- Exclude the events from the vulnerability scanner.
- Examine the form_data of the remaining 441 events.
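The triage in these hints (keep POST events, drop the scanner, then read form_data) can be expressed as a small detection routine. This is an added example, not part of the original challenge. The events are constructed and use documentation IP ranges, and the field names src_ip and http_method and the form keys username and passwd are assumptions; only form_data comes from the page.

```python
from collections import defaultdict
from urllib.parse import parse_qs


def _ev(ip, method, form=""):
    # Constructed event shape; src_ip and http_method are assumed field names.
    return {"src_ip": ip, "http_method": method, "form_data": form}


# Constructed sample events (not BOTSv1 data).
EVENTS = (
    # A scanner that also submits login forms, so excluding it matters.
    [_ev("192.0.2.10", "POST", f"username=admin&passwd=scan{i}") for i in range(3)]
    # One source cycling through passwords for the same account.
    + [_ev("198.51.100.23", "POST", f"username=admin&passwd={p}")
       for p in ("batman", "rock", "12345", "letmein")]
    # Ordinary traffic: one login, one GET, one non-login POST.
    + [_ev("203.0.113.5", "POST", "username=alice&passwd=s3cret"),
       _ev("203.0.113.5", "GET"),
       _ev("203.0.113.5", "POST", "search=cape")]
)


def brute_force_sources(events, scanner_ips=frozenset(), min_distinct=3):
    """Return {src_ip: distinct passwords tried} for likely brute-force sources."""
    passwords = defaultdict(set)
    for ev in events:
        # Hint 1: POST only. Hint 2: drop the known scanner.
        if ev.get("http_method") != "POST" or ev.get("src_ip") in scanner_ips:
            continue
        # Hint 3: examine form_data; skip POSTs that are not login attempts.
        form = parse_qs(ev.get("form_data", ""), keep_blank_values=True)
        if "username" not in form or "passwd" not in form:
            continue
        passwords[ev["src_ip"]].add(form["passwd"][0])
    # Many distinct passwords from one source is the brute-force signature.
    return {ip: len(pw) for ip, pw in passwords.items() if len(pw) >= min_distinct}


if __name__ == "__main__":
    print(brute_force_sources(EVENTS, scanner_ips={"192.0.2.10"}))
```

Without the scanner exclusion the scanner's own login attempts also cross the threshold, which is why the second hint comes before reading form_data.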
BOTSv1 2.4: Uploaded Executable File Name (15 pts)
Find the name of the executable file the attacker uploaded to the server.
Hints:
- Find the 15,570 HTTP events using the POST method.
- Exclude the events from the vulnerability scanner.
- Search for common Windows executable filename extensions.