## 2 - Investigation

> Thanks for finding the RFI vulnerability in our FAQ. We have fixed it now,
> but we don't understand how the attacker found it so quickly.  
> We suspect it might be an inside job, but maybe they got the source another
> way. Here are the logs for the month prior to the attack, can you see
> anything suspicious?  
> Please submit the attacker's IP as the flag as follows, DO{x.x.x.x}

What characters would a suspicious request contain? Someone probing for a [path
traversal attack](https://en.wikipedia.org/wiki/Directory_traversal_attack)
would send `..` sequences in the requested path, so we grep the log for them:

```shell
$ grep "\\.\\." more.log | (head -3; tail -1)
2021-08-03 08:55:00 45.85.1.176 GET ../..//passwords.bckp - 443 - 200.13.84.124 Mozilla/5.0+(Windows+NT+5.1;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/60.0.3112.90+Safari/537.36 - 404 0 0 27
2021-08-03 08:55:00 45.85.1.176 GET ..//configuration.3 - 443 - 200.13.84.124 Mozilla/5.0+(Windows+NT+5.1;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/60.0.3112.90+Safari/537.36 - 404 0 0 22
2021-08-03 08:55:00 45.85.1.176 GET ../../..//db_config.1 - 443 - 200.13.84.124 Mozilla/5.0+(Windows+NT+5.1;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/60.0.3112.90+Safari/537.36 - 404 0 0 25
2021-08-03 08:55:08 45.85.1.176 GET ../..//admin.txt - 443 - 200.13.84.124 Mozilla/5.0+(Windows+NT+5.1;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/60.0.3112.90+Safari/537.36 - 404 0 0 30
```
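The grep above answers the challenge, but a small parser makes the same triage repeatable on a whole month of logs: it reads the W3C-style columns (so the client IP is taken from the `c-ip` column rather than by eye), URL-decodes the path and query before looking for `..` segments, and counts attempts per client. This is an added example, not code from the original writeup; the log lines below are constructed from the ones shown above plus two made-up benign entries and one percent-encoded probe, and the `#Fields:` header order is assumed to match the column layout of the excerpt.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Assumed column order (IIS W3C extended layout matching the excerpt above):
# date time s-ip method uri-stem uri-query port username c-ip user-agent referer status ...
DEFAULT_FIELDS = [
    "date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query", "s-port",
    "cs-username", "c-ip", "cs(User-Agent)", "cs(Referer)", "sc-status",
    "sc-substatus", "sc-win32-status", "time-taken",
]

# Constructed sample: the four lines from the writeup (user agent shortened),
# two benign requests from documentation-range IPs, and one encoded traversal in a query.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-08-03 08:54:10 45.85.1.176 GET /faq.php page=1 443 - 198.51.100.7 Mozilla/5.0 - 200 0 0 12
2021-08-03 08:55:00 45.85.1.176 GET ../..//passwords.bckp - 443 - 200.13.84.124 Mozilla/5.0 - 404 0 0 27
2021-08-03 08:55:00 45.85.1.176 GET ..//configuration.3 - 443 - 200.13.84.124 Mozilla/5.0 - 404 0 0 22
2021-08-03 08:55:00 45.85.1.176 GET ../../..//db_config.1 - 443 - 200.13.84.124 Mozilla/5.0 - 404 0 0 25
2021-08-03 08:55:08 45.85.1.176 GET ../..//admin.txt - 443 - 200.13.84.124 Mozilla/5.0 - 404 0 0 30
2021-08-03 08:56:01 45.85.1.176 GET /index.php - 443 - 203.0.113.9 Mozilla/5.0 - 200 0 0 9
2021-08-03 08:57:20 45.85.1.176 GET /faq.php file=..%2F..%2Fetc%2Fpasswd 443 - 203.0.113.9 Mozilla/5.0 - 404 0 0 14
"""

# A ".." path segment: preceded by start of string, a slash, or a query delimiter,
# and followed by a slash or end of string, so "a..b" does not match.
TRAVERSAL_RE = re.compile(r"(?<![^\\/=&?])\.\.(?=[\\/]|$)")


def parse_w3c(text):
    """Yield one dict per request line, keyed by the #Fields header (or DEFAULT_FIELDS)."""
    fields = DEFAULT_FIELDS
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        if len(tokens) != len(fields):
            continue  # truncated or malformed line: skip rather than misalign columns
        yield dict(zip(fields, tokens))


def is_traversal(uri_stem, uri_query):
    """True if the path or query holds a '..' segment, including percent-encoded forms."""
    for part in (uri_stem, uri_query):
        if part == "-":
            continue
        decoded = unquote(unquote(part))  # second pass catches %252e double encoding
        if TRAVERSAL_RE.search(decoded):
            return True
    return False


def traversal_hits(text):
    """Return (timestamp, client IP, decoded target) for each traversal-looking request."""
    hits = []
    for row in parse_w3c(text):
        if is_traversal(row["cs-uri-stem"], row["cs-uri-query"]):
            target = row["cs-uri-stem"]
            if row["cs-uri-query"] != "-":
                target += "?" + row["cs-uri-query"]
            hits.append((f'{row["date"]} {row["time"]}', row["c-ip"], unquote(target)))
    return hits


def suspicious_clients(text):
    """Count traversal attempts per client IP (the c-ip column, not the server's s-ip)."""
    return Counter(ip for _, ip, _ in traversal_hits(text))


def top_suspect(text):
    """Client IP with the most traversal attempts, or None if there were none."""
    counts = suspicious_clients(text)
    return counts.most_common(1)[0][0] if counts else None


if __name__ == "__main__":
    for when, ip, target in traversal_hits(SAMPLE_LOG):
        print(when, ip, target)
    print(suspicious_clients(SAMPLE_LOG))
```

Run against the sample, `top_suspect` returns `200.13.84.124` with four hits, while the encoded `..%2F..` probe in the query string, which a plain `grep "\.\."` on the raw line would miss, is still attributed to its client. Reading the IP from a named column also avoids the easy mistake of submitting the server's address, which appears first on each line.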

The first address on each line is the server's (`s-ip`); the client address (`c-ip`) is the one that follows the port and username columns. So we compose the flag with the client IP:

`DO{200.13.84.124}`

Original writeup (https://scavengersecurity.com/posts/digitaloverdose-loganalysis/#2---investigation).