migrate to git.charlotte.sh

Charlotte Croce 2025-04-19 23:42:08 -04:00
commit fbd588721e
412 changed files with 13750 additions and 0 deletions


@ -0,0 +1,6 @@
etc/passwd
cmd=
/bin/bash
/bin/sh
1=1#
1=1--
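Review bot: The two SQL-injection indicators `1=1#` and `1=1--` require a comment suffix, so the `a=1+OR+1=1-` and `a=1+OR+1=1` requests in the committed access.log fixture (and the generated report, which lists only the `1=1--` hit) are never flagged; a bare `1=1` line would cover all three, at the cost of more false positives on ordinary query strings. Conversely `cmd=` fires on any request carrying a parameter of that name, including the typo'd `/bing/bash` line, so it is a noisy indicator rather than an exploit marker. The consumer feeds this file to `egrep -i -f`, so each line is a case-insensitive, unanchored extended regular expression; keep the entries free of regex metacharacters (`.`, `+`, `?`, `|`, `(`) or switch the consumer to fixed-string matching. A comment line cannot be added here because grep would treat it as a pattern, so this presumably scraped list should be documented next to the scraper instead.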


@ -0,0 +1,20 @@
10.0.17.5 - - [04/Mar/2024:13:28:46 -0500] "GET /index.html HTTP/1.1" 404 295 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36"
10.0.17.5 - - [04/Mar/2024:13:29:21 -0500] "GET /index.html HTTP/1.1" 200 758 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36"
10.0.17.5 - - [04/Mar/2024:14:42:42 -0500] "GET /index.php HTTP/1.1" 404 295 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36"
10.0.17.5 - - [04/Mar/2024:14:43:07 -0500] "GET /index.php HTTP/1.1" 200 758 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36"
10.0.17.5 - - [04/Mar/2024:14:43:21 -0500] "GET /index.php?a=1&b=2 HTTP/1.1" 200 758 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36"
10.0.17.5 - - [04/Mar/2024:14:43:50 -0500] "GET /index.php?cmd=etc/passwd HTTP/1.1" 200 758 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36"
10.0.17.5 - - [04/Mar/2024:14:44:19 -0500] "GET /index.php?cmd=cat+etc/passwd HTTP/1.1" 200 758 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36"
10.0.17.5 - - [04/Mar/2024:14:44:52 -0500] "GET /index.php?cmd=/bing/bash+myscript.bash HTTP/1.1" 200 758 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36"
10.0.17.5 - - [04/Mar/2024:14:45:01 -0500] "GET /index.php?cmd=/bin/bash+myscript.bash HTTP/1.1" 200 758 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36"
10.0.17.5 - - [04/Mar/2024:14:45:19 -0500] "GET /index.php?cmd=/bin/sh+simplebackdoor.bash HTTP/1.1" 200 758 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36"
10.0.17.5 - - [04/Mar/2024:14:45:31 -0500] "GET /index.php?/bin/sh+simplebackdoor.bash HTTP/1.1" 200 758 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36"
10.0.17.5 - - [04/Mar/2024:14:46:03 -0500] "GET /index.php?a=1+OR+1=1-- HTTP/1.1" 200 758 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36"
10.0.17.5 - - [04/Mar/2024:14:46:12 -0500] "GET /index.php?a=1+OR+1=1- HTTP/1.1" 200 758 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36"
10.0.17.5 - - [04/Mar/2024:14:46:27 -0500] "GET /index.php?a=1+OR+1=1 HTTP/1.1" 200 758 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36"
10.0.17.5 - - [04/Mar/2024:14:46:47 -0500] "GET /index.php?word=Hello+World HTTP/1.1" 200 758 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36"
10.0.17.6 - - [04/Mar/2024:14:48:39 -0500] "GET / HTTP/1.1" 200 758 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:123.0) Gecko/20100101 Firefox/123.0"
10.0.17.6 - - [04/Mar/2024:14:48:40 -0500] "GET /favicon.ico HTTP/1.1" 404 295 "http://10.0.17.5/" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:123.0) Gecko/20100101 Firefox/123.0"
10.0.17.6 - - [04/Mar/2024:14:48:50 -0500] "GET /index.html HTTP/1.1" 200 758 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:123.0) Gecko/20100101 Firefox/123.0"
10.0.17.6 - - [04/Mar/2024:14:49:44 -0500] "GET /index.html?command=/bin/bash/+reverseshell.bash HTTP/1.1" 200 758 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:123.0) Gecko/20100101 Firefox/123.0"
10.0.17.6 - - [04/Mar/2024:14:50:24 -0500] "GET /index.html?command=/bin/bash/+midtermcheatdetector.bash HTTP/1.1" 200 758 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:123.0) Gecko/20100101 Firefox/123.0"


@ -0,0 +1,21 @@
#! /bin/bash
# This is the link we will scrape
link="10.0.17.6/IOC.html"
# get it with curl and tell curl not to give errors
fullPage=$(curl -sL "$link")
# Utilizing xmlstarlet tool to extract table from the page
toolOutput=$(echo "$fullPage" | \
xmlstarlet format --html --recover 2>/dev/null | \
xmlstarlet select -n --template --copy-of \
"//html//body//table//tr//td[1]")
# Processing HTML with sed
echo "$toolOutput" | sed -e 's/<td[^>]*>//g' | sed -e 's/<\/td>/;/g' | \
tr ';' '\n' | sed '/^$/d' > IOC.txt
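Review bot: A failed fetch is invisible here: `curl -sL` without `-f` returns the HTTP error body (or nothing) with status 0, xmlstarlet is silenced with `2>/dev/null`, and the last line then truncates `IOC.txt` to an empty file, which makes the downstream `grep -f` match nothing and quietly produces an empty report. Replace the fetch with `fullPage=$(curl -fsSL "$link") || { echo "IOC fetch from $link failed" >&2; exit 1; }` and write the result to a temp file that is only moved over `IOC.txt` when it is non-empty. `link` has no scheme, so curl defaults to plain `http://` and `-L` follows redirects to any host; the page is then used verbatim as a grep pattern file, so whoever can serve or tamper with `10.0.17.6/IOC.html` controls what the detector matches — pin the scheme (`http://` is what the lab supports, note that in a comment) and prefer fixed-string matching in the consumer. The `sed` pass strips `<td>` tags but does not decode HTML entities, so an indicator containing `&`, `<` or `>` arrives as `&amp;`/`&lt;`/`&gt;` and never matches a log line; `xmlstarlet select -t -v` on the cell text instead of `--copy-of` would yield the decoded text directly.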


@ -0,0 +1,4 @@
#!/bin/bash
cat access.log | cut -d' ' -f1,4,7 | tr -d '[' | \
egrep -i -f IOC.txt > report.txt
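Review bot: `egrep -i -f IOC.txt` treats every scraped indicator as an unanchored extended regex, so any `.`, `+`, `?`, `|` or parenthesis in the IOC page changes the meaning of the pattern or aborts grep; the indicators in this commit are literal substrings, so `grep -F -i -f IOC.txt` is the safer and faster form (`egrep` is also deprecated). Matching runs on the still percent-encoded request path from field 7, so `cmd%3D`, `%2Fbin%2Fsh` or `cat+%2Fetc%2Fpasswd` sail past the list — decode the path before matching, e.g. a `printf '%b'` pass over `%XX` sequences or `python3 -c 'import sys,urllib.parse as u; [print(u.unquote(l), end="") for l in sys.stdin]'` inserted before grep. An empty `IOC.txt`, which the scraper produces on a failed fetch, makes `grep -f` match nothing and exit 1 without a message; `[ -s IOC.txt ] || { echo 'IOC.txt is empty' >&2; exit 1; }` at the top makes that failure loud. `cat access.log | cut …` can be `cut -d' ' -f1,4,7 access.log`, and `cut` on spaces silently misaligns if the log format ever changes, which is worth a comment.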


@ -0,0 +1,16 @@
#!/bin/bash
# turn report.txt into an html report
echo -e "<html>\n<head>\n\t<style>\n\t\ttd {border: 1px solid black;}\n\t</style>\n</head>\n<body>\n<h3>Access logs with IOC indicators:</h3>\n<table>" > report.html
cat report.txt | while read -r line; do
echo -e "\t<tr>\n" >> report.html
for element in $line; do
echo -e "\t\t<td>$element</td>" >> report.html
done
echo -e "\t</tr>" >> report.html
done
echo -e "</table>\n</body>\n</html>" >> report.html
cp report.html /var/www/html/report.html
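Review bot: Field 3 of every report line is the attacker's own request path, and the `<td>$element</td>` line writes it into `report.html` unescaped and then publishes it under `/var/www/html`, so a request such as `/index.php?cmd=<script>…</script>` (which matches the `cmd=` IOC and so is guaranteed to land in the report) becomes stored XSS in the page the analyst opens. `for element in $line` is also unquoted, so a path containing `*` or `?` (e.g. `/index.php?cmd=*`) is glob-expanded against the script's working directory and file names are written into the report in its place. Escape `&`, `<`, `>` and `"` per field, read the line into an array with `read -r -a`, and disable globbing with `set -f`; `printf` also avoids `echo -e` re-interpreting backslashes from the log. Publishing the report into the same web root the attacker is probing also shows them exactly which of their requests were detected — consider a path outside the document root or an access-controlled location.
```shell
# … unchanged: <html>/<head>/<table> header written to report.html …
set -f  # log-derived fields must never be glob-expanded
while read -r -a fields; do
  printf '\t<tr>\n' >> report.html
  for element in "${fields[@]}"; do
    # HTML-escape: field 3 is the raw request path from the attacker's request line
    esc=${element//&/&amp;}
    esc=${esc//</&lt;}
    esc=${esc//>/&gt;}
    esc=${esc//\"/&quot;}
    printf '\t\t<td>%s</td>\n' "$esc" >> report.html
  done
  printf '\t</tr>\n' >> report.html
done < report.txt
# … unchanged: </table> footer and cp to /var/www/html/report.html …
```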


@ -0,0 +1,66 @@
<html>
<head>
<style>
td {border: 1px solid black;}
</style>
</head>
<body>
<h3>Access logs with IOC indicators:</h3>
<table>
<tr>
<td>10.0.17.5</td>
<td>04/Mar/2024:14:43:50</td>
<td>/index.php?cmd=etc/passwd</td>
</tr>
<tr>
<td>10.0.17.5</td>
<td>04/Mar/2024:14:44:19</td>
<td>/index.php?cmd=cat+etc/passwd</td>
</tr>
<tr>
<td>10.0.17.5</td>
<td>04/Mar/2024:14:44:52</td>
<td>/index.php?cmd=/bing/bash+myscript.bash</td>
</tr>
<tr>
<td>10.0.17.5</td>
<td>04/Mar/2024:14:45:01</td>
<td>/index.php?cmd=/bin/bash+myscript.bash</td>
</tr>
<tr>
<td>10.0.17.5</td>
<td>04/Mar/2024:14:45:19</td>
<td>/index.php?cmd=/bin/sh+simplebackdoor.bash</td>
</tr>
<tr>
<td>10.0.17.5</td>
<td>04/Mar/2024:14:45:31</td>
<td>/index.php?/bin/sh+simplebackdoor.bash</td>
</tr>
<tr>
<td>10.0.17.5</td>
<td>04/Mar/2024:14:46:03</td>
<td>/index.php?a=1+OR+1=1--</td>
</tr>
<tr>
<td>10.0.17.6</td>
<td>04/Mar/2024:14:49:44</td>
<td>/index.html?command=/bin/bash/+reverseshell.bash</td>
</tr>
<tr>
<td>10.0.17.6</td>
<td>04/Mar/2024:14:50:24</td>
<td>/index.html?command=/bin/bash/+midtermcheatdetector.bash</td>
</tr>
</table>
</body>
</html>


@ -0,0 +1,9 @@
10.0.17.5 04/Mar/2024:14:43:50 /index.php?cmd=etc/passwd
10.0.17.5 04/Mar/2024:14:44:19 /index.php?cmd=cat+etc/passwd
10.0.17.5 04/Mar/2024:14:44:52 /index.php?cmd=/bing/bash+myscript.bash
10.0.17.5 04/Mar/2024:14:45:01 /index.php?cmd=/bin/bash+myscript.bash
10.0.17.5 04/Mar/2024:14:45:19 /index.php?cmd=/bin/sh+simplebackdoor.bash
10.0.17.5 04/Mar/2024:14:45:31 /index.php?/bin/sh+simplebackdoor.bash
10.0.17.5 04/Mar/2024:14:46:03 /index.php?a=1+OR+1=1--
10.0.17.6 04/Mar/2024:14:49:44 /index.html?command=/bin/bash/+reverseshell.bash
10.0.17.6 04/Mar/2024:14:50:24 /index.html?command=/bin/bash/+midtermcheatdetector.bash