Q1: A misconfiguration exposed an internal Helios Research web application to the public internet, allowing an external threat actor to discover and target it. What is the source IP address that initiated the automated reconnaissance scan against this server?

When analyzing web server access logs for reconnaissance activity, one of the most common indicators of an attack is a directory brute-forcing or enumeration scan. This type of attack is characterized by a massive spike in HTTP requests directed at various endpoints on a web server in a very short period of time. Because the attacker is guessing directory and file names, the vast majority of these requests will result in HTTP 404 (Not Found) errors. To identify the attacker's initial IP address, we begin our investigation by analyzing the NGINX access logs from the external-facing web server (WEB-01). By ingesting these logs into a SIEM platform like Splunk, we can easily aggregate the data and spot anomalies, such as an unusually high volume of traffic from a single source. Looking at the Splunk results, we observe a massive concentration of requests originating from a single IP address. The statistics reveal that the IP 35.159.91.39 generated thousands of events, vastly outnumbering the traffic from any other source. Further analysis of this traffic confirms it was generated by the gobuster directory brute-forcing tool, solidifying that this was the origin of the initial reconnaissance phase.


Q2: The attacker successfully identified two valid endpoints during the automated scan. What is the URI of the endpoint that was later e

Unlock Your Full Learning Experience with BlueYard Labs

Sign up to track your progress, unlock exclusive labs, and showcase
your achievements—begin your journey now!
Join for Free