Lab Icon

Log Hunter

Challenge 06 Dec 2025 Free Access Solution Available

Start the machine, hack the system, and find the hidden flags to complete this challenge and earn points!

1
Flags
5
Points
79%
Success Rate
Start Your Challenge

Launch your dedicated machine to begin hacking

~1-2 min setup
Dedicated server
Private instance
Industry standard
This solution is for Flags Mode

This walkthrough explains how to hack the lab and capture the flags. For help with Learning Mode questions, use the Request Hint button next to each question.

Challenge

Log Hunter - Complete Solution Walkthrough

Understanding Web Server Log Analysis

Web server log analysis is a critical skill in cybersecurity that involves examining HTTP access logs to:

  • Detect Security Incidents: Identify attack patterns and suspicious activity
  • Investigate Breaches: Understand what attackers accessed and when
  • Monitor Traffic: Analyze user behavior and system performance
  • Compliance: Meet regulatory requirements for logging and monitoring

Step 1: Initial Log Analysis

Start by examining the access.log file structure and identifying different types of requests:

# Count total log entries
wc -l access.log

# View first few entries
head -10 access.log

# Look for unique HTTP status codes
awk '{print $9}' access.log | sort | uniq -c

# Find unique user agents
awk -F'"' '{print $6}' access.log | sort | uniq

Step 2: Identifying Suspicious Patterns

Look for common indicators of malicious activity:

  1. Attack Attempts: SQL injection, XSS, and path traversal attempts
  2. Scanner Traffic: Requests for common vulnerable files (.env, wp-admin, etc.)
  3. Successful Access: 200 status codes from suspicious sources
  4. Suspicious User Agents: Automated tools and scanners
# Find potential SQL injection attempts
grep -i "union\|select\|drop\|insert" access.log

# Look for XSS attempts
grep -i "script\|alert\|javascript" access.log

# Find scanner/tool requests
grep -E "(wp-admin|phpmyadmin|\.env|backup)" access.log

# Look for successful requests (200 status) from suspicious sources
grep " 200 " access.log | grep -i "scanner\|tool\|bot"

Step 3: Finding Successful Attacker Access

The key is to find files that attackers successfully accessed (200 status code). Let's examine suspicious entries more closely:

# Look for successful requests from suspicious user agents
grep " 200 " access.log | grep -E "(Scanner|Tool|Bot)"

# Find requests with suspicious referers
grep "attacker" access.log

# Look for successful access to sensitive files
grep " 200 " access.log | grep -E "(backup|config|admin|debug)"

After extensive analysis, you'll find that out of 129 total requests from the attacker (172.16.0.88), only ONE was successful. The key entry revealing successful attacker access:

172.16.0.88 - - [22/Jul/2025:08:32:44 +0000] "GET /backup.txt HTTP/1.1" 200 42 "https://attacker.com/tools" "SecScanner/1.0"

This single successful request is hidden among 128 failed attempts (404/403 status codes), making this a realistic example of how attackers conduct reconnaissance scans.

Step 4: Accessing the Discovered File

From the log analysis, we discover that the attacker successfully accessed /backup.txt. The request shows:

  • Status Code: 200 (successful access)
  • File Size: 42 bytes
  • User Agent: SecScanner/1.0 (security scanner)
  • Referer: https://attacker.com/tools (suspicious source)

Since the attacker was able to access this file, we should investigate what it contains:

# Access the file that the attacker found
curl https://target-site.com/backup.txt
# OR download it from the challenge page
wget backup.txt

Step 5: Extracting the Flag

When examining the contents of backup.txt, we find:

FLAG: 1e3e1e7c-6b64-4727-b4bb-6e9945edd9b7

The flag is: 1e3e1e7c-6b64-4727-b4bb-6e9945edd9b7

Step 6: Analysis of the Security Incident

The security incident reveals several critical findings:

  • Attacker IP: 172.16.0.88 (internal network - possible insider threat or compromised host)
  • Attack Vector: Automated scanning using SecScanner/1.0
  • Discovery Method: Systematic enumeration of common backup file locations
  • Exposed File: backup.txt containing sensitive flag information
  • Impact: Successful data exfiltration (42 bytes downloaded)
  • Attribution: Referer header points to attacker infrastructure

Step 7: Understanding the Attack Timeline

By analyzing the complete log timeline, we can see the attacker's reconnaissance pattern:

  1. 08:21:05 - Attempted /admin/login.php (404)
  2. 08:30:51 - Attempted /.env file (404)
  3. 08:32:44 - Successfully accessed /backup.txt (200) ← FLAG OBTAINED
  4. 08:35:39 - Attempted /phpmyadmin/ (404)
  5. 08:37:23 - Attempted /config.php.bak (404)
  6. 08:39:45 - Attempted /backup/ directory (403)
  7. 09:00:44 - Attempted /backup.sql (404)

This shows a systematic approach where the attacker found success with a simple backup.txt file.

Step 8: Security Lessons Learned

This incident demonstrates several security issues:

  • Exposed Backup Files: Sensitive backup files left in web-accessible directories
  • Insufficient Access Controls: No authentication required for backup.txt
  • Poor Security Hygiene: Backup files not properly secured or removed
  • Internal Threat: Attack originated from internal network
  • Inadequate Monitoring: Successful data exfiltration occurred undetected

Real-World Remediation Steps

Based on this analysis, recommended actions include:

  1. Immediate: Remove or secure all backup files from web directories
  2. Access Control: Implement proper authentication for sensitive files
  3. Network Security: Investigate the compromised internal host (172.16.0.88)
  4. Monitoring: Enhance alerting for sensitive file access
  5. Policy: Establish secure backup procedures and file retention policies
  6. Training: Educate staff on secure file handling practices