Avatar

Labs / Log Hunter

  • Daily Challenge
  • Released 22 Jul 2025

Log Hunter

Start the machine, hack the system, and find the hidden flags to complete this challenge and earn points!

1
Flags
1
Points
Daily Challenge
Solution Available
Free Access
Start Lab Environment

Launch your dedicated AWS machine to begin hacking

~1-2 min setup
AWS dedicated
Private instance
Industry standard
Daily Challenge

Log Hunter - Complete Solution Walkthrough

Understanding Web Server Log Analysis

Web server log analysis is a critical skill in cybersecurity that involves examining HTTP access logs to:

  • Detect Security Incidents: Identify attack patterns and suspicious activity
  • Investigate Breaches: Understand what attackers accessed and when
  • Monitor Traffic: Analyze user behavior and system performance
  • Compliance: Meet regulatory requirements for logging and monitoring

Step 1: Initial Log Analysis

Start by examining the access.log file structure and identifying different types of requests:

# Count total log entries
wc -l access.log

# View first few entries
head -10 access.log

# Look for unique HTTP status codes
awk '{print $9}' access.log | sort | uniq -c

# Find unique user agents
awk -F'"' '{print $6}' access.log | sort | uniq

Step 2: Identifying Suspicious Patterns

Look for common indicators of malicious activity:

  1. Attack Attempts: SQL injection, XSS, and path traversal attempts
  2. Scanner Traffic: Requests for common vulnerable files (.env, wp-admin, etc.)
  3. Successful Access: 200 status codes from suspicious sources
  4. Suspicious User Agents: Automated tools and scanners
# Find potential SQL injection attempts
grep -i "union\|select\|drop\|insert" access.log

# Look for XSS attempts
grep -i "script\|alert\|javascript" access.log

# Find scanner/tool requests
grep -E "(wp-admin|phpmyadmin|\.env|backup)" access.log

# Look for successful requests (200 status) from suspicious sources
grep " 200 " access.log | grep -i "scanner\|tool\|bot"

Step 3: Finding Successful Attacker Access

The key is to find files that attackers successfully accessed (200 status code). Let's examine suspicious entries more closely:

# Look for successful requests from suspicious user agents
grep " 200 " access.log | grep -E "(Scanner|Tool|Bot)"

# Find requests with suspicious referers
grep "attacker" access.log

# Look for successful access to sensitive files
grep " 200 " access.log | grep -E "(backup|config|admin|debug)"

After extensive analysis, you'll find that out of 129 total requests from the attacker (172.16.0.88), only ONE was successful. The key entry revealing successful attacker access:

172.16.0.88 - - [22/Jul/2025:08:32:44 +0000] "GET /backup.txt HTTP/1.1" 200 42 "https://attacker.com/tools" "SecScanner/1.0"

This single successful request is hidden among 128 failed attempts (404/403 status codes), making this a realistic example of how attackers conduct reconnaissance scans.

Step 4: Accessing the Discovered File

From the log analysis, we discover that the attacker successfully accessed /backup.txt. The request shows:

  • Status Code: 200 (successful access)
  • File Size: 42 bytes
  • User Agent: SecScanner/1.0 (security scanner)
  • Referer: https://attacker.com/tools (suspicious source)

Since the attacker was able to access this file, we should investigate what it contains:

# Access the file that the attacker found
curl https://target-site.com/backup.txt
# OR download it from the challenge page
wget backup.txt

Step 5: Extracting the Flag

When examining the contents of backup.txt, we find:

FLAG: 1e3e1e7c-6b64-4727-b4bb-6e9945edd9b7

The flag is: 1e3e1e7c-6b64-4727-b4bb-6e9945edd9b7

Step 6: Analysis of the Security Incident

The security incident reveals several critical findings:

  • Attacker IP: 172.16.0.88 (internal network - possible insider threat or compromised host)
  • Attack Vector: Automated scanning using SecScanner/1.0
  • Discovery Method: Systematic enumeration of common backup file locations
  • Exposed File: backup.txt containing sensitive flag information
  • Impact: Successful data exfiltration (42 bytes downloaded)
  • Attribution: Referer header points to attacker infrastructure

Step 7: Understanding the Attack Timeline

By analyzing the complete log timeline, we can see the attacker's reconnaissance pattern:

  1. 08:21:05 - Attempted /admin/login.php (404)
  2. 08:30:51 - Attempted /.env file (404)
  3. 08:32:44 - Successfully accessed /backup.txt (200) ← FLAG OBTAINED
  4. 08:35:39 - Attempted /phpmyadmin/ (404)
  5. 08:37:23 - Attempted /config.php.bak (404)
  6. 08:39:45 - Attempted /backup/ directory (403)
  7. 09:00:44 - Attempted /backup.sql (404)

This shows a systematic approach where the attacker found success with a simple backup.txt file.

Step 8: Security Lessons Learned

This incident demonstrates several security issues:

  • Exposed Backup Files: Sensitive backup files left in web-accessible directories
  • Insufficient Access Controls: No authentication required for backup.txt
  • Poor Security Hygiene: Backup files not properly secured or removed
  • Internal Threat: Attack originated from internal network
  • Inadequate Monitoring: Successful data exfiltration occurred undetected

Real-World Remediation Steps

Based on this analysis, recommended actions include:

  1. Immediate: Remove or secure all backup files from web directories
  2. Access Control: Implement proper authentication for sensitive files
  3. Network Security: Investigate the compromised internal host (172.16.0.88)
  4. Monitoring: Enhance alerting for sensitive file access
  5. Policy: Establish secure backup procedures and file retention policies
  6. Training: Educate staff on secure file handling practices