Tutorial Echo Response Offsec CTF

“A detailed walkthrough of an OffSec training room completion, showcasing enumeration, exploitation, and privilege escalation techniques. Strengthen your penetration testing skills with real-world ethical hacking insights.”


Jawstar

11/23/2025

Lab Instructions

Download the ZIP package. The password is "ThisIsAFunTutorial1#".
Read each question and answer it in the format specified.
In this exercise, you'll explore how to solve a Grimoire challenge and what it typically involves. Each Grimoire provides you with one or more files packaged in a ZIP archive. These files can include logs, user directories, network packet captures, executables, and more.
In some exercises, you'll focus on analyzing a single file such as a piece of malware. In others, you may need to examine files from multiple machines to determine which one was compromised and how the attack occurred.
During your investigation, you may come across URLs, domain names, email addresses, or other external resources. However, you should never access any of these external resources or interact with them in any way. To solve a Grimoire, only use the provided files.
To extract the ZIP archive for this tutorial, use the password:
ThisIsAFunTutorial1#
Inside the archive, open the file tutorial.txt. It contains the flag you'll need to submit as the answer for this exercise. You can ignore the other file for now; it becomes relevant in the final exercise of the tutorial.

Answer: "TryHarder"
This final exercise will test your understanding of all the information and guidelines covered in the previous challenges. Once you've completed it, you'll be ready to begin working on your first real Grimoire.
Analyze the file access.log in the Zip archive and determine how the attacker gained access to the web server. In your answer, specify the IP address the attacker connected from, explain how they extracted sensitive data, what sensitive data has been obtained by the attacker, and how it may be used to get interactive access to the web server.
Answer:
Source IP address: 192.168.1.101
Malicious request: GET /public/plugins/welcome/../../../../../../../../home/dave/.ssh/id_rsa HTTP/1.1
Target file: /home/dave/.ssh/id_rsa (the private SSH key of the user dave)
Attack details:
    Timestamp: 01/Oct/2025:08:17:55 +0000
    HTTP method: GET
    Status code: 200 (the server returned the file, so the attack succeeded)
    Response size: 1,678 bytes (consistent with a PEM-encoded 2048-bit RSA private key)
    User agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
    Technique: directory traversal, eight ../ segments (../../../../../../../../) to climb out of the web root and read an arbitrary file the web server process could access
How the data may be used: with dave's private key the attacker can authenticate over SSH as dave, using the stolen file as the SSH identity, and obtain an interactive shell on the web server without knowing a password. This works directly if the key is unencrypted; a passphrase-protected key would first have to be cracked offline.
Other notable log entries (separate from the traversal; they are the noise the attack has to be picked out of):
    Authentication failure: 192.168.1.20, POST /api/auth, 401 Unauthorized at 01/Oct/2025:08:04:32 +0000, followed by a successful authentication from the same address 8 seconds later
    Upload failure: 172.16.0.2, POST /api/upload, 500 Internal Server Error, user agent PostmanRuntime/7.32.0
    Forbidden access: 172.16.0.2, GET /metrics, 403 Forbidden, user agent curl/7.68.0
    Missing resource: 192.168.1.99, GET /favicon.ico, 404 Not Found
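The access.log review above can be done by hand with grep, but the script below, an added example that is not part of the original walkthrough or the lab files, shows the detection logic an analyst would script for this kind of question: parse combined-format lines, percent-decode and normalise each request path so that traversal shows up even when it is URL-encoded or double-encoded (which goes beyond the single plain ../ request in the lab), mark which traversal attempts actually returned a sensitive file, and pair a 401 on /api/auth with a later success from the same IP. The lines in SAMPLE_LOG are constructed to resemble the entries described in the answer; they are not copied from the lab's access.log, and the /etc/passwd and encoded /etc/shadow probes are invented to exercise the decoder. The function names and the SENSITIVE pattern list are this example's own choices.

```python
import re
from collections import namedtuple
from datetime import datetime
from urllib.parse import unquote

# Constructed sample in combined log format, modelled on the entries described in the
# walkthrough answer. NOT the lab's real access.log; the /etc/passwd and encoded
# /etc/shadow probes are invented so the decoder has something to chew on.
SAMPLE_LOG = """\
192.168.1.20 - - [01/Oct/2025:08:04:32 +0000] "POST /api/auth HTTP/1.1" 401 87 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
192.168.1.20 - - [01/Oct/2025:08:04:40 +0000] "POST /api/auth HTTP/1.1" 200 312 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
172.16.0.2 - - [01/Oct/2025:08:10:02 +0000] "POST /api/upload HTTP/1.1" 500 154 "-" "PostmanRuntime/7.32.0"
172.16.0.2 - - [01/Oct/2025:08:11:17 +0000] "GET /metrics HTTP/1.1" 403 98 "-" "curl/7.68.0"
192.168.1.99 - - [01/Oct/2025:08:15:01 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
192.168.1.101 - - [01/Oct/2025:08:17:40 +0000] "GET /public/plugins/welcome/../../../etc/passwd HTTP/1.1" 404 209 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
192.168.1.101 - - [01/Oct/2025:08:17:55 +0000] "GET /public/plugins/welcome/../../../../../../../../home/dave/.ssh/id_rsa HTTP/1.1" 200 1678 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
192.168.1.101 - - [01/Oct/2025:08:18:03 +0000] "GET /public/plugins/welcome/%2e%2e%2f%2e%2e%2f%2e%2e%2fetc/shadow HTTP/1.1" 403 98 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
"""

# Apache/Nginx "combined" format: ip ident user [time] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "(?P<ua>[^"]*)"'
)
# Resolved paths worth escalating (example list, extend for your environment).
SENSITIVE = re.compile(r"/\.ssh/|id_rsa|id_ed25519|/etc/(passwd|shadow)|\.env$|/\.git/", re.I)

Entry = namedtuple("Entry", "ip ts method path status size ua")


def parse(log_text):
    """Turn combined-format lines into Entry tuples; lines that do not fit are skipped, not fatal."""
    entries = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        size = 0 if m["size"] == "-" else int(m["size"])
        entries.append(Entry(m["ip"], ts, m["method"], m["path"], int(m["status"]), size, m["ua"]))
    return entries


def normalize(path):
    """Return (resolved_path, dotdot_count, escaped_root) for a raw request path.

    Decoding is repeated so double-encoded ..%252f variants are caught; the segments
    are then walked like a filesystem and popping past the web root is recorded."""
    decoded = path.split("?", 1)[0].replace("\\", "/")
    for _ in range(3):
        again = unquote(decoded)
        if again == decoded:
            break
        decoded = again
    stack, dotdots, escaped = [], 0, False
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            dotdots += 1
            if stack:
                stack.pop()
            else:
                escaped = True
        else:
            stack.append(seg)
    return "/" + "/".join(stack), dotdots, escaped


def find_traversal(entries):
    """Flag every request with '..' segments and record whether it actually read a sensitive file."""
    hits = []
    for e in entries:
        resolved, depth, escaped = normalize(e.path)
        if depth == 0:
            continue
        hits.append({
            "ip": e.ip, "time": e.ts.isoformat(), "status": e.status, "bytes": e.size,
            "raw": e.path, "resolved": resolved, "depth": depth, "escaped_root": escaped,
            "sensitive": bool(SENSITIVE.search(resolved)),
            "succeeded": e.status == 200 and e.size > 0,  # 200 with a body: the file was served
        })
    return hits


def auth_success_after_failure(entries, path="/api/auth", window_s=30):
    """Pair a 401 on `path` with a 2xx on the same path from the same IP within window_s seconds."""
    by_ip = {}
    for e in entries:
        if e.path == path:
            by_ip.setdefault(e.ip, []).append(e)
    pairs = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda x: x.ts)
        for i, failed in enumerate(evs):
            if failed.status != 401:
                continue
            for later in evs[i + 1:]:
                gap = (later.ts - failed.ts).total_seconds()
                if gap > window_s:
                    break
                if 200 <= later.status < 300:
                    pairs.append((ip, gap))
                    break
    return pairs


if __name__ == "__main__":
    parsed = parse(SAMPLE_LOG)
    for h in find_traversal(parsed):
        print(f'{h["time"]} {h["ip"]} depth={h["depth"]} -> {h["resolved"]} '
              f'[{"READ" if h["succeeded"] else "blocked"}]')
    for ip, gap in auth_success_after_failure(parsed):
        print(f"{ip}: 401 on /api/auth followed by success {gap:.0f}s later")
```

Run against the real access.log by replacing SAMPLE_LOG with the file's contents. Only the id_rsa request comes out as a successful read; the other two traversal attempts from the same address resolve to sensitive paths but were refused, which is exactly the distinction the question asks you to draw between probing and the request that actually exfiltrated data.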