The Log File

HARD
Incident Response / Log Analysis
🏆 200 pts

Challenge #10: The Log File

forensics logs linux incident-response base64

📋 Mission Brief

A Linux web server was breached. The attacker attempted to cover their tracks but made critical mistakes. The server logs were collected before the machine was wiped. Reconstruct the full attack timeline and recover the flag the attacker deliberately left on the server.

🎯 The Challenge

Download the ZIP and extract it. You’ll find 5 files collected from a compromised Linux server:

  • auth.log — SSH login attempts and sessions
  • apache_access.log — Web server access log
  • bash_history — Commands run during the intrusion
  • syslog — System events
  • .flag.txt — A file the attacker created on the server

Investigation tasks:

  1. What IP address conducted the attack?
  2. How did the attacker gain initial access? (Which account, what method?)
  3. What scanning tool did they use against the web application?
  4. What did the attacker write to /var/www/html/.flag.txt?
  5. Decode the content of .flag.txt to get the real flag

Tools needed: Any text editor. A Base64 decoder (online: base64decode.org or CyberChef).

📁 Challenge File

Download the file and analyze it to find the flag:

⬇️ Download ch10_server_logs.zip

💡 Hint

Read bash_history carefully — it shows every command the attacker ran. Find the command that writes to .flag.txt. The file .flag.txt contains a Base64-encoded string. Decode it to reveal the flag.
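A triage script for the five investigation tasks, added here as an example and not part of the challenge or its solution: it runs over constructed sample lines in the formats of auth.log, apache_access.log and bash_history (not the real logs; the IPs are documentation addresses and the flag it decodes is a placeholder), picks the SSH source with the most failed logins and the account it finally succeeded with, lists the User-Agent strings that source sent to the web server, and decodes the Base64 that the shell history wrote to .flag.txt.

```python
import base64
import re
from collections import Counter

# Constructed sample lines in the formats of the three files the tasks point at (not the real logs).
AUTH_LOG = """\
Mar  3 02:11:05 web01 sshd[2211]: Failed password for root from 203.0.113.77 port 51022 ssh2
Mar  3 02:11:09 web01 sshd[2211]: Failed password for root from 203.0.113.77 port 51022 ssh2
Mar  3 02:11:14 web01 sshd[2215]: Failed password for invalid user admin from 203.0.113.77 port 51030 ssh2
Mar  3 02:11:20 web01 sshd[2219]: Accepted password for webadmin from 203.0.113.77 port 51041 ssh2
Mar  3 02:12:00 web01 sshd[2230]: Accepted publickey for deploy from 198.51.100.9 port 40100 ssh2
"""
ACCESS_LOG = """\
203.0.113.77 - - [03/Mar/2024:02:05:31 +0000] "GET /admin/ HTTP/1.1" 404 196 "-" "WebScanner/1.0 (constructed)"
198.51.100.9 - - [03/Mar/2024:02:06:02 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""
PLACEHOLDER_FLAG = "PlainlySec{EXAMPLE_NOT_THE_REAL_FLAG}"  # placeholder, not the challenge flag
BASH_HISTORY = f"""\
whoami
echo {base64.b64encode(PLACEHOLDER_FLAG.encode()).decode()} > /var/www/html/.flag.txt
history -c
"""

SSH_RE = re.compile(r"sshd\[\d+\]: (Accepted|Failed) (\w+) for (?:invalid user )?(\S+) from (\S+)")
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d+ \S+ "[^"]*" "([^"]*)"')

def initial_access(auth_log):
    """Tasks 1-2: source with the most failed SSH logins, and the account/method it finally got in with."""
    events = [m.groups() for m in map(SSH_RE.search, auth_log.splitlines()) if m]
    failures = Counter(ip for outcome, _, _, ip in events if outcome == "Failed")
    ip = failures.most_common(1)[0][0]
    hit = next(((user, method) for outcome, method, user, src in events
                if outcome == "Accepted" and src == ip), (None, None))
    return {"ip": ip, "failed": failures[ip], "account": hit[0], "method": hit[1]}

def scanner_user_agents(access_log, ip):
    """Task 3: distinct User-Agent strings the attacker IP sent to the web server."""
    hits = (ACCESS_RE.match(line) for line in access_log.splitlines())
    return sorted({m.group(2) for m in hits if m and m.group(1) == ip})

def flag_write(bash_history, path="/var/www/html/.flag.txt"):
    """Tasks 4-5: the command that redirects into the flag file, and its Base64 payload decoded."""
    pat = re.compile(r"echo\s+['\"]?([A-Za-z0-9+/=]+)['\"]?\s*>+\s*" + re.escape(path))
    for cmd in bash_history.splitlines():
        m = pat.search(cmd)
        if m:
            return {"command": cmd, "decoded": base64.b64decode(m.group(1)).decode()}
    return None
```

On the real files, read each log with `open(...).read()` and pass it to the matching function; the timestamps on the three hits are the skeleton of the timeline the brief asks for.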

🚩 Submit Your Flag

Flag format: PlainlySec{...}