Investigation Report#

Tutorial Challenge - Security Incident Investigation Report#

Date: October 7, 2025
Investigator: MR. Umair
Case: Echo Response - Week 0 Tutorial
Difficulty: Easy
Category: Incident Response, Log Analysis, Encoding

Executive Summary#

This tutorial challenge introduces participants to the Echo Response series through two distinct exercises: decoding a Base64-encoded cybersecurity awareness message and analyzing web server logs for malicious activity.

Key Findings:

Successfully decoded Base64-encoded tutorial content containing security awareness poem
Identified successful path traversal attack targeting SSH private keys
Detected unauthorized access from IP address 192.168.1.101
Confirmed exfiltration of 1,678 bytes (SSH private key for user ‘dave’)
Attack succeeded with HTTP 200 status, indicating critical security breach

Severity: HIGH - SSH private key compromise enables unauthorized system access

Investigation Objectives#

Decode Base64-encoded content from tutorial.txt
Extract the exercise answer from decoded message
Analyze web server access logs for suspicious activity
Identify path traversal attacks and other security incidents
Document attack vectors, impact, and remediation steps

Evidence Collection#

Evidence Files#

File Name	Type	Size	Description
tutorial.txt	Text	~500 bytes	Base64-encoded cybersecurity poem
access.log	Log File	21 entries	Apache/Nginx web server access logs
question.txt	Text	~4 KB	Answer format instructions
instruction.txt	Text	58 bytes	Package password information

Chain of Custody#

Collection Date: November 17, 2025
Source: OffSec Echo Response Challenge Platform
Package Password: ThisIsAFunTutorial1#
Integrity: SHA256 hashes verified (if applicable)

Part 1: Base64 Decoding Analysis#

Encoded Content Analysis#

File: tutorial.txt
Encoding: Base64
Original Content:

1
TXVmZmluIHRoZSBjYXQgY2xpY2tlZCBvbiBhIGxpbmssCk5vdyBhbGwgaGlzIGZpbGVzIGJlZ2FuIHRvIHNocmluayEKSGUgc2hvdWxk4oCZdmUgY2hlY2tlZCB0aGUgc2VuZGVy4oCZcyBuYW1lLApCdXQgbm93IGhpcyBsYXB0b3AncyBub3QgdGhlIHNhbWUuCgpBIHBhc3N3b3JkIHN0cm9uZywgYSBmaXJld2FsbCB0aWdodCwKS2VlcHMgc25lYWt5IGhhY2tlcnMgb3V0IG9mIHNpZ2h0LgpTbyB0aGluayBiZWZvcmUgeW91IHN1cmYgYW5kIHBsYXnigJQKQ3liZXItc21hcnRzIHdpbGwgc2F2ZSB0aGUgZGF5IQoKVGhlIGFuc3dlciB0byB0aGlzIGV4ZXJjaXNlIGlzICJUcnlIYXJkZXIi

Decoding Process#

Method 1 - PowerShell:

1
[System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($base64String))

Method 2 - Python:

1
import base64
2
decoded = base64.b64decode(encoded_string).decode('utf-8')

Method 3 - Linux:

1
echo "$base64String" | base64 -d

Decoded Message#

1
Muffin the cat clicked on a link,
2
Now all his files began to shrink!
3
He should've checked the sender's name,
4
But now his laptop's not the same.
5

6
A password strong, a firewall tight,
7
Keeps sneaky hackers out of sight.
8
So think before you surf and play
9
Cyber-smarts will save the day!
10

11
The answer to this exercise is "TryHarder"

Security Awareness Lessons#

The decoded poem teaches fundamental cybersecurity principles:

Phishing Awareness
- “Muffin clicked on a link” Don’t click suspicious links
- “Should’ve checked the sender’s name” Verify email senders
- Impact: Ransomware infection (“files began to shrink”)
Defense in Depth
- “A password strong, a firewall tight” Multiple security layers
- Strong authentication + network security
- Principle of least privilege
Security Mindfulness
- “Think before you surf and play” User awareness is critical
- “Cyber-smarts will save the day” Education prevents breaches

Answer Extraction#

Exercise Answer: TryHarder

This aligns with the famous OffSec motto: “Try Harder” - encouraging persistence and problem-solving in cybersecurity challenges.

Part 2: Access Log Analysis#

Log File Overview#

Total Entries: 21
Date Range: October 1, 2025 (08:02:15 - 08:20:10)
Time Span: ~18 minutes
Unique IP Addresses: 10
Log Format: Apache/Nginx Combined Log Format

Normal Traffic Baseline#

1
192.168.1.10  - Homepage access (200 OK)
2
192.168.1.15  - Login page access (200 OK)
3
192.168.1.30  - Dashboard access + static assets (200 OK)
4
10.0.0.5      - API calls (200 OK, 204 No Content)
5
192.168.1.15  - Logout (302 Redirect)

Suspicious Activity Detection#

Critical Finding: Path Traversal Attack#

Log Entry (Line 16):

1
192.168.1.101 - - [01/Oct/2025:08:17:55 +0000] "GET /public/plugins/welcome/../../../../../../../../home/dave/.ssh/id_rsa HTTP/1.1" 200 1678 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"

Attack Analysis:

Field	Value	Analysis
Source IP	192.168.1.101	Internal network range (192.168.1.x)
Timestamp	08:17:55 UTC	October 1, 2025
Method	GET	Read-only operation
Path	`/public/plugins/welcome/../../../../../../../../home/dave/.ssh/id_rsa`	8-level directory traversal
HTTP Version	HTTP/1.1	Standard protocol
Status Code	200 OK	Attack Successful
Response Size	1,678 bytes	SSH private key size
User Agent	Mozilla/5.0 (Windows NT 10.0)	Legitimate browser UA
Referrer	- (None)	Direct URL access

Attack Breakdown:

Legitimate Base Path: /public/plugins/welcome/
- Appears to be a valid application endpoint
- Likely intended for plugin management
Directory Traversal: ../../../../../../../../
- 8 levels of parent directory navigation
- Each ../ moves up one directory level
- Breaks out of web root directory
Target Path: /home/dave/.ssh/id_rsa
- User: dave
- File: SSH private key (RSA)
- Location: Standard Linux SSH key location
Success Indicators:
- HTTP 200 OK status
- 1,678 bytes returned (typical RSA key size)
- No error message or redirect

Vulnerability: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory

MITRE ATT&CK Mapping:

Tactic: T1083 - File and Directory Discovery
Tactic: T1552.004 - Unsecured Credentials: Private Keys
Technique: Path Traversal for credential access

Failed Authentication Attempt#

Log Entry (Line 3):

1
192.168.1.20 - - [01/Oct/2025:08:04:32 +0000] "POST /api/auth HTTP/1.1" 401 543 "-" "Mozilla/5.0 (X11; Linux x86_64)"

Analysis:

IP: 192.168.1.20
Status: 401 Unauthorized
Size: 543 bytes (error response)
User Agent: Linux Chrome browser

Successful Authentication#

Log Entry (Line 4):

1
192.168.1.20 - - [01/Oct/2025:08:04:40 +0000] "POST /api/auth HTTP/1.1" 200 1023 "-" "Mozilla/5.0 (X11; Linux x86_64)"

Analysis:

Same IP address (192.168.1.20)
8 seconds later - Successful login
Status: 200 OK
Size: 1,023 bytes (likely includes auth token)

Assessment: Likely legitimate user who mistyped password initially. Time gap (8 seconds) suggests manual retry, not brute force automation.

Error Responses#

1. Forbidden Access to Metrics Endpoint#

Log Entry (Line 13):

1
172.16.0.2 - - [01/Oct/2025:08:15:33 +0000] "GET /metrics HTTP/1.1" 403 350 "-" "curl/7.68.0"

Analysis:

IP: 172.16.0.2 (different subnet - 172.16.x.x)
Endpoint: /metrics (monitoring/observability)
Status: 403 Forbidden (access denied)
User Agent: curl (command-line tool)
Assessment: Proper security control - metrics endpoint protected

2. Internal Server Error on Upload#

Log Entry (Line 14):

1
172.16.0.2 - - [01/Oct/2025:08:16:45 +0000] "POST /api/upload HTTP/1.1" 500 1024 "-" "PostmanRuntime/7.32.0"

Analysis:

Same IP: 172.16.0.2
Endpoint: /api/upload
Status: 500 Internal Server Error
User Agent: Postman (API testing tool)
Assessment: Application error, not security issue (likely development/testing)

3. Missing Favicon#

Log Entry (Line 10):

1
192.168.1.99 - - [01/Oct/2025:08:11:57 +0000] "GET /favicon.ico HTTP/1.1" 404 490 "-" "Mozilla/5.0 (Windows NT 10.0)"

Analysis:

Status: 404 Not Found
Assessment: Cosmetic issue, no security impact

Timeline of Events#

1
08:02:15 - Normal activity begins (homepage access)
2
08:03:05 - User accesses login page
3
08:04:32 - Failed authentication attempt (192.168.1.20)
4
08:04:40 - Successful authentication (192.168.1.20)
5
08:06:12 - Dashboard access with static assets
6
08:10:01 - API data retrieval (10.0.0.5)
7
08:11:57 - Favicon 404 error
8
08:12:00 - Apache internal health check
9
08:13:22 - User logout
10
08:15:33 - Forbidden metrics access attempt (172.16.0.2)
11
08:16:45 - Upload API error (172.16.0.2)
12
08:17:17 - Logo image request
13
08:17:55 -  PATH TRAVERSAL ATTACK (192.168.1.101)
14
08:18:01 - Request timeout (408)
15
08:18:05 - User profile access
16
08:19:30 - Terms of service page
17
08:19:44 - User notifications API
18
08:20:10 - User settings API

Critical Incident: 08:17:55 UTC - SSH private key exfiltration

Impact Assessment#

Confidentiality Impact: HIGH#

Compromised: SSH private key for user ‘dave’
Risk: Unauthorized SSH access to systems where this key is authorized
Scope: All servers/systems trusting dave’s public key

Integrity Impact: MEDIUM#

If attacker gains SSH access, they can:
- Modify files and configurations
- Plant backdoors
- Tamper with logs (anti-forensics)
- Escalate privileges

Availability Impact: MEDIUM#

Potential for:
- Ransomware deployment
- Resource exhaustion
- Service disruption
- Data destruction

Overall Risk Rating: CRITICAL#

Reasoning:

Attack was successful (200 OK response)
SSH keys enable persistent access
No user interaction required for exploitation
Lateral movement opportunities
Difficult to detect post-compromise activity

Root Cause Analysis#

Vulnerability Details#

Type: Path Traversal (Directory Traversal)
CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory
OWASP: A01:2021 - Broken Access Control

Why the Attack Succeeded#

Insufficient Input Validation
- Application didn’t sanitize ../ sequences
- No restriction on parent directory references
- Path normalization not implemented
Missing Access Controls
- No chroot jail or filesystem restrictions
- Web server process has excessive file read permissions
- No allow-list for accessible directories
Lack of Detection
- No WAF (Web Application Firewall) deployed
- No intrusion detection for path traversal patterns
- Logging exists but no real-time alerting

Vulnerable Code Pattern (Hypothetical)#

1
# VULNERABLE CODE (Example)
2
@app.route('/public/plugins/<path:plugin_path>')
3
def serve_plugin(plugin_path):
4
    # NO SANITIZATION - DANGEROUS!
5
    file_path = f'/var/www/public/plugins/{plugin_path}'
6
    return send_file(file_path)

Problem: Direct concatenation of user input into file path without validation.

Remediation Steps#

Immediate Actions (0-24 Hours)#

Incident Response

1
# Block malicious IP immediately
2
sudo iptables -A INPUT -s 192.168.1.101 -j DROP
3

4
# Check for unauthorized SSH sessions
5
sudo last -f /var/log/wtmp | grep dave
6
sudo journalctl -u ssh | grep 192.168.1.101

Credential Rotation

1
# Revoke compromised SSH key for user 'dave'
2
sudo su - dave
3
cd ~/.ssh
4
mv id_rsa id_rsa.COMPROMISED_$(date +%Y%m%d)
5
mv id_rsa.pub id_rsa.pub.COMPROMISED_$(date +%Y%m%d)
6

7
# Generate new key pair
8
ssh-keygen -t ed25519 -C "dave@company.com"
9

10
# Update authorized_keys on all servers
11
# Deploy new public key to authorized systems

Forensic Evidence Collection

1
# Preserve logs before they rotate
2
sudo cp /var/log/apache2/access.log /evidence/access.log.$(date +%Y%m%d_%H%M%S)
3
sudo cp /var/log/auth.log /evidence/auth.log.$(date +%Y%m%d_%H%M%S)
4

5
# Check for signs of key usage
6
sudo grep "192.168.1.101" /var/log/auth.log

System Audit

1
# Check for other compromised files accessed by this IP
2
sudo grep "192.168.1.101" /var/log/apache2/access.log
3

4
# Look for suspicious processes
5
sudo ps auxf | grep dave
6

7
# Check for backdoors
8
sudo find /tmp -type f -mtime -1
9
sudo find /home/dave -type f -mtime -1

Short-Term Fixes (24-72 Hours)#

Patch Vulnerability

1
# SECURE CODE (Example)
2
import os
3
from werkzeug.security import safe_join
4

5
@app.route('/public/plugins/<path:plugin_path>')
6
def serve_plugin(plugin_path):
7
    # Validate and sanitize input
8
    if '..' in plugin_path or plugin_path.startswith('/'):
9
        abort(403)
10

11
    # Use safe_join to prevent directory traversal
12
    base_dir = '/var/www/public/plugins'
13
    file_path = safe_join(base_dir, plugin_path)
14

15
    # Verify the file is within allowed directory
16
    if not file_path.startswith(base_dir):
17
        abort(403)
18

19
    return send_file(file_path)

Deploy WAF Rules

1
# Nginx: Block path traversal attempts
2
location ~ \.\. {
3
    deny all;
4
    return 403;
5
}
6

7
location ~ /\.ssh/ {
8
    deny all;
9
    return 403;
10
}

Implement Monitoring

1
# Set up alert for path traversal patterns
2
# Example: Fail2ban filter
3
[Definition]
4
failregex = ^<HOST>.*"GET.*\.\..*"
5
ignoreregex =

Long-Term Security Enhancements#

Security Controls
- Deploy Web Application Firewall (ModSecurity, CloudFlare WAF)
- Implement Content Security Policy (CSP) headers
- Use principle of least privilege for web server process
- Enable chroot jail for web application
Code Security
- Conduct secure code review
- Implement input validation library
- Use parameterized file access functions
- Enable static application security testing (SAST)
Monitoring & Detection
- Deploy SIEM solution (Splunk, ELK Stack, Wazuh)
- Create alerts for:
  - Multiple ../ in URLs
  - Access to sensitive file paths
  - Unusual response sizes (e.g., 1678 bytes from static endpoint)
- Implement file integrity monitoring (AIDE, Tripwire)
Access Controls
- Implement role-based access control (RBAC)
- Use allow-lists for file access
- Restrict web server filesystem permissions
- Enable SELinux/AppArmor policies
Security Training
- Developer training on secure coding practices
- Security awareness for operations team
- Incident response drills
- Regular vulnerability assessments

Indicators of Compromise (IOCs)#

Network Indicators#

Indicator Type	Value	Severity	Context
IP Address	192.168.1.101	CRITICAL	Path traversal attack source
User Agent	Mozilla/5.0 (Windows NT 10.0; Win64; x64)	INFO	Common browser UA (may be spoofed)

File System Indicators#

Indicator	Location	Description
Accessed File	/home/dave/.ssh/id_rsa	SSH private key exfiltrated
Web Log	/var/log/apache2/access.log	Contains attack evidence

Behavioral Indicators#

GET request with multiple ../ sequences
Access to files outside web root
1,678 byte response from plugin endpoint (unusual)
Direct URL access (no referrer header)

Lessons Learned#

What Went Right#

Logging Enabled: Attack was captured in access logs
Authentication Controls: 401/403 responses show some access controls exist
Error Handling: 500 errors logged for troubleshooting

What Went Wrong#

Input Validation: No sanitization of file paths
Access Controls: Insufficient filesystem restrictions
Monitoring: No real-time alerting for attacks
Incident Response: Delayed detection (tutorial exercise, but critical in production)

Recommendations for Future#

Security-First Development
- Security requirements in design phase
- Threat modeling for new features
- Secure coding standards enforcement
Defense in Depth
- Multiple layers of security controls
- Assume one layer will fail
- Redundant monitoring and detection
Continuous Improvement
- Regular security assessments
- Penetration testing
- Bug bounty program
- Post-incident reviews

Investigation Conclusions#

Summary of Findings#

Tutorial Decoded: Base64 poem successfully decoded, answer “TryHarder” extracted
Critical Vulnerability: Path traversal vulnerability identified and confirmed
Successful Attack: SSH private key for user ‘dave’ exfiltrated by 192.168.1.101
Additional Issues: Minor authentication failures and server errors detected
Impact: HIGH - Potential for unauthorized SSH access and lateral movement

Recommendations Summary#

Priority	Action	Timeline
CRITICAL	Revoke compromised SSH key	Immediate
CRITICAL	Block malicious IP (192.168.1.101)	Immediate
HIGH	Patch path traversal vulnerability	24 hours
HIGH	Deploy WAF with path traversal rules	72 hours
MEDIUM	Implement real-time log monitoring	1 week
LOW	Security awareness training	1 month

Case Status#

Status: INVESTIGATION COMPLETE
Severity: CRITICAL (High Confidentiality Impact)
Remediation: IN PROGRESS (Requires immediate credential rotation)
Follow-up: Security audit recommended within 30 days

References#

CVE & Vulnerability Databases#

CWE-22: Improper Limitation of a Pathname to a Restricted Directory
https://cwe.mitre.org/data/definitions/22.html
OWASP A01:2021: Broken Access Control
https://owasp.org/Top10/A01_2021-Broken_Access_Control/

MITRE ATT&CK Framework#

T1083: File and Directory Discovery
https://attack.mitre.org/techniques/T1083/
T1552.004: Unsecured Credentials: Private Keys
https://attack.mitre.org/techniques/T1552/004/

Security Best Practices#

OWASP Path Traversal Prevention Cheat Sheet
NIST SP 800-53: Security and Privacy Controls
CIS Benchmarks for Web Application Security

Appendices#

Appendix A: Full Access Log (21 Entries)#

Click to expand complete access.log

1
192.168.1.10 - - [01/Oct/2025:08:02:15 +0000] "GET / HTTP/1.1" 200 4523 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0"
2
192.168.1.15 - - [01/Oct/2025:08:03:05 +0000] "GET /login HTTP/1.1" 200 1321 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 13_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Safari/605.1.15"
3
192.168.1.20 - - [01/Oct/2025:08:04:32 +0000] "POST /api/auth HTTP/1.1" 401 543 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.0.0 Safari/537.36"
4
192.168.1.20 - - [01/Oct/2025:08:04:40 +0000] "POST /api/auth HTTP/1.1" 200 1023 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.0.0 Safari/537.36"
5
[... remaining 17 entries ...]
6
192.168.1.101 - - [01/Oct/2025:08:17:55 +0000] "GET /public/plugins/welcome/../../../../../../../../home/dave/.ssh/id_rsa HTTP/1.1" 200 1678 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"

Appendix B: Decoding Methods#

PowerShell:

1
[System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String("TXVmZmluIH..."))

Python:

1
import base64
2
base64.b64decode("TXVmZmluIH...").decode('utf-8')

Bash:

1
echo "TXVmZmluIH..." | base64 -d

Appendix C: Analysis Script#

See analyze_tutorial.py for automated forensic analysis tool.

Report Prepared By: MR. Umair
Date: October 7, 2025

End of Investigation Report

Investigation Report#

Tutorial Challenge - Security Incident Investigation Report#

Executive Summary#

Investigation Objectives#

Evidence Collection#

Evidence Files#

Chain of Custody#

Part 1: Base64 Decoding Analysis#

Encoded Content Analysis#

Decoding Process#

Decoded Message#

Security Awareness Lessons#

Answer Extraction#

Part 2: Access Log Analysis#

Log File Overview#

Normal Traffic Baseline#

Suspicious Activity Detection#

Critical Finding: Path Traversal Attack#

Authentication-Related Events#

Failed Authentication Attempt#

Successful Authentication#

Error Responses#

1. Forbidden Access to Metrics Endpoint#

2. Internal Server Error on Upload#

3. Missing Favicon#

Timeline of Events#

Impact Assessment#

Confidentiality Impact: HIGH#

Integrity Impact: MEDIUM#

Availability Impact: MEDIUM#

Overall Risk Rating: CRITICAL#

Root Cause Analysis#

Vulnerability Details#

Why the Attack Succeeded#

Vulnerable Code Pattern (Hypothetical)#

Remediation Steps#

Immediate Actions (0-24 Hours)#

Short-Term Fixes (24-72 Hours)#

Long-Term Security Enhancements#

Indicators of Compromise (IOCs)#

Network Indicators#

File System Indicators#

Behavioral Indicators#

Lessons Learned#

What Went Right#

What Went Wrong#

Recommendations for Future#

Investigation Conclusions#

Summary of Findings#

Recommendations Summary#

Case Status#

References#

CVE & Vulnerability Databases#

MITRE ATT&CK Framework#

Security Best Practices#

Appendices#

Appendix A: Full Access Log (21 Entries)#

Appendix B: Decoding Methods#

Appendix C: Analysis Script#