Nginx in the Dark

Forensics 200 pts standard
Challenge Description

A public-facing Nginx server was compromised and used as an internal pivot. Some logs were tampered with. Reconstruct what happened.

Find:

  1. Real webshell URI path used for command execution.
  2. Persistence mechanism.
  3. Effective compromised service user.
  4. Remote beacon host in persistence command.

Flag format: HackCTF{...}

Hints
  1. Differentiate executed webshell endpoints from passive probes.
  2. Persistence is minute-level and shell-based.
  3. Include beacon host from cron command in the flag.