📋 Challenge 5: Log Detective
Server access logs record every single request. A detective's job is to find the clues hidden in the noise!
📖 The Story
The company's web admin noticed some unusual activity on the server. She exported today's access logs and needs your help analyzing them.
Read through these logs carefully. Is there a suspicious request? The hacker may have left a trace in the URL or its parameters...
Read through these logs carefully. Is there a suspicious request? The hacker may have left a trace in the URL or its parameters...
📜 Server Access Log
192.168.1.45 - - [22/Mar/2026:08:12:03 +0800] "GET / HTTP/1.1" 200 3421
192.168.1.45 - - [22/Mar/2026:08:12:05 +0800] "GET /css/style.css HTTP/1.1" 200 1205
192.168.1.45 - - [22/Mar/2026:08:12:05 +0800] "GET /js/main.js HTTP/1.1" 200 890
10.0.0.99 - - [22/Mar/2026:08:15:22 +0800] "GET /about HTTP/1.1" 200 2103
10.0.0.99 - - [22/Mar/2026:08:15:30 +0800] "GET /products HTTP/1.1" 200 5670
172.16.0.3 - - [22/Mar/2026:08:20:11 +0800] "POST /login HTTP/1.1" 200 445
172.16.0.3 - - [22/Mar/2026:08:20:15 +0800] "GET /dashboard HTTP/1.1" 200 3200
192.168.1.45 - - [22/Mar/2026:08:25:33 +0800] "GET /images/logo.png HTTP/1.1" 200 15234
10.0.0.55 - - [22/Mar/2026:08:30:01 +0800] "GET /api/users HTTP/1.1" 403 120
10.0.0.55 - - [22/Mar/2026:08:30:05 +0800] "GET /admin HTTP/1.1" 403 120
10.0.0.55 - - [22/Mar/2026:08:30:10 +0800] "GET /admin/login HTTP/1.1" 200 890
10.0.0.55 - - [22/Mar/2026:08:30:45 +0800] "GET /search?q=ZmxhZ3tzaGVybG9ja19vZl90aGVfc2VydmVyfQ== HTTP/1.1" 200 0
10.0.0.55 - - [22/Mar/2026:08:31:02 +0800] "GET /api/config HTTP/1.1" 403 120
192.168.1.100 - - [22/Mar/2026:08:35:18 +0800] "GET / HTTP/1.1" 200 3421
192.168.1.100 - - [22/Mar/2026:08:35:20 +0800] "GET /products/1 HTTP/1.1" 200 2300
172.16.0.3 - - [22/Mar/2026:08:40:55 +0800] "GET /dashboard/settings HTTP/1.1" 200 1800
10.0.0.55 - - [22/Mar/2026:08:45:12 +0800] "GET /.env HTTP/1.1" 403 120
10.0.0.55 - - [22/Mar/2026:08:45:15 +0800] "GET /backup.sql HTTP/1.1" 404 0
192.168.1.45 - - [22/Mar/2026:08:50:00 +0800] "GET /contact HTTP/1.1" 200 1500
10.0.0.99 - - [22/Mar/2026:08:55:30 +0800] "POST /api/feedback HTTP/1.1" 201 45
🛠️ Log Analysis Tips
- Web server logs typically contain: IP address, timestamp, HTTP method, URL path, status code
- Look for unusual parameters or encoded strings in the URLs
- Some content might be encoded in Base64 (looks like a string of letters/numbers, possibly ending in
=) - Use an online Base64 decoder to decode suspicious strings
💡 Need a hint? Click to reveal
Look at each log line carefully. One request has a Base64-encoded string in its query parameter. Find it and decode it using an online tool — just search for "Base64 decode online." Base64 strings contain only letters, numbers, +, and /, and often end with =.