> In the wake of recent security breaches, it has become paramount to ensure
> the integrity and safety of our systems. A routine audit of our admin
> activity logs has revealed several anomalies that could suggest a breach or
> an attempted breach. These logs are critical to understanding the actions
> taken by users with administrative privileges and identifying any that could
> have jeopardized our network’s security. Your task is to analyze the
> provided admin activity logs to identify any suspicious activities.  
>

If we filter out the generic page requests (the hits on index.html) from the log file, we are left with a single request whose URL stands out:

```
192.168.0.8 - - [26/Feb/2024:08:46:37 -0500] "GET /admin/ufile.io/y8ls94tu HTTP 1.1" 401 2048
```
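The filtering step above can be done with a few lines of Python rather than by eye. The script below is an added example and is not part of the original writeup: it parses access-log lines in the common log format, drops requests for an expected baseline of paths (here only `/admin/index.html`, an assumed baseline for the example), and reports whatever remains together with a per-path status-code summary. The sample log is constructed; the `ufile.io` line is the one quoted in the writeup, and the `index.html` lines are made-up filler standing in for the generic page hits that fill the real log.

```python
import re
from collections import Counter

# Constructed sample, in Apache/nginx common-log style. The ufile.io request
# is the line quoted in the writeup; the index.html lines are made-up filler
# standing in for the generic page hits that fill the real log.
SAMPLE_LOG = """\
192.168.0.8 - - [26/Feb/2024:08:40:01 -0500] "GET /admin/index.html HTTP/1.1" 200 1024
192.168.0.8 - - [26/Feb/2024:08:41:12 -0500] "GET /admin/index.html HTTP/1.1" 200 1024
192.168.0.8 - - [26/Feb/2024:08:46:37 -0500] "GET /admin/ufile.io/y8ls94tu HTTP 1.1" 401 2048
192.168.0.8 - - [26/Feb/2024:08:47:05 -0500] "GET /admin/index.html HTTP/1.1" 200 1024
"""

# Common log format: ip ident user [timestamp] "method path proto" status size.
# The protocol group is lenient because the challenge log writes "HTTP 1.1".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Paths a normal admin session is expected to request; anything else is worth
# a look. This baseline is an assumption for the example, not from the page.
BASELINE_PATHS = {"/admin/index.html"}


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["size"] = None if entry["size"] == "-" else int(entry["size"])
    return entry


def find_outliers(lines, baseline=BASELINE_PATHS):
    """Parsed entries whose request path is not in the expected baseline."""
    out = []
    for line in lines:
        entry = parse_line(line)
        if entry is None or entry["path"] in baseline:
            continue
        out.append(entry)
    return out


def summarize(lines):
    """Count requests per (path, status) so rare combinations stand out."""
    counts = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry:
            counts[(entry["path"], entry["status"])] += 1
    return counts


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for (path, status), n in summarize(lines).most_common():
        print(f"{n:4d}  {status}  {path}")
    for e in find_outliers(lines):
        print(f"outlier: {e['ip']} {e['ts']} {e['method']} {e['path']} -> {e['status']}")
```

Run it against a real log by replacing `SAMPLE_LOG.splitlines()` with the file's lines; on the sample it reports the single `ufile.io` request, which also carries the only 401 in the log.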

![](https://margheritaviola.com/wp-content/uploads/2024/03/image-95.png)

We open the ufile.io/y8ls94tu URL embedded in that request path.

![](https://margheritaviola.com/wp-content/uploads/2024/03/image-96.png)

We download the file from that URL. It contains many CSV files; if you like, you can search their contents for the `texsaw{` flag prefix with the grep command. The flag is in user.csv.

![](https://margheritaviola.com/wp-content/uploads/2024/03/image-97.png)

```
texsaw{g0tcha_fl@g_m1ne}
```

Original writeup: https://margheritaviola.com/2024/03/26/texsaw2024-forensics-malicious-threat-writeup/