Log Analysis PBQs: CompTIA PenTest+ (PT0-003)
Difficulty: easy. Question 1 of 3
During a penetration test debrief, the blue team is reviewing web server and WAF logs to understand what their defenses caught. The pen tester reported attempting path traversal attacks against a file download endpoint. Your task is to review the logs, identify which entries show path traversal activity, and assess whether the WAF successfully blocked the attempts. Flag all entries related to the path traversal attack and classify the incident.
Objectives
- Review web server and IDS logs for path traversal attack indicators
- Flag all log entries related to the path traversal attempts
- Classify the type of attack observed
- Identify the attacker's source IP address
- Recommend the most appropriate response action
Security Event Log
| Flag | Time | Severity | Source | Message |
|---|---|---|---|---|
| | 10:00:00 | INFO | web | 200 GET /downloads/report-q1.pdf from 192.168.1.30 |
| | 10:02:15 | INFO | web | 200 GET /index.html from 192.168.1.25 |
| | 10:05:30 | WARN | web | 400 GET /downloads?file=../../../etc/passwd from 198.51.100.30 -- path traversal detected |
| | 10:05:32 | ALERT | ids | Path traversal attack: GET /downloads?file=../../../etc/passwd from 198.51.100.30 -- signature: dir-traversal-unix |
| | 10:06:00 | INFO | web | 200 GET /api/health from 10.0.0.5 (monitoring) |
| | 10:07:00 | INFO | system | Log rotation completed on web-server-01 |
| | 10:08:15 | WARN | web | 400 GET /downloads?file=%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd from 198.51.100.30 -- URL-encoded traversal |
| | 10:08:17 | ALERT | ids | Path traversal attack: URL-encoded bypass attempt from 198.51.100.30 -- signature: dir-traversal-urlenc |
| | 10:10:00 | INFO | web | 200 GET /downloads/report-q2.pdf from 192.168.1.30 |
| | 10:12:00 | INFO | auth | Successful login: admin from 192.168.1.10 -- internal admin panel |
| | 10:14:00 | INFO | web | 200 GET /admin/settings from 192.168.1.10 |
| | 10:16:00 | INFO | system | Automated certificate renewal check: all certificates valid |
12 entries in total.
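A worked pass over the table above, as an added example that is not part of the original PBQ or its grading: it parses the twelve entries, percent-decodes each request target so the URL-encoded attempt is caught exactly like the plain one, correlates every refused web request with the IDS alert that follows it from the same IP, and returns the entries to flag, the attacker's source IP and whether every attempt was blocked. The line layout is taken from the table; the 5-second correlation window, the function names and the result keys are assumptions of this example.

```python
"""Path traversal triage over the PBQ log table (added example, not the page's own code).
The twelve entries are transcribed from the table; the detection rule (percent-decode,
then look for a '..' path segment) and the correlation window are this example's choices."""
import re
from urllib.parse import parse_qs, unquote

# Constructed sample: the table rows as (time, severity, source, message).
LOG = [
    ("10:00:00", "INFO",  "web",    "200 GET /downloads/report-q1.pdf from 192.168.1.30"),
    ("10:02:15", "INFO",  "web",    "200 GET /index.html from 192.168.1.25"),
    ("10:05:30", "WARN",  "web",    "400 GET /downloads?file=../../../etc/passwd from 198.51.100.30 -- path traversal detected"),
    ("10:05:32", "ALERT", "ids",    "Path traversal attack: GET /downloads?file=../../../etc/passwd from 198.51.100.30 -- signature: dir-traversal-unix"),
    ("10:06:00", "INFO",  "web",    "200 GET /api/health from 10.0.0.5 (monitoring)"),
    ("10:07:00", "INFO",  "system", "Log rotation completed on web-server-01"),
    ("10:08:15", "WARN",  "web",    "400 GET /downloads?file=%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd from 198.51.100.30 -- URL-encoded traversal"),
    ("10:08:17", "ALERT", "ids",    "Path traversal attack: URL-encoded bypass attempt from 198.51.100.30 -- signature: dir-traversal-urlenc"),
    ("10:10:00", "INFO",  "web",    "200 GET /downloads/report-q2.pdf from 192.168.1.30"),
    ("10:12:00", "INFO",  "auth",   "Successful login: admin from 192.168.1.10 -- internal admin panel"),
    ("10:14:00", "INFO",  "web",    "200 GET /admin/settings from 192.168.1.10"),
    ("10:16:00", "INFO",  "system", "Automated certificate renewal check: all certificates valid"),
]

# "<status> <METHOD> <target> from <ip>" is how the web source writes requests in this table.
REQUEST_RE = re.compile(r"^(?P<status>\d{3}) (?P<method>[A-Z]+) (?P<target>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})")
IP_RE = re.compile(r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})")
CORRELATION_WINDOW_S = 5  # assumption: an IDS alert within 5 s of the web entry, same IP, belongs to it


def to_seconds(hhmmss):
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return h * 3600 + m * 60 + s


def canonicalize(value):
    """Percent-decode until stable (bounded, so %252e... is handled) and normalise
    backslashes, so %2e%2e%2f and ..\\ both surface as '../'."""
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")


def is_traversal(target):
    """True if the URL path or any query-parameter value contains a '..' segment."""
    path, _, query = target.partition("?")
    candidates = [path]
    for values in parse_qs(query, keep_blank_values=True).values():
        candidates.extend(values)
    return any(".." in canonicalize(c).split("/") for c in candidates)


def analyze(log):
    # IDS alerts first, so each web attempt can be checked for corroboration.
    alerts = []
    for time, _sev, src, msg in log:
        if src == "ids" and "traversal" in msg.lower():
            ip = IP_RE.search(msg)
            alerts.append({"time": time, "ip": ip["ip"] if ip else None})

    attempts = []
    for time, _sev, src, msg in log:
        m = REQUEST_RE.match(msg)
        if src != "web" or not m or not is_traversal(m["target"]):
            continue
        status = int(m["status"])
        corroborated = any(
            a["ip"] == m["ip"] and abs(to_seconds(a["time"]) - to_seconds(time)) <= CORRELATION_WINDOW_S
            for a in alerts
        )
        attempts.append({
            "time": time,
            "ip": m["ip"],
            "status": status,
            "encoded": "%" in m["target"],
            "blocked": 400 <= status < 500,  # the server refused it; a 200 here would mean the file was served
            "ids_alert": corroborated,
        })

    flagged = sorted({a["time"] for a in attempts} | {a["time"] for a in alerts})
    return {
        "flagged_times": flagged,
        "attacker_ips": sorted({a["ip"] for a in attempts} | {a["ip"] for a in alerts if a["ip"]}),
        "classification": "path traversal" if attempts else "none",
        "encoded_bypass_attempted": any(a["encoded"] for a in attempts),
        "all_blocked": bool(attempts) and all(a["blocked"] for a in attempts),
        "attempts": attempts,
    }


if __name__ == "__main__":
    result = analyze(LOG)
    for key in ("flagged_times", "attacker_ips", "classification", "encoded_bypass_attempted", "all_blocked"):
        print(f"{key}: {result[key]}")
```

The decode-then-split check is the point worth taking away: a rule that greps for the literal `../` catches the 10:05:30 request but not the 10:08:15 one, which is exactly the bypass the attacker tried next. The `blocked` field rests only on the status code the web log recorded; in a real review, a 200 on a traversal target is the entry to escalate, because it means the file was served regardless of what the IDS said.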
Incident Analysis
Flag the suspicious entries and answer the incident questions.

