In the storm-battered depths of a discreet mountain range lies ProtoVault, an arcane sanctuary governed by the secretive guild known as the Everbound Order. They safeguard some of the most hidden knowledge across the Cyber Realms. Its defenses are forged in dragonfire and sealed with runes that demand the blood, breath, and soulprint of their masters.
But magic can't guard everything.
Whispers ripple through the cyber realm. The vault's inner sanctuary has been breached. A ransom scroll claims access to the Corespell – the foundational arcane code for ProtoVault – and issues a chilling demand:
"Surrender the Archivist Verin."
Verin holds command over the hidden vaults – each safeguarding knowledge not meant to be accessed, but to protect the balance of the Cyber Realms.
If Verin isn't given over, ProtoVault could unravel everything it was built to defend.
AnchorHelm, an OffSec Legend, has summoned you, a skilled codecaster, to stop this before it goes any further.
Preparation - working directory and provided files
Create a clean workspace and copy the challenge archive into it.
mkdir -p ~/protovault_investigation && cd ~/protovault_investigation
cp /path/to/9ee32ac125677475052b3b0ea3b28112-protovault-breach.zip ./protovault-breach.zip
unzip -l protovault-breach.zip
# expected entries: ransom_email.png, source_code.zip
If the inner archive is password-protected (as in this challenge), extract it using the provided password.
# inner archive password known from the lab: BloodBreathSoulFire
unzip -P 'BloodBreathSoulFire' protovault-breach.zip source_code.zip
unzip -P 'BloodBreathSoulFire' source_code.zip -d source_code
# if unzip complains, use 7z:
7z x -p'BloodBreathSoulFire' source_code.zip -osource_code
Confirm you have ransom_email.png and a source_code/ tree.
Question 1 - "Determine if the leak could have come from the application. Review the database connection string to ensure it is secure. Submit the connection string here."
Goal: find the application configuration that reveals the database URI.
Steps & commands
Inspect the application directory for Flask/SQLAlchemy config.
cd source_code
# look for SQLAlchemy config or any 'postgres' strings
grep -RIn "SQLALCHEMY_DATABASE_URI\|postgresql:\/\/\|assetdba" . | sed -n '1,200p'
Open the file that contained the match. In this repo it is app/app.py:
sed -n '1,220p' app/app.py
You should see a line similar to:
app.config['SQLALCHEMY_DATABASE_URI'] = 'postgresql://assetdba:8d631d2207ec1debaafd806822122250@pgsql_prod_db01.protoguard.local/pgamgt?sslmode=verify-full'
Answer (connection string to submit):
postgresql://assetdba:8d631d2207ec1debaafd806822122250@pgsql_prod_db01.protoguard.local/pgamgt?sslmode=verify-full
Why this shows the app could be the source of the leak: embedding credentials in source code is a root cause. Anyone with read access to the repository, or to a readable artifact built from it, holds working database credentials and can exfiltrate the DB contents. The rest of this guide shows how a backup script could use those credentials.
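To make the review in Question 1 repeatable, the following added example (not part of the challenge files or the original write-up) scans source text for database connection strings, redacts the password before reporting, and flags the two properties a reviewer would check: whether a password is embedded in the URI and whether sslmode enforces certificate verification. The SAMPLE_SOURCE lines are constructed to mirror the app/app.py line quoted above; the scheme list, finding strings and the DATABASE_URL environment variable name used by the hardened alternative are assumptions of this example, not something the challenge specifies.

```python
import os
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample input: a few Flask config lines of the kind this
# write-up points at (assumed layout, not the challenge repo's actual file).
SAMPLE_SOURCE = """\
app = Flask(__name__)
app.config['SQLALCHEMY_DATABASE_URI'] = 'postgresql://assetdba:8d631d2207ec1debaafd806822122250@pgsql_prod_db01.protoguard.local/pgamgt?sslmode=verify-full'
app.config['SQLALCHEMY_TRACK_MODIFICATIONS'] = False
"""

# Any scheme://token run, stopped by whitespace or a quote character.
URI_RE = re.compile(r"[A-Za-z][A-Za-z0-9+.-]*://[^\s'\"]+")

# Assumed list of driver schemes worth auditing (extend for your stack).
DB_SCHEMES = {"postgres", "postgresql", "mysql", "mssql", "oracle",
              "mongodb", "redis", "sqlite"}

SSL_MODES_VERIFYING = {"verify-full", "verify-ca"}


def find_db_uris(text):
    """Return every URL-like token whose scheme looks like a database driver."""
    found = []
    for match in URI_RE.finditer(text):
        scheme = match.group(0).split("://", 1)[0].lower()
        # SQLAlchemy dialects look like 'postgresql+psycopg2'; keep the base.
        if scheme.split("+", 1)[0] in DB_SCHEMES:
            found.append(match.group(0))
    return found


def audit_db_uri(uri):
    """Return a list of human-readable findings for one connection string."""
    parts = urlsplit(uri)
    findings = []
    if parts.password:
        findings.append("password embedded in URI")
    if parts.scheme.split("+", 1)[0] in ("postgres", "postgresql"):
        params = dict(kv.split("=", 1) for kv in parts.query.split("&") if "=" in kv)
        if params.get("sslmode") not in SSL_MODES_VERIFYING:
            findings.append("no sslmode=verify-full/verify-ca (server certificate not verified)")
    return findings


def redact_uri(uri):
    """Replace the password component with *** so reports can be shared."""
    parts = urlsplit(uri)
    if not parts.password:
        return uri
    hostport = parts.hostname or ""
    if parts.port:
        hostport += f":{parts.port}"
    netloc = f"{parts.username}:***@{hostport}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def scan_source(text):
    """Audit every DB URI in a blob of source text; passwords are redacted."""
    return [{"uri": redact_uri(uri), "findings": audit_db_uri(uri)}
            for uri in find_db_uris(text)]


def load_uri_from_env(env):
    """Hardened alternative: the secret comes from the environment, never the repo.

    The variable name DATABASE_URL is an assumption of this example.
    """
    uri = env.get("DATABASE_URL")
    if not uri:
        raise RuntimeError("DATABASE_URL is not set; refusing to start without it")
    return uri


if __name__ == "__main__":
    for result in scan_source(SAMPLE_SOURCE):
        print(result["uri"])
        for finding in result["findings"]:
            print("  -", finding)
    # In a real app: app.config['SQLALCHEMY_DATABASE_URI'] = load_uri_from_env(os.environ)
```

Run it against a checkout with something like `scan_source(open(path).read())` per file; the hardcoded line from app/app.py yields one hit with the password redacted and the single finding "password embedded in URI", while the sslmode check passes because the URI already requests verify-full.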

