Havoc Hacking Articles

ProtoVault Breach

Analysis of Database and S3 Exposure in OffSec Challenge

Oct 23, 2025 - 3 minute read
OFFSEC Challenges

This lab was launched on October 6, 2025 by Offensive Security. The challenge centres on a ransom email from an anonymous adversary threatening to release the whole database. So let's dive in.

First, as usual, I downloaded the given file, unzipped it and got started.

When you unzip source_code.zip, take note of the "hidden" .git folder. Git artifacts and past application versions can reveal vulnerable software or old misconfigurations, and we will need them in a moment.

With all of our files downloaded and extracted, we can get started.

1. Determine if the leak could have come from the application. Review the database connection string to ensure it is secure. Submit the connection string here.

After reviewing the source code under app/app.py, we find the database connection string that the Python app uses to connect to a PostgreSQL database.

So the answer is postgresql://assetdba:8d631d2207ec1debaafd806822122250@pgsql_prod_db01.protoguard.local/pgamgt?sslmode=verify-full

2. Review the other source files. Which one may have leaked the database? Provide the file name.

After a thorough review of app.py, we can conclude that the application itself does not misroute or forward data to an external database. Therefore, we need another lead on how the adversary got access to the database.

When extracting, we noted the **.git** folder and said it would help; the time has come. With git log we can see all of the prior commits.

We can see here that there was a backup script. Maybe the adversary had access to the backup.

So we can review the commit that removed the backup script using the command below:

git show 1cc71b0fcfcdbfefc7b59cecd898f13b532acc35

Further down the diff we see a def upload_to_s3(): function, and given the evidence (the backup file being uploaded to an AWS S3 bucket) we can say that is how the adversary got access to the database. Answer: backup_db.py

After toiling and moiling, we couldn't do question 3 without going through question 4 first, so let's go. :)

4. Submit the public address of the database leak, including the name of the file.

Using the script's variables together with the upload_to_s3() function, we can put together the S3 public address. The challenge is looking for the s3:// form of the address, not the HTTP(S) version. So boom! Answer: s3://protoguard-asset-management/db_backup.xyz

3. Using the results of your analysis, discover the public address of the database leak. Verify the contents of the leak by submitting the password hash for Naomi Adler.

Based on our S3 public address, we can convert it to the HTTP(S) version and download db_backup.xyz as the challenge asks.

For further explanation read here: https://stackoverflow.com/questions/7933458/how-to-format-a-url-to-get-a-file-from-amazon-s3

So with this link we can download the file: wget https://protoguard-asset-management.s3.us-east-2.amazonaws.com/db_backup.xyz

Based on the backup_db.py script seen earlier, db_backup.xyz was encoded with ROT13, so we use this bash one-liner to decode the whole file for easier reading.

cat db_backup.xyz | tr 'A-Za-z' 'N-ZA-Mn-za-m' > db_backup.sql

And boom, we can now retrieve Naomi Adler's hash from the publicly exposed S3 bucket, proving how the adversary retrieved the data. So the answer is:

pbkdf2:sha256:600000$YQqIvcDipYLzzXPB$598fe450e5ac019cdd41b4b10c5c21515573ee63a8f4881f7d721fd74ee43d59
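The three checks this walkthrough does by hand (reviewing the DSN in question 1, turning the s3:// address into its HTTPS form in question 4, and ROT13-decoding the backup to pull one user's hash in question 3), as an added Python example that is not part of the original post or the challenge's code. The function names, the users-table layout and the sample dump are my own assumptions.

```python
import codecs
import re
from typing import Optional
from urllib.parse import urlparse

def audit_connection_string(dsn: str) -> dict:
    """Checks a reviewer makes on a database DSN: is a password embedded in
    the URL, and does sslmode actually verify the server certificate?"""
    u = urlparse(dsn)
    params = dict(p.split("=", 1) for p in u.query.split("&") if "=" in p)
    sslmode = params.get("sslmode", "prefer")  # libpq default when unset
    return {
        "embedded_password": u.password is not None,
        "sslmode": sslmode,
        "tls_verified": sslmode in ("verify-ca", "verify-full"),
    }

def s3_uri_to_https(uri: str, region: str) -> str:
    """Turn s3://bucket/key into the virtual-hosted-style HTTPS URL that a
    plain HTTP client (wget, a browser) can fetch if the object is public."""
    u = urlparse(uri)
    if u.scheme != "s3" or not u.netloc or not u.path.strip("/"):
        raise ValueError("expected s3://bucket/key")
    return f"https://{u.netloc}.s3.{region}.amazonaws.com/{u.path.lstrip('/')}"

def decode_rot13_dump(data: str) -> str:
    """Same mapping as tr 'A-Za-z' 'N-ZA-Mn-za-m': letters rotate, while digits
    and punctuation (including the '$' separators of the hash) pass through."""
    return codecs.decode(data, "rot_13")

def find_password_hash(sql: str, full_name: str) -> Optional[str]:
    """Pull the stored hash for one user out of a decoded dump. Assumes a
    hypothetical users table written as INSERT ... VALUES ('Name', 'hash');"""
    m = re.search(r"\('" + re.escape(full_name) + r"',\s*'([^']+)'\)", sql)
    return m.group(1) if m else None

# Constructed stand-in for db_backup.xyz: a one-row dump, ROT13 "encoded" the
# same way the leaked backup was (ROT13 is its own inverse, so encode == decode).
SAMPLE_SQL = (
    "INSERT INTO users VALUES ('Naomi Adler', "
    "'pbkdf2:sha256:600000$constructedsalt$0123abcd');\n"
)
SAMPLE_BACKUP = codecs.encode(SAMPLE_SQL, "rot_13")

if __name__ == "__main__":
    print(audit_connection_string("postgresql://dba:secret@db.example.local/app"))
    print(s3_uri_to_https("s3://protoguard-asset-management/db_backup.xyz", "us-east-2"))
    print(find_password_hash(decode_rot13_dump(SAMPLE_BACKUP), "Naomi Adler"))
```

Run against the real connection string from question 1, the audit reports an embedded password even though sslmode=verify-full is set, which is exactly the split the challenge is probing: the transport is verified but the credential still sits in source control.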

Conclusion

While some questions needed deep thinking and research, I was able to grasp one or two things from this, and it was fun.

HAPPY HACKING :)