Dust Jacket
A cooperative bookstore that ships nationwide. The shop has been migrating off an old hosting plan — and they left a few crates of files where the public can poke at them.
The Scenario
Dust Jacket is a regional indie-bookstore co-op based in Asheville, NC. They share inventory across three storefronts and sell online. The new e-commerce site went live last week; the old site is still half-deployed on the same box. A reader noticed the new server is "weirdly verbose" about what it's hosting.
Challenge Intel
Synopsis
An /archive/ directory has autoindex on and ships a .bak file with owner credentials inside.
What It Is
Apache is configured with `Options +Indexes` on the /archive/ directory. The directory listing exposes config.php.bak (legacy WordPress config from the old site), site.zip.old, and a few decoy backups. The .bak file contains a DB_PASSWORD line and an `OWNER_KEY` constant. POSTing that OWNER_KEY to /owner returns the flag.
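For the defender's side of this misconfiguration, here is an added Apache vhost fragment that is not part of the challenge or of any real Dust Jacket configuration: the weak block reproduces the `Options +Indexes` exposure the challenge describes, and the hardened block beside it disables the listing and refuses to serve backup and editor leftovers under the docroot at all. The docroot path and the exact extension list are assumptions. Apache does not permit comments on the same line as a directive, so every comment below sits on its own line.

```apache
# Added example, not the challenge's own config. The docroot path is assumed.

# --- Weak: the configuration the challenge describes ---
# autoindex is on, so every file in /archive/ (config.php.bak, site.zip.old, ...)
# is listed to anyone who requests the directory.
<Directory "/var/www/html/archive">
    Options +Indexes
    AllowOverride None
    Require all granted
</Directory>

# --- Hardened ---
# No listing: a request for /archive/ with no index file now returns 403.
<Directory "/var/www/html/archive">
    Options -Indexes
    AllowOverride None
    Require all granted
</Directory>

# Defence in depth: refuse to serve backup and editor leftovers wherever they
# land under the docroot (matches config.php.bak, site.zip.old, foo.php~, ...).
# The real fix is still not leaving migration debris on a production host.
<FilesMatch "(\.(bak|old|orig|save|swp)|~)$">
    Require all denied
</FilesMatch>
```

After reloading, `apachectl configtest` should report `Syntax OK`, a request for `/archive/` should return 403 instead of a listing, and a request for `/archive/config.php.bak` should also return 403. For detection, a 200 response in the access log to any path matching the same extension pattern is a strong signal that this class of debris was reachable before the fix.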
Who It's For
Players who know to look for backup-file naming patterns and directory listings but haven't yet built the muscle of grepping recovered configs for app-specific secrets.
Skills You'll Practice
- Recognising autoindex / directory listing exposure
- Enumerating predictable backup filename patterns (.bak, .old, ~)
- Grepping recovered config files for credentials
What You'll Gain
- An eye for legacy-migration debris on production hosts
- A pattern: backup file leaks credentials -> credentials unlock a route
Ready to hack Dust Jacket?
Upgrade to Pro to unlock this challenge and the full library.