Secure Legion Labs
Misconfiguration Lab
This room simulates a public web directory where indexing was left enabled. Your goal is to browse exposed folders, locate the sensitive backup area, and retrieve the leaked configuration file that should never have been web-accessible.
The target returns a generated index page instead of a 403 when certain directories are requested directly.
Backup and export folders are often forgotten because teams assume obscurity is enough.
Start with ordinary web-accessible directories, then pivot toward paths that usually hold archives, exports, or old operational files.
Topics: public static-style paths, backup and archive folders, indexed storage areas, sensitive backup file exposure.
Use the exposed directory listing exactly like a tester would: enumerate folders first, then pivot into backup files.
The server returns raw directory indexes instead of restricting access. Once the right path is reached, the leaked backup file becomes directly retrievable.
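The workflow above (request a directory, check whether the answer is a generated listing rather than a 403, parse the entries, pivot into backup or export style folders, pull out files that should never be web-accessible) as a small Python tool. This is an added example, not code from the room; the target paths, the folder-name hints, the sensitive-extension pattern and the FAKE_SITE listing are all constructed for illustration, and the fetch function is injected so the logic can be exercised offline before being pointed at the lab target.

```python
"""Directory-listing enumeration helper (added example, not part of the room).

Models the tester workflow: request a directory, detect whether the server
answered with an auto-generated index instead of a 403, parse the entries,
and pivot into backup/export style folders until a sensitive file turns up.
Every hostname, path and listing below is constructed for illustration.
"""
import re
import urllib.request
from collections import deque
from html.parser import HTMLParser
from urllib.error import HTTPError
from urllib.parse import urljoin

# Folder names that usually hold archives, exports or old operational files (assumed list).
PIVOT_HINTS = ("backup", "bak", "archive", "export", "old", "dump", "tmp", "logs")
# File names / extensions that should never be reachable from the web root (assumed list).
SENSITIVE_RE = re.compile(
    r"(\.(bak|old|orig|sql|zip|tar|tgz|gz|env|ini|yml|yaml|conf|cfg|json)$|^\.env|config)",
    re.IGNORECASE,
)


def is_autoindex(status, body):
    """True when a directory request produced a generated listing: HTTP 200 plus
    the markers Apache/nginx ("Index of /") or Python http.server
    ("Directory listing for") put in their index pages."""
    if status != 200:
        return False
    return bool(re.search(r"Index of /|Directory listing for", body))


class _LinkParser(HTMLParser):
    """Collects every <a href=...> in an index page."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def parse_autoindex(body, base_path):
    """Return (dirs, files) as absolute server paths listed under base_path,
    skipping the parent link and the sort links (?C=N;O=D) Apache adds."""
    parser = _LinkParser()
    parser.feed(body)
    dirs, files = [], []
    for href in parser.hrefs:
        if href.startswith("?") or href.startswith("../") or href == "/":
            continue
        path = urljoin(base_path, href)
        if not path.startswith(base_path) or path == base_path:
            continue
        (dirs if path.endswith("/") else files).append(path)
    return dirs, files


def pivot_score(path):
    """Higher score = visit first: backup-like folder names and sensitive
    extensions outrank ordinary static content such as css/ or js/."""
    name = path.rstrip("/").rsplit("/", 1)[-1].lower()
    score = sum(2 for hint in PIVOT_HINTS if hint in name)
    if SENSITIVE_RE.search(name):
        score += 3
    return score


def crawl(fetch, start="/", max_requests=50):
    """Breadth-first walk over browsable directories. `fetch(path)` returns
    (status, body). Returns the sensitive-looking file paths in discovery order."""
    queue, seen, findings, requests = deque([start]), {start}, [], 0
    while queue and requests < max_requests:
        path = queue.popleft()
        status, body = fetch(path)
        requests += 1
        if not is_autoindex(status, body):
            continue  # 403/404 or a real page: nothing to enumerate here
        dirs, files = parse_autoindex(body, path)
        findings.extend(f for f in files if SENSITIVE_RE.search(f.rsplit("/", 1)[-1]))
        for d in sorted(dirs, key=pivot_score, reverse=True):  # backup-ish folders first
            if d not in seen:
                seen.add(d)
                queue.append(d)
    return findings


def http_fetch(base_url):
    """Real fetcher for a lab target you are authorised to test."""
    def fetch(path):
        try:
            with urllib.request.urlopen(urljoin(base_url, path), timeout=10) as r:
                return r.status, r.read().decode("utf-8", "replace")
        except HTTPError as e:
            return e.code, ""
    return fetch


# Constructed sample site standing in for the lab target (Apache-style listings).
FAKE_SITE = {
    "/": (200, '<html><head><title>Index of /</title></head><body><h1>Index of /</h1>'
               '<a href="?C=N;O=D">Name</a> <a href="../">Parent Directory</a> '
               '<a href="css/">css/</a> <a href="backup/">backup/</a> '
               '<a href="index.html">index.html</a></body></html>'),
    "/css/": (200, '<title>Index of /css</title><a href="../">Parent</a><a href="site.css">site.css</a>'),
    "/backup/": (200, '<title>Index of /backup</title><a href="../">Parent</a>'
                      '<a href="exports/">exports/</a><a href="config.php.bak">config.php.bak</a>'),
    "/backup/exports/": (403, "Forbidden"),
}


def fake_fetch(path):
    return FAKE_SITE.get(path, (404, "Not Found"))


if __name__ == "__main__":
    for hit in crawl(fake_fetch):
        print("exposed:", hit)
    # Against a real lab target: crawl(http_fetch("http://target.lab/"))
```

Two points worth keeping in mind when using it. The listing detection keys on the index page markers, so a server with a custom index template will look like a normal page and must be spotted by eye; and on the defending side the same probe doubles as a check: directory requests answering 403 after `Options -Indexes` (Apache) or `autoindex off` (nginx) mean the listing is closed, but a backup file under the web root stays retrievable by direct path until it is moved out or access to it is denied.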
The flag appears after you retrieve the intended sensitive backup file.
Submit the unlocked flag to complete the room.
The server returns a browsable listing instead of denying direct directory access.
The tester pivots from harmless folders toward backup or export locations.
A forgotten backup file becomes directly accessible through the public web root.