Skip to main content
The Template That Read the Disk operation cover
COMING SOONBeginner

The Template That Read the Disk

An internet-facing CrushFTP 10.6.0 portal at Tideglow Logistics is exploited via CVE-2024-4040. An attacker grabs an anonymous session, abuses the <INCLUDE> template tag to escape the virtual file system sandbox and read /etc/passwd, exfiltrates the serialized session store, lifts a live crushadmin token, and replays it from a second IP to take over the administrator account. Walk the access logs and firewall traffic step by step to trace the injection, the session theft, and the takeover.

25m
6 tasks
25 points
Free

Launches in 5 days

Jul 14, 2026

Tuesday, July 14, 2026 at 9:00 AM

Create your free account

Be ready the moment it drops — free forever.

Training Tools

SIEMFirewall

What you'll investigate

6 objectives unlock when this operation goes live.

1Brief: when a file server reads its own secrets
2Spot the template-injection payload
3Find the file that gave up the session tokens
4Trace where the admin session was replayed from
5Name the account the attacker became
6Map the initial access to MITRE ATT&CK

Be first when it launches

Create your free account now. The moment this operation goes live on Jul 14, 2026, you can jump straight in — and you'll have the rest of the catalog to train on meanwhile.

Get Started Free

No credit card required — free forever