404 FTW
Difficulty:
Shown in Report
Alabaster Snowball is standing in the very dark.
Objective Image
Back
Challenge

The next attack is forced browsing where the naughty one is guessing URLs. What's the first successful URL path in this attack?

Solution

After talking with Alabaster Snowball you will get following hint:

Wireshark Top Talkers

The victim web server is 10.12.42.16. Which host is the next top talker?

We'll unzip the artifacts and get a PCAP file which we can open using Wireshark. To see the Top Talkers we select statistics - conversations and the tab IPv4. By sorting the column packets we can see which host is sending/receiving the most packets and causing the biggest traffic.
In our case it's 18.222.86.32.

We get following hints:

Wireshark String Searching

The site's login function is at /login.html. Maybe start by searching for a string.