On this page

• Open Source Intelligence
• Meta (Easy)
• Threat Intel
• Codes
• Domain Recon
• Company Profile
• Compromise Report
• Cryptography
• Bashes
• Shift
• Alphabet
• Polyalphabetic
• ASCII
• Phone
• Morse
• Fencing
• Linux + Log Analysis
• Directories
• DPKG
• Breach Prevention

Open Source Intelligence

Meta (Easy)

This challenge has users find and identify information that is stored within pictures that are taken.

Reference:

Questions

1. On what date was this image created?

• How to solve: View the metadata using ExifTool or an online meta image viewer like https://exif.tools/ and look for the create date field
• Answer: 2020-10-22

2. What is the make of the camera that took the picture?

• How to solve: View the metadata using ExifTool or an online meta image viewer like https://exif.tools/ and look for the “make” field
• Answer: Hackercams

3. What is the model of the camera that took the picture?

• How to solve: View the metadata using ExifTool or an online meta image viewer like https://exif.tools/ and look for the “model” field
• Answer: Cyberlens 8400E

4. What is the flag hidden in the image?

• How to solve: View the metadata using ExifTool or an online meta image viewer like https://exif.tools/ and use grep to search for the flag
• Answer: SKY-YKFU-8855

Threat Intel

This challenge will give you experience conducting research on common security vulnerabilities. All that is required to solve these questions is to query online search engines and find multiple sources to confirm the answers.

Questions

1. What is the CVE for Dirty Cow?

• How to solve: Search google for “dirty cow cve”
• Answer: CVE-2016-5195

2. What company was affected by the Cloudbleed vulnerability?

• How to solve: Search google for “Cloudbleed”
• Answer: Cloudflare

3. What is the RFC number for TLS 1.2

• How to solve: Search google for “rfc number tls 1.2”
• Answer: 5246

4. What is the Metasploit module name that can be used to exploit the CVE-2017-6510 vulnerability?

• How to solve: Search google for “CVE-2017-6510 metasploit module”
• Answer: 15easy_file_sharing_ftp Easy File Sharing FTP

Codes

This is a challenge to look at the different types of barcode-type scannable resources.

Questions

1. What barcode format is being used by the first code?

• How to solve: The first Code #1 should be a familiar type of barcode called QR codes, these are commonly used on customer facing products such as flyers, restaurant menus, or general quick access to a website from your phone’s camera.
• Answer: QR (quick response)

2. What is the flag hidden in the first code?

• How to solve: Scan the QR code using your phone’s camera or use an online tool like https://zxing.org/w/decode.jspx or https://www.qrcoderaptor.com
• Answer: SKY-QRCD-4499

3. What barcode format is being used by the second code?

• How to solve: This is your more “standard” barcode used more primarily by businesses to track products and scan inventory. They can also be scanned by your phone’s camera or mobile apps or online tools like https://demo.dynamsoft.com/barcode-reader/
• Answer: code 128

4. What flag is hidden in the second code?

• How to solve: Use a tool like https://demo.dynamsoft.com/barcode-reader/
• Answer: SKY-EBIM-7920

5. What barcode format is being used by the third code?

• How to solve: This could be an unfamiliar barcode, so a quick way to find it would be to search “barcode types” and leading to sites like https://www.scandit.com/resources/guides/types-of-barcodes-choosing-the-right-barcode/. While looking through the “13 Common barcodes” you can see the familiar looking “Data Matrix” barcode. Or use a tool like this: https://demo.dynamsoft.com/barcode-reader/
• Answer: data matrix

6. What is the flag hidden in the third code?

• How to solve: Scan the barcode using your phone’s camera or mobile app or online tools like https://demo.dynamsoft.com/barcode-reader/
• Answer: SKY-LRVD-8573

Domain Recon

The challenge is to conduct reconnaissance on the cyberskyline.com domain.

Questions

1. What is the Registry Domain ID for the domain?

• How to solve: A good place to start for domain related lookups, ICANN is the place to go.https://lookup.icann.org/en/lookupYou can search by domain and in this case. The answer for this question is in the “Domain Information” grouping.
• Answer: cyberskyline.com

1854866838_DOMAIN_COM-VRSN

1854866838

2. Who is the registrar for the domain?

• How to solve: https://lookup.icann.org/en/lookup Contact Information > Registrant on the ICANN lookup tool
• Answer: Dynadot

Super Privacy Service

3. What is the IANA ID of the registrar for the domain?

• How to solve: https://lookup.icann.org/en/lookup. Registrar Information Grouping
• Answer: 472

4. When was the domain first registered (UTC)?

• How to solve: https://lookup.icann.org/en/lookup. In the Domain Information grouping at the top, the Created date will show when the domain was first registered, or created.
• Answer: 2014-04-15 19:03:26 UTC

Company Profile

You are given a company name and logo. The challenge is to gather information about the company to do reconnaissance.

Questions

1. How much money has this company raised in its first round of funding?

• How to solve: Searching for “StrongIntro funding rounds” can find the page https://tracxn.com/d/companies/strongintro/__5s_vdrCw--HO28DME7Xx5wZYJ6zZKC-yaM2LxDeoTq0/funding-and-investorsThis shows there only has been 1 round of funding and the amount it was for.
• Answer: $120k

$120,000

$120000

• Incorrect Answers: 120, $120

2. On what day did StrongIntro raise its first round of funding?

• How to solve: https://tracxn.com/d/companies/strongintro/__5s_vdrCw--HO28DME7Xx5wZYJ6zZKC-yaM2LxDeoTq0/funding-and-investors Shows the date of funding. Multiple answers are accepted due to potential information differing between sources.
• Answer: 2016-03-22

2016-03-23

2015-11-21

3. Who is the founder of StrongIntro?

• How to solve: On the same site, tracxn.com in the “Founders and & Board of Directors” sidebar will show the founder. https://tracxn.com/d/companies/strongintro/__5s_vdrCw--HO28DME7Xx5wZYJ6zZKC-yaM2LxDeoTq0/founders-and-board-of-directors
• Answer: Fouad Matin or Tieshun Roquerre (they are co-founders)

4. What programming language is StrongIntro's server written in?

• How to solve: Searching for “StrongIntro Github” is a good start to begin the search for any code they may have available.https://github.com/strongintro/docker-node repo shows their “StrongIntro node.js apps”.
• Answer: Javascript

NodeJS

Compromise Report

This challenge is to research around the malware that was found bundled in the CCleaner installer for version 5.33.

Questions

1. What is the name of the malware included in CCleaner?

• How to solve: Searching around for the name of malware can show a timeline of events which reveal the malware name: https://www.bleepingcomputer.com/news/security/avast-clarifies-details-surrounding-ccleaner-malware-incident/
• Answer:Floxif

Nyetya

2. How many seconds does the malware wait before starting malicious operations?

• How to solve: Looking at other reports, you can find a Talos Intelligence blog post that breaks down the technical aspects:https://blog.talosintelligence.com/avast-distributes-malware/In the CCBkrdr_GetShellcodeFromC2AndCall section, it shows the wait
• Answer: 601

601 seconds

3. What is the DLL that the malware infects?

• How to solve: In the same blog post, you can see it infects CBkrdr.dll https://blog.talosintelligence.com/avast-distributes-malware/
• Answer: CBkrdr.dll

4. What is the registry location where the malware stores the DGA IP address?

• How to solve: In the same blog post, in the Command and Control (C2) section, it breaks down the registry locations
• Answer: HKLM\SOFTWARE\Piriform\Agomo:NID

HKEY_LOCAL_MACHINE\SOFTWARE\Piriform\Agomo:NID

HKLM\SOFTWARE\Piriform\Agomo\NID

5. What specific IP address does the malware make HTTP POST requests to?

• How to solve: In the Talos Intelligence blog post, there is a diagram in the Command and Control (C2) section that shows the IP that is connected to.
• Answer: 216.126.225.148
• Incorrect Answer: 216.126.255.148

Cryptography

Bashes

This challenge has users identify and convert between different common number bases.

Reference:

Questions

1. 01001001 00100000 01100110 01101111 01110101 01101110 01100100 00100000 00110001 00110010 00110110 00100000 01110000 01100001 01110011 01110011 01110111 01101111 01110010 01100100 00100000 01101000 01100001 01110011 01101000 01100101 01110011

• How to solve: Decode from binary
• Answer: I found 1** password hashes

Answer varies according to user, can be 1 followed by any two digits.

2. 54686572652061726520333138206f70656e20706f727473

• How to solve: Decode from Hex
• Reference:
• Answer: There are 3** open ports

Answer varies according to user, can be 3 followed by any two digits.

3. d2UndmUgcmV0cmlldmVkIHRoZSBwaG9uZQ==

• How to solve: Decode from base64
• Answer: we've retrieved the ______

The answer can be computer, iphone, laptop, desktop, table, phone.

4. NzQ2ODY1NzkyNzcyNjUyMDcyNzU2ZTZlNjk2ZTY3MjA2MTIwNjY3NDcwMjA3MzY1NzI3NjY5NjM2NTIwNmY2ZTIwNzA2ZjcyNzQyMDMyMzgzNDM5

• How to solve: Convert from base64 and then convert that output from Hex
• Answer: they're running a ftp service on port 2***

The answer can be http, http, ftp, mysql, ssh, smtp, imap, irc and a port number of 2 followed by any three digits.

Shift

This challenge has users identify transposition, or shift ciphers, to decode the ciphertext back into the plaintext.

Reference:

Questions

1. guvf cebonoyl vfag frpher

• How to solve: Use Rot13 to decode it
• Answer: this probably isnt secure

2. bpqa qavb uckp jmbbmz

• How to solve: Use Rot18 to decode it
• Answer: this isnt much better

Alphabet

This is a simple letter-number substitution cipher that will have users converting the numerical alphabet positions to letters.

Questions

1. 9 19-5-5-13 20-15 8-1-22-5 12-15-19-20 13-25 6-12-1-19-8-4-18-9-22-5

• How to solve: Each letter represents the numerical alphabet character. ‘I’ is the 9th letter in the alphabet, ‘19’ is S and the grouped letter are the different words.
• Answer: I seem to have lost my flash drive

Polyalphabetic

This challenge is encoded using a simple polyalphabetic cipher. Users will have to try different ciphers to find the one that properly decodes the message.

Reference:

Questions

1. gsv szmwluu droo yv yvsrmw gsv nlerv gsvzgvi

• How to solve: Decode using an atbash cipher
• Answer: the handoff will be behind the movie theater

ASCII

This challenge has users decode a hidden message that has been encoded using ASCII numbers.

Questions

1. 84 104 101 114 101 32 97 114 101 32 101 105 103 104 116 32 118 117 108 110 101 114 97 98 105 108 105 116 105 101 115 32 111 110 32 116 104 101 32 115 101 114 118 101 114

• How to solve: Each decimal number represents an ASCII character, for example ‘84’ in ASCII represents the letter T. Use a tool like Cyber Chef to convert from decimal to ASCII.
• Answer: There are eight vulnerabilities on the server

Phone

Questions

1. What is the plaintext of the message: 555-2-88-66-222-44 8-44-33 7-44-444-7777-44-444-66-4 2-8-8-2-222-55?

• How to solve: This is a Multitap Phone cipher used in mobile phones to type text/SMS on a keyboard with a numeric keypad. You can begin with running the cipher through a cipher identifier like this one: https://www.dcode.fr/cipher-identifier
• Answer: launch the phishing attack

Morse

Questions

What is the plaintext message?

• How to solve: This can be done by ear or by looking at the graph of the audio using a tool like audacity. You can also use online tools such as https://morsecode.world/international/decoder/audio-decoder-adaptive.html to decode.
• Reference:
• Answer: send the bitcoin

Fencing

This challenge has users decode transposition ciphers. This one in particular is a rail fence cipher, the name fencing is a hint toward a rail fence cipher.

Reference:

Questions

1. whydue r vhc e i o s oecyttedieikdyutnphr

• How to solve:  rail fence cipher decode key 3 offset 0
• Answer: which key did you use to encrypt the drive

2. u epelh lhotsotg era oredtv

• How to solve: rail fence cipher decode key 6 offset 0
• Answer: upload the log to the server

Linux + Log Analysis

Directories

This challenge involves looking traversing a Linux file system. Starting from the user's home directory and eventually changing the user to view other directories.

Reference:

Questions

1. What is the absolute file path of the directory you start in when you connect to the terminal? (You can use the "exit" command to quit the terminal and re-enter)

• How to solve: Using the command pwd you can print out the directory that you start in.
• Answer: /home/basic-user/start

2. What is flag1, the flag that is in the home directory?

• How to solve: It solves this first change into the user's home directory using the cd command. You can then use ls to see any files in the directory and cat to view the contents of the flag file.
• Answer: SKY-HBHD-9913

3. What is flag2, the flag that is in a "temporary" location?

• How to solve: Linux stores temporary files in the /tmp/ directory. You can change into the directory using cd /tmp then use ls and cat to find and view the file.
• Answer: SKY-YDBJ-9262

3. What is flag3, the flag that is located where the logs are?

• How to solve: Linux stores log files in the /var/log/ directory. Navigate to this directory using cd and then use ls and cat to find and view the file:

cd /var/log/

ls

cat flag3.txt

• Answer: SKY-IKCW-2336

4. What is flag4, the flag that is in root's home?

• How to solve: You need to be able to switch to the root user. In the starting directory there is a file called README.md Its contents container the root password. Use su root and use the password in this file to login as root. Afterwards use the same process as solving question number 2.
• Answer: SKY-WIQA-1402

5. What is flag5, the flag that is hiding in root's home?

• How to solve: Use ls -la to show all the files in the root directory. Files that begin with a . (Example .bashrc ) are hidden files and not shown by default. Using -a with the ls command shows these files.
• Answer: SKY-WPEJ-2171

DPKG

This challenge requires analyzing a dpkg log. This log container information about what software has been installed and removed from the system.

Reference:

Questions

1. What version number of mongodb was installed on the machine?

• How to solve: In the /var/log directory there is a dpkg.log file. If you use grep mongodb /var/log/dpkg.log you will see all mongodb related entries. This information includes any version information.
• Answer: 3.4.15

2. What version of gnupg-utils was installed on the machine?

• How to solve: Use grep gnupg-utils /var/log/dpkg.log And look specifically for when a package is fully installed. This means the line will not include the half-installed indicator.
• Answer: 2.10

2.5-1

2.20

• Incorrect: 2.2.5-1 2.2.10-1

3. What distribution of Linux is the machine running?

• How to solve: Looking at the /etc/apt/sources.list file shows that this distribution is kali, or cat /etc/os-release
• Answer: kali

4. When was mongodb uninstalled from the machine (round up to the nearest minute)?

• How to solve: Again looking at the dpkg log you can tell when the package is uninstalled by looking for the remove action and using the timestamp at the start of the line.
• Answer: 2018-11-16 04:18

Breach Prevention

The point of the challenge is to extract important data out of a security appliance log file.

Reference:

Questions

1. How many total attacks were blocked by the breach prevention software?

• How to solve: Run the following command grep "Blocking reason" breach.log | wc -l This looks for each block that occurred and gets a total of the number of occurrences
• Answer: 340

2. What IP address attempted the most attacks?

• How to solve: grep "IP" breach.log | sort | uniq -c This commands looks for each IP field, sorts them, and then gets the amount of times each IP occurs.
• Answer: 172.16.4.27

3. How many remote file inclusion attacks were prevented?

• How to solve: grep "Blocking reason" breach.log | sort | uniq -c This command looks at the amount of times each type of prevention worked
• Answer: 12

4. How many different types of attacks are listed in this log?

• How to solve: grep "Blocking reason" breach.log | sort | uniq -c This command looks at the amount of times each type of prevention worked.
• Answer: 3

5. What software was used by 172.16.4.27 against this server?

• How to solve: How to solve: Since this log file has its entries split across multiple lines, the easiest way to solve this challenge is to open the log file into a text editor, like notepad++, and search for the ip and look at a given entry for it.
• Answer: OpenVAS

Open Vulnerability Assessment System

Open VAS

6. How many different IP addresses attempted an attack on this server?

• How to solve: grep "IP" breach.log | sort | uniq | wc -l

This command will get the total number of unique ip address that attacked the server.

• Answer: 5

7. What URL was blocked the most often by the direct file inclusion defense?

• How to solve:

cat breach.log | grep -A 3 'Blocking reason: dfishield' | grep 'URL.*:' | sort | uniq -c | sort -n | tail

This will get the counts for how many time each URL appeared in the log.

• Answer: https://www.dc4-web-portal.cityinthe.cloud/uploadify/uploadify.php?folder=/
• Incorrect: https://dc4-web-portal.cityinthe.cloud/index.php?url=http://116.125.126.111/page.php

https://dc4-web-portal.cityinthe.cloud/index.php