Introduction Instructor Guide
Open Source Intelligence
Meta
Objectives
Students will be able to use a metadata viewer to determine information about a photo that was taken.
Prompt
This challenge will give you experience with extracting metadata from an image file. You are given an image that contains metadata, and you will need to use a metadata viewer to help answer the questions.
Questions
- When was the image created? Round down to the nearest minute.
- What are the dimensions of the image? (ex: 800x600)
- What is the make of the camera that took the picture?
- What is the model of the camera that took the picture?
- What is the exposure time for the picture? (ex: 1/200)
- Where was the picture taken? Please use only positive numbers with 4 decimal places. (ex: 45.4000N, 75.6667W)
Walk-through
A quick Google search for “metadata viewer” will provide several websites that can be used to view the metadata from the image.
Download the image from the challenge prompt window. Upload the image to the viewer to get a table containing the metadata information. Below is a view of metadata2go.com, but other tools or sites will work as well.
Find the corresponding field in the table to get the answer to each question.
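Metadata viewers read the EXIF block, which is laid out as TIFF image file directories (IFDs): a table of tagged entries, each with a type, a count and either an inline value or an offset to the value. The following Python example is added to this guide (it is not part of the challenge materials) and shows how such a viewer finds the Make, Model, Exposure Time and GPS fields. The image bytes it parses are constructed in code rather than read from a photo; the sample values mirror the answer key above, and the DMS-to-decimal conversion is the one the GPS question expects.

```python
import struct

# TIFF/EXIF field types used here, and how many bytes one element occupies.
ASCII, LONG, RATIONAL = 2, 4, 5
TYPE_SIZE = {ASCII: 1, LONG: 4, RATIONAL: 8}

# Tag numbers from the EXIF specification; the GPS sub-IFD has its own small tag numbers.
TAGS = {0x010F: "Make", 0x0110: "Model", 0x829A: "ExposureTime", 0x8825: "GPSInfoIFD"}
GPS_TAGS = {0x0001: "GPSLatitudeRef", 0x0002: "GPSLatitude",
            0x0003: "GPSLongitudeRef", 0x0004: "GPSLongitude"}


def build_ifd(entries, offset):
    """Serialise one little-endian IFD placed at `offset`; values longer than
    4 bytes are stored after the entry table and referenced by offset."""
    table_len = 2 + 12 * len(entries) + 4
    table, data = struct.pack("<H", len(entries)), b""
    for tag, typ, value in entries:
        if typ == ASCII:
            raw = value.encode() + b"\x00"
        elif typ == LONG:
            raw = struct.pack("<I", value)
        else:
            raw = b"".join(struct.pack("<II", num, den) for num, den in value)
        count = len(raw) // TYPE_SIZE[typ]
        if len(raw) <= 4:
            field = raw.ljust(4, b"\x00")
        else:
            field = struct.pack("<I", offset + table_len + len(data))
            data += raw
        table += struct.pack("<HHI", tag, typ, count) + field
    return table + struct.pack("<I", 0) + data   # 0 = no next IFD


def build_sample_tiff():
    """Constructed TIFF blob (not a real photo) carrying the fields the challenge asks about."""
    main = [(0x010F, ASCII, "Apple"), (0x0110, ASCII, "iPhone 5"),
            (0x829A, RATIONAL, [(1, 640)]), (0x8825, LONG, 0)]
    gps = [(0x0001, ASCII, "N"), (0x0002, RATIONAL, [(39, 1), (52, 1), (30, 1)]),
           (0x0003, ASCII, "E"), (0x0004, RATIONAL, [(20, 1), (0, 1), (36, 1)])]
    gps_offset = 8 + len(build_ifd(main, 8))      # GPS IFD follows the main IFD
    main[3] = (0x8825, LONG, gps_offset)
    return b"II*\x00" + struct.pack("<I", 8) + build_ifd(main, 8) + build_ifd(gps, gps_offset)


def parse_ifd(blob, offset, names, bo):
    """Read one IFD and return {tag name: decoded value}."""
    count, = struct.unpack_from(bo + "H", blob, offset)
    fields = {}
    for i in range(count):
        entry = offset + 2 + 12 * i
        tag, typ, n, field = struct.unpack_from(bo + "HHI4s", blob, entry)
        size = TYPE_SIZE[typ] * n
        start = entry + 8 if size <= 4 else struct.unpack(bo + "I", field)[0]
        raw = blob[start:start + size]
        if typ == ASCII:
            value = raw.rstrip(b"\x00").decode()
        elif typ == LONG:
            value = struct.unpack(bo + "I", raw)[0]
        else:
            value = [struct.unpack_from(bo + "II", raw, 8 * k) for k in range(n)]
        fields[names.get(tag, hex(tag))] = value
    return fields


def read_metadata(blob):
    """Follow the TIFF header to the first IFD, then into the GPS sub-IFD if present."""
    bo = "<" if blob[:2] == b"II" else ">"     # II = little-endian, MM = big-endian
    first, = struct.unpack_from(bo + "I", blob, 4)
    fields = parse_ifd(blob, first, TAGS, bo)
    if "GPSInfoIFD" in fields:
        fields.update(parse_ifd(blob, fields.pop("GPSInfoIFD"), GPS_TAGS, bo))
    return fields


def dms_to_decimal(dms, ref):
    """Degrees/minutes/seconds rationals -> decimal degrees with 4 places and the hemisphere letter."""
    deg, minute, sec = (num / den for num, den in dms)
    return f"{deg + minute / 60 + sec / 3600:.4f}{ref}"


def exposure_string(rational):
    num, den = rational[0]
    return f"{num}/{den}"


def summarize(blob):
    """The four answer-key fields, formatted the way the questions ask for them."""
    f = read_metadata(blob)
    return {"make": f["Make"], "model": f["Model"],
            "exposure": exposure_string(f["ExposureTime"]),
            "position": f"{dms_to_decimal(f['GPSLatitude'], f['GPSLatitudeRef'])}, "
                        f"{dms_to_decimal(f['GPSLongitude'], f['GPSLongitudeRef'])}"}


if __name__ == "__main__":
    print(summarize(build_sample_tiff()))
```

Because the GPS tags sit in their own sub-IFD, a viewer that only reads the first directory misses them; the same structure is what a metadata-stripping tool removes before a photo is published.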
Gym Answer Key
- When was the image created? (Round to the nearest minute)
How to solve: See the “Create Date” field from the metadata viewer.
Answer: 2015/05/15 02:14
- What is the image size in pixels? (ex: 800x600)
How to solve: See the “Image Size” field from the metadata viewer.
Answer: 1024x768
- What is the make of the camera that took the picture?
How to solve: See the “Make” field from the metadata viewer.
Answer: apple
- What is the model of the camera that took the picture?
How to solve: See the “Model” field from the metadata viewer.
Answer: iphone 5
- What is the exposure time for the picture? (ex: 1/200)
How to solve: See the “Exposure Time” field from the metadata viewer.
Answer: 1/640
- Where was the picture taken? Please use only positive numbers with 4 decimal places. (ex: 45.4000N, 75.6667W)
How to solve: See the “GPSPosition” field from the metadata viewer.
Possible answers:
  - 39.8750N 20.0100E
  - 39.8750N, 20.0100E
  - 39 deg 52' 30.00" N, 20 deg 0' 36.00" E
  - 39 deg 52' 30.00" N 20 deg 0' 36.00" E
  - 39.8750 20.0100
  - N 39° 52' 30'' E 20° 0' 36'’
  - Latitude 39:52:30 Longitude 20:0:36
  - 39; 52;30 20;0; 36
  - 39º 52' 30.00" N, 20º 0' 36.00" E
Incorrect answers:
  - 39.8750 -20.0100
  - -39.8750 -20.0100
  - -39.8750N, 20.0
Extension Activities
Grade level | Extension Activity | Objective | Activity Steps |
6-8 | News Verification Lab | Distinguish between real and fake news using OSINT techniques. | Give students headlines or short articles. Ask them to: reverse image search pictures; check sources; cross-reference news stories. |
9-12 | OSINT Tools Treasure Hunt | Explore safe, open-source tools. | Tools: WHOIS lookup, Google Earth, The Wayback Machine, Social Search Engines (e.g., Social Searcher, IntelX). Activity: Create a challenge where students have to: find who owns a domain; look at archived versions of a website (use the Wayback Machine); track public social posts for patterns. |
Lookup
Objectives
Students will be able to find and use a specification document to answer questions about DNS.
Prompt
Answer these questions about DNS. Make sure you enter the record type and not the description of the record type.
Questions
Answer these questions about DNS. Make sure you enter the record type and not the description of the record type:
- What type of DNS record holds the DNSSEC public signing key?
- What type of DNS record is used to map hostnames to IPv6 addresses?
- What type of DNS record is used to delegate a DNS zone?
Walk-through
This challenge will give you experience conducting online research in order to answer specific technical questions involving the Domain Name System (DNS) protocol.
A quick online search of each question should provide several sources with the answer. Be careful to make sure that the answer that you obtain can be verified using an authoritative source. If you search for “DNS protocol specification”, you should find that the Internet Engineering Task Force (IETF) publishes the specification for DNS. You should use IETF resources as the authoritative source for answers.
Knowing how to read and understand a specification document is important because many technologies across all industries use these types of documents to keep implementation uniform.
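The record types asked about above are defined by number in the specifications the walk-through points to: NS is type 2 (RFC 1035), AAAA is type 28 (RFC 3596) and DNSKEY is type 48 (RFC 4034). The Python example below is added to this guide (not part of the challenge) to show what those definitions mean on the wire: it builds a query for a chosen type and parses a DNS response into records, rendering each RDATA the way its RFC describes it. The response it parses is constructed in code for a made-up zone (example.test, an assumed name), not captured from a real resolver.

```python
import base64
import ipaddress
import struct

# Resource record type codes, as assigned in the RFCs the walk-through points to.
RR_TYPES = {"NS": 2, "AAAA": 28, "DNSKEY": 48}      # RFC 1035, RFC 3596, RFC 4034
TYPE_NAMES = {code: name for name, code in RR_TYPES.items()}


def encode_name(name):
    """Wire-format domain name: length-prefixed labels ending in a zero byte (RFC 1035 s3.1)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode() for label in labels) + b"\x00"


def build_query(name, rtype, txid=0x1234):
    """Header (RD=1, one question) followed by QNAME, QTYPE and QCLASS=IN."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", RR_TYPES[rtype], 1)


def decode_name(msg, off):
    """Decode a name at `off`, following compression pointers (RFC 1035 s4.1.4)."""
    labels = []
    while True:
        length = msg[off]
        if length == 0:
            return ".".join(labels) + ".", off + 1
        if length & 0xC0 == 0xC0:
            ptr = struct.unpack_from(">H", msg, off)[0] & 0x3FFF
            tail, _ = decode_name(msg, ptr)
            return ".".join(labels + [tail.rstrip(".")]) + ".", off + 2
        labels.append(msg[off + 1:off + 1 + length].decode())
        off += 1 + length


def render_rdata(rtype, msg, off, rdlen):
    """Interpret RDATA according to the record type's RFC definition."""
    if rtype == 2:                                   # NS: the name server's domain name
        return decode_name(msg, off)[0]
    if rtype == 28:                                  # AAAA: a 128-bit IPv6 address
        return ipaddress.IPv6Address(msg[off:off + 16]).compressed
    if rtype == 48:                                  # DNSKEY: flags, protocol, algorithm, key
        flags, proto, alg = struct.unpack_from(">HBB", msg, off)
        return {"flags": flags, "protocol": proto, "algorithm": alg,
                "zone_key": bool(flags & 0x0100),    # bit 7: this key signs the zone
                "sep": bool(flags & 0x0001),         # bit 15: Secure Entry Point (a KSK)
                "public_key": base64.b64encode(msg[off + 4:off + rdlen]).decode()}
    return msg[off:off + rdlen].hex()


def parse_response(msg):
    """Return (rcode, [(owner, type, ttl, rdata), ...]) for every record in the message."""
    _, flags, qd, an, ns, ar = struct.unpack_from(">HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4                                     # skip QTYPE and QCLASS
    records = []
    for _ in range(an + ns + ar):
        owner, off = decode_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack_from(">HHIH", msg, off)
        off += 10
        records.append((owner, TYPE_NAMES.get(rtype, rtype), ttl,
                        render_rdata(rtype, msg, off, rdlen)))
        off += rdlen
    return flags & 0x000F, records


def build_rr(owner, rtype, rdata, ttl=3600):
    return owner + struct.pack(">HHIH", rtype, 1, ttl, len(rdata)) + rdata


def sample_response():
    """Constructed reply for a made-up zone; the DNSKEY bytes are filler, not a real key."""
    header = struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 3, 0, 0)   # QR=1, RD, RA, rcode 0
    question = encode_name("example.test") + struct.pack(">HH", 255, 1)
    owner = struct.pack(">H", 0xC00C)                # pointer to the name at offset 12
    ns = build_rr(owner, 2, b"\x03ns1" + struct.pack(">H", 0xC00C))
    aaaa = build_rr(owner, 28, ipaddress.IPv6Address("2001:db8::1").packed)
    dnskey = build_rr(owner, 48, struct.pack(">HBB", 257, 3, 13) + bytes(range(32)))
    return header + question + ns + aaaa + dnskey


if __name__ == "__main__":
    for record in parse_response(sample_response())[1]:
        print(record)
```

Flags value 257 on the DNSKEY is the combination students will most often see in a real zone: Zone Key plus Secure Entry Point, i.e. the key-signing key whose hash is published in the parent's DS record.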
Gym Answer Key
- What type of DNS record holds the DNSSEC public signing key?
How to solve: DNSSEC is described in RFC 4034. The information related to the record can be found in section 2.
Answer: DNSKEY
- What type of DNS record is used to map hostnames to IPv6 addresses?
How to solve: The DNS extensions to support IPv6 are described in RFC 3596. The information related to the record can be found in section 2.
Answer: AAAA
- What type of DNS record is used to delegate a DNS zone?
How to solve: The DNS record used to delegate a DNS zone is described in RFC 1035. Answering this question requires reading the specification to understand what it means to delegate a DNS zone, in order to identify that the record type needed to delegate a zone is the one that indicates an authoritative name server.
Answer: NS or Name Server
Extension Activities
Grade level | Extension Activity | Objective | Activity Steps |
6-8 | Username Investigation Game | Understand how usernames can reveal a digital trail. | Give a fictional username (e.g., “AlexGamer47”) and have students: search for it on YouTube, Twitter (using screenshots), or game forums; record patterns of use: hobbies, interests, locations. Discussion Prompt: Why do people reuse usernames? What can others learn from that? |
9-12 | Social Media Pattern Analysis | Understand how public posts create patterns. | Using a fictional account (set up by the teacher), have students: map post times and locations; identify potential routines; connect hashtags to interests or communities. |
Threat Intel
Objectives
Students will be able to use search tools to answer questions about security topics.
Prompt
Answer the following questions about security issues.
Questions
Answer the following questions about security issues:
- What is the CVE of the original POODLE attack?
- What version of VSFTPD contained the smiley face backdoor?
- What was the first 1.0.1 version of OpenSSL that was NOT vulnerable to heartbleed?
- What was the original RFC number that described Telnet?
- How large (in bytes) was the SQL Slammer worm?
- Samy is my…
Walk-through
This challenge will give you experience conducting research on common security vulnerabilities. All that is required to solve these questions is to query online search engines and find multiple sources to confirm the answers.
Wikipedia can be a good place for open source intelligence work because multiple sources for the information are often linked on the page. Always be sure to double check and verify your answer with another source!
Gym Answer Key
- What is the CVE of the original POODLE attack?
How to solve: The answer to this question can be found on Wikipedia.
Answer: CVE-2014-3566
- What version of VSFTPD contained the smiley face backdoor?
How to solve: The answer to this question can be found on Wikipedia.
Answer: 2.3.4
- What was the first 1.0.1 version of OpenSSL that was NOT vulnerable to heartbleed?
How to solve: The answer to this question can be found on Wikipedia.
Answer: 1.0.1g
- What was the original RFC number that described Telnet?
How to solve: The answer to this question can be found on Wikipedia.
Answer: 15
- How large (in bytes) was the SQL Slammer worm?
How to solve: The answer to this question can be found on Wikipedia.
Answer: 376
- Samy is my…
How to solve: The answer to this question can be found on Wikipedia.
Answer: hero
Extension Activities
Grade level | Extension Activity | Objective | Activity Steps |
6-8 | Build-A-Hacker Workshop (Fictional Personas) | Understand how threat actors gather info. | Given a scenario (e.g., a hacker wants to target a school), students: use fictional student or staff profiles; identify what information is publicly available (e.g., school calendar, staff names). Outcome: Students write a short paragraph predicting how the hacker might use the info and how to defend against it. Have students share their writings. |
9-12 | Fake Job Post Scam Breakdown | Understand how cybercriminals target individuals. | Students analyze fake job posts or emails (pre-curated). Use OSINT to check company legitimacy (e.g., WHOIS, company site vs fake URL). Discussion Prompt: How do threat actors use platforms like LinkedIn to customize attacks? |
HTTP Headers
Objectives
Students will be able to find resources to understand different types of HTTP request headers.
Prompt
Solve these questions about HTTP headers.
Questions
Solve these questions about HTTP headers.
- What HTTP request header is used to denote what URI linked to the resource being requested?
- What HTTP request header is used to identify the client software that made the HTTP request?
- What HTTP request header is used to identify the acceptable content types that can be returned?
Walk-through
This challenge will give you experience researching HTTP headers.
The answers to these questions can be found by doing an online search. A full table of HTTP headers can be found on Wikipedia.
Locating answers on a Webpage
One method for locating answers on a webpage involves using the search function by pressing “CTRL + F” on the keyboard. This opens a dialog box where a keyword or short phrase can be entered to find specific content on the page.
It may be helpful to research and define unfamiliar terms from the question beforehand for better comprehension. Afterward, using “CTRL + F” can assist in identifying related terms or similar language within the page content.
Please Note: One of the terms has been misspelled so often that the incorrect spelling is now standard usage. Please make sure you double check to see the spelling that is used in whatever reputable resource you find!
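The three headers in this challenge are easiest to understand by looking at how a server actually reads them. The Python example below is added to this guide (it is not part of the challenge) and parses a raw HTTP/1.1 request into a case-insensitive header map, then applies the content negotiation that the Accept header's description mentions, honouring q-values. The request it parses is constructed inline, and the host example.test and the browser string are made up; note that the lookup is for the header spelled referer, exactly as the specification spells it.

```python
def parse_request(raw):
    """Split a raw HTTP/1.1 request into its request line and a case-insensitive header map."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ")
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()   # header names are case-insensitive
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def parse_accept(value):
    """Expand 'Accept' into (media type, q) pairs, highest preference first (q defaults to 1)."""
    prefs = []
    for item in value.split(","):
        media, *params = (p.strip() for p in item.split(";"))
        q = 1.0
        for p in params:
            if p.startswith("q="):
                q = float(p[2:])
        prefs.append((media, q))
    # sorted() is stable, so types with equal q keep the order the client listed them in
    return sorted(prefs, key=lambda pair: pair[1], reverse=True)


def negotiate(accept_value, available):
    """Pick the first server-available type the client will accept; None means nothing fits."""
    for media, q in parse_accept(accept_value):
        if q == 0:
            continue                                  # q=0 means 'never send me this'
        major = media.split("/")[0]
        for candidate in available:
            if media in (candidate, "*/*") or (media.endswith("/*") and candidate.startswith(major + "/")):
                return candidate
    return None


def request_summary(raw):
    """The three facts the challenge questions ask for, read from one request."""
    req = parse_request(raw)
    h = req["headers"]
    return {
        "client": h.get("user-agent"),
        "came_from": h.get("referer"),        # the spelling in the spec; 'referrer' would be ignored
        "accepts": negotiate(h.get("accept", "*/*"), ["text/html", "application/json"]),
    }


# Constructed sample request (not captured from a real client).
SAMPLE = (
    "GET /page HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "User-Agent: ExampleBrowser/1.0 (constructed)\r\n"
    "Referer: https://example.test/previous-page\r\n"
    "Accept: application/json;q=0.9, text/html, */*;q=0.1\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print(request_summary(SAMPLE))
```

All three values are supplied by the client and can be set to anything, which is why a Referer check is not an access control and a User-Agent string is not an identity.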
Gym Answer Key
- What HTTP request header is used to denote what URI linked to the resource being requested?
How to solve: The description for this header is, “This is the address of the previous web page from which a link to the currently requested page was followed.” Note that the official specification for this header has “referrer” spelled incorrectly as “referer”.
Answer: referer
- What HTTP request header is used to identify the client software that made the HTTP request?
How to solve: The description for this header is, “The user agent string of the user agent.”
Answer: user-agent
- What HTTP request header is used to identify the acceptable content types that can be returned?
How to solve: The description for this header is, “Media type(s) that is/are acceptable for the response. See Content negotiation.”
Answer: accept
Extension Activities
Grade level | Extension Activity | Objective | Activity Steps |
6-8 | "What’s in a Web Request?" – Header Basics Lab | Introduce basic HTTP headers using simplified, printed mockups. | Present a mock HTTP GET request with headers like User-Agent, Host, and Referer. Ask students to decode what device/browser was used, what website was accessed, and where the request came from. Discussion Prompt: How could this data help someone track you online? |
9-12 | OSINT Header Case Study | Analyze how HTTP headers were used in a real-world investigation. | Setup: Use a public case (e.g., website misconfiguration or tech stack leakage). Activity: Provide captured headers from the case. Ask students to infer: server type, technologies in use, possible vulnerabilities. Ethics Discussion: When is it okay to analyze headers? What should be off-limits? |
WHOIS
Objectives
Students will be able to conduct a WHOIS query to learn publicly available information about a domain name.
Prompt
Conduct open source intelligence data collection about cityinthe.cloud. Answer the following questions as they relate to the cityinthe.cloud domain.
Questions
Conduct open source intelligence data collection about cityinthe.cloud. Answer the following questions as they relate to the cityinthe.cloud domain.
- Who is the registrar of this domain?
- On what day was this domain first registered?
- What is this domain's registry domain ID?
- What is the Top-Level Domain (TLD) of this domain?
- What organization manages the TLD used by cityinthe.cloud?
Walk-through
This challenge involves conducting a WHOIS query on a domain name. WHOIS is a protocol for querying databases that store information about Internet resources and domain names.
A domain name is a human-readable address that identifies resources on the Internet. Instead of the numerical IP addresses (e.g. 8.8.8.8) that computers use, domain names (e.g. google.com) provide an easier way for humans to access the Internet.
For those unfamiliar with the concept of domain names and the DNS system, the following articles may provide useful background before proceeding with the challenge.
Initial Steps
To solve this challenge, use an executable tool (such as the standard whois command-line tool found on *nix systems) or a browser-based lookup tool such as ICANN’s registration data lookup tool.
Breaking Down a Domain Name
The cityinthe.cloud domain name can be broken down into two components:
- cityinthe: the second-level domain
- .cloud: the top-level domain (TLD)
A quick search of the .cloud TLD will pull up the Wikipedia article for the .cloud TLD (shown below) which will help provide key information to solving this challenge.
This research shows that the .cloud TLD is delegated by ICANN and managed by Aruba S.p.A., making these two organizations authoritative sources regarding the .cloud TLD.
Based on this information, ICANN’s registration lookup tool can be queried with confidence that its results are authoritative and should be preferred over those from third-party sources.
The results of the cityinthe.cloud query on the ICANN lookup tool (below) provide enough information to solve all the questions posed in this challenge.
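The whois command-line tool mentioned above is a thin client for a very simple protocol (RFC 3912): open a TCP connection to port 43 on the registry's WHOIS server, send the domain name followed by CRLF, and read free-form text until the server closes the connection. The Python example below is added to this guide (it is not part of the challenge) and shows that exchange, a parser for the key: value layout that registry responses use, the domain split the walk-through describes, and a registration-age calculation that the 9-12 extension activity's "fast-registered domains" clue relies on. The response it parses is constructed in code with the values from the answer key; the name servers and registrar WHOIS host in it are made up, and the live query function needs the TLD's real WHOIS server name passed in.

```python
import socket
from datetime import datetime, timezone


def whois_query(domain, server, port=43, timeout=10):
    """Raw WHOIS (RFC 3912): connect to TCP/43, send the query line with CRLF, read until close.
    `server` must be the WHOIS server for the domain's TLD (IANA's root zone database lists it).
    Network access; not exercised offline."""
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(domain.encode("ascii") + b"\r\n")
        chunks = []
        while chunk := sock.recv(4096):
            chunks.append(chunk)
    return b"".join(chunks).decode("utf-8", errors="replace")


def parse_whois(text):
    """Turn 'Key: value' lines into a dict, keeping the first value of any repeated key."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("%", "#", ">>>")):   # comments and legal notices
            continue
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields.setdefault(key.strip(), value.strip())
    return fields


def split_domain(domain):
    """cityinthe.cloud -> ('cityinthe', 'cloud'): second-level label and TLD."""
    sld, _, tld = domain.lower().rstrip(".").rpartition(".")
    return sld, tld


def domain_age_days(created_iso, now_iso=None):
    """Days since registration; very young domains are a common phishing indicator."""
    created = datetime.fromisoformat(created_iso.replace("Z", "+00:00"))
    now = (datetime.fromisoformat(now_iso.replace("Z", "+00:00")) if now_iso
           else datetime.now(timezone.utc))
    return (now - created).days


def summarize(domain, whois_text):
    """The answer-key fields for this challenge, pulled from a WHOIS response."""
    f = parse_whois(whois_text)
    sld, tld = split_domain(domain)
    return {
        "registrar": f.get("Registrar"),
        "created": f.get("Creation Date", "")[:10],      # keep only the date part
        "registry_domain_id": f.get("Registry Domain ID"),
        "sld": sld,
        "tld": tld,
    }


# Constructed response in the ICANN key: value layout; the answer-key values are reused,
# the name servers and registrar WHOIS host are made up.
SAMPLE_WHOIS = """\
Domain Name: cityinthe.cloud
Registry Domain ID: D15CD1AC4DEB54207A5048A69B9FC0558-ARI
Registrar WHOIS Server: whois.example-registrar.test
Registrar: Dynadot
Creation Date: 2016-02-16T00:00:00Z
Name Server: ns1.example.test
Name Server: ns2.example.test
>>> Last update of WHOIS database: 2016-02-16T00:00:00Z <<<
"""

if __name__ == "__main__":
    print(summarize("cityinthe.cloud", SAMPLE_WHOIS))
    print("age in days:", domain_age_days("2016-02-16T00:00:00Z"))
```

Because WHOIS output is unstructured text whose field names vary between registries, investigators working at scale usually prefer RDAP, the JSON successor that ICANN's own lookup tool uses; the parsing above is what the older protocol forces on you.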
Gym Answer Key
- Who is the registrar of this domain?
How to solve: See the “Registrar Information” section from the ICANN lookup results.
Answer: Dynadot
- On what day was this domain first registered?
How to solve: See the “Created” field from the ICANN lookup results.
Answer: 2016-02-16
- What is this domain's registry domain ID?
How to solve: See the “Registry Domain ID” field from the ICANN lookup results.
Answer: D15CD1AC4DEB54207A5048A69B9FC0558-ARI
- What is the Top-Level Domain (TLD) of this domain?
How to solve: See the description of how the domain name can be broken down.
Answer: cloud
- What organization manages the TLD used by cityinthe.cloud?
How to solve: See the research about the TLD.
Answer: Aruba
Extension Activities
Grade level | Extension Activity | Objective | Activity Steps |
6-8 | WHOIS Mystery Matching Game | Connect WHOIS records to fictional organizations. | Setup: Create 3–4 mock WHOIS records and 3–4 fictional website profiles. Activity: Students analyze clues like registrar location, organization name, or domain age. Match each WHOIS record to the correct fake website. Use cards or slides for a collaborative classroom game. |
9-12 | WHOIS in the Real World: Threat Intelligence Report | Apply WHOIS to a broader investigation. | Assign a simulated incident (e.g., spam email, fake site). Students gather WHOIS data and infer attacker profile traits (e.g., fast-registered domains, offshore registrars). Produce a 1-page “Threat Intel Summary.” |
PGP Lookup
Objectives
Students will query a public key database to identify the types of information stored there.
Prompt
Individuals use PGP to encrypt their emails securely. Can you find out more about the following PGP keys?
Questions
Individuals use PGP to encrypt their emails securely. Can you find out more about the following PGP keys?
- What is the key fingerprint for security@cpanel.net?
- What email address is associated with the key fingerprint 7A39A56B73D1E097D57435CFCDE2DE1DCB2077F2?
- On what date does the above key expire (in UTC)?
Walk-through
This challenge involves conducting a lookup on a PGP (Pretty Good Privacy) database. PGP utilizes public-key cryptography wherein a public/private key pair is used to encrypt, decrypt, and sign messages.
For those unfamiliar with PGP and public-key cryptography, the following articles may offer helpful background before proceeding with the challenge:
PGP cryptography allows a message to be encrypted so that it can only be decrypted by its intended recipient. To achieve this, the sender will use the recipient’s public key to encrypt the message so that only the recipient’s private key can decrypt the message.
The premise behind this challenge is that there are public databases that store records of public keys and their owners so that a sender may obtain their recipient’s public key to encrypt a message for them. Solving this challenge requires querying these databases to obtain this information. Some popular PGP lookup databases include, keyserver.ubuntu.com, keys.openpgp.org, and pgp.mit.edu.
There is no one single authoritative source keeping records of public keys, so it is important to compare the results across multiple different databases.
Below is a query using the keyserver.ubuntu.com database:
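Keyservers such as keyserver.ubuntu.com answer the same lookup the web page performs over HKP (the HTTP keyserver protocol), and with options=mr they return a colon-separated, machine-readable index instead of HTML: one pub: line per key (key ID or fingerprint, algorithm, bit length, creation and expiry as Unix epoch seconds) followed by uid: lines. The Python example below is added to this guide (it is not part of the challenge) and shows how to build that request and parse the result into the fingerprint, e-mail address and UTC expiry date the questions ask for. The index text it parses is constructed in code: the fingerprint and user ID are the ones named in this challenge, while the creation and expiry timestamps are chosen to match the answer key, so it is not a real keyserver response.

```python
import re
from datetime import datetime, timezone
from urllib.parse import quote, unquote
from urllib.request import urlopen


def index_url(query, server="https://keyserver.ubuntu.com"):
    """HKP index lookup in machine-readable form: op=index with options=mr."""
    return f"{server}/pks/lookup?op=index&options=mr&search={quote(query)}"


def fetch_index(query, server="https://keyserver.ubuntu.com"):
    """Live lookup against a keyserver (network access; not exercised offline)."""
    with urlopen(index_url(query, server), timeout=15) as resp:
        return resp.read().decode("utf-8", errors="replace")


def utc_date(epoch_field):
    """Epoch seconds -> YYYY-MM-DD in UTC; an empty field means the key never expires."""
    if not epoch_field:
        return None
    return datetime.fromtimestamp(int(epoch_field), tz=timezone.utc).strftime("%Y-%m-%d")


def parse_index(text):
    """Parse the 'pub:' and 'uid:' lines of the mr format into keys with their user IDs."""
    keys = []
    for line in text.splitlines():
        parts = line.split(":") + [""] * 7            # pad so short lines do not break indexing
        if parts[0] == "pub":
            keys.append({"fingerprint": parts[1].upper(), "algorithm": parts[2],
                         "bits": int(parts[3] or 0), "created": utc_date(parts[4]),
                         "expires": utc_date(parts[5]), "uids": []})
        elif parts[0] == "uid" and keys:
            keys[-1]["uids"].append(unquote(parts[1]))   # uid strings are percent-escaped
    return keys


def emails(key):
    """Every e-mail address found in the key's user IDs."""
    return [m.group(0) for uid in key["uids"] for m in re.finditer(r"[\w.+-]+@[\w.-]+", uid)]


def key_id(fingerprint):
    """The long key ID is the low 64 bits, i.e. the last 16 hex digits, of a v4 fingerprint."""
    return fingerprint[-16:]


def is_expired(key, on_date):
    """True when the key has an expiry and it is before `on_date` (YYYY-MM-DD)."""
    return key["expires"] is not None and key["expires"] < on_date


# Constructed mr output, not a real keyserver response (see the note above the code).
CREATED = int(datetime(2016, 2, 16, tzinfo=timezone.utc).timestamp())
EXPIRES = int(datetime(2050, 12, 26, tzinfo=timezone.utc).timestamp())
SAMPLE_INDEX = (
    "info:1:1\n"
    f"pub:7A39A56B73D1E097D57435CFCDE2DE1DCB2077F2:1:4096:{CREATED}:{EXPIRES}:\n"
    f"uid:hx%40liber8tion.cityinthe.cloud:{CREATED}::\n"
)

if __name__ == "__main__":
    for key in parse_index(SAMPLE_INDEX):
        print(key["fingerprint"], emails(key), "expires", key["expires"])
```

Anyone can upload a key with any user ID to these servers, which is why the walk-through asks you to compare results across several databases: a matching fingerprint obtained from the owner through another channel is what makes a key trustworthy, not its presence on a keyserver.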
Gym Answer Key
- What is the key fingerprint for security@cpanel.net?
How to solve: There are two possible options. The fingerprint is the hexadecimal string that follows the rsa4096/. See the screenshot above.
Answer: B6709B4CC6F42077F69841919521BEDCABD94DDF
- What email address is associated with the key fingerprint 7A39A56B73D1E097D57435CFCDE2DE1DCB2077F2?
How to solve: The email address is to the right of uid in the search results. See the screenshot above.
Answer: hx@liber8tion.cityinthe.cloud
- On what date does the above key expire (in UTC)?
How to solve: The expiry date is indicated in the “key expir” column. Make sure not to confuse “cr. time” (creation time) with “key expir” (expiry time). The answer is in the second to last column on the right (including the column of blue text). See the screenshot above.
Answer: 2050-12-26
Extension Activities
Grade level | Extension Activity | Objective | Activity Steps |
6-8 | Understanding Digital Signatures | Introduce students to the concept of digital signatures and their role in verifying the authenticity of digital communications. | Discuss the basics of encryption and how digital signatures work. Use a simple analogy (like sealing a letter in an envelope) to explain how PGP ensures message integrity. Provide examples of how digital signatures are used in everyday life (e.g., software downloads, secure emails). |
9-12 | Analyzing PGP Key Metadata | Teach students how to extract and analyze metadata from PGP keys to gather OSINT. | Provide students with sample PGP public keys (ensure these are fictional or anonymized). Guide students through the process of examining key details such as creation date, associated email addresses, and key fingerprints. Discuss how this information can be used in digital investigations and the importance of ethical considerations. |
SSL
Objectives
Students will use a browser to analyze an SSL certificate chain.
Prompt
Solve the following questions about the Cyber Skyline SSL certificate.
Note: if you see references to "BitDefender" in the process of solving this challenge, that means your BitDefender software is intercepting your SSL/TLS connection and will produce incorrect results.
Questions
- Who is the issuer for Cyber Skyline's SSL certificate?
- How many bits long is the SSL key?
- How many certificates are in the certificate chain?
Walk-through
This challenge will give you experience viewing and analyzing SSL certificate chains. SSL certificates help to secure the communication between a client and a server. Most modern browsers have an interface to view the certificates in an SSL certificate chain. In this example, Google Chrome is used.
Start by clicking the icon next to the cyberskyline.com URL. Then click on the “Connection is secure” section in the dropdown.
The SSL chain can then be accessed by clicking on the “Certificate is valid” option.
The Certificate Viewer will contain all of the details needed to answer the questions.
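The fields the Certificate Viewer displays come from decoding the certificate's ASN.1 DER encoding: the issuer is a Name made of attribute type/value pairs (the common name has OID 2.5.4.3), and the key length shown under Subject Public Key Info is the bit length of the RSA modulus inside that structure. The Python example below is added to this guide (it is not part of the challenge) and contains a small DER reader that extracts those two values, a counter for a PEM chain export, and a function that fetches the issuer of a live site's leaf certificate with the standard library. The Name and SubjectPublicKeyInfo it decodes are constructed in code with a dummy 2048-bit modulus and the made-up issuer name "Example Issuing CA", so the test data is not a real certificate.

```python
import socket
import ssl

OID_RSA_ENCRYPTION = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1
OID_COMMON_NAME = bytes.fromhex("550403")                   # 2.5.4.3


def der(tag, content):
    """Encode one DER TLV with definite length (long form above 127 bytes)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def der_int(value):
    raw = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw                  # leading zero keeps the INTEGER positive
    return der(0x02, raw)


def parse_tlv(data, off=0):
    """Return (tag, content, offset just after this element)."""
    tag, first = data[off], data[off + 1]
    if first < 0x80:
        n, hdr = first, 2
    else:
        k = first & 0x7F
        n, hdr = int.from_bytes(data[off + 2:off + 2 + k], "big"), 2 + k
    start = off + hdr
    return tag, data[start:start + n], start + n


def children(content):
    """All TLVs directly inside a constructed element, as (tag, content) pairs."""
    out, off = [], 0
    while off < len(content):
        tag, body, off = parse_tlv(content, off)
        out.append((tag, body))
    return out


def rsa_key_bits(spki):
    """Key length as the viewer reports it: bit length of the RSA modulus in the SPKI."""
    _, body, _ = parse_tlv(spki)
    (_, alg_body), (_, bitstring) = children(body)
    if children(alg_body)[0][1] != OID_RSA_ENCRYPTION:
        raise ValueError("not an RSA key")
    _, rsa_body = children(bitstring[1:])[0]   # first BIT STRING byte = unused-bit count
    modulus = children(rsa_body)[0][1]
    return int.from_bytes(modulus, "big").bit_length()


def common_name(name):
    """Walk Name -> SET -> AttributeTypeAndValue and return the CN (OID 2.5.4.3)."""
    _, body, _ = parse_tlv(name)
    for _, rdn in children(body):
        for _, atv in children(rdn):
            (_, oid), (_, value) = children(atv)
            if oid == OID_COMMON_NAME:
                return value.decode()
    return None


def chain_length(pem_bundle):
    """Number of certificates in a PEM chain exported from a browser or openssl."""
    return pem_bundle.count("-----BEGIN CERTIFICATE-----")


def build_rsa_spki(modulus, exponent=65537):
    """Constructed SubjectPublicKeyInfo; the modulus is a dummy number, not a real key."""
    alg = der(0x30, der(0x06, OID_RSA_ENCRYPTION) + der(0x05, b""))
    key = der(0x30, der_int(modulus) + der_int(exponent))
    return der(0x30, alg + der(0x03, b"\x00" + key))


def build_name(cn):
    """Constructed X.501 Name holding a single CN attribute (PrintableString)."""
    return der(0x30, der(0x31, der(0x30, der(0x06, OID_COMMON_NAME) + der(0x13, cn.encode()))))


def live_issuer(host, port=443):
    """Issuer of the leaf certificate from a real TLS handshake (network access; not run offline)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port)) as sock, \
            ctx.wrap_socket(sock, server_hostname=host) as tls:
        issuer = tls.getpeercert()["issuer"]
    return {k: v for rdn in issuer for k, v in rdn}


if __name__ == "__main__":
    print(rsa_key_bits(build_rsa_spki((1 << 2047) | 0x10001)), "bit key")
    print("issuer CN:", common_name(build_name("Example Issuing CA")))
```

The live function goes through ssl.create_default_context(), which validates the chain against the system trust store; the BitDefender note in the prompt is a reminder that an interception proxy replaces the real chain with one it issues itself, and the issuer name is the quickest way to notice that.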
Gym Answer Key
- Who is the issuer for Cyber Skyline's SSL certificate?
How to solve: The issuer is list in the “General” tab under “Issued By → Common Name”.
Possible answers:
  - sectigo
  - comodo
- How many bits long is the SSL key?
How to solve: The number of bits is listed in the “Details” tab under “Certificate Fields → *.cyberskyline.com → Certificate → Subject Public Key Info → Subject’s Public Key”.
Answer: 2048
- How many certificates are in the certificate chain?
How to solve: The number of certificates can be counted by looking at how many certificates are listed in the “Details” tab under “Certificate Hierarchy”.
Answer: 3
Extension Activities
Grade level | Extension Activity | Objective | Activity Steps |
6-8 | “What's in a URL?” Sorting Game | Learn to distinguish between HTTP and HTTPS. | Provide a stack of fake or real URLs. Students sort them into “Secure” (HTTPS) and “Not Secure” (HTTP). Discuss what might happen if you send personal data over an insecure connection. |
9-12 | Expired or Misissued Certificate Challenge | Understand how SSL certificate issues may indicate threats. | Provide samples of expired, self-signed, or misconfigured certificates (can be screenshots or from certificate transparency logs). Students determine what’s wrong and how that might signal phishing, misconfiguration, or a suspicious site. |
Barcode
Objectives
Students will be able to use a barcode reader to identify hidden information.
Prompt
We intercepted a barcode we think might be hiding a flag. See if you can find it.
Questions
We intercepted a barcode we think might be hiding a flag. See if you can find it.
- What format does the barcode use?
- What is the flag hidden in the barcode?
Walk-through
This challenge will give you experience conducting lookups on a standard barcode. The challenge provides a .gif of the barcode.
Solve this challenge by using mobile barcode scanning apps or an online barcode reader. Below is a screenshot of the barcode using https://online-barcode-reader.inliteresearch.com/:
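A barcode reader identifies the format from the structure of the bars before it reads a value: Code 39 ("3 of 9") encodes every character as nine elements, five bars and four spaces, of which exactly three are wide, and frames the data with an asterisk start/stop character. The Python example below is added to this guide (it is not part of the challenge) and implements both directions: it encodes text into the sequence of element widths a scanner would measure, and decodes such a sequence back, checking the 3-of-9 property and the start/stop characters so that a non-Code-39 input is rejected rather than mis-read. The widths it decodes are generated by its own encoder, so no image processing is involved; the flag value from the answer key is reused as sample input.

```python
# Code 39 symbol table: 9 elements per character (bar, space, bar, ..., bar), n = narrow, w = wide.
CODE39 = {
    "0": "nnnwwnwnn", "1": "wnnwnnnnw", "2": "nnwwnnnnw", "3": "wnwwnnnnn", "4": "nnnwwnnnw",
    "5": "wnnwwnnnn", "6": "nnwwwnnnn", "7": "nnnwnnwnw", "8": "wnnwnnwnn", "9": "nnwwnnwnn",
    "A": "wnnnnwnnw", "B": "nnwnnwnnw", "C": "wnwnnwnnn", "D": "nnnnwwnnw", "E": "wnnnwwnnn",
    "F": "nnwnwwnnn", "G": "nnnnnwwnw", "H": "wnnnnwwnn", "I": "nnwnnwwnn", "J": "nnnnwwwnn",
    "K": "wnnnnnnww", "L": "nnwnnnnww", "M": "wnwnnnnwn", "N": "nnnnwnnww", "O": "wnnnwnnwn",
    "P": "nnwnwnnwn", "Q": "nnnnnnwww", "R": "wnnnnnwwn", "S": "nnwnnnwwn", "T": "nnnnwnwwn",
    "U": "wwnnnnnnw", "V": "nwwnnnnnw", "W": "wwwnnnnnn", "X": "nwnnwnnnw", "Y": "wwnnwnnnn",
    "Z": "nwwnwnnnn", "-": "nwnnnnwnw", ".": "wwnnnnwnn", " ": "nwwnnnwnn", "$": "nwnwnwnnn",
    "/": "nwnwnnnwn", "+": "nwnnnwnwn", "%": "nnnwnwnwn", "*": "nwnnwnwnn",
}
PATTERN_TO_CHAR = {pattern: ch for ch, pattern in CODE39.items()}
NARROW, WIDE = 1, 3    # element widths in modules; a 3:1 wide-to-narrow ratio is common


def encode(text):
    """Element widths for '*TEXT*' with a narrow gap between characters, as a scanner sees them."""
    widths = []
    symbols = "*" + text.upper() + "*"
    for i, ch in enumerate(symbols):
        if ch not in CODE39 or (ch == "*" and 0 < i < len(symbols) - 1):
            raise ValueError(f"not encodable in Code 39: {ch!r}")
        widths.extend(WIDE if e == "w" else NARROW for e in CODE39[ch])
        widths.append(NARROW)              # inter-character gap
    return widths[:-1]                     # no gap after the stop character


def decode(widths):
    """Recover (format, value) from measured element widths.
    Wide versus narrow is decided per character against that character's own widths,
    which tolerates the scale changes a camera introduces."""
    if len(widths) % 10 != 9:
        raise ValueError("element count does not fit 9-element symbols with single gaps")
    chars = []
    for i in range(0, len(widths), 10):
        symbol = widths[i:i + 9]
        threshold = (min(symbol) + max(symbol)) / 2
        pattern = "".join("w" if w > threshold else "n" for w in symbol)
        if pattern.count("w") != 3 or pattern not in PATTERN_TO_CHAR:
            raise ValueError(f"symbol {i // 10} is not a Code 39 pattern: {pattern}")
        chars.append(PATTERN_TO_CHAR[pattern])
    if chars[0] != "*" or chars[-1] != "*":
        raise ValueError("missing Code 39 start/stop character")
    return "Code 39", "".join(chars[1:-1])


if __name__ == "__main__":
    scanned = [w * 2.5 for w in encode("SKY-UZLU-5635")]   # simulate a larger print size
    print(decode(scanned))
```

The 3-of-9 check is what lets a reader report the "Type" field with confidence: other linear formats (Code 128, EAN) use different element counts and width ratios, so a Code 39 decoder applied to them fails at that check instead of returning garbage.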
Gym Answer Key
- What format does the barcode use?
How to solve: You can find the format under the “Type” field.
Possible answers:
  - code 39
  - code39
  - Code_39
  - USD-3
  - Code 3 of 9
  - Code 3/9
  - Alpha 39
- What is the flag hidden in the barcode?
How to solve: You can find the hidden flag by obtaining the value of the barcode in a barcode viewer.
Answer: SKY-UZLU-5635
Extension Activities
Grade level | Extension Activity | Objective | Activity Steps |
6-8 | Decode the Hidden Message (QR Detective) | Learn what QR codes are and how they encode information. | Students scan teacher-provided QR codes using school devices. Each QR code reveals a clue, message, or safe web link (e.g., a NASA fact, a riddle). Students work in teams to piece together a message or win a classroom scavenger hunt. Discussion: Why do we use QR codes? What kind of information can they hide? |
9-12 | Reverse Lookup of QR/Barcode Data | Investigate a product or web page linked via barcode or QR. | Scan or decode a real or simulated code. Conduct OSINT to find out: Who owns the domain or product? Where was the item manufactured or registered? Is the website or organization legitimate? Use WHOIS, Wayback Machine, and barcode prefix databases for investigation. |
Cryptography
Number Bases
Objectives
Students will use tools to recognize and convert various number bases.
Prompt
Our analysts have obtained password dumps storing hacker passwords. After obtaining a few plaintext passwords, it appears that they are all encoded using different number bases.
Questions
User | Cipher Text |
Nan | 0x73636f7270696f6e |
Elliot | c2NyaWJibGU= |
Steve | 01110011 01100101 01100011 01110101 01110010 01100101 01101100 01111001 |
Daniel | 01100010 01000111 00111001 01110011 01100010 01000111 01101100 01110111 01100010 00110011 01000001 00111101 |
Walk-through
Video tutorial: Cyber Skyline Live: How Does Binary Work? (September 22, 2022)
This challenge will give you experience recognizing and converting number bases. Text represented in a different number base is considered “encoded.” Unlike encryption, encoding is more akin to translating a language: when translating from Latin to English, the content remains readable but is presented in a different form. Usually it is computers that ‘read’ base-encoded formats, but people have learned to understand some encodings (like Morse Code).
To start this challenge, an understanding of different number bases and how to convert between them is essential. A conversion chart, like the one below, can be a helpful reference. Numerous websites and tools are available to assist in this process.
The conversion chart illustrates how values are represented across various number systems. The final column, labeled “Char” for character (ASCII, the American Standard Code for Information Interchange), displays the typical characters or text data that humans read. Computers, however, convert this ASCII input into numerical formats such as hexadecimal or binary.
When decoding number bases, the goal is often to convert from a numerical base into the ASCII for character text.
Sources: Source of Conversion Table; Another Conversion Chart Page
The challenge page includes a brief introduction to binary and hexadecimal. For more detailed information about converting between number bases, additional resources are available here.
While conversion charts are helpful, they typically cover only a limited range of number systems. Exploring other common bases through web searches or using tools like Cyber Chef can provide further insight into how ASCII text appears in different numerical formats.
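What an experienced solver does by eye, namely recognising the alphabet of a string (only 0 and 1 in groups of eight, a 0x prefix and hex digits, the base64 character set with = padding) and then peeling encodings one layer at a time, can be written down as a small tool. The Python example below is added to this guide (it is not part of the challenge) and implements exactly that: a detector, a single-layer decoder, an encoder for the other direction, and a loop that keeps decoding until the result no longer looks encoded or would stop being printable text, which is the rule that keeps a plain word such as "scorpion" (which happens to fit the base64 alphabet) from being decoded one step too far. The four ciphertexts from the question table are used as sample inputs.

```python
import base64
import re
import string

PRINTABLE = set(string.printable) - set("\x0b\x0c")


def detect(text):
    """Guess the encoding from the string's alphabet and shape; None means not recognised.
    This is a heuristic: a plain word made only of base64 characters is reported as base64,
    and decode_layers() relies on the printability check to catch that case."""
    s = text.strip()
    if re.fullmatch(r"[01]{8}( [01]{8})*", s):
        return "binary"
    prefixed = s.lower().startswith("0x")
    body = s[2:] if prefixed else s
    if re.fullmatch(r"(?:[0-9a-fA-F]{2})+", body) and (prefixed or len(body) >= 4):
        return "hex"
    if re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", s) and len(s) % 4 == 0:
        return "base64"
    return None


def decode_once(kind, text):
    """Remove one layer of the named encoding and return raw bytes."""
    s = text.strip()
    if kind == "binary":
        return bytes(int(group, 2) for group in s.split())
    if kind == "hex":
        return bytes.fromhex(s[2:] if s.lower().startswith("0x") else s)
    if kind == "base64":
        return base64.b64decode(s, validate=True)
    raise ValueError(kind)


def encode_as(kind, text):
    """The reverse direction: ASCII text -> binary groups, 0x-prefixed hex, or base64."""
    data = text.encode("ascii")
    if kind == "binary":
        return " ".join(f"{b:08b}" for b in data)
    if kind == "hex":
        return "0x" + data.hex()
    if kind == "base64":
        return base64.b64encode(data).decode("ascii")
    raise ValueError(kind)


def is_text(data):
    """True when the bytes are entirely printable ASCII."""
    try:
        return all(ch in PRINTABLE for ch in data.decode("ascii"))
    except UnicodeDecodeError:
        return False


def decode_layers(text, max_depth=5):
    """Peel encodings until nothing is recognised or decoding would produce non-text.
    Returns (plaintext, [layers removed, outermost first])."""
    layers, current = [], text
    for _ in range(max_depth):
        kind = detect(current)
        if kind is None:
            break
        try:
            decoded = decode_once(kind, current)
        except ValueError:           # malformed input for the guessed encoding
            break
        if not is_text(decoded):
            break                    # we have reached readable text; stop rather than mangle it
        layers.append(kind)
        current = decoded.decode("ascii")
    return current, layers


if __name__ == "__main__":
    for sample in ("0x73636f7270696f6e", "c2NyaWJibGU=",
                   "01110011 01100101 01100011 01110101 01110010 01100101 01101100 01111001"):
        print(decode_layers(sample))
```

Daniel's password in the table is the double-encoded case: the loop removes the binary layer, sees that the result ("bG9sbGlwb3A=") still matches the base64 shape, removes that too, and stops when the next attempt would yield non-printable bytes.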
Useful tools for decoding/encoding:
Gym Answer Key
- 0x73636f7270696f6e
- c2NyaWJibGU=
- 01110011 01100101 01100011 01110101 01110010 01100101 01101100 01111001
- 01100010 01000111 00111001 01110011 01100010 01000111 01101100 01110111 01100010 00110011 01000001 00111101
How to solve: This text is encoded in hexadecimal. This text can be converted to ASCII by hand or by using an online tool such as RapidTables or CyberChef. Note: The 0x is used to indicate that the value is hexadecimal and should not be converted.
Answer: scorpion
How to solve: This text is encoded in base64. You can identify this by analyzing the range of characters used in the message and recognizing that it falls within the range for base64 (A-Z, a-z, 0-9, +, /, and =). This text can be converted to ASCII by hand or by using an online tool such as Base64Decode or CyberChef.
Answer: scribble
How to solve: This text is encoded in binary. You can identify this because there are only 1s and 0s in groups of 8. You can use an ASCII table to convert by hand or an online tool.
Answer: securely
How to solve: This text is doubly encoded: first with base64 and then with binary. To reverse the process, the message has to be converted from binary to ASCII, then from base64 to ASCII. You can use the Binary Hex Converter followed by Base64Decode. It’s possible to combine these two steps using CyberChef.
Answer: lollipop
Extension Activities
Grade level | Extension Activity | Objective | Activity Steps |
6-8 | Color Code Encryption (Hex and RGB) | Use hexadecimal to encode color values and relate them to cryptographic codes. | Teach students how hex values map to RGB (e.g., #FF0000 = red). Create a color-coded message where each letter maps to a hex color. Students decode messages using hex charts. |
9-12 | Cryptographic Base Challenge | Understand base conversions and their role in encoding systems like Base64 and hexadecimal hashes. | Provide students with encrypted-looking strings (e.g., hex-encoded, binary). Challenge them to decode messages by identifying and converting base formats. Include layers (binary → decimal → ASCII → message). |
Shift
Objectives
Students will decode a Caesar shift cipher.
Prompt
Our analysts have obtained password dumps storing hacker passwords. It seems to be using a pretty simple encryption scheme, see if you can crack them.
Questions
User | Password Ciphertext |
Chris | iveghny ynxr |
Walk-through
This challenge will give you experience decoding shift ciphers.
This message is encrypted using ROT-13, the standard Caesar cipher. It is called ‘ROT’ because the letters of the alphabet are ‘rotated’. The ‘13’ indicates the number of positions the letters are shifted, which is half of the alphabet. Therefore, ROT-13 is also considered a Caesar shift of 13.
Below, the inner loop of the wheel represents the plaintext while the outer loop represents the ciphertext of a ROT-13 shift. Often cipher disks like this were used to help manually decode ciphers.
A key feature of shift ciphers is that the ciphertext alphabet is in the same order as the plaintext alphabet, it’s just shifted. Shown below, the Plaintext is shifted by thirteen such that ‘A’ becomes ‘N’.
Plaintext: ABCDE FGHIJK LMNOP QRSTUV WXYZ
Ciphertext: NOPQR STUVWX YZABC DEFGHI JKLM
A Caesar shift can be decrypted manually by matching ciphertext to possible plaintext letters, or by using online tools to make shifting through the combinations faster.
Useful tools for decoding/encoding:
Gym Answer Key
- iveghny ynxr
How to solve: This message can be decoded by hand or through an online tool such as CyberChef.
Answer: virtual lake
Extension Activities
Grade level | Extension Activity | Objective | Activity Steps |
6-8 | Code Wheel Construction & Cipher Fun | Learn letter shifting using a Caesar cipher wheel. | Students build a Caesar cipher wheel from a printable template (inner and outer alphabet circles). Encode a message by rotating the wheel to a shift value (e.g., shift of 3). Partner up: one student encodes, the other decodes. |
9-12 | Caesar Cipher + Frequency Analysis | Understand and exploit the vulnerabilities of shift ciphers. | Provide a Caesar-encrypted message without a known key. Students: try all 25 possible shifts (“brute-force” method); perform frequency analysis (e.g., looking for common letters like E or T). Discuss how frequency analysis led to the downfall of simple substitution ciphers. |
@bash
Objectives
Students will decode an atbash shift cipher.
Prompt
Our analysts have obtained password dumps storing hacker passwords. See if you can crack them.
Questions
User | Password Ciphertext |
Christian | hzuvob lyerlfh xzev |
Walk-through
This challenge will give you experience decoding shift ciphers. This message is encrypted using the Atbash cipher.
The text for this challenge, at first, looks like a Caesar shift cipher. The Atbash cipher is similar in that it substitutes a rearranged alphabet; however, instead of being shifted, the entire alphabet is reversed. With an Atbash cipher there is only one way the letters can be mapped; this is not the case with a Caesar shift cipher.
Plaintext: ABCDE FGHIJK LMNOP QRSTUV WXYZ
Ciphertext: ZYXWV UTSRQP ONMLK JIHGFE DCBA
To decode, replace the ciphertext letter in the alphabet above with the plaintext letter that matches its position in the alphabet. For example, “U” is the 6th letter in the ciphertext alphabet, so it should be replaced with “F” to get the plaintext message.
You can also use the tools below to help make sure you are using the right cipher to decode. Atbash and Caesar shift ciphers look very similar, so it is not always possible to know at first glance which is being used.
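Both the Shift challenge and this one come down to the same mechanism: a 26-letter ciphertext alphabet written under the plaintext alphabet, exactly as in the two tables above. The Python example below is added to this guide (it is not part of either challenge) and serves both sections: one substitution routine driven by a cipher alphabet, the Caesar alphabet for any shift (ROT-13 being shift 13), the reversed Atbash alphabet, and a function that lists every decoding a cipher disk could produce, the 25 Caesar shifts plus Atbash, so that an analyst who cannot tell the two apart at first glance can read down one table instead of guessing. It deliberately returns the whole table rather than scoring candidates automatically, because letter-frequency scoring is unreliable on passwords this short. The two ciphertexts from the question tables are used as sample input.

```python
import string

ALPHABET = string.ascii_lowercase


def substitute(text, cipher_alphabet):
    """Map each letter through a 26-letter cipher alphabet; case and non-letters are preserved."""
    table = str.maketrans(ALPHABET + ALPHABET.upper(),
                          cipher_alphabet + cipher_alphabet.upper())
    return text.translate(table)


def caesar_alphabet(shift):
    """Ciphertext alphabet for a Caesar shift: ABCDE... -> NOPQR... when shift is 13."""
    shift %= 26
    return ALPHABET[shift:] + ALPHABET[:shift]


ATBASH_ALPHABET = ALPHABET[::-1]          # ABCDE... -> ZYXWV...


def caesar_encrypt(text, shift):
    return substitute(text, caesar_alphabet(shift))


def caesar_decrypt(text, shift):
    """Decrypting by `shift` is encrypting by the opposite shift."""
    return substitute(text, caesar_alphabet(-shift))


def atbash(text):
    """Atbash is its own inverse, so the same call encodes and decodes."""
    return substitute(text, ATBASH_ALPHABET)


def candidates(ciphertext):
    """Every decoding a cipher disk can produce: 25 Caesar shifts plus Atbash, labelled."""
    table = [(f"caesar-{shift}", caesar_decrypt(ciphertext, shift)) for shift in range(1, 26)]
    table.append(("atbash", atbash(ciphertext)))
    return table


def print_table(ciphertext):
    for label, plain in candidates(ciphertext):
        print(f"{label:>10}: {plain}")


if __name__ == "__main__":
    print_table("iveghny ynxr")        # Shift challenge: readable at caesar-13
    print()
    print_table("hzuvob lyerlfh xzev")  # @bash challenge: readable only in the atbash row
```

Running both ciphertexts through the table shows why the walk-through says the two ciphers look alike: each is a single substitution alphabet, and only the one row that produces English words tells you which alphabet was used.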
Useful tools for decoding/encoding:
Gym Answer Key
- hzuvob lyerlfh xzev
How to solve: This message can be decoded by hand or through an online tool such as Rumkin or CyberChef.
Answer: safely obvious cave
Extension Activities
Grade level | Extension Activity | Objective | Activity Steps |
6-8 | Binary to Text Bash Simulation | Explore how computers use binary to represent letters. | Give students ASCII codes in binary. Simulate Bash decoding using a chart or worksheet. Discuss how computers turn data into readable info via shell tools. |
9-12 | Build a Bash Password Vault | Use Bash to securely store and retrieve hashed passwords. | Script idea: Accept a username and password. Hash the password. Store it in a file. Later, compare a login attempt to the stored hash. |
Beep
Objectives
Students will recognize and decode morse code.
Prompt
Our analysts have intercepted an encoded message. See if you can decode it.
Questions
User | Password Ciphertext |
Helen | - .... . / ... . -.-. .-. . - / --- ..-. / --. . - - .. -. --. / .- .... . .- -.. / .. ... / --. . - - .. -. --. / ... - .- .-. - . -.. / ... -.- -.-- / -.. -.- ...- -... / ----. ---.. .---- -.… |
Walk-through
This challenge will give you experience decoding a message encoded with Morse Code.
Challenges that use Morse Code can be relatively easy to point out because of the binary nature of the output; there is a dot or there is a dash. You may notice here that a ‘/’ is also used. This delineates, or indicates, the end of a word.
Be aware, when looking for Morse Code charts to help translate (or if you’re interested in learning it for fun), that there are various alphabets for different languages. Some languages use additional letters, and there is Morse Code for symbols as well.
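The following is an added example, not code from the guide: a small Morse decoder that treats spaces as letter boundaries and ‘/’ as the word boundary described above, plus a triage check that recognises a Morse message by the fact that only dots and dashes appear. The lookup table covers International Morse letters and digits only (no punctuation or other alphabets). The sample input is Helen's ciphertext from the challenge, cut where the page itself truncates it; unknown groups decode to ‘?’ instead of stopping the whole decode.

```python
# International Morse Code, letters and digits only (constructed lookup table).
MORSE = {
    ".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F",
    "--.": "G", "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L",
    "--": "M", "-.": "N", "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R",
    "...": "S", "-": "T", "..-": "U", "...-": "V", ".--": "W", "-..-": "X",
    "-.--": "Y", "--..": "Z",
    "-----": "0", ".----": "1", "..---": "2", "...--": "3", "....-": "4",
    ".....": "5", "-....": "6", "--...": "7", "---..": "8", "----.": "9",
}


def decode_morse(message: str, word_sep: str = "/") -> str:
    """Decode dots and dashes: letters are separated by spaces, words by `word_sep`.

    A group that is not in the table becomes '?' rather than raising, so a
    partly garbled message still yields everything that can be read.
    """
    words = []
    for word in message.split(word_sep):
        letters = [MORSE.get(group, "?") for group in word.split()]
        words.append("".join(letters))
    return " ".join(words).strip()


def looks_like_morse(text: str) -> bool:
    """Triage check: apart from whitespace and the word separator, only '.' and '-' occur."""
    stripped = text.replace(" ", "").replace("/", "")
    return bool(stripped) and set(stripped) <= {".", "-"}


if __name__ == "__main__":
    # Helen's ciphertext, up to the point where the page truncates it.
    ct = ("- .... . / ... . -.-. .-. . - / --- ..-. / --. . - - .. -. --. / "
          ".- .... . .- -.. / .. ... / --. . - - .. -. --. / ... - .- .-. - . -.. / "
          "... -.- -.-- / -.. -.- ...- -... / ----. ---.. .----")
    print("looks like Morse:", looks_like_morse(ct))
    print(decode_morse(ct))
```

The decoder keeps the ‘/’ word breaks as spaces; the Gym answer key removes them, so compare after stripping spaces if you check an answer programmatically.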
Useful tools for decoding/encoding:
Gym Answer Key
- - .... . / ... . -.-. .-. . - / --- ..-. / --. . - - .. -. --. / .- .... . .- -.. / .. ... / --. . - - .. -. --. / ... - .- .-. - . -.. / ... -.- -.-- / -.. -.- ...- -... / ----. ---.. .---- -.…
How to solve: The message can be decoded by hand or through an online tool such as the Morse Code Translator or CyberChef.
Answer: THESECRETOFGETTINGAHEADISGETTINGSTARTEDSKYDKVB9816
Extension Activities
6-8 | Beep Morse Code Challenge | Encode and decode messages using sound. | Teach students basic Morse code (e.g., A = .-).Use a simple tone generator app, physical buzzer, or your own voice (short/long beeps).In teams, students send coded beeps across the classroom; others decode the message. |
9-12 | Sonic Modem & Tones | Learn how modems used sound for data transfer. | Play samples of old dial-up modem sounds. Discuss how tones carried data across phone lines. Try encoding binary into a sequence of tones using tools like Audacity. Optional: build a tone-to-binary decoder in Python or spreadsheet format. |
Fencing
Objectives
Students will recognize and decode a rail fence cipher.
Prompt
Our analysts have obtained encrypted messages. We saw hand-written notes that indicated the keys as being "3" and "5". See if you can crack them.
Questions
User | Password Ciphertext |
Eve | Cair eruSA-0org sgaeudrpesr K-II98ue cn seYQ3 |
Nan | F daS-eefn n KZ3eheadty.YI8lta oiwy-Q0 r aI2 |
Walk-through
This challenge will give you experience decoding a transposition cipher. The messages are encrypted using the rail fence cipher.
To start this challenge, observe that uppercase letters are mixed with lowercase letters, and letters are mixed with numbers, so somewhere in the text there must be a flag. Notice that ‘S’, ‘K’ and ‘Y’ appear capitalized in both ciphertexts, so the text must have been scrambled according to a pattern.
Looking back at the prompt for this challenge, and even the title of the challenge, there are some clues about what to do next. Rail fence ciphers use keys to transpose text. This means that this cipher uses a key, or a number, to determine how to move the letters. Rail fence ciphers are also known as zig-zag ciphers. The key used here indicates how many “rails” to place the text on. See the encoding example below where the key is 4.
Plaintext: THIS IS A SECRET
Ciphertext: TATHSSEIIERSC
Each column below is one character position (spaces are dropped) and ‘.’ marks an empty cell:
T.....A.....T
.H...S.S...E.
..I.I...E.R..
...S.....C...
The ciphertext is read off one rail at a time: TAT, HSSE, IIER, SC.
To solve by hand, you can use some simple math operations and use the zig-zag format as shown above.
Example ciphertext: SSDETULCENORF, key = 4
Start by subtracting 1 from the key and multiplying the result by 2. The product is the number of spaces between neighbouring letters on the top row (and on the bottom row). Use this number to place the letters of the ciphertext sequentially in the top row.
Number of spaces the letters are apart in the top row:
N = 2(key - 1)
N = 2(4 - 1)
N = 6 spaces
To determine how many letters are placed in the top row, divide the total number of characters in the ciphertext by the key (rounding down). This value indicates how many characters belong in the top row of the transposition.
Number of letters in the top row:
Total number of letters: 13
Key: 4
13 / 4 = 3 letters (rounded down)
Shown below, using the results of the calculations, the letters in the top row are placed 6 spaces apart and there are three letters in the top row (column numbers are shown above the row):
Column: 0     6     12
Top:    S.....S.....D
Once you have the top row set, fill in the ciphertext sequentially across the row that follows, and so on, until you form the zig-zag message. The three stages below show the second, third and fourth rows being filled in (‘.’ marks an empty cell):
S.....S.....D
.E...T.U...L.

S.....S.....D
.E...T.U...L.
..C.E...N.O..

S.....S.....D
.E...T.U...L.
..C.E...N.O..
...R.....F...
Reading the completed zig-zag from left to right, following the letters down and up the rails, gives the plaintext SECRETSUNFOLD.
Online tools like CyberChef can also be used, however, be careful adding or removing spacing when entering the ciphertext into online tools. These tools often include the spacing in the decoding/encoding process, thus, adding or removing spaces will displace lettering in the output and you may not be able to decode the message.
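The by-hand procedure above, as an added example that is not part of the guide: a rail fence encoder and decoder for any key, plus a function that draws the zig-zag the way the walk-through does. Instead of dividing the message length by the key, the decoder counts how many characters land on each rail by walking the zig-zag pattern itself, which gives the exact per-rail lengths for every key and message length (the division in the walk-through happens to give 3 for this example, but is only an approximation in general). The Eve ciphertext is decoded with its spaces intact, which is the spacing caveat in the paragraph above: every space is a character position, so adding or removing one shifts the whole grid.

```python
def rail_pattern(length: int, rails: int) -> list:
    """Rail index for each character position: 0,1,...,rails-1,...,1,0,1,... (the zig-zag)."""
    if rails < 2:
        return [0] * length
    cycle = 2 * (rails - 1)                 # the same 2(key - 1) as the walk-through's N
    return [min(i % cycle, cycle - i % cycle) for i in range(length)]


def rail_fence_encode(plaintext: str, rails: int) -> str:
    """Write characters down the zig-zag, then read each rail left to right."""
    pattern = rail_pattern(len(plaintext), rails)
    rows = ["" for _ in range(rails)]
    for ch, r in zip(plaintext, pattern):
        rows[r] += ch
    return "".join(rows)


def rail_fence_decode(ciphertext: str, rails: int) -> str:
    """Count how many characters each rail holds, slice the ciphertext into rails, then walk the zig-zag."""
    pattern = rail_pattern(len(ciphertext), rails)
    counts = [pattern.count(r) for r in range(rails)]   # exact per-rail lengths
    rows, pos = [], 0
    for n in counts:
        rows.append(list(ciphertext[pos:pos + n]))
        pos += n
    return "".join(rows[r].pop(0) for r in pattern)


def zigzag_diagram(text: str, rails: int, blank: str = ".") -> str:
    """Render the fence as in the walk-through: one line per rail, `blank` for empty cells."""
    pattern = rail_pattern(len(text), rails)
    lines = []
    for r in range(rails):
        lines.append("".join(ch if pr == r else blank for ch, pr in zip(text, pattern)))
    return "\n".join(lines)


if __name__ == "__main__":
    print(zigzag_diagram("THISISASECRET", 4))
    print(rail_fence_encode("THISISASECRET", 4))          # the encoding example above
    print(rail_fence_decode("SSDETULCENORF", 4))          # the worked decoding example above
    # Eve's ciphertext with 3 rails; the spaces are part of the message and must be kept.
    print(rail_fence_decode("Cair eruSA-0org sgaeudrpesr K-II98ue cn seYQ3", 3))
```

If the decoded text comes out scrambled, the first thing to check is whether the ciphertext length changed during copy and paste (collapsed double spaces or a trailing space are the usual cause), exactly as the warning about online tools says.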
Useful tools for decoding/encoding:
Gym Answer Key
- Cair eruSA-0org sgaeudrpesr K-II98ue cn seYQ3
How to solve: This question uses the rail fence cipher with the standard 3 rails and can be decoded using an online tool such as CyberChef.
Answer: Courage is grace under pressure SKY-AIQI-9380
- F daS-eefn n KZ3eheadty.YI8lta oiwy-Q0 r aI2
How to solve: This question uses the rail fence cipher with a non-standard 5 rails and can be decoded using an online tool such as CyberChef.
Answer: Feel the fear and do it anyway. SKY-IQIZ-3802
Extension Activities
Digital Fencing Game (Cardboard Network) | Visualize network fencing and encryption. | Use cardboard "servers" and string "network cables" to represent devices.Students act as data packets trying to travel from client to server.Introduce: Fences (firewalls): Only allow encrypted messages through.Keys (locks): Data must be "encrypted" with a shared code (e.g., Caesar cipher or simple key).Debrief how fences and encryption work together to protect systems. |
"Breach the Fence" Scenario | Apply ethical hacking logic to analyze firewall vulnerabilities. | Students are given a fictional company’s network layout and security policies.They must identify weaknesses in the “fence” (firewall rules, lack of encryption). |
French
Objectives
Students will decrypt a Vigenère cipher.
Prompt
Our analysts have obtained an encrypted message. We know that the key, qizkwcgqbs, was used. See if you can crack them.
Questions
User | Password Ciphertext |
Matt | Y ln xkv lubj swlzqvkht, A vmzb pjk bbua we ddgs ILQ-GQYU-8026 |
Walk-through
This challenge will give you experience decoding polyalphabetic substitution ciphers. This message is encrypted using the Vigenère cipher.
To start this challenge, take a look at the ciphertext. There is clear formatting for something resembling the flag format, however, it does not start with ‘SKY’. This is a clue that the encryption method does not move the letters like the shift or transposition ciphers used in previous challenges. There is also a key: qizkwcgqbs. A Vigenère cipher, named for cryptographer Blaise de Vigenère, uses a key and encrypts letters in place as observed.
A table, like the one from dcode.com below, is used to encrypt and decrypt the message in conjunction with the key.

To decrypt, find the row on the left side with the first letter of the key. This challenge uses ‘Q’ as the first letter in the key. In row ‘Q’, scan across the table until you find the first letter of the ciphertext ‘Y’. Letter ‘Y’ is in the column of letter ‘I’ so the first letter of the plaintext message starts with ‘I’. Use the next letter of the key to find the next plaintext letter of the message.
The key has fewer letters than the message. Once all of the letters of the key have been used, keep using the key over and over until all of the ciphertext letters have been decrypted.
You can also use online tools to help you decode a Vigenère cipher.
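The table lookup and key repetition described above, as an added example that is not the guide's or dCode's code: a Vigenère encrypt/decrypt routine and a single-letter tabula recta lookup that reproduces the by-hand step (row ‘Q’, find ‘Y’, read column ‘I’). Only letters are transformed and only letters consume a key character, so spaces, the comma, the hyphens and the digits pass through unchanged; that convention is an assumption of this example, but it is the one that turns the challenge ciphertext into the answer in the key below.

```python
import string

ALPHA = string.ascii_uppercase


def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Vigenère encrypt (or decrypt) `text` with `key`.

    Letters keep their case; non-letters are copied through and do not
    advance the key. The key is repeated for as long as the message needs.
    """
    key_shifts = [ALPHA.index(k) for k in key.upper() if k in ALPHA]
    if not key_shifts:
        raise ValueError("key must contain at least one letter")
    out, ki = [], 0
    for ch in text:
        if ch.upper() in ALPHA:
            shift = key_shifts[ki % len(key_shifts)]
            if decrypt:
                shift = -shift
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
            ki += 1                       # only letters use up a key character
        else:
            out.append(ch)
    return "".join(out)


def tabula_recta_lookup(key_letter: str, cipher_letter: str) -> str:
    """The by-hand method: in the table row starting with `key_letter`, find `cipher_letter`; its column is the plaintext letter."""
    start = ALPHA.index(key_letter.upper())
    row = ALPHA[start:] + ALPHA[:start]   # row 'Q' reads QRST...ZABC...P
    return ALPHA[row.index(cipher_letter.upper())]


if __name__ == "__main__":
    ct = "Y ln xkv lubj swlzqvkht, A vmzb pjk bbua we ddgs ILQ-GQYU-8026"
    key = "qizkwcgqbs"
    print("first letter by table lookup:", tabula_recta_lookup("Q", "Y"))
    print(vigenere(ct, key, decrypt=True))
```

Because non-letters do not consume key characters, the same routine works whether or not the message contains spaces and punctuation; a tool that advances the key on every character would produce a different (wrong) result for this challenge.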
Useful tools for decrypting/encrypting:
Gym Answer Key
- Y ln xkv lubj swlzqvkht, A vmzb pjk bbua we ddgs ILQ-GQYU-8026
How to solve: This message can be decoded by hand or through an online tool such as dCode or CyberChef.
Answer: I do not fear computers, I fear the lack of them SKY-QIZK-8026
Linux
DIR
Objectives
Students will use commands via the Linux Command Line (CLI) to analyze files and directories.
Prompt
One of our analysts had their laptop damaged. However, we were able to recover and mount the hard drive. Access the terminal and recover various flags from the disk.
Questions
- What are the contents of flag1.txt, found in root's home directory?
- What are the contents of flag2.txt, found in the root directory?
- What are the contents of flag3.txt, found in an archive in /var/log?
- What are the contents of flag4.txt, found in the flag user's home directory?
- What flag is printed when you run the flag5 program?
- What is the full path to the flag5 program?
Walk-through
Tutorial video: Cyber Skyline NCL Summer Live - Linux Command Line - Sep 14, 2021
This challenge will give you experience running basic Linux commands. To solve these challenges, you will be using a Linux Command Line Interface (aka terminal or shell).
Background
The command line interface (CLI) functions similarly to File Explorer on Windows or Finder on macOS but relies on a text-based interface rather than a graphical user interface (GUI). Like its GUI counterparts, the CLI enables navigation through directories (folders) and the launching of files or programs. Upon opening the CLI, the prompt and command input line appear.


The prompt can be customized and configured for your personal preference. In this case, the default prompt contains some important information:
- root is the name of the user that we are logged in as. On Linux systems, the root user is the default admin account.
- dir is the hostname, or the name of the computer.
- /home is the path of the directory that we are in. A “path” specifies a directory’s location, similar to how File Explorer displays it in the navigation bar, enabling easy navigation between folders.
Commands entered at the prompt tell the CLI what task to perform, such as navigating directories, displaying file contents, or renaming folders. Each action uses a specific program. Typing the program name, supplying any necessary input, and pressing “Enter” runs the command and displays the result. The following includes examples of these commands and their output.
Guide
List files in a directory: ls
In this challenge, access is provided as the root user, with the session starting in root’s home directory. Running the ls (short for ‘list’) command displays the contents of the current directory. Press Enter after typing ls to get the command to run.

Display contents of a file: cat
This directory listing shows only one file. To display the contents of a file, run the cat command (short for concatenate) followed by the name of the file you wish to display. This is the output of cat flag1.txt:

Change to another directory: cd
Try navigating to other directories using the cd command (short for change directory). Add the path you want to go to after the cd command. To navigate to the root directory, simply use a forward slash. After changing to the root directory, the command line prompt switches from ~ to /. This is the output after running cd /:

The ~ symbol denotes the home directory of the current user, while / indicates the root directory. The term “root” can refer either to the root user (a superuser account) or the root directory (the top-level directory in the system). In the root directory, running ls lists the files. Running ls in the root directory reveals additional items beyond flag2.txt, most of which are directories.

Files such as flag2.txt appear in white. The lighter blue text represents system directories. However, these color schemes are customizable and may vary across terminals.
Extracting tar files: tar
Use the cd command to navigate to the /var/log directory and use ls to list the files there.

The flag file in this folder is stored as a tar archive, or tarball, indicated by the “.tar” extension. Similar to a zip file, a tarball packages multiple files for easier storage and transfer. Unlike zip files, tarballs are not compressed by default and often rely on gzip compression (undone with gunzip), noted by the “.gz” extension.
To access the files inside, the tar program is used to decompress and extract the contents. This requires command line flags, which are single-letter options preceded by a hyphen. Each program defines its own flags and usage patterns.
For tar, the z flag enables decompression, x extracts the archive, v (optional) activates verbose output, and f signals that the archive filename follows. The tar -zxvf flag.tar.gz command will decompress and extract the files from the tarball:

./flag/ denotes a directory (the trailing slash marks it as one). The output includes ./flag/ and ./flag/flag3.txt, indicating that a folder named flag was extracted, containing a file named flag3.txt. The flag folder now appears in the current directory. Change to the flag directory to view the contents of flag3.txt.
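What tar -zxvf does, as an added Python example that is not part of the guide: a small .tar.gz is built in memory (a constructed sample, with a placeholder flag value rather than the challenge's), its member list is read the way tar -tzf would show it (./flag and ./flag/flag3.txt), and the flag file is read straight out of the archive without extracting everything. The last function is the check a practitioner wants before extracting an archive from an unknown source: member names that begin with / or contain .. would write outside the current directory.

```python
import io
import tarfile


def build_tarball(files: dict) -> bytes:
    """Constructed helper: pack {name: bytes} into an in-memory .tar.gz, adding a directory entry for each parent."""
    buf = io.BytesIO()
    seen_dirs = set()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:     # "w:gz" = tar, then gzip (.tar.gz)
        for name, content in files.items():
            parent = name.rsplit("/", 1)[0] if "/" in name else ""
            if parent and parent != "." and parent not in seen_dirs:
                d = tarfile.TarInfo(parent)
                d.type = tarfile.DIRTYPE
                tf.addfile(d)
                seen_dirs.add(parent)
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def build_sample_tarball() -> bytes:
    """The archive from the walk-through, with a placeholder flag (SKY-XXXX-0000 is not the real answer)."""
    return build_tarball({"./flag/flag3.txt": b"SKY-XXXX-0000\n"})


def list_members(archive: bytes) -> list:
    """Equivalent of `tar -tzf`: decompress (z) and list (t) the member names without extracting."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tf:
        return tf.getnames()


def read_member(archive: bytes, name: str) -> bytes:
    """Read one regular file directly from the archive (no files are written to disk)."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tf:
        member = tf.getmember(name)
        if not member.isfile():
            raise ValueError(f"{name} is not a regular file")
        return tf.extractfile(member).read()


def unsafe_members(archive: bytes) -> list:
    """Member names that would land outside the extraction directory (absolute paths or '..' components)."""
    return [n for n in list_members(archive)
            if n.startswith("/") or ".." in n.split("/")]


if __name__ == "__main__":
    data = build_sample_tarball()
    print(list_members(data))                       # ['./flag', './flag/flag3.txt']
    print(read_member(data, "./flag/flag3.txt").decode(), end="")
    print("unsafe members:", unsafe_members(data))
```

Listing first (tar -tzf) and reading only the member you need is the cautious equivalent of running tar -zxvf blind; the same two steps apply to any archive recovered from a compromised host.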

Users & Home Directories: ~ or /home/
From the home directory, you can list the private directory of other users (if you have permission). As with Windows or macOS, each user on a Linux system has a private home directory, typically stored under /home/. You can navigate directly to your own home directory by using ~ as the path (for example, cd ~). The blue text below indicates a directory for a user named “flag”.

It is not required to switch users to view the contents of the ‘flag’ user’s folder, because root is the default admin. However, if you needed to switch users and become the ‘flag’ user, use the su (‘switch user’) command as follows and enter that user’s password. Notice how the user name in the prompt changes from root to flag:

Run Programs:
There are a couple of ways to run programs. One way is to type in the program name and press Enter. Running programs in user folders might not work if that user doesn’t have permission to run the program. Navigate back to the root user’s home directory (~) or to the root directory (/). Below is the output of running the flag5 program:

Identify file paths: which
Non-built-in Linux programs are simply files located somewhere in the file system. While it's possible to navigate directly to their directories, the command line automatically searches a predefined set of directories when a command is entered. The which command can be used to determine the location of a given program.

Useful tools for learning Linux:
Gym Answer Key
- What are the contents of flag1.txt, found in root's home directory?
How to solve: Run cat flag1.txt from root’s home directory.
Answer: SKY-FNKC-3207
- What are the contents of flag2.txt, found in the root directory?
How to solve: Use cd / to navigate to the root directory and then run cat flag2.txt.
Answer: SKY-NPEJ-2501
- What are the contents of flag3.txt, found in an archive in /var/log?
How to solve: Navigate to /var/log and then run tar -zxvf flag.tar.gz to extract the files from the archive.
Answer: SKY-FVHR-3562
- What are the contents of flag4.txt, found in the flag user's home directory?
How to solve: Navigate to the /home/flag directory and then run cat flag4.txt.
Answer: SKY-SXIJ-6142
- What flag is printed when you run the flag5 program?
How to solve: Run the flag5 program with the command flag5
Answer: SKY-UDSV-9689
- What is the full path to the flag5 program?
How to solve: Run which flag5
Answers: /usr/bin/flag5 or /usr/bin/
Incorrect: ./usr/bin/flag5
Extension Activities
6-8 | Linux Adventure Story | Use commands like dir to progress through a narrative. | Students role-play as secret agents or explorers.Each directory contains parts of a story.Students unlock new parts by listing contents (dir) and making choices (cd cave, cd castle). |
9-12 | Linux Forensics Mini-Challenge | Find files based on clues using dir, ls, find, and grep. | Create a mystery scenario (e.g., “Find who deleted the secret file”).Students navigate directories, list contents (dir), and read logs (cat logfile.txt).Combine clues to solve the case. |
File Edit
Objectives
Students will use nano and Vim via the command line to create and edit files.
Prompt
Learn how to use command line file editors.
NOTE: The terminal session is logged. Please do not perform any denial of service attacks on the Linux server provided, malicious attempts to attack the Cyber Skyline platform will result in disqualification.
Questions
- What key should you press in addition to the CTRL key to trigger the combination to exit nano?
- What vim mode allows you to write new characters in the file?
- What keyboard combination will save and quit the file with vim?
- What keyboard combination will delete an entire line in vim?
- What command would you use to rename a file?
Walk-through
Video tutorial: Cyber Skyline NCL Summer Live - Linux Command Line - Sep 14, 2021
This challenge will give you experience running basic Linux commands. To solve these challenges, you will be using a Linux Command Line Interface (aka terminal or shell).
Background
Editing files in the Command Line Interface (CLI) requires a text-based editor, as graphical tools like Microsoft Word, Textedit, or Notepad aren't available. Common CLI editors include nano, vim, and Emacs. Nano is the simplest, while Vim and Emacs offer more advanced features but come with a steeper learning curve. This guide focuses on nano and Vim.
Guide
- Nano
To open nano, simply type nano into the terminal. A file name can also be included as the second argument to the command. For example, nano example.txt will create a file named “example.txt” and launch the application.

When launched, a list of commands is given at the bottom of the screen. Each command is preceded by a caret character ( ^ ) - this represents the “CTRL” or control key on the keyboard. The caret is used as a shorthand for the CTRL key.

Once in nano, type as you normally would in a graphical text editor. However, the mouse cannot be used to change the position of the cursor in the document. Use the arrow keys to move your position within the document. A text cursor will highlight your position in the file.
When you are ready to save and exit, press CTRL + X to trigger the exit process. You will be prompted to save the buffer (the buffer is the data in the editor) and you can press the “Y” key to save or the “N” key to discard your edits.
- Vim
Nano can often be too simple for certain tasks, which may be reason to use Vim. Start Vim by using the vim command and optionally providing a filename: vim example.txt

There are various modes in Vim. The default normal mode in Vim functions as read-only. Press i to enter insert mode (indicated by “INSERT” at the bottom left) where standard typing and deletions are enabled. Press Esc to exit insert mode.

Visual mode enables copying and pasting. Press v in normal mode to begin selecting text from the cursor. Use the arrow keys to expand the selection, then press y to “yank” it. Paste the copied text using the p key, which will paste the text immediately after your cursor.

To save changes after editing, ensure you're in normal mode, then enter command mode with a colon. If editing is complete, type wq to write and quit, then press Enter. Vim displays a warning when quitting with unsaved changes. To exit without saving, use :q!.

Vim Command | Purpose |
:q | Quit (only if there are no unsaved edits) |
:w | Save the file |
:wq | Save the file and quit |
:q! | Quit without saving |
Vim relies on keyboard commands to perform editing tasks due to the lack of on-screen buttons. Only basic features are covered here. Commands like dd, which deletes a line, or shortcuts like <SHIFT> + G, which jumps the cursor to the end of the file, become familiar with practice.
- Renaming, Copying and Deleting Files
After creating a file with nano or Vim, it can be renamed, copied, or deleted as needed.
Rename a File: mv
Use the mv (move) command to rename a file. Provide the original filename as the first argument and the new name as the second.
For example, mv example.txt newname.txt renames the file in the same directory. Include a different path in the second argument to move the file to another location. Below, the file “example.txt” was renamed to newname.txt, and then was moved to the “/” directory using mv newname.txt /newname.txt.

Copy a File: cp
Use the cp (copy) command to duplicate a file. Specify the original filename first and the name of the copy second. For example, cp example.txt copy.txt creates a duplicate named “copy.txt” in the same directory.

Remove a File: rm
Use the rm (remove) command to delete a file. Specify the filename as the first argument as follows: rm example.txt. This action is permanent and bypasses recovery options like the Recycle Bin. Restoring deleted files typically requires forensic tools.

Tools to learn more about text editors:
Gym Answer Key
- What key should you press in addition to the CTRL key to trigger the combination to exit nano?
How to solve: Start nano from the Linux terminal. Instructions on the keyboard shortcuts should appear at the bottom of the screen. See the Trove for more detailed guidance.
Answer: x
- What vim mode allows you to write new characters in the file?
How to solve: Search online for “vim mode to write new characters”. See the Trove for more detailed guidance.
Answer: insert
- What keyboard combination will save and quit the file with vim?
How to solve: Search online for “how to save and quit with vim” and read the descriptions for the different keyboard combinations. See the Trove for more detailed guidance.
Answers: :wq or wq
- What keyboard combination will delete an entire line in vim?
How to solve: Search online for “vim delete line” and then read the descriptions for possible keyboard combinations. See the Trove for more detailed guidance.
Answer: dd
- What command would you use to rename a file?
How to solve: Search online for “linux how to rename a file” and read about the most common commands. See the Trove for more detailed guidance.
Answer: mv
Extension Activities
6-8 | Echo & Redirect Challenge | Use echo to write text to a file. | Run commands like echo "I love coding!" > myfile.txt.Append text using echo "And Linux!" >> myfile.txt.Display contents with cat myfile.txt.Discussion: What’s the difference between > and >>? |
9-12 | File Permissions and Editing | Explore how permissions affect file editing. | Create files with different permission settings (chmod).Try to edit them and observe what happens.Discuss why permissions are important for security. |
Basic Commands
Objectives
Use open source tools and Linux command line knowledge to string Linux commands together.
Prompt
Learn the common basic commands used on the Linux command line.
NOTE: The terminal session is logged. Please do not perform any denial of service attacks on the Linux server provided, malicious attempts to attack the Cyber Skyline platform will result in disqualification.
Questions
- What character can you use to redirect the output of one program as the input to another program?
- What character can you use to redirect the output of a program to a file?
- How many people have a first name of Jordan in names.csv?
Walk-through
This challenge will give you experience running basic Linux commands. To solve these challenges, you will be using a Linux Command Line Interface (aka terminal or shell).
Background
When running a Linux command, different options can be provided to get a specific behavior. One kind of option is an argument. Arguments always follow the name of the program and can provide information such as the file you wish to run the program on. You may also see arguments referred to as “options” or “flags”.
The syntax for arguments is set by the author of the program. You can often type the name of the command followed by --help to get information on how to use the program.
For some programs, you can use the man (manual) program to pull up the instructions. If a program has a manual entry, you can open the manual by typing man followed by the name of the program.
Below is the man page for the ls command. You can view it by entering man ls into the command line:

Enter man followed by the command name to get the manual page for a specific command.
If the -a argument is used with the ls command, all of the files, even the hidden ones which start with ., will be listed.

ls -a
Multiple arguments can be added together. The -l argument will list the read, write and execute permissions, the users who can access the file, the file size, and the date modified.

ls -la
Some common Linux commands are listed in a table below. Read the manual pages to learn more about different arguments. Understanding how commands can be used is a key part of using Linux.
Guide
- Standard Streams
The output of one program can be used as the input to another program. This utilizes a system in Linux called standard streams. There are three standard streams in Linux:
standard input (stdin) - data going into a program
standard output (stdout) - data coming out of a program
standard error (stderr) - errors coming out of a program
The greater than symbol is used to redirect the stdout of a command to a file. For example, echo "I Love Linux" > linux.txt will create a file named “linux.txt” (if it doesn’t already exist) and add “I Love Linux” to it.
Entering echo "Penguins are Cool" > linux.txt will overwrite the pre-existing linux.txt file with the new contents.
Using two greater than symbols will append to the current file contents instead of overwriting them: echo "I Love Linux" >> linux.txt

The less than symbol can be used in a variety of ways. One is to redirect the contents of a file to a certain command as its stdin. Shown below is the stdout of names.csv using the cat command. The contents of the names.csv file can instead be redirected to the cut command. cut -d ',' -f 1 is used below to show the first column of the file, with a comma as the separator, or delimiter, between the columns.


- Stringing Commands
The stdout of one program can be made into the stdin of another program. This is done by using the pipe operator, which is represented with the vertical bar, and allows you to string commands together.
For example, to find the number of people with the first name “Jordan” in the names.csv file, try using cut -d "," -f 1 < names.csv | grep Jordan. Here, the grep command takes the output from the first portion of the command and only outputs lines that match “Jordan”:

It would be easier if a number was given as output instead of needing to count. What if there were thousands of people named Jordan in the file? The number of lines that are output can be counted using wc -l:

cut -d ',' -f 1 < names.csv | grep Jordan | wc -l
Chaining multiple Linux commands is useful for manipulating and analyzing data. Practice running different commands with these tools. Below is a table of common Linux commands.
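The three stages of the pipeline above, as an added Python example that is not part of the guide: one function per stage (cut, grep, wc -l) applied to a constructed names.csv sample (the real file is not on the page). The sample is built to show why the cut step matters and what grep's substring matching does: a row whose surname is Jordan and a row whose first name is Jordana are both included, so counting with grep on the whole file, with the page's pipeline, and with an exact first-name match gives three different numbers.

```python
import csv
import io

# Constructed sample of names.csv (first name, last name, e-mail); not the challenge's file.
NAMES_CSV = """\
first,last,email
Jordan,Smith,jsmith@example.com
Alex,Jordan,ajordan@example.com
Jordana,Lee,jlee@example.com
Jordan,Baker,jbaker@example.com
"""


def first_column(text: str) -> list:
    """cut -d ',' -f 1 : keep only the first field of every line."""
    return [row[0] for row in csv.reader(io.StringIO(text)) if row]


def grep(lines: list, pattern: str) -> list:
    """grep PATTERN : keep lines containing the pattern anywhere (substring match, like grep)."""
    return [line for line in lines if pattern in line]


def wc_l(lines: list) -> int:
    """wc -l : count lines."""
    return len(lines)


def count_first_name(text: str, name: str) -> int:
    """The page's pipeline: cut -d ',' -f 1 < names.csv | grep NAME | wc -l."""
    return wc_l(grep(first_column(text), name))


def count_whole_file(text: str, name: str) -> int:
    """grep NAME names.csv | wc -l : without cut, surnames and e-mail addresses match too."""
    return wc_l(grep(text.splitlines(), name))


def count_exact_first_name(text: str, name: str) -> int:
    """Stricter variant (grep -x on the cut output): whole-field match, so 'Jordana' is not counted."""
    return sum(1 for first in first_column(text) if first == name)


if __name__ == "__main__":
    print("grep on the whole file :", count_whole_file(NAMES_CSV, "Jordan"))
    print("cut | grep | wc -l      :", count_first_name(NAMES_CSV, "Jordan"))
    print("exact first-name match  :", count_exact_first_name(NAMES_CSV, "Jordan"))
```

On the shell the exact-match variant is grep -x Jordan in place of grep Jordan; which count is "right" depends on the question, which is why it pays to look at the matched lines (the step without wc -l) before trusting the number.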
Please note that within the terminals provided by Cyber Skyline, you will only have access to the tools that are pre-installed. You may not be able to install tools that are not already included in the terminal.
You should become comfortable and will be expected to search online for command line tools that can help you accomplish a task from the terminal. You can also use the built-in help or manual pages to learn how to use a tool.
Program | Description | Example | Example Description |
ls | “list” - Display files and directories | ls / | Display all files and directories in the “/” folder |
cat | “concatenate” - Print out the contents of a file | cat example.txt | Print out the contents of the “example.txt” file |
cd | “change directories” - Switch the current folder that the command line is working on | cd / | Change the terminal to the “/” folder |
mv | “move” - Move a file or folder from one location to another or rename a file | mv /root/old.txt /tmp/new.txt | Move the “old.txt” from the the “/root” folder to the “/tmp” folder and rename the file to “new.txt” |
cp | “copy” - Make a copy of a file or folder | cp original.txt copy.txt | Makes a duplicate of “original.txt” named “copy.txt” |
mkdir | “make directory” - Makes a new folder | mkdir test | Makes a new folder named “test” |
rm | “remove” - Deletes a file or folder permanently | rm example.txt | Permanently deletes the “example.txt” file |
pwd | “print working directory” - Displays the absolute file path of the directory the command line is currently in | pwd | Prints the full path of the current directory |
history | Prints a chronological log of the past commands that were entered | history | Prints the log of past commands |
echo | Prints the provided string to standard output | echo "test" | Prints the string, “test” to standard output |
grep | “global regular expression print” - search for text that matches a specific pattern | grep match example.txt | Prints lines that contain the text “match” in example.txt |
wc | “word count” - Gets a line count (followed by a word count and a byte count) of a file or text stream | wc example.txt | Prints the number of lines in example.txt |
cut | Extract column(s) from a file or text stream. Columns must be delineated by a consistent character | cut example.txt -d , -f 2 | Prints out the column at index 2 from example.txt |
sort | Sorts the lines from a file or text stream. | sort example.txt | Prints the sorted output of the lines from example.txt |
uniq | “Unique” - Prints the result of removing duplicate lines from a file or text stream | uniq example.txt | Prints out the result of removing any duplicate lines from example.txt. |
man | “manual” - Displays the manual for a program | man echo | Display the manual for the “echo” program |
Useful tools for learning Linux:
Gym Answer Key
- What character can you use to redirect the output of one program as the input to another program?
How to solve: Search online for this question as-is. Make sure to find an answer that is specific to redirecting output from one program to another program (and not to a file). See the Trove for additional guidance.
Answer: |
- What character can you use to redirect the output of a program to a file?
How to solve: Search online for this question as-is. Make sure to find an answer that is specific to redirecting output from one program to a file (and not to another program). See the Trove for additional guidance.
Answer: >
- How many people have a first name of Jordan in names.csv?
How to solve: Use cut to grab only the column of first names, then use grep to search for “Jordan” and then use wc -l to get a line count.
cut -d "," -f 1 < names.csv | grep Jordan | wc -l
Answer: 2
Extension Activities
6-8 | Linux Command Bingo | Familiarize with common Linux commands. | Create Bingo cards with commands like ls, pwd, cd, mkdir, rm.Call out definitions or tasks (“Show me files in the folder”), students mark corresponding commands.First to bingo explains one command in detail. |
9-12 | Linux Trivia & Command Line Quiz | Reinforce command knowledge. | Prepare a quiz with multiple choice and practical terminal commands.Use interactive platforms or classroom polling.Include “Identify the command” from output examples. |
Strings
Objectives
Use the strings command to find hidden information in a file.
Prompt
The hackers have hidden a message in this image. Find out what it is.
Questions
- What is the hidden flag in the image?
Walk-through
This challenge involves using the strings Linux command to find a hidden message. A random portion of the image file was modified to insert the message, which is why there is a distortion in the image. The horizontal distortion that occurs near the eye is a result of the corruption caused by inserting the hidden message randomly within the image data.
Background
Recall from the bases challenge how data can be converted from one form to another. Some binary values used in files are not convertible to text characters. strings will pull any binary data out of the file that corresponds to a text character. Text characters include letters (abc), numbers (123), and symbols (&^,*).
Here is the output of the strings command used on the STEG.jpg file:

Guide
Searching Standard Output (stdout): grep
The output of the strings command can be searched with another command: grep.
grep is a powerful search command that looks for characters matching the exact string entered by the user. grep is often used with the pipe character ( | ) to search the output of other commands or to format the output of grep.
This challenge specifies that a flag is contained in the image; therefore, grep could be used to look for binary data that converts to characters resembling the standard flag format. This can be done using the command below:
strings STEG1.jpg | grep SKY
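To make clear what the two commands in that pipeline actually do, here is an added example (written for this guide, not part of the original challenge material) that re-implements the core of strings and grep in Python and runs them over a constructed byte blob. The blob, its JFIF-style header and the placeholder flag SKY-EXAM-0000 are all made up for the example; the real challenge image and flag are not used.

```python
"""Minimal re-implementation of `strings` and `grep` so the walk-through's
pipeline can be traced step by step. Added example, not from the original guide."""
import re

# Constructed sample: a fake JPEG-like byte blob. The header bytes are only
# illustrative, and the flag spliced into the middle is a placeholder value.
SAMPLE_IMAGE = (
    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + bytes(range(0, 256)) * 2          # "pixel data": every byte value, mostly non-text
    + b"SKY-EXAM-0000"                  # constructed placeholder flag hidden in the data
    + bytes(range(255, -1, -1)) * 2
    + b"\xff\xd9"
)

# Space through '~': the bytes this simplified version treats as text.
PRINTABLE = set(range(0x20, 0x7F))


def strings(data: bytes, min_len: int = 4) -> list:
    """Return every run of at least `min_len` printable ASCII bytes (like `strings -n 4`)."""
    found, run = [], bytearray()
    for b in data:
        if b in PRINTABLE:
            run.append(b)
            continue
        if len(run) >= min_len:          # a non-text byte ends the current run
            found.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:              # flush a run that reaches end of file
        found.append(run.decode("ascii"))
    return found


def grep(lines, pattern: str) -> list:
    """Keep only the lines matching a regular expression (what `grep PATTERN` does)."""
    rx = re.compile(pattern)
    return [ln for ln in lines if rx.search(ln)]


def find_flags(data: bytes) -> list:
    """Equivalent of `strings FILE | grep -o 'SKY-[A-Z0-9]*-[A-Z0-9]*'`."""
    return [m.group(0)
            for ln in strings(data)
            for m in re.finditer(r"SKY-[A-Z0-9]+-[A-Z0-9]+", ln)]


if __name__ == "__main__":
    for s in strings(SAMPLE_IMAGE):
        print(s)                          # the raw `strings` output, including the "JFIF" marker
    print("flags:", find_flags(SAMPLE_IMAGE))
```

Running it prints the long runs of ordinary printable bytes that `strings` always turns up in binary data, which is why piping into grep for the flag prefix is the practical step: on a real image the interesting line would otherwise be buried in noise.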
Using strings is a quick way to see if a flag is hidden within the file without needing to open other programs. However, this challenge could also be solved using a hex editor and searching for SKY as shown below:

Gym Answer Key
1. What is the hidden flag in the image?
How to solve: Run the strings command on the image and search for text that contains “SKY”.
strings STEG1.jpg | grep SKY
Answer: SKY-RCLO-4839
Extension Activities
6-8 | Guess the File Type | Use strings output to guess the type of file. | Give several files without extensions. Students use strings to extract text clues. Guess file types based on the strings (e.g., image metadata, code snippets, document text). |
9-12 | Build Your Own Binary File | Create a file with hidden text and practice extraction. | Use a hex editor or programming language (e.g., Python) to embed text inside a binary file. Use strings to extract it. Reflect on how data can be hidden and recovered. |
Log Analysis
SSH
Objectives
Students will analyze the contents of an SSH log to identify adversarial behavior.
Prompt
Analyze this SSH log file to answer the following questions.
Questions
- What is the hostname of the ssh server that was compromised?
- What was the first IP address to attack the server?
- What was the second IP address to attack the server?
- What was the third IP address to attack the server?
- Which user was targeted in the attack?
- From which IP address was the attacker able to successfully log in?
Walk-through
This challenge will give you experience doing a manual analysis of an SSH (Secure Shell Protocol) log file. SSH is a service that allows a device to provide remote terminal access. No additional tools are required to solve this challenge, only the ability to infer the meaning of the data in the log.
To start, look at the content of the log. If you’re unfamiliar with SSH logs, you can query the internet to find out more about how they are structured and what different terms used in the log mean.

The message field will often include warnings or errors. The event details field will include when sessions initiate or authentication attempts.
The questions for this challenge imply that there is an attack on the server. To understand what that could mean, look at more of the log file. There seem to be a lot of failed password attempts for a certain account trying to connect to the server.

Looking more closely at the messages, it’s evident that connections are coming from various IP addresses for the same user in a very short amount of time. That is odd behavior for a legitimate user trying to log in; therefore, looking at the “Failed password” attempts is critical to finding which IP addresses are attacking the server and which account is being targeted.
In order to determine which IP address the attacker was able to log in from, we need to find a message that communicates a login attempt was successful. Scroll through the log file to find the line that includes “Accepted password”.
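The reasoning above (order of attacking IPs, targeted account, accepted login) can be automated rather than done by scrolling. The following added example, written for this guide and not part of the challenge files, parses sshd lines of the format shown in the answer key. The log is a constructed sample that reuses the hostname myraptor, the user harvey and the three IP addresses from the answer key; the timestamps, PIDs and ports are made up.

```python
"""Parse sshd log lines and reconstruct the attack the walk-through describes.
Added example, not from the original guide; the log sample is constructed."""
import re
from collections import Counter

# Constructed sample log in the same layout as the answer key's excerpts.
SAMPLE_LOG = """\
Oct 11 10:12:00 myraptor sshd[29459]: Server listening on 0.0.0.0 port 22.
Oct 11 10:12:25 myraptor sshd[29465]: Failed password for harvey from 169.139.243.218 port 57273 ssh2
Oct 11 10:12:27 myraptor sshd[29465]: Failed password for harvey from 169.139.243.218 port 57273 ssh2
Oct 11 10:13:02 myraptor sshd[29470]: Failed password for harvey from 56.13.188.38 port 40118 ssh2
Oct 11 10:13:40 myraptor sshd[29475]: Failed password for harvey from 30.167.206.91 port 50212 ssh2
Oct 11 10:20:11 myraptor sshd[29512]: Failed password for harvey from 56.13.188.38 port 40120 ssh2
Oct 11 10:36:59 myraptor sshd[30003]: Accepted password for harvey from 30.167.206.91 port 55326 ssh2
"""

# syslog prefix: "<Mon> <day> <hh:mm:ss> <hostname> sshd[<pid>]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]{8}) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# authentication messages: "Accepted|Failed password for [invalid user ]<user> from <ip> port <port>"
AUTH_RE = re.compile(
    r"^(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port (?P<port>\d+)"
)


def parse(log: str) -> list:
    """Turn each log line into a dict; non-auth lines get result=None."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # ignore lines that are not sshd syslog entries
        ev = m.groupdict()
        auth = AUTH_RE.match(ev["msg"])
        if auth:
            ev.update(auth.groupdict())
        else:
            ev["result"] = None
        events.append(ev)
    return events


def hostname(events) -> str:
    """Question 1: the hostname sits right after the timestamp on every line."""
    return events[0]["host"]


def attacking_ips_in_order(events) -> list:
    """Questions 2-4: IPs with failed logins, in order of first appearance."""
    seen = {}
    for ev in events:
        if ev["result"] == "Failed":
            seen.setdefault(ev["ip"], True)   # dicts keep insertion order
    return list(seen)


def targeted_user(events) -> str:
    """Question 5: the account with the most failed attempts."""
    fails = Counter(ev["user"] for ev in events if ev["result"] == "Failed")
    return fails.most_common(1)[0][0]


def successful_login_ips(events) -> list:
    """Question 6: source IP of every 'Accepted password' line."""
    return [ev["ip"] for ev in events if ev["result"] == "Accepted"]


def suspicious_successes(events) -> list:
    """Detection view: accepted logins from an IP that earlier failed against the same account."""
    failed = {(ev["ip"], ev["user"]) for ev in events if ev["result"] == "Failed"}
    return [ev["ip"] for ev in events
            if ev["result"] == "Accepted" and (ev["ip"], ev["user"]) in failed]


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print(hostname(ev), attacking_ips_in_order(ev), targeted_user(ev), successful_login_ips(ev))
```

The last function is the one a defender would keep: a success that follows failures from the same source against the same account is the pattern that distinguishes a credential-guessing attack from a user who mistyped a password once.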
Gym Answer Key
- What is the hostname of the SSH server that was compromised?
- What was the first IP address to attack the server?
- What was the second IP address to attack the server?
- What was the third IP address to attack the server?
- Which user was targeted in the attack?
- From which IP address was the attacker able to successfully log in?
How to solve: This can be solved by finding the hostname, which is listed directly after the timestamp for each entry in the log.
Oct 11 10:12:00 myraptor sshd[29459]: Server listening on 0.0.0.0 port 22.
Answer: myraptor
How to solve: This can be solved by identifying the IP address of the attacker in the first “Failed password” entries.
Oct 11 10:12:25 myraptor sshd[29465]: Failed password for harvey from 169.139.243.218 port 57273 ssh2
Answer: 169.139.243.218
How to solve: This can be solved in the same way as the previous question by looking at the subsequent “Failed password” entries.
Answer: 56.13.188.38
How to solve: This can be solved in the same way as the previous question by looking at the subsequent “Failed password” entries.
Answer: 30.167.206.91
How to solve: This can be solved by identifying the name of the account that had failed password attempts. Search for “Failed password” and then look for the account name.
Oct 11 10:12:25 myraptor sshd[29465]: Failed password for harvey from 169.139.243.218 port 57273 ssh2
Answer: harvey
How to solve: This can be solved by searching for the entry that has “Accepted password”.
Oct 11 10:36:59 myraptor sshd[30003]: Accepted password for harvey from 30.167.206.91 port 55326 ssh2
Answer: 30.167.206.91
Extension Activities
6-8 | Log Line Match Game | Learn SSH terminology and log meanings. | Match terms like Accepted password, Failed password, port, user, IP to their meanings. Color code log lines by type (green for success, red for failed attempts). |
9-12 | Create Your Own SSH Log Puzzle | Design and share SSH log puzzles with classmates. | Students write their own fake SSH logs with a narrative: attack, success, mistake, etc. Swap puzzles and analyze each other’s scenarios. |
Login
Objectives
Students will use command line tools to analyze a custom application log format.
Prompt
Analyze a custom application login event log to help us understand user behavior.
Questions
- How many total login attempts were made in this log?
- How many unique usernames appear in this log?
- What is the username with the most login attempts?
- How many attempts were made for the username with the most login attempts?
- What is the date with the most login attempts?
- What is the username that had logins from the most unique IP addresses?
Walk-through
This challenge involves analyzing a custom application log format that uses tab-delimited columns. The tab-delimited format is well-suited for the cut tool to extract specific columns from the log. cut can be used in combination with several other Linux command line utilities to obtain the answers to the questions.
Using head and tail to see the first few or last few lines:
To start, use ls to list the files in the directory; you should see login.log. The cat command can be used to display the contents of the file. Sometimes, log files can be quite long, so to avoid having to scroll back up through several lines, use head or tail to see just the first few lines or the last few lines. Used with no arguments, they display 10 lines by default.
This can be helpful for log files that have column headers: using head instead of cat will display the column names and the first few lines of data.
Counting words or lines in the output:
Piping the output to the wc command (short for word count) with the -l flag (lower case L for “lines”) will count the lines in the output.
Display only one column with cut:
To display only the usernames, use the cut command with the -f flag to extract field 3 (the username column). The default delimiter for cut is a tab.
Sorting a list alphabetically and displaying unique output:
The usernames can be sorted alphabetically by piping the output through the sort command.
Some usernames are listed twice. To list only the unique entries, use the uniq command.
The -c flag will show the number of times an entry occurs in the output.
Please note that uniq -c without sort will yield a different (and incorrect) result because uniq -c only counts consecutive duplicate lines. If the same line appears multiple times, but not next to each other, uniq -c cannot identify them: sort puts all identical lines next to each other, allowing uniq -c to count them properly.
This list can be sorted again, this time numerically, with the -n flag.
Other features of cut:
The output can be piped through cut -f 1,3 to display the first column (Date and Time) and the third column (usernames).
To display only the date (without the timestamp), use cut -d " " -f 1. This tells cut to split the line by spaces (instead of the default tab) and extract the first field.
Gym Answer Key
- How many total login attempts were made in this log?
- How many unique usernames appear in this log?
- What is the username with the most login attempts?
- How many attempts were made for the username with the most login attempts?
- What is the date with the most login attempts?
- What is the username that had logins from the most unique IP addresses?
How to solve: Get the line count of the log. (Reminder: at the end of the command, that is a lower case ‘L’ not a number 1)
cat login.log | wc -l
Answer: 6063
How to solve: Extract the third field (with the usernames) of the log, sort the usernames, get the unique usernames, and then get a line count of the number of unique usernames.
cat login.log | cut -f 3 | sort | uniq | wc -l
Answer: 1879
How to solve: Extract the third field (with the usernames) of the log, sort the usernames, get a frequency count of each unique username, and then sort the unique usernames by frequency.
cat login.log | cut -f 3 | sort | uniq -c | sort -n
Answer: ntory
How to solve: Use the same command as the question above.
cat login.log | cut -f 3 | sort | uniq -c | sort -n
Answer: 124
How to solve: Extract the first field (with the date+time) of the log, extract just the date, sort the dates, get a frequency count of each unique date, and then sort the unique dates by frequency.
cat login.log | cut -f 1 | cut -d " " -f 1 | sort | uniq -c | sort -n
Answer: 2011-03-23
How to solve: Extract the second field (with the IP address) and third field (with the username) of the log, sort the IP/username pairs, get the unique IP/username pairs, then extract just the usernames from each pair, sort the usernames, get a frequency count of how many unique pairs each username has, and then sort by frequency.
cat login.log | cut -f 2,3 | sort | uniq | cut -f 2 | sort | uniq -c | sort -n
Answer: wlfla0190
Extension Activities
6-8 | Login Color Code | Visually interpret log entries. | Print or display several log lines. Students highlight: Green: successful logins; Red: failed logins; Blue: IP addresses. Discuss: What can logs tell us about system usage? |
9-12 | User Behavior Profile | Analyze and profile user activity. | Provide anonymized logs for 2–3 users. Students summarize: login times, access locations (IP), behavior patterns. Discuss: What’s normal vs suspicious? |
Nginx
Objectives
Students will analyze an nginx access log.
Prompt
Analyze an nginx access log and answer questions about what happened.
Questions
- How many different IP addresses reached the server?
- How many requests yielded a 200 status?
- How many requests yielded a 400 status?
- What IP address rang at the doorbell?
- What version of the Googlebot visited the website?
- Which IP address attempted to exploit the shellshock vulnerability?
- What was the most popular version of Firefox used for browsing the website?
- What is the most common HTTP method used?
- What is the second most common HTTP method used?
- How many requests were for \x04\x01\x00P\xC6\xCE\x0Eu0\x00?
Walk-through
Video tutorial: Cyber Skyline NCL Summer Live - Log Analysis 1 - July 8 2021
This challenge involves analyzing an nginx access log. The questions can be solved through manual inspection of the file and by using basic Linux commands to parse the log.
Looking through the first few lines of the log, it is apparent that the IP addresses are the first field in each line.
To answer the first question, the IPs need to be extracted, sorted, filtered for only unique ones, and counted. This can be done with cut, sort, uniq and wc.
For a more thorough explanation of these commands, refer to the Walkthrough for Log Analysis Challenge Login.
Extracting data from a column in a log file:
Looking at the first screenshot, the HTTP return codes are in the fourth field from the last.
The field right before it is enclosed in double quotes, so " can be used as a delimiter with cut. The first field before the " will contain data from the IP address to the timestamp. The second field, starting with GET, is the actual HTTP request. Therefore, the return codes will be the third field when a double quote is used as the delimiter.
*Note: you only need to use one " between two single quotes in the cut command.
A portion of the output of cat access.log | cut -d '"' -f3 is shown here:
To eliminate the second column from this output, the output can be piped through another cut command using a space as the delimiter. There is a space before the HTTP return codes as well, so the codes will be the second field after the first “space”.
Now that we are working with the HTTP return codes, we can sort and count the code occurrences.
Matching patterns with grep:
The remaining parts of this challenge require using grep, a tool that can be used to search entries for a keyword. Refer to the Linux: Basic Commands Walkthrough for more information on using grep. Using grep with the -o flag tells grep to print only the part of the line that matches the pattern, instead of the entire line.
To answer the questions about the HTTP methods used (here is a resource to learn more about HTTP request methods: https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Methods), we can approach it two ways. First, use cut to extract the field containing the HTTP request (enclosed in double quotes), then cut out the first field within it, which contains the actual HTTP request method, and sort it and count the unique values. This method should be familiar from the process we worked through before. sort -rn will list the output in reverse numeric order, so the term with the highest number of occurrences is listed at the top.
Extracting columnar data with awk:
We can also use awk to get the desired output. It is a powerful text processing tool that treats any amount of whitespace as a single field separator by default, as compared to cut, which treats only a tab as the default field separator. Therefore, for awk, the HTTP request method would be the 6th field from the left.
Backslash - Escape character:
The last question prompts us to look for a raw byte sequence in the log file. If grep '\41' access.log was used, the Linux shell is going to convert the byte to ASCII and look for ‘A’ instead. To prevent the shell from interpreting the backslash as an escape character, it needs to be escaped with another backslash as follows: grep '\\41' access.log. This ensures grep receives the full byte sequence and not the translated character.
grep '\\x04' access.log
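The following added example (written for this guide; the challenge's access.log is not used) parses a constructed six-line combined-format nginx log both the way the cut and awk pipelines above do and with a regular expression that is not fooled by spaces inside the quoted fields. It also shows why the last answer in the key needs doubled backslashes: nginx writes a non-printable request byte into the log as the four literal characters \xHH, so the file contains backslash characters, and a pattern that has to match a literal backslash writes it as \\. Every IP address, path and user agent in the sample is a placeholder; the Googlebot and Firefox user-agent strings follow their public formats.

```python
"""Parse nginx access-log lines the way the walk-through's cut/awk pipelines do, plus a
regex version that copes with spaces inside quoted fields. Added example, not from the
guide; the log lines are constructed."""
import re
from collections import Counter

# Constructed sample in nginx "combined" format. The request on the last two lines is the
# literal text nginx writes when a client sends non-printable bytes.
SAMPLE_LOG = r'''203.0.113.7 - - [12/Mar/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0"
203.0.113.7 - - [12/Mar/2021:10:00:05 +0000] "GET /doorbell HTTP/1.1" 404 153 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0"
198.51.100.4 - - [12/Mar/2021:10:01:10 +0000] "POST /login HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.4 - - [12/Mar/2021:10:01:12 +0000] "GET /admin HTTP/1.1" 400 0 "-" "Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0"
192.0.2.99 - - [12/Mar/2021:10:02:00 +0000] "\x04\x01\x00P\xC6\xCE\x0Eu0\x00" 400 166 "-" "-"
192.0.2.99 - - [12/Mar/2021:10:02:01 +0000] "\x04\x01\x00P\xC6\xCE\x0Eu0\x00" 400 166 "-" "-"'''

# ip ident user [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse(log: str) -> list:
    return [m.groupdict() for m in map(LINE_RE.match, log.splitlines()) if m]


def status_via_cut(line: str) -> str:
    """cut -d '"' -f3 | cut -d ' ' -f2 : third quote-delimited field, then second space field."""
    return line.split('"')[2].split(" ")[1]


def cross_check(log: str) -> bool:
    """The cut-style extraction and the regex agree on the status code of every line."""
    return all(status_via_cut(line) == row["status"]
               for line, row in zip(log.splitlines(), parse(log)))


def unique_ips(log: str) -> int:
    """cut -d " " -f 1 | sort | uniq | wc -l"""
    return len({r["ip"] for r in parse(log)})


def status_counts(log: str) -> Counter:
    return Counter(r["status"] for r in parse(log))


def method_counts(log: str) -> Counter:
    """First token of the request. The page's awk '{print $6}' yields the same token,
    with the opening double quote still attached to it."""
    return Counter(r["request"].split(" ")[0] for r in parse(log))


def firefox_versions(log: str) -> Counter:
    """grep -o "Firefox/.*" | sort | uniq -c, restricted to the version number."""
    return Counter(v for r in parse(log) for v in re.findall(r"Firefox/[\d.]+", r["agent"]))


RAW_REQUEST = r"\x04\x01\x00P\xC6\xCE\x0Eu0\x00"   # literal backslash text as stored in the log


def escaped_pattern(raw: str = RAW_REQUEST) -> str:
    """re.escape doubles every backslash, exactly as the answer key's grep pattern does."""
    return re.escape(raw)


def count_raw_requests(log: str, raw: str = RAW_REQUEST) -> int:
    pattern = re.compile(escaped_pattern(raw))
    return sum(1 for line in log.splitlines() if pattern.search(line))


if __name__ == "__main__":
    print(unique_ips(SAMPLE_LOG), status_counts(SAMPLE_LOG), method_counts(SAMPLE_LOG))
    print(firefox_versions(SAMPLE_LOG), count_raw_requests(SAMPLE_LOG))
```

One thing the sample makes visible that the answer key does not: a malformed request has no spaces, so whatever the client sent turns up as a "method" in the frequency table. Anything in that table that is not a real HTTP verb is worth a second look.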
Gym Answer Key
- How many different IP addresses reached the server?
- How many requests yielded a 200 code?
- How many requests yielded a 400 code?
- What IP address rang at the doorbell?
- What version of the Googlebot visited the website?
- Which IP address attempted to exploit the shellshock vulnerability?
- What was the most popular version of Firefox used for browsing the website?
- What is the most common HTTP method used?
- POST
- PUT
- DELETE
- HEAD
- CONNECT
- What is the second most common HTTP method used?
- GET
- POST
- PUT
- HEAD
- DELETE
- How many requests were for \x04\x01\x00P\xC6\xCE\x0Eu0\x00?
How to solve: Extract the first field (with the IP addresses), sort the IP addresses, get the unique IP addresses, and then get a line count.
cat access.log | cut -d " " -f 1 | sort | uniq | wc -l
Answer: 47
How to solve: Extract the third field after double quotes as the delimiter (which includes the HTTP codes), sort the codes, get the unique values with a count of the occurrences of each. Optional: sort in descending numeric order.
cat access.log | cut -d '"' -f3 | cut -d ' ' -f2 | sort | uniq -c | sort -rn
Answer: 19
How to solve: Same as the question above.
cat access.log | cut -d '"' -f3 | cut -d ' ' -f2 | sort | uniq -c | sort -rn
Answer: 38
How to solve: Search for “bell”
cat access.log | grep "bell"
Answer: 186.64.69.141
How to solve: Search for “Googlebot”
cat access.log | grep "Googlebot"
Answer: 2.1
How to solve: Search online for details about the Shellshock vulnerability. You should be able to find that the presence of this sequence of characters () { :; };
is an indication of an attempted exploitation of this vulnerability. With this knowledge, search the log for any lines with that sequence of characters.
cat access.log | grep '() { :; };'
Answer: 61.161.130.241
How to solve: Search the log for all lines that contain “Firefox” and the following characters which make up the version number, sort those values, and then get a unique count.
cat access.log | grep -o "Firefox/.*" | sort | uniq -c
Answer: Firefox/31.0
How to solve: Extract the 6th field (with the HTTP method), sort, get the unique values with a count of the occurrences of each value, and then sort in descending numeric order.
cat access.log | awk -F " " '{print $6}' | sort | uniq -c | sort -rn
Answer: GET
How to solve: Use the same command as the question above.
cat access.log | awk -F " " '{print $6}' | sort | uniq -c | sort -rn
Answer: CONNECT
How to solve: Search the log for all lines that contain that sequence of characters and then get a line count. Note that that command requires two backslashes for each original backslash to perform a proper escape sequence for the backslash.
cat access.log | grep '\\x04\\x01\\x00P\\xC6\\xCE\\x0Eu0\\x00' | wc -l
Answer: 6
Extension Activities
6-8 | Website Detective | Match access log lines to website actions. | Give students fictional scenarios (e.g., visiting a page, clicking a link). Match them to the correct NGINX access log line. Match errors to misclicks (e.g., 404 for broken links). |
9-12 | Traffic Pattern Analysis | Analyze a set of access logs for usage trends. | Provide a few dozen real or simulated NGINX access log lines. Have students: count total visits; identify top-requested URLs; chart visit frequency over time. Use spreadsheets or visual tools for analysis. |
History
Objectives
Students will use SQL commands to analyze a SQLite database.
Prompt
Analyze a Firefox SQLite history database and answer questions about what happened. If you are not familiar with SQL, you may want to learn more about SQL here: https://www.tutorialrepublic.com/sql-tutorial/
Questions
- What did the user search for on craigslist?
- What was the current price (USD) of bitcoin when the user was browsing?
- What Bitcoin exchange did the user log in to?
- What is the email that was used to log into the exchange?
- What was the ID of the Bitcoin transaction that the user looked at?
- What was the total BTC value of all the inputs of the Bitcoin transaction?
- Which bitcoin address received the majority of the Bitcoin in the transaction?
Walk-through
Video tutorial: Cyber Skyline Cyber Skyline Live: Analyzing an SQL Database - Nov 3, 2022
This challenge will give you experience analyzing a SQLite database. The answers can be obtained by using the sqlite3 Linux program or a GUI-based viewer. There are also browser-based SQLite viewers such as https://inloop.github.io/sqlite-viewer/.
Click into the terminal on the Cyber Skyline platform. The browser.sqlite file is in the current directory. Use the command sqlite3 browser.sqlite to start the SQLite program.
The sqlite> prompt will indicate that the SQLite program has started. Use the command .tables to see all of the database tables available to view.
Use the command SELECT * FROM moz_hosts; (or use any of the other table names) to view the information contained in the tables. The wildcard indicates that we want to select all the columns, and the semicolon at the end signals the end of the query, like a full stop at the end of a sentence.
Searching for “Firefox SQLite database” can help narrow down which tables to look through. This site mentions that moz_places contains the sites visited, so that might be helpful for the first few questions: Places.sqlite - MozillaZine Knowledge Base.
The columns in the moz_places table can be listed with PRAGMA table_info(moz_places);
For the first question, look for the user’s search on craigslist. This information is most likely to be in the ‘url’ column, so we can display that with the query select url from moz_places;
The price of bitcoin when the user was browsing will show up in the “title” column in this table. Search for the $ sign with select * from moz_places where title like '%$%';
For question 3, run select url from moz_places; and scroll to see where the user signs in.
To find the user’s gmail account, query the table for any titles containing ‘gmail’ with select * from moz_places where title like '%gmail%';
Scrolling further down in the output of select url from moz_places;, we can see the transaction ID that the user looked at.
The remaining questions can be answered by visiting the URLs that are listed inside the database. The URL with id 290 is for a bitcoin transaction listed on blockchain.info. The main page displays the ID as well as the total value of the inputs.
The Bitcoin transaction ID and the amounts that were transferred are all listed on the blockchain.info page.
Alternatively for this challenge, you can upload the SQLite database file to the SQLite Viewer Web App to navigate through a GUI.
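The same queries can be run from Python's built-in sqlite3 module, which is handy when the sqlite3 command line program is not installed. The following added example (written for this guide; the challenge's browser.sqlite is not used) builds an in-memory table named moz_places with the id, url, title and visit_count columns that the real Firefox schema has, fills it with constructed rows, and runs the walk-through's PRAGMA and LIKE queries plus a URL-parsing helper that extracts the search term from the query string instead of reading it by eye. Every URL, title, address and value in the rows is a placeholder.

```python
"""Query a Firefox-style places database with Python's sqlite3 module, running the
same SQL the walk-through types at the sqlite> prompt. Added example, not part of the
guide; the table contents are constructed."""
import sqlite3
from urllib.parse import urlparse, parse_qs

# Constructed rows: (id, url, title, visit_count). Hosts and titles are placeholders.
CONSTRUCTED_ROWS = [
    (1, "https://classifieds.example/search/sss?query=bitcoin&sort=rel", "classifieds search: bitcoin", 1),
    (2, "https://exchange-a.example/", "Exchange A - Buy Bitcoin - $100.00", 2),
    (3, "https://mail.example/mail/u/0/#inbox", "Inbox - user@mail.example - Webmail", 5),
    (4, "https://exchange-b.example/account", "Exchange B - Account Overview", 1),
    (5, "https://explorer.example/tx/txid-placeholder", "Transaction txid-placeholder", 1),
]


def build_db() -> sqlite3.Connection:
    """In-memory stand-in for browser.sqlite with just the columns this example needs."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT, visit_count INTEGER)")
    con.executemany("INSERT INTO moz_places VALUES (?, ?, ?, ?)", CONSTRUCTED_ROWS)
    return con


def columns(con: sqlite3.Connection, table: str = "moz_places") -> list:
    """PRAGMA table_info(<table>); the column name is the second field of each row.
    Table names cannot be bound as parameters, hence the f-string."""
    return [row[1] for row in con.execute(f"PRAGMA table_info({table})")]


def urls(con: sqlite3.Connection) -> list:
    """select url from moz_places;"""
    return [u for (u,) in con.execute("SELECT url FROM moz_places ORDER BY id")]


def titles_like(con: sqlite3.Connection, fragment: str) -> list:
    """Parameterised form of: select * from moz_places where title like '%<fragment>%';"""
    sql = "SELECT id, url, title FROM moz_places WHERE title LIKE ? ORDER BY id"
    return con.execute(sql, (f"%{fragment}%",)).fetchall()


def search_terms(con: sqlite3.Connection, param: str = "query") -> list:
    """Pull the value of a query-string parameter out of every stored URL."""
    terms = []
    for u in urls(con):
        terms.extend(parse_qs(urlparse(u).query).get(param, []))
    return terms


if __name__ == "__main__":
    con = build_db()
    print(columns(con))
    print(search_terms(con))                  # the search term, without eyeballing the URL
    print(titles_like(con, "$"))              # rows whose title carries a price
    print(titles_like(con, "mail.example"))   # rows whose title carries the mailbox address
```

The LIKE pattern is passed as a bound parameter rather than pasted into the SQL string; it makes no difference for a local history file, but it is the habit to keep whenever the fragment comes from user input.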

Helpful Tools:
Gym Answer Key
- What did the user search for on craigslist?
- What was the current price (USD) of bitcoin when the user was browsing?
- What Bitcoin exchange did the user log in to?
- What is the email that was used to log into the exchange?
- What was the ID of the Bitcoin transaction that the user looked at?
- What was the total BTC value of all the inputs of the Bitcoin transaction?
- Which Bitcoin address received the majority of the Bitcoin in the transaction?
How to solve: The user’s search can be seen in row 23 inside the “query” parameter in the URL.
Answer: bitcoin
How to solve: The current price is listed in row 23 in the “title” of Bitstamp’s homepage.
Answer: $239.50
How to solve: The Bitcoin exchange is identified in row 253, which shows the user successfully loading their account page after logging in.
Answer: Coinbase
How to solve: The email can be found on row 47 in the “title” of the Gmail webpage.
Answer: b1gbird@gmail.com
How to solve: The ID of the Bitcoin transaction is the “Hash” value listed on the blockchain.info page.
Answer: 5274cfba585a4b5681527a37f95c76340428916bb7480cef6c545f0a28dcd2d7
How to solve: The total BTC value of the inputs can be obtained by adding up the values of all the BTC inputs on the blockchain.info page.
Answer: 0.22616302
How to solve: The right side of the blockchain.info page contains the addresses and amounts that were sent to each recipient. The address that received the majority of the Bitcoin is the one that was sent the most BTC.
Answer: 18z6bTFjxkXCmhfp8YBetR2wgmoVjXGJZz
Extension Activities
6-8 | Log Story Sequencing Game | Reconstruct a digital activity timeline. | Provide cut-out log line cards in mixed-up order: User logs in at 8:00; User opens a document; User edits document; User deletes a file; User logs out. Activity: Students rearrange the cards into the correct order. They write a one-paragraph summary of what happened based on the log. |
9-12 | Command Frequency Analysis | Determine behavior based on command frequency. | Provide a long history list with command repetition. Students: Tally top 5 used commands. Infer the user’s job (developer, admin, attacker?). Discuss what's "normal" vs "abnormal" usage. |
Squid
Objectives
Students will analyze a Squid proxy log.
Prompt
Analyze this Squid proxy log to answer the following questions.
Questions
- In what year was this log saved?
- How many milliseconds did the fastest request take?
- How many milliseconds did the longest request take?
- How many different IP addresses did the proxy service in this log?
- How many GET requests were made?
- How many POST requests were made?
- What company created the antivirus used on the host at 192.168.0.224?
- What URL is used to download an antivirus update?
Walk-through
Video tutorial: Cyber Skyline NCL Summer Live - Log Analysis 2 - July 15 2021
This challenge involves analyzing a Squid proxy log. Basic scripting knowledge is necessary to complete the challenge in a reasonable amount of time.
Use head to see the first few lines of the log. The first field, commonly the time, is in an odd format of numbers and decimals. This is epoch time. Epoch time is the time in seconds from January 1 1970 at midnight.
Converting an epoch timestamp to a human-readable date:
Online tools can be used to convert the timestamp to a human-readable format (see tools below), or you can use the date command to convert it within Linux.
Using awk to extract column data:
To answer the second and third questions, looking up the format of a Squid log (https://wiki.squid-cache.org/Features/LogFormat) shows that the field after the timestamp represents the time spent by the proxy in processing the client request, shown in milliseconds. To extract this field, we can use awk '{print $2}' and sort -n to sort numerically.
The last question can be answered by extracting the IP address field, sorting and counting the number of unique values with awk '{print $3}' | sort | uniq | wc -l.
For other examples of using awk, refer to Log Analysis challenge Nginx.
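The following added example (written for this guide; the challenge's squid_access.log is not used) parses a constructed five-line log in Squid's native format, whose field order (timestamp, elapsed milliseconds, client IP, result code, bytes, method, URL, ident, hierarchy, MIME type) is the one the linked Squid documentation describes, and answers the section's questions in Python, including the GET/POST counts and the per-client URL listing that the answer key leaves out. Timestamps fall in 2010 to match the key; the client IPs, hosts and URLs are placeholders.

```python
"""Parse Squid native access-log lines and answer the section's questions in Python
instead of awk/sort/uniq. Added example, not part of the guide; the log is constructed."""
from collections import Counter
from datetime import datetime, timezone

# Constructed sample in Squid's native format; awk-style whitespace separation applies.
SAMPLE_LOG = """\
1265898440.105   1234 192.168.0.224 TCP_MISS/200 5432 GET http://av-vendor.example/update/defs.dat - DIRECT/203.0.113.10 application/octet-stream
1265898441.377      7 192.168.0.224 TCP_HIT/200 1830 GET http://www.example.com/ - NONE/- text/html
1265898450.902  30500 192.168.0.17 TCP_MISS/200 91023 GET http://cdn.example/big.zip - DIRECT/203.0.113.11 application/zip
1265898460.013    210 192.168.0.31 TCP_MISS/200 612 POST http://forms.example/submit - DIRECT/203.0.113.12 text/html
1265898470.550     97 192.168.0.17 TCP_MISS/404 0 GET http://www.example.com/missing - DIRECT/203.0.113.10 text/html
"""

FIELDS = ("timestamp", "elapsed_ms", "client", "result", "bytes",
          "method", "url", "ident", "hierarchy", "mime")


def parse(log: str) -> list:
    """Split each line on runs of whitespace, like awk's default field splitting."""
    rows = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue                       # skip blank or malformed lines rather than crash
        row = dict(zip(FIELDS, parts))
        row["timestamp"] = float(row["timestamp"])
        row["elapsed_ms"] = int(row["elapsed_ms"])
        rows.append(row)
    return rows


def to_datetime(epoch: float) -> datetime:
    """Epoch seconds -> timezone-aware UTC datetime (what `date -u -d @TS` prints)."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc)


def log_year(log: str) -> int:
    return to_datetime(parse(log)[0]["timestamp"]).year


def fastest_ms(log: str) -> int:
    """awk '{print $2}' | sort -n   (first line)"""
    return min(r["elapsed_ms"] for r in parse(log))


def slowest_ms(log: str) -> int:
    """awk '{print $2}' | sort -n   (last line)"""
    return max(r["elapsed_ms"] for r in parse(log))


def unique_clients(log: str) -> int:
    """awk '{print $3}' | sort | uniq | wc -l"""
    return len({r["client"] for r in parse(log)})


def method_counts(log: str) -> Counter:
    """awk '{print $6}' | sort | uniq -c"""
    return Counter(r["method"] for r in parse(log))


def urls_for_client(log: str, ip: str) -> list:
    """Everything one client fetched through the proxy, e.g. to spot an update download."""
    return [r["url"] for r in parse(log) if r["client"] == ip]


if __name__ == "__main__":
    print(log_year(SAMPLE_LOG), fastest_ms(SAMPLE_LOG), slowest_ms(SAMPLE_LOG))
    print(unique_clients(SAMPLE_LOG), method_counts(SAMPLE_LOG))
    print(urls_for_client(SAMPLE_LOG, "192.168.0.224"))
```

Sorting the elapsed column as text (sort without -n) would put 7 after 30500 because "7" sorts after "3"; the int() conversion in parse is the Python counterpart of the -n flag.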
Helpful Tools:
Gym Answer Key
- In what year was this log saved?
- How many milliseconds did the fastest request take?
- How many milliseconds did the longest request take?
- How many different IP addresses did the proxy service in this log?
How to solve: Take any of the Epoch timestamps and convert them into a human-readable date. An online tool, such as Epoch Converter, can be used to do this.
Answer: 2010
How to solve: Extract the second field (the response time) and then sort the results numerically
cat squid_access.log | awk '{print $2}' | sort -n
Answer: 5
How to solve: Same as the question above.
cat squid_access.log | awk '{print $2}' | sort -n
Answer: 41762
How to solve: Extract the third field (the IP address of the proxy client), sort, get the unique values, and then get the line count.
cat squid_access.log | awk '{print $3}' | sort | uniq | wc -l
Answer: 4
Extension Activities
6-8 | URL Scavenger Hunt | Explore responsible internet use. | Provide fake Squid logs with safe and unsafe URLs. Students highlight URLs that are: educational; entertainment; suspicious or inappropriate. Discussion: Why might schools block certain content? |
9-12 | Attack Simulation: Malicious Site Detection | Detect unsafe browsing behavior. | Some logs include suspicious URLs (e.g., phishing sites). Students must: identify risky URLs; explain why they are suspicious; suggest how the network should respond (block? notify? educate?). |