Standard Instructor Guide

Open Source Intelligence

Tutorial Video

Watch our full Tutorial Video to learn more about open source intelligence and see a walkthrough of how to solve this challenge:

Cyber Skyline Live - Open Source Intelligence Basics - March 17, 2022

In Cyber Skyline Live - Open Source Intelligence Basics, you'll learn from Franz Payer, CEO of Cyber Skyline, about how to leverage online search tools to find key information. Reach out with questions at contact@cyberskyline.com. Cyber Skyline is the organizer of the National Cyber League, a bi-annual, all-virtual cybersecurity student competition, advancing hands-on skills and knowledge. Check the website at nationalcyberleague.org for details on NCL.

www.youtube.com

Cyber Skyline Live - Open Source Intelligence Basics - March 17, 2022

Gym Answer Key

When was the image created? (Round to the nearest minute) How to solve: See the “Create Date” field from the metadata viewer Answer: 2015/05/15 02:14
What is the image size in pixels? (ex: 800x600) How to solve: See the “Image Size” field from the metadata viewer Answer: 1024x768
What is the make of the camera that took the picture? How to solve: See the “Make” field from the metadata viewer Answer: apple
What is the model of the camera that took the picture? How to solve: See the “Model” field from the metadata viewer Answer: iphone 5
What is the exposure time for the picture? (ex: 1/200) How to solve: See the “Exposure Time” field from the metadata viewer Answer: 1/640
Where was the picture taken? Please use only positive numbers with 4 decimal places. (ex: 45.4000N, 75.6667W) How to solve: See the “GPSPosition” field from the metadata viewer| Possible answers: ● 39.8750N 20.0100E ● 39.8750N, 20.0100E ● 39 deg 52' 30.00" N, 20 deg 0' 36.00" E ● 39 deg 52' 30.00" N 20 deg 0' 36.00" E ● 39.8750 20.0100 ● N 39° 52' 30'' E 20° 0' 36'’ ● Latitude 39:52:30 Longitude 20:0:36 ● 39; 52;30 20;0; 36 ● 39º 52' 30.00" N, 20º 0' 36.00" E Incorrect answers: ● 39.8750 -20.0100 ● -39.8750 -20.0100 ● -39.8750N, 20.0

Extension Activities

Grade level	Extension Activity	Objective	Activity Steps
6-8	News Verification Lab	Distinguish between real and fake news using OSINT techniques.	Give students headlines or short articles. Ask them to:Reverse image search pictures Check sources Cross-reference news stories
9-12	OSINT Tools Treasure Hunt	Explore safe, open-source tools.	Tools: WHOIS lookup, Google Earth, The Wayback Machine, Social Search Engines (e.g., Social Searcher, IntelX) Activity: Create a challenge where students have to: Find who owns a domain Look at archived versions of a website (use wayback machine) Track public social posts for patterns

Lookup

Objectives

Students will be able to find and use a specification document to answer questions about DNS.

Prompt

Answer these questions about DNS. Make sure you enter the record type and not the description of the record type.

Questions

Answer these questions about DNS. Make sure you enter the record type and not the description of the record type:

What type of DNS record holds the DNSSEC public signing key?
What type of DNS record is used to map hostnames to IPv6 addresses?
What type of DNS record is used to delegate a DNS zone?

Walk-through

This challenge will give you experience conducting online research in order to answer specific technical questions involving the Domain Name System (DNS) protocol.

A quick online search of each question should provide several sources with the answer. Be careful to make sure that the answer that you obtain can be verified using an authoritative source. If you search for “DNS protocol specification”, you should find that the Internet Engineering Task Force (IETF) publishes the specification for DNS. You should use IETF resources as the authoritative source for answers.

Knowing how to read and understand a specification document is important because many technologies across all industries use these types of documents to keep implementation uniform.

Gym Answer Key

What type of DNS record hold the DNSSEC public signing key?

How to solve: DNSSEC is described in RFC 4034. The information related to the record can be found in section 2.

Answer: DNSKEY

What type of DNS record is used to map hostnames to IPv6 addresses?

How to solve: The DNS Extension to Support IPv6 is described in RFD 3596. The information related to the record can be found in section 2.

Answer: AAAA

What type of DNS record is used to delegate a DNS zone?

How to solve: The DNS record to delegate a DNS zone is described in RFC 1035. Answer this challenge require reading the specification to understand what it means to delegate a DNS zone in order to identify that they DNS record type that is need to delegate a DNS zone is the one that indicates an authoritative name server.

Answer: NS or Name Server

Extension Activities

6-8	Username Investigation Game	Understand how usernames can reveal a digital trail.	Give a fictional username (e.g., “AlexGamer47”) and have students:Search for it on YouTube, Twitter (using screenshots), or game forums.Record patterns of use: hobbies, interests, locations.Discussion Prompt: Why do people reuse usernames? What can others learn from that?
9-12	Social Media Pattern Analysis	Understand how public posts create patterns.	Using a fictional account (set up by the teacher), have students:Map post times and locationsIdentify potential routinesConnect hashtags to interests or communities

Threat Intel

Objectives

Students will be able to use search tools to answer questions about security topics.

Prompt

Answer the following questions about security issues.

Questions

Answer the following questions about security issues:

What is the CVE of the original POODLE attack?
What version of VSFTPD contained the smiley face backdoor?
What was the first 1.0.1 version of OpenSSL that was NOT vulnerable to heartbleed?
What was the original RFC number that described Telnet?
How large (in bytes) was the SQL Slammer worm?
Samy is my…

Walk-through

This challenge will give you experience conducting research on common security vulnerabilities. All that is required to solve these questions is to query online search engines and find multiple sources to confirm the answers.

Wikipedia can be a good place for open source intelligence work because multiple sources for the information are often linked on the page. Always be sure to double check and verify your answer with another source!

When you want to make searching Wikipedia easier, or search any webpage or document, use CTRL + F on your keyboard and enter what you want to find into the dialog box that pops up.

Gym Answer Key

What is the CVE of the original POODLE attack?

How to solve: The answer to this question can be found on Wikipedia.

Answer: CVE-2014-3566

What version of VSFTPD contained the smiley face backdoor?

How to solve: The answer to this question can be found on Wikipedia.

Answer: 2.3.4

What was the first 1.0.1 version of OpenSSL that was NOT vulnerable to heartbleed?

How to solve: The answer to this question can be found on Wikipedia.

Answer: 1.0.1g

What was the original RFC number that described Telnet?

How to solve: The answer to this question can be found on Wikipedia.

Answer: 15

How large (in bytes) was the SQL Slammer worm?

How to solve: The answer to this question can be found on Wikipedia.

Answer: 376

Samy is my…

How to solve: The answer to this question can be found on Wikipedia.

Answer: hero

Extension Activities

6-8	Build-A-Hacker Workshop (Fictional Personas)	Understand how threat actors gather info.	Given a scenario (e.g., a hacker wants to target a school), students: Use fictional student or staff profiles. Identify what information is publicly available (e.g., school calendar, staff names).Outcome: Students write a short paragraph predicting how the hacker might use the info and how to defend against it. Have students share their writings.
9-12	Fake Job Post Scam Breakdown	Understand how cybercriminals target individuals.	Students analyze fake job posts or emails (pre-curated).Use OSINT to check company legitimacy (e.g., WHOIS, company site vs fake URL).Discussion Prompt: How do threat actors use platforms like LinkedIn to customize attacks?

HTTP Headers

Objectives

Students will be able to find resources to understand different types of HTTP request headers.

Prompt

Solve these questions about HTTP headers.

Questions

Solve these questions about HTTP headers.

What HTTP request header is used to denote what URI linked to the resource being requested?
What HTTP request header is used to identify the client software that made the HTTP request?
What HTTP request header is used to identify the acceptable content types that can be returned?

Walk-through

This challenge will give you experience researching HTTP headers.

The answers to these questions can be found by doing an online search. A full table of HTTP headers can be found on Wikipedia.

Guide

A useful skill for this challenge is to easily search or find keywords or phrases on a webpage. One method involves using the search function by pressing “CTRL + F” on the keyboard. This opens a dialog box where a keyword or short phrase can be entered to find specific content on the page.

It may be helpful to research and define unfamiliar terms from the question beforehand for better comprehension. Afterward, using “CTRL + F” can assist in identifying related terms or similar language within the page content.

💡

Please Note: One of the terms has been misspelled so often that the incorrect spelling is now standard usage. Please make sure you double check the spelling that is used in whatever reputable resource you find!

Gym Answer Key

What HTTP request header is used to denote what URI linked to the resource being requested?

How to solve: The description for this header is, “This is the address of the previous web page from which a link to the currently requested page was followed.” Note that the official specification for this header has “referrer” spelled incorrectly as “referer”.

Answer: referer

What HTTP request header is used to identify the client software that made the HTTP request?

How to solve: The description for this header is, “The user agent string of the user agent.”

Answer: user-agent

What HTTP request header is used to identify the acceptable content types that can be returned?

How to solve: The description for this header is, “Media type(s) that is/are acceptable for the response. See Content negotiation.”

Answer: accept

Extension Activities

6-8	"What’s in a Web Request?" – Header Basics Lab	Introduce basic HTTP headers using simplified, printed mockups.	Present a mock HTTP GET request with headers like User-Agent, Host, and Referer. Ask students to decode what device/browser was used, what website was accessed, and where the request came from. Discussion Prompt: How could this data help someone track you online?
9-12	OSINT Header Case Study	Analyze how HTTP headers were used in a real-world investigation.	Setup: Use a public case (e.g., website misconfiguration or tech stack leakage). Activity: Provide captured headers from the case. Ask students to infer: Server type, Technologies in use, Possible vulnerabilities. Ethics Discussion: When is it okay to analyze headers? What should be off-limits?

WHOIS

Objectives

Students will be able to conduct a WHOIS query to learn publicly available information about a domain name.

Prompt

Conduct open source intelligence data collection about cityinthe.cloud. Answer the following questions as they relate to the cityinthe.cloud domain.

Questions

Conduct open source intelligence data collection about cityinthe.cloud. Answer the following questions as they relate to the cityinthe.cloud domain.

Who is the registrar of this domain?
On what day was this domain first registered?
What is this domain's registry domain ID?
What is the Top-Level Domain (TLD) of this domain?
What organization manages the TLD used by cityinthe.cloud?

Walk-through

This challenge involves conducting a WHOIS query on a domain name. WHOIS is a protocol for querying databases that store information about Internet resources and domain names.

A domain name is a human-readable address that identifies resources on the Internet. Instead of the numerical IP addresses (e.g. 8.8.8.8) that computers use, domain names (e.g. google.com) provide an easier way for humans to access the Internet.

For those unfamiliar with the concept of domain names and the DNS system, the following articles may provide useful background before proceeding with the challenge.

Wikipedia Article

Cloudflare Blog Post

Guide

To solve this challenge, an executable tool (such as the standard whois command-line tool found on *nix systems) can be used or try a browser-based DNS lookup tool such as ICANN’s registration lookup tool.

⚠️

Please note: When using online sources, rely on authoritative or multiple reputable references to avoid inaccurate information. This will help you minimize the risk that you mistakenly obtain incorrect information

Breaking Down a Domain Name

The cityinthe.cloud domain name can be broken down into two components:

cityinthe - The second-level domain

.cloud - The top-level domain (TLD)

💡

The precedence of domain names goes from right to left.

A quick search of the .cloud top-level domain will pull up the Wikipedia article for the .cloud TLD (shown below) which will help provide key information to solving this challenge.

The Wikipedia article for the .cloud TLD

This research shows that the .cloud TLD is delegated by ICANN and managed by Aruba S.p.A., making these two organizations authoritative sources regarding the .cloud TLD. Based on this information, ICANN’s registration lookup tool can be queried with confidence that its results are authoritative and should be preferred over those from third-party sources.

The results of the cityinthe.cloud query on the ICANN lookup tool (below) provide enough information to solve all the questions posed in this challenge.

The results of the cityinthe.cloud query on the ICANN lookup tool

Useful Resources:

Domain Name Wikipedia page - https://en.wikipedia.org/wiki/Domain_name
What is DNS? How DNS works Cloudflare Blog - https://www.cloudflare.com/learning/dns/what-is-dns/
Linux command line tool—
whois(1): client for whois service - Linux man page
.cloud Wikipedia page - https://en.wikipedia.org/wiki/.cloud
ICANN Registration data lookup tool - https://lookup.icann.org/en

Gym Answer Key

Who is the registrar of this domain?

How to solve: See the “Registrar Information” section from the ICANN lookup results

Answer: Dynadot

On what day was this domain first registered?

How to solve: See the “Created” field from the ICANN lookup results

Answer: 2016-02-16

What is this domain's registry domain ID?

How to solve: See the “Registry Domain ID” field from the ICANN lookup results

Answer: D15CD1AC4DEB54207A5048A69B9FC0558-ARI

What is the Top-Level Domain (TLD) of this domain?

How to solve: See the description of how the domain name can be broken down

Answer: cloud

What organization manages the TLD used by cityinthe.cloud?

How to solve: See the research about the TLD.

Answer: Aruba

Extension Activities

6-8	WHOIS Mystery Matching Game	Connect WHOIS records to fictional organizations.	Setup: Create 3–4 mock WHOIS records and 3–4 fictional website profiles. Activity: Students analyze clues like registrar location, organization name, or domain age. Match each WHOIS record to the correct fake website. Use cards or slides for a collaborative classroom game.
9-12	WHOIS in the Real World: Threat Intelligence Report	Apply WHOIS to a broader investigation.	Assign a simulated incident (e.g., spam email, fake site).Students gather WHOIS data, infer attacker profile traits (e.g., fast-registered domains, offshore registrars).Produce a 1-page “Threat Intel Summary.”

PGP Lookup

Objectives

Students will query a public key database to identify the types of information stored there.

Prompt

Individuals use PGP to securely encrypt their emails, can you find out more about the following PGP keys?

Questions

Individuals use PGP to securely encrypt their emails, can you find out more about the following PGP keys?

What is the key fingerprint for security@cpanel.net?
What email address is associated with the key fingerprint 7A39A56B73D1E097D57435CFCDE2DE1DCB2077F2?
On what date does the above key expire (in UTC)?

Walk-through

This challenge involves conducting a lookup on a PGP (Pretty Good Privacy) database. PGP utilizes public-key cryptography wherein a public/private key pair is used to encrypt, decrypt, and sign messages.

For those unfamiliar with PGP and public-key cryptography, the following articles may offer helpful background before proceeding with the challenge:

Wikipedia Article

Varonis Blog Post

PGP cryptography allows a message to be encrypted so that it can only be decrypted by its intended recipient. To achieve this, the sender will use the recipient’s public key to encrypt the message so that only the recipient’s private key can decrypt the message.

Alice requires Bob’s public key in order to encrypt a message so that only his private key may read it

The premise behind this challenge is that there are public databases that store records of public keys and their owners so that a sender may obtain their recipient’s public key to encrypt a message for them. Solving this challenge requires querying these databases to obtain this information. Some popular PGP lookup databases include, keyserver.ubuntu.com, keys.openpgp.org, and pgp.mit.edu.

There is no one single authoritative source keeping records of public keys, so it is important to compare the results across multiple different databases.

Below is a query using the keyserver.ubuntu.com database:

Query results for “security@cpanel.net” on

Query results for “7A39A”… on keyserver.ubuntu.com

Useful Resources:

https://keyserver.ubuntu.com/
https://keys.openpgp.org/
MIT PGP Public Key Server - https://pgp.mit.edu/

Gym Answer Key

What is the key fingerprint for security@cpanel.net?

How to solve: There are two possible options. The fingerprint is the hexadecimal string that follows the rsa4096/ . See the above for a screenshot.

Answer: B6709B4CC6F42077F69841919521BEDCABD94DDF

What email address is associated with the key fingerprint 7A39A56B73D1E097D57435CFCDE2DE1DCB2077F2?

How to solve: The email address is to the right of uid in search results. See the above for a screenshot.

Answer: hx@liber8tion.cityinthe.cloud

On what date does the above key expire (in UTC)?

How to solve: The expiry date is indicated with the “key expir” column. Make sure not to confuse “cr. time” (creation time) with “key expir” (expiry time). The answer is in the second to last column on the right (including the column of blue text). See the above for a screenshot.

Answer: 2050-12-26

Extension Activities

6-8	Understanding Digital Signatures	Introduce students to the concept of digital signatures and their role in verifying the authenticity of digital communications.	Discuss the basics of encryption and how digital signatures work. Use a simple analogy (like sealing a letter in an envelope) to explain how PGP ensures message integrity. Provide examples of how digital signatures are used in everyday life (e.g., software downloads, secure emails).
9-12	Analyzing PGP Key Metadata	Teach students how to extract and analyze metadata from PGP keys to gather OSINT.	Provide students with sample PGP public keys (ensure these are fictional or anonymized).Guide students through the process of examining key details such as creation date, associated email addresses, and key fingerprints. Discuss how this information can be used in digital investigations and the importance of ethical considerations.

SSL

Objectives

Students will use a browser in order to analyze a SSL certificate chain.

Prompt

Solve the following questions about the Cyber Skyline SSL certificate.

Note: if you see references to "BitDefender" in the process of solving this challenge, that means your BitDefender software is intercepting your SSL/TLS connection and will produce incorrect results.

Questions

Who is the issuer for Cyber Skyline's SSL certificate?
How many bits long is the SSL key?
How many certificates are in the certificate chain?

Walk-through

This challenge will give you experience viewing and analyzing SSL certificate chains. SSL certificates help to secure the communication between a client and a server. Most modern browsers should have an interface to view the certificates in a SSL certificate chain. In this example, Google Chrome is used.

Start by clicking the icon next to cyberskyline.com URL. Then click on the “Connection is secure” section in the dropdown.

The SSL chain can then be accessed by clicking on the “Certificate is valid” option.

The Certificate Viewer will contain all of the details needed to answer the questions.

An answer is redacted.

Some answers were not captured in this screenshot. Scroll to view more when on this tab.

Gym Answer Key

Who is the issuer for Cyber Skyline's SSL certificate?

How to solve: The issuer is listed in the “General” tab under “Issued By → Common Name”.

Possible Answers:

sectigo

comodo

How many bits long is the SSL key?

How to solve: The number of bits is listed in the “Details” tab under “Certificate Fields → *.cyberskyline.com → Certificate → Subject Public Key Info → Subject’s Public Key”.

Answer: 2048

How many certificates are in the certificate chain?

How to solve: The number of certificates can be counted by looking at how many certificates are listed in the “Details” tab under “Certificate Hierarchy”.

Answer: 3

Extension Activities

6-8	“What's in a URL?” Sorting Game	Learn to distinguish between HTTP and HTTPS.	Provide a stack of fake or real URLs.Students sort into “Secure” (HTTPS) and “Not Secure” (HTTP).Discuss what might happen if you send personal data over an insecure connection.
9-12	Expired or Misissued Certificate Challenge	Understand how SSL certificate issues may indicate threats.	Provide samples of expired, self-signed, or misconfigured certificates (can be screenshots or from certificate transparency logs).Students determine what’s wrong and how that might signal phishing, misconfiguration, or a suspicious site.

Barcode

Objectives

Students will be able to use a barcode reader to identify hidden information.

Prompt

We intercepted a barcode we think might be hiding a flag. See if you can find it.

Questions

We intercepted a barcode we think might be hiding a flag. See if you can find it.

What format does the barcode use?
What is the flag hidden in the barcode?

Walkthrough

This challenge will give you experience conducting lookups on a standard barcode. The challenge provides a .gif of the barcode.

Solve this challenge by using mobile barcode scanning apps or an online barcode reader. Below is a screenshot of the barcode using https://online-barcode-reader.inliteresearch.com/ :

We’ve censored the value of the barcode so you can practice using a barcode viewer

Gym Answer Key

What format does the barcode use?

How to solve: You can find the format under the “Type” field.

Possible Answers:

code 39
code39
Code_39
USD-3
Code 3 of 9
Code 3/9
Alpha 39

What is the flag hidden in the barcode?

How to solve: You can find the hidden flag by obtaining the value of the barcode in a barcode viewer.

Answer: SKY-UZLU-5635

Extension Activities

6-8	Decode the Hidden Message (QR Detective)	Learn what QR codes are and how they encode information.	Students scan teacher-provided QR codes using school devices.Each QR code reveals a clue, message, or safe web link (e.g., a NASA fact, a riddle).Students work in teams to piece together a message or win a classroom scavenger hunt.Discussion: Why do we use QR codes? What kind of information can they hide?
9-12	Reverse Lookup of QR/Barcode Data	Investigate a product or web page linked via barcode or QR.	Scan or decode a real or simulated code.Conduct OSINT to find out:Who owns the domain or product?Where the item was manufactured or registered?Is the website or organization legitimate?Use WHOIS, Wayback Machine, and barcode prefix databases for investigation.

Cryptography

Number Bases

Objectives

Students will use tools to recognize and convert various number bases.

Prompt

Our analysts have obtained password dumps storing hacker passwords. After obtaining a few plaintext passwords, it appears that they are all encoded using different number bases.

Questions

User	Cipher Text
Nan	0x73636f7270696f6e
Elliot	c2NyaWJibGU=
Steve	01110011 01100101 01100011 01110101 01110010 01100101 01101100 01111001
Daniel	01100010 01000111 00111001 01110011 01100010 01000111 01101100 01110111 01100010 00110011 01000001 00111101

Walk-through

This challenge will give you experience recognizing and converting number bases. Text represented in a different number base is considered “encoded.” Unlike encryption, encoding is more akin to translating a language. For example, when translating from Latin to English, the content remains readable but is presented in a different format. Often what is ‘reading’ the base encoded formats are computers, but people have learned to understand some encodings (like Morse Code).

Guide

To start this challenge, an understanding of different number bases and how to convert between them is essential. A conversion chart, like the one below, can be a helpful reference. Numerous websites and tools are available to assist in this process.

The conversion chart illustrates how values are represented across various number systems. The final column, labeled “Char” for character (also known as ASCII —American Standard Code for Information Interchange), displays the typical characters or text data that humans read. Computers, however, convert this ASCII input into mathematical formats, such binary.

When decoding number bases, the goal is often to convert from a numerical base into the ASCII for character text.

Source of Conversion Table

Another Conversion Chart Page

The challenge page includes a brief introduction to binary and hexadecimal. For more detailed information about converting between number bases, additional resources are available here.

Pro Tips

While conversion charts are helpful, they typically cover only a limited range of number systems. Exploring other common bases through web searches or using tools like Cyber Chef can provide further insight into how ASCII text appears in different numerical formats.

Useful tools for decoding/encoding:

rumkin.com
RapidTables
CyberChef
See our resources on how computers store data: https://trove.cyberskyline.com/computer-fundamentals-for-cybersecurity/data
See our Tutorial Video below

Tutorial Video

Watch our full Tutorial Video to learn more specifics about encoding and number bases and see a walkthrough of how to solve this challenge:

Cyber Skyline Live: How Does Binary Work? - September 22, 2022

Learn from Franz Payer, CEO of Cyber Skyline, about how binary is used to represent data, how to use binary to store human-readable characters, and how to convert between different number bases. Reach out with questions at contact@cyberskyline.com. Cyber Skyline is the organizer of the National Cyber League, a bi-annual, all-virtual cybersecurity student competition, advancing hands-on skills and knowledge. Check the website at nationalcyberleague.org for details on NCL.

www.youtube.com

Cyber Skyline Live: How Does Binary Work? - September 22, 2022

Gym Answer Key

0x73636f7270696f6e

How to solve: This text is encoded in hexadecimal. This text can be converted to ASCII by hand or by using an online tool such as RapidTables or CyberChef. Note: The 0x is used to indicate that the value is hexadecimal and should not be converted.

Answer: scorpion

c2NyaWJibGU=

How to solve: This text is encoded in base64. You can identify this by analyzing the range of characters used in the message and recognizing that it falls within the range for base64 (A-Z, a-z, 0-9, +, /, and =). This text can be converted to ASCII by hand or by using an online tool such as Base64Decode or CyberChef.

Answer: scribble

01110011 01100101 01100011 01110101 01110010 01100101 01101100 01111001

How to solve: This text is encoded in binary. You can identify this because there are only 1s and 0s in groups of 8. You can use an ASCII table to convert by hand or an online tool.

Answer: securely

01100010 01000111 00111001 01110011 01100010 01000111 01101100 01110111 01100010 00110011 01000001 00111101

How to solve: This text is doubly encoded - first with base64 and then with binary. To revere the process, the message has to be converted from binary to ASCII, then base64 to ASCII. You can use the Binary Hex Converter followed by Base64Decode. It’s possible to combine these two steps using CyberChef.

Answer: lollipop

Extension Activities

6-8	Color Code Encryption (Hex and RGB)	Use hexadecimal to encode color values and relate them to cryptographic codes.	Teach students how hex values map to RGB (e.g., #FF0000 = red).Create a color-coded message where each letter maps to a hex color.Students decode messages using hex charts.
9-12	Cryptographic Base Challenge	Understand base conversions and their role in encoding systems like Base64 and hexadecimal hashes.	Provide students with encrypted-looking strings (e.g., hex-encoded, binary). Challenge them to decode messages by identifying and converting base formats. Include layers (binary → decimal → ASCII → message).

Shift

Objectives

Students will decode a Ceasar shift cipher.

Prompt

Our analysts have obtained password dumps storing hacker passwords. It seems to be using a pretty simple encryption scheme, see if you can crack them.

Questions

User	Password Ciphertext
Chris	iveghny ynxr

Walk-through

This challenge will give you experience decoding shift ciphers.

This message is encrypted using ROT-13, the standard Caesar Cipher. It is called ‘ROT’ because the letters of the alphabet are ‘rotated’. The ‘13’ indicates the number of letters are shifted; which is half of the alphabet. Therefore, ROT-13 is also considered a Caesar shift of 13.

Below, the inner loop of the wheel represents the plaintext while the outer loop represents the ciphertext of a ROT-13 shift. Often cipher disks like this were used to help manually decode ciphers.

A key feature of shift ciphers is that the ciphertext alphabet is in the same order as the plaintext alphabet, it’s just shifted. Shown below, the Plaintext is shifted by thirteen such that ‘A’ becomes ‘N’.

Plaintext: ABCDE FGHIJK LMNOP QRSTUV WXYZ

Ciphertext: NOPQR STUVWX YZABC DEFGHI JKLM

A Caesar shift can be decrypted by manually by matching ciphertext to possible plaintext letters, or by using online tools to make shifting through combinations faster.

Useful tools for decoding/encoding:

Gym Answer Key

iveghny ynxr

How to solve: This message can be decoded by hand or through an online tool such as CyberChef.

Answer: virtual lake

Extension Activities

6-8	Code Wheel Construction & Cipher Fun	Learn letter shifting using a Caesar cipher wheel.	Students build a Caesar cipher wheel from a printable template (inner and outer alphabet circles).Encode a message by rotating the wheel to a shift value (e.g., shift of 3).Partner up: one student encodes, the other decodes.
9-12	Caesar Cipher + Frequency Analysis	Understand and exploit the vulnerabilities of shift ciphers.	Provide a Caesar-encrypted message without a known key. Students: Try all 25 possible shifts (“brute-force” method).Perform frequency analysis (e.g., looking for common letters like E or T).Discuss how frequency analysis led to the downfall of simple substitution ciphers.

@bash

Objectives

Students will decode an atbash shift cipher.

Prompt

Our analysts have obtained password dumps storing hacker passwords. See if you can crack them.

Questions

User	Password Ciphertext
Christian	hzuvob lyerlfh xzev

Walk-through

This challenge will give you experience decoding shift ciphers. This message is encrypted using the atbash cipher.

The text for this challenge, at first, looks like a Caesar shift cipher. The atbash cipher is similar in that the alphabet is shifted, however, the entire alphabet is reversed. With an atbash cipher, there is only one way that the letters are shifted; this is not the case with a Caesar shift cipher.

Plaintext: ABCDE FGHIJK LMNOP QRSTUV WXYZ

Ciphertext: ZYXWV UTSRQP ONMLK JIHGFE DCBA

To decode, replace the ciphertext letter in the alphabet above with the plaintext letter that matches its position in the alphabet. For example, “U” is the 6th letter in the ciphertext alphabet, so it should be replaced with “F” to get the plaintext message.

You can also use the other tools below to help make sure you are using the right cipher to decode. Atbash and Caesar shift ciphers look very similar, so it is not entirely possible to know at first glance which is being used.

Useful tools for decoding/encoding:

Gym Answer Key

hzuvob lyerlfh xzev

How to solve: This message can be decoded by hand or through an online tool such as Rumkin or CyberChef.

Answer: safely obvious cave

Extension Activities

6-8	Binary to Text Bash Simulation	Explore how computers use binary to represent letters.	Give students ASCII codes in binary. Simulate Bash decoding using a chart or worksheet. Discuss how computers turn data into readable info via shell tools.
9-12	Build a Bash Password Vault	Use Bash to securely store and retrieve hashed passwords.	Script idea: Accept a username and password. Hash the password. Store it in a file. Later, compare a login attempt to the stored hash.

Beep

Objectives

Students will recognize and decode morse code.

Prompt

Our analysts have intercepted an encoded message. See if you can decode it.

Questions

User	Password Ciphertext
Helen	- .... . / ... . -.-. .-. . - / --- ..-. / --. . - - .. -. --. / .- .... . .- -.. / .. ... / --. . - - .. -. --. / ... - .- .-. - . -.. / ... -.- -.-- / -.. -.- ...- -... / ----. ---.. .---- -.…

Walk-through

This challenge will give you experience decoding a message encoded with Morse Code.

Challenges that use Morse Code can be relatively easy to point out because of the binary nature of the output; there is a dot or there is a dash. You may notice here that a ‘/’ is also used. This delineates, or indicates, the end of a word.

Be aware that when looking for Morse Code charts to help translate (or if you’re interested in learning it for fun), that there are various alphabets for different languages. Some languages use additional letters and there is Morse Code for symbols as well.

Useful tools for decoding/encoding:

Gym Answer Key

- .... . / ... . -.-. .-. . - / --- ..-. / --. . - - .. -. --. / .- .... . .- -.. / .. ... / --. . - - .. -. --. / ... - .- .-. - . -.. / ... -.- -.-- / -.. -.- ...- -... / ----. ---.. .---- -.…

How to solve: The message can be decoded by hand or through an online tool such as the Morse Code Translator or CyberChef.

Answer: THESECRETOFGETTINGAHEADISGETTINGSTARTEDSKYDKVB9816

Extension Activities

6-8	Beep Morse Code Challenge	Encode and decode messages using sound.	Teach students basic Morse code (e.g., A = .-).Use a simple tone generator app, physical buzzer, or your own voice (short/long beeps).In teams, students send coded beeps across the classroom; others decode the message.
9-12	Sonic Modem & Tones	Learn how modems used sound for data transfer.	Play samples of old dial-up modem sounds. Discuss how tones carried data across phone lines. Try encoding binary into a sequence of tones using tools like Audacity. Optional: build a tone-to-binary decoder in Python or spreadsheet format.

Fencing

Objectives

Students will recognize and decode a rail fence cipher.

Prompt

Our analysts have obtained encrypted messages. We saw hand-written notes that indicated the keys as being "3" and "5". See if you can crack them.

Questions

User	Password Ciphertext
Eve	Cair eruSA-0org sgaeudrpesr K-II98ue cn seYQ3
Nan	F daS-eefn n KZ3eheadty.YI8lta oiwy-Q0 r aI2

Walk-through

This challenge will give you experience decoding a transposition cipher. The messages are encrypted using the rail fence cipher.

To start this challenge, you can observe that there are some uppercase letters mixed with lowercase letters. There are also letters mixed with numbers. We can tell that somewhere there must be a flag. Notice that ‘S’,’K’ and ‘Y’ are in both ciphertexts and they are both capitalized, so the text used here must be scrambled around in a pattern.

Looking back at the prompt for this challenge, and even the title of the challenge, there are some clues about what to do next. Rail fence ciphers use keys to transpose text. This means that this cipher uses a key, or a number, to determine how to move the letters. Rail fence ciphers are also known as zig-zag ciphers. The key used here indicates how many “rails” to place the text on. See the encoding example below where the key is 4.

Plaintext: THIS IS A SECRET Ciphertext: TATHSSEIIERSC

To solve by hand, you can use some simple math operations and use the zig-zag format as shown above.

Example: Ciphertext: SSDETULCENORF key = 4

Start by subtracting 1 from the key, and multiply this number by 2. The product is the number of spaces apart the letters on the top and bottom rows are from each other. Use this number to place the letters of the ciphertext sequentially in the top row.

Number of spaces the letters are apart in the top row:

N = 2(key-1) N = 2(4-1) N = 6 spaces

To determine how many letters are placed in the top row, divide the total number of characters in the ciphertext by the key. This value indicates how many characters belong in the top row of the transposition.

Number of letters in the top row:

Total number of letters: 13 Key: 4 13/4 = 3 letters

Shown below, using the results of the calculations, the ciphertext letters in the top row are placed in order 6 spaces apart and there are three letters in the top row.

0 1 2 3 4 5 6

Once you have the top row set, you need to fill in the ciphertext (SSDETULCENORF) sequentially across the row that follows, and so on, until you form the zig-zag message.

Online tools like CyberChef can also be used, however, be careful adding or removing spacing when entering the ciphertext into online tools. These tools often include the spacing in the decoding/encoding process, thus, adding or removing spaces will displace lettering in the output and you may not be able to decode the message.

Useful tools for decoding/encoding:

CyberChef

Gym Answer Key

Cair eruSA-0org sgaeudrpesr K-II98ue cn seYQ3

How to solve: This question uses the rail fence cipher with the standard 3 rails and can be decoded using an online tool such as CyberChef.

Answer: Courage is grace under pressure SKY-AIQI-9380

F daS-eefn n KZ3eheadty.YI8lta oiwy-Q0. r aI2

F daS-eefn n KZ3eheadty.YI8lta oiwy-Q0 r aI2

How to solve: This question uses the rail fence cipher with a non-standard 5 rails and can be decoded using an online tool such as CyberChef.

Answer: Feel the fear and do it anyway. SKY-IQIZ-3802

Extension Activities

Digital Fencing Game (Cardboard Network)	Visualize network fencing and encryption.	Use cardboard "servers" and string "network cables" to represent devices.Students act as data packets trying to travel from client to server.Introduce: Fences (firewalls): Only allow encrypted messages through.Keys (locks): Data must be "encrypted" with a shared code (e.g., Caesar cipher or simple key).Debrief how fences and encryption work together to protect systems.
"Breach the Fence" Scenario	Apply ethical hacking logic to analyze firewall vulnerabilities.	Students are given a fictional company’s network layout and security policies.They must identify weaknesses in the “fence” (firewall rules, lack of encryption).

French

Objectives

Students will decrypt a Vigenère cipher.

Prompt

Our analysts have obtained an encrypted message. We know that the key, qizkwcgqbs was used. See if you can crack them.

Questions

User	Password Ciphertext
Matt	Y ln xkv lubj swlzqvkht, A vmzb pjk bbua we ddgs ILQ-GQYU-8026

Walk-through

This challenge will give you experience decoding polyalphabetic substitution ciphers. This message is encrypted using the Vigenère cipher.

To start this challenge, take a look at the ciphertext. There is clear formatting for something resembling the flag format, however, it does not start with ‘SKY’. This is a clue that the encryption method does not move the letters like the shift or transposition ciphers used in previous challenges. There is also a key: qizkwcgqbs. A Vigenère cipher, named for cryptographer Blaise de Vigenère, uses a key and encrypts letters in place as observed.

A table, like the one from dCode below, is used to encrypt and decrypt the message in conjunction with the key.

To decrypt, find the row on the left side with the first letter of the key. This challenge uses ‘Q’ as the first letter in the key. In row ‘Q’, scan across the table until you find the first letter of the ciphertext ‘Y’. Letter ‘Y’ is in the column of letter ‘I’ so the first letter of the plaintext message starts with ‘I’. Use the next letter of the key to find the next plaintext letter of the message.

The key has fewer letters than the message. Once all of the letters of the key have been used, keep using the key over and over until all of the ciphertext letters have been decrypted.

You can also use an online tools to help you decode a Vigenère cipher.

Useful tools for decrypting/encrypting:

Gym Answer Key

Y ln xkv lubj swlzqvkht, A vmzb pjk bbua we ddgs ILQ-GQYU-8026

How to solve: This message can be decoded by hand or through an online tool such as dCode or CyberChef.

Answer: I do not fear computers, I fear the lack of them SKY-QIZK-8026

RSA

Objectives

Use an understanding of key encryption to break a weak implementation of RSA.

Prompt:

Our analysts have obtained several artifacts from a message that was encrypted with RSA. We need you to decrypt the message and figure out what the hackers are up to.

n = 1079
e = 43
c = 996 894 379 631 894 82 379 852 631 677 677 194 893

Questions:

1. What is the value of p (the smaller prime)?

2. What is the value of q (the larger prime)

3. What is the plaintext of the encrypted message?

Walkthrough

This challenge involves using math to decrypt an RSA message. The premise behind this challenge is that the prime numbers that are used to generate the RSA keypairs are too small, making it trivial to reconstruct the keypair.

RSA Primer

Before attempting to decrypt the RSA message, it is important to understand how RSA encrypts messages. The simplified RSA process is as follows:

Generate the priv/pub key pair

Generate two prime numbers p and q
Calculate n, which is the value of $p * q$
Calculate values d and e such that $d * e \equiv 1 \bmod(p-1)(q-1)$
The public key consists of n and e and the private key consists of d p and q

⚠️

What will make the decryption attack possible later is the use of small prime numbers in step 1. These must be large numbers for the encryption process to be secure.

Encrypt the message

Convert the plaintext message into an integer, m
Encrypt the message to obtain the ciphertext c, where $c \equiv m^e \pmod n$

Decrypt the message

Calculate the plaintext message m, where is $m = c^d \pmod n$

A deep understanding of the math equations used in RSA is not necessary to decrypt the message - just an understanding of the relationship between the different variables and where they are used in the process.

Breaking RSA

The information provided in the prompt includes the cipher text (c) and the public key used to encrypt the message (n and e). To decrypt the message, we will need to obtain the private key (d p and q). Once we have the private key, we can calculate m, the plaintext message.

We have	We need
`c` - The ciphertext	`d` - Part of the private key
`n` - Part of the public key	`p` - Part of the private key
`e` - Part of the public key	`q` - Part of the private key
	`m` - The plaintext message

From step 2 of the key generation process, we know that $n = p * q$ . By using a prime factorization calculator, we can generate possible values for p and q. There should be only two possible values: 83 and 13.

\begin{align*} \nonumber n = p * q \\ 1079 = p * q \\ 1079 = 83 * 13 \\ p = 83, q = 13 \end{align*}

⚠️

This trivial factoring of n to obtain p and q is a result of p and q being small numbers. Larger values of p and q would have made this process much more difficult.

The equation from step 3 of the key generation process can also be rewritten to obtain d. A scientific calculator or RSA calculator will need to be used to perform this calculation.

\begin{aligned} d * e = 1 \bmod(p-1)(q-1) \\ d * 43 = 1 \bmod(83-1)(13-1) \\ d = 43 ^ {-1} \bmod 984 \\ d = 595 \end{aligned}

All of the values needed to decrypt the ciphertext are now present.

n = 1079
e = 43
c = 996 894 379 631 894 82 379 852 631 677 677 194 893

p = 83
q = 13
d = 595

With these values, the decryption equation can be used to obtain the plaintext, m. This step must be repeated for each item within the cipher text array.

\begin{aligned} m = c^d \pmod n \\ m = 996^{595} \bmod {1079} \\ m = 83 \end{aligned}

The resulting value of m = 83 can then be looked up using the ASCII table to reveal that the first character of the plaintext message is “S”.

996^{595} \bmod {1079} = 83 = S\\ 894^{595} \bmod {1079} = 75 = K\\ 379^{595} \bmod {1079} = 89 = Y\\ 631^{595} \bmod {1079} = 45 = - \\ 894^{595} \bmod {1079} = 75 = K\\ 82^{595} \bmod {1079} = 82 = R\\ 379^{595} \bmod {1079} = 89 = Y\\ 852^{595} \bmod {1079} = 71 = G\\ 631^{595} \bmod {1079} = 45 = -\\ ...

The remainder of the plaintext message can then be calculated by plugging in the remaining values of c into the equation.

Similarly, you can perform the same operations explained above by using the python script used in the tutorial video to get the decrypted message.

import gmpy2

e = 43
p = //add p here
q = //add q here
n = p*q

c= [
996,
894,
379,
631,
894,
82,
379,
852,
631,
677,
677,
194,
893
]
phi=(p-1)*(q-1)

d= gmpy2.invert(e, phi)
print(d)

for i in c:
	m=pow(i, d, n)
	print(chr(m))

print("")

Useful tools:

Prime Factorization Calculator like: https://www.calculator.net/factor-calculator.html
RSA calculator: https://www.tausquared.net/pages/ctf/rsa.html
See our Tutorial Video

Tutorial Video

Watch our full Tutorial Video to learn more specifics about RSA and see a walkthrough of how to solve this challenge:

Cyber Skyline Live: Decrypting an RSA Message - Oct 27, 2022

Learn from Franz Payer, CEO of Cyber Skyline, about how to decrypt an RSA message. Reach out with questions at contact@cyberskyline.com. Cyber Skyline is the organizer of the National Cyber League, a bi-annual, all-virtual cybersecurity student competition, advancing hands-on skills and knowledge. Check the website at nationalcyberleague.org for details on NCL.

www.youtube.com

Cyber Skyline Live: Decrypting an RSA Message - Oct 27, 2022

Gym Answer Key

What is the value of p (the smaller prime)?

How to solve: Use the factor calculator on the value of n (1079)

Answer: 13

What is the value of q (the larger prime)

How to solve: Use the factor calculator on the value of n (1079)

Answer: 83

What is the plaintext of the encrypted message?

How to solve: Plug in each value of the ciphertext into the decryption function

Answer: SKY-KRYG-5530

Extension Activities

6-8	RSA Role Play Game: Lock & Key Simulation	Understand public and private key mechanics.	Give each student a "public key" (a lock) and keep their "private key" (the key) hidden.Classmates can write secret messages and "lock" them (put in an envelope marked with your public key).Only the student with the matching private key can open the envelope and read it.Discussion: How does this simulate online encryption?
9-12	RSA in Real Life (Digital Certificates Demo)	Understand how RSA protects secure websites.	Use a browser to explore HTTPS certificates (lock icon → certificate).Identify the public key and certificate authority.Students answer questions: Who signed it? What does the public key do?

Linux

DIR

Objectives

Students will use commands via the Linux Command Line (CLI) to analyze files and directories.

Prompt

One of our analysts had their laptop damaged. However, we were able to recover and mount the hard drive. Access the terminal and recover various flags from the disk.

Questions

What are the contents of flag1.txt, found in root's home directory?
What are the contents of flag2.txt, found in the root directory?
What are the contents of flag3.txt, found in an archive in /var/log?
What are the contents of flag4.txt, found in the flag user's home directory?
What flag is printed when you run the flag5 program?
What is the full path to the flag5 program?

Walk-through

This challenge will give you experience running basic Linux commands. To solve these challenges, you will be using a Linux Command Line Interface (aka terminal or shell).

Background

The command line interface (CLI) functions similarly to File Explorer on Windows or Finder on macOS but relies on a text-based interface rather than a graphical user interface (GUI). Like its GUI counterparts, the CLI enables navigation through directories (folders) and the launching of files or programs. Upon opening the CLI, the prompt and command input line appear.

The prompt can be customized and configured for your personal preference. In this case, the default prompt contains some important information:

root is the name of the user that we are logged in as. On Linux systems, the root user is the default admin account.

dir is the hostname, or the name of the computer.

/home is the path of the directory that we are in. A “path” specifies a directory’s location, similar to how File Explorer displays it in the navigation bar, enabling easy navigation between folders.

Commands entered at the prompt tell the CLI what task to perform; like navigating directories, displaying file contents, or renaming folders. Each action uses a specific program. Typing the program name, supplying any necessary input, and pressing “Enter” runs the command and displays the result. The following includes examples of these commands and outputs.

Guide

List files in a directory: ls

In this challenge, access is provided as the root user, with the session starting in root’s home directory. Running the ls (short for ‘list’) command displays the contents of the current directory. Press enter after typing ls to get the command to run.

Display contents of a file: cat

This directory listing shows that only 1 file. In order to display the contents of a file, run the cat command (short for concatenate) followed by the name of the file you wish to display. This is the output of cat flag1.txt:

Change to another directory: cd

Try navigating to other directories using the cd command (short for change directory). Add the file path you want to go to after the cd command. To navigate to the root directory, simply use a forward slash. After changing to the root directory, the command line prompt has switched from ~ to /. This is the output after running cd / :

The ~ symbol denotes the home directory of the current user, while / indicates the root directory. The term “root” can refer either to the root user (a superuser account) or the root directory (the top-level directory in the system).

In the root directory, running ls lists the files. Running ls in the root directory reveals additional items beyond flag2.txt, most of which are directories.

Directories are typically displayed in blue, while files, like flag2.txt, appear in white. The lighter blue text represents system directories. Note that these color schemes are customizable and may vary across terminals.

Extracting tar files: tar

Use the cd command to navigate to the /var/log directory and use ls to see the files there.

The flag file in this folder is stored as a tar archive, or tarball, indicated by the “.tar” extension. Similar to a zip file, a tarball packages multiple files for easier storage and transfer. Unlike zip files, tarballs are not compressed by default and often rely on gunzip for compression, noted by the “.gz” extension.

To access the files inside, the tar program is used to decompress and extract contents. This requires configuring command line flags which are single-letter options preceded by a hyphen. Each program defines its own flags and usage patterns.

For tar, the z flag enables decompression, x extracts the archive, v (optional) activates verbose output, and f signals that the archive filename follows. The tar -zxvf flag.tar.gz command will decompress and extract the files from the tarball:

The trailing slash in ./flag/ denotes a directory.

The output includes ./flag/ and ./flag/flag3.txt, indicating that a folder named flag was extracted, containing a file named flag3.txt. The flag folder now appears in the current directory. Change to the flag directory to view the contents of flag3.txt.

Users & Home Directories: ~ or /home/

From the home directory, you can list the private directory of other users (if you have permission). As with Windows or macOS, each user on a Linux system has a private home directory, typically stored under /home/ . You can navigate directly to your own home directory by entering ~. The blue text below indicates a directory for a user named “flag”.

It is not required to switch users to view the contents of the ‘flag’ user’s folder because root is the default admin. However, if it was needed to switch users and become the ‘flag’ user use the su or ‘switch user’ command as follows and enter the password for that user. Notice how the user name changes from root to flag:

Run Programs:

There a couple ways to run programs. One way is to type in the program name and press enter. Running programs in user folders might not work if that user doesn’t have permission to run the program. Navigate back to root user’s home directory (~) or to the root directory (/). Below is the output of running the flag5 program:

Identify file paths: which

Non built-in Linux programs are simply files located somewhere in the file system. While it's possible to navigate directly to their directories, the command line automatically searches a predefined set of directories when a command is entered. The which command can be used to determine the location of a given program.

The output of which flag5 has been hidden.

Useful tools for learning Linux:

Linux Journey
Use our Tutorial Video below

Tutorial Video

Watch our full Tutorial Video to learn more specifics about the Linux command line.

NCL Summer Live - Linux Command Line - Sep 14, 2021

Watch this live demonstration, especially for beginners, on Linux Command Line, presented by popular demand by the National Cyber League organizer Cyber Skyline CEO Franz Payer. Reach out with questions on NCL at info@nationalcyberleague.org. The National Cyber League, powered by Cyber Skyline, is a bi-annual, all-virtual cybersecurity student competition, advancing hands-on skills and knowledge. Check the website at nationalcyberleague.org for details.

www.youtube.com

NCL Summer Live - Linux Command Line - Sep 14, 2021

Gym Answer Key

What are the contents of flag1.txt, found in root's home directory?

How to solve: Run cat flag1.txt from root’s home directory

Answer: SKY-FNKC-3207

What are the contents of flag2.txt, found in the root directory?

How to solve: Use cd / to navigate to the root directory and then run cat flag2.txt.

Answer: SKY-NPEJ-2501

What are the contents of flag3.txt, found in an archive in /var/log?

How to solve: Navigate to /var/log and then run tar -zxvf flag.tar.gz to extract the files from the archive.

Answer: SKY-FVHR-3562

What are the contents of flag4.txt, found in the flag user's home directory?

How to solve: Navigate to the /home/flag directory and then run cat flag4.txt.

Answer: SKY-SXIJ-6142

What flag is printed when you run the flag5 program?

How to solve: Run the flag5 program with the command flag5

Answer: SKY-UDSV-9689

What is the full path to the flag5 program?

How to solve: Run which flag5

Answers:

/usr/bin/flag5
/usr/bin/

Incorrect: ./usr/bin/flag5

Extension Activities

6-8	Linux Adventure Story	Use commands like dir to progress through a narrative.	Students role-play as secret agents or explorers.Each directory contains parts of a story.Students unlock new parts by listing contents (dir) and making choices (cd cave, cd castle).
9-12	Linux Forensics Mini-Challenge	Find files based on clues using dir, ls, find, and grep.	Create a mystery scenario (e.g., “Find who deleted the secret file”).Students navigate directories, list contents (dir), and read logs (cat logfile.txt).Combine clues to solve the case.

File Edit

Objectives

Students will use nano and Vim via the command line to create and edit files.

Prompt

Learn how to use command line file editors.

NOTE: The terminal session is logged. Please do not perform any denial of service attacks on the Linux server provided, malicious attempts to attack the Cyber Skyline platform will result in disqualification.

Questions

What key should you press in addition to the CTRL key to trigger the combination to exit nano?
What vim mode allows you to write new characters in the file?
What keyboard combination will save and quit the file with vim?
What keyboard combination will delete an entire line in vim?
What command would you use to rename a file?

Walk-through

This challenge will give you experience running basic Linux commands. To solve these challenges, you will be using a Linux Command Line Interface (aka terminal or shell).

Editing files in the Command Line Interface (CLI) requires a text-based editor, as graphical tools like Microsoft Word, Textedit, or Notepad aren't available. Common CLI editors include nano, vim, and Emacs. Nano is the simplest, while Vim and Emacs offer more advanced features but come with a steeper learning curve. This guide focuses on nano and Vim.

Guide

Nano

To open nano, simply type nano into the terminal. File names can also be included as the second argument to the command. For example, nano example.txt will create a file named “example.txt” and will launch the application.

When launched, a list of commands is given at the bottom of the screen. Each command is preceded by a caret character ( ^ ) - this represents the “CTRL” or control key on the keyboard. The caret is used as a shorthand for the CTRL key.

Once in nano, type as you normally would in a graphical text editor. However, the mouse can not be used to change the position of the cursor in the document. Use the arrow keys to move your position within the document. A text cursor will highlight your position in the file.

When you are ready to save and exit, press the CTRL + X characters to trigger the exit process. You will be prompted to save the buffer (buffer is referring to the data) and you can press the “Y” key to save or the “N” key to discard your edits.

Vim

Nano can often be too simple for certain tasks, which may be reason to use Vim. Start Vim by using the vim command and optionally providing a filename: vim example.txt

There are various modes in Vim. The default normal mode in Vim functions as read-only. Press i to enter insert mode (indicated by “INSERT” at the bottom left) where standard typing and deletions are enabled. Press Esc to exit insert mode.

vim in insert mode. Press i to enter insert mode. Press the esc button to escape or change modes.

Visual mode enables copying and pasting. Press v in normal mode to begin selecting text from the cursor. Use arrow keys to expand the selection, then press y to “yank” it. Paste the copied text using the p character key, which will paste the text immediately after your cursor.

vim in visual mode. Press v to enter visual mode. This allows copying and pasting.

To save changes after editing, ensure you're in normal mode, then enter command mode with a colon. If editing is complete, type wq to write and quit, then press Enter. Vim displays a warning when quitting with unsaved changes. To exit without saving, use :q!.

vim in command mode. Press : to enter command mode. A colon appears at the bottom of the window to accept commands. Press enter to execute commands.

Vim Command	Purpose
`:q`	Quit (only if there are no unsaved edits)
`:w`	Save the file
`:wq`	Save the file and quit
`:q!`	Quit without saving

Vim relies on keyboard commands to perform editing tasks due to the lack of on-screen buttons. Only basic features are covered here. Commands like dd , which deletes lines, or shortcuts <SHIFT> + G , which jumps the cursor to the end of a file, become familiar with practice.

Renaming, Copying and Deleting Files

After creating a file with nano or Vim, it can be renamed, copied, or deleted as needed.

Rename a File: mv

Use the mv (move) command to rename a file. Provide the original filename as the first argument and the new name as the second.

For example, mv example.txt newname.txt renames the file in the same directory. Include a different path in the second argument to move the file to another location. Below, the file “example.txt” was renamed to newname.txt, and then was moved to the “/” directory using mv newname.txt /newname.txt.

This screenshot lists the contents of the current directory, which contains the example.txt file. The mv command is used to rename the example.txt file. The current directory listing shows the file has been renamed to newname.txt. Then the mv command is used to show that you can move a file to another directory. newname.txt is shown in another directory.

Copy a File: cp

Use the cp (copy) command to duplicate a file. Specify the original filename first and the name of the copy second. For example, cp example.txt copy.txt creates a duplicate named “copy.txt” in the same directory.

This screenshot lists the contents of the current directory, which contains the example.txt file. The cp command is used to make a copy of the example.txt file. After the command is used, the contents of the directory are listed. The copy.txt file has been been added to the directory.

Remove a File: rm

Use the rm (remove) command to delete a file. Specify the filename as the first argument as follows: rm example.txt. This action is permanent and bypasses recovery options like the Recycle Bin. Restoring deleted files typically requires forensic tools.

This screenshot lists the contents of the current directory, which contains the example.txt file. The rm command is used to remove the example.txt file. The directory is shown with the example.txt file gone.

Tools to learn more about text editors:

Linux Journey
Vim adventures
Use out Tutorial Video below

Tutorial Video

Watch our full Tutorial Video to learn more specifics about the Linux command line.

NCL Summer Live - Linux Command Line - Sep 14, 2021

www.youtube.com

Gym Answer Key

What key should you press in addition to the CTRL key to trigger the combination to exit nano?

How to solve: Start the nano from the Linux terminal. Instructions on the keyboard shortcuts should appear at the bottom of the screen. See the Trove for more detailed guidance.

Answer: x

What vim mode allows you to write new characters in the file?

How to solve: Search online for “vim mode to write new characters”. See the Trove for more detailed guidance.

Answer: insert

What keyboard combination will save and quit the file with vim?

How to solve: Search online for “how to save and quit with vim” and read the descriptions for the different keyboard combinations. See the Trove for more detailed guidance.

Answers:

What keyboard combination will delete an entire line in vim?

How to solve: Search online for “vim delete line” and then read the descriptions for possible keyboard combinations. See the Trove for more detailed guidance.

Answer: dd

What command would you use to rename a file?

How to solve: Search online for “linux how to rename a file” and read about the most common commands. See the Trove for more detailed guidance.

Answer: mv

Extension Activities

6-8	Echo & Redirect Challenge	Use echo to write text to a file.	Run commands like echo "I love coding!" > myfile.txt.Append text using echo "And Linux!" >> myfile.txt.Display contents with cat myfile.txt.Discussion: What’s the difference between > and >>?
9-12	File Permissions and Editing	Explore how permissions affect file editing.	Create files with different permission settings (chmod).Try to edit them and observe what happens.Discuss why permissions are important for security.

Basic Commands

Objectives

Use open source tools and Linux command line knowledge to string Linux commands together.

Prompt

Learn the common basic commands used on the Linux command line.

Questions

What character can you use to redirect the output of one program as the input to another program?
What character can you use the redirect the output of a program to a file?
How many people have a first name of Jordan in names.csv?

Walk-through

This challenge will give you experience running basic Linux commands. To solve these challenges, you will be using a Linux Command Line Interface (aka terminal or shell).

Background

When running a Linux command, different options can be provided to get a specific behavior. One of these is arguments. Arguments always follow the name of the program and could provide information such as the file you wish to run the program on. You may also see arguments referred to as “options” or “flags”.

The syntax for arguments is set by the author of the program. You can often type in the name of the command followed by --help to get information on how to use the program.

For some programs, you can use the man (manual) program to pull up the instructions. If a program has a manual entry, you can open the manual by typing man followed by the name of the program.

Below is the man page for the ls command. You can view it by entering man ls into the command line:

Enter man followed by the command name to get the manual page for a specific command.

If the -a argument is used with the ls command, all of the files, even the hidden ones which start with . , will be listed.

The output of ls -a

Multiple arguments can be added together. The -l argument will list the read, write, execute permissions, the users who can access the file, the file size, and the date modified.

The output of ls -la Some common Linux commands are listed in a table below . Read the manual pages to learn more about different arguments. Understanding how commands can be used is a key part of using Linux.

Guide

Standard Streams

The output of one program can be used as the input to another program. This utilizes a system in Linux called standard streams. There are three standard streams in Linux:

standard input (stdin) - data going into a program

standard output (stdout) - data coming out of a program

standard error (stderr) - errors coming out of a program

The greater than symbol is used to redirect stdout data of a command to a file. For example, echo “I Love Linux” > linux.txt will create a file named “linux.txt” (if it doesn’t already exist) and add “I Love Linux” to it.

Entering echo “Penguins are Cool” > linux.txt will overwrite the pre-existing linux.txt file with the new contents.

Using two greater than symbols will allow contents to be added to the current file contents. echo “I Love Linux” >> linux.txt

The use of the greater than symbol is important to how output is written to files.

The less than symbol can be used in a variety of ways. One is to redirect contents of a file (or stdin) to a certain command. Shown below is the stdout of names.csv using the cat command. But the contents of the names.csv file can be re-directed to the cut command. cut -d ',' -f 1 is used below to show the contents of the first column of a file which is determined by using a comma and the separator, or delimiter, of the columns.

This screenshot shows the stout of the cat command on the names.csv file.

This screenshot shows the names.csv file used as stdin for the cut command. Only the first names in the file are shown as a result of the command.

Stringing Commands

The stdout of one program can be made into the stdin of another program. This is done by using the pipe operator ( | ), which is represented with the vertical bar, and allows you string commands together.

For example, to find the number of people with the first name of “Jordan” from the names.csv file, try using cut -d "," -f 1 < names.csv | grep Jordan. Here, the grep command takes the output from the first portion of the command and only outputs strings that match “Jordan”:

It would be easier if a number was given as an output instead of needing to count. What if there were thousands of people named Jordan in the file? The number of lines that are output can be counted using wc -l:

The output of cut -d ‘,’ -f1 <names.csv | grep Jordan | wc -l is hidden

Chaining multiple Linux commands can become useful in manipulating and analyzing data. Practice running different commands using these different customization tools. Below is a table of common Linux commands.

Please note that within the terminals provided by Cyber Skyline, you will only have access to the tools that are pre-installed. You may not be able to install tools that are not already included in the terminal.

You should become comfortable and will be expected to search online for command line tools that can help you accomplish a task from the terminal. You can also use the built-in help or manual pages to learn how to use a tool.

Program	Description	Example	Example Description
ls	“list” - Display files and directories	ls /	Display all files and directories in the “/” folder
cat	“concatenate” - Print out the contents of a file	cat example.txt	Print out the contents of the “example.txt” file
cd	“change directories” - Switch the current folder that the command line is working on	cd /	Change the terminal to the “/” folder
mv	“move” - Move a file or folder from one location to another or rename a file	mv /root/old.txt /tmp/new.txt	Move the “old.txt” from the the “/root” folder to the “/tmp” folder and rename the file to “new.txt”
cp	“copy” - Make a copy of a file or folder	cp original.txt copy.txt	Makes a duplicate of “original.txt” named “copy.txt”
mkdir	“make directory” - Makes a new folder	mkdir test	Makes a new folder named “test”
rm	“remove” - Deletes a file or folder permanently	rm example.txt	Permanently deletes the “example.txt” file
pwd	“print working directory” - Displays the absolute file path of the directory the command line is currently in	pwd	Prints the full path of the current directory
history	Prints a chronological log of the past commands that were entered	history	Prints the log of past commands
echo	Prints the provided string to standard output	echo "test"	Prints the string, “test” to standard output
grep	“global regular expression print” - search for text that matches a specific pattern	grep match example.txt	Prints lines that contain the text “match” in example.txt
wc	“word count” - Gets a line count (followed by a word count and a byte count) of a file or text stream	wc example.txt	Prints the number of lines in example.txt
cut	Extract column(s) from a file or text stream. Columns must be delineated by a consistent character	cut example.txt -d , -f 2	Prints out the column at index 2 from example.txt
sort	Sorts the lines from a file or text stream.	sort example.txt	Prints the sorted output of the lines from example.txt
uniq	“Unique” - Prints the result of removing duplicate lines from a file or text stream	uniq example.txt	Prints out the result of removing any duplicate lines from example.txt.
man	“manual” - Displays the manual for a program	man echo	Display the manual for the “echo” program

Useful tools for learning Linux:

Linux Journey

Gym Answer Key

What character can you use to redirect the output of one program as the input to another program?

How to solve: Search online for this question as-is. Make sure to find an answer that is specific to redirecting from output from one program to another program (and not to a file). See the Trove for additional guidance.

Answer: |

What character can you use the redirect the output of a program to a file?

How to solve: Search online for this question as-is. Make sure to find an answer that is specific to redirecting from output from one program to a file (and not to another program). See the Trove for additional guidance.

Answer: >

How many people have a first name of Jordan in names.csv?

How to solve: Use cut to grab only the column of first names, then use grep to search for “Jordan” and then use wc -l to get a line count.

cut -d "," -f 1 < names.csv | grep Jordan | wc -l

Answer: 2

Extension Activities

6-8	Linux Command Bingo	Familiarize with common Linux commands.	Create Bingo cards with commands like ls, pwd, cd, mkdir, rm.Call out definitions or tasks (“Show me files in the folder”), students mark corresponding commands.First to bingo explains one command in detail.
9-12	Linux Trivia & Command Line Quiz	Reinforce command knowledge.	Prepare a quiz with multiple choice and practical terminal commands.Use interactive platforms or classroom polling.Include “Identify the command” from output examples.

Strings

Objectives

Use the strings command to find hidden information in a file.

Prompt

The hackers have hidden a message in this image. Find out what it is.

Questions

What is the hidden flag in the image?

Walk-through

This challenge involves using the strings Linux command to find a hidden message. A random portion of the image file was modified to insert the message, which is why there is a distortion in the image. The horizontal distortion that occurs near the eye is a result of the corruption caused by inserting the hidden message randomly within the image data.

The horizontal distortion that occurs near the eye is a result of the corruption caused by inserting the hidden message randomly within the image data

Background

Recall from the bases challenge about how data can be converted from one form to another. Some values in binary that are used in files are not convertible to text characters. strings will pull any binary data out of the file that corresponds to a text character. Text characters would include letters (abc), numbers (123), or symbols (&^,*).

Here is the output of the strings command used on the STEG.jpg file:

Guide

Searching Standard Output (stdout) : grep

The output of the strings command can be searched with another command; grep.

grep is a powerful search command that looks for characters matching the exact string entered by the user. grep is often used with the pipe character ( | ) to search the output of other commands or to format the output of grep.

This challenge specifies that a flag is contained in the image, therefore, grep could be used to look for binary data that converts to characters resembling the standard flag format. This can be done using the command below:

strings STEG1.jpg | grep SKY

Pro Tip

Using strings is a quick way to see if a flag is hidden within the file without needing to open other programs. However, this challenge could also be solved using a hex editor and searching for SKY in the ASCII data as shown below:

Gym Answer Key

1. What is the hidden flag in the image?

How to solve: Run the strings command on the image and search for text that contains “SKY”.

strings STEG1.jpg | grep SKY

Answer: SKY-RCLO-4839

Extension Activities

6-8	Guess the File Type	Use strings output to guess the type of file.	Give several files without extensions.Students use strings to extract text clues.Guess file types based on the strings (e.g., image metadata, code snippets, document text).
9-12	Build Your Own Binary File	Create a file with hidden text and practice extraction.	Use a hex editor or programming language (e.g., Python) to embed text inside a binary file. Use strings to extract it. Reflect on how data can be hidden and recovered.

Log Analysis

SSH

Objectives

Students will analyze the contents of an SSH log to identify adversarial behavior.

Prompt

Analyze this SSH log file to answer the following questions.

Questions

What is the hostname of the ssh server that was compromised?
What was the first IP address to attack the server?
What was the second IP address to attack the server?
What was the third IP address to attack the server?
Which user was targeted in the attack?
From which IP address was the attacker able to successfully log in?

Walk-through

This challenge will give you experience doing a manual analysis of an SSH (Secure Shell Protocol) log file. SSH is a service that allows a device to provide remote terminal access. No additional tools are required to solve this challenge, only the ability to infer the meaning of the data in the log.

To start, look at the content of the log. If you’re unfamiliar with SSH logs, you can query the internet to find out more about how they are structured and what different terms used in the log mean.

The message field will often include warnings or errors. The event details field will include when sessions initiate or authentication attempts.

The questions for this challenge imply that there is an attack on the server. To understand what that could mean, look at more of the log file. There seem to be a lot of failed password attempts for a certain account trying to connect to the server.

Looking more closely at the messages, it’s evident that connections are coming from various IP addresses for the same user in a very short amount of time. That seems like odd behavior for a legitimate user trying to login; therefore, looking at the “Failed password” attempts is critical to finding which IP addresses are attacking the server and which account is being targeted.

In order to determine which IP address the attacker was successfully able to login from, we need to find a message that communicates a login attempt was successful. Scroll through the log file to find the line that includes “Accepted password”.

Gym Answer Key

What is the hostname of the SSH server that was compromised?

How to solve: This can be solved by finding the hostname, which is listed directly after the timestamp for each entry in the log.

Oct 11 10:12:00 myraptor sshd[29459]: Server listening on 0.0.0.0	port 22.

Answer: myraptor

What was the first IP address to attack the server?

How to solve: This can be solved by identifying the IP address of the attacker in the first “Failed password” entries.

Oct 11 10:12:25 myraptor sshd[29465]: Failed password for harvey from 169.139.243.218 port 57273	ssh2

Answer: 169.139.243.218

What was the second IP address to attack the server?

How to solve: This can be solved in the same way as the previous question by looking at the subsequent “Failed password” entries.

Answer: 56.13.188.38

What was the third IP address to attack the server?

How to solve: This can be solved in the same way as the previous question by looking at the subsequent “Failed password” entries.

Answer: 30.167.206.91

Which user was targeted in the attack?

How to solve: This can be solved by identifying the name of the account that had failed password attempts. Search for “Failed password” and then look for the account name.

Oct 11 10:12:25 myraptor sshd[29465]: Failed password for harvey from 169.139.243.218 port 57273	ssh

Answer: harvey

From which IP address was the attacker able to successfully log in?

How to solve: This can be solved by searching for the entry that has “Accepted password”.

Oct 11 10:36:59 myraptor sshd[30003]: Accepted password for harvey from 30.167.206.91 port 55326	ssh2

Answer: 30.167.206.91

Extension Activities

6-8	Log Line Match Game	Learn SSH terminology and log meanings.	Match terms like Accepted password, Failed password, port, user, IP to their meanings.Color code log lines by type (green for success, red for failed attempts).
9-12	Create Your Own SSH Log Puzzle	Design and share SSH log puzzles with classmates.	Students write their own fake SSH logs with a narrative: attack, success, mistake, etc.Swap puzzles and analyze each other’s scenarios.

Login

Objectives

Students will use command line tools to analyze a custom application log format.

Prompt

Analyze a custom application login event log to help us understand user behavior.

Questions

How many total login attempts were made in this log?
How many unique usernames appear in this log?
What is the username with the most login attempts?
How many attempts were made for the username with the most login attempts?
What is the date with the most login attempts?
What is the username that had logins from the most unique IP addresses?

Walk-through

This challenge involves analyzing a custom application log format that uses tab-delineated columns. The tab-delineated format is well-suited for the cut tool to extract specific columns from the log. cut can be used in combination with several other Linux command line utilities to obtain the answers to the questions.

Using head and tail to see the first few or last few lines:

To start, use ls to list the files in the directory, you should see login.log. The cat command can be used to display the contents of the file. Sometimes, log files can be quite long, so to avoid having to scroll back up through several lines, use head or tail to just see the first few lines or the last few lines. Used with no arguments, they will display 10 lines by default:

This can be helpful for log files that have column headers - using head instead of cat will display the column names and the first few lines of data.

Counting words or lines in the output:

Piping the wc command (short for word count), along with the -l flag (lower case L for “lines”) will count the lines in the output:

Display only one column with cut:

To display only the usernames, use the cut command with the -f flag to extract field 3 (the username column). The default delimiter for cut is a tab space.

Sorting a list alphabetically and displaying unique output:

The usernames can be sorted alphabetically by piping the output through the command sort:

Some usernames are listed twice. To list only the unique entries, use the uniq command.

The -c flag will show the number of times an entry occurs in the output:

💡

Please note that uniq -c without sort will yield a different (and incorrect) result because uniq -c only counts consecutive duplicate lines. If the same line appears multiple times, but not next to each other, uniq -c cannot identify them: sort puts all identical lines next to each other, allowing uniq -c to count them properly.

This list can be sorted again, this time numerically, with the -n flag:

Other features of cut:

The output can be piped throughcut -f 1,3 to display the first column (Date and Time) and the third column (usernames):

To display only the date (without the timestamp), use cut -d " " -f 1. This tells cut to split the line by spaces (instead of the default tab) and extract the first field:

Gym Answer Key

How many total login attempts were made in this log?

How to solve: Get the line count of the log. (Reminder: at the end of the command, that is a lower case ‘L’ not a number 1)

cat login.log | wc -l

Answer: 6063

How many unique usernames appear in this log?

How to solve: Extract the third field (with the usernames) of the log, sort the usernames, get the unique usernames, and then get a line count of the number of unique usernames.

cat login.log | cut -f 3 | sort | uniq | wc -l

Answer: 1879

What is the username with the most login attempts?

How to solve: Extract the third field (with the usernames) of the log, sort the usernames, get a frequency count of each unique username, and then sort the unique usernames by frequency.

cat login.log | cut -f 3 | sort | uniq -c |sort -n

Answer: ntory

How many attempts were made for the username with the most login attempts?

How to solve: Use the same command as the question above.

cat login.log | cut -f 3 | sort | uniq -c |sort -n

Answer: 124

What is the date with the most login attempts?

How to solve: Extract the first field (with the date+time) of the log, extract just the date, sort the dates, get a frequency count of each unique date, and then sort the unique dates by frequency.

Answer: 2011-03-23

What is the username that had logins from the most unique IP addresses?

How to solve: Extract the second field (with the IP address) and third field (with the username) of the log, sort the IP/username pairs, get the unique IP/username pairs, then extract just the usernames from each pair, sort the usernames, get a frequency count of how many unique pairs each username has, and then sort by frequency.

Answer: wlfla0190

Extension Activities

6-8	Login Color Code	Visually interpret log entries.	Print or display several log lines.Students highlight: Green: Successful logins Red: Failed logins Blue: IP addresses Discuss: What can logs tell us about system usage?
9-12	User Behavior Profile	Analyze and profile user activity.	Provide anonymized logs for 2–3 users. Students summarize: Login times Access locations (IP)Behavior patterns Discuss: What’s normal vs suspicious?

VSFTPD

Objectives

Students will analyze a VSFTPD log file.

Prompt

Analyze a VSFTPD log file that we obtained.

Questions

What IP address did "ftpuser" first log in from?
What is the first directory that ftpuser created?
What is the last directory that ftpuser created?
What file extension was the most used by ftpuser?
What is the username of the other user in this log?
What IP address did this other user log in from?
How many total bytes did this other user upload?
How many total bytes did ftpuser upload?
How many total bytes did ftpuser download?
Identify the IP address of the suspicious login (the login with no subsequent activity)

Walkthrough

This challenge involves analyzing the log file of a VSFTPD server. The questions can be solved through manual inspection of the file and by using basic Linux commands to parse the log.

VSFTPD stands for “Very Secure FTP Daemon” and is used on Linux servers to create a secure way to users to upload and download files. This type of server is implemented for different purposes, but the logs created from its use convey similar information like timestamps, process IDs (PID), event types, client IP addresses, as well as usernames.

To find an IP address of a specific user use grep as shown:cat vsftpd.log | grep ftpuser

Sometimes, log files can be quite long, so to avoid having to scroll back up through several lines, use head or tail to just see the first few lines or the last few lines. Used with no arguments, they will display 10 lines by default.

The actions performed by ftpuser (like making directories) can be filtered by searching the output of the previous command and using the head command to see the first results. Using -i with grep will ignore the case of what you want to search for. cat vsftpd.log | grep ftpuser | grep -i mkdir | head -n 1

The output has been partially redacted

The same can be done with tail to see actions performed by the user at a later time:

cat vsftpd.log | grep ftpuser | grep -i mkdir | tail -n 1

The output has been partially redacted

Using awk and custom delimiters to isolate file types:

To determine what file type was most commonly uploaded, use grep to get an idea of what the uploads look like. This will help determine how to structure a command to filter the log down such that only file extensions are output. cat vsftpd.log | grep ftpuser | grep 'OK UPLOAD'

As shown below, the file path where the file was uploaded contains the file extension. There is a comma used after the file path— this can be used to set a custom delimiter with the awk command. Using awk, the specific column of data segmented by the commas can be printed. The second column has the file path with the file extension.

To use a custom delimiter with awk, use the -F option and enter the keyboard character you want to use as a delimiter between two single quotes as follows:

cat vsftpd.log | grep ftpuser | grep 'OK UPLOAD' | awk -F ',' '{print $2}' | head

Now lets isolate the file extension using the period as the delimiter. The output needed will come after the period, so be sure to use to tell awk to print the second field. cat vsftpd.log | grep ftpuser | grep 'OK UPLOAD' | awk -F ',' '{print $2}' | awk -F '.' '{print $2}' | head

From here, all that’s needed is to sort and print the unique file types using the following command:

cat vsftpd.log | grep ftpuser | grep 'OK UPLOAD' | awk -F ',' '{print $2 }' | awk -F "." '{print $2}' | sort | uniq -c | sort

The output has been partially redacted. (Notice that the double quotes are still present. These can be filtered out with awk or cut, but this is was not shown for brevity)

To find other users that might be in this log file, look at what column contains the username field— this is in the 8th column. Use awk to filter all log entries for this field. Be sure to use sort and uniq so you can more easily see how many different users are in the log file.

cat vsftpd.log | awk '{print $8}' | sort | uniq

Enter another command using grep and the username in question to find their IP address.

Using awk to calculate a total:

To determine how many bytes are uploaded or downloaded by a particular user, lets grep for the desired user, use grep to determine if we’re looking for uploaded or downloaded files, and then use the commas as a delimiter to see the file size.

Those are just the bytes for each individual file, not the total. awk can be used to get the total bytes using this command: awk '{s+=$1} END {print s}' . This will take the value of the first column ($1) and add it to variable s — creating a running total through each line of the log. When the log file ends (END), awk will print the value of s—the sum of the bytes. cat vsftpd.log | grep ftpuser | grep 'OK UPLOAD' | awk -F ',' '{print $3}'| awk '{s+=$1} END {print s}’

The output has been partially redacted.

To identify the IP address associated with a suspicious login, or logins without any other activity, lets grep for successful logins, and then filter out the field with IP addresses. Use a double quote (”) as the delimiter. Syntax-wise this is used between two single quotes. Don’t forget to sort for unique IP addresses and count the total.

cat vsftpd.log | grep 'OK LOGIN' | awk -F '"' '{print $2 }' | sort | uniq -c

The output has been partially redacted.

Gym Answer Key

What IP address did "ftpuser" first log in from?

How to solve: Search for any entries that include “ftpuser”. One of these lines should include an IP address. cat vsftpd.log | grep ftpuser

Answer: 10.0.0.123

What is the first directory that ftpuser created?

How to solve: Search for the first entry of the ftpuser account running the mkdir command. cat vsftpd.log | grep ftpuser | grep -i mkdir | head -n 1

Answer: TreeSizeFree

What is the last directory that ftpuser created?

How to solve: Search for the last entry of the ftpuser account running the mkdir command. cat vsftpd.log | grep ftpuser | grep -i mkdir | tail -n 1

Answer: 110D300S

What file extension was the most used by ftpuser?

How to solve: Search for successful file upload entries from ftpuser, extract the file extension for those uploads, and then get the frequency count for each unique file extension

cat vsftpd.log | grep ftpuser | grep 'OK UPLOAD' | awk -F ',' '{print $2 }' | awk -F "." '{print $2}' | sort | uniq -c | sort

Possible Answers:

jpeg
jpg
Joint Photographic Experts Group

What is the username of the other user in this log?

How to solve: To find other users that might be in this log file, look at what column contains the username field— this is in the 8th column. Use awk to filter all log entries for this field.

cat vsftpd.log | awk '{print $8}' | sort | uniq

Answer: jimmy

What IP address did this other user log in from?

How to solve: Search for any entries that include jimmy. One of these lines should include an IP address. cat vsftpd.log | grep jimmy

Answer: 10.0.0.214

How many total bytes did this other user upload?

How to solve: Search for successful file upload entries from jimmy, extract the number of bytes transferred, then sum the bytes cat vsftpd.log | grep jimmy | grep 'OK UPLOAD' | awk -F ',' '{print $3 }' | awk '{s+=$1} END {print s}’

Answer:

How many total bytes did ftpuser upload?

How to solve: Search for successful file upload entries from ftpuser, extract the number of bytes transferred, then sum the bytes cat vsftpd.log | grep ftpuser | grep 'OK UPLOAD' | awk -F ',' '{print $3 }' | awk '{s+=$1} END {print s}’

Answer: 13980839165 bytes

How many total bytes did ftpuser download?

How to solve: Search for successful file download entries from ftpuser, extract the number of bytes transferred, then sum the bytes cat vsftpd.log | grep ftpuser | grep 'OK DOWNLOAD' | awk -F ',' '{print $3 }' | awk '{s+=$1} END {print s}’

Answer: 6008032 bytes

Identify the IP address of the suspicious login (the login with no subsequent activity).

How to solve: Search for all of the successful login attempts, extract the IP address used to log in, then sort and unique the IP addresses to identify IP addresses for manual inspection

cat vsftpd.log | grep 'OK LOGIN' | awk -F '"' '{print $2 }' | sort | uniq

Answer: 10.3.0.6

Extension Activities

6-8	FTP Role-Play Activity	Act out FTP log scenarios and decode them.	Assign roles (Client, Server, Logger).Simulate login attempts and file transfers.Logger writes log entries, others guess what actions they represent.
9-12	Create Your Own FTP Log Puzzle	Design a VSFTPD log mystery for peers.	Students generate fictitious VSFTPD logs with:Students generate fictitious VSFTPD logs with:One suspicious loginOne normal userA fake attack attemptPeers analyze the log and identify the risky event.

Nginx

Objectives

Students will analyze an nginx access log.

Prompt

Analyze an nginx access log and answer questions about what happened.

Questions

How many different IP addresses reached the server?
How many requests yielded a 200 status?
How many requests yielded a 400 status?
What IP address rang at the doorbell?
What version of the Googlebot visited the website?
Which IP address attempted to exploit the shellshock vulnerability?
What was the most popular version of Firefox used for browsing the website?
What is the most common HTTP method used?
What is the second most common HTTP method used?
How many requests were for \x04\x01\x00P\xC6\xCE\x0Eu0\x00?

Walk-through

This challenge involves analyzing an nginx access log. The questions can be solved through manual inspection of the file and by using basic Linux commands to parse the log.

Looking through the first few lines of the log, it is apparent that the IP addresses are the first field in each line:

To answer the first question, the IPs need to be extracted, sorted to filter for only unique ones, and counted. This can be done with cut, sort, uniq and wc :

For a more thorough explanation of these commands, refer to the Walkthrough for Log Analysis Challenge Login.

Extracting data from a column in a log file:

Looking at the first screenshot, the HTTP return codes are in the fourth field from the last:

The field right before it is enclosed in double quotes, so " can be used as a delimiter with cut. The first field before the " will contain data from the IP address to the timestamp. The second field, starting with GET, is the actual HTTP request. Therefore, the return codes will be the third field when a double quote is used as the delimiter.

💡

*Note: you only need to use one "between two single quotes in the cut command.

A portion of the output of cat access.log | cut -d '"' -f3 is shown here :

To eliminate the second column from this output, the output can be piped through another cut command using a space as the delimiter. It looks like there is a space before the HTTP return codes as well, so the codes will be the second field after the first “space”:

Now that we are working with the HTTP return codes, we can sort and count the code occurrences:

Matching patterns with grep:

The remaining parts of this challenge require using grep , a tool that can be used to search entries for a keyword. Refer to the Linux: Basic Commands Walkthrough for more information on using grep. Using grep with the -o flag tells grep to print only the part of the line that matches the pattern, instead of the entire line.

Extracting columnar data with awk

Before answering the questions about HTTP methods is may be helpful to learn more about them here. Solving the questions about the HTTP methods used can be approached in two ways; using cut or awk.

cut can be used to extract the field containing the HTTP request methods ( the second field enclosed in double quotes). Then cut will be used to extract the first field of that output (which contains the actual HTTP request method). The output of that will be sorted, and counted using uniq.

sort -rn will list the output in reverse numeric order, so the term with the highest number of occurrences is listed at the top.

awk can also be used to get the desired output. It is a powerful text processing tool that treats any amount of whitespace as a single field separator by default, as compared to cut, which treats only a tab space as a default field separator. For awk, the HTTP Request Method would be the 6th field from the left.

Backslash - Escape character:

The last question prompts us to look for a raw byte sequence in the log file. If grep '\41' access.log was used, the Linux shell is going to convert the byte to ASCII, and look for ‘A’ instead. To prevent the shell from interpreting the backslash as an escape character, it needs to be escaped with another backslash as follows: grep ‘\\41’ access.log. This ensures grep receives the full byte sequence and not the translated character.

The output of grep ‘\\x04’ access.log

Tutorial Video

Watch our full Tutorial Video to learn more specifics about crafting SQL queries and injections and see a walkthrough of how to solve this challenge:

NCL Summer Live - Log Analysis 1 - July 8 2021

Learn tips and tools of the trade with the National Cyber League's NCL Summer Live video tutorial series. This episode covers a demo of how to solve a problem in Log Analysis, one of the 9 NCL competition categories. Perfect for beginners! The National Cyber League, powered by Cyber Skyline, is a bi-annual, all-virtual cybersecurity student competition, advancing hands-on skills and knowledge. Check the website at nationalcyberleague.org for details.

www.youtube.com

NCL Summer Live - Log Analysis 1 - July 8 2021

Gym Answer Key

How many different IP addresses reached the server?

How to solve: Extract the first field (with the IP addresses), sort the IP addresses, get the unique IP addresses, and then get a line count.

cat access.log | cut -d " " -f 1 | sort | uniq | wc -l

Answer: 47

How many requests yielded a 200 code?

How to solve: Extract the third field after double quotes as the delimiter (which includes the HTTP codes), sort the codes, get the unique values with a count of the occurrences of each. Optional: sort in descending numeric order.

Answer: 19

How many requests yielded a 400 code?

How to solve: Same as the question above.

Answer: 38

What IP address rang at the doorbell?

How to solve: Search for “bell”

cat access.log | grep "bell"

Answer: 186.64.69.141

What version of the Googlebot visited the website?

How to solve: Search for “Googlebot”

cat access.log | grep "Googlebot"

Answer: 2.1

Which IP address attempted to exploit the shellshock vulnerability?

How to solve: Search online for details about the Shellshock vulnerability. You should be able to find that the presence of this sequence of characters () { :; }; is an indication of an attempted exploitation of this vulnerability. With this knowledge, search the log for any lines with that sequence of characters.

cat access.log | grep '() { :; };'

Answer: 61.161.130.241

What was the most popular version of Firefox used for browsing the website?

How to solve: Search the log for all lines that contain “Firefox” and the following characters which make up the version number, sort those values, and then get a unique count.

cat access.log | grep -o "Firefox/.*" | sort | uniq -c

Answer: Firefox/31.0

What is the most common HTTP method used?

How to solve: Extract the 6th field (with the HTTP method), sort, get the unique values with a count of the occurrences of each value, and then sort in descending numeric order.

cat access.log | awk -F " " '{print $6}' | sort | uniq -c | sort -rn

Answer: GET

Incorrect:

POST
PUT
DELETE
HEAD
CONNECT

What is the second most common HTTP method used?

How to solve: Use the same command as the question above.

cat access.log | awk -F " " '{print $6}' | sort | uniq -c | sort -rn

Answer: CONNECT

Incorrect:

GET
POST
PUT
HEAD
DELETE

How many requests were for \x04\x01\x00P\xC6\xCE\x0Eu0\x00?

How to solve: Search the log for all lines that contain that sequence of characters and then get a line count. Note that that command requires two backslashes for each original backslash to perform a proper escape sequence for the backslash.

cat access.log | grep '\\x04\\x01\\x00P\\xC6\\xCE\\x0Eu0\\x00' | wc -l

Answer: 6

Extension Activities

6-8	Website Detective	Match access log lines to website actions.	Give students fictional scenarios (e.g., visiting a page, clicking a link).Match them to the correct NGINX access log line.Match errors to misclicks (e.g., 404 for broken links).
9-12	Traffic Pattern Analysis	Analyze a set of access logs for usage trends.	Provide a few dozen real or simulated NGINX access log lines.Have students: Count total visitsIdentify top-requested URLsChart visit frequency over timeUse spreadsheets or visual tools for analysis.

History

Objectives

Students will use SQL commands to analyze a SQlite database.

Prompt

Analyze a Firefox SQlite history database and answer questions about what happened. It you are not familiar with SQL you may want to learn more about SQL here: https://www.tutorialrepublic.com/sql-tutorial/

Questions

What did the user search for on craigslist?
What was the current price (USD) of bitcoin when the user was browsing?
What Bitcoin exchange did the user log in to?
What is the email that was used to log into the exchange?
What was the ID of the Bitcoin transaction that the user looked at?
What was the total BTC value of all the inputs of the Bitcoin transaction?
Which bitcoin address received the majority of the Bitcoin in the transaction?

Walk-through

This challenge will give you experience analyzing a SQLite database. The answers can be obtained by using the sqlite3 Linux program or a GUI-based viewer. There are also browser-based SQLite viewers such as https://inloop.github.io/sqlite-viewer/.

Click into the terminal on the Cyber Skyline platform. Thebrowser.sqlite file in the current directory. Use the command sqlite3 browser.sqlite to start the SQLite program.

The sqlite> prompt will indicate that the SQLite program has started

Use the command .tables to see all of the database tables available to view.

Use the command SELECT * FROM moz_hosts; (or use any of the other table names) to view the information contained in the tables. The wildcard indicates that we want to select all the columns, and the semicolon at the end of the query signal the end of the query.

Searching for Firefox Sqlite Database can help narrow down which tables to look through. This site mentions that moz_places contains the sites visited, so that might be helpful for the first few questions:

Places.sqlite - MozillaZine Knowledge Base

There is a way to list of the columns in the moz_places table with PRAGMA table_info(moz_places); :

Notice the second column contains urls

For the first question, look for the user’s search on craigslist. This information is most likely to be in the ‘url’ column, so we can display that with the query select url from moz_places;

The price of bitcoin when the user was browsing will show up in the “title” column in this table. Search for the $ sign with select * from moz_places where title like '%$%'; :

For question 3, run select url from moz_places; and scroll to see where the user signs in.

To find the user’s gmail account, query the table for any titles containing ‘gmail’ with select * from moz_places where title like '%gmail%'; :

Scrolling further down from the output of select url from moz_places; , we can see the transaction ID that the user looked at:

The remaining questions can be answers by visiting the URLs that are listed inside the database. The URL with id 290 is for a bitcoin transaction listed on blockchain.info. The main page displays the ID as well as the total value of the inputs.

The Bitcoin transaction ID and the amounts that were transferred are all listed on the blockchain.info page.

Alternatively for this challenge, you can upload the SQLite database file to the

SQLite Viewer Web App

to navigate through a GUI:

From this table, it is possible to identify what pages the user has visited.

Useful resources for this challenge:

SQLite Viewer Web App

Tutorial Video

Watch our full Tutorial Video to learn more specifics about SQL databases and see a walkthrough of how to solve this challenge:

Cyber Skyline Live: Analyzing an SQL Database - Nov 3, 2022

Learn from Franz Payer, CEO of Cyber Skyline, about how to crack open a SQL database and extract the data you’re looking for. Reach out with questions at contact@cyberskyline.com. Cyber Skyline is the organizer of the National Cyber League, a bi-annual, all-virtual cybersecurity student competition, advancing hands-on skills and knowledge. Check the website at nationalcyberleague.org for details on NCL.

youtu.be

Cyber Skyline Live: Analyzing an SQL Database - Nov 3, 2022

Gym Answer Key

What did the user search for on craigslist?

How to solve: The user’s search can be seen in row 23 inside the “query’ parameter in the URL.

Answer: bitcoin

What was the current price (USD) of bitcoin when the user was browsing?

How to solve: The current price is listed in row 23 in of the “title” of Bitstamp’s homepage.

Answer: $239.50

What Bitcoin exchange did the user log in to?

How to solve: The Bitcoin exchange is identified in row 253, which shows the user successfully loading their account page after logging in.

Answer: Coinbase

What is the email that was used to log into the exchange?

How to solve: The email can be found on row 47 in the “title” of the Gmail webpage.

Answer: b1gbird@gmail.com

What was the ID of the Bitcoin transaction that the user looked at?

How to solve: The ID of the Bitcoin transaction is the “Hash” value listed on the blockchain.info page.

Answer: 5274cfba585a4b5681527a37f95c76340428916bb7480cef6c545f0a28dcd2d7

What was the total BTC value of all the inputs of the Bitcoin transaction?

How to solve: The total BTC value of the inputs can be obtained by adding up the values of all the BTC inputs on theblockchain.info page.

Answer: 0.22616302

Which Bitcoin address received the majority of the Bitcoin in the transaction?

How to solve: The right side of theblockchain.info page contains the addresses and amounts that were sent to each recipient. The address that received the majority of the Bitcoin was that one that was sent the most BTC.

Answer: 18z6bTFjxkXCmhfp8YBetR2wgmoVjXGJZz

Extension Activities

6-8	Log Story Sequencing Game	Reconstruct a digital activity timeline.	Provide: Cut-out log line cards with mixed-up order. User logs in at 8:00User opens a document. User edits document. User deletes a file User logs out Activity: Students rearrange the cards into the correct order. They write a one-paragraph summary of what happened based on the log.
9-12	Command Frequency Analysis	Determine behavior based on command frequency.	Provide a long history list with command repetition. Students: Tally top 5 used commands. Infer the user’s job (developer, admin, attacker?). Discuss what's "normal" vs "abnormal" usage.

Squid

Objectives

Students will analyze a Squid proxy log.

Prompt

Analyze this Squid proxy log to answer the following questions.

Questions

In what year was this log saved?
How many milliseconds did the fastest request take?
How many milliseconds did the longest request take?
How many different IP addresses did the proxy service in this log?
How many GET requests were made?
How many POST requests were made?
What company created the antivirus used on the host at 192.168.0.224?
What URL is used to download an antivirus update?

Walk-through

This challenge involves analyzing a Squid proxy log. Basic scripting knowledge is necessary to complete the challenge in a reasonable amount of time.

Use head to see the first few lines of the log. The first field, commonly the time, is in an odd format of numbers and decimals. This is epoch time. Epoch time is the time in seconds from January 1 1970 at midnight.

Converting a timestamp from Epoch to Unix:

Online tools can be used to convert the timestamp to a human readable Unix format (see tools below) . or you can use the date command to convert it within linux:

Using awk to extract column data:

To answer questions about the speed of the request, looking up the format of a squid log (https://wiki.squid-cache.org/Features/LogFormat) shows that the field after the timestamp represents the time spent by the proxy in processing the client request, shown in milliseconds. To extract this field, use awk '{print $2}' and sort -n to sort numerically.

To answer how many different ip addresses that the proxy serviced in this log, use awk to output the ip addresses found in field 3. awk '{print $3}' | sort | uniq | wc -l.

For other examples of using awk, refer to Log Analysis challenge Nginx.

The GET and POST requests are found in the 6th column. Usecat squid_access.log | awk '{print $6}' | sort | uniq –c to see the number of GET and POST requests made.

To find information about the antivirus used on 192.168.0.224, use grep to find that ip address in the log file: cat squid_access.log | grep "192.168.0.224"

The output of this command has been partially redacted to show the ip addresses filtered using grep

Helpful Tools

Epoch Converter
Understanding how to use awk to print specific columns
How squid logs are formatted
Use our Tutorial Video below

Tutorial Video

Watch our full Tutorial Video to learn more specifics about log analysis and see a walkthrough of how to solve this challenge:

NCL Summer Live - Log Analysis 2 - July 15 2021

Learn tips and tools of the trade with the National Cyber League's NCL Summer Live video tutorial series. This episode goes deep into Log Analysis, one of the 9 NCL competition categories. As a follow-up to the July 8 Log Analysis Tutorial, Franz Payer, CEO of Cyber Skyline, demonstrates: 1. How to convert an epoch timestamp into human-readable format 2. Identifying the smallest or largest value in a column 3. Counting unique number of values in a column 4. Counting number of times a value repeats 5. Searching for an IP address in a file 6. Counting how many times an event happens for each IP address. The National Cyber League, powered by Cyber Skyline, is a bi-annual, all-virtual cybersecurity student competition, advancing hands-on skills and knowledge. Check the website at nationalcyberleague.org for details.

youtu.be

NCL Summer Live - Log Analysis 2 - July 15 2021

Gym Answer Key

In what year was this log saved?

How to solve: Take any of the Epoch timestamps and convert them into a human-readable date. An online tool, such as Epoch Converter, can be used to do this.

Answer: 2010

How many milliseconds did the fastest request take?

How to solve: Extract the second field (the response time) and then sort the results numerically

cat squid_access.log | awk '{print $2}' | sort -n

Answer: 5

How many milliseconds did the longest request take?

How to solve: Same as the question above.

cat squid_access.log | awk '{print $2}' | sort -n

Answer: 41762

How many different IP addresses did the proxy service in this log?

How to solve: Extract the third field (the IP address of the proxy client), sort, get the unique values, and then get the line count.

cat squid_access.log | awk '{print $3}' | sort | uniq | wc -l

Answer: 4

Extension Activities

6-8	URL Scavenger Hunt	Explore responsible internet use.	Provide fake Squid logs with safe and unsafe URLs .Students highlight URLs that are: Educational Entertainment Suspicious or inappropriate Discussion: Why might schools block certain content?
9-12	Attack Simulation: Malicious Site Detection	Detect unsafe browsing behavior.	Some logs include suspicious URLs (e.g., phishing sites).Students must: Identify risky URLs Explain why they are suspicious Suggest how the network should respond (block? notify? educate?)

Log Payments

Objectives

Students will analyze a SOAP log using the command line and a spreadsheet editor.

Prompt

A payment transaction log was compromised in a data breach. Help us determine what information was stolen.

Questions

How many transactions are contained in the log?
What is the transaction ID of the largest purchase made in the log?
Which state made the greatest number of purchases?

Walkthrough

This challenge involves parsing a log file from a SOAP web server. SOAP is used to send messages using the Extensible Markup Language (XML). Solving this challenge requires a mechanism to parse the XML and query the underlying data. This can be done by extracting the relevant XML from the log file, converting the XML to CSV format, and then using a spreadsheet editor to query the data.

Extracting the XML

There are many debug lines within this log file; however, the only relevant lines for this scenario are the ones that begin with PPAPIService: Request: and PPAPIService: Response:. These lines appear to contain the plaintext payment data that are being sent to/from the server. A regular expression can quickly match these lines and extract the raw XML to be saved as a separate file.

sed -nr 's/PPAPIService: Request: (.*)/\1/p' payments.log > requests.xml
sed -nr 's/PPAPIService: Response: <\?.*\?>(.*)/\1/p' payments.log > responses.xml

Parses the entries for the requests and responses and saves them into separate files. The regex for the responses also removes the starting XML tag (which is not present in the requests) from each response to avoid confusing the XML to CSV parser.

Get-Content payments.log | ForEach-Object {if ($_ -match 'PPAPIService: Request: (.*)') {$matches[1] | Out-File -Append requests.xml}
}

Get-Content payments.log | ForEach-Object {if ($_ -match 'PPAPIService: Response: <\?.*\?>(.*)') {$matches[1] | Out-File -Append responses.xml}
}

Here are Powershell commands for the same extraction.

⚠️

You will need to add <xml> to the beginning and </xml> to the end of your XML file so it can be recognized properly by your CSV converter.

Converting the XML to CSV

Once you have extracted the payment requests into a separate file, you can now convert the XML into a CSV (or .xlsx file). There are various tools that can do this conversion, such as convertcsv.

Using a Spreadsheet Editor

Any common spreadsheet editor should provide tools that can be used to answer the questions from the prompt.

To determine how many transactions occurred, count the number of rows of data from either csv file.

To determine the largest purchase made in the log and its associated transaction ID, use the “requests” spreadsheet. Sort the column for the order total (column ‘F’) with the largest transaction at the top. Then unsort and find the row number for the highest value.

Use the row number to find the corresponding response in the “responses” spreadsheet. Look for the transaction ID (column ‘Z’).

To determine which state had the greatest number of purchases, use the “requests” spreadsheet. Right click on the column header for the state of the ship-to address and selecting “Column Stats”.

Column stats will display the most common unique values and their frequency

Useful tools

convertcsv.com

Gym Answer Key

How many transactions are contained in the log?

How to solve: Count the number of lines that start with PPAPIService: Request:

Answer: 192

What is the transaction ID of the largest purchase made in the log?

How to solve: Sort the requests by the order total column to find the largest purchase, then get the transaction ID from the corresponding response.

Answer: 3a4da8c8-6934-4655-9ec5-335ab4540a2b

Which state made the greatest number of purchases?

How to solve: Get a count of the unique values for the state of the ship-to address

Answer: massachusetts

Incorrect: maryland

Extension Activities

6-8	Budget Match	Practice real-world math and budgeting.	Each student is given a budget (e.g., $20/week).They "shop" using log entries from a store list.Keep track of their spending and create their own log lines.
9-12	Policy Designer	Understand how rules protect users and systems.	After analyzing fictional logs, students propose:Spending limitsDaily caps on categories (e.g., junk food)Rules to prevent refunds/gift card abusePresent their “fraud prevention policy” to the class

Network Traffic Analysis

DNS

Objectives

Students will analyze a network packet capture to communicate an understanding of DNS.

Prompt

DNS is what enables us to access much of the internet without remembering IP addresses, analyze the network packet capture to understand more about DNS.

You can read this guide to learn more about computer networking.

Questions

What is the type of the DNS query requested?
What domain was requested?
How many items were in the response?
What is the TTL for all of the DNS records?
What is the IP address for the "welcome" subdomain?

Walkthrough

This challenge evaluates the user’s ability to understand a packet capture containing network traffic using the DNS protocol. Use Wireshark or, if provided, the web-based CloudShark tool to solve the challenge.

Background

The DNS (Domain Name Service) protocol enables a system that allows devices to lookup the IP address of a domain name. This is useful because, as humans, it is much easier for us to remember “google.com” instead of the specific IP address that you should use when you want to reach any website’s services.

All of the questions and answers in this challenge are specific to the DNS protocol, so it may be helpful to learn more about DNS. See the “Helpful Tools” section below for relevant links or conduct your own research.

Guide

Questions 1 and 2 can be solved by looking for a packet with “Standard query” in the info column (packet #4). Once found, expanding the packet dissectors for Domain Name System (DNS) will yield the answers.

This is a partial screenshot of the Network capture in Cloudshark. Notice that packet 4 has DNS under the “Protocol” column. The answers have been redacted by white shapes with red outlines.

Questions 3 – 5 can be solved by looking for a packet with “Standard query response” in the info column (packet #5). When you click on the packet, it will say “(response)” next to the DNS portion of the frame (indicated in the image below with a red circle). Once found, expand the packet dissectors for the ‘Answers’ section under DNS.

This is the output of packet 5. In order to find the answer to question 3, you will need to count the number of entries in the answer section. This answer is not shown. The answers have been redacted.

Other Resources to Learn about DNS:

https://www.cloudflare.com/learning/dns/what-is-dns/
https://aws.amazon.com/route53/what-is-dns/
Use the Tutorial Video below

Video Tutorial

Watch our full Tutorial Video to learn more about DNS web data and see a walkthrough of how to solve this challenge:

Cyber Skyline Live - DNS - Oct 28, 2021

What does DNS (Domain Name System) do, and why should you care? In this episode of the Cyber Skyline Live tutorial series, Franz Payer, CEO of Cyber Skyline, gives an in-depth explanation of DNS - what it does, how you can interact with DNS in cybersecurity context, and how to use Wireshark to to solve cybersecurity challenges. Comes in super-handy for the National Cyber League competitions! Reach out with questions at contact@cyberskyline.com. Cyber Skyline is the organizer of the National Cyber League, a bi-annual, all-virtual cybersecurity student competition, advancing hands-on skills and knowledge. Check the website at nationalcyberleague.org for details on NCL.

www.youtube.com

Gym Answer Key

What is the type of the DNS query requested?

How to solve: Look for a packet with “Standard query” in the info column (packet #4). Once found, expanding the packet dissectors for DNS will yield the answers.

Answer: AXFR

What domain was requested?

How to solve: Look for a packet with “Standard query” in the info column (packet #4). Once found, expanding the packet dissectors for DNS will yield the answers.

Answer: etas.com

How many items were in the response?

How to solve: Look for a packet with “Standard query response” in the info column (packet #5). Once found, expanding the packet dissectors for ‘Answers’ under DNS will yield the answers.

Answer: 4

What is the TTL for all of the DNS records?

How to solve: Look for a packet with “Standard query response” in the info column (packet #5). Once found, expanding the packet dissectors for ‘Answers’ under DNS will yield the answers.

Answer: 3600

What is the IP address for the "welcome" subdomain?

How to solve: Look for a packet with “Standard query response” in the info column (packet #5). Once found, expanding the packet dissectors for ‘Answers’ under DNS will yield the answers.

Answer: 1.1.1.1

Extension Activities

6-8	Guess That Domain!	Identify which domain names are real vs. suspicious.	Show 10 domains (e.g., netflix.com vs. netf1ix-login.xyz).Students vote whether it's safe or suspicious.Discuss how DNS could be used in phishing.Extension: Create their own fake (but safe!) domains and test each other.
9-12	Model a DNS Spoofing Attack	Understand how DNS can be exploited.	Students map out:How the spoofing occursWhat the attacker gainsHow it can be prevented (e.g., DNSSEC, user awareness)Output: Students can write or present their scenario.

FTP Traffic

Objectives

Students will analyze a network packet capture to communicate an understanding of FTP traffic.

Prompt

We found some interesting FTP traffic, analyze the network packet capture to identify what was transferred.

You can read this guide to learn more about computer networking.

Questions

What was the first username:password combination attempt made to log in to the server? ex. 'user:password'
What software is the FTP server running? (Name and version)?
What is the first username:password combination that allows for successful authentication?
What is the first command the user executes on the ftp server?
What file is deleted from the ftp server?
What file is uploaded to the ftp server?
What is the filesize (in bytes) of the uploaded file?
What file does the anonymous user download?

Walkthrough

Use Wireshark or, if provided, the web-based CloudShark tool to solve the challenge. FTP (File Transfer Protocol) is a basic protocol used to transfer files from one computer to another. All of the questions and answers are specific to FTP, so it is suggested that you learn more about FTP. FTP is an insecure protocol because it does not use encryption.

Questions 1 and 2 can be solved by right-clicking on the first packet in the capture and using the “Follow > TCP Stream” option.

Using CloudShark, clicking on the first packet and then clicking on “TCP Stream” at the bottom will have the same effect. Doing so will yield the following results:

Shown are the contents of packet 1 after clicking “TCP Stream 0” at the bottom. The answers have been redacted with white shapes that have a red border.

From this view, the username and password listed on the “USER” and “PASS” lines (in blue text) are visible. The server version is on the first line of the stream.

Questions 4 - 6 can be solved by applying the filter: ftp.response.code == 230. Once filtered, following the TCP stream on the first packet will yield the following results:

The answers have been redacted from the output.

💡

ftp.response.code == 230 This filter searches for the server response that indicates that a session has been successfully authenticated (code 230).

Question 7 can be solved by applying the ftp-data filter and using knowledge of the packet numbers from the previous section.

There are 4 different interactions that can be seen from the filtered packets. These can be most easily identified by the timing shown on the “Time” column. Notice there are packets at 58 seconds, 92 seconds, 152 second and 162 seconds. By default, the time column displays the time offset (in seconds) that the packet was recorded since the beginning of the packet capture.

🚧

Packets that are very close (in the order of milliseconds) in time are likely a continuation of the same response, just split across multiple packets. By viewing the TCP stream, you can combine their contents into a single view. You can also look at the “Info” column to see the corresponding command associated with each packet.

Three of the four interactions are shown here by looking at the ‘Time’ column. Notice there are many packets all with the same time.

Look at packet No. 17, at approx. 58 seconds into the capture. In the “Info” column, it shows a “LIST” command in parentheses. The LIST command provides a listing of the current directory. Follow the TCP stream of this packet to see the contents of the directory when the command was run.

Below that packet, you can see packet No. 25 at approx. 92 seconds, which shows a “STOR” command in parentheses. The STOR command uploads the file and stores it on the FTP server and the packets in this stream are the pieces of data being uploaded. This explains why there are so many packets occurring at this time.

Packet No. 65 at approx. 152 seconds shows another listing of the current directory after the file was uploaded in the previous TCP stream. You can follow the TCP stream on this packet to see the new directory listing with the uploaded file included. From here, you can see the file size listed in one of the columns to get the answer to question 7.

The answer has been partially redacted

Question 8 can be solved by using the ftp.response.code == 230 filter. However, this time the 2nd TCP stream should be followed. Following the first stream reveals the user who uploaded the file, and the second stream shows the activity of a USER named “anonymous”:

The answer has been redacted

Where to learn more about FTP:

Wikipedia File Transfer Protocol
Be sure to watch all of our Tutorial Video for more information!

Tutorial Video

Cyber Skyline Live - Analyzing FTP Traffic - Feb 3, 2022

In Cyber Skyline Live - Analyzing FTP Traffic, you'll learn from Franz Payer, CEO of Cyber Skyline, about what FTP is, extracting files from a FTP packet capture, and setting up your own FTP server. Reach out with questions at contact@cyberskyline.com. Cyber Skyline is the organizer of the National Cyber League, a bi-annual, all-virtual cybersecurity student competition, advancing hands-on skills and knowledge. Check the website at nationalcyberleague.org for details on NCL.

www.youtube.com

Cyber Skyline Live - Analyzing FTP Traffic - Feb 3, 2022

Gym Answer Key

What was the first username:password combination attempt made to log in to the server? ex. 'user:password'

How to solve: Solve by right-clicking on the first packet in the capture and using the “Follow > TCP Stream” option. If you are using CloudShark, you can select the first packet in the capture and then go to: “Analysis Tools > Follow Stream”. From this view, you can see the username and password listed on the “USER” and “PASS” lines. You can find the server version on the first line of the stream.

Answer:

user1/cyberskyline
user1:cyberskyline

What software is the FTP server running? (Name and version)?

Answer: FileZillaServer0.9.53

What is the first username:password combination that allows for successful authentication?

How to solve: Solve by applying the filter: ftp.response.code == 230. Once filtered, following the TCP stream on the first packet will yield results.

Answer:

user1/metropolis
user1/metropolis
user1:metropolis

What is the first command the user executes on the ftp server?

How to solve: Solve by applying the filter: ftp.response.code == 230. Once filtered, follow the TCP stream on the first packet.

Answer:

dir
list

What file is deleted from the ftp server?

How to solve: Solve by applying the filter: ftp.response.code == 230. Once filtered, follow the TCP stream on the first packet.

Answer: bank.cap

What file is uploaded to the ftp server?

How to solve: Solve by applying the filter: ftp.response.code == 230. Once filtered, follow the TCP stream on the first packet.

Answer: compcodes.zip

What is the filesize (in bytes) of the uploaded file?

How to solve: Solved by applying the ftp-data filter and using knowledge of the packet numbers from the previous section.

Answer:

3303628E25D43BE4E11CC8878C5C5878
28183
28183 bytes

What file does the anonymous user download?

How to solve: Solve by again using the ftp.response.code == 230 filter. (See packet 52)

Answer: compcodes.zip

Extension Activities

6-8	"Guess the Protocol" Sorting Game	Compare how FTP works with other network services.	Provide printed “network traffic cards” with clues (e.g., "transfers files", "sends web pages", "sends email").Students sort them into categories (FTP, HTTP, SMTP, etc.).Highlight that FTP sends data in plain text, unlike HTTPS.
9-12	FTP vs. SFTP Comparison Lab	Understand the difference between FTP and SFTP.	Show examples (screenshots or logs) of FTP and SFTP sessions.Students identify:What data is visible in FTP (e.g., usernames, files)What’s encrypted in SFTPExtension: Propose a school policy recommendation: should your school block unsecured FTP?

HTTP

Objectives

Students will analyze a network packet capture to communicate an understanding of HTTP.

Prompt

HTTP is how we're sending you this message, analyze the provided capture to answer the following questions about a HTTP download.

You can read this guide to learn more about computer networking.

Questions

What Linux tool was used to execute a file download?
What is the name of the web server software that handled the request?
What IP address initiated the request?
What is the IP address of the server?
What is the MD5 sum of the file downloaded?

Walkthrough

Use Wireshark or the web-based CloudShark tool to solve the challenge. HTTP, or Hypertext Transfer Protocol, is used to deliver and present the information you see on a webpage. All of the questions and answers are specific to the HTTP, so it is suggested that you learn more about HTTP:

https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP

Guide

To find what Linux tool was used to execute a file download, apply the http.request filter at the top of Cloudshark and look at the Hypertext Transfer Protocol (HTTP) section of the packet dissector. The filter restricts the results to packets that contain the request that the client sent to the server.

💻

The “User-Agent” field in the HTTP portion of the packet is used to identify the software making the HTTP request.

This is the output of adding ahttp.request filter. The answer has been redacted

Questions 2 - 4 can be solved by applying the http.response filter and looking at the HTTP packet dissection. This filter restricts the results to packets that the server responded with.

💻

The “Server” field in the HTTP portion of the packet is used to identify the software of the server responding to the HTTP request.

This is the output of adding ahttp.response filter. The answers have been redacted.

📨

Refer to the “Internet Protocol Version 4” (IPv4) portion of the packet, to see the “src” (Source) and “dst” (Destination) for the packet. These fields are similar to addresses on a mail envelope. The source is the sender and the destination is the recipient.

Recall that this is a http.response packet, which means we are currently looking at a packet that the server (source) is sending in response to the client (destination). This means that the source is the IP address of the server (answer to question 4) and the destination is the IP address that initiated the request (answer to question 3). If you go back to the packet from question 1, you will notice that the Source and Destination are flipped - this is because the packet was traveling from the client to the server.

For Question 5, we need more information about what file was sent in this exchange to know what the client was downloading. Using Cloudshark, filter using http and inspect packet 36— the packet that has “(PNG)” in the info section of the Cloudshark.

It looks like there is a PNG file (image file) in this packet.

In order to determine the MD5 sum of this file, the data to create this image file will need to be taken from the frame. To do this, highlight the Hex data (see image below) starting at the PNG Signature (89 50 4E 47 0D 0A 1A) and end at the very bottom of the frame (49 45 4E 44 AE 42 60 82). You can click on “PNG Signature” at the left to automatically highlight where to start. Once this data is highlighted, right click and wait until the copy option appears.

Be patient. It may take a moment for the data to copy.

Open CyberChef. Paste the Hex data you copied into the Input portion. Check that the bytes at the beginning and the end match the Cloudshark data.

The beginning of the Hex data is shown in this screenshot

Right now, CyberChef is not interpreting the content pasted as Hex data. To ensure it does this, type “From Hex” in the Operations box and add it to the Recipe.

Select the magic wand icon next to “Output”. An image should render.

The image appears after pressing the magic wand or by adding “Render Image” to the Recipe section.

Now let’s calculate the MD5 sum of the file. Type “MD5” into the operations section and move it to the recipe.

The MD5 sum output has been partially redacted.

Question 5 can also be solved in Wireshark by selecting the option, “File > Export Objects > HTTP”. This exports the files transferred via HTTP from the packet capture to a local copy on your computer. Then use the Linux “md5sum” program to calculate the MD5 sum.

Other Resources to Learn about HTTP:

https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP
Watch all of our Tutorial Video below for more info!

Tutorial Video

Cyber Skyline Live: Analyzing HTTP Traffic with Wireshark - Feb 16, 2023

One of the most common uses of HTTP is file transfers. Every time you load a page in your browser, HTTP requests are being made to fetch all the assets on the page - from images to fonts. Learn how to follow and analyze packets from a HTTP file transfer. You’ll learn how to identify the devices involved, establish a timeline of events, and even extract a file that was transferred. Reach out with questions at contact@cyberskyline.com. Cyber Skyline is the organizer of the National Cyber League, a bi-annual, all-virtual cybersecurity student competition, advancing hands-on skills and knowledge. Check the website at nationalcyberleague.org for details on NCL.

www.youtube.com

Cyber Skyline Live: Analyzing HTTP Traffic with Wireshark - Feb 16, 2023

Gym Answer Key

What Linux tool was used to execute a file download?

How to solve: Apply thehttp.request filter and looking at the HTTP dissection. The “User-Agent” field in the HTTP portion of the packet is used to identify the software making the HTTP request.

Answer: wget

What is the name of the web server software that handled the request?

How to solve: Apply the http.response filter and looking at the HTTP packet dissection. The “Server” field in the HTTP portion of the packet is used to identify the software responding to the HTTP request.

Answer: nginx

What IP address initiated request?

How to solve: Apply the http.response filter and looking at the HTTP packet dissection. The Destination is the IP address that initiated the request.

Answer: 192.168.1.140

What is the IP address of the server?

How to solve: Apply the http.response filter and looking at the HTTP packet dissection. The Source is the IP address of the server.

Answer: 174.143.213.184

What is the MD5 sum of the file downloaded?

How to solve: Copy data into Cyberchef and add the following operations to the Recipe: Ensure data is in Hex, Determine file type, Calculate MD5 sum.

Answer: 966007c476e0c200fba8b28b250a6379

Extension Activities

6-8	"HTTP vs. HTTPS: Spot the Difference" Scavenger Hunt	Understand the difference between HTTP and HTTPS.	Have students visit a list of sample websites (teacher-approved) and record:Which ones use HTTP Which ones use HTTPS (look for padlock in the URL bar) Create a chart or tally board. Discussion: Ask: What does the padlock mean? Why is HTTPS better for logging into websites?
9-12	HTTP vs. HTTPS Debate	Analyze the pros and cons of different web protocols.	Students research and prepare arguments for a debate:Should all websites be required to use HTTPS?Is HTTP ever acceptable?Roles: Debate teams + moderator + audience voters.

Telnet

Objectives

Students will analyze a network packet capture to communicate an understanding of Telnet.

Prompt

Telnet is an older protocol that allowed an interactive text-oriented communication with remote systems, use the provided capture to answer the following questions about telnet.

Questions

What is the username that was used to log in?
What is the password that was used to log in?
What command was executed once the user was authenticated?
In what year was this capture created?
What is the hostname of the machine that was logged in to?
What CPU architecture does the remote machine use?

Walkthrough

Use Wireshark or, if provided, the web-based CloudShark tool to solve the challenge. The Telnet protocol is an old, insecure protocol used to remotely login to and administer computers. Additional information about Telnet is included at the beginning of the tutorial video for this challenge.

Guide

Questions 1- 6 can be solved by following the TCP stream on any of the packets. Following the TCP stream yields the following:

Select “TCP Stream” at the bottom of CloudShark to filter the communications over Telnet. The answers have been redacted.

💻

Keep in mind that telnet will echo (repeat) back what is typed (except for passwords). Therefore, for the login name, you’ll only want to use the characters in blue text in your answer. There are periods at the end of the login and the password; these are not part of the credentials.

💡

When you find the command that is run once the user is authenticated (question 3), look up more information about it!

This will help in understanding the hostname (Question 5) and the CPU architecture (Question 6).

Tutorial Video

Cyber Skyline Live - What is Telnet - March 24, 2022

In Cyber Skyline Live - What is Telnet, you'll learn from Franz Payer, CEO of Cyber Skyline, about how to use telnet and analyze telnet traffic. Reach out with questions at contact@cyberskyline.com. Cyber Skyline is the organizer of the National Cyber League, a bi-annual, all-virtual cybersecurity student competition, advancing hands-on skills and knowledge. Check the website at nationalcyberleague.org for details on NCL.

www.youtube.com