Titan Aerospace CTF
TOP PRIORITY - SECURITY INCIDENT
Dear Security Operations Team,
Our organisation, Titan Aerospace, has detected suspicious activity across our corporate network. Initial investigation suggests we may have been compromised. As members of our incident response team, you have been asked to investigate this security breach.
Incident Overview
At approximately 11:30 on the 7th of September we observed a suspicious network connection, but our analysts lacked the experience to find out much more about it. That's where you come in.
Initial triage indicates potentially compromised systems within our network. The SOC has checked the logs in Splunk, but we need your expertise to understand the full scope of the compromise.
Your Mission
As our Blue Team, your task is to analyse the available evidence and determine:
- How the initial compromise occurred
- What actions the threat actors took on our systems
- The extent of lateral movement and system compromise
- What data may have been accessed or exfiltrated
- Persistence mechanisms that may have been established
Available Resources
You have been provided with access to Splunk containing:
- Windows logs with Sysmon enabled
- Linux logs with Sysmon enabled
- Zeek network monitoring logs
- Snort IDS logs
- OSQuery logs
The Challenge
This Capture the Flag exercise consists of 25 questions of increasing difficulty that will test your ability to detect, analyse, and understand sophisticated attack techniques. The questions range from identifying initial access vectors to uncovering advanced persistence mechanisms and lateral movement.
You'll need to apply a range of blue team skills including:
- Log analysis and correlation
- Threat hunting
- Incident response procedures
- MITRE ATT&CK mapping
Security Classification
All information related to this incident should be considered sensitive and should not be shared outside your team. For any discussions relating to the incident that you don't want to have in person, consider using Teams instead.
Scoring
Points are awarded based on question difficulty:
- Easy questions: 10-20 points
- Medium questions: 25-30 points
- Hard questions: 40-50 points
The team with the highest score at the end of the exercise will be recognised for their exceptional cyber defence capabilities and awarded a 3D printed challenge coin with their team name on it (one per member).
Remember: In the real world, threat actors only need to be successful once, but as defenders, we need to be successful every time. Good hunting!
Al Titude
CISO, Titan Aerospace
TECHNICAL ENVIRONMENT DETAILS:
- Active Directory domain: titan-aero.local
- Security tooling:
  - Splunk (centralised logging)
  - Sysmon (endpoint monitoring on both Windows and Linux)
  - OSQuery (logs from the Linux servers)
- Hosts overview:
  - titan-win-dc.titan-aero.local - Active Directory domain controller
  - titan-win-desktop-(1-3).titan-aero.local - Windows desktops
  - titan-linux-server-1 - Linux based mail server, running a dockerised version of MailCow
  - titan-linux-server-3 - Generic Linux server
- Splunk indexes available:
  - win - All Windows event logs, including Sysmon and network traffic
  - unix - All Linux logs, including Sysmon for Linux, but not network traffic
  - proxy - Nginx logs from the HTTP proxy. This only covers traffic from the Linux servers, not the Windows devices
  - dns - DNS logs from the Active Directory server. These are NOT external DNS resolutions; only lookups handled by the AD server's DNS service are recorded
  - osquery - OSQuery logs from the Linux servers
- Technical notes:
  - Anything relating to ghosts.exe or the IP address 54.246.238.146 is NOT related to the CTF and forms part of the underlying infrastructure.
  - Any events on the 4th and 5th of September relate to the initial creation of the range infrastructure and do not form part of the CTF. Some events on the 6th of September may also relate to the range build; if you are unsure, please check.
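As an added starting point (not part of the original brief), the Splunk search below turns the scoping rules above into a single query over the win index: it looks at Sysmon network connection events (Event ID 3) in the hour around the reported 11:30 sighting on the 7th of September, drops the ghosts.exe and 54.246.238.146 infrastructure noise, and summarises what each host and process talked to. The year in the time bounds, the Sysmon field names (EventCode, Image, User, Computer, DestinationIp, DestinationPort, SourceIp) as extracted by the Splunk Add-on for Sysmon, and the exact sourcetype are assumptions about this range and should be adjusted to what the index actually contains.

```spl
index=win EventCode=3
    earliest="09/07/2025:11:00:00" latest="09/07/2025:12:00:00"
    NOT Image="*ghosts.exe"
    NOT DestinationIp="54.246.238.146"
    NOT SourceIp="54.246.238.146"
| stats count
        min(_time) AS first_seen
        values(DestinationPort) AS dst_ports
    BY Computer, Image, User, DestinationIp
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S")
| sort first_seen
```

The time window also takes care of the 4th and 5th of September range-build events, since nothing from those days falls inside it; widen earliest and latest once you have an anchor event and want to trace the activity before and after it. If the raw events do not carry the Sysmon field names used here, run the search with a bare index=win EventCode=3 first and read the extracted field list before filtering.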
Begin your investigation by examining the initial access vector, then trace the attacker's movements throughout the network. And remember - what you see in the logs is just the tip of the iceberg. Think like the adversary to uncover what they were trying to achieve.
Good luck, team. The security of Titan Aerospace is in your hands.