Skip to main content

About

Campaign Overview

Setting: Wareville, home of The Best Festival Company (TBFC)
Event: SOCMAS - the annual cyber security celebration
Threat Level: Critical
Purpose: Each mission teaches essential cybersecurity skills while uncovering clues about King Malhare's conspiracy to corrupt Christmas into EASTMAS

The Antagonist: King Malhare

Origin: HopSec Island
Motivation: Jealousy over Easter being overlooked; seeks to rebrand Christmas as EAST-mas
Operatives: Sir Carrotbane, Bandit Bunnies, and HopSec Island operatives
Endgame: EASTMAS - a corrupted version of the festival designed to sabotage TBFC operations and hold Wareville hostage

Plot Progression

Act 1: The Glitches

  • System failures and password issues plague TBFC
  • McSkidy detects foul play; King Malhare's name surfaces
  • Initial investigations begin on isolated systems

Act 2: Escalation & Kidnapping

  • McSkidy is kidnapped by King Malhare's forces
  • Wareville's defenses are severely compromised
  • Christmas itself becomes at risk
  • Ransom demand: 1,000 HopSec Coins for McSkidy's release
  • Timeline threat: SOCMAS ends tonight

Act 3: Investigation & Defense

  • The TBFC SOC team mobilizes
  • Multiple challenges across different attack vectors
  • Focus shifts to forensic investigation and incident response

Key Investigation Targets & Findings

Primary Investigation: tbfc-web01

System Type: Linux server processing Christmas wishlists
Attack: Eggstrike malware infiltration
Evidence Location: /home/socmas/2025/eggstrike.sh
Critical Forensic Techniques:

  • Hidden file discovery using ls -la to uncover .guide.txt and .bash_history
  • Advanced forensics including user switching and command history analysis
  • File decryption to trace attacker movements

Evidence Trail

  • McSkidy's last actions before kidnapping
  • King Malhare's involvement and operational plans
  • Christmas wishlist system compromise details

Challenge Categories

1. Forensic Investigation & Log Analysis

  • Focus: Splunk SIEM analysis to trace ransomware infiltration
  • Skill: Understanding attack vectors through log data
  • Objective: Prevent infrastructure compromise and resolve the hostage situation

2. Red Team & Social Engineering

  • Type: Authorized penetration testing
  • Team: Recon McRed, Exploit McRed, Pivot McRed
  • Focus: Phishing campaigns and employee awareness testing
  • Goal: Evaluate cybersecurity training effectiveness

3. System Forensics & File Analysis

  • Type: Linux server investigation
  • Skills: Hidden file discovery, command history analysis, user switching
  • Goal: Trace attacker movements and identify compromise vectors

Access Credentials

Username: mcskidy
Password: AoC2025!
Connection: ssh mcskidy@[machine_ip]
Note: Machine IP changes upon each start

Learning Outcomes

Each challenge reinforces essential cybersecurity competencies:

  • Incident Response - Responding to active threats with time pressure
  • Log Analysis - Using SIEM tools to identify attack patterns
  • Forensic Investigation - Tracing evidence and attacker movements
  • Red Team Methodology - Understanding offensive security tactics
  • Security Awareness - Identifying social engineering and phishing threats
  • Linux System Administration - File permissions, command history, user switching

The Stakes

  • Missing: McSkidy (leadership compromised)
  • Threatened: Christmas and SOCMAS celebration
  • At Risk: TBFC systems and Wareville infrastructure
  • Timeline: Demands must be resolved before SOCMAS ends tonight
  • Mission: Stop King Malhare's EASTMAS plan and save Christmas
Back to top