About

Key Information

  • Location: Wareville, home of The Best Festival Company (TBFC)
  • Event: SOCMAS - annual cyber celebration being prepared
  • Problem: System glitches and password failures are occurring
  • Suspect: McSkidy suspects foul play; King Malhare's name keeps appearing
  • Purpose: Each mission teaches essential cybersecurity skills and provides clues for Advent of Cyber 2025

Major Plot Development

  • McSkidy has been kidnapped – escalating the stakes from system glitches to direct threat
  • Wareville's defenses are compromised without McSkidy's leadership
  • Christmas is at risk – the overarching threat has expanded beyond SOCMAS to the entire holiday

New Investigation Lead

  • Primary Target: tbfc-web01 (Linux server)
  • Function: Processes Christmas wishlists for TBFC
  • Evidence Potential: May contain traces of McSkidy's final actions or King Malhare's plans

Antagonist Evolution

  • King Malhare's endgame: EASTMAS (a corrupted version of the festival)
  • Motivation: Appears to be actively sabotaging TBFC operations, not just causing random glitches

Investigative Direction

The challenge shifts from discovering glitches in isolated systems to forensic investigation of a critical server for evidence of:

  • McSkidy's last actions before kidnapping
  • King Malhare's involvement and plans
  • How the Christmas wishlist system was compromised

THM Credentials

  • username: mcskidy
  • password: AoC2025!
  • The machine's IP address changes each time it is started, so check the room page before connecting
  • ssh mcskidy@<machine-ip>

Investigation Methodology & Key Findings

The Eggstrike Malware Attack:

  • Target System: tbfc-web01 (Linux server that processes Christmas wishlists)
  • Attacker: Sir Carrotbane and HopSec Island operatives
  • Attack Goal: Compromise the wishlist system and execute the Eggstrike malware script
  • Evidence Location: /home/socmas/2025/eggstrike.sh

Critical Investigation Techniques: The three-part forensic approach that proved essential:

  1. Log Analysis - Checking /var/log/auth.log for failed login attempts; repeated "Failed password" entries from a single source revealed the brute-force attack from HopSec (also check rotated copies such as auth.log.1, since the relevant window may already have rolled over)
  2. Hidden File Discovery - Using ls -la to uncover the dotfiles a plain ls skips, here .guide.txt and .bash_history
  3. Advanced Forensics - Switching to the compromised user, decrypting the recovered file, and reading the command history to trace the attacker's movements (treat .bash_history as best-effort evidence: it is only written when the shell exits, and an attacker can truncate it)
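The three steps above, scripted as triage helpers. This is an added example, not code from the room or from TBFC: it assumes the Ubuntu/Debian sshd line format in /var/log/auth.log ("Failed password for <user> from <ip> port <n> ssh2") and a home directory to sweep for dotfiles. The auth.log lines and the shell history below are constructed sample data, not copied from tbfc-web01.

```sh
#!/bin/sh
# Added example for the three triage steps; not code from the room.
# Assumes Ubuntu/Debian sshd log lines in auth.log. All sample data below is
# constructed for the demo, not taken from tbfc-web01.

# --- Constructed sample data (hypothetical) ----------------------------------
SAMPLE_AUTH_LOG='Dec  1 03:14:07 tbfc-web01 sshd[2101]: Failed password for invalid user admin from 10.10.14.7 port 51022 ssh2
Dec  1 03:14:09 tbfc-web01 sshd[2101]: Failed password for invalid user admin from 10.10.14.7 port 51022 ssh2
Dec  1 03:14:11 tbfc-web01 sshd[2103]: Failed password for socmas from 10.10.14.7 port 51030 ssh2
Dec  1 03:14:13 tbfc-web01 sshd[2103]: Failed password for socmas from 10.10.14.7 port 51030 ssh2
Dec  1 03:14:15 tbfc-web01 sshd[2107]: Accepted password for socmas from 10.10.14.7 port 51041 ssh2
Dec  1 03:20:02 tbfc-web01 sshd[2150]: Accepted publickey for mcskidy from 192.168.1.20 port 40012 ssh2'

SAMPLE_HISTORY='ls -la
cd /home/socmas/2025
chmod +x eggstrike.sh
./eggstrike.sh
cat .guide.txt
history -c'

# Build a throwaway evidence tree from the constructed data; prints its path.
make_sample_evidence() {
    d=$(mktemp -d)
    printf '%s\n' "$SAMPLE_AUTH_LOG" > "$d/auth.log"
    mkdir "$d/home"
    printf '%s\n' "$SAMPLE_HISTORY" > "$d/home/.bash_history"
    printf 'nothing to see here\n' > "$d/home/.guide.txt"
    printf 'bike\n' > "$d/home/wishlist.txt"
    echo "$d"
}

# Step 1: failed SSH logins per source IP, busiest first ("<count> <ip>").
failed_logins_by_ip() {
    grep 'Failed password' "$1" \
      | awk '{ for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1) }' \
      | sort | uniq -c | sort -rn \
      | awk '{ print $1, $2 }'
}

# Step 1 follow-up: IPs that failed at least $2 times (default 3) and were
# later accepted, i.e. the brute force that actually got in.
brute_force_that_succeeded() {
    log=$1; min=${2:-3}
    failed_logins_by_ip "$log" | while read -r n ip; do
        [ "$n" -ge "$min" ] || continue
        awk -v ip="$ip" '/Accepted/ { for (i = 1; i <= NF; i++) if ($i == "from" && $(i + 1) == ip) hit = 1 } END { exit !hit }' "$log" \
          && echo "$ip"
    done
    return 0
}

# Step 2: hidden files in a directory. -A lists dotfiles but drops . and ..;
# on the box, ls -la shows the same names together with owner and mtime.
hidden_files() {
    ls -A "$1" | grep '^\.' || true
}

# Step 3: history lines worth reading first: downloads, execution of dropped
# scripts, encoding tools, and attempts to wipe the history itself.
suspicious_history() {
    grep -nE 'wget|curl|chmod \+x|\.sh|base64|openssl|history -c' "$1" || true
}

# Stand-alone run: `sh triage.sh demo` reproduces the triage on the sample data.
if [ "${1:-}" = "demo" ]; then
    ev=$(make_sample_evidence)
    echo "# failed logins by IP";     failed_logins_by_ip "$ev/auth.log"
    echo "# brute force that got in"; brute_force_that_succeeded "$ev/auth.log" 3
    echo "# hidden files";            hidden_files "$ev/home"
    echo "# suspicious history";      suspicious_history "$ev/home/.bash_history"
    rm -rf "$ev"
fi
```

On a live box, point failed_logins_by_ip at /var/log/auth.log and its rotated siblings, and run hidden_files against /home/socmas as well as the user's own home; the "failed then accepted" check is what separates noisy scanning from the login that actually compromised the wishlist server.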
