About
Key Campaign Information (Advent of Cyber 2025)
Overview
- Setting: Wareville, home of The Best Festival Company (TBFC)
- Event: SOCMAS, the annual cyber security celebration being prepared
- Threat Level: Critical
- Problem: System glitches and password failures are occurring
- Suspect: McSkidy suspects foul play; King Malhare's name keeps appearing
- Purpose: Each mission teaches essential cybersecurity skills while uncovering clues about King Malhare's conspiracy to corrupt Christmas into EASTMAS
The Antagonist: King Malhare
Origin: HopSec Island
Motivation: Jealousy over Easter being overlooked; seeks to rebrand Christmas as EAST-mas
Operatives: Sir Carrotbane, Bandit Bunnies, and HopSec Island operatives
Endgame: EASTMAS - a corrupted version of the festival designed to sabotage TBFC operations and hold Wareville hostage
Plot Progression
Act 1: The Glitches
- System failures and password issues plague TBFC
- McSkidy detects foul play; King Malhare's name surfaces
- Initial investigations begin on isolated systems
Act 2: Escalation & Kidnapping
- McSkidy has been kidnapped by King Malhare's forces
- Wareville's defenses are severely compromised without McSkidy's leadership
- Christmas itself is at risk
- Ransom demand: 1,000 HopSec Coins for McSkidy's release
- Timeline threat: SOCMAS ends tonight
Major Plot Development: McSkidy's kidnapping escalates the stakes from system glitches to a direct threat; the overarching threat has expanded to the entire holiday.
Act 3: Investigation & Defense
- The TBFC SOC team mobilizes
- Multiple challenges across different attack vectors
New Lead
- Primary Target: tbfc-web01 (Linux server)
- Function: Processes Christmas wishlists for TBFC
- Evidence Potential: May contain traces of McSkidy's final actions or King Malhare's plans
Antagonist Evolution
- King Malhare's endgame: EASTMAS (a corrupted version of the festival)
- Motivation: Appears to be actively sabotaging TBFC operations, not just causing random glitches
Investigative Direction
The challenge focus shifts from discovering glitches in isolated systems to forensic investigation and incident response on a critical server, looking for evidence of:
- McSkidy's last actions before the kidnapping
- King Malhare's involvement and plans
- How the Christmas wishlist system was compromised
THM Credentials
- username: mcskidy
- password: AoC2025!
- Machine IP changes upon start
- ssh mcskidy@ip
Key Investigation Targets & Findings
Investigation Methodology
The Eggstrike Malware Attack:
- Primary Target System: tbfc-web01 (Linux server that processes Christmas wishlists)
- Attacker: Sir Carrotbane and HopSec Island operatives
- Attack Goal: Compromise the wishlist system and execute the Eggstrike malware script
- Evidence Location: /home/socmas/2025/eggstrike.sh
Critical Forensic Techniques: The forensic approach that proved essential:
Expanded Threat Context
Antagonist Escalation:
King Malhare's endgame is EASTMAS (a corrupted version of the festival). The threat has evolved from isolated system glitches to direct kidnapping (McSkidy's abduction) and comprehensive infrastructure sabotage.
Investigative Scope:
The challenge requires forensic investigation of critical servers to identify:
- Evidence of McSkidy's last actions before the kidnapping
- King Malhare's involvement and operational plans
- How the Christmas wishlist system was compromised, at a technical level
Challenge Categories
1. Forensic Investigation & Log Analysis
- Focus: Splunk SIEM analysis to trace ransomware infiltration
- Skill: Understanding attack vectors through log data
- Objective: Prevent infrastructure compromise and resolve the hostage situation
2. Red Team & Social Engineering
3. System Forensics & File Analysis
- Type: Linux server investigation
- Skills: Hidden file discovery, command history analysis, user switching
- Goal: Trace attacker movements and identify compromise vectors
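The three skills listed for the Linux server investigation (hidden file discovery, command history analysis, user switching) map onto a small defender-side triage routine. The script below is an added example written for this page, not code from the TryHackMe room or from TBFC's systems: it builds a constructed fake filesystem (home directories, a `.bash_history`, an `auth.log` with made-up timestamps and a made-up client address `10.0.0.5`) so it runs offline, then shows how each class of evidence is pulled out. The hostname `tbfc-web01` and the `/home/socmas/2025` path come from the page; the log lines, history entries and file names are assumptions.

```shell
#!/bin/sh
# Added example (not part of the original page or the room): a minimal
# forensic triage helper for a Linux home directory and auth log, covering
# hidden-file discovery, shell-history review and user-switching events.
# Everything under make_fixture is a CONSTRUCTED fixture so the script
# runs offline; on a live host you would point the functions at real paths.
set -eu

# List hidden (dot-prefixed) regular files below a directory, sorted.
# A plain `ls` skips these, which is why dropped tooling and leftover
# notes are so often found here.
find_hidden_files() {
    find "$1" -type f -name '.*' | sort
}

# Print history lines matching an extended regex, prefixed with their
# line number so each hit can be cited in a report. `|| true` keeps a
# zero-match result from aborting the script under `set -e`.
history_grep() {
    grep -nE "$2" "$1" || true
}

# Pull user-switching evidence (su and sudo entries) out of an auth log.
user_switch_events() {
    grep -E ' (su|sudo)\[[0-9]+\]: ' "$1" || true
}

# Build the constructed fixture tree and print its root directory.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/home/socmas/2025" "$root/home/mcskidy" "$root/var/log"
    printf 'wishlist for 2025\n' > "$root/home/socmas/2025/wishlist.txt"
    printf 'remember: check the server tonight\n' > "$root/home/socmas/.todo"
    # Constructed shell history for the mcskidy account.
    printf 'cd /home/socmas/2025\nls\nchmod +x eggstrike.sh\n./eggstrike.sh\nsu - socmas\n' \
        > "$root/home/mcskidy/.bash_history"
    # Constructed auth log: one login, one su, one sudo (timestamps and
    # client address are invented).
    cat > "$root/var/log/auth.log" <<'EOF'
Dec 24 20:01:12 tbfc-web01 sshd[1201]: Accepted password for mcskidy from 10.0.0.5 port 50212 ssh2
Dec 24 20:03:40 tbfc-web01 su[1250]: (to socmas) mcskidy on pts/0
Dec 24 20:05:02 tbfc-web01 sudo[1299]: mcskidy : TTY=pts/0 ; PWD=/home/socmas/2025 ; USER=root ; COMMAND=/bin/ls /root
EOF
    printf '%s\n' "$root"
}

# Run all three checks against a root directory and print a short report.
triage_report() {
    echo "== hidden files under $1/home =="
    find_hidden_files "$1/home"
    echo "== history lines that executed a script or switched user =="
    history_grep "$1/home/mcskidy/.bash_history" '^(\./|su |sudo )'
    echo "== su/sudo events in auth.log =="
    user_switch_events "$1/var/log/auth.log"
}

# Demo against the constructed fixture when invoked with --demo.
if [ "${1:-}" = "--demo" ]; then
    triage_report "$(make_fixture)"
fi
```

Run it as `sh triage.sh --demo` to see the report on the fixture. The patterns are deliberately narrow (a script executed from the current directory, an explicit `su`/`sudo`), which keeps the output short enough to cite; widen them once you know what the incident's tooling looked like.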
Access Credentials
Username: mcskidy
Password: AoC2025!
Connection: ssh mcskidy@[machine_ip]
Note: Machine IP changes upon each start
Learning Outcomes
Each challenge reinforces essential cybersecurity competencies:
- Incident Response - Responding to active threats with time pressure
- Log Analysis - Using SIEM tools to identify attack patterns
- Forensic Investigation - Tracing evidence and attacker movements
- Red Team Methodology - Understanding offensive security tactics
- Security Awareness - Identifying social engineering and phishing threats
- Linux System Administration - File permissions, command history, user switching
The Stakes
- Missing: McSkidy (leadership compromised)
- Threatened: Christmas and SOCMAS celebration
- At Risk: TBFC systems and Wareville infrastructure
- Timeline: Demands must be resolved before SOCMAS ends tonight
- Mission: Stop King Malhare's EASTMAS plan and save Christmas