Campaign Overview

  • Setting: Wareville, home of The Best Festival Company (TBFC)
  • Event: SOCMAS - the annual cyber security celebration being prepared
  • Threat Level: Critical
  • Problem: System glitches and password failures occurring
  • Suspect: McSkidy suspects foul play; King Malhare's name keeps appearing
  • Purpose: Each mission teaches essential cybersecurity skills while uncovering clues about King Malhare's conspiracy to corrupt Christmas into EASTMAS


The Antagonist: King Malhare

  • Origin: HopSec Island
  • Motivation: Jealousy over Easter being overlooked; seeks to rebrand Christmas as EAST-mas
  • Operatives: Sir Carrotbane, Bandit Bunnies, and HopSec Island operatives
  • Endgame: EASTMAS - a corrupted version of the festival designed to sabotage TBFC operations and hold Wareville hostage


Plot Progression

Act 1: The Glitches

  • System failures and password issues plague TBFC
  • McSkidy detects foul play; King Malhare's name surfaces
  • Initial investigations begin on isolated systems

Act 2: Escalation & Kidnapping

  • McSkidy is kidnapped by King Malhare's forces
  • Wareville's defenses are severely compromised without McSkidy's leadership
  • Christmas itself is at risk
  • Ransom demand: 1,000 HopSec Coins for McSkidy's release
  • Timeline: SOCMAS ends tonight

Act 3: Investigation & Defense

  • The TBFC SOC team mobilizes
  • Multiple challenges across different attack vectors
  • Primary target: tbfc-web01, the Linux server that processes Christmas wishlists for TBFC
  • Evidence potential: may contain traces of McSkidy's final actions or King Malhare's plans

Antagonist Evolution

  • King Malhare's endgame: EASTMAS (a corrupted version of the festival)
  • Motivation: Appears to be actively sabotaging TBFC operations, not just causing random glitches

Investigative Direction

The focus shifts from discovering glitches in isolated systems to forensic investigation of a critical server for evidence of:

  • McSkidy's last actions before the kidnapping
  • King Malhare's involvement and plans
  • How the Christmas wishlist system was compromised

THM Credentials

  • Username: mcskidy
  • Password: AoC2025!
  • Machine IP changes upon each start
  • Connection: ssh mcskidy@<machine_ip>

Investigation Targets & Key Findings

The Eggstrike Malware Attack:

  • Target System: tbfc-web01 (Linux server processing Christmas wishlists)
  • Attacker: Sir Carrotbane and HopSec Island operatives
  • Attack Goal: Compromise the wishlist system and execute the Eggstrike malware script
  • Evidence Location: /home/socmas/2025/eggstrike.sh

Critical Forensic Techniques: The forensic approach that proved essential:

  • Hidden file discovery - using ls -la to uncover the .guide.txt and .bash_history files
  • Advanced forensics - user switching and command history analysis
  • File decryption to trace attacker movements
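As an added example (not part of the room or these notes), a small POSIX shell triage helper for the hidden-file and history-analysis steps above. It builds a constructed sample home directory containing a .guide.txt and a .bash_history (assumed contents, not the room's real files), lists the dotfiles, and pulls the user-switch and evidence-path commands out of the history with their line numbers so the order of the attacker's moves can be followed.

```shell
#!/bin/sh
# Added forensic triage helper (not from the room). Enumerates hidden files in a
# home directory and extracts user-switch and evidence-path commands from its
# .bash_history so the sequence of actions can be reconstructed.

# Build a constructed sample home directory; file contents are assumptions.
make_sample_home() {
  dir=$(mktemp -d)
  printf 'first clue: look in /home/socmas/2025\n' > "$dir/.guide.txt"
  printf 'ls\ncat .guide.txt\nsu socmas\nls /home/socmas/2025\nbash /home/socmas/2025/eggstrike.sh\n' \
    > "$dir/.bash_history"
  printf 'nothing to see here\n' > "$dir/notes.txt"
  echo "$dir"
}

# Print the hidden (dot) files of a directory, one per line.
# ls -A lists dotfiles but omits . and .. (same entries you would pick out of ls -la).
hidden_files() {
  ls -A1 "$1" | grep '^\.'
}

# Print numbered .bash_history lines that switch user (su/sudo) or mention
# the given pattern, e.g. an evidence path such as eggstrike.sh.
suspicious_history() {
  grep -n -E "^(su|sudo) |$2" "$1/.bash_history"
}

# Stand-alone run over the constructed sample.
home=$(make_sample_home)
echo "hidden files in $home:"; hidden_files "$home"
echo "suspicious history:"; suspicious_history "$home" 'eggstrike'
rm -rf "$home"
```

On a real host, run the two functions against /home/<user> for each account of interest; the numbered history lines give the order in which the user switch and the script execution happened.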

Expanded Threat Context

Antagonist Escalation:

  • King Malhare's endgame is EASTMAS (a corrupted version of the festival)
  • The threat has evolved from isolated system glitches to direct kidnapping (McSkidy's abduction) and comprehensive infrastructure sabotage

Investigative Scope: The challenge requires forensic investigation of critical servers to identify:

  • Evidence of McSkidy's last actions before kidnapping
  • King Malhare's involvement and operational plans
  • How the Christmas wishlist system was compromised at a technical level

Challenge Categories

1. Forensic Investigation & Log Analysis

  • Focus: Splunk SIEM analysis to trace ransomware infiltration
  • Skill: Understanding attack vectors through log data
  • Objective: Prevent infrastructure compromise and resolve the hostage situation

2. Red Team & Social Engineering

  • Type: Authorized penetration testing
  • Team: Recon McRed, Exploit McRed, Pivot McRed
  • Focus: Phishing campaigns and employee awareness testing
  • Goal: Evaluate cybersecurity training effectiveness

3. System Forensics & File Analysis

  • Type: Linux server investigation
  • Skills: Hidden file discovery, command history analysis, user switching
  • Goal: Trace attacker movements and identify compromise vectors

Learning Outcomes

Each challenge reinforces essential cybersecurity competencies:

  • Incident Response - Responding to active threats with time pressure
  • Log Analysis - Using SIEM tools to identify attack patterns
  • Forensic Investigation - Tracing evidence and attacker movements
  • Red Team Methodology - Understanding offensive security tactics
  • Security Awareness - Identifying social engineering and phishing threats
  • Linux System Administration - File permissions, command history, user switching

The Stakes

  • Missing: McSkidy (leadership compromised)
  • Threatened: Christmas and SOCMAS celebration
  • At Risk: TBFC systems and Wareville infrastructure
  • Timeline: Demands must be resolved before SOCMAS ends tonight
  • Mission: Stop King Malhare's EASTMAS plan and save Christmas