WRCCDC 2026 Invitational
Otto's Auto Autos
"Where Every Car Drives Itself… Eventually."
Competition Environment Reference & Defense Commands
Critical Competition Rules
- Scoring: SLAs trigger after 5 failed checks
- Check Interval: Services checked every 2-4 minutes
- Router Resets: -100 points per reset on Alpine router
- Cutover Windows: Every 30 minutes (10:00, 10:30, etc.)
- First Priority: Inventory ALL assets immediately
- NAT: External 10.100.1XX.Y → Internal 192.168.220.Y
Team Positioning Strategy
8 team members, 11 systems. Position your best people on critical infrastructure.
| Role | System(s) | Skills Required | Priority |
|---|---|---|---|
| Router Lead | miata (.2) | Linux networking, nftables/iptables, NAT/PAT, Alpine | CRITICAL |
| AD/DC Lead | jeep (.25) | Windows Server 2022, Active Directory, GPO, DNS | CRITICAL |
| SIEM Operator | explorer (.240) | Ubuntu, log analysis, alerting - monitors ALL systems | CRITICAL |
| Windows Services | supra (.79) + ptcruiser (.200) | Windows Server 2019/2022, IIS, web apps | HIGH |
| POS Specialist | delorean (.88) | Windows 10, POS systems, payment security | HIGH |
| Linux Services | skyline (.30) + superDuty (.250) | Rocky Linux, CentOS 8, web apps, databases, ticketing | HIGH |
| Kubernetes Lead | pinto (.180) | Rocky Linux, Kubernetes, containers, kubectl | HIGH |
| Floater / Inject Lead | Roams + solstice/sky | Documentation, inject handling, incident response, backup | FLEX |
First 30 Minutes Checklist
Execute these steps immediately. Speed matters - red team is already in.
Minutes 0-10: Secure Access
- Change ALL passwords - Start with admin/root accounts
- Check for rogue admins - UID 0 on Linux, Domain Admins on Windows
- Document what you change - Use shared password sheet
- DO NOT touch router yet - Document first!
- Verify you can still login after each change
Minutes 10-20: Inventory
- Run port scans - Document all open ports per system
- List running services - What's actually running?
- Check scheduled tasks/cron - Look for persistence
- Review user accounts - Remove suspicious ones
- Check authorized_keys on all Linux boxes
Minutes 20-30: Harden
- Enable firewalls - Windows Firewall, iptables
- Disable unnecessary services - Telnet, FTP if not scored
- Check scoring engine - Verify services are UP
- Start SIEM monitoring - Eyes on all traffic
- Brief team - What did everyone find?
Password Change Coordination
Use a shared document or whiteboard. Everyone uses the SAME password scheme so team can help each other.
| System | Account | New Password | Changed By | Time |
|---|---|---|---|---|
| jeep (DC) | Administrator | CBU-Lancers2026! | ___ | ___ |
| jeep (DC) | All Domain Users | Temp-Reset2026! | ___ | ___ |
| skyline | root | CBU-Lancers2026! | ___ | ___ |
| ... continue for all systems ... | | | | |
Communication Plan
Team Discord/Slack Channels:
- #general - Announcements, coordination
- #incidents - ACTIVE ATTACKS - yell here
- #passwords - Credential changes only
- #injects - Inject assignments and status
Call-Outs (Say it loud!):
- "CONTACT!" - Active attacker on your system
- "SERVICE DOWN!" - Scored service went down
- "PASSWORD CHANGED [system]" - Announce changes
- "INJECT [number] CLAIMED" - Taking ownership
- "NEED BACKUP ON [system]" - Request help
Inject Handling
Inject Workflow:
- Floater monitors Quotient for new injects
- Read TWICE before starting
- Claim in #injects channel
- Check deadline - prioritize accordingly
- Follow file naming: inject04_team13.pdf
NO AI ALLOWED
20%+ AI detection = 0 points for that inject. Write it yourself. Cite sources. Read the inject requirements carefully - they give you the rubric!
Incident Response - When You Find an Attacker
DON'T PANIC
Stay calm. Document what you see. Screenshot if possible.
CALL IT OUT
"CONTACT on [system]!" Get help. Don't fight alone.
IDENTIFY
What process? What user? What port? What's the source IP?
ELIMINATE
Kill process, disable user, block IP. Then find how they got in.
Windows Quick Response:
netstat -ano | findstr ESTABLISHED
tasklist /v | findstr [PID]
taskkill /PID [PID] /F
net user [attacker] /active:no
Linux Quick Response:
ss -tunp | grep ESTAB
ps aux | grep [PID]
kill -9 [PID]
usermod -L [attacker]
Network Topology
| IP (.Y) | Hostname | OS | Purpose/Services | Priority |
|---|---|---|---|---|
| .2 | miata | Alpine Linux | Router/Firewall (nftables/iptables + netmap) | CRITICAL |
| .25 | jeep | Windows Server 2022 | Domain Controller | CRITICAL |
| .30 | skyline | Rocky Linux | Car Title & Customer Registration | HIGH |
| .60 | solstice | Windows 11 | Client Workstation | MEDIUM |
| .63 | sky | Windows 11 | Client Workstation | MEDIUM |
| .79 | supra | Windows Server 2019 | Web Server | HIGH |
| .88 | delorean | Windows 10 | Point of Sale (POS) | HIGH |
| .180 | pinto | Rocky Linux | Kubernetes | HIGH |
| .200 | ptcruiser | Windows Server 2022 | Car Tracker | HIGH |
| .240 | explorer | Ubuntu 22.04 | SIEM | CRITICAL |
| .250 | superDuty | CentOS 8 | Ticketing & Chat Support | HIGH |
Kubernetes Defense (pinto)
pinto (.180) runs Kubernetes. If you're not K8s-experienced, here are the essentials.
Inventory & Recon
# Check cluster status
kubectl cluster-info
kubectl get nodes
# List ALL resources
kubectl get all --all-namespaces
# List pods (containers)
kubectl get pods -A
kubectl get pods -o wide # shows node/IP
# List services (what's exposed)
kubectl get svc -A
# List secrets (credentials!)
kubectl get secrets -A
# Describe a suspicious pod
kubectl describe pod [podname] -n [namespace]
Defense & Response
# Delete suspicious pod (will respawn if deployment exists)
kubectl delete pod [podname] -n [namespace]
# Scale deployment to 0 (stops it)
kubectl scale deployment [name] --replicas=0 -n [namespace]
# Check who can do what (RBAC)
kubectl auth can-i --list
# View pod logs
kubectl logs [podname] -n [namespace]
kubectl logs [podname] -n [namespace] --previous
# Exec into pod (for investigation)
kubectl exec -it [podname] -n [namespace] -- /bin/sh
# Check for privileged containers (BAD)
kubectl get pods -A -o json | grep -i privileged
K8s Red Flags to Watch For:
- Pods in the kube-system namespace you don't recognize
- Privileged containers or hostNetwork: true
- ServiceAccounts with cluster-admin role
- Secrets being mounted into suspicious pods
- NodePort services exposing internal apps
Know Your Enemy: What Red Team Will Try
They're already in. Assume compromise. Hunt them.
Backdoor Accounts
Hidden admin users, UID 0 accounts, unauthorized Domain Admins
Check: net user, /etc/passwd
Persistence
Scheduled tasks, cron jobs, startup scripts, services
Check: schtasks, crontab, init.d
Reverse Shells
Outbound connections on weird ports (4444, 5555, 8080)
Check: netstat -ano, ss -tunp
SSH Keys
Unauthorized authorized_keys entries for passwordless access
Check: ~/.ssh/authorized_keys
Common Attack Patterns
Initial Access:
- Default/weak credentials (admin:admin, root:toor)
- Unpatched vulnerabilities (check for updates)
- Exposed management interfaces
- Web application exploits
Lateral Movement:
- Pass-the-hash with stolen creds
- PSExec/WMI to other Windows boxes
- SSH with stolen keys
- Pivoting through compromised hosts
Privilege Escalation:
- Misconfigured sudo permissions
- Weak service account permissions
- Unquoted service paths (Windows)
- SUID binaries (Linux)
Disruption (Points!)
- Stopping scored services
- Changing passwords to lock you out
- Modifying web content (defacement)
- Deleting logs to hide tracks
Alpine Router (miata) - HANDLE WITH EXTREME CARE
Misconfiguration = Services Down = Points Lost = -100 per Reset
Understanding the 1:1 NAT Configuration
The router uses 1:1 NAT (Network Address Translation) with netmap. This means:
NAT (Network Address Translation)
Translates IP addresses between networks. In 1:1 NAT, each internal IP maps directly to one external IP.
External: 10.100.1XX.25 → Internal: 192.168.220.25
PAT (Port Address Translation)
Multiple internal IPs share one external IP using different ports. Know this for troubleshooting.
Many Internal IPs → One External IP:Different Ports
When you reach 10.100.102.25 from OUTSIDE the router, you're actually reaching 192.168.220.25 INSIDE. The translation happens at the router. If you misconfigure NAT rules, the scoring engine can't reach your services!
nftables (Modern Firewall)
nftables is the modern replacement for iptables. It uses tables, chains, and rules.
# View ALL rules
nft list ruleset
# View specific table
nft list table inet filter
nft list table ip nat
# View NAT rules specifically
nft list table nat
# Add a rule to drop traffic (CAREFUL!)
nft add rule inet filter input tcp dport 4444 drop
# Delete a rule (get handle first)
nft -a list ruleset # shows handles
nft delete rule inet filter input handle 123
# Save rules so they survive a reboot (Alpine specific). Alpine's nftables
# service loads /etc/nftables.nft; /etc/nftables.conf is the Debian path.
# Confirm the path in /etc/init.d/nftables or /etc/conf.d/nftables before overwriting.
nft list ruleset > /etc/nftables.nft
iptables (Legacy Firewall)
iptables may still be present. Know both systems.
# View all rules with line numbers
iptables -L -n -v --line-numbers
# View NAT table
iptables -t nat -L -n -v
# View netmap/NAT translations
iptables -t nat -L PREROUTING -n -v
iptables -t nat -L POSTROUTING -n -v
# Block incoming port
iptables -A INPUT -p tcp --dport 4444 -j DROP
# Block outbound to attacker
iptables -A OUTPUT -d 10.0.0.99 -j DROP
# Delete rule by line number
iptables -D INPUT 3
# Save rules so they survive a reboot. On Alpine the iptables service restores
# /etc/iptables/rules-save, which this writes (same as iptables-save > /etc/iptables/rules-save);
# /etc/iptables/rules.v4 is the Debian/Ubuntu iptables-persistent path.
rc-service iptables save
Understanding netmap
netmap is used for 1:1 NAT mapping of entire subnets. It maps one network range to another.
nftables netmap syntax (newer nftables writes the 1:1 mapping as dnat ip prefix to ip daddr map { 10.100.102.0/24 : 192.168.220.0/24 }, so read the live ruleset and match whichever form it already uses):
# DNAT (Destination NAT - incoming)
nft add rule ip nat prerouting \
ip daddr 10.100.102.0/24 \
dnat to 192.168.220.0/24
# SNAT (Source NAT - outgoing)
nft add rule ip nat postrouting \
ip saddr 192.168.220.0/24 \
snat to 10.100.102.0/24
iptables NETMAP syntax:
# DNAT (incoming traffic)
iptables -t nat -A PREROUTING \
-d 10.100.102.0/24 \
-j NETMAP --to 192.168.220.0/24
# SNAT (outgoing traffic)
iptables -t nat -A POSTROUTING \
-s 192.168.220.0/24 \
-j NETMAP --to 10.100.102.0/24
Before changing anything, run nft list table nat or iptables -t nat -L -n -v and save the output.
Router DO NOTs
- DO NOT disable syslog - you need visibility
- DO NOT block WAN firewall config access
- DO NOT delete admin user without backup creds
- DO NOT flush all rules without knowing what's there
- DO NOT block scoring engine traffic
- DO NOT change NAT rules without understanding them
- REMEMBER: Red team has same access you do
- TEST changes on one service before applying broadly
Protocols to Inventory Immediately
Run scans and document which services are running WHERE as soon as you log in.
Remote Access
| Port | Protocol |
|---|---|
| 22 | SSH |
| 23 | Telnet (insecure) |
| 3389 | RDP |
| 5900 | VNC |
| 1194 | OpenVPN |
Web & Mail
| Port | Protocol |
|---|---|
| 80 | HTTP |
| 443 | HTTPS |
| 25 | SMTP |
| 110 | POP3 |
| 143 | IMAP |
File & Network Services
| Port | Protocol |
|---|---|
| 53 | DNS |
| 445 | SMB |
| 21 | FTP |
| 2049 | NFS |
| 161 | SNMP |
Quick Inventory Commands - Run FIRST
# From any Linux box - scan entire subnet
nmap -sT -p 22,23,25,53,80,110,143,161,443,445,3389,5900 192.168.220.0/24
# Quick ping sweep
nmap -sn 192.168.220.0/24
# On each box - what's listening locally
ss -tulnp # Linux
netstat -ano # Windows
# Document everything in a text file
echo "=== $(hostname) ===" >> /tmp/inventory.txt
ss -tulnp >> /tmp/inventory.txt
Windows Defense Commands
For: jeep (DC), supra (Web), ptcruiser (Tracker), delorean (POS), solstice, sky (Clients)
User & Account Auditing
# List all local users
net user
# List domain users (on DC - jeep)
net user /domain
# Check admin group membership
net localgroup administrators
net group "Domain Admins" /domain
# Find enabled accounts (PowerShell)
Get-LocalUser | Where-Object {$_.Enabled -eq $true} | Select Name, LastLogon, PasswordLastSet
# Disable suspicious account
net user suspicioususer /active:no
# Change password
net user username NewP@ssw0rd!
Connections & Processes
# Show connections with PIDs
netstat -ano
# Show with executable names (requires admin)
netstat -b
# List running processes
tasklist /v
# Kill suspicious process
taskkill /PID 1234 /F
# PowerShell - find process by port
Get-NetTCPConnection -LocalPort 4444 | Select OwningProcess
Get-Process -Id (Get-NetTCPConnection -LocalPort 4444).OwningProcess
Scheduled Tasks & Services
# List scheduled tasks
schtasks /query /fo LIST /v
# Delete malicious task
schtasks /delete /tn "TaskName" /f
# List all services
sc query state= all
# PowerShell - running services
Get-Service | Where-Object {$_.Status -eq "Running"}
# Stop and disable suspicious service
sc stop servicename
sc config servicename start= disabled
Windows Firewall
# Check firewall status
netsh advfirewall show allprofiles
# Enable firewall (all profiles)
netsh advfirewall set allprofiles state on
# Block inbound port
netsh advfirewall firewall add rule name="Block 4444" dir=in action=block protocol=tcp localport=4444
# Block outbound to attacker IP
netsh advfirewall firewall add rule name="Block attacker" dir=out action=block remoteip=10.0.0.99
# List all rules
netsh advfirewall firewall show rule name=all
Event Log Monitoring (PowerShell)
# Recent failed logins (Event ID 4625)
Get-WinEvent -FilterHashtable @{LogName='Security';ID=4625} -MaxEvents 20
# Recent successful logins (4624)
Get-WinEvent -FilterHashtable @{LogName='Security';ID=4624} -MaxEvents 20
# New user created (4720)
Get-WinEvent -FilterHashtable @{LogName='Security';ID=4720} -MaxEvents 10
# Continuous monitoring loop - watch for new connections
while($true) { Get-NetTCPConnection | Where {$_.State -eq "Established"} | Select RemoteAddress,RemotePort,OwningProcess; Start-Sleep 30 }
Linux Defense Commands
For: skyline (Rocky), pinto (Rocky/K8s), explorer (Ubuntu/SIEM), superDuty (CentOS)
User Auditing
# List users with login shells
cat /etc/passwd | grep -E '/bin/(ba)?sh'
# CRITICAL: Check for UID 0 (should ONLY be root!)
awk -F: '$3 == 0 {print $1}' /etc/passwd
# Recently modified passwd/shadow
ls -la /etc/passwd /etc/shadow
# List sudoers
cat /etc/sudoers
ls -la /etc/sudoers.d/
# Lock suspicious account
usermod -L baduser
# Disable shell access completely
usermod -s /sbin/nologin baduser
# Change password
passwd username
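Added example (not part of the WRCCDC cheat sheet): a small audit script that applies the UID 0, duplicate-UID and login-shell checks above to any passwd file, so the Linux lead can run one command per box instead of three. It runs here against a constructed sample; the account names in the sample are placeholders, not data from a competition host.

```shell
#!/bin/sh
# Audit a passwd file for the "rogue admin" conditions above: extra UID 0
# accounts, duplicate UIDs, and accounts that still have an interactive shell.
# Pass a path to run it on /etc/passwd or on a copy pulled from another box.
audit_passwd() {
    passwd_file="${1:-/etc/passwd}"
    echo "== UID 0 accounts other than root (rogue admin) =="
    awk -F: '$3 == 0 && $1 != "root" {print "ROGUE_UID0 " $1}' "$passwd_file"
    echo "== Duplicate UIDs (two names sharing one identity) =="
    awk -F: '{count[$3]++; names[$3] = names[$3] " " $1}
             END {for (u in count) if (count[u] > 1 && u != "0") print "DUP_UID " u ":" names[u]}' "$passwd_file"
    echo "== Accounts with an interactive shell (should match your user list) =="
    awk -F: '$7 !~ /(nologin|false|sync|halt|shutdown)$/ {print "SHELL " $1 " uid=" $3 " shell=" $7}' "$passwd_file"
}

# Number of hard findings (rogue UID 0 + duplicate UIDs); non-zero means act now.
count_findings() {
    audit_passwd "$1" | grep -c -E '^(ROGUE_UID0|DUP_UID) '
}

# Constructed sample passwd for a dry run: "backup" is a hidden UID 0 account
# and "svc" reuses otto's UID 1000. Not data from a competition host.
SAMPLE_PASSWD="$(mktemp)"
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:0:0:Backup:/var/backups:/bin/sh
otto:x:1000:1000:Otto:/home/otto:/bin/bash
svc:x:1000:1000:Service:/srv:/bin/sh
nginx:x:998:998:nginx:/var/lib/nginx:/sbin/nologin
EOF

audit_passwd "$SAMPLE_PASSWD"
echo "hard findings: $(count_findings "$SAMPLE_PASSWD")"
```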
Connections & Processes
# All listening ports with process info
ss -tulnp
# Established connections only
ss -tunp | grep ESTAB
# All processes with full command line
ps auxww
# Find process using specific port
lsof -i :4444
# Kill process by PID
kill -9 PID
# Continuous monitoring
watch -n 30 'ss -tunp | grep ESTAB'
Cron Jobs & Persistence
# System cron locations
cat /etc/crontab
ls -la /etc/cron.d/
ls -la /etc/cron.daily/
ls -la /etc/cron.hourly/
# Check ALL user crontabs
for user in $(cut -f1 -d: /etc/passwd); do
echo "==$user=="; crontab -u $user -l 2>/dev/null
done
# Check startup scripts
cat /etc/rc.local 2>/dev/null
ls -la /etc/init.d/
# Systemd services (check for suspicious)
systemctl list-units --type=service --state=running
systemctl list-unit-files --state=enabled
SSH Hardening
# Check ALL authorized_keys files
find /home -name authorized_keys -exec ls -la {} \; -exec cat {} \;
cat /root/.ssh/authorized_keys 2>/dev/null
# Check sshd config
grep -E "PermitRootLogin|PasswordAuthentication|Port|AllowUsers" /etc/ssh/sshd_config
# Recommended hardening in /etc/ssh/sshd_config:
# PermitRootLogin no
# PasswordAuthentication yes (change passwords first!)
# AllowUsers specificuser1 specificuser2
# Restart SSH after changes
systemctl restart sshd
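Added example (not part of the WRCCDC cheat sheet): the authorized_keys check above done as one pass over a whole box, labelling each key as APPROVED or UNKNOWN and calling out key options you did not put there. The approved list is an assumption: a file of the team's key blobs (the base64 field) kept on the shared sheet. The sample tree and blobs below are constructed placeholders.

```shell
#!/bin/sh
# Walk every authorized_keys file under a root directory and label each key as
# APPROVED (its key blob is on the team's list) or UNKNOWN, noting any key
# options (command=, from=, environment=...) that you did not put there.
# $1 = root to search (use / on a live box), $2 = file of approved key blobs.
audit_authorized_keys() {
    search_root="$1"
    approved="$2"
    find "$search_root" -path '*/.ssh/authorized_keys' -type f 2>/dev/null \
    | while read -r keyfile; do
        grep -vE '^[[:space:]]*(#|$)' "$keyfile" | while read -r line; do
            # Fields: [options] keytype blob [comment]; options may contain spaces,
            # so collect fields until the first one that looks like a key type.
            set -- $line
            opts=""
            while [ $# -gt 0 ]; do
                case "$1" in ssh-*|ecdsa-*|sk-*) break ;; esac
                opts="$opts${opts:+ }$1"; shift
            done
            if [ $# -lt 2 ]; then echo "MALFORMED $keyfile: $line"; continue; fi
            keytype="$1"; blob="$2"; shift 2; comment="$*"
            if grep -qxF "$blob" "$approved"; then status="APPROVED"; else status="UNKNOWN"; fi
            if [ -n "$opts" ]; then status="$status+OPTIONS[$opts]"; fi
            echo "$status $keyfile $keytype ${comment:-<no comment>}"
        done
    done
}

# Constructed sample tree and approved list (placeholder blobs, not real keys).
# root's file carries a second key, restricted to one source IP, that nobody on the team added.
SAMPLE_ROOT="$(mktemp -d)"
mkdir -p "$SAMPLE_ROOT/home/otto/.ssh" "$SAMPLE_ROOT/root/.ssh"
printf '%s\n' '# otto laptop' 'ssh-ed25519 AAAAC3TEAMKEYPLACEHOLDER otto@laptop' \
    > "$SAMPLE_ROOT/home/otto/.ssh/authorized_keys"
printf '%s\n' 'ssh-ed25519 AAAAC3TEAMKEYPLACEHOLDER otto@laptop' \
    'from="10.100.102.99",no-pty ssh-rsa AAAAB3UNKNOWNBLOBPLACEHOLDER' \
    > "$SAMPLE_ROOT/root/.ssh/authorized_keys"
APPROVED_KEYS="$(mktemp)"
echo 'AAAAC3TEAMKEYPLACEHOLDER' > "$APPROVED_KEYS"

audit_authorized_keys "$SAMPLE_ROOT" "$APPROVED_KEYS"
```

Anything printed as UNKNOWN goes straight to #incidents; remove the line, then check who wrote it (file mtime, auth log) rather than just deleting and moving on.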
Linux Firewall (iptables)
# View current rules
iptables -L -n -v --line-numbers
# Block incoming port (e.g., reverse shell)
iptables -A INPUT -p tcp --dport 4444 -j DROP
# Block outbound to attacker IP
iptables -A OUTPUT -d 10.0.0.99 -j DROP
# Save rules (distro-specific)
# Rocky/CentOS:
iptables-save > /etc/sysconfig/iptables
# Ubuntu:
iptables-save > /etc/iptables/rules.v4
Log Monitoring
# Auth logs (location varies!)
tail -f /var/log/auth.log # Ubuntu
tail -f /var/log/secure # Rocky/CentOS
# Failed SSH attempts
grep "Failed password" /var/log/auth.log | tail -20
grep "Failed password" /var/log/secure | tail -20
# All logs live via journald
journalctl -f
# Recent sudo usage
grep sudo /var/log/auth.log | tail -20
# Check for log tampering (gaps, deletions)
ls -la /var/log/
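Added example (not part of the WRCCDC cheat sheet): the "Failed password" grep above turned into a detector the SIEM operator can run against auth.log (Ubuntu) or secure (Rocky/CentOS). It counts failures per source IP and, more usefully, flags a source that was accepted after a burst of failures, which is what a successful brute force looks like in the log. The sample log lines are constructed; the IPs and hostnames are placeholders.

```shell
#!/bin/sh
# Score failed SSH logins per source and flag any source that got an "Accepted"
# after a burst of failures. Pass the log path as $1 (auth.log or secure).
failed_by_source() {
    # Output: <count> <source IP>, highest count first
    grep -E 'sshd\[[0-9]+\]: Failed password' "$1" \
        | awk '{for (i = 1; i <= NF; i++) if ($i == "from") ips[$(i+1)]++}
               END {for (ip in ips) print ips[ip], ip}' \
        | sort -rn
}

success_after_failures() {
    # $1 = log file, $2 = failures from one source before a success counts as suspect
    awk -v threshold="$2" '
        /sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i+1)]++
        }
        /sshd\[[0-9]+\]: Accepted (password|publickey)/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "for") user = $(i+1)
                if ($i == "from") ip = $(i+1)
            }
            if (fails[ip] >= threshold)
                print "SUSPECT " ip " logged in as " user " after " fails[ip] " failures"
        }' "$1"
}

# Constructed sample log (syslog format as sshd writes it). One source guesses
# root three times then gets in; a team member mistypes once and then uses a key.
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
Mar  3 10:02:11 skyline sshd[2231]: Failed password for invalid user admin from 10.100.102.99 port 51022 ssh2
Mar  3 10:02:13 skyline sshd[2232]: Failed password for root from 10.100.102.99 port 51024 ssh2
Mar  3 10:02:15 skyline sshd[2233]: Failed password for root from 10.100.102.99 port 51026 ssh2
Mar  3 10:02:40 skyline sshd[2250]: Accepted password for root from 10.100.102.99 port 51030 ssh2
Mar  3 10:03:01 skyline sshd[2240]: Failed password for otto from 192.168.220.60 port 40010 ssh2
Mar  3 10:03:05 skyline sshd[2241]: Accepted publickey for otto from 192.168.220.60 port 40012 ssh2: ED25519 SHA256:placeholder
EOF

echo "== failed logins by source =="; failed_by_source "$SAMPLE_LOG"
echo "== suspect successes (3+ prior failures) =="; success_after_failures "$SAMPLE_LOG" 3
```

The threshold is what keeps a teammate's single typo out of #incidents; tune it down once passwords are rotated and failures should be rare.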