NETWORK TOPOLOGY
| IP | Name | OS | Role |
| .2 | miata | Alpine | Router/FW |
| .25 | jeep | WS2022 | DC |
| .30 | skyline | Rocky | Car Title/Reg |
| .60 | solstice | Win11 | Client |
| .63 | sky | Win11 | Client |
| .79 | supra | WS2019 | Web Server |
| .88 | delorean | Win10 | POS |
| .180 | pinto | Rocky | Kubernetes |
| .200 | ptcruiser | WS2022 | Car Tracker |
| .240 | explorer | Ubuntu | SIEM |
| .250 | superDuty | CentOS8 | Ticketing |
FIRST 30 MINUTES
0-10 min: Secure Access
- Change ALL admin/root passwords
- Check for rogue admins (UID 0, Domain Admins)
- Document changes on shared sheet
- Verify you can still login after each change
10-20 min: Inventory
- Run port scans:
nmap -sT 192.168.220.0/24
- List services:
ss -tulnp / netstat -ano
- Check cron/scheduled tasks
- Check authorized_keys on Linux
20-30 min: Harden
- Enable firewalls
- Disable unnecessary services
- Verify scoring engine sees services UP
- Team brief - what did everyone find?
WINDOWS COMMANDS
Users
net user # list users
net localgroup administrators # check admins
net user badguy /active:no # disable
net user admin NewP@ss123! # change pw
Connections
netstat -ano # all connections
netstat -ano | findstr ESTAB # established
tasklist /v # processes
taskkill /PID 1234 /F # kill process
Persistence
schtasks /query /fo LIST /v # scheduled tasks
schtasks /delete /tn "Name" /f # delete task
sc query state= all # services
sc stop svcname # stop service
sc config svcname start= disabled # disable
Firewall
netsh advfirewall show allprofiles
netsh advfirewall set allprofiles state on
netsh advfirewall firewall add rule name="Block" dir=in action=block protocol=tcp localport=4444
LINUX COMMANDS
Users
grep bash /etc/passwd # users w/ shell
awk -F: '$3==0 {print}' /etc/passwd # UID 0 (BAD!)
usermod -L baduser # lock account
passwd username # change pw
Connections
ss -tulnp # listening ports
ss -tunp | grep ESTAB # established
ps auxww # all processes
lsof -i :4444 # proc on port
kill -9 PID # kill process
Persistence
crontab -l # user cron
cat /etc/crontab # system cron
ls /etc/cron.d/ # cron.d jobs
find /home -name authorized_keys # SSH keys
Firewall
iptables -L -n -v # list rules
iptables -A INPUT -p tcp --dport 4444 -j DROP
iptables-save > /etc/iptables.rules
ROUTER (miata) - CAREFUL!
⚠️ -100 POINTS PER RESET ⚠️
nftables
nft list ruleset # view all
nft list table nat # view NAT
nft add rule inet filter input tcp dport 4444 drop
iptables
iptables -L -n -v # view rules
iptables -t nat -L -n -v # view NAT
iptables -A INPUT -p tcp --dport 4444 -j DROP
DO NOT:
- Flush rules without documenting first
- Block scoring engine traffic
- Delete admin user
- Disable syslog or WAN access
HUNT RED TEAM
Look For:
- Backdoor accounts: UID 0, Domain Admins
- Persistence: cron, schtasks, services
- Reverse shells: ports 4444, 5555, 8080
- SSH keys: unauthorized authorized_keys
- Web shells: .php files in /var/www
Incident Response:
- CALL OUT: "CONTACT on [system]!"
- IDENTIFY: What PID? What user? What port?
- KILL:
kill -9 PID / taskkill /PID 1234 /F
- BLOCK: Firewall the source IP
- FIND: How did they get in?
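Added triage helper (not part of the original sheet) that turns the "Look For" checks above into stdin filters, so the same check runs on live output or on a saved copy kept for the incident record; the sample evidence at the bottom is constructed, not from a real host.

```shell
#!/usr/bin/env bash
# Each check reads stdin: `check_uid0 < /etc/passwd`, `ss -tulnp | check_ports`,
# `check_keys < /home/bob/.ssh/authorized_keys`.

# Backdoor accounts: any UID 0 entry that is not "root".
check_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Reverse shells: TCP listeners on the ports the sheet names (4444, 5555, 8080).
# Input is `ss -tulnp` output; prints "port process" for each hit.
check_ports() {
    awk '$1 == "tcp" && $2 == "LISTEN" {
        n = split($5, a, ":"); port = a[n]
        if (port == "4444" || port == "5555" || port == "8080") print port, $7
    }'
}

# Unauthorized SSH keys: print the comment of every key so unknown or
# comment-less keys stand out. Input is an authorized_keys file.
check_keys() {
    awk 'NF >= 2 && $1 !~ /^#/ { print ($3 == "" ? "(no comment)" : $3) }'
}

# Constructed sample evidence for a quick self-check (not real host data).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bob:x:1000:1000::/home/bob:/bin/bash
sysupd:x:0:0::/var/tmp:/bin/sh'

SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=700,fd=3))
tcp   LISTEN 0      10     0.0.0.0:4444      0.0.0.0:*    users:(("nc",pid=4242,fd=3))
udp   UNCONN 0      0      0.0.0.0:68        0.0.0.0:*    users:(("dhclient",pid=500,fd=6))'

SAMPLE_KEYS='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEYFORDEMO admin@jeep
ssh-rsa AAAAB3NzaC1yc2EFAKEKEYFORDEMO'

printf '%s\n' "$SAMPLE_PASSWD" | check_uid0    # sysupd
printf '%s\n' "$SAMPLE_SS" | check_ports       # 4444 users:(("nc",pid=4242,fd=3))
printf '%s\n' "$SAMPLE_KEYS" | check_keys      # admin@jeep, then (no comment)
```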
KUBERNETES (pinto)
kubectl get all -A # all resources
kubectl get pods -A # list pods
kubectl get svc -A # list services
kubectl get secrets -A # list secrets
kubectl delete pod NAME -n NS # delete pod
kubectl scale deploy NAME --replicas=0 -n NS
kubectl logs PODNAME -n NS # view logs
Red Flags:
- Unknown pods in kube-system
- privileged: true containers
- ServiceAccounts with cluster-admin
COMMUNICATION
Call-Outs:
- "CONTACT!" - Active attacker
- "SERVICE DOWN!" - Scored service failed
- "PASSWORD CHANGED [sys]" - Announce
- "INJECT [#] CLAIMED" - Taking inject
- "NEED BACKUP" - Request help
Inject Rules:
- File:
inject04_team13.pdf
- NO AI - 20% detection = 0 points
- Read inject TWICE before starting
- Cite sources
COMMON PORTS TO CHECK
| Port | Service |
| 21 | FTP |
| 22 | SSH |
| 23 | Telnet ⚠️ |
| 25 | SMTP |
| 53 | DNS |
| 80 | HTTP |
| 110 | POP3 |
| 143 | IMAP |
| 443 | HTTPS |
| 445 | SMB |
| 3389 | RDP |
| 5900 | VNC |