Scoreboard : DFIR CTF Challenge - The dangers of daydreaming in O365

#	Team	Points
1	Traxos	2,125
2	Meta	2,025
3	H0nt3	850
4	Crow	650
5	Gremlins	650
6	Riddler	550
7	BootCamp Rooted 2023	500
8	Bururu	475
9	Mack	425
10	AP	400
11	BRVT3F0RC3	175
12	Carlos	175
13	N/A	175
14	Coffee Enjoyer	175
15	DGF_JC	0
16	MF	0
17	Rafban	0
18	AFRDP	0
19	Akna	0
20	Tream-O365	0
21	Frederico	0
22	Replicador	0
23	BOR	0

#	Team	Points
1	PhineasFisher	2,125
2	crisix	2,125
3	JuanXXIII	2,125
4	atila	2,125
5	cpou	2,125
6	mary4	2,125
7	Xeyuin	2,025
8	JonDoe	1,875
9	Ps	1,850
10	mer	1,825
11	BXVI	1,825
12	Ellendar	1,775
13	aillusion	1,725
14	fernandogf	1,625
15	martafg	1,550
16	bikthor	650
17	cikixa7241	575
18	Rivery	450
19	RootedR	150
20	xunta2024	0
21	RootedCom24	0
22	usuario1	0

Level 1: MINAF-PC7	Points	Solved by	First solvers
1.1 At which time did María José Feliz create the document "World_Happiness_Plan.docx" on her computer?	50	72%	SiCk-Boy adriandlhc bomoca
1.2 Which file generated the most recent AV alert?	50	86%	h4cK_3nD-B3Er5 SiCk-Boy adriandlhc
1.3 If you look carefully in the user folder, you'll see some suspicious compressed files. What final extension is the most used?	50	93%	h4cK_3nD-B3Er5 SiCk-Boy adriandlhc
1.4 Which payload do these files have?	75	72%	h4cK_3nD-B3Er5 SiCk-Boy adriandlhc
1.5 In that folder there is DEFINITELY another file that Windows Defender strongly dislikes. Which one?	50	88%	h4cK_3nD-B3Er5 adriandlhc bomoca
1.6 Where did all these malware was downloaded from?	75	81%	h4cK_3nD-B3Er5 SiCk-Boy adriandlhc
1.7 Which user advises Maria Jose Files to "install" everything?	125	81%	h4cK_3nD-B3Er5 SiCk-Boy adriandlhc
1.8 How many times have been the compressed payload successfully executed?	100	51%	SiCk-Boy adriandlhc Crow
1.9 María José Feliz shared this document with other user. Which one?	75	70%	h4cK_3nD-B3Er5 SiCk-Boy adriandlhc

Level 2: Alert! Emergency!	Points	Solved by	First solvers
2.1 María José Feliz shared this file with an user ... who reshared it with a third user. Who?	75	67%	h4cK_3nD-B3Er5 SiCk-Boy adriandlhc
2.2. When did the attackers got the World_Happiness_Plan.docx?	100	53%	h4cK_3nD-B3Er5 SiCk-Boy adriandlhc
2.3 ... and from which IP address?	50	56%	h4cK_3nD-B3Er5 SiCk-Boy adriandlhc
2.4 The attackes have given themselves permissions over two Sharepoint sites. Who are their owners?	75	56%	SiCk-Boy Meta H0nt3
2.5 Attackers also created an email rule that filtered out some keywords. Which ones?	75	47%	SiCk-Boy Meta Traxos
2.6 To expand their activities, the attackers have obtained full access to some mailboxes. Which ones?	75	49%	SiCk-Boy Meta Traxos
2.7 Attackers have left a privileged backdoor to MINAF's O365. Which form does it take?	125	49%	SiCk-Boy Meta Traxos
2.8 When the attackers did first successfully use the stolen account ?	75	53%	SiCk-Boy Traxos Meta
2.9 Which in the "innocent" password of the compromised account ?	100	56%	h4cK_3nD-B3Er5 SiCk-Boy Traxos

Level 3: We're not happy	Points	Solved by	First solvers
3.1 Attackers have tricked someone to consent the installation of something. What is its name?	125	58%	SiCk-Boy Meta Coffee Enjoyer
3.2 Who fooled this user to install the "thingy" ?	75	58%	h4cK_3nD-B3Er5 SiCk-Boy Meta
3.3 This kind of attack is EXACTLY called ...	100	44%	SiCk-Boy Meta Traxos
3.4 The compromised user have connecting from another countries ... Which one is the most frequent?	50	53%	SiCk-Boy Meta Traxos
3.5 The attackers are nice tricksters because they also fooled this user. Which URL did they make him/her click?	100	40%	SiCk-Boy Meta Traxos
3.6 Before this successful attack, they tried another one, more sneaky but unsucessful. Could you tell the "code" they used?	100	37%	Traxos Meta Manny Rivera
3.7 From which REAL domain was this last attack launched?	75	49%	SiCk-Boy Meta Traxos
3.8 In what time the attackers first set foot on MINAF's O365 infrastructure?	100	40%	SiCk-Boy Meta Traxos

BootCamp Rooted 2023 Scoreboard