Scoreboard : DFIR CTF Challenge - The dangers of daydreaming in O365

#	Team	Points
1	Traxos	2,125
2	Meta	2,025
3	H0nt3	850
4	Crow	650
5	Gremlins	650
6	Riddler	550
7	BootCamp Rooted 2023	500
8	Bururu	475
9	Mack	425
10	AP	400
11	BRVT3F0RC3	175
12	Carlos	175
13	N/A	175
14	Coffee Enjoyer	175
15	Replicador	0
16	BOR	0
17	DGF_JC	0
18	MF	0
19	Rafban	0
20	AFRDP	0
21	Akna	0
22	Tream-O365	0
23	Frederico	0

#	Team	Points
1	PhineasFisher	2,125
2	Xeyuin	2,025
3	JonDoe	1,875
4	Ps	1,850
5	mer	1,825
6	Ellendar	1,775
7	aillusion	1,725
8	cikixa7241	575
9	Rivery	450
10	RootedR	150
11	RootedCom24	0

Level 1: MINAF-PC7	Points	Solved by	First solvers
1.1 At which time did María José Feliz create the document "World_Happiness_Plan.docx" on her computer?	50	72%	SiCk-Boy adriandlhc bomoca
1.2 Which file generated the most recent AV alert?	50	79%	h4cK_3nD-B3Er5 SiCk-Boy adriandlhc
1.3 If you look carefully in the user folder, you'll see some suspicious compressed files. What final extension is the most used?	50	90%	h4cK_3nD-B3Er5 SiCk-Boy adriandlhc
1.4 Which payload do these files have?	75	72%	h4cK_3nD-B3Er5 SiCk-Boy adriandlhc
1.5 In that folder there is DEFINITELY another file that Windows Defender strongly dislikes. Which one?	50	83%	h4cK_3nD-B3Er5 adriandlhc bomoca
1.6 Where did all these malware was downloaded from?	75	79%	h4cK_3nD-B3Er5 SiCk-Boy adriandlhc
1.7 Which user advises Maria Jose Files to "install" everything?	125	72%	h4cK_3nD-B3Er5 SiCk-Boy adriandlhc
1.8 How many times have been the compressed payload successfully executed?	100	38%	SiCk-Boy adriandlhc Crow
1.9 María José Feliz shared this document with other user. Which one?	75	66%	h4cK_3nD-B3Er5 SiCk-Boy adriandlhc

Level 2: Alert! Emergency!	Points	Solved by	First solvers
2.1 María José Feliz shared this file with an user ... who reshared it with a third user. Who?	75	62%	h4cK_3nD-B3Er5 SiCk-Boy adriandlhc
2.2. When did the attackers got the World_Happiness_Plan.docx?	100	55%	h4cK_3nD-B3Er5 SiCk-Boy adriandlhc
2.3 ... and from which IP address?	50	52%	h4cK_3nD-B3Er5 SiCk-Boy adriandlhc
2.4 The attackes have given themselves permissions over two Sharepoint sites. Who are their owners?	75	41%	SiCk-Boy Meta H0nt3
2.5 Attackers also created an email rule that filtered out some keywords. Which ones?	75	34%	SiCk-Boy Meta Traxos
2.6 To expand their activities, the attackers have obtained full access to some mailboxes. Which ones?	75	34%	SiCk-Boy Meta Traxos
2.7 Attackers have left a privileged backdoor to MINAF's O365. Which form does it take?	125	34%	SiCk-Boy Meta Traxos
2.8 When the attackers did first successfully use the stolen account ?	75	38%	SiCk-Boy Traxos Meta
2.9 Which in the "innocent" password of the compromised account ?	100	45%	h4cK_3nD-B3Er5 SiCk-Boy Traxos

Level 3: We're not happy	Points	Solved by	First solvers
3.1 Attackers have tricked someone to consent the installation of something. What is its name?	125	45%	SiCk-Boy Meta Coffee Enjoyer
3.2 Who fooled this user to install the "thingy" ?	75	45%	h4cK_3nD-B3Er5 SiCk-Boy Meta
3.3 This kind of attack is EXACTLY called ...	100	24%	SiCk-Boy Meta Traxos
3.4 The compromised user have connecting from another countries ... Which one is the most frequent?	50	38%	SiCk-Boy Meta Traxos
3.5 The attackers are nice tricksters because they also fooled this user. Which URL did they make him/her click?	100	24%	SiCk-Boy Meta Traxos
3.6 Before this successful attack, they tried another one, more sneaky but unsucessful. Could you tell the "code" they used?	100	21%	Traxos Meta Manny Rivera
3.7 From which REAL domain was this last attack launched?	75	41%	SiCk-Boy Meta Traxos
3.8 In what time the attackers first set foot on MINAF's O365 infrastructure?	100	28%	SiCk-Boy Meta Traxos

BootCamp Rooted 2023 Scoreboard