Scoreboard : DFIR CTF - Remote winds, local storms

#	Team	Points
1	CHdezFdez	7,600
2	eneasthetrojan	6,825
3	helsinki	6,675
4	crisisvision	6,125
5	carpese	3,450
6	FaaS	1,650
7	obogs	850
8	L0sD3S13mpr3	325
9	DreamTeam	175
10	bolasdecocido	50
11	Crow	50
12	maricarmen	50
13	NextSecurity	0
14	adier	0
15	Calimero	0
16	H.LAVOE	0
17	amix	0
18	Berenjena al fallo	0
19	freelen	0
20	catarata	0

Level 1: File Server	Points	Solved by	First solvers
1.CHITONSRV has a shared folder. What's its name?	50	100%	eneasthetrojan bolasdecocido DreamTeam
2.How many subfolders are in this shared folder	50	73%	eneasthetrojan DreamTeam carpese
3.The EHP database is encrypted using PGP. What's the database name?	75	73%	eneasthetrojan carpese FaaS
4.EHP Project has a candidate list (the shortlist that was leaked). When was this list last accessed?	75	67%	eneasthetrojan DreamTeam carpese
5.How many accounts have successfully logged in on the last month?	100	33%	eneasthetrojan antonio L0sD3S13mpr3
6. Which users have connected (using any kind of protocol) to the system in last month?	100	53%	eneasthetrojan carpese adriandlhc
8. Which user tried to mount \\*\C$	125	60%	eneasthetrojan carpese FaaS
7. Which user was online when the file lista_candidatos.xlsx was modified the last time?	125	40%	eneasthetrojan carpese adriandlhc
9. According to MFT, which time was last accessed the file README.txt.txt? And what time was REALLY opened this file with notepad.exe	150	53%	eneasthetrojan carpese FaaS
10. Which registry key is the responsible for the non-matching timestamps in the previous challenge?	150	53%	eneasthetrojan carpese FaaS
11.Which executable do you think was used to exfiltrate data	175	47%	eneasthetrojan carpese antonio
12. How many items (at most) where copied in order to be exfiltrated?	175	20%	eneasthetrojan carpese CHdezFdez

Level 2: Admin PC	Points	Solved by	First solvers
1.Where in the system is hidden the folder "Secreto" (Secret)	200	47%	eneasthetrojan carpese FaaS
2.Which song is going to be used for the EHP project?	200	33%	eneasthetrojan carpese crisisvision
3. Which program has transmitted most data on 05/Nov/2019 ?	225	40%	eneasthetrojan carpese antonio
4. To which remote computer was the data exfiltrated to?	225	33%	eneasthetrojan carpese crisisvision
6. When was the service used by the exfiltration software installed?	250	40%	eneasthetrojan carpese antonio
5.When was the last file successfully exfiltrated?	250	33%	eneasthetrojan carpese crisisvision
7. Could you find the name of a program that can help exonerate Salvador?	275	40%	eneasthetrojan carpese antonio
8. There has been a recon action on this computer. When did this recon started?	275	40%	eneasthetrojan carpese antonio
9. How many computers has accessed salvador.bendito through RDP?	300	27%	eneasthetrojan antonio helsinki
10. Which IP has connected to this computer using RDP?	300	40%	eneasthetrojan carpese antonio

Level 3: Web Server	Points	Solved by	First solvers
1. When was the server rebooted on 03/Nov/2019? Name the system start time.	325	20%	eneasthetrojan crisisvision CHdezFdez
2.Which user first connected successfully to the server?	325	33%	eneasthetrojan antonio crisisvision
3. What exploit would you bet that has been used to access the server?	350	33%	FaaS antonio crisisvision
4. The attackers have dropped an executable on a system folder. What's its name?	350	33%	eneasthetrojan antonio crisisvision
6. How many times the attackers connected to this server?	375	27%	eneasthetrojan antonio helsinki
5. What is the real name of this executable?	375	33%	eneasthetrojan antonio crisisvision
7. How many times the attackers connected to ADMINPC1 computer?	400	27%	eneasthetrojan antonio helsinki
8. This computer is a webserver (hence, a juicy target). The attackers have left an extra backdoor. Locate it.	400	33%	eneasthetrojan antonio crisisvision
9. Would you be able to identify the exact name of the malware on the previous question?	425	27%	eneasthetrojan crisisvision helsinki
10. The EHP database is encrypted using an AES 4096 bits key. Taking account of all the evidences you've got through the case ... Do you believe the EHP spanish candidates data is safe?	425	27%	FaaS antonio crisisvision

TEST Scoreboard