User details : DFIR CTF - Remote winds, local storms

Level 1: File Server, 1,350 / 1,350 (100%)

Level 2: Admin PC, 2,500 / 2,500 (100%)

Level 3: Web Server, 2,950 / 3,750 (79%)

Total: 6,800 / 7,600 (89.5%)

Challenge	Solved	Points
7. How many times the attackers connected to ADMINPC1 computer? (Level 3: Web Server)	#7, 6 years after release (2025-12-03 16:18:43)	400
9. Would you be able to identify the exact name of the malware on the previous question? (Level 3: Web Server)	#6, 6 years after release (2025-12-03 15:57:52)	425
6. How many times the attackers connected to this server? (Level 3: Web Server)	#7, 6 years after release (2025-12-03 15:42:53)	375
8. This computer is a webserver (hence, a juicy target). The attackers have left an extra backdoor. Locate it. (Level 3: Web Server)	#7, 6 years after release (2025-12-03 15:27:28)	400
3. What exploit would you bet that has been used to access the server? (Level 3: Web Server)	#6, 6 years after release (2025-12-03 15:09:13)	350
4. The attackers have dropped an executable on a system folder. What's its name? (Level 3: Web Server)	#8, 6 years after release (2025-12-03 15:07:26)	350
2.Which user first connected successfully to the server? (Level 3: Web Server)	#8, 6 years after release (2025-12-03 12:51:07)	325
1. When was the server rebooted on 03/Nov/2019? Name the system start time. (Level 3: Web Server)	#6, 6 years after release (2025-12-03 12:44:50)	325
9. How many computers has accessed salvador.bendito through RDP? (Level 2: Admin PC)	#8, 6 years after release (2025-12-03 12:08:50)	300
10. Which IP has connected to this computer using RDP? (Level 2: Admin PC)	#9, 6 years after release (2025-12-03 11:42:49)	300
8. There has been a recon action on this computer. When did this recon started? (Level 2: Admin PC)	#9, 6 years after release (2025-12-03 11:36:33)	275
7. Could you find the name of a program that can help exonerate Salvador? (Level 2: Admin PC)	#8, 6 years after release (2025-12-03 10:30:26)	275
5.When was the last file successfully exfiltrated? (Level 2: Admin PC)	#8, 6 years after release (2025-12-03 09:59:53)	250
6. When was the service used by the exfiltration software installed? (Level 2: Admin PC)	#8, 6 years after release (2025-12-03 09:58:23)	250
4. To which remote computer was the data exfiltrated to? (Level 2: Admin PC)	#8, 6 years after release (2025-12-03 09:43:10)	225
3. Which program has transmitted most data on 05/Nov/2019 ? (Level 2: Admin PC)	#9, 6 years after release (2025-12-03 09:22:14)	225
1.Where in the system is hidden the folder "Secreto" (Secret) (Level 2: Admin PC)	#11, 6 years after release (2025-12-03 09:07:11)	200
2.Which song is going to be used for the EHP project? (Level 2: Admin PC)	#7, 6 years after release (2025-12-02 17:11:11)	200
11.Which executable do you think was used to exfiltrate data (Level 1: File Server)	#11, 6 years after release (2025-12-02 16:57:10)	175
12. How many items (at most) where copied in order to be exfiltrated? (Level 1: File Server)	#4, 6 years after release (2025-12-02 16:54:24)	175
10. Which registry key is the responsible for the non-matching timestamps in the previous challenge? (Level 1: File Server)	#11, 6 years after release (2025-12-02 16:16:30)	150
9. According to MFT, which time was last accessed the file README.txt.txt? And what time was REALLY opened this file with notepad.exe (Level 1: File Server)	#13, 6 years after release (2025-12-02 16:13:18)	150
4.EHP Project has a candidate list (the shortlist that was leaked). When was this list last accessed? (Level 1: File Server)	#17, 6 years after release (2025-12-02 15:41:38)	75
8. Which user tried to mount \\*\C$ (Level 1: File Server)	#16, 6 years after release (2025-12-02 15:37:59)	125
7. Which user was online when the file lista_candidatos.xlsx was modified the last time? (Level 1: File Server)	#13, 6 years after release (2025-12-02 15:37:27)	125
6. Which users have connected (using any kind of protocol) to the system in last month? (Level 1: File Server)	#15, 6 years after release (2025-12-02 15:34:35)	100
3.The EHP database is encrypted using PGP. What's the database name? (Level 1: File Server)	#22, 6 years after release (2025-12-02 13:07:48)	75
5.How many accounts have successfully logged in on the last month? (Level 1: File Server)	#12, 6 years after release (2025-12-02 13:04:23)	100
2.How many subfolders are in this shared folder (Level 1: File Server)	#20, 6 years after release (2025-12-02 12:48:54)	50
1.CHITONSRV has a shared folder. What's its name? (Level 1: File Server)	#26, 6 years after release (2025-12-02 12:38:09)	50

Tortuga

Solved challenges