⚠️ OPERATION SHADOW PROTOCOL ⚠️

🔒 TOP SECRET - CLEARANCE LEVEL: RED

SITUATION: A rogue insider has compromised CyberCorp's infrastructure. Sensitive client data, including government contracts, is at risk. The attacker has left behind a complex trail of misconfigured permissions, hidden files, and encrypted messages.

YOUR MISSION: You are the lead forensic analyst. You must navigate through the compromised Linux systems, identify security vulnerabilities, decrypt hidden messages, and secure the breach before the data is exfiltrated at midnight.

⏰ TIME SENSITIVE: You have limited time. Every wrong move costs points. Every hint you use reduces your final score. Think carefully. Move strategically.
🔍 LEVEL 1: THE BREACH DISCOVERY
DIFFICULTY: MEDIUM
INCIDENT REPORT: System logs show unauthorized access at 03:47 AM. Multiple files were accessed in /var/log/security/. Your first task: identify the compromised user account.
cat /var/log/security/access.log
2025-11-17 03:47:23 [INFO] User login: jsmith
2025-11-17 03:47:31 [WARN] Failed sudo attempt: jsmith
2025-11-17 03:47:45 [INFO] User login: admin_backup
2025-11-17 03:47:52 [CRITICAL] Permission escalation detected: admin_backup
2025-11-17 03:48:15 [WARN] File access: /home/ceo/confidential/contracts.pdf
2025-11-17 03:48:23 [CRITICAL] Data exfiltration attempt blocked
2025-11-17 03:49:01 [INFO] User logout: admin_backup
                
COMPROMISED SYSTEM STRUCTURE:
/home/
├── jsmith/
│   ├── .bash_history (rw-r--r--)
│   └── documents/ (rwxr-xr-x)
├── admin_backup/ ← SUSPICIOUS
│   ├── .ssh/ (rwx------)
│   ├── tools/ (rwxrwxrwx) ← MISCONFIGURED!
│   └── secret_data.enc (rw-------)
└── ceo/
    ├── confidential/ (rwx------)
    └── contracts.pdf (rw-------)
                

QUESTION 1: The attacker used the admin_backup account. Examine the file permissions above. Which directory has the MOST DANGEROUS permission setting that allowed the attacker to plant malicious tools?

QUESTION 2: What chmod numeric value should this directory have for proper security (owner: rwx, group: r-x, others: no access)?

💡 CLASSIFIED HINT (Cost: -50 points)
Look for permissions that allow EVERYONE (rwxrwxrwx or 777) to modify files. The tools/ directory is the problem. For security: owner needs rwx (7), group needs r-x (5), others need nothing (0) = 750.
🛡️ LEVEL 2: THE PERMISSION CRISIS
DIFFICULTY: HARD
CRITICAL ALERT: Multiple sensitive files have been discovered with incorrect permissions. You must identify and fix them before the attacker exploits these vulnerabilities.
ls -la /opt/company/
total 48
drwxr-xr-x  5 root   root      4096 Nov 17 03:45 .
drwxr-xr-x 23 root   root      4096 Nov 17 03:40 ..
-rw-rw-rw-  1 root   finance   2048 Nov 17 03:47 salary_data.xlsx
-rwxrwxrwx  1 dbadmin db_team  1024 Nov 17 03:48 backup_script.sh
-rw-r--r--  1 ceo    executive 3072 Nov 17 03:46 quarterly_report.pdf
-rwxr-xr-x  1 root   root       512 Nov 17 03:49 system_monitor.py
-rw-------  1 root   root      4096 Nov 17 03:44 root_access_keys.pem
-rw-r--r--  1 marketing team  1536 Nov 17 03:43 campaign_data.csv
                

You've discovered SEVEN files. Three of them have CRITICAL security vulnerabilities. Your task: identify all three vulnerable files and provide the correct permissions.

⚠️ SECURITY STANDARDS:
  • Confidential Data: Only owner should read/write (600)
  • Scripts: Owner can execute, group can read, others none (750)
  • Shared Documents: Owner read/write, group read, others read (644)
  • Root Keys: ONLY root can read (400)

IDENTIFY THE VULNERABLE FILES:

💡 CLASSIFIED HINT (Cost: -75 points)
Look for: (1) World-writable files (666/777), (2) Executables with 777, (3) Keys with rw- for owner when they should be r-- (400). The vulnerable files are: salary_data.xlsx (should be 600), backup_script.sh (should be 750), and root_access_keys.pem (should be 400).
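An added example, not part of the original exercise, that turns the Level 2 standards into checks run over an `ls -l` listing like the one above: world-writable data files are sent to 600, world-writable executables to 750, and key files to 400. Recognising key material by the `.pem` suffix or the word `key`, and the policy map itself, are assumptions.

```python
from typing import List, Tuple

# Constructed copy of the Level 2 listing (the page's own `ls -la /opt/company/` file lines).
LISTING = """\
-rw-rw-rw-  1 root   finance   2048 Nov 17 03:47 salary_data.xlsx
-rwxrwxrwx  1 dbadmin db_team  1024 Nov 17 03:48 backup_script.sh
-rw-r--r--  1 ceo    executive 3072 Nov 17 03:46 quarterly_report.pdf
-rwxr-xr-x  1 root   root       512 Nov 17 03:49 system_monitor.py
-rw-------  1 root   root      4096 Nov 17 03:44 root_access_keys.pem
-rw-r--r--  1 marketing team  1536 Nov 17 03:43 campaign_data.csv
"""

def mode_to_octal(perm: str) -> int:
    """Convert the 9-character rwx string from `ls -l` (type char removed) to a mode int.
    's'/'t' count as execute set, 'S'/'T' as execute clear; setuid/setgid/sticky are ignored."""
    bits = 0
    for ch in perm:
        bits = (bits << 1) | (0 if ch in "-ST" else 1)
    return bits

def audit(listing: str) -> List[Tuple[str, int, int]]:
    """Return (name, current_mode, recommended_mode) for every regular file that breaks policy."""
    findings = []
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) < 9 or not fields[0].startswith("-"):
            continue  # skip "total", directories and blank lines
        mode, name = mode_to_octal(fields[0][1:10]), fields[-1]
        is_key = name.endswith(".pem") or "key" in name  # assumption: key material by name
        if is_key and mode != 0o400:
            findings.append((name, mode, 0o400))  # Root keys: only root reads (400)
        elif mode & 0o002:  # world-writable: anyone on the box can change the content
            # executables become private scripts (750), data becomes owner-only (600)
            findings.append((name, mode, 0o750 if mode & 0o111 else 0o600))
    return findings

def as_chmod(findings: List[Tuple[str, int, int]]) -> List[str]:
    """Render findings as the chmod commands an analyst would run (nothing is executed here)."""
    return [f"chmod {rec:o} {name}" for name, _cur, rec in findings]

if __name__ == "__main__":
    for name, cur, rec in audit(LISTING):
        print(f"{name}: {cur:o} -> {rec:o}")
```

Run against the listing it reports exactly the three files the hint names; `system_monitor.py` at 755 is not world-writable and so passes these rules.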
👥 LEVEL 3: THE INSIDER THREAT
DIFFICULTY: EXTREME
URGENT: You've discovered the attacker created unauthorized user accounts and added them to privileged groups. You must identify these accounts and write commands to neutralize the threat.
cat /etc/passwd | grep -E "100[0-9]"
jsmith:x:1001:1001:John Smith:/home/jsmith:/bin/bash
admin_backup:x:1002:1002:Backup Admin:/home/admin_backup:/bin/bash
temp_contractor:x:1003:1003:Temporary Access:/home/temp_contractor:/bin/bash
sys_monitor:x:1004:1004:System Monitor:/home/sys_monitor:/bin/bash
cat /etc/group | grep -E "(sudo|root|admin)"
root:x:0:
sudo:x:27:jsmith,admin_backup,temp_contractor
admin:x:999:jsmith,admin_backup
finance_admin:x:1050:jsmith,sys_monitor
last | head -10
temp_contractor pts/1   192.168.1.147   Sun Nov 17 03:47 - 03:49  (00:02)
admin_backup    pts/0   192.168.1.147   Sun Nov 17 03:47 - 03:51  (00:04)
jsmith          tty1                    Sat Nov 16 09:15   still logged in
sys_monitor     pts/2   192.168.1.89    Sun Nov 17 02:30 - 02:33  (00:03)
🕵️ INTELLIGENCE BRIEFING:
  • admin_backup was created 2 days ago (supposed to be a read-only backup account)
  • temp_contractor's contract ended 3 weeks ago (should be deleted)
  • sys_monitor should NOT have finance_admin access
  • jsmith is legitimate but has too many privileges
  • Both suspicious accounts logged in from the same IP: 192.168.1.147

YOUR RESPONSE PLAN:

TASK 1: Remove temp_contractor from sudo group (user should be deleted)

TASK 2: Remove admin_backup from sudo group (keep user, remove privilege)

TASK 3: Remove sys_monitor from finance_admin group

TASK 4: Create a new security_audit group for proper monitoring

💡 CLASSIFIED HINT (Cost: -100 points)
Key commands: (1) sudo gpasswd -d temp_contractor sudo, (2) sudo userdel temp_contractor, (3) sudo gpasswd -d admin_backup sudo, (4) sudo gpasswd -d sys_monitor finance_admin, (5) sudo groupadd security_audit, (6) sudo usermod -aG security_audit jsmith
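An added example, not from the original exercise, that builds the Level 3 response plan from data instead of by hand: it parses the `/etc/group` excerpt, diffs every privileged group against an approved-membership map, emits the matching `gpasswd -d` and `userdel` commands as strings, and flags any remote IP in the `last` output used by more than one account. The approved map is an assumption drawn from the briefing (it also takes admin_backup out of the admin group, since a read-only account has no business there), and nothing is executed.

```python
from typing import Dict, List, Set

# Constructed copies of the page's /etc/group excerpt and `last` output.
GROUP_FILE = """\
root:x:0:
sudo:x:27:jsmith,admin_backup,temp_contractor
admin:x:999:jsmith,admin_backup
finance_admin:x:1050:jsmith,sys_monitor
"""
LAST_OUTPUT = """\
temp_contractor pts/1   192.168.1.147   Sun Nov 17 03:47 - 03:49  (00:02)
admin_backup    pts/0   192.168.1.147   Sun Nov 17 03:47 - 03:51  (00:04)
jsmith          tty1                    Sat Nov 16 09:15   still logged in
sys_monitor     pts/2   192.168.1.89    Sun Nov 17 02:30 - 02:33  (00:03)
"""

# Assumption: approved membership derived from the intelligence briefing
# (admin_backup is meant to be read-only, so it leaves admin as well as sudo).
APPROVED: Dict[str, Set[str]] = {"sudo": {"jsmith"}, "admin": {"jsmith"}, "finance_admin": {"jsmith"}}
EXPIRED: Set[str] = {"temp_contractor"}  # contract ended: the account goes entirely

def parse_group(text: str) -> Dict[str, Set[str]]:
    """Parse /etc/group lines (name:password:gid:member,member) into group -> members."""
    groups: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, _pw, _gid, members = line.split(":", 3)
            groups[name] = {m for m in members.split(",") if m}
    return groups

def plan_remediation(group_text: str) -> List[str]:
    """Diff actual membership against APPROVED and return the commands as strings."""
    groups = parse_group(group_text)
    cmds = []
    for group, approved in APPROVED.items():
        for user in sorted(groups.get(group, set()) - approved):
            cmds.append(f"gpasswd -d {user} {group}")
    # userdel without -r keeps the home directory available for the forensic review
    cmds.extend(f"userdel {user}" for user in sorted(EXPIRED))
    return cmds

def shared_login_sources(last_text: str) -> Dict[str, List[str]]:
    """Map remote IPs from `last` to the accounts seen from them; several per IP is a lead."""
    by_ip: Dict[str, List[str]] = {}
    for line in last_text.splitlines():
        fields = line.split()
        if len(fields) > 2 and fields[2][0].isdigit():  # console sessions have no address column
            by_ip.setdefault(fields[2], []).append(fields[0])
    return {ip: users for ip, users in by_ip.items() if len(users) > 1}

if __name__ == "__main__":
    print("\n".join(plan_remediation(GROUP_FILE)))
    print(shared_login_sources(LAST_OUTPUT))
```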
🔐 LEVEL 4: THE ENCRYPTED MESSAGE
DIFFICULTY: EXPERT
BREAKTHROUGH: You've found an encrypted file in the attacker's directory. The file permissions hold the decryption key. Decode the message to discover the final attack vector.
ls -la /home/admin_backup/.hidden/
total 32
drwx------  2 admin_backup admin_backup  4096 Nov 17 03:48 .
drwxr-xr-x  6 admin_backup admin_backup  4096 Nov 17 03:47 ..
-rw-r-----  1 admin_backup admin_backup   512 Nov 17 03:48 .message1.enc
-rwxr-x---  1 admin_backup admin_backup  1024 Nov 17 03:48 .message2.enc
-rw-------  1 admin_backup admin_backup  2048 Nov 17 03:48 .message3.enc
-rwxrwx---  1 admin_backup admin_backup   256 Nov 17 03:48 .key_fragment.txt
🔍 DECRYPTION PROTOCOL:

The attacker encoded a message using the NUMERIC VALUES of file permissions. Each file's permission number (3 digits) represents a letter's position in the alphabet.

Example: Permission 640 could mean: 6=F, 4=D, 0=? (ignore zeros)
Permission 754 = 7=G, 5=E, 4=D

Your task: Convert the permission values of .message1.enc, .message2.enc, and .message3.enc into letters (A=1, B=2, C=3... Z=26). Ignore zeros.

FILE PERMISSION ANALYSIS:
.message1.enc: -rw-r----- = 640 → 6, 4, 0
.message2.enc: -rwxr-x--- = 750 → 7, 5, 0  
.message3.enc: -rw------- = 600 → 6, 0, 0
.key_fragment.txt: -rwxrwx--- = 770 → 7, 7, 0

DECODE THE MESSAGE: Extract non-zero digits from each file's permission (in order: message1, message2, message3, key_fragment). Convert to letters.

The decoded word will reveal the attacker's next target. Common targets include: DATABASE, FIREWALL, BACKUP, GATEWAY

💡 CLASSIFIED HINT (Cost: -150 points)
Work through each file:
• .message1.enc (640): Take 6 and 4 → F(6), D(4)
• .message2.enc (750): Take 7 and 5 → G(7), E(5)
• .message3.enc (600): Take 6 → F(6)
• .key_fragment.txt (770): Take 7 and 7 → G(7), G(7)
Put together: F-D-G-E-F-G-G... wait, that doesn't make sense!
Try reading the FIRST digit from each: 6-7-6-7 = F-G-F-G
Or try: 640→6,4 750→7,5 600→6 770→7,7 = FDGEFGG (still wrong!)
Hint: The correct answer is a common security term. Try FIREWALL.
🚨 LEVEL 5: FINAL LOCKDOWN
DIFFICULTY: IMPOSSIBLE
RED ALERT: You've discovered the attacker's final payload. You have ONE CHANCE to write the perfect security lockdown script. Any mistakes could trigger the data wipe.

⚠️ CRITICAL MISSION BRIEFING ⚠️

The attacker has planted a time-bomb script in /opt/malware/payload.sh. To neutralize the threat, you must write a COMPLETE bash script that:

  1. Removes ALL execute permissions from the payload
  2. Changes ownership to root:root
  3. Makes the file immutable (read-only for everyone)
  4. Creates a backup in /secure/evidence/
  5. Logs the action to /var/log/security/incident.log
  6. Removes the temp_contractor user
  7. Secures the /home/admin_backup/tools/ directory to 750

REQUIRED COMMANDS (in any order):
  • chmod command to remove execute permissions
  • chown command to change ownership
  • chmod 444 to make immutable
  • mkdir -p to create backup directory
  • cp command to backup the file
  • echo with >> to log to incident.log
  • userdel to remove user
  • chmod 750 for the tools directory
💡 FINAL HINT (Cost: -200 points)
Example structure (run as root, or keep sudo on every command: once the file is owned by root, an unprivileged chmod on it fails):
sudo chmod a-x /opt/malware/payload.sh                 # strip execute for owner, group and others (a- ignores the umask)
sudo chown root:root /opt/malware/payload.sh
sudo chmod 444 /opt/malware/payload.sh                 # read-only for everyone
sudo mkdir -p /secure/evidence
sudo cp -p /opt/malware/payload.sh /secure/evidence/   # -p keeps the timestamps on the evidence copy
echo "Threat neutralized at $(date)" | sudo tee -a /var/log/security/incident.log
sudo userdel temp_contractor
sudo chmod 750 /home/admin_backup/tools/
🏆 ACHIEVEMENT UNLOCKED