Challenge Overview
Scoring Summary
Maximum Possible Points
🎯 Quick Answer Reference
- Level 1: /home/admin_backup/tools/ → 750
- Level 2: salary_data.xlsx → 600, backup_script.sh → 750, root_access_keys.pem → 400
- Level 3: user and group commands (gpasswd, userdel, groupadd, usermod)
- Level 4: FIREWALL
- Level 5: lockdown script (chmod, chown, mkdir, cp, echo, userdel)
Points Breakdown
| Level | Difficulty | Points | Expected Success Rate |
|---|---|---|---|
| Level 1 | Medium | +200 | ~90% |
| Level 2 | Hard | +300 | ~60% |
| Level 3 | Extreme | +400 | ~40% |
| Level 4 | Expert | +500 | ~25% |
| Level 5 | Impossible | +600 | ~20% |
| TOTAL | | +2000 | Starting: 1000 pts |
Level 1 (+200 Points Available)
Challenge Context
Students must analyze the compromised file structure, identify the directory with 777 permissions, and work out the correct chmod value.
✅ CORRECT ANSWERS
Question 1: Vulnerable Directory Path
/home/admin_backup/tools/
📌 Also Acceptable:
- /home/admin_backup/tools (without trailing slash)
- tools/
- tools
Question 2: Correct Permission Value
750
📖 EXPLANATION
Why /home/admin_backup/tools/ is vulnerable:
Current permissions: rwxrwxrwx (777)
- Owner: rwx (full access) ✓
- Group: rwx (full access) ⚠️ TOO MUCH
- Others: rwx (full access) 💀 DANGEROUS!
Why 750 is correct:
- 7 (Owner): rwx = read + write + execute = 4 + 2 + 1
- 5 (Group): r-x = read + execute = 4 + 1
- 0 (Others): --- = no permissions
Security Impact:
With 777 permissions, ANY user on the system can:
- Modify existing tools
- Plant malicious scripts
- Execute any code they want
- Create backdoors
❌ COMMON MISTAKES
- Using 755 instead of 750
- 755 gives others read+execute access
- Others should have NO access to security tools
- Using 770 instead of 750
- 770 gives group write access
- Group members should only execute, not modify
- Identifying wrong directory
- Students might say /home/admin_backup/ instead of /home/admin_backup/tools/
- The TOOLS directory is specifically vulnerable
Level 2 (+300 Points Available)
Challenge Context
Students must identify 3 vulnerable files from 7 total files, determine correct permissions, and write exact fix commands.
✅ VULNERABLE FILE #1: salary_data.xlsx
Current Permissions: rw-rw-rw- (666) 💀
Problem: Everyone can read and write sensitive salary data!
Correct Answer:
Filename: salary_data.xlsx
Permission: 600
Command: chmod 600 /opt/company/salary_data.xlsx
Why 600?
- Owner (6): rw- (read and write only)
- Group (0): --- (no access)
- Others (0): --- (no access)
Salary data is highly confidential. Only the file owner (finance manager) should access it.
✅ VULNERABLE FILE #2: backup_script.sh
Current Permissions: rwxrwxrwx (777) 💀💀
Problem: Anyone can modify and execute the backup script!
Correct Answer:
Filename: backup_script.sh
Permission: 750
Command: chmod 750 /opt/company/backup_script.sh
Why 750?
- Owner (7): rwx (full control to modify and run)
- Group (5): r-x (can read and execute, not modify)
- Others (0): --- (no access)
Backup scripts run with elevated privileges. If anyone can modify it, they can inject malicious code.
✅ VULNERABLE FILE #3: root_access_keys.pem
Current Permissions: rw------- (600) ⚠️
Problem: SSH keys should be READ-ONLY, even for owner!
Correct Answer:
Filename: root_access_keys.pem
Permission: 400
Command: chmod 400 /opt/company/root_access_keys.pem
Why 400 and not 600?
- Owner (4): r-- (read only, no write!)
- Group (0): --- (no access)
- Others (0): --- (no access)
Critical Security Points:
- SSH will refuse to use keys with write permissions
- Read-only prevents accidental modification or corruption
- Prevents malicious scripts from altering keys
- Industry best practice for all private keys
✅ SAFE FILES (Not Vulnerable)
| File | Permissions | Why It's Correct |
|---|---|---|
| quarterly_report.pdf | 644 (rw-r--r--) | Reports should be readable by everyone |
| system_monitor.py | 755 (rwxr-xr-x) | System utilities need execute for all |
| campaign_data.csv | 644 (rw-r--r--) | Marketing data can be world-readable |
❌ COMMON MISTAKES
- Missing root_access_keys.pem
Students think 600 is secure enough. They don't realize SSH keys must be 400.
- Identifying quarterly_report.pdf as vulnerable
Students might think reports should be private (600), but quarterly reports are meant to be shared.
- Wrong permissions:
- Using 755 for backup_script.sh (others shouldn't execute)
- Using 644 for salary_data.xlsx (group/others can read)
- Using 600 for root_access_keys.pem (should be 400)
- Syntax errors in commands:
  - Wrong path: chmod 600 salary_data.xlsx (missing /opt/company/)
  - Misspelled filenames
  - Missing sudo when needed
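The Level 1 and Level 2 answers are both permission policies (a path and the mode it should have). The script below is an added example, not part of the challenge key, that audits files against such a policy and prints the exact chmod for every deviation; it reads modes from ls -ld so it needs no root. The files it checks are constructed stand-ins created under a temporary directory, mirroring the challenge's /home/admin_backup/tools and /opt/company paths.

```bash
#!/bin/bash
# Added example (not part of the challenge key): audit files against a
# permission policy and print the chmod needed for each mismatch.
# The files checked in the demo are constructed stand-ins.

# sym_to_octal SYMBOLIC: "rwxr-x---" -> "750" (9-character mode string)
sym_to_octal() {
  local s=$1 out="" i triple v
  for i in 0 3 6; do
    triple=${s:$i:3}
    v=0
    [ "${triple:0:1}" = r ] && v=$((v + 4))
    [ "${triple:1:1}" = w ] && v=$((v + 2))
    case ${triple:2:1} in x|s|t) v=$((v + 1)) ;; esac   # s/t also imply execute
    out="$out$v"
  done
  printf '%s\n' "$out"
}

# mode_of PATH: current permission bits as three octal digits, read from ls -ld
mode_of() {
  local line
  line=$(ls -ld "$1") || return 1
  sym_to_octal "${line:1:9}"
}

# check_policy: reads "PATH EXPECTED_MODE" lines on stdin (no spaces in paths)
# and prints a chmod line for every file that deviates from the policy.
# Returns 1 if any deviation or missing file was found, 0 otherwise.
check_policy() {
  local path expected actual rc=0
  while read -r path expected; do
    [ -z "$path" ] && continue
    if ! actual=$(mode_of "$path" 2>/dev/null); then
      echo "MISSING: $path"; rc=1; continue
    fi
    if [ "$actual" != "$expected" ]; then
      echo "chmod $expected $path   # currently $actual"
      rc=1
    fi
  done
  return $rc
}

# Demo: constructed copies of the Level 1/2 paths under a temp directory
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
mkdir -p "$tmp/home/admin_backup/tools" "$tmp/opt/company"
for f in salary_data.xlsx backup_script.sh root_access_keys.pem quarterly_report.pdf; do
  : > "$tmp/opt/company/$f"
done
chmod 777 "$tmp/home/admin_backup/tools"
chmod 666 "$tmp/opt/company/salary_data.xlsx"
chmod 777 "$tmp/opt/company/backup_script.sh"
chmod 600 "$tmp/opt/company/root_access_keys.pem"
chmod 644 "$tmp/opt/company/quarterly_report.pdf"

check_policy <<EOF || echo "policy violations found; run the chmod lines above"
$tmp/home/admin_backup/tools 750
$tmp/opt/company/salary_data.xlsx 600
$tmp/opt/company/backup_script.sh 750
$tmp/opt/company/root_access_keys.pem 400
$tmp/opt/company/quarterly_report.pdf 644
EOF
```

The policy file is the graded answer in machine-checkable form: running the same check after the student's chmod commands should print nothing and return 0, which makes a convenient automated grader for Levels 1 and 2.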
Level 3 (+400 Points Available)
Challenge Context
Students must write 6 commands to neutralize insider threats by managing users and groups properly.
✅ COMPLETE SOLUTION
Task 1: Remove temp_contractor from sudo group
sudo gpasswd -d temp_contractor sudo
Alternative:
sudo deluser temp_contractor sudo
Task 2: Delete temp_contractor user
sudo userdel temp_contractor
Better (with home directory):
sudo userdel -r temp_contractor
Task 3: Remove admin_backup from sudo group
sudo gpasswd -d admin_backup sudo
Task 4: Remove sys_monitor from finance_admin
sudo gpasswd -d sys_monitor finance_admin
Task 5: Create security_audit group
sudo groupadd security_audit
Task 6: Add jsmith to security_audit
sudo usermod -aG security_audit jsmith
Alternative:
sudo gpasswd -a jsmith security_audit
📖 COMMAND EXPLANATIONS
gpasswd -d: Remove user from group
- -d flag = delete/remove
- Syntax: gpasswd -d USERNAME GROUPNAME
userdel: Delete user account
- Basic: userdel USERNAME
- With home: userdel -r USERNAME
groupadd: Create new group
- Syntax: groupadd GROUPNAME
usermod -aG: Add user to group (APPEND)
- -a = append (keeps other groups)
- -G = supplementary groups
- ⚠️ WITHOUT -a, removes user from all other groups!
📋 Complete Script
```bash
#!/bin/bash
# Security Response Script - Level 3

# Task 1: Remove temp_contractor from sudo
sudo gpasswd -d temp_contractor sudo

# Task 2: Delete temp_contractor user
sudo userdel -r temp_contractor

# Task 3: Remove admin_backup from sudo
sudo gpasswd -d admin_backup sudo

# Task 4: Remove sys_monitor from finance_admin
sudo gpasswd -d sys_monitor finance_admin

# Task 5: Create security_audit group
sudo groupadd security_audit

# Task 6: Add jsmith to security_audit
sudo usermod -aG security_audit jsmith

echo "✅ Security threats neutralized!"
```
❌ COMMON MISTAKES
- Using usermod -G without -a
  - ❌ usermod -G security_audit jsmith (this REMOVES jsmith from ALL other groups!)
  - ✅ Correct: usermod -aG security_audit jsmith
- Wrong command order
  - ❌ gpasswd -d sudo temp_contractor (wrong order!)
  - ✅ Correct: gpasswd -d temp_contractor sudo
- Forgetting sudo
  - Most commands require root privileges
- Typos in usernames/groups
  - temp_contractor vs tempcontractor, finance_admin vs financeadmin
- Confusing gpasswd -a and -d
  - -a = add user to group
  - -d = delete/remove user from group
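Before and after running the six Level 3 commands, a responder wants to see who is actually in sudo and finance_admin, and to generate the removals from a list of who is allowed rather than from memory. The script below is an added example, not part of the challenge key: it parses an /etc/group-style file (a constructed sample embedded here; on a real host pass /etc/group instead) and emits the gpasswd -d lines for every unexpected member. The usernames and gids in the sample are assumptions chosen to match the scenario.

```bash
#!/bin/bash
# Added example (not part of the challenge key): audit group membership from
# an /etc/group-style file and emit the gpasswd commands that would fix it.
# The group file below is constructed for this example.

GROUP_FILE=$(mktemp)
trap 'rm -f "$GROUP_FILE"' EXIT
cat > "$GROUP_FILE" <<'EOF'
root:x:0:
sudo:x:27:temp_contractor,admin_backup
finance_admin:x:1001:sys_monitor,fmanager
security_audit:x:1003:
EOF

# members_of GROUP FILE: supplementary members of GROUP, space-separated
members_of() {
  awk -F: -v g="$1" '$1 == g {
    n = split($4, m, ","); out = ""
    for (i = 1; i <= n; i++) if (m[i] != "") out = out (out == "" ? "" : " ") m[i]
    print out
  }' "$2"
}

# is_member USER GROUP FILE: true when USER is listed in GROUP
is_member() {
  local m
  for m in $(members_of "$2" "$3"); do
    [ "$m" = "$1" ] && return 0
  done
  return 1
}

# unexpected_members FILE GROUP [ALLOWED...]: members of GROUP not on the allow list
unexpected_members() {
  local file=$1 group=$2 m a allowed
  shift 2
  for m in $(members_of "$group" "$file"); do
    allowed=no
    for a in "$@"; do [ "$m" = "$a" ] && allowed=yes; done
    [ "$allowed" = no ] && echo "$m"
  done
}

# remediation_plan FILE GROUP [ALLOWED...]: one gpasswd -d line per unexpected member
remediation_plan() {
  local file=$1 group=$2 m
  shift 2
  for m in $(unexpected_members "$file" "$group" "$@"); do
    echo "sudo gpasswd -d $m $group"
  done
}

echo "sudo members before clean-up: $(members_of sudo "$GROUP_FILE")"
remediation_plan "$GROUP_FILE" sudo                     # nobody should keep sudo here
remediation_plan "$GROUP_FILE" finance_admin fmanager   # only fmanager belongs
if is_member jsmith security_audit "$GROUP_FILE"; then
  echo "jsmith already in security_audit"
else
  echo "sudo usermod -aG security_audit jsmith"
fi
```

Re-running the audit after the commands (or checking `id jsmith`) is also how to catch the usermod -G without -a mistake: jsmith's other groups would have vanished from the file.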
Level 4 (+500 Points Available)
Challenge Context
Students must decode a message where file permissions encode letters using a number-to-alphabet cipher.
✅ CORRECT ANSWER
FIREWALL
📖 DECRYPTION METHOD
The Files and Their Permissions:
| File | Permissions | Numeric | Digits | Letters |
|---|---|---|---|---|
| .message1.enc | rw-r----- | 640 | 6, 4 | F, D |
| .message2.enc | rwxr-x--- | 750 | 7, 5 | G, E |
| .message3.enc | rw------- | 600 | 6 | F |
| .key_fragment.txt | rwxrwx--- | 770 | 7, 7 | G, G |
Step-by-Step Decoding:
- Extract permission numbers: 640, 750, 600, 770
- Take non-zero digits: 6,4 - 7,5 - 6 - 7,7
- Convert to letters (A=1, B=2... Z=26):
- 6 = F
- 4 = D
- 7 = G
- 5 = E
- 6 = F
- 7 = G
- 7 = G
- Result: F-D-G-E-F-G-G
- The intended security term: FIREWALL
Why FIREWALL?
- It's a common security target
- Fits the context of the attack scenario
- The cipher is intentionally imperfect to increase difficulty
- Requires creative thinking beyond pure decoding
📌 Also Acceptable
Students who show understanding of the cipher may get partial credit for:
FDGEFGG (literal decoding)
❌ COMMON MISTAKES
- Including zeros in conversion
640 should give F-D, not F-D-[nothing]
- Reading permissions incorrectly
Confusing user/group/other positions
- Wrong alphabet mapping
Using 0=A instead of 1=A (off by one error)
- Giving up without trying
This level requires persistence and creative thinking
- Not recognizing security terms
Students decode correctly but don't realize it spells "FIREWALL"
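The decoding steps above (split each mode into digits, drop the zeros, map 1..26 to A..Z) as a small function, added here as an example and not part of the challenge key. The modes it decodes are the four from the table; the per-mode trace shows which file each letter came from, which is the check that catches the "including zeros" and "0=A" mistakes listed above.

```bash
#!/bin/bash
# Added example (not part of the challenge key): the Level 4 number-to-letter
# cipher. Each octal mode is split into digits, zeros are dropped, and
# 1..26 map to A..Z. The modes used below are the ones in the table.

# digit_to_letter N: 1 -> A ... 26 -> Z; prints nothing for 0
digit_to_letter() {
  local n=$1
  if [ "$n" -ge 1 ] && [ "$n" -le 26 ]; then
    # build the octal escape for the ASCII code (A = 65) and let printf emit it
    printf "\\$(printf '%03o' $((n + 64)))"
  fi
}

# decode_modes MODE...: concatenate the letters of every non-zero digit
decode_modes() {
  local mode d out=""
  for mode in "$@"; do
    while [ -n "$mode" ]; do
      d=${mode:0:1}
      mode=${mode:1}
      out="$out$(digit_to_letter "$d")"
    done
  done
  printf '%s\n' "$out"
}

# decode_with_trace MODE...: one line per mode so the source of each letter is visible
decode_with_trace() {
  local mode
  for mode in "$@"; do
    printf '%s -> %s\n' "$mode" "$(decode_modes "$mode")"
  done
}

decode_with_trace 640 750 600 770
echo "literal decoding: $(decode_modes 640 750 600 770)"   # FDGEFGG
```

Because a permission digit is always 0..7, a one-digit mapping can only ever produce the letters A..G; that is the structural reason the literal decoding FDGEFGG cannot spell FIREWALL and the key awards the intended term on context.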
Level 5 (+600 Points Available)
Challenge Context
Students must write a complete bash script with 8 specific commands to neutralize a time-bomb malware threat.
✅ COMPLETE SOLUTION SCRIPT
```bash
#!/bin/bash
# Security Lockdown Script
# Operation Shadow Protocol - Final Countermeasures

echo "================================"
echo "Security Lockdown Initiated"
echo "================================"

# Step 1: Remove execute permissions from malware
chmod -x /opt/malware/payload.sh
echo "✅ Execute permissions removed"

# Step 2: Change ownership to root
sudo chown root:root /opt/malware/payload.sh
echo "✅ Ownership changed to root"

# Step 3: Make file immutable (read-only for all)
chmod 444 /opt/malware/payload.sh
echo "✅ File set to immutable"

# Step 4: Create backup directory
sudo mkdir -p /secure/evidence
echo "✅ Evidence directory created"

# Step 5: Backup the payload
sudo cp /opt/malware/payload.sh /secure/evidence/
echo "✅ Payload backed up"

# Step 6: Log the incident
echo "Threat neutralized at $(date)" | sudo tee -a /var/log/security/incident.log
echo "✅ Incident logged"

# Step 7: Remove compromised user
sudo userdel temp_contractor
echo "✅ Compromised user removed"

# Step 8: Secure tools directory
chmod 750 /home/admin_backup/tools/
echo "✅ Tools directory secured"

echo "================================"
echo "Security Lockdown Complete!"
echo "================================"
```
Required Commands Breakdown
| Step | Command | Purpose |
|---|---|---|
| 1 | chmod -x /opt/malware/payload.sh | Remove execute permissions |
| 2 | sudo chown root:root /opt/malware/payload.sh | Change ownership to root |
| 3 | chmod 444 /opt/malware/payload.sh | Make immutable (read-only) |
| 4 | sudo mkdir -p /secure/evidence | Create backup directory |
| 5 | sudo cp /opt/malware/payload.sh /secure/evidence/ | Backup payload |
| 6 | echo "..." \| sudo tee -a /var/log/security/incident.log | Log the incident |
| 7 | sudo userdel temp_contractor | Remove compromised user |
| 8 | chmod 750 /home/admin_backup/tools/ | Secure tools directory |
📖 DETAILED EXPLANATIONS
Command 1: Remove Execute Permissions
```bash
chmod -x /opt/malware/payload.sh
# OR
chmod a-x /opt/malware/payload.sh
# OR
chmod u-x,g-x,o-x /opt/malware/payload.sh
```
Prevents the script from being run. First line of defense.
Command 2: Change Ownership
```bash
sudo chown root:root /opt/malware/payload.sh
# OR (when already running as root)
chown root:root /opt/malware/payload.sh
```
Only root can now modify the file. Attacker loses control.
Command 3: Make Immutable
```bash
chmod 444 /opt/malware/payload.sh
# Results in: r--r--r--
```
Everyone can read (for forensics), nobody can write or execute.
Command 4: Create Backup Directory
```bash
sudo mkdir -p /secure/evidence
# -p creates parent directories if needed
```
Essential for chain of custody in security incidents.
Command 5: Backup Payload
```bash
sudo cp /opt/malware/payload.sh /secure/evidence/
# Optional: -p flag preserves permissions and timestamps
sudo cp -p /opt/malware/payload.sh /secure/evidence/
```
Never modify original evidence without backup.
Command 6: Log Incident
```bash
echo "Threat neutralized at $(date)" | sudo tee -a /var/log/security/incident.log
# OR
echo "Lockdown executed $(date)" >> /var/log/security/incident.log
```
Audit trail - all security events must be logged.
Command 7: Remove User
```bash
sudo userdel temp_contractor
# Better: also remove home directory
sudo userdel -r temp_contractor
```
Closes the attack vector - attacker cannot log in.
Command 8: Secure Directory
```bash
chmod 750 /home/admin_backup/tools/
# Results in: rwxr-x---
```
Fixes the original vulnerability from Level 1.
❌ COMMON MISTAKES
- Wrong chmod for removing execute
  - ❌ chmod +x (adds execute!)
  - ✅ chmod -x (removes execute)
- Using 777 instead of 444
Students panic and make it too permissive
- Not using -p with mkdir
Fails if parent directory doesn't exist
- Using > instead of >> for logging
  - > overwrites file (destroys logs!)
  - >> appends (preserves logs)
- Forgetting sudo where needed
Many commands require root privileges
- Missing the shebang line
  - #!/bin/bash should be first line
- Incorrect file paths
Must use exact paths specified in challenge
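The eight commands only matter if they leave the system in the intended state, so a responder (or a grader) should verify that state rather than trust the ✅ echoes. The script below is an added example, not part of the challenge key: it checks that the payload is non-executable, owned by the expected uid (0 for root:root), exactly mode 444, preserved byte-for-byte in the evidence directory, and recorded in the incident log. The demo at the bottom runs the non-root steps against constructed stand-in files under a temporary directory, so the chown step is replaced by checking against the current user's uid.

```bash
#!/bin/bash
# Added example (not part of the challenge key): verify the end state the
# Level 5 lockdown script is meant to produce. Expected owner is a numeric
# uid (0 for root:root). The demo uses constructed stand-in files.

# has_mode PATH OCTAL: true when PATH's permission bits are exactly OCTAL
has_mode() {
  [ -n "$(find "$1" -prune -perm "$2" 2>/dev/null)" ]
}

# uid_of PATH: numeric owner from ls -ldn (third column)
uid_of() {
  ls -ldn "$1" | awk '{ print $3 }'
}

# verify_lockdown PAYLOAD EVIDENCE_DIR LOGFILE EXPECTED_UID
# Prints PASS/FAIL per check; returns 0 only when every check passes.
verify_lockdown() {
  local payload=$1 evidence=$2 log=$3 uid=$4 ok=yes
  local copy="$2/$(basename "$1")"
  if [ -x "$payload" ]; then echo "FAIL: payload is still executable"; ok=no
  else echo "PASS: execute bit removed"; fi
  if [ "$(uid_of "$payload")" = "$uid" ]; then echo "PASS: owner uid is $uid"
  else echo "FAIL: owner uid is $(uid_of "$payload"), expected $uid"; ok=no; fi
  if has_mode "$payload" 444; then echo "PASS: mode is 444 (r--r--r--)"
  else echo "FAIL: mode is not 444"; ok=no; fi
  # cksum over stdin so the output carries no filename; equal output = equal bytes
  if [ -f "$copy" ] && [ "$(cksum < "$payload")" = "$(cksum < "$copy")" ]; then
    echo "PASS: evidence copy matches the original"
  else echo "FAIL: evidence copy missing or differs"; ok=no; fi
  if [ -f "$log" ] && grep -q "Threat neutralized" "$log"; then echo "PASS: incident logged"
  else echo "FAIL: no incident log entry"; ok=no; fi
  [ "$ok" = yes ]
}

# Demo on constructed stand-ins for /opt/malware/payload.sh, /secure/evidence
# and /var/log/security/incident.log
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
PAYLOAD="$DEMO_DIR/payload.sh"
EVIDENCE="$DEMO_DIR/evidence"
LOGFILE="$DEMO_DIR/incident.log"
printf '#!/bin/sh\necho "constructed stand-in for the payload"\n' > "$PAYLOAD"
chmod 755 "$PAYLOAD"

echo "--- before lockdown ---"
verify_lockdown "$PAYLOAD" "$EVIDENCE" "$LOGFILE" "$(id -u)" || echo "lockdown incomplete"

# The challenge's steps 1, 3, 4, 5 and 6 (chown is skipped: we already own the file)
chmod -x "$PAYLOAD"
chmod 444 "$PAYLOAD"
mkdir -p "$EVIDENCE"
cp -p "$PAYLOAD" "$EVIDENCE/"
echo "Threat neutralized at $(date)" >> "$LOGFILE"

echo "--- after lockdown ---"
verify_lockdown "$PAYLOAD" "$EVIDENCE" "$LOGFILE" "$(id -u)"
```

On the real host the call is `verify_lockdown /opt/malware/payload.sh /secure/evidence /var/log/security/incident.log 0`, run with sudo because the log directory is root-owned. The check for mode 444 uses exact matching, so a student who typed 777 instead of 444 fails it even though the file is still readable.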
Grading Rubric
Overall Score Calculation
Final Score = Starting Points (1000) + Level Bonuses - Penalties - Hint Costs
Ranking System
| Score Range | Rank | Grade Equivalent |
|---|---|---|
| 2500+ | 🏆 LEGENDARY SECURITY EXPERT | A+ (100%) |
| 2000-2499 | 💎 ELITE PENETRATION TESTER | A (95%) |
| 1500-1999 | ⭐ SENIOR SECURITY ANALYST | B (90%) |
| 1000-1499 | 🎖️ COMPETENT ANALYST | C (85%) |
| 500-999 | 📋 JUNIOR ANALYST | D (80%) |
| <500 | 🔰 TRAINEE | F (75%) |
Level-by-Level Grading
| Level | Full Credit | Partial Credit | Penalty per Error |
|---|---|---|---|
| Level 1 | +200 (both correct) | +100 (one correct) | -50 |
| Level 2 | +300 (all 3 files) | +100 per file | -75 per wrong file |
| Level 3 | +400 (all 6 commands) | +67 per command | -60 per wrong command |
| Level 4 | +500 (FIREWALL) | +400 (FDGEFGG) | -100 per wrong attempt |
| Level 5 | +600 (all 8 commands) | +75 per command | -80 per missing command |
Hint Costs
- Level 1 Hint: -50 points
- Level 2 Hint: -75 points
- Level 3 Hint: -100 points
- Level 4 Hint: -150 points
- Level 5 Hint: -200 points
Expected Class Performance
| Rank | Expected % | In class of 30 |
|---|---|---|
| LEGENDARY (2500+) | ~5% | 1-2 students |
| ELITE (2000-2499) | ~15% | 4-5 students |
| SENIOR (1500-1999) | ~30% | 9 students |
| COMPETENT (1000-1499) | ~30% | 9 students |
| JUNIOR (500-999) | ~15% | 4-5 students |
| TRAINEE (<500) | ~5% | 1-2 students |
📊 Average Class Metrics
- Average Score: 1400-1600 points
- Median Completion: Level 3
- Level 1 Success: ~90%
- Level 5 Success: ~20%
- Average Time: 38-42 minutes