
SAINTCON 2019 Getting Started

Spencer Heywood edited this page Oct 18, 2019 · 14 revisions

Welcome to the Active Threat Hunting event at SAINTCON 2019!

Accessing Pod Resources:

We call each team and its resources in the Active Threat Hunting challenge a "pod". Each pod has its own /24; in the host addresses below, X is the pod number times 10 (Pod 1 is 192.168.10.0/24, so its ELK server is 192.168.10.10):

Pod1: 192.168.10.0/24
Pod2: 192.168.20.0/24
Pod3: 192.168.30.0/24
Pod4: 192.168.40.0/24

Pod Hosts/Network Layout:

192.168.X.5: guacamole (rdp/ssh bastion)
192.168.X.10: elk (logging)
192.168.X.15: fleet (osquery)
192.168.X.30: ubuntu-vm (management host)

192.168.X.51: linux1
192.168.X.52: linux2
192.168.X.61: windows

Credentials:

There will be two credentials needed for the event:

  1. Pod-admin credentials, needed to log in to all of the tools in the pods.
  2. User credentials for the Management Host. You will do most of your work from the Management Host; see the section below.

Both of these credentials will be available as hints in the Getting Started challenge.

Connecting to Your Management Host:

A single Linux management host in your pod has been configured for you to do all of your work from. Its address follows the pod scheme above:

192.168.X.30 (e.g. Pod 1 would be 192.168.10.30)

You can connect to the Linux management host with a Remote Desktop (RDP) client on Windows, macOS, or Linux, or through the Apache Guacamole instance described in the Tool URIs section below. Either way, log in with the user credentials for the Linux management host shared with you in the Getting Started hints.

Please do all of your work from this management host. You may work from your own machine if you prefer, but it will not be actively supported if you run into issues.

Management Host Resources:

The following resources are available in the management host:

  1. A file named credentials.txt on the Desktop with the podX-admin credentials needed to log in to the tools. Double-click the file to view its contents.
  2. Two files on the Desktop named linux1 and linux2 that you can double-click to open SSH sessions to linux1/linux2 in your pod.
  3. Firefox bookmarks with links to all relevant web applications that will be in use during the event.

Tool URIs:

CTFd: https://192.168.1.21 (a single instance outside the pod ranges; the X in the URIs below is your pod number times 10)
Apache Guacamole: https://192.168.X.5
ELK: https://192.168.X.10:5601
Kolide Fleet: https://192.168.X.15:8080
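Before the event starts it is worth confirming that every host in your pod answers on the port you will need. The script below is an added example (not part of this wiki or the event's own tooling): it derives the pod addresses from the pod number using the X = pod number times 10 convention from the Pod Hosts/Network Layout section, builds the tool URIs listed above, and probes each service over TCP. The ports for Guacamole (443), ELK (5601) and Fleet (8080) come from the Tool URIs; SSH on 22 for linux1/linux2 and RDP on 3389 for the windows host and the management host are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the SAINTCON 2019 wiki: derive a pod's host
# addresses and tool URIs from its number, then check which services answer.
# Assumed: X = pod number * 10 (Pod 1 -> 192.168.10.0/24); SSH on 22 and
# RDP on 3389 are assumptions, the 443/5601/8080 ports come from the wiki.

# Third octet for pod N: 10, 20, 30, 40.
pod_octet() { echo $(( $1 * 10 )); }

# Host role -> address, following the "Pod Hosts/Network Layout" table.
pod_host() {
  local pod=$1 role=$2 last
  case "$role" in
    guacamole) last=5 ;;
    elk)       last=10 ;;
    fleet)     last=15 ;;
    ubuntu-vm) last=30 ;;
    linux1)    last=51 ;;
    linux2)    last=52 ;;
    windows)   last=61 ;;
    *) echo "unknown role: $role" >&2; return 1 ;;
  esac
  echo "192.168.$(pod_octet "$pod").$last"
}

# Tool URI for a pod, matching the "Tool URIs" section (CTFd is shared, so
# it is not derived here).
pod_url() {
  local pod=$1 tool=$2
  case "$tool" in
    guacamole) echo "https://$(pod_host "$pod" guacamole)" ;;
    elk)       echo "https://$(pod_host "$pod" elk):5601" ;;
    fleet)     echo "https://$(pod_host "$pod" fleet):8080" ;;
    *) echo "unknown tool: $tool" >&2; return 1 ;;
  esac
}

# TCP reachability check that needs no nc/nmap: bash's /dev/tcp with a 3 s
# timeout. Returns 0 if the port accepted the connection.
tcp_open() {
  timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Probe every host/port a team needs and print one status line per service.
check_pod() {
  local pod=$1 entry role port host
  for entry in guacamole:443 elk:5601 fleet:8080 ubuntu-vm:3389 \
               linux1:22 linux2:22 windows:3389; do
    role=${entry%%:*}; port=${entry##*:}
    host=$(pod_host "$pod" "$role")
    if tcp_open "$host" "$port"; then
      printf '%-10s %s:%s open\n' "$role" "$host" "$port"
    else
      printf '%-10s %s:%s closed or filtered\n' "$role" "$host" "$port"
    fi
  done
}

# Usage: ./check_pod.sh <pod-number>   (e.g. ./check_pod.sh 1)
if [ -n "${1:-}" ]; then check_pod "$1"; fi
```

Run it from the management host (or your own machine on the pod network) with your pod number as the only argument. A "closed or filtered" line for a host you expect to be up is the first thing to raise with an Active Threat Hunting team member, before you spend time on credentials.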

Tool Description:

CTFd: Web application housing all challenges
Apache Guacamole: Bastion host with pre-configured SSH and RDP connections
ELK: Central logging server
Kolide Fleet: Centralized osquery server

Accessing Tools:

Use the pod-admin credentials shared with you to log in to each application or server. If you do not have those credentials, please ask an Active Threat Hunting team member to provide them.

Optional -- Chatting:

If you'd like to have a messaging service in place for chatting with other members of your team (in order to easily share credentials, links, etc.) please use CloakMy's Chatting Service:

  1. Go to https://cloakmy.org/c
  2. Set your username, room password and then Create Room
  3. Share the room link with your teammates