
SAINTCON 2019 Getting Started

Spencer Heywood edited this page Oct 18, 2019 · 14 revisions

Welcome to the Active Threat Hunting event at SAINTCON 2019!

Accessing Pod Resources:

We call each team and their resources in the Active Threat Hunting challenge a "pod". Each pod has the following CIDR ranges:

Pod1: 192.168.10.0/24
Pod2: 192.168.20.0/24
Pod3: 192.168.30.0/24
Pod4: 192.168.40.0/24

Pod Hosts/Network Layout:

192.168.X.5: guacamole
192.168.X.10: elk
192.168.X.15: fleet
192.168.X.30: ubuntu-vm (management host)
192.168.X.51: linux1
192.168.X.52: linux2
192.168.X.61: windows

Credentials:

There will be two credentials needed for the event:

  1. Pod-admin credentials, used to log in to all of the tools in your pod.
  2. User credentials, used to log in to the management host.

Both of these credentials should have been shared with you during the event or prior to the event. If you do not have these credentials please let someone on the Active Threat Hunting team know.

Connecting to Your Management Host:

A single Linux management host has been configured in each pod for you to do all of your work from. Its address in your pod is:

192.168.X.30

Connect to the Linux management host with a Remote Desktop client from Windows, macOS, or Linux, or go through the Apache Guacamole instance described in the Tool URIs section, which provides pre-configured RDP and SSH connections in the browser. Log in with the user credentials shared with you at the event.

Please do all of your work from this management host. You may work from your own machine instead, but the Active Threat Hunting staff will not be able to support you if you run into issues.

Management Host Resources:

The following resources are available in the management host:

  1. A file named credentials.txt on the Desktop containing the podX-admin credentials needed to log in to the tools. Double-click the file to view its contents.
  2. Two files on the Desktop named linux1 and linux2 that you can double-click to open SSH sessions to linux1 and linux2 in your pod.
  3. Firefox bookmarks with links to all relevant web applications that will be in use during the event.

Tool URIs:

CTFd: https://192.168.1.21
Apache Guacamole: https://192.168.X.5
ELK: https://192.168.X.10:5601
Kolide Fleet: https://192.168.X.15:8080

Tool Description:

CTFd: Web application housing all of the challenges
Apache Guacamole: Bastion host with pre-configured SSH and RDP connections to the pod hosts
ELK: Central logging server (Elasticsearch, Logstash, Kibana); the URI above is the Kibana UI
Kolide Fleet: Centralized osquery server
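Before the event starts it is worth confirming that every host and tool port in your pod actually answers from the management host. The script below is an added example, not part of the wiki or the event tooling: it derives the pod addresses from the pod number using the layout and URIs documented above, and makes a timed TCP connect to each service. The ports are read off the tool URIs (443, 5601, 8080); SSH on 22 for linux1/linux2 and RDP on 3389 for ubuntu-vm and windows are assumptions, not stated on this page.

```shell
#!/bin/sh
# Added example (not from the SAINTCON wiki): derive a pod's addresses from
# the pod number and check that each service port accepts a TCP connection.
# Assumes the documented layout: Pod N is 192.168.N0.0/24 with hosts
# .5 guacamole, .10 elk, .15 fleet, .30 ubuntu-vm, .51 linux1, .52 linux2, .61 windows.
# Ports 22 (SSH) and 3389 (RDP) are assumptions; 443/5601/8080 come from the Tool URIs.
# Needs bash (for /dev/tcp) and the coreutils `timeout` command on the PATH.

# pod_ip POD SUFFIX -> 192.168.<POD>0.<SUFFIX>; rejects pod numbers outside 1-4
pod_ip() {
  case "$1" in
    1|2|3|4) printf '192.168.%s0.%s\n' "$1" "$2" ;;
    *) echo "pod must be 1-4, got '$1'" >&2; return 1 ;;
  esac
}

# pod_service NAME -> "<host suffix> <port>" for one of the documented hosts
pod_service() {
  case "$1" in
    guacamole) echo "5 443" ;;
    elk)       echo "10 5601" ;;
    fleet)     echo "15 8080" ;;
    ubuntu-vm) echo "30 3389" ;;   # management host, reached over RDP (assumed port)
    linux1)    echo "51 22" ;;     # SSH (assumed port)
    linux2)    echo "52 22" ;;     # SSH (assumed port)
    windows)   echo "61 3389" ;;   # RDP (assumed port)
    *) echo "unknown host '$1'" >&2; return 1 ;;
  esac
}

# pod_url POD TOOL -> the tool URI for that pod; CTFd is a fixed address shared by all pods
pod_url() {
  case "$2" in
    ctfd)      echo "https://192.168.1.21" ;;
    guacamole) echo "https://$(pod_ip "$1" 5)" ;;
    elk)       echo "https://$(pod_ip "$1" 10):5601" ;;
    fleet)     echo "https://$(pod_ip "$1" 15):8080" ;;
    *) echo "unknown tool '$2'" >&2; return 1 ;;
  esac
}

# tcp_open IP PORT [TIMEOUT] -> 0 if a TCP connect completes within TIMEOUT seconds (default 3)
tcp_open() {
  timeout "${3:-3}" bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# check_pod POD -> prints one line per host; exit status is the number of unreachable services
check_pod() {
  local pod down name ip
  pod=$1
  down=0
  for name in guacamole elk fleet ubuntu-vm linux1 linux2 windows; do
    set -- $(pod_service "$name")          # $1 = host suffix, $2 = port
    ip=$(pod_ip "$pod" "$1") || return 2
    if tcp_open "$ip" "$2"; then
      printf '%-10s %-15s tcp/%-5s open\n' "$name" "$ip" "$2"
    else
      printf '%-10s %-15s tcp/%-5s closed or filtered\n' "$name" "$ip" "$2"
      down=$((down + 1))
    fi
  done
  return "$down"
}

# Usage: sh check_pod.sh <pod number>
if [ $# -gt 0 ]; then
  check_pod "$1"
fi
```

Run it from the management host (`sh check_pod.sh 2` for Pod2). A "closed or filtered" line for a host you are expected to reach is something to raise with the Active Threat Hunting staff before you start; a non-zero exit status makes the script easy to wire into a shell prompt or loop.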

Accessing Tools:

Use your pod-admin credentials that have been shared with you to login to each application or server. If you do not have those credentials, please ask an Active Threat Hunting staff member to provide them to you.