SAINTCON 2019 Getting Started
Welcome to the Active Threat Hunting event at SAINTCON 2019!
We call each team and their resources in the Active Threat Hunting challenge a "pod". Each pod has its own CIDR range:
- Pod1: 192.168.10.0/24
- Pod2: 192.168.20.0/24
- Pod3: 192.168.30.0/24
- Pod4: 192.168.40.0/24
Within a pod, hosts use the following addresses, where X is your pod's third octet (10, 20, 30 or 40):
- 192.168.X.5: guacamole
- 192.168.X.10: elk
- 192.168.X.15: fleet
- 192.168.X.30: ubuntu-vm (management host)
- 192.168.X.51: linux1
- 192.168.X.52: linux2
- 192.168.X.61: windows
There will be two credentials needed for the event:
- Pod-admin credentials will be needed to access all of the tools in the pods.
- User credentials for the Management Host.
Both of these credentials should have been shared with you during the event or prior to the event. If you do not have these credentials please let someone on the Active Threat Hunting team know.
A single Linux management host in your pod has been configured for you to do all your work from. It has the following IP address in your pod: 192.168.X.30
You can use a Remote Desktop client on Windows, macOS, or Linux to connect to the Linux management host, or connect through the Apache Guacamole instance described in the Tool URIs section. Please use the user credentials shared with you at the event.
Please do all of your work from this management host. You may work from your own machine if you prefer, but it will not be actively supported if issues are encountered.
The following resources are available in the management host:
- A file named `credentials.txt` on the Desktop with the podX-admin credentials needed to log in to the tools. Double-click the file to view its contents.
- Two files on the Desktop named `linux1` and `linux2` that you can double-click to open SSH sessions to linux1/linux2 in your pod.
- Firefox bookmarks with links to all relevant web applications that will be in use during the event.
Tool URIs
- CTFd: https://192.168.1.21 (web application housing all challenges; shared by all pods)
- Apache Guacamole: https://192.168.X.5 (bastion host with pre-configured SSH and RDP connections)
- ELK: https://192.168.X.10:5601 (central logging server)
- Kolide Fleet: https://192.168.X.15:8080 (centralized osquery server)
Use the pod-admin credentials that have been shared with you to log in to each application or server. If you do not have those credentials, please ask an Active Threat Hunting staff member to provide them to you.