There is some strange network traffic emanating from a logging server used by services within the enterprise...probably worth a look.
- Download the Capstone2017 ISO here
- Untar and add to VirtualBox (untested w/ VMware)
- Tweak hardware settings if you would like to dedicate more horsepower to the box. The scenario runs fine on 512MB of RAM and a single core.
- Start up the box in VirtualBox, wait for a few, then curl to get the private key to SSH into the box:
  `curl localhost:2224`
- Copy the key portion, including headers, into a file called `capstone_id` and then `chmod 0600 capstone_id`. Finally you can ssh into the logging server `victim`.
STOP: Once you are here, stop and shut down the VM. Do not spend time prior to 26 June working on the Capstone. The key will persist between reboots.
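Since the hosts do not save state and scripting is encouraged, the key-retrieval steps above can be wrapped in a small script. This is an added example, not part of the original scenario material; the function names are hypothetical, and the ssh user is not given on this page, so the connect step is left as a placeholder comment.

```shell
#!/bin/sh
# Added example: fetch the lab key, keep only the PEM block, store it mode 0600.
# KEY_URL and KEY_FILE are taken from the steps above; everything else
# (function names, the "fetch" argument) is an assumption of this example.
KEY_URL="localhost:2224"
KEY_FILE="capstone_id"

# Print only the private-key block from stdin, header and footer included.
# Anything before the BEGIN line or after the END line is dropped.
extract_key() {
    awk '/^-----BEGIN [A-Z0-9 ]*PRIVATE KEY-----/ { inkey = 1 }
         inkey { print }
         /^-----END [A-Z0-9 ]*PRIVATE KEY-----/ { if (inkey) exit }'
}

# Read a raw response on stdin and write the key to "$1".
# Returns non-zero and leaves no file behind if no complete key was found.
save_key() {
    out="$1"
    tmp=$(mktemp "${out}.XXXXXX") || return 1   # mktemp creates the file 0600
    extract_key > "$tmp"
    if ! tail -n 1 "$tmp" | grep -q '^-----END .*PRIVATE KEY-----'; then
        rm -f "$tmp"
        echo "no complete private key in response" >&2
        return 1
    fi
    # ssh refuses keys readable by group/other, so set the mode explicitly.
    chmod 0600 "$tmp" && mv "$tmp" "$out"
}

# Fetch from the VM; -f makes curl fail on HTTP errors instead of saving them.
fetch_key() {
    curl -fsS "$KEY_URL" | save_key "$KEY_FILE"
}

# Run as: sh getkey.sh fetch
# Then connect with: ssh -i capstone_id <user>@<host>   (placeholders)
if [ "${1:-}" = "fetch" ]; then
    fetch_key
fi
```
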
A few Tips:
- The hosts you are operating on internal to this VM DO NOT save state. Recommend prototyping work on another VM or host computer, then transferring to the hosts. Scripting is heavily encouraged so you can easily get back to your past location if you crash a box.
- All tools you need to traverse the capstone are on the `victim` box, though there are some pretty common packages that might make it easier.
- There isn't one way/order to solve it.
- Don't try to do forensics on the VM's bare drive. All source used to build the scenario has been rm'd.
- `man netstat`: printing connection information
- `man lsof`: listing open files
- `man ps`: getting current processes
- `man who`: seeing who is logged on
- `man ls`: listing directory contents
- `man grep`: printing lines matching a pattern
- `man gdb`: debugging
- `man nc`: swiss army knife
- `man tcpdump`: dumps...tcp
- `man sshfs`: allows you to mount remote ssh as a filesystem