A Linux server was possibly compromised and a forensic analysis is required in order to understand what really happened. Hard disk dumps and memory snapshots of the machine are provided in order to solve the challenge.

Challenge Files:

  • victoria-v8.kcore.img: memory dump done by dd’ing /proc/kcore.
  • victoria-v8.memdump.img: memory dump done with memdump.
  • Debian5_26.zip: volatility custom Linux profile.


Supportive Tools:

| #  | Question                                                                                                    | Weight | Solved |
|----|-------------------------------------------------------------------------------------------------------------|--------|--------|
| 1  | The attacker was performing a Brute Force attack. What account triggered the alert?                         | 50     | 54     |
| 2  | How many failed attempts were there?                                                                        | 50     | 42     |
| 3  | What kind of system runs on the targeted server?                                                            | 50     | 46     |
| 4  | What is the victim's IP address?                                                                            | 100    | 55     |
| 5  | What are the attacker's two IP addresses? (comma separated without spaces)                                  | 100    | 54     |
| 6  | What is the "nc" service PID number that was running on the server?                                         | 150    | 52     |
| 7  | What service was exploited to gain access to the system?                                                    | 150    | 50     |
| 8  | What is the CVE number of the exploited vulnerability?                                                      | 150    | 48     |
| 9  | During this attack, the attacker downloaded two files to the server. What are they?                         | 100    | 45     |
| 10 | What are the two port numbers involved in the process of data exfiltration? (comma separated without spaces) | 100    | 51     |
| 11 | Which port did the attacker try to open on the firewall?                                                    | 100    | 35     |