On October 18, 2025, Wowza Enterprise hosted their first cybersecurity conference. To reduce staff overhead, the IT team configured several unused laptops as self-registration kiosks. Each machine ran a single webpage displaying a QR code that attendees could scan to register and view the event schedule.
After the event, the security team detected suspicious outbound connections originating from one of those kiosk machines — KioskExpo7. Surveillance footage confirmed that a suspicious individual had spent an unusually long time at that particular terminal. The machine was isolated and a KAPE triage image was collected for examination.
Your objective is to trace the full attack chain — how the attacker broke out of kiosk restrictions, how they escalated privileges, what they modified, and what persistence mechanisms they left behind.
This walkthrough covers every question in the lab in order. The triage image was collected using KAPE with the KAPETriage target, giving us the following artifact categories:
- $MFT and $J (USN Journal), parsed with MFTECmd
- NTUSER.DAT (per user), SOFTWARE, SAM, SYSTEM, SECURITY, loaded with Registry Explorer
- History SQLite database, opened with DB Browser for SQLite