Honeynet Collapse CTF

Welcome to Honeynet Collapse!

Difficulty: hard | Duration: 360 min

Task 1: Intro and Rules

Welcome

Welcome to Honeynet Collapse, a blue-team capture-the-flag (CTF) event in which you investigate a realistic security incident made up of six unique scenarios and answer a range of often quite challenging questions.

The event starts on July 26th, at 17:00 BST and will last exactly six hours. The challenges will be made available in this room when the CTF starts. While you wait for the competition, learn and practice your DFIR skills in the Advanced Endpoint Investigations path - you will need them soon!

The room will still be available for the weekend, but only the first six hours will decide who's the fastest incident responder. You can find the official competitive scoreboard on the CTF website.

A timeline of the event: the competition lasts 6 hours, but the room will still be available until July 28, 18:00 BST.

How to Join

This is a single-player CTF where anyone can join! This competition has no limit on participants and is open to all. Make sure to join this room, set up OpenVPN if you want to use your own tools, and join the #honeynet-collapse-ctf Discord channel to stay updated!

CTF Rules

  • Do not attack TryHackMe's infrastructure or other users' machines.
  • Do not brute force answers (flags) on the TryHackMe platform.
  • Don't share flags with others, and do not ask for hints during the event.

If you have questions or need support from TryHackMe, please join our Discord channel and open a ticket. The full Terms and Conditions of the competition can be read here.

Tips Before the Start

Keep notes, and don't focus on a single data source. From Auditd to Zimmerman Tools, you may need to use lots of artifacts and utilities to fully investigate the cases. To better prepare for the event, repeat the topics covered in the Advanced Endpoint Investigations path:

  • Linux and Windows endpoint investigation
  • Memory forensics using Volatility 3
  • NTFS filesystem and disk investigation
  • macOS artefact parsing and forensics

Answer the questions below

I have joined Discord channel!

Meet DeceptiTech

DeceptiTech is a fast-growing cyber security company specializing in honeypot development and deception technologies. At the heart of their success are DeceptiPots - lightweight, powerful, and configurable honeypots that you can install on any OS and capture every malicious action!

The internal DeceptiTech network is organized around a traditional on-premises Active Directory domain with approximately 50 active users. The product platform, however, is isolated and hosted entirely in the AWS cloud:

A diagram of the DeceptiTech network

The Story So Far

One ordinary morning, DeceptiTech’s entire network collapsed. Within minutes, all critical on-premises systems were locked down and encrypted. The IT department hurried to restore backups, while the security team rushed to their SIEM - only to find the backups corrupted and all SIEM data wiped clean.

DeceptiTech has been out-deceived and they have no idea what to do next. That is why they called you, part of an external DFIR response unit, to perform a full-scope investigation.

Ready To Begin?

Uncover the origin of the breach, trace the attacker's movements, and piece together how the entire DeceptiTech network went down before it's too late. Welcome to the Honeynet Collapse, and good luck - you have only six hours!

Answer the questions below

Let's go!

Final Words

In the chaos of a breach, collecting the artifacts wasn't easy. But piece by piece, you uncovered the timeline of the breach and contained the threat before it reached AWS. And even more important, we hope you had fun solving the case. The entire team at DeceptiTech applauds your effort and determination - well done!

Competitive Results

Those first six hours were challenging, right? We hope they were rewarding too, both in terms of practice and hopefully of prizes! For the top 10 participants, see the scoreboard on the CTF website or check out the screenshot below. To see your place in the global scoreboard, either wait until Monday to receive your certificate, or, if you can't wait any longer, check out this Notion document: https://tryhackme.notion.site/honeynet-collapse-ctf

The final competitive scoreboard.

Thanks for Playing

From all of the TryHackMe team, a massive thank you for participating in this CTF! We hope you enjoyed the challenges and had a great time solving them. It was a pleasure having you all on board!

The CTF room will remain active for the weekend in case you want to complete all questions or review the whole case without worrying about time pressure.

We would really appreciate it if you could provide us with your honest feedback on the event by filling out this form. Let us know what we did well or what needs to be improved, and we hope to see you at our future events!

~ TryHackMe

Answer the questions below

Thanks for playing!
