📅 Published: 2026-05-05 20:44 | 🔄 Last Updated: 2026-05-16 02:32
https://cyberdefenders.org/blueteam-ctf-challenges/16
Q1: This is a simple question to get you familiar with submitting answers. What is the name of the company that makes the software that you are using for this competition? Answer guidance: A six-letter word with no punctuation.
Splunk
Q2: Amber Turing was hoping for Frothly to be acquired by a potential competitor who fell through, but they visited their website to find contact information for their executive team. What is the website domain that she visited? Answer guidance: Do not provide the FQDN. Answer example: google.com
Q3: Amber found the executive contact information and sent him an email. What is the CEO's name? Provide the first and last name.
Q4: After the initial contact with the CEO, Amber contacted another employee at this competitor. What is that employee's email address?
Q5: What is the name of the file attachment that Amber sent to a contact at the competitor?
Q6: What is Amber's personal email address?
Q7: What version of TOR did Amber install to obfuscate her web browsing? Answer guidance: Numeric with one or more delimiters.
Q8: What is the public IPv4 address of the server running www.brewertalk.com?
Q9: Provide the IP address of the system used to run a web vulnerability scan against www.brewertalk.com.
Q10: A likely different piece of software is also using the IP address from question 9 to attack a URI path. What is the URI path? Answer guidance: Include the leading forward slash in your answer. Do not include the query string or other parts of the URI. Answer example: /phpinfo.php
Q11: What SQL function is being abused on the URI path from question 10?
Q12: What is Frank Ester's password salt value on www.brewertalk.com?
Q13: What is user btun's password on brewertalk.com?
Q14: What are the characters displayed by the XSS probe? Answer guidance: Submit answer in the native language or character set.
Q15: What was the value of the cookie that Kevin's browser transmitted to the malicious URL as part of an XSS attack? Answer guidance: All digits. Not the cookie name or symbols like an equal sign.
Q16: The brewertalk.com website employed Cross-Site Request Forgery (CSRF) techniques. What was the value of the anti-CSRF token stolen from Kevin Lagerfield's computer and used to help create an unauthorized admin user on brewertalk.com?
Q17: What was the brewertalk.com username maliciously created by a spearphishing attack?
Q18: Considering the threat group associated with the suspect IP address 5.39.93.112 in Enterprise Security, and related data, what protocol often used for file transfer is actually responsible for the generated traffic?
Q19: Mallory's critical PowerPoint presentation on her MacBook gets encrypted by ransomware on August 18. At what hour, minute, and second does this actually happen? Answer guidance: Provide the time in PDT. Use the 24h format HH:MM:SS, using leading zeroes if needed. Do not use Splunk's _time (index time).
Q20: How many seconds elapsed when the ransomware executable was written to disk on MACLORY-AIR13 and the first local file encryption? Answer guidance: Use the index times (_time) instead of other timestamps in the events.
Q21: Kevin Lagerfield used a USB drive to move malware onto kutekitten, Mallory's personal MacBook. She ran the malware, which obfuscates itself during execution. Provide the vendor name of the USB drive Kevin likely used. Answer guidance: Use time correlation to identify the USB drive.
Q22: What programming language is at least part of the malware from the question above written in?
Q23: The malware from the two questions above appears as a specific process name in the process table when it is running. What is it?
Q24: The malware infecting kutekitten uses dynamic DNS destinations to communicate with two C&C servers shortly after installation. What is the fully qualified domain name (FQDN) of the first (alphabetically) of these destinations?
Q25: From the question above, what is the fully qualified domain name (FQDN) of the second (alphabetically) contacted C&C server?
Q26: A Federal law enforcement agency reports that Taedonggang often spear phishes its victims with zip files that have to be opened with a password. What is the name of the attachment sent to Frothly by a malicious Taedonggang actor?
Q27: The Taedonggang APT group encrypts most of their traffic with SSL. What is the "SSL Issuer" that they use for the majority of their traffic? Answer guidance: Copy the field exactly, including spaces.
Q28: Threat indicators for a specific file triggered notable events on two distinct workstations. What IP address did both workstations have a connection with?
Q29: Based on the IP address found in the question above, what domain of interest is associated with that IP address?
Q30: What unusual file (for an American company) does winsys32.dll cause to be downloaded into the Frothly environment?
Q31: What is the first and last name of the poor innocent sap who was implicated in the metadata of the file that executed PowerShell Empire on the first victim's workstation? Answer example: John Smith
Q32: To maintain persistence in the Frothly network, Taedonggang APT configured several Scheduled Tasks to beacon back to their C2 server. What single webpage is most contacted by these Scheduled Tasks? Answer guidance: Remove the path and type a single value with an extension. Answer example: index.php or images.html
Q33: Which HTTP user agent is associated with a fraudster who appears to be gaming the site by unsuccessfully testing multiple coupon codes?
Q34: Individual clicks made by a user when interacting with a website are associated with each other using session identifiers. You can find session identifiers in the stream:http sourcetype. The Frothly store website session identifier is found in one of the stream:http fields and does not change throughout the user session. What session identifier is assigned to dberry398@mail.com when visiting the Frothly store for the very first time? Answer guidance: Provide the value of the field, not the field name.
Q35: What is the domain name used in email addresses by someone creating multiple accounts on the Frothly store website (http://store.froth.ly) that appear to have machine-generated usernames?
Q36: Which user ID experienced the most logins to their account from different IP addresses and user agent combinations? Answer guidance: The user ID is an email address.
Q37: Several user accounts sharing a common password are usually a precursor to an undesirable scenario orchestrated by a fraudster. Which password is being seen most often across users logging into http://store.froth.ly?
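Q34, Q36 and Q37 all rest on the same idea: a login POST captured by Splunk Stream carries the submitted form (email and password), the client's source IP and user agent, and the session cookie, so fraud patterns fall out of grouping those fields. The block below is an added example written for this page, not code from CyberDefenders, Splunk or the BOTSv2 dataset. It runs the three analyses in plain Python over a handful of constructed stream:http-style events. The field names (src_ip, http_user_agent, cookie, form_data) follow the Splunk Stream HTTP schema; every value in the events is invented, and the session cookie name PHPSESSID is an assumption, not something the page states.

```python
"""Store-fraud hunting logic over stream:http-style events.

Added example for this page, not code from CyberDefenders, Splunk or the BOTSv2
dataset. Field names (src_ip, http_user_agent, cookie, form_data) follow the
Splunk Stream HTTP schema; every value below is constructed, and the session
cookie name PHPSESSID is an assumption.
"""
from collections import defaultdict
from urllib.parse import parse_qs

# Constructed events: POSTs to a store login form plus one plain GET.
# Deliberately not sorted by _time: "first visit" must be decided by the
# timestamp, not by event order.
EVENTS = [
    {"_time": 1503000100, "src_ip": "198.51.100.10", "http_user_agent": "Mozilla/5.0 (X11; Linux)",
     "cookie": "PHPSESSID=f00dbeef; theme=light",
     "form_data": "email=dberry398%40mail.com&password=winter2017"},
    {"_time": 1503000050, "src_ip": "198.51.100.10", "http_user_agent": "Mozilla/5.0 (X11; Linux)",
     "cookie": "PHPSESSID=0ddba11", "form_data": ""},
    {"_time": 1503000000, "src_ip": "198.51.100.10", "http_user_agent": "Mozilla/5.0 (X11; Linux)",
     "cookie": "PHPSESSID=0ddba11",
     "form_data": "email=dberry398%40mail.com&password=winter2017"},
    {"_time": 1503000200, "src_ip": "203.0.113.5", "http_user_agent": "curl/7.54.0",
     "cookie": "PHPSESSID=c0ffee01",
     "form_data": "email=alice%40frothly.test&password=brewski123"},
    {"_time": 1503000300, "src_ip": "203.0.113.6", "http_user_agent": "python-requests/2.18",
     "cookie": "PHPSESSID=c0ffee02",
     "form_data": "email=alice%40frothly.test&password=brewski123"},
    {"_time": 1503000400, "src_ip": "203.0.113.7", "http_user_agent": "curl/7.54.0",
     "cookie": "PHPSESSID=c0ffee03",
     "form_data": "email=alice%40frothly.test&password=brewski123"},
    {"_time": 1503000500, "src_ip": "192.0.2.20", "http_user_agent": "Mozilla/5.0 (Windows NT 10.0)",
     "cookie": "PHPSESSID=ba5eba11",
     "form_data": "email=bob%40frothly.test&password=brewski123"},
    {"_time": 1503000600, "src_ip": "192.0.2.21", "http_user_agent": "Mozilla/5.0 (Macintosh)",
     "cookie": "PHPSESSID=deadbea7",
     "form_data": "email=carol%40frothly.test&password=brewski123"},
]


def form_fields(event):
    """Decode the urlencoded POST body into {name: value} (first value wins)."""
    return {k: v[0] for k, v in parse_qs(event.get("form_data", "")).items()}


def session_id(event, cookie_name="PHPSESSID"):
    """Return the session cookie's value from the Cookie header, or None."""
    for part in event.get("cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == cookie_name and value:
            return value
    return None


def first_session_for(events, email):
    """Q34: session identifier of the earliest event in which `email` was submitted."""
    hits = [e for e in events if form_fields(e).get("email") == email]
    return session_id(min(hits, key=lambda e: e["_time"])) if hits else None


def login_diversity(events):
    """Per submitted email, the number of distinct (src_ip, user agent) pairs."""
    combos = defaultdict(set)
    for e in events:
        email = form_fields(e).get("email")
        if email:
            combos[email].add((e["src_ip"], e["http_user_agent"]))
    return {email: len(pairs) for email, pairs in combos.items()}


def most_diverse_user(events):
    """Q36: email with the most distinct IP/user-agent combinations (None if no logins)."""
    diversity = login_diversity(events)
    return max(diversity, key=diversity.get) if diversity else None


def most_shared_password(events):
    """Q37: (password, number of distinct accounts using it) for the most-shared password."""
    accounts = defaultdict(set)
    for e in events:
        fields = form_fields(e)
        if "email" in fields and "password" in fields:
            accounts[fields["password"]].add(fields["email"])
    if not accounts:
        return None
    password, users = max(accounts.items(), key=lambda kv: len(kv[1]))
    return password, len(users)


if __name__ == "__main__":
    print("Q34 first session:", first_session_for(EVENTS, "dberry398@mail.com"))
    print("Q36 most diverse user:", most_diverse_user(EVENTS), login_diversity(EVENTS))
    print("Q37 most shared password:", most_shared_password(EVENTS))
```

The same three answers come out of Splunk with stats over sourcetype=stream:http: the session cookie value on the event with min(_time) for a given email, dc() of an eval-built src_ip plus http_user_agent field per email, and dc() of emails per submitted password. Note that the second dberry398@mail.com event in the sample carries a different session cookie and an earlier _time than the first, which is why the function sorts by timestamp rather than trusting event order.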