You have just been hired as the network and security administrators at a small company and will be taking administrative control of their web server. You know very little about the network, what security level has been maintained, or what software has been installed. You have a limited time frame to familiarize yourself with the network and systems and to begin the security updates and patches before the red team starts actively attacking your company.
Services You Must Provide:
Your team must keep the following services available on all three IP
addresses that were given to you:
- MySQL (for the purpose of supporting the existing WordPress site)
- WordPress site must continue providing the content in the MONITOR THIS entry, at the same URL (http://<Your IP>/wordpress/?p=4), and must continue to function as a WordPress site
- The daytime service must continue providing the time of day on the server
- FTP must continue providing anonymous access to log in and download any files hosted there
- The print service (ipp) must be running
- Your IP address must respond to ICMP ECHO REQUESTs (ping) per
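As an added example (not part of the exercise materials), a small Python availability monitor a blue team could run against its own three addresses to confirm each scored service above is still reachable after every hardening change. Port numbers are the IANA defaults and are assumptions, as is MySQL being reachable over the network and the MONITOR THIS title appearing in the served HTML.

```python
# Added example, not from the exercise page: availability monitor for the scored
# services. Ports are IANA defaults (assumed); MySQL on 3306 is assumed reachable
# from the network (the brief only requires it to back WordPress).
import socket
import subprocess
import urllib.request

REQUIRED_TCP = {"http": 80, "mysql": 3306, "daytime": 13, "ftp": 21, "ipp": 631}
WORDPRESS_PATH = "/wordpress/?p=4"   # URL the brief says must keep working
MONITOR_MARKER = "MONITOR THIS"      # scored entry title, assumed to appear in the HTML

def tcp_open(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def daytime_text(host, timeout=3.0):
    """Read the daytime reply (RFC 867: one line, then the server closes); '' on failure."""
    try:
        with socket.create_connection((host, 13), timeout=timeout) as s:
            return s.recv(256).decode("ascii", "replace").strip()
    except OSError:
        return ""

def http_get(url, timeout=5.0):
    with urllib.request.urlopen(url, timeout=timeout) as r:
        return r.read().decode("utf-8", "replace")

def ping_ok(host):
    # ICMP echo via the system ping (one packet, 2 s wait); needs no root privileges
    r = subprocess.run(["ping", "-c", "1", "-W", "2", host], capture_output=True)
    return r.returncode == 0

def check_host(host, probe=tcp_open, daytime=daytime_text, fetch=http_get, ping=ping_ok):
    """Map each scored service to True/False. Probes are injectable for offline testing."""
    results = {name: probe(host, port) for name, port in REQUIRED_TCP.items()}
    results["daytime-content"] = bool(daytime(host))        # port open is not enough
    try:
        results["wordpress-content"] = MONITOR_MARKER in fetch(f"http://{host}{WORDPRESS_PATH}")
    except Exception:                                      # any fetch failure counts as down
        results["wordpress-content"] = False
    results["icmp-echo"] = ping(host)
    return results

def failed(results):
    """Names of scored services that are down, sorted for the final report."""
    return sorted(name for name, ok in results.items() if not ok)
```

Run it against each of your addresses after every firewall or service change; anything returned by `failed()` costs availability points.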
The following username and password will allow you to log in to any of your
VMs initially. Since these are the same for all teams, you are advised to
change the password immediately:
- username: student / password: student
Both MySQL databases are owned and administered by the following accounts:
- username: root / password: (empty)
- username: student / password: student
The CDX period begins at 6:00AM, December 7 and ends 8:00PM, December 7.
The final report is due 11:59PM, December 14 (OK, if you are a little late
and I have some other reports to read I will still accept it). A sample
final report is here.
- examine the supplied VM and improve its security posture through
changes to configuration files.
- allow the VM to undergo attack by the red team (Perfect Storm) during
- submit a final report that includes a listing of all changes
made to improve the security posture (and why), a Kill Chain
description of cyber attack(s) against your server during the CDX period,
and other items as described in the sample report below and as the
team sees fit to include.
Download: CDX-2018.ova - Size: approx 2.09GB - Use "Import Appliance" in VirtualBox to install
- SHA1sum: bce929d849de5a8bdf3a34979e6be2d032084926
Red Team Rules of Engagement:
- It is not OK to attempt to break out of the CDX network. That is, red
team members should stick to poking IP address 10.8.0.1XX.
- If a VM is compromised (that is, password is discovered and red team can
enter the VM and become root) it is not OK to attempt to open a connection to
UC's network from the compromised VM.
- It is OK to attack after 11:59PM on November 30 and before 11:59AM on
December 1 only (this has been changed to all day December 2 and all day
- The red teams provide for scoring based on service availability and the
scoring is posted via the internet.
- The red teams provide a log of attacks.
- The red teams will generate benign traffic in addition to making attacks.
Blue Team Rules of Engagement:
- Recovery using a snapshot is disallowed as it violates the spirit of a
CDX where we are trying to improve skills of recovery from attack.
- It is OK to block ports that are not used to provide necessary
- It is OK to transfer files between the host OS and the VM but not between
the VM and a UC node. This means it is not OK to transfer a file from the VM
to the host then from the host to a UC node.
- It is OK to create new accounts, change passwords, add or remove users
and groups in the VM. All changes need to be documented (the change and the
date and time) in the final report.
- You must defend only through proactive configuration and defensive
blocking. In other words, you cannot attack anyone, whether it is a red
team or a blue team member.
- Points are deducted where the final report indicates an attack that was
actually benign traffic or has no mention of an attack that occurred.
- It is OK to add or remove packages from the VM. For example, you may
want to add some analysis tools and remove some potentially dangerous packages
that are not needed.
Teams:
|Patel, Peasley, Millot||
|Mace, Gamstetter, Daugherty, Stewart||
|Kramer, Koch, Camburn, Hoelle||
|Leger, Bowman, Hasler||
|Moeen, Ramirez, Doan, Gautam||
|Komaragiri, Rajani, Karkera||
|Bakare, Elia, Alalade||
|Dare, Yinka & Zack|224-226|
|Lnu, Jaddi, Srinija, Saineni||
|Puchala, Yarlagadda, Patel||
|Addai, Efosa, Alharthi||
|Farolino, Fahey, Lewis||