Module: Open Source Intelligence
Topic: Meta
Objective
Students will be able to use a metadata viewer to determine information about a photo that was taken.
Prompt
This challenge will give you experience with extracting metadata from an image file. You are given an image with contains metadata and you will need to use a metadata viewer to help answer the questions.
Questions & Answers
- When was the image created? (Round to the nearest minute) Answer: 2015/05/15 02:14
- What is the image size in pixels? (ex: 800x600) Answer: 1024x768
- What is the make of the camera that took the picture? Answer: apple
- What is the model of the camera that took the picture? Answer: iphone 5
- What is the exposure time for the picture? (ex: 1/200) Answer: 1/640
- Where was the picture taken? Please use only positive numbers with 4 decimal places. (ex: 45.4000N, 75.6667W) Possible answers: ● 39.8750N 20.0100E ● 39.8750N, 20.0100E ● 39 deg 52' 30.00" N, 20 deg 0' 36.00" E ● 39 deg 52' 30.00" N 20 deg 0' 36.00" E ● 39.8750 20.0100 ● N 39° 52' 30'' E 20° 0' 36'’ ● Latitude 39:52:30 Longitude 20:0:36 ● 39; 52;30 20;0; 36 ● 39º 52' 30.00" N, 20º 0' 36.00" E Incorrect answers: ● 39.8750 -20.0100 ● -39.8750 -20.0100 ● -39.8750N, 20.0
Extension Activities
Grade level | Extension Activity | Objective | Activity Steps |
6-8 | News Verification Lab | Distinguish between real and fake news using OSINT techniques. | Give students headlines or short articles.
Ask them to: Reverse image search pictures
Check sources
Cross-reference news stories |
9-12 | OSINT Tools Treasure Hunt | Explore safe, open-source tools. | Tools: WHOIS lookup, Google Earth, The Wayback Machine, Social Search Engines (e.g., Social Searcher, IntelX)
Activity: Create a challenge where students have to:
Find who owns a domain
Look at archived versions of a website (use wayback machine)
Track public social posts for patterns |
Topic: Lookup
Objective
Students will be able to find and use a specification document to answer questions about DNS.
Prompt
Answer these questions about DNS. Make sure you enter the record type and not the description of the record type.
Questions & Answers
- What type of DNS record hold the DNSSEC public signing key?
Answer: DNSKEY
- What type of DNS record is used to map hostnames to IPv6 addresses?
Answer: AAAA
- What type of DNS record is used to delegate a DNS zone?
Answer: NS or Name Server
Extension Activities
6-8 | Username Investigation Game | Understand how usernames can reveal a digital trail. | Give a fictional username (e.g., “AlexGamer47”) and have students: Search for it on YouTube, Twitter (using screenshots), or game forums. Record patterns of use: hobbies, interests, locations. Discussion Prompt: Why do people reuse usernames? What can others learn from that? |
9-12 | Social Media Pattern Analysis | Understand how public posts create patterns. | Using a fictional account (set up by the teacher), have students: Map post times and locations Identify potential routines Connect hashtags to interests or communities |
Topic: Threat Intel
Objectives
Students will be able to use search tools to answer questions about security topics.
Prompt
Answer the following questions about security issues.
Questions & Answers
- What is the CVE of the original POODLE attack?
- What version of VSFTPD contained the smiley face backdoor?
- What was the first 1.0.1 version of OpenSSL that was NOT vulnerable to heartbleed?
- What was the original RFC number that described Telnet?
- How large (in bytes) was the SQL Slammer worm?
- Samy is my…
How to solve: The answer to this question can be found on Wikipedia.
Answer: CVE-2014-3566
How to solve: The answer to this question can be found on Wikipedia.
Answer: 2.3.4
How to solve: The answer to this question can be found on Wikipedia.
Answer: 1.0.1g
How to solve: The answer to this question can be found on Wikipedia. You will have to search another linked Wikipedia page for more information related to when Telnet was first developed.
Answer: 15
How to solve: The answer to this question can be found on Wikipedia.
Answer: 376
How to solve: The answer to this question can be found on Wikipedia.
Answer: hero
Extension Activities
6-8 | Build-A-Hacker Workshop (Fictional Personas) | Understand how threat actors gather info. | Given a scenario (e.g., a hacker wants to target a school), students: Use fictional student or staff profiles. Identify what information is publicly available (e.g., school calendar, staff names).Outcome: Students write a short paragraph predicting how the hacker might use the info and how to defend against it. Have students share their writings. |
9-12 | Fake Job Post Scam Breakdown | Understand how cybercriminals target individuals. | Students analyze fake job posts or emails (pre-curated).Use OSINT to check company legitimacy (e.g., WHOIS, company site vs fake URL).Discussion Prompt: How do threat actors use platforms like LinkedIn to customize attacks? |
Topic: HTTP Headers
Objectives
Students will be able to find resources to understand different types of HTTP request headers.
Prompt
Solve these questions about HTTP headers.
Questions & Answers
- What HTTP request header is used to denote what URI linked to the resource being requested?
- What HTTP request header is used to identify the client software that made the HTTP request?
- What HTTP request header is used to identify the acceptable content types that can be returned?
Answer: referer *Note that the official specification for this header has “referrer” spelled incorrectly as “referer”
Answer: user-agent
Answer: accept
Extension Activities
6-8 | "What’s in a Web Request?" – Header Basics Lab | Introduce basic HTTP headers using simplified, printed mockups. | Present a mock HTTP GET request with headers like User-Agent, Host, and Referer. Ask students to decode what device/browser was used, what website was accessed, and where the request came from. Discussion Prompt: How could this data help someone track you online? |
9-12 | OSINT Header Case Study | Analyze how HTTP headers were used in a real-world investigation. | Setup: Use a public case (e.g., website misconfiguration or tech stack leakage). Activity: Provide captured headers from the case. Ask students to infer: Server type, Technologies in use, Possible vulnerabilities. Ethics Discussion: When is it okay to analyze headers? What should be off-limits? |
Topic: WHOIS
Objective
Students will be able to conduct a WHOIS query to learn publicly available information about a domain name.
Prompt
Conduct open source intelligence data collection about cityinthe.cloud. Answer the following questions as they relate to the cityinthe.cloud domain.
Questions & Answers
- Who is the registrar of this domain?
- On what day was this domain first registered?
- What is this domain's registry domain ID?
- What is the Top-Level Domain (TLD) of this domain?
- What organization manages the TLD used by cityinthe.cloud?
Answer: Dynadot
Answer: 2016-02-16
Answer: D15CD1AC4DEB54207A5048A69B9FC0558-ARI
Answer: cloud
Answer: Aruba
Extension Activities
6-8 | WHOIS Mystery Matching Game | Connect WHOIS records to fictional organizations. | Setup: Create 3–4 mock WHOIS records and 3–4 fictional website profiles. Activity: Students analyze clues like registrar location, organization name, or domain age. Match each WHOIS record to the correct fake website. Use cards or slides for a collaborative classroom game. |
9-12 | WHOIS in the Real World: Threat Intelligence Report | Apply WHOIS to a broader investigation. | Assign a simulated incident (e.g., spam email, fake site).Students gather WHOIS data, infer attacker profile traits (e.g., fast-registered domains, offshore registrars).Produce a 1-page “Threat Intel Summary.” |
Walkthrough
https://trove.cyberskyline.com/a60b1f22554d4d66a9a733a787e9df50
🔍 Topic: PGP Lookup
Objectives
Students will query a public key database to identify the types of information stored there.
Prompt
Individuals use PGP to securely encrypt their emails, can you find out more about the following PGP keys?
Questions & Answers
- What is the key fingerprint for security@cpanel.net?
- What email address is associated with the key fingerprint
7A39A56B73D1E097D57435CFCDE2DE1DCB2077F2? - On what date does the above key expire (in UTC)?
Answer: B6709B4CC6F42077F69841919521BEDCABD94DDF
Answer: hx@liber8tion.cityinthe.cloud
Answer: 2050-12-26
Extension Activities
6-8 | Understanding Digital Signatures | Introduce students to the concept of digital signatures and their role in verifying the authenticity of digital communications. | Discuss the basics of encryption and how digital signatures work. Use a simple analogy (like sealing a letter in an envelope) to explain how PGP ensures message integrity. Provide examples of how digital signatures are used in everyday life (e.g., software downloads, secure emails). |
9-12 | Analyzing PGP Key Metadata | Teach students how to extract and analyze metadata from PGP keys to gather OSINT. | Provide students with sample PGP public keys (ensure these are fictional or anonymized).Guide students through the process of examining key details such as creation date, associated email addresses, and key fingerprints. Discuss how this information can be used in digital investigations and the importance of ethical considerations. |
Walkthrough
https://trove.cyberskyline.com/8eb49cf698d149fe969acd161020245d
🔐 Topic: SSL
Objectives
Students will use a browser in order to analyze a SSL certificate chain.
Prompt
Solve the following questions about the Cyber Skyline SSL certificate.
Note: If you see references to "BitDefender" in the process of solving this challenge, that means your BitDefender software is intercepting your SSL/TLS connection and will produce incorrect results.
Questions & Answers
- Who is the issuer for Cyber Skyline's SSL certificate?
- How many bits long is the SSL key?
- How many certificates are in the certificate chain?
Possible Answers: sectigo, comodo
Answer: 2048
Answer: 3
Extension Activities
6-8 | “What's in a URL?” Sorting Game | Learn to distinguish between HTTP and HTTPS. | Provide a stack of fake or real URLs.Students sort into “Secure” (HTTPS) and “Not Secure” (HTTP).Discuss what might happen if you send personal data over an insecure connection. |
9-12 | Expired or Misissued Certificate Challenge | Understand how SSL certificate issues may indicate threats. | Provide samples of expired, self-signed, or misconfigured certificates (can be screenshots or from certificate transparency logs).Students determine what’s wrong and how that might signal phishing, misconfiguration, or a suspicious site. |
Walkthrough
https://trove.cyberskyline.com/8835d44ab9914ab98e25c6b2b5999abf
💳Topic: Barcode
Objective
Students will be able to use a barcode reader to identify hidden information.
Prompt
We intercepted a barcode we think might be hiding a flag. See if you can find it.
Questions & Answers
- What format does the barcode use?
- What is the flag hidden in the barcode?
Possible Answers: code 39, code39, Code_39, USD-3, Code 3 of 9, Code 3/9, Alpha 39
Answer: SKY-UZLU-5635
Extension Activities
6-8 | Decode the Hidden Message (QR Detective) | Learn what QR codes are and how they encode information. | Students scan teacher-provided QR codes using school devices .Each QR code reveals a clue, message, or safe web link (e.g., a NASA fact, a riddle).Students work in teams to piece together a message or win a classroom scavenger hunt. Discussion: Why do we use QR codes? What kind of information can they hide? |
9-12 | Reverse Lookup of QR/Barcode Data | Investigate a product or web page linked via barcode or QR. | Scan or decode a real or simulated code. Conduct OSINT to find out: Who owns the domain or product? Where the item was manufactured or registered?Is the website or organization legitimate? Use WHOIS, Wayback Machine, and barcode prefix databases for investigation. |
Walkthrough
https://trove.cyberskyline.com/d695b934ae954d30b237eb4e1d81a946
Module: Cryptography
💯 Topic: Number Bases
Objectives
Students will use tools to recognize and convert various number bases.
Prompt
Our analysts have obtained password dumps storing hacker passwords. After obtaining a few plaintext passwords, it appears that they are all encoded using different number bases.
Questions & Answers
User | Cipher Text | Answer |
Nan | 0x73636f7270696f6e | Answer: scorpion |
Elliot | c2NyaWJibGU= | Answer: scribble |
Steve | 01110011 01100101 01100011 01110101 01110010 01100101 01101100 01111001 | Answer: securely |
Daniel | 01100010 01000111 00111001 01110011 01100010 01000111 01101100 01110111 01100010 00110011 01000001 00111101 | Answer: lollipop |
Extension Activities
6-8 | Color Code Encryption (Hex and RGB) | Use hexadecimal to encode color values and relate them to cryptographic codes. | Teach students how hex values map to RGB (e.g., #FF0000 = red).Create a color-coded message where each letter maps to a hex color.Students decode messages using hex charts. |
9-12 | Cryptographic Base Challenge | Understand base conversions and their role in encoding systems like Base64 and hexadecimal hashes. | Provide students with encrypted-looking strings (e.g., hex-encoded, binary). Challenge them to decode messages by identifying and converting base formats. Include layers (binary → decimal → ASCII → message). |
Walkthrough
https://trove.cyberskyline.com/8964d7b06a234684abffade642838140
〽️ Topic: Shift
Objectives
Students will decode a Ceasar shift cipher.
Prompt
Our analysts have obtained password dumps storing hacker passwords. It seems to be using a pretty simple encryption scheme, see if you can crack them.
Questions & Answers
User | Password Ciphertext | Answer | Solution |
Chris | iveghny ynxr | virtual lake |
Extension Activities
6-8 | Code Wheel Construction & Cipher Fun | Learn letter shifting using a Caesar cipher wheel. | Students build a Caesar cipher wheel from a printable template (inner and outer alphabet circles).Encode a message by rotating the wheel to a shift value (e.g., shift of 3).Partner up: one student encodes, the other decodes. |
9-12 | Caesar Cipher + Frequency Analysis | Understand and exploit the vulnerabilities of shift ciphers. | Provide a Caesar-encrypted message without a known key. Students: Try all 25 possible shifts (“brute-force” method).Perform frequency analysis (e.g., looking for common letters like E or T).Discuss how frequency analysis led to the downfall of simple substitution ciphers. |
Walkthrough
https://trove.cyberskyline.com/645f2b9059b04943bfa2c28b02667df5
🐢 Topic: @bash
Objective
Students will decode an atbash shift cipher.
Prompt
Our analysts have obtained password dumps storing hacker passwords. See if you can crack them.
Questions & Answers
User | Password Ciphertext | Answer | Solution |
Christian | hzuvob lyerlfh xzev | safely obvious cave |
Extension Activities
6-8 | Binary to Text Bash Simulation | Explore how computers use binary to represent letters. | Give students ASCII codes in binary. Simulate Bash decoding using a chart or worksheet. Discuss how computers turn data into readable info via shell tools. |
9-12 | Build a Bash Password Vault | Use Bash to securely store and retrieve hashed passwords. | Script idea: Accept a username and password. Hash the password. Store it in a file. Later, compare a login attempt to the stored hash. |
Walkthrough
https://trove.cyberskyline.com/7fa9781f241c4be49bf0cca9eadc2409
🚙 Topic: Beep
Objective
Students will recognize and decode morse code.
Prompt
Our analysts have intercepted an encoded message. See if you can decode it.
Questions
User | Password Ciphertext | Answer | Solution |
Helen | - .... . / ... . -.-. .-. . - / --- ..-. / --. . - - .. -. --. / .- .... . .- -.. / .. ... / --. . - - .. -. --. / ... - .- .-. - . -.. / ... -.- -.-- / -.. -.- ...- -... / ----. ---.. .---- -.… | THESECRETOFGETTINGAHEADISGETTINGSTARTEDSKYDKVB9816 |
Extension Activities
6-8 | Beep Morse Code Challenge | Encode and decode messages using sound. | Teach students basic Morse code (e.g., A = .-).Use a simple tone generator app, physical buzzer, or your own voice (short/long beeps).In teams, students send coded beeps across the classroom; others decode the message. |
9-12 | Sonic Modem & Tones | Learn how modems used sound for data transfer. | Play samples of old dial-up modem sounds. Discuss how tones carried data across phone lines. Try encoding binary into a sequence of tones using tools like Audacity. Optional: build a tone-to-binary decoder in Python or spreadsheet format. |
Walkthrough
https://trove.cyberskyline.com/346b7cdf8ae246c9b1ce41971d3e1b31
🤺 Topic: Fencing
Objective
Students will recognize and decode a rail fence cipher.
Prompt
Our analysts have obtained encrypted messages. We saw hand-written notes that indicated the keys as being "3" and "5". See if you can crack them.
Questions & Answers
User | Password Ciphertext | Answer | Solution |
Eve | Cair eruSA-0org sgaeudrpesr K-II98ue cn seYQ3 | Courage is grace under pressure SKY-AIQI-9380 | |
Nan | F daS-eefn n KZ3eheadty.YI8lta oiwy-Q0 r aI2 | Feel the fear and do it anyway. SKY-IQIZ-3802. |
Walkthrough
https://trove.cyberskyline.com/346b7cdf8ae246c9b1ce41971d3e1b31
🇫🇷 Topic: French
Objective
Students will decrypt a Vigenère cipher.
Prompt
Our analysts have obtained an encrypted message. We know that the key, qizkwcgqbs was used. See if you can crack them.
Questions & Answers
User | Password Ciphertext | Answer | Solution |
Matt | Y ln xkv lubj swlzqvkht, A vmzb pjk bbua we ddgs ILQ-GQYU-8026 | I do not fear computers, I fear the lack of them SKY-QIZK-8026 |
Extension Activities
6-8 | Vigenère Cipher Challenge | Encrypt/decrypt using a repeating keyword | Using a Vigenère square, students pick a keyword and encode a message so each letter shifts differently. They compare it to Caesar and discuss why a repeating key resists simple frequency analysis — a first taste of "polyalphabetic" thinking. |
9-12 | RSA in Real Life (Digital Certificates Demo) | Understand how RSA protects secure websites. | Use a browser to explore HTTPS certificates (lock icon → certificate).Identify the public key and certificate authority. Students answer questions: Who signed it? What does the public key do? |
Walkthrough
https://trove.cyberskyline.com/c6c704add2e84e6ea6ddad7f2d7668d1
Topic: Stego 1
Objective
Students will use steganographic analysis tools to uncover a hidden message.
Prompt
The hackers have hidden a message in this image. Find out what it is.
Questions & Answers
1. What is the hidden flag in the image?
Answer: SKY-TVJI-2063
Walkthrough
https://trove.cyberskyline.com/733a58d8135847bbb08a4a6aacaeb96a
Topic: Stego 2
Objective
Students will use steganographic analysis tools to uncover a hidden message.
Prompt
The hackers have hidden a message in this image. Find out what it is.
Questions & Answers
1. What is the hidden flag?
How to solve: Use the Digital Invisible Ink Toolkit to obtain the hidden image using the “BlindHide” mode.
Answer: SKY-ERNT-4183
Walkthrough
https://trove.cyberskyline.com/5133730a17214be3831588652a5ce777
Topic: Stego 3
Objective
Students will use steganographic analysis tools to uncover a hidden message.
Prompt
The hackers have hidden a message in this image. Find out what it is.
Questions & Answers
1. What is the md5 sum of the hidden file?
How to solve: The MD5 sum can be found by running the Linux md5sum program (ex: md5sum file.out) on the output file from the Digital Invisible Ink Toolkit.
Answer: B2BDE37FEEDE452DB6CA45D1618785CA
2. What is the hidden message?
How to solve: Use the Digital Invisible Ink Toolkit to obtain the hidden image using the “BattleSteg” mode and then use the online hieroglyph translator to obtain the hidden message.
Note: e and i are replaceable in this alphabet, so you may need to tweak your message to create something that is sound in English.
Possible Answers: hidden messages, hedden messages
Walkthrough
https://trove.cyberskyline.com/455a54f0eb444fe399c9b4966a25f1d0
Topic: Stego 4
Objective
Students will use steganographic analysis tools to uncover a hidden message.
Prompt
The hackers have hidden a message in this image. Find out what it is.
Questions & Answers
1. What is the md5 sum of the hidden file?
How to solve: The MD5 sum can be found by running the Linux md5sum program (ex: md5sum file.out) on the output file from the Digital Invisible Ink Toolkit.
Answer: 77864C67BC0D74B0A05E6FEC2C24125B
2. What is the hidden message?
Use the Digital Invisible Ink Toolkit to obtain the hidden image using the “HideSeek ” mode and then use the Futurama Alphabet converter to obtain the hidden message.
Answer: there is no spoon
Walkthrough
https://trove.cyberskyline.com/38ce8b2db6a24bb49615382e2a252085
Module: Linux
🖥️ Topic: DIR
Objective
Students will use commands via the Linux Command Line (CLI) to analyze files and directories.
Prompt
One of our analysts had their laptop damaged. However, we were able to recover and mount the hard drive. Access the terminal and recover various flags from the disk.
Questions & Answers
- What are the contents of flag1.txt, found in root's home directory?
- What are the contents of flag2.txt, found in the root directory?
- What are the contents of flag3.txt, found in an archive in
/var/log? - What are the contents of flag4.txt, found in the flag user's home directory?
- What flag is printed when you run the flag5 program?
- What is the full path to the flag5 program?
- /usr/bin/flag5
- /usr/bin/
How to solve: Run cat flag1.txt from root’s home directory
Answer: SKY-FNKC-3207
How to solve: Use cd / to navigate to the root directory and then run cat flag2.txt.
Answer: SKY-NPEJ-2501
How to solve: Navigate to /var/log and then run tar -zxvf flag.tar.gz to extract the files from the archive.
Answer: SKY-FVHR-3562
How to solve: Navigate to the /home/flag directory and then run cat flag4.txt.
Answer: SKY-SXIJ-6142
How to solve: Run the flag5 program with the command flag5
Answer: SKY-UDSV-9689
How to solve: Run which flag5
Answers:
Incorrect: ./usr/bin/flag5
Extension Activities
6-8 | Linux Adventure Story | Use commands like dir to progress through a narrative. | Students role-play as secret agents or explorers.Each directory contains parts of a story.Students unlock new parts by listing contents (dir) and making choices (cd cave, cd castle). |
9-12 | Linux Forensics Mini-Challenge | Find files based on clues using dir, ls, find, and grep. | Create a mystery scenario (e.g., “Find who deleted the secret file”).Students navigate directories, list contents (dir), and read logs (cat logfile.txt).Combine clues to solve the case. |
Walkthrough
https://trove.cyberskyline.com/68a3552daa024ee6b4313703744ad77c
🗄️ Topic: File Edit
Objective
Students will use nano and Vim via the command line to create and edit files.
Prompt
Learn how to use command line file editors.
NOTE: The terminal session is logged. Please do not perform any denial of service attacks on the Linux server provided, malicious attempts to attack the Cyber Skyline platform will result in disqualification.
Questions & Answers
- What key should you press in addition to the CTRL key to trigger the combination to exit nano?
- What vim mode allows you to write new characters in the file?
- What keyboard combination will save and quit the file with vim?
- :wq
- wq
- What keyboard combination will delete an entire line in vim?
- What command would you use to rename a file?
Answer: x
How to solve: Search online for “vim mode to write new characters”.
Answer: insert
How to solve: Search online for “how to save and quit with vim” and read the descriptions for the different keyboard combinations.
Answers:
How to solve: Search online for “vim delete line” and then read the descriptions for possible keyboard combinations. See the Trove for more detailed guidance.
Answer: dd
How to solve: Search online for “linux how to rename a file” and read about the most common commands. See the Trove for more detailed guidance.
Answer: mv
Extension Activities
6-8 | Echo & Redirect Challenge | Use echo to write text to a file. | Run commands like echo "I love coding!" > myfile.txt.Append text using echo "And Linux!" >> myfile.txt.Display contents with cat myfile.txt.Discussion: What’s the difference between > and >>? |
9-12 | File Permissions and Editing | Explore how permissions affect file editing. | Create files with different permission settings (chmod).Try to edit them and observe what happens.Discuss why permissions are important for security. |
Walkthrough
https://trove.cyberskyline.com/cb681eb17071486a9906361f91247086
🗣️ Topic: Basic Commands
Objective
Use open source tools and Linux command line knowledge to string Linux commands together.
Prompt
Learn the common basic commands used on the Linux command line.
NOTE: The terminal session is logged. Please do not perform any denial of service attacks on the Linux server provided, malicious attempts to attack the Cyber Skyline platform will result in disqualification.
Questions & Answers
- What character can you use to redirect the output of one program as the input to another program?
- What character can you use the redirect the output of a program to a file?
- How many people have a first name of Jordan in names.csv?
How to solve: Search online for this question as-is. Make sure to find an answer that is specific to redirecting from output from one program to another program (and not to a file). See the Trove for additional guidance.
Answer: |
How to solve: Search online for this question as-is. Make sure to find an answer that is specific to redirecting from output from one program to a file (and not to another program). See the Trove for additional guidance.
Answer: >
How to solve: Use cut to grab only the column of first names, then use grep to search for “Jordan” and then use wc -l to get a line count.
cut -d "," -f 1 < names.csv | grep Jordan | wc -l
Answer: 2
Extension Activities
6-8 | Linux Command Bingo | Familiarize with common Linux commands. | Create Bingo cards with commands like ls, pwd, cd, mkdir, rm.Call out definitions or tasks (“Show me files in the folder”), students mark corresponding commands.First to bingo explains one command in detail. |
9-12 | Linux Trivia & Command Line Quiz | Reinforce command knowledge. | Prepare a quiz with multiple choice and practical terminal commands.Use interactive platforms or classroom polling.Include “Identify the command” from output examples. |
Walkthrough
https://trove.cyberskyline.com/5f6865d970874da2ab2b915ba79fd4c3
🧶 Topic: Strings
Objective
Use the strings command to find hidden information in a file.
Prompt
The hackers have hidden a message in this image. Find out what it is.
Questions & Answers
1. What is the hidden flag in the image?
How to solve: Run the strings command on the image and search for text that contains “SKY”.
strings STEG1.jpg | grep SKY
Answer: SKY-RCLO-4839
Extension Activities
6-8 | Guess the File Type | Use strings output to guess the type of file. | Give several files without extensions. Students use strings to extract text clues. Guess file types based on the strings (e.g., image metadata, code snippets, document text). |
9-12 | Build Your Own Binary File | Create a file with hidden text and practice extraction. | Use a hex editor or programming language (e.g., Python) to embed text inside a binary file. Use strings to extract it. Reflect on how data can be hidden and recovered. |
Walkthrough
https://trove.cyberskyline.com/e864b69e76f54f309385ea6dbe111c4c
Module: Log Analysis
🐚 Topic: SSH
Objective
Students will analyze the contents of an SSH log to identify adversarial behavior.
Prompt
Analyze this SSH log file to answer the following questions.
Questions & Answers
- What is the hostname of the ssh server that was compromised?
- What was the first IP address to attack the server?
- What was the second IP address to attack the server?
- What was the third IP address to attack the server?
- Which user was targeted in the attack?
- From which IP address was the attacker able to successfully log in?
Answer: myraptor
Oct 11 10:12:00 myraptor sshd[29459]: Server listening on 0.0.0.0 port 22.Answer: 169.139.243.218
Oct 11 10:12:25 myraptor sshd[29465]: Failed password for harvey from 169.139.243.218 port 57273 ssh2Answer: 56.13.188.38
Answer: 30.167.206.91
Answer: harvey
Oct 11 10:12:25 myraptor sshd[29465]: Failed password for harvey from 169.139.243.218 port 57273 sshAnswer: 30.167.206.91
Oct 11 10:36:59 myraptor sshd[30003]: Accepted password for harvey from 30.167.206.91 port 55326 ssh2Extension Activities
6-8 | Log Line Match Game | Learn SSH terminology and log meanings. | Match terms like Accepted password, Failed password, port, user, IP to their meanings. Color code log lines by type (green for success, red for failed attempts). |
9-12 | Create Your Own SSH Log Puzzle | Design and share SSH log puzzles with classmates. | Students write their own fake SSH logs with a narrative: attack, success, mistake, etc. Swap puzzles and analyze each other’s scenarios. |
Walkthrough:
https://trove.cyberskyline.com/5213e481daa544fb94001cd51096edbb
⌨️Topic: Login
Objective
Students will use command line tools to analyze a custom application log format.
Prompt
Analyze a custom application login event log to help us understand user behavior.
Questions & Answers
- How many total login attempts were made in this log?
- How many unique usernames appear in this log?
- What is the username with the most login attempts?
- How many attempts were made for the username with the most login attempts?
- What is the date with the most login attempts?
- What is the username that had logins from the most unique IP addresses?
How to solve: Get the line count of the log. (Reminder: at the end of the command, that is a lower case ‘L’ not a number 1)
cat login.log | wc -l
Answer: 6063
How to solve: Extract the third field (with the usernames) of the log, sort the usernames, get the unique usernames, and then get a line count of the number of unique usernames.
cat login.log | cut -f 3 | sort | uniq | wc -l
Answer: 1879
How to solve: Extract the third field (with the usernames) of the log, sort the usernames, get a frequency count of each unique username, and then sort the unique usernames by frequency.
cat login.log | cut -f 3 | sort | uniq -c |sort -n
Answer: ntory
cat login.log | cut -f 3 | sort | uniq -c |sort -n
Answer: 124
How to solve: Extract the first field (with the date+time) of the log, extract just the date, sort the dates, get a frequency count of each unique date, and then sort the unique dates by frequency.
cat login.log | cut -f 1 | cut -d " " -f 1 | sort | uniq -c | sort -n
Answer: 2011-03-23
How to solve: Extract the second field (with the IP address) and third field (with the username) of the log, sort the IP/username pairs, get the unique IP/username pairs, then extract just the usernames from each pair, sort the usernames, get a frequency count of how many unique pairs each username has, and then sort by frequency.
cat login.log | cut -f 2,3 | sort | uniq | cut -f 2 | sort | uniq -c | sort -n
Answer: wlfla0190
Extension Activities
6-8 | Login Color Code | Visually interpret log entries. | Print or display several log lines.Students highlight: Green: Successful logins Red: Failed logins Blue: IP addresses Discuss: What can logs tell us about system usage? |
9-12 | User Behavior Profile | Analyze and profile user activity. | Provide anonymized logs for 2–3 users. Students summarize: Login times Access locations (IP)Behavior patterns Discuss: What’s normal vs suspicious? |
Walkthrough
https://trove.cyberskyline.com/7c704ee8ab0a4e959360a1486fb60bae
⬆️Topic: VSFTPD
Objective
Students will analyze a VSFTPD log file.
Prompt
Analyze a VSFTPD log file that we obtained.
Questions & Answers
- What IP address did "ftpuser" first log in from?
- What is the first directory that ftpuser created?
- What is the last directory that ftpuser created?
- What file extension was the most used by ftpuser?
- What is the username of the other user in this log?
- What IP address did this other user log in from?
- How many total bytes did this other user upload?
- How many total bytes did ftpuser upload?
- How many total bytes did ftpuser download?
- Identify the IP address of the suspicious login (the login with no subsequent activity).
How to solve: Search for any entries that include “ftpuser”. One of these lines should include an IP address. cat vsftpd.log | grep ftpuser
Answer: 10.0.0.123
cat vsftpd.log | grep ftpuser | grep -i mkdir | head -n 1
Answer: TreeSizeFree
cat vsftpd.log | grep ftpuser | grep -i mkdir | tail -n 1
Answer: 110D300S
How to solve: Search for successful file upload entries from ftpuser, extract the file extension for those uploads, and then get the frequency count for each unique file extension
cat vsftpd.log | grep ftpuser | grep 'OK UPLOAD' | awk -F ',' '{print $2 }' | awk -F "." '{print $2}' | sort | uniq -c | sort
Possible Answers: jpeg, jpg, Joint Photographic Experts Group
cat vsftpd.log | awk '{print $8}' | sort | uniq
Answer: jimmy
cat vsftpd.log | grep jimmy
Answer: 10.0.0.214
How to solve: Search for successful file upload entries from jimmy, extract the number of bytes transferred, then sum the bytes cat vsftpd.log | grep jimmy | grep 'OK UPLOAD' | awk -F ',' '{print $3 }' | awk '{s+=$1} END {print s}’
Answer: 105750628 bytes
cat vsftpd.log | grep ftpuser | grep 'OK UPLOAD' | awk -F ',' '{print $3 }' | awk '{s+=$1} END {print s}’
Answer: 13980839165 bytes
cat vsftpd.log | grep ftpuser | grep 'OK DOWNLOAD' | awk -F ',' '{print $3 }' | awk '{s+=$1} END {print s}’
Answer: 6008032 bytes
How to solve: Search for all of the successful login attempts, extract the IP address used to log in, then sort and unique the IP addresses to identify IP addresses for manual inspection
cat vsftpd.log | grep 'OK LOGIN' | awk -F '"' '{print $2 }' | sort | uniq
Answer: 10.3.0.6
Extension Activities
6-8 | FTP Role-Play Activity | Act out FTP log scenarios and decode them. | Assign roles (Client, Server, Logger).Simulate login attempts and file transfers.Logger writes log entries, others guess what actions they represent. |
9-12 | Create Your Own FTP Log Puzzle | Design a VSFTPD log mystery for peers. | Students generate fictitious VSFTPD logs with:Students generate fictitious VSFTPD logs with:One suspicious loginOne normal userA fake attack attemptPeers analyze the log and identify the risky event. |
Walkthrough
https://trove.cyberskyline.com/a9aad5ab10334ac4ab37bdd04058e1ba
❎ Topic: Nginx
Objective
Students will analyze an nginx access log.
Prompt
Analyze an nginx access log and answer questions about what happened.
Questions & Answers
- How many different IP addresses reached the server?
- How many requests yielded a 200 code?
- How many requests yielded a 400 code?
- What IP address rang at the doorbell?
- What version of the Googlebot visited the website?
- Which IP address attempted to exploit the shellshock vulnerability?
- What was the most popular version of Firefox used for browsing the website?
- What is the most common HTTP method used?
- What is the second most common HTTP method used?
- How many requests were for \x04\x01\x00P\xC6\xCE\x0Eu0\x00?
Answer: 47
How to solve: Extract the third field after double quotes as the delimiter (which includes the HTTP codes), sort the codes, get the unique values with a count of the occurrences of each. Optional: sort in descending numeric order.
cat access.log | cut -d '"' -f3 | cut -d ' ' -f2 | sort | uniq -c | sort -rn
Answer: 19
cat access.log | cut -d '"' -f3 | cut -d ' ' -f2 | sort | uniq -c | sort -rn
Answer: 38
cat access.log | grep "bell"
Answer: 186.64.69.141
cat access.log | grep "Googlebot"
Answer: 2.1
How to solve: Search online for details about the Shellshock vulnerability. You should be able to find that the presence of this sequence of characters () { :; }; is an indication of an attempted exploitation of this vulnerability. With this knowledge, search the log for any lines with that sequence of characters.
cat access.log | grep '() { :; };'
Answer: 61.161.130.241
How to solve: Search the log for all lines that contain “Firefox” and the following characters which make up the version number, sort those values, and then get a unique count.
cat access.log | grep -o "Firefox/.*" | sort | uniq -c
Answer: Firefox/31.0
How to solve: Extract the 6th field (with the HTTP method), sort, get the unique values with a count of the occurrences of each value, and then sort in descending numeric order.
cat access.log | awk -F " " '{print $6}' | sort | uniq -c | sort -rn
Answer: GET
Incorrect: POST, PUT, HEAD, DELETE, CONNECT
cat access.log | awk -F " " '{print $6}' | sort | uniq -c | sort -rn
Answer: CONNECT
Incorrect: GET, POST, PUT, HEAD, DELETE
Note that that command requires two backslashes for each original backslash to perform a proper escape sequence for the backslash.
cat access.log | grep '\\x04\\x01\\x00P\\xC6\\xCE\\x0Eu0\\x00' | wc -l
Answer: 6
Extension Activities
6-8 | Website Detective | Match access log lines to website actions. | Give students fictional scenarios (e.g., visiting a page, clicking a link).Match them to the correct NGINX access log line. Match errors to mis-clicks (e.g., 404 for broken links). |
9-12 | Traffic Pattern Analysis | Analyze a set of access logs for usage trends. | Provide a few dozen real or simulated NGINX access log lines. Have students: Count total visits Identify top-requested URLs Chart visit frequency over time Use spreadsheets or visual tools for analysis. |
Walkthrough
https://trove.cyberskyline.com/7884f0c64e8b46cea64332a77b5ef56e
🕰️ Topic: History
Objective
Students will use SQL commands to analyze a SQlite database.
Prompt
Analyze a Firefox SQlite history database and answer questions about what happened. It you are not familiar with SQL you may want to learn more about SQL here: https://www.tutorialrepublic.com/sql-tutorial/
Questions & Answers
- What did the user search for on craigslist?
- What was the current price (USD) of bitcoin when the user was browsing?
- What Bitcoin exchange did the user log in to?
- What is the email that was used to log into the exchange?
- What was the ID of the Bitcoin transaction that the user looked at?
- What was the total BTC value of all the inputs of the Bitcoin transaction?
- Which Bitcoin address received the majority of the Bitcoin in the transaction?
Answer: bitcoin
Answer: $239.50
Answer: Coinbase
Answer: b1gbird@gmail.com
Answer: 5274cfba585a4b5681527a37f95c76340428916bb7480cef6c545f0a28dcd2d7 blockchain.info
Answer: 0.22616302
Answer: 18z6bTFjxkXCmhfp8YBetR2wgmoVjXGJZz
Extension Activities
6-8 | Log Story Sequencing Game | Reconstruct a digital activity timeline. | Provide: Cut-out log line cards with mixed-up order. User logs in at 8:00User opens a document. User edits document. User deletes a file User logs out Activity: Students rearrange the cards into the correct order. They write a one-paragraph summary of what happened based on the log. |
9-12 | Command Frequency Analysis | Determine behavior based on command frequency. | Provide a long history list with command repetition. Students: Tally top 5 used commands. Infer the user’s job (developer, admin, attacker?). Discuss what's "normal" vs "abnormal" usage. |
Walkthrough
https://trove.cyberskyline.com/038f8feecbf4489a9ee68d8c2131b49c
🦑 Topic: Squid
Objective
Students will analyze a Squid proxy log.
Prompt
Analyze this Squid proxy log to answer the following questions.
Questions & Answers
- In what year was this log saved?
- How many milliseconds did the fastest request take?
- How many milliseconds did the longest request take?
- How many different IP addresses did the proxy service in this log?
- How many GET requests were made?
- How many POST requests were made?
- What company created the antivirus used on the host at 192.168.0.224?
- What URL is used to download an antivirus update?
How to solve: Take any of the Epoch timestamps and convert them into a human-readable date. An online tool, such as Epoch Converter, can be used to do this.
Answer: 2010
How to solve: Extract the second field (the response time) and then sort the results numerically
cat squid_access.log | awk '{print $2}' | sort -n
Answer: 5
How to solve: Same as the question above.
cat squid_access.log | awk '{print $2}' | sort -n
Answer: 41762
How to solve: Extract the third field (the IP address of the proxy client), sort, get the unique values, and then get the line count.
cat squid_access.log | awk '{print $3}' | sort | uniq | wc -l
Answer: 4
How to solve: Extract the 6th field (the HTTP Request type), sort, and then get the unique values with a count of their occurrences. cat squid_access.log | awk '{print $6}' | sort | uniq –c
Answer: 35
Answer: 78
How to solve: The name of the company is found within the URLs of the requests made 192.168.0.224 . cat squid_access.log | grep "192.168.0.224"
Answer: Symantec
How to solve: Use the command from the question above and then find the URL that includes “virus” and “definitions”
Extension Activities
6-8 | URL Scavenger Hunt | Explore responsible internet use. | Provide fake Squid logs with safe and unsafe URLs .Students highlight URLs that are: Educational Entertainment Suspicious or inappropriate Discussion: Why might schools block certain content? |
9-12 | Attack Simulation: Malicious Site Detection | Detect unsafe browsing behavior. | Some logs include suspicious URLs (e.g., phishing sites).Students must: Identify risky URLs Explain why they are suspicious Suggest how the network should respond (block? notify? educate?) |
Walkthrough:
https://trove.cyberskyline.com/b2ca66f2ed8747139b26ba3539e6b4f7
Module: Network Traffic Analysis
Topic: WiFi PCAP 1
Objective
Crack a WEP-encrypted wireless network by analyzing captured initialization vectors.
Prompt
We have created a packet capture from our test lab to see if you can handle the challenges of wireless password cracking.
Questions & Answers
- How many IVs are in the packet capture?
- What is the key size of the wireless network data encryption method in bits?
- What is the IV for the first packet in the capture in hexadecimal representation?
- What is the WEP key?
- What is the TCP checksum, in hexadecimal representation, of the first packet in the capture?
Answer: 14337
Answer: 64
Answer: 003a33
Answer: A4:81:53:B4:C
Answer: 897b
Walkthrough
https://trove.cyberskyline.com/288b1672a3824de0b3cd6386057b348b
Topic: WiFi PCAP 2
Objective
Crack a WEP-encrypted wireless capture to recover the network key and packet data.
Prompt
We have created a packet capture from our test lab to see if you can handle the challenges of wireless password cracking.
Questions & Answers
- How many IVs are in the packet capture?
- What is the key size of the wireless network data encryption method in bits?
- What is the IV for the first packet in the capture in hexadecimal representation?
- What is the WEP key?
- What is the TCP checksum, in hexadecimal representation, of the first packet in the capture?
Answer: 24592
Possible Answers: 128, or 104
Answer: 0994ff
Answer: DE:AD:10:CC:D1:5E:A5:EC:DC:C2:D6:7A:CA
Answer: 08f0
Walkthrough
https://trove.cyberskyline.com/ca95b65b466c4d3fa3f6b9eb37338b15
Topic: WiFi PCAP 3
Objective
Crack a WPA wireless capture and investigate router configurations and network activity.
Prompt
We have created a packet capture on a temporary wireless network that a couple of hackers have set up. Break into their network and see what you can learn.
Questions & Answers
- What is the MAC address of the router?
- What is the ESSID of the wifi network?
- What is the password for the wireless network?
- What is the IP address of the router?
- What company manufactured the router?
- What is the model of the router?
- What firmware version is installed on the router?
- What release number is the router using?
- What is the IP address of the user who logged into the router admin panel?
- What is the MAC address of the first victim of the deauth attack?
- What is the MAC address of the second victim of the deauth attack?
Answer: C0:4A:00:80:76:E4
Answer: TP-LINK_8076E4
Answer: blueberrymuffin
Answer: 192.168.0.254
Answer: tp link
Answer: WR702N
Answer: 4.19.1
Answer: 52704n
Answer: 192.168.0.101
Answer: B8:E8:56:47:44:38
Answer: 80:E6:50:0B:26:BA
Walkthrough
https://trove.cyberskyline.com/5c795a418e19432ca84093f469c0d25e