Cyber Skyline Plus Gym - Instructor Guide

Module: Open Source Intelligence

Topic: Meta

Objective

Students will be able to use a metadata viewer to determine information about a photo that was taken.

Prompt

This challenge will give you experience with extracting metadata from an image file. You are given an image with contains metadata and you will need to use a metadata viewer to help answer the questions.

Questions & Answers

  1. When was the image created? (Round to the nearest minute) Answer: 2015/05/15 02:14
  2. What is the image size in pixels? (ex: 800x600) Answer: 1024x768
  3. What is the make of the camera that took the picture? Answer: apple
  4. What is the model of the camera that took the picture? Answer: iphone 5
  5. What is the exposure time for the picture? (ex: 1/200) Answer: 1/640
  6. Where was the picture taken? Please use only positive numbers with 4 decimal places. (ex: 45.4000N, 75.6667W) Possible answers: ● 39.8750N 20.0100E ● 39.8750N, 20.0100E ● 39 deg 52' 30.00" N, 20 deg 0' 36.00" E ● 39 deg 52' 30.00" N 20 deg 0' 36.00" E ● 39.8750 20.0100 ● N 39° 52' 30'' E 20° 0' 36'’ ● Latitude 39:52:30 Longitude 20:0:36 ● 39; 52;30 20;0; 36 ● 39º 52' 30.00" N, 20º 0' 36.00" E Incorrect answers: ● 39.8750 -20.0100 ● -39.8750 -20.0100 ● -39.8750N, 20.0

Extension Activities

Grade level
Extension Activity
Objective
Activity Steps
6-8
News Verification Lab
Distinguish between real and fake news using OSINT techniques.
Give students headlines or short articles. Ask them to: Reverse image search pictures Check sources Cross-reference news stories
9-12
OSINT Tools Treasure Hunt
Explore safe, open-source tools.
Tools: WHOIS lookup, Google Earth, The Wayback Machine, Social Search Engines (e.g., Social Searcher, IntelX) Activity: Create a challenge where students have to: Find who owns a domain Look at archived versions of a website (use wayback machine) Track public social posts for patterns

Topic: Lookup

Objective

Students will be able to find and use a specification document to answer questions about DNS.

Prompt

Answer these questions about DNS. Make sure you enter the record type and not the description of the record type.

Questions & Answers

  1. What type of DNS record hold the DNSSEC public signing key?
  2. Answer: DNSKEY

    image
  1. What type of DNS record is used to map hostnames to IPv6 addresses?
  2. Answer: AAAA

    image
  1. What type of DNS record is used to delegate a DNS zone?
  2. Answer: NS or Name Server

    image

Extension Activities

6-8
Username Investigation Game
Understand how usernames can reveal a digital trail.
Give a fictional username (e.g., “AlexGamer47”) and have students: Search for it on YouTube, Twitter (using screenshots), or game forums. Record patterns of use: hobbies, interests, locations. Discussion Prompt: Why do people reuse usernames? What can others learn from that?
9-12
Social Media Pattern Analysis
Understand how public posts create patterns.
Using a fictional account (set up by the teacher), have students: Map post times and locations Identify potential routines Connect hashtags to interests or communities

Topic: Threat Intel

Objectives

Students will be able to use search tools to answer questions about security topics.

Prompt

Answer the following questions about security issues.

Questions & Answers

  1. What is the CVE of the original POODLE attack?
  2. How to solve: The answer to this question can be found on Wikipedia.

    Answer: CVE-2014-3566

  3. What version of VSFTPD contained the smiley face backdoor?
  4. How to solve: The answer to this question can be found on Wikipedia.

    Answer: 2.3.4

  5. What was the first 1.0.1 version of OpenSSL that was NOT vulnerable to heartbleed?
  6. How to solve: The answer to this question can be found on Wikipedia.

    Answer: 1.0.1g

  7. What was the original RFC number that described Telnet?
  8. How to solve: The answer to this question can be found on Wikipedia. You will have to search another linked Wikipedia page for more information related to when Telnet was first developed.

    Answer: 15

  9. How large (in bytes) was the SQL Slammer worm?
  10. How to solve: The answer to this question can be found on Wikipedia.

    Answer: 376

  11. Samy is my…
  12. How to solve: The answer to this question can be found on Wikipedia.

    Answer: hero

Extension Activities

6-8
Build-A-Hacker Workshop (Fictional Personas)
Understand how threat actors gather info.
Given a scenario (e.g., a hacker wants to target a school), students: Use fictional student or staff profiles. Identify what information is publicly available (e.g., school calendar, staff names).Outcome: Students write a short paragraph predicting how the hacker might use the info and how to defend against it. Have students share their writings.
9-12
Fake Job Post Scam Breakdown
Understand how cybercriminals target individuals.
Students analyze fake job posts or emails (pre-curated).Use OSINT to check company legitimacy (e.g., WHOIS, company site vs fake URL).Discussion Prompt: How do threat actors use platforms like LinkedIn to customize attacks?

Topic: HTTP Headers

Objectives

Students will be able to find resources to understand different types of HTTP request headers.

Prompt

Solve these questions about HTTP headers.

Questions & Answers

  1. What HTTP request header is used to denote what URI linked to the resource being requested?
  2. Answer: referer *Note that the official specification for this header has “referrer” spelled incorrectly as “referer”

  3. What HTTP request header is used to identify the client software that made the HTTP request?
  4. Answer: user-agent

  5. What HTTP request header is used to identify the acceptable content types that can be returned?
  6. Answer: accept

Extension Activities

6-8
"What’s in a Web Request?" – Header Basics Lab
Introduce basic HTTP headers using simplified, printed mockups.
Present a mock HTTP GET request with headers like User-Agent, Host, and Referer. Ask students to decode what device/browser was used, what website was accessed, and where the request came from. Discussion Prompt: How could this data help someone track you online?
9-12
OSINT Header Case Study
Analyze how HTTP headers were used in a real-world investigation.
Setup: Use a public case (e.g., website misconfiguration or tech stack leakage). Activity: Provide captured headers from the case. Ask students to infer: Server type, Technologies in use, Possible vulnerabilities. Ethics Discussion: When is it okay to analyze headers? What should be off-limits?

Topic: WHOIS

Objective

Students will be able to conduct a WHOIS query to learn publicly available information about a domain name.

Prompt

Conduct open source intelligence data collection about cityinthe.cloud. Answer the following questions as they relate to the cityinthe.cloud domain.

Questions & Answers

  1. Who is the registrar of this domain?
  2. Answer: Dynadot

  3. On what day was this domain first registered?
  4. Answer: 2016-02-16

  5. What is this domain's registry domain ID?
  6. Answer: D15CD1AC4DEB54207A5048A69B9FC0558-ARI

  7. What is the Top-Level Domain (TLD) of this domain?
  8. Answer: cloud

  9. What organization manages the TLD used by cityinthe.cloud?
  10. Answer: Aruba

Extension Activities

6-8
WHOIS Mystery Matching Game
Connect WHOIS records to fictional organizations.
Setup: Create 3–4 mock WHOIS records and 3–4 fictional website profiles. Activity: Students analyze clues like registrar location, organization name, or domain age. Match each WHOIS record to the correct fake website. Use cards or slides for a collaborative classroom game.
9-12
WHOIS in the Real World: Threat Intelligence Report
Apply WHOIS to a broader investigation.
Assign a simulated incident (e.g., spam email, fake site).Students gather WHOIS data, infer attacker profile traits (e.g., fast-registered domains, offshore registrars).Produce a 1-page “Threat Intel Summary.”

Walkthrough

https://trove.cyberskyline.com/a60b1f22554d4d66a9a733a787e9df50

🔍 Topic: PGP Lookup

Objectives

Students will query a public key database to identify the types of information stored there.

Prompt

Individuals use PGP to securely encrypt their emails, can you find out more about the following PGP keys?

Questions & Answers

  1. What is the key fingerprint for security@cpanel.net?
  2. Answer: B6709B4CC6F42077F69841919521BEDCABD94DDF

  3. What email address is associated with the key fingerprint 7A39A56B73D1E097D57435CFCDE2DE1DCB2077F2?
  4. Answer: hx@liber8tion.cityinthe.cloud

  5. On what date does the above key expire (in UTC)?
  6. Answer: 2050-12-26

Extension Activities

6-8
Understanding Digital Signatures
Introduce students to the concept of digital signatures and their role in verifying the authenticity of digital communications.
Discuss the basics of encryption and how digital signatures work. Use a simple analogy (like sealing a letter in an envelope) to explain how PGP ensures message integrity. Provide examples of how digital signatures are used in everyday life (e.g., software downloads, secure emails).
9-12
Analyzing PGP Key Metadata
Teach students how to extract and analyze metadata from PGP keys to gather OSINT.
Provide students with sample PGP public keys (ensure these are fictional or anonymized).Guide students through the process of examining key details such as creation date, associated email addresses, and key fingerprints. Discuss how this information can be used in digital investigations and the importance of ethical considerations.

Walkthrough

https://trove.cyberskyline.com/8eb49cf698d149fe969acd161020245d

🔐 Topic: SSL

Objectives

Students will use a browser in order to analyze a SSL certificate chain.

Prompt

Solve the following questions about the Cyber Skyline SSL certificate.

Note: If you see references to "BitDefender" in the process of solving this challenge, that means your BitDefender software is intercepting your SSL/TLS connection and will produce incorrect results.

Questions & Answers

  1. Who is the issuer for Cyber Skyline's SSL certificate?
  2. Possible Answers: sectigo, comodo

  3. How many bits long is the SSL key?
  4. Answer: 2048

  5. How many certificates are in the certificate chain?
  6. Answer: 3

Extension Activities

6-8
“What's in a URL?” Sorting Game
Learn to distinguish between HTTP and HTTPS.
Provide a stack of fake or real URLs.Students sort into “Secure” (HTTPS) and “Not Secure” (HTTP).Discuss what might happen if you send personal data over an insecure connection.
9-12
Expired or Misissued Certificate Challenge
Understand how SSL certificate issues may indicate threats.
Provide samples of expired, self-signed, or misconfigured certificates (can be screenshots or from certificate transparency logs).Students determine what’s wrong and how that might signal phishing, misconfiguration, or a suspicious site.

Walkthrough

https://trove.cyberskyline.com/8835d44ab9914ab98e25c6b2b5999abf

💳Topic: Barcode

Objective

Students will be able to use a barcode reader to identify hidden information.

Prompt

We intercepted a barcode we think might be hiding a flag. See if you can find it.

Questions & Answers

  1. What format does the barcode use?
  2. Possible Answers: code 39, code39, Code_39, USD-3, Code 3 of 9, Code 3/9, Alpha 39

  3. What is the flag hidden in the barcode?
  4. Answer: SKY-UZLU-5635

Extension Activities

6-8
Decode the Hidden Message (QR Detective)
Learn what QR codes are and how they encode information.
Students scan teacher-provided QR codes using school devices .Each QR code reveals a clue, message, or safe web link (e.g., a NASA fact, a riddle).Students work in teams to piece together a message or win a classroom scavenger hunt. Discussion: Why do we use QR codes? What kind of information can they hide?
9-12
Reverse Lookup of QR/Barcode Data
Investigate a product or web page linked via barcode or QR.
Scan or decode a real or simulated code. Conduct OSINT to find out: Who owns the domain or product? Where the item was manufactured or registered?Is the website or organization legitimate? Use WHOIS, Wayback Machine, and barcode prefix databases for investigation.

Walkthrough

https://trove.cyberskyline.com/d695b934ae954d30b237eb4e1d81a946

Module: Cryptography

💯 Topic: Number Bases

Objectives

Students will use tools to recognize and convert various number bases.

Prompt

Our analysts have obtained password dumps storing hacker passwords. After obtaining a few plaintext passwords, it appears that they are all encoded using different number bases.

Questions & Answers

User
Cipher Text
Answer
Nan
0x73636f7270696f6e
Answer: scorpion
Elliot
c2NyaWJibGU=
Answer: scribble
Steve
01110011 01100101 01100011 01110101 01110010 01100101 01101100 01111001
Answer: securely
Daniel
01100010 01000111 00111001 01110011 01100010 01000111 01101100 01110111 01100010 00110011 01000001 00111101
Answer: lollipop

Extension Activities

6-8
Color Code Encryption (Hex and RGB)
Use hexadecimal to encode color values and relate them to cryptographic codes.
Teach students how hex values map to RGB (e.g., #FF0000 = red).Create a color-coded message where each letter maps to a hex color.Students decode messages using hex charts.
9-12
Cryptographic Base Challenge
Understand base conversions and their role in encoding systems like Base64 and hexadecimal hashes.
Provide students with encrypted-looking strings (e.g., hex-encoded, binary). Challenge them to decode messages by identifying and converting base formats. Include layers (binary → decimal → ASCII → message).

Walkthrough

https://trove.cyberskyline.com/8964d7b06a234684abffade642838140

〽️ Topic: Shift

Objectives

Students will decode a Ceasar shift cipher.

Prompt

Our analysts have obtained password dumps storing hacker passwords. It seems to be using a pretty simple encryption scheme, see if you can crack them.

Questions & Answers

User
Password Ciphertext
Answer
Solution
Chris
iveghny ynxr
virtual lake

Extension Activities

6-8
Code Wheel Construction & Cipher Fun
Learn letter shifting using a Caesar cipher wheel.
Students build a Caesar cipher wheel from a printable template (inner and outer alphabet circles).Encode a message by rotating the wheel to a shift value (e.g., shift of 3).Partner up: one student encodes, the other decodes.
9-12
Caesar Cipher + Frequency Analysis
Understand and exploit the vulnerabilities of shift ciphers.
Provide a Caesar-encrypted message without a known key. Students: Try all 25 possible shifts (“brute-force” method).Perform frequency analysis (e.g., looking for common letters like E or T).Discuss how frequency analysis led to the downfall of simple substitution ciphers.

Walkthrough

https://trove.cyberskyline.com/645f2b9059b04943bfa2c28b02667df5

🐢 Topic: @bash

Objective

Students will decode an atbash shift cipher.

Prompt

Our analysts have obtained password dumps storing hacker passwords. See if you can crack them.

Questions & Answers

User
Password Ciphertext
Answer
Solution
Christian
hzuvob lyerlfh xzev
safely obvious cave

Extension Activities

6-8
Binary to Text Bash Simulation
Explore how computers use binary to represent letters.
Give students ASCII codes in binary. Simulate Bash decoding using a chart or worksheet. Discuss how computers turn data into readable info via shell tools.
9-12
Build a Bash Password Vault
Use Bash to securely store and retrieve hashed passwords.
Script idea: Accept a username and password. Hash the password. Store it in a file. Later, compare a login attempt to the stored hash.

Walkthrough

https://trove.cyberskyline.com/7fa9781f241c4be49bf0cca9eadc2409

🚙 Topic: Beep

Objective

Students will recognize and decode morse code.

Prompt

Our analysts have intercepted an encoded message. See if you can decode it.

Questions

User
Password Ciphertext
Answer
Solution
Helen
- .... . / ... . -.-. .-. . - / --- ..-. / --. . - - .. -. --. / .- .... . .- -.. / .. ... / --. . - - .. -. --. / ... - .- .-. - . -.. / ... -.- -.-- / -.. -.- ...- -... / ----. ---.. .---- -.…
THESECRETOFGETTINGAHEADISGETTINGSTARTEDSKYDKVB9816

Extension Activities

6-8
Beep Morse Code Challenge
Encode and decode messages using sound.
Teach students basic Morse code (e.g., A = .-).Use a simple tone generator app, physical buzzer, or your own voice (short/long beeps).In teams, students send coded beeps across the classroom; others decode the message.
9-12
Sonic Modem & Tones
Learn how modems used sound for data transfer.
Play samples of old dial-up modem sounds. Discuss how tones carried data across phone lines. Try encoding binary into a sequence of tones using tools like Audacity. Optional: build a tone-to-binary decoder in Python or spreadsheet format.

Walkthrough

https://trove.cyberskyline.com/346b7cdf8ae246c9b1ce41971d3e1b31

🤺 Topic: Fencing

Objective

Students will recognize and decode a rail fence cipher.

Prompt

Our analysts have obtained encrypted messages. We saw hand-written notes that indicated the keys as being "3" and "5". See if you can crack them.

Questions & Answers

User
Password Ciphertext
Answer
Solution
Eve
Cair eruSA-0org sgaeudrpesr K-II98ue cn seYQ3
Courage is grace under pressure SKY-AIQI-9380
Nan
F daS-eefn n KZ3eheadty.YI8lta oiwy-Q0 r aI2
Feel the fear and do it anyway. SKY-IQIZ-3802.

Walkthrough

https://trove.cyberskyline.com/346b7cdf8ae246c9b1ce41971d3e1b31

🇫🇷 Topic: French

Objective

Students will decrypt a Vigenère cipher.

Prompt

Our analysts have obtained an encrypted message. We know that the key, qizkwcgqbs was used. See if you can crack them.

Questions & Answers

User
Password Ciphertext
Answer
Solution
Matt
Y ln xkv lubj swlzqvkht, A vmzb pjk bbua we ddgs ILQ-GQYU-8026
I do not fear computers, I fear the lack of them SKY-QIZK-8026

Extension Activities

6-8
Vigenère Cipher Challenge
Encrypt/decrypt using a repeating keyword
Using a Vigenère square, students pick a keyword and encode a message so each letter shifts differently. They compare it to Caesar and discuss why a repeating key resists simple frequency analysis — a first taste of "polyalphabetic" thinking.
9-12
RSA in Real Life (Digital Certificates Demo)
Understand how RSA protects secure websites.
Use a browser to explore HTTPS certificates (lock icon → certificate).Identify the public key and certificate authority. Students answer questions: Who signed it? What does the public key do?

Walkthrough

https://trove.cyberskyline.com/c6c704add2e84e6ea6ddad7f2d7668d1

Topic: Stego 1

Objective

Students will use steganographic analysis tools to uncover a hidden message.

Prompt

The hackers have hidden a message in this image. Find out what it is.

Questions & Answers

1. What is the hidden flag in the image?

Answer: SKY-TVJI-2063

Walkthrough

https://trove.cyberskyline.com/733a58d8135847bbb08a4a6aacaeb96a

Topic: Stego 2

Objective

Students will use steganographic analysis tools to uncover a hidden message.

Prompt

The hackers have hidden a message in this image. Find out what it is.

Questions & Answers

1. What is the hidden flag?

How to solve: Use the Digital Invisible Ink Toolkit to obtain the hidden image using the “BlindHide” mode.

Answer: SKY-ERNT-4183

Walkthrough

https://trove.cyberskyline.com/5133730a17214be3831588652a5ce777

Topic: Stego 3

Objective

Students will use steganographic analysis tools to uncover a hidden message.

Prompt

The hackers have hidden a message in this image. Find out what it is.

Questions & Answers

1. What is the md5 sum of the hidden file?

How to solve: The MD5 sum can be found by running the Linux md5sum program (ex: md5sum file.out) on the output file from the Digital Invisible Ink Toolkit.

Answer: B2BDE37FEEDE452DB6CA45D1618785CA

2. What is the hidden message?

How to solve: Use the Digital Invisible Ink Toolkit to obtain the hidden image using the “BattleSteg” mode and then use the online hieroglyph translator to obtain the hidden message.

Note: e and i are replaceable in this alphabet, so you may need to tweak your message to create something that is sound in English.

Possible Answers: hidden messages, hedden messages

Walkthrough

https://trove.cyberskyline.com/455a54f0eb444fe399c9b4966a25f1d0

Topic: Stego 4

Objective

Students will use steganographic analysis tools to uncover a hidden message.

Prompt

The hackers have hidden a message in this image. Find out what it is.

Questions & Answers

1. What is the md5 sum of the hidden file?

How to solve: The MD5 sum can be found by running the Linux md5sum program (ex: md5sum file.out) on the output file from the Digital Invisible Ink Toolkit.

Answer: 77864C67BC0D74B0A05E6FEC2C24125B

2. What is the hidden message?

Use the Digital Invisible Ink Toolkit to obtain the hidden image using the “HideSeek ” mode and then use the Futurama Alphabet converter to obtain the hidden message.

Answer: there is no spoon

Walkthrough

https://trove.cyberskyline.com/38ce8b2db6a24bb49615382e2a252085

Module: Linux

🖥️ Topic: DIR

Objective

Students will use commands via the Linux Command Line (CLI) to analyze files and directories.

Prompt

One of our analysts had their laptop damaged. However, we were able to recover and mount the hard drive. Access the terminal and recover various flags from the disk.

Questions & Answers

  1. What are the contents of flag1.txt, found in root's home directory?
  2. How to solve: Run cat flag1.txt from root’s home directory

    Answer: SKY-FNKC-3207

  3. What are the contents of flag2.txt, found in the root directory?
  4. How to solve: Use cd / to navigate to the root directory and then run cat flag2.txt.

    Answer: SKY-NPEJ-2501

  5. What are the contents of flag3.txt, found in an archive in /var/log?
  6. How to solve: Navigate to /var/log and then run tar -zxvf flag.tar.gz to extract the files from the archive.

    Answer: SKY-FVHR-3562

  7. What are the contents of flag4.txt, found in the flag user's home directory?
  8. How to solve: Navigate to the /home/flag directory and then run cat flag4.txt.

    Answer: SKY-SXIJ-6142

  9. What flag is printed when you run the flag5 program?
  10. How to solve: Run the flag5 program with the command flag5

    Answer: SKY-UDSV-9689

  11. What is the full path to the flag5 program?
  12. How to solve: Run which flag5

    Answers:

    • /usr/bin/flag5
    • /usr/bin/

    Incorrect: ./usr/bin/flag5

Extension Activities

6-8
Linux Adventure Story
Use commands like dir to progress through a narrative.
Students role-play as secret agents or explorers.Each directory contains parts of a story.Students unlock new parts by listing contents (dir) and making choices (cd cave, cd castle).
9-12
Linux Forensics Mini-Challenge
Find files based on clues using dir, ls, find, and grep.
Create a mystery scenario (e.g., “Find who deleted the secret file”).Students navigate directories, list contents (dir), and read logs (cat logfile.txt).Combine clues to solve the case.

Walkthrough

https://trove.cyberskyline.com/68a3552daa024ee6b4313703744ad77c

🗄️ Topic: File Edit

Objective

Students will use nano and Vim via the command line to create and edit files.

Prompt

Learn how to use command line file editors.

NOTE: The terminal session is logged. Please do not perform any denial of service attacks on the Linux server provided, malicious attempts to attack the Cyber Skyline platform will result in disqualification.

Questions & Answers

  1. What key should you press in addition to the CTRL key to trigger the combination to exit nano?
  2. Answer: x

  3. What vim mode allows you to write new characters in the file?
  4. How to solve: Search online for “vim mode to write new characters”.

    Answer: insert

  5. What keyboard combination will save and quit the file with vim?
    1. How to solve: Search online for “how to save and quit with vim” and read the descriptions for the different keyboard combinations.

      Answers:

    2. :wq
    3. wq
  6. What keyboard combination will delete an entire line in vim?
  7. How to solve: Search online for “vim delete line” and then read the descriptions for possible keyboard combinations. See the Trove for more detailed guidance.

    Answer: dd

  8. What command would you use to rename a file?
  9. How to solve: Search online for “linux how to rename a file” and read about the most common commands. See the Trove for more detailed guidance.

    Answer: mv

Extension Activities

6-8
Echo & Redirect Challenge
Use echo to write text to a file.
Run commands like echo "I love coding!" > myfile.txt.Append text using echo "And Linux!" >> myfile.txt.Display contents with cat myfile.txt.Discussion: What’s the difference between > and >>?
9-12
File Permissions and Editing
Explore how permissions affect file editing.
Create files with different permission settings (chmod).Try to edit them and observe what happens.Discuss why permissions are important for security.

Walkthrough

https://trove.cyberskyline.com/cb681eb17071486a9906361f91247086

🗣️ Topic: Basic Commands

Objective

Use open source tools and Linux command line knowledge to string Linux commands together.

Prompt

Learn the common basic commands used on the Linux command line.

NOTE: The terminal session is logged. Please do not perform any denial of service attacks on the Linux server provided, malicious attempts to attack the Cyber Skyline platform will result in disqualification.

Questions & Answers

  1. What character can you use to redirect the output of one program as the input to another program?
  2. How to solve: Search online for this question as-is. Make sure to find an answer that is specific to redirecting from output from one program to another program (and not to a file). See the Trove for additional guidance.

    Answer: |

  3. What character can you use the redirect the output of a program to a file?
  4. How to solve: Search online for this question as-is. Make sure to find an answer that is specific to redirecting from output from one program to a file (and not to another program). See the Trove for additional guidance.

    Answer: >

  5. How many people have a first name of Jordan in names.csv?
  6. How to solve: Use cut to grab only the column of first names, then use grep to search for “Jordan” and then use wc -l to get a line count.

    cut -d "," -f 1 < names.csv | grep Jordan | wc -l

    Answer: 2

Extension Activities

6-8
Linux Command Bingo
Familiarize with common Linux commands.
Create Bingo cards with commands like ls, pwd, cd, mkdir, rm.Call out definitions or tasks (“Show me files in the folder”), students mark corresponding commands.First to bingo explains one command in detail.
9-12
Linux Trivia & Command Line Quiz
Reinforce command knowledge.
Prepare a quiz with multiple choice and practical terminal commands.Use interactive platforms or classroom polling.Include “Identify the command” from output examples.

Walkthrough

https://trove.cyberskyline.com/5f6865d970874da2ab2b915ba79fd4c3

🧶 Topic: Strings

Objective

Use the strings command to find hidden information in a file.

Prompt

The hackers have hidden a message in this image. Find out what it is.

Questions & Answers

1. What is the hidden flag in the image?

How to solve: Run the strings command on the image and search for text that contains “SKY”.

strings STEG1.jpg | grep SKY

Answer: SKY-RCLO-4839

Extension Activities

6-8
Guess the File Type
Use strings output to guess the type of file.
Give several files without extensions. Students use strings to extract text clues. Guess file types based on the strings (e.g., image metadata, code snippets, document text).
9-12
Build Your Own Binary File
Create a file with hidden text and practice extraction.
Use a hex editor or programming language (e.g., Python) to embed text inside a binary file. Use strings to extract it. Reflect on how data can be hidden and recovered.

Walkthrough

https://trove.cyberskyline.com/e864b69e76f54f309385ea6dbe111c4c

Module: Log Analysis

🐚 Topic: SSH

Objective

Students will analyze the contents of an SSH log to identify adversarial behavior.

Prompt

Analyze this SSH log file to answer the following questions.

Questions & Answers

  1. What is the hostname of the ssh server that was compromised?
  2. Answer: myraptor

    Oct 11 10:12:00 myraptor sshd[29459]: Server listening on 0.0.0.0	port 22.
  3. What was the first IP address to attack the server?
  4. Answer: 169.139.243.218

    Oct 11 10:12:25 myraptor sshd[29465]: Failed password for harvey from 169.139.243.218 port 57273	ssh2
  5. What was the second IP address to attack the server?
  6. Answer: 56.13.188.38

  7. What was the third IP address to attack the server?
  8. Answer: 30.167.206.91

  9. Which user was targeted in the attack?
  10. Answer: harvey

    Oct 11 10:12:25 myraptor sshd[29465]: Failed password for harvey from 169.139.243.218 port 57273	ssh
  11. From which IP address was the attacker able to successfully log in?
  12. Answer: 30.167.206.91

    Oct 11 10:36:59 myraptor sshd[30003]: Accepted password for harvey from 30.167.206.91 port 55326	ssh2

Extension Activities

6-8
Log Line Match Game
Learn SSH terminology and log meanings.
Match terms like Accepted password, Failed password, port, user, IP to their meanings. Color code log lines by type (green for success, red for failed attempts).
9-12
Create Your Own SSH Log Puzzle
Design and share SSH log puzzles with classmates.
Students write their own fake SSH logs with a narrative: attack, success, mistake, etc. Swap puzzles and analyze each other’s scenarios.

Walkthrough:

https://trove.cyberskyline.com/5213e481daa544fb94001cd51096edbb

⌨️Topic: Login

Objective

Students will use command line tools to analyze a custom application log format.

Prompt

Analyze a custom application login event log to help us understand user behavior.

Questions & Answers

  1. How many total login attempts were made in this log?
  2. How to solve: Get the line count of the log. (Reminder: at the end of the command, that is a lower case ‘L’ not a number 1)

    cat login.log | wc -l

    Answer: 6063

  3. How many unique usernames appear in this log?
  4. How to solve: Extract the third field (with the usernames) of the log, sort the usernames, get the unique usernames, and then get a line count of the number of unique usernames.

    cat login.log | cut -f 3 | sort | uniq | wc -l

    Answer: 1879

  5. What is the username with the most login attempts?
  6. How to solve: Extract the third field (with the usernames) of the log, sort the usernames, get a frequency count of each unique username, and then sort the unique usernames by frequency.

    cat login.log | cut -f 3 | sort | uniq -c |sort -n

    Answer: ntory

  7. How many attempts were made for the username with the most login attempts?
  8. cat login.log | cut -f 3 | sort | uniq -c |sort -n

    Answer: 124

  9. What is the date with the most login attempts?
  10. How to solve: Extract the first field (with the date+time) of the log, extract just the date, sort the dates, get a frequency count of each unique date, and then sort the unique dates by frequency.

    cat login.log | cut -f 1 | cut -d " " -f 1 | sort | uniq -c | sort -n

    Answer: 2011-03-23

  11. What is the username that had logins from the most unique IP addresses?
  12. How to solve: Extract the second field (with the IP address) and third field (with the username) of the log, sort the IP/username pairs, get the unique IP/username pairs, then extract just the usernames from each pair, sort the usernames, get a frequency count of how many unique pairs each username has, and then sort by frequency.

    cat login.log | cut -f 2,3 | sort | uniq | cut -f 2 | sort | uniq -c | sort -n

    Answer: wlfla0190

Extension Activities

6-8
Login Color Code
Visually interpret log entries.
Print or display several log lines.Students highlight: Green: Successful logins Red: Failed logins Blue: IP addresses Discuss: What can logs tell us about system usage?
9-12
User Behavior Profile
Analyze and profile user activity.
Provide anonymized logs for 2–3 users. Students summarize: Login times Access locations (IP)Behavior patterns Discuss: What’s normal vs suspicious?

Walkthrough

https://trove.cyberskyline.com/7c704ee8ab0a4e959360a1486fb60bae

⬆️Topic: VSFTPD

Objective

Students will analyze a VSFTPD log file.

Prompt

Analyze a VSFTPD log file that we obtained.

Questions & Answers

  1. What IP address did "ftpuser" first log in from?
  2. How to solve: Search for any entries that include “ftpuser”. One of these lines should include an IP address. cat vsftpd.log | grep ftpuser

    Answer: 10.0.0.123

  3. What is the first directory that ftpuser created?
  4. cat vsftpd.log | grep ftpuser | grep -i mkdir | head -n 1

    Answer: TreeSizeFree

  5. What is the last directory that ftpuser created?
  6. cat vsftpd.log | grep ftpuser | grep -i mkdir | tail -n 1

    Answer: 110D300S

  7. What file extension was the most used by ftpuser?
  8. How to solve: Search for successful file upload entries from ftpuser, extract the file extension for those uploads, and then get the frequency count for each unique file extension

    cat vsftpd.log | grep ftpuser | grep 'OK UPLOAD' | awk -F ',' '{print $2 }' | awk -F "." '{print $2}' | sort | uniq -c | sort

    Possible Answers: jpeg, jpg, Joint Photographic Experts Group

  9. What is the username of the other user in this log?
  10. cat vsftpd.log | awk '{print $8}' | sort | uniq

    Answer: jimmy

  11. What IP address did this other user log in from?
  12. cat vsftpd.log | grep jimmy

    Answer: 10.0.0.214

  13. How many total bytes did this other user upload?
  14. How to solve: Search for successful file upload entries from jimmy, extract the number of bytes transferred, then sum the bytes cat vsftpd.log | grep jimmy | grep 'OK UPLOAD' | awk -F ',' '{print $3 }' | awk '{s+=$1} END {print s}’

    Answer: 105750628 bytes

  15. How many total bytes did ftpuser upload?
  16. cat vsftpd.log | grep ftpuser | grep 'OK UPLOAD' | awk -F ',' '{print $3 }' | awk '{s+=$1} END {print s}’

    Answer: 13980839165 bytes

  17. How many total bytes did ftpuser download?
  18. cat vsftpd.log | grep ftpuser | grep 'OK DOWNLOAD' | awk -F ',' '{print $3 }' | awk '{s+=$1} END {print s}’

    Answer: 6008032 bytes

  19. Identify the IP address of the suspicious login (the login with no subsequent activity).
  20. How to solve: Search for all of the successful login attempts, extract the IP address used to log in, then sort and unique the IP addresses to identify IP addresses for manual inspection

    cat vsftpd.log | grep 'OK LOGIN' | awk -F '"' '{print $2 }' | sort | uniq

    Answer: 10.3.0.6

Extension Activities

6-8
FTP Role-Play Activity
Act out FTP log scenarios and decode them.
Assign roles (Client, Server, Logger).Simulate login attempts and file transfers.Logger writes log entries, others guess what actions they represent.
9-12
Create Your Own FTP Log Puzzle
Design a VSFTPD log mystery for peers.
Students generate fictitious VSFTPD logs with:Students generate fictitious VSFTPD logs with:One suspicious loginOne normal userA fake attack attemptPeers analyze the log and identify the risky event.

Walkthrough

https://trove.cyberskyline.com/a9aad5ab10334ac4ab37bdd04058e1ba

❎ Topic: Nginx

Objective

Students will analyze an nginx access log.

Prompt

Analyze an nginx access log and answer questions about what happened.

Questions & Answers

  1. How many different IP addresses reached the server?
  2. Answer: 47

  3. How many requests yielded a 200 code?
  4. How to solve: Extract the third field after double quotes as the delimiter (which includes the HTTP codes), sort the codes, get the unique values with a count of the occurrences of each. Optional: sort in descending numeric order.

    cat access.log | cut -d '"' -f3 | cut -d ' ' -f2 | sort | uniq -c | sort -rn

    Answer: 19

  5. How many requests yielded a 400 code?
  6. cat access.log | cut -d '"' -f3 | cut -d ' ' -f2 | sort | uniq -c | sort -rn

    Answer: 38

  7. What IP address rang at the doorbell?
  8. cat access.log | grep "bell"

    Answer: 186.64.69.141

  9. What version of the Googlebot visited the website?
  10. cat access.log | grep "Googlebot"

    Answer: 2.1

  11. Which IP address attempted to exploit the shellshock vulnerability?
  12. How to solve: Search online for details about the Shellshock vulnerability. You should be able to find that the presence of this sequence of characters () { :; }; is an indication of an attempted exploitation of this vulnerability. With this knowledge, search the log for any lines with that sequence of characters.

    cat access.log | grep '() { :; };'

    Answer: 61.161.130.241

  13. What was the most popular version of Firefox used for browsing the website?
  14. How to solve: Search the log for all lines that contain “Firefox” and the following characters which make up the version number, sort those values, and then get a unique count.

    cat access.log | grep -o "Firefox/.*" | sort | uniq -c

    Answer: Firefox/31.0

  15. What is the most common HTTP method used?
  16. How to solve: Extract the 6th field (with the HTTP method), sort, get the unique values with a count of the occurrences of each value, and then sort in descending numeric order.

    cat access.log | awk -F " " '{print $6}' | sort | uniq -c | sort -rn

    Answer: GET

    Incorrect: POST, PUT, HEAD, DELETE, CONNECT

  17. What is the second most common HTTP method used?
  18. cat access.log | awk -F " " '{print $6}' | sort | uniq -c | sort -rn

    Answer: CONNECT

    Incorrect: GET, POST, PUT, HEAD, DELETE

  19. How many requests were for \x04\x01\x00P\xC6\xCE\x0Eu0\x00?
  20. Note that that command requires two backslashes for each original backslash to perform a proper escape sequence for the backslash.

    cat access.log | grep '\\x04\\x01\\x00P\\xC6\\xCE\\x0Eu0\\x00' | wc -l

    Answer: 6

Extension Activities

6-8
Website Detective
Match access log lines to website actions.
Give students fictional scenarios (e.g., visiting a page, clicking a link).Match them to the correct NGINX access log line. Match errors to mis-clicks (e.g., 404 for broken links).
9-12
Traffic Pattern Analysis
Analyze a set of access logs for usage trends.
Provide a few dozen real or simulated NGINX access log lines. Have students: Count total visits Identify top-requested URLs Chart visit frequency over time Use spreadsheets or visual tools for analysis.

Walkthrough

https://trove.cyberskyline.com/7884f0c64e8b46cea64332a77b5ef56e

🕰️ Topic: History

Objective

Students will use SQL commands to analyze a SQlite database.

Prompt

Analyze a Firefox SQlite history database and answer questions about what happened. It you are not familiar with SQL you may want to learn more about SQL here: https://www.tutorialrepublic.com/sql-tutorial/

Questions & Answers

  1. What did the user search for on craigslist?
  2. Answer: bitcoin

  3. What was the current price (USD) of bitcoin when the user was browsing?
  4. Answer: $239.50

  5. What Bitcoin exchange did the user log in to?
  6. Answer: Coinbase

  7. What is the email that was used to log into the exchange?
  8. Answer: b1gbird@gmail.com

  9. What was the ID of the Bitcoin transaction that the user looked at?
  10. Answer: 5274cfba585a4b5681527a37f95c76340428916bb7480cef6c545f0a28dcd2d7 blockchain.info

  11. What was the total BTC value of all the inputs of the Bitcoin transaction?
  12. Answer: 0.22616302

  13. Which Bitcoin address received the majority of the Bitcoin in the transaction?
  14. Answer: 18z6bTFjxkXCmhfp8YBetR2wgmoVjXGJZz

Extension Activities

6-8
Log Story Sequencing Game
Reconstruct a digital activity timeline.
Provide: Cut-out log line cards with mixed-up order. User logs in at 8:00User opens a document. User edits document. User deletes a file User logs out Activity: Students rearrange the cards into the correct order. They write a one-paragraph summary of what happened based on the log.
9-12
Command Frequency Analysis
Determine behavior based on command frequency.
Provide a long history list with command repetition. Students: Tally top 5 used commands. Infer the user’s job (developer, admin, attacker?). Discuss what's "normal" vs "abnormal" usage.

Walkthrough

https://trove.cyberskyline.com/038f8feecbf4489a9ee68d8c2131b49c

🦑 Topic: Squid

Objective

Students will analyze a Squid proxy log.

Prompt

Analyze this Squid proxy log to answer the following questions.

Questions & Answers

  1. In what year was this log saved?
  2. How to solve: Take any of the Epoch timestamps and convert them into a human-readable date. An online tool, such as Epoch Converter, can be used to do this.

    Answer: 2010

  3. How many milliseconds did the fastest request take?
  4. How to solve: Extract the second field (the response time) and then sort the results numerically

    cat squid_access.log | awk '{print $2}' | sort -n

    Answer: 5

  5. How many milliseconds did the longest request take?
  6. How to solve: Same as the question above.

    cat squid_access.log | awk '{print $2}' | sort -n

    Answer: 41762

  7. How many different IP addresses did the proxy service in this log?
  8. How to solve: Extract the third field (the IP address of the proxy client), sort, get the unique values, and then get the line count.

    cat squid_access.log | awk '{print $3}' | sort | uniq | wc -l

    Answer: 4

  9. How many GET requests were made?
  10. How to solve: Extract the 6th field (the HTTP Request type), sort, and then get the unique values with a count of their occurrences. cat squid_access.log | awk '{print $6}' | sort | uniq –c

    Answer: 35

  11. How many POST requests were made?
  12. Answer: 78

  13. What company created the antivirus used on the host at 192.168.0.224?
  14. How to solve: The name of the company is found within the URLs of the requests made 192.168.0.224 . cat squid_access.log | grep "192.168.0.224"

    Answer: Symantec

  15. What URL is used to download an antivirus update?
  16. How to solve: Use the command from the question above and then find the URL that includes “virus” and “definitions”

    Answer: http://liveupdate.symantecliveupdate.com/streaming/norton$202009$20streaming$20virus$20definitions_1.0_symalllanguages_livetri.zip

Extension Activities

6-8
URL Scavenger Hunt
Explore responsible internet use.
Provide fake Squid logs with safe and unsafe URLs .Students highlight URLs that are: Educational Entertainment Suspicious or inappropriate Discussion: Why might schools block certain content?
9-12
Attack Simulation: Malicious Site Detection
Detect unsafe browsing behavior.
Some logs include suspicious URLs (e.g., phishing sites).Students must: Identify risky URLs Explain why they are suspicious Suggest how the network should respond (block? notify? educate?)

Walkthrough:

https://trove.cyberskyline.com/b2ca66f2ed8747139b26ba3539e6b4f7

Module: Network Traffic Analysis

Topic: WiFi PCAP 1

Objective

Crack a WEP-encrypted wireless network by analyzing captured initialization vectors.

Prompt

We have created a packet capture from our test lab to see if you can handle the challenges of wireless password cracking.

Questions & Answers

  1. How many IVs are in the packet capture?
  2. Answer: 14337

  3. What is the key size of the wireless network data encryption method in bits?
  4. Answer: 64

  5. What is the IV for the first packet in the capture in hexadecimal representation?
  6. Answer: 003a33

  7. What is the WEP key?
  8. Answer: A4:81:53:B4:C

  9. What is the TCP checksum, in hexadecimal representation, of the first packet in the capture?
  10. Answer: 897b

Walkthrough

https://trove.cyberskyline.com/288b1672a3824de0b3cd6386057b348b

Topic: WiFi PCAP 2

Objective

Crack a WEP-encrypted wireless capture to recover the network key and packet data.

Prompt

We have created a packet capture from our test lab to see if you can handle the challenges of wireless password cracking.

Questions & Answers

  1. How many IVs are in the packet capture?
  2. Answer: 24592

  3. What is the key size of the wireless network data encryption method in bits?
  4. Possible Answers: 128, or 104

  5. What is the IV for the first packet in the capture in hexadecimal representation?
  6. Answer: 0994ff

  7. What is the WEP key?
  8. Answer: DE:AD:10:CC:D1:5E:A5:EC:DC:C2:D6:7A:CA

  9. What is the TCP checksum, in hexadecimal representation, of the first packet in the capture?
  10. Answer: 08f0

Walkthrough

https://trove.cyberskyline.com/ca95b65b466c4d3fa3f6b9eb37338b15

Topic: WiFi PCAP 3

Objective

Crack a WPA wireless capture and investigate router configurations and network activity.

Prompt

We have created a packet capture on a temporary wireless network that a couple of hackers have set up. Break into their network and see what you can learn.

Questions & Answers

  1. What is the MAC address of the router?
  2. Answer: C0:4A:00:80:76:E4

  3. What is the ESSID of the wifi network?
  4. Answer: TP-LINK_8076E4

  5. What is the password for the wireless network?
  6. Answer: blueberrymuffin

  7. What is the IP address of the router?
  8. Answer: 192.168.0.254

  9. What company manufactured the router?
  10. Answer: tp link

  11. What is the model of the router?
  12. Answer: WR702N

  13. What firmware version is installed on the router?
  14. Answer: 4.19.1

  15. What release number is the router using?
  16. Answer: 52704n

  17. What is the IP address of the user who logged into the router admin panel?
  18. Answer: 192.168.0.101

  19. What is the MAC address of the first victim of the deauth attack?
  20. Answer: B8:E8:56:47:44:38

  21. What is the MAC address of the second victim of the deauth attack?
  22. Answer: 80:E6:50:0B:26:BA

Walkthrough

https://trove.cyberskyline.com/5c795a418e19432ca84093f469c0d25e

Module: Password Cracking

Module: Forensics

Module: Scanning & Reconnaissance

Module: Enumeration & Exploitation

Module: Web Application Exploitation