Help Me, I Got Compromised
Five connected hosts. One breach. You are the incident responder. Follow the trail from the compromised gateway through log forensics, SOC triage and code review, and finally defend a host that is actively under attack.
The Investigation
Five hosts. One breach. Follow the evidence.
The entry point, the CIRT Gateway: a compromised gateway with a webshell, a cron backdoor, and a SUID persistence binary. Document the artifacts and read the mission brief to find the rest of the network.
All logs from the breach are here. Parse auth.log, the Apache access log, and enriched SIEM events. Identify the attacker IP and reconstruct the full kill chain.
A queue of 15 alerts from the incident window. Triage true positives from false positives, then write a Python detection script that auto-classifies the queue.
The compromised developer's repository. Find the planted vulnerabilities using semgrep and manual review, then dig through git history for the credentials the attacker stole.
This host is under constant attack from 10.99.1.1. Configure fail2ban, enable ufw, block the attacker, and clean up the malware artifacts, in the right order: a default-deny firewall enabled before your own admin session is allowed through locks you out until the host resets, and it resets every 30 minutes.
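The log-forensics and SOC-triage stations above come down to the same job: parse each source, pick out the suspicious records, and put them in order. As an added example (not the lab's own code or data), the script below parses constructed auth.log and Apache combined-format lines, scores source IPs by suspicious activity to pick the attacker, and lists that IP's events as a kill-chain timeline. The sample lines, the addresses 203.0.113.42 and 10.20.0.5, the year 2024 (syslog timestamps carry none) and the webshell-hint pattern are all assumptions made for the example.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample input for the example; not the lab's logs.
AUTH_LOG = """\
Mar  4 02:11:01 gateway sshd[1201]: Failed password for invalid user admin from 203.0.113.42 port 50211 ssh2
Mar  4 02:11:03 gateway sshd[1203]: Failed password for invalid user oracle from 203.0.113.42 port 50212 ssh2
Mar  4 02:11:05 gateway sshd[1205]: Failed password for root from 203.0.113.42 port 50213 ssh2
Mar  4 02:11:09 gateway sshd[1208]: Accepted password for deploy from 203.0.113.42 port 50220 ssh2
Mar  4 02:12:40 gateway sshd[1300]: Accepted publickey for alice from 10.20.0.5 port 41022 ssh2
"""

ACCESS_LOG = """\
203.0.113.42 - - [04/Mar/2024:02:10:30 +0000] "GET /login.php HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.42 - - [04/Mar/2024:02:10:55 +0000] "POST /upload.php HTTP/1.1" 200 88 "-" "curl/8.0"
203.0.113.42 - - [04/Mar/2024:02:13:02 +0000] "POST /uploads/shell.php?cmd=id HTTP/1.1" 200 64 "-" "curl/8.0"
10.20.0.5 - - [04/Mar/2024:02:14:10 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

LOG_YEAR = 2024  # assumed: syslog lines have no year field

# sshd success/failure lines; "invalid user" is optional and skipped.
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)
# Apache combined format: ip ident user [ts] "method path proto" status size ...
ACCESS_RE = re.compile(
    r'^(?P<ip>[\d.]+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\w+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumed heuristic: a .php URL taking a command-like query parameter.
WEBSHELL_HINT = re.compile(r"\.php\?(cmd|c|exec)=", re.I)


def parse_auth(text):
    """auth.log lines -> event dicts with a naive datetime (year assumed)."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "ip": m["ip"], "source": "auth",
                       "result": m["result"], "user": m["user"]})
    return events


def parse_access(text):
    """Apache access lines -> event dicts; the tz offset is dropped (all UTC assumed)."""
    events = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"].split()[0], "%d/%b/%Y:%H:%M:%S")
        events.append({"ts": ts, "ip": m["ip"], "source": "web", "method": m["method"],
                       "path": m["path"], "status": int(m["status"])})
    return events


def suspicious_stage(ev):
    """Kill-chain stage for an event that is suspicious on its own, else None."""
    if ev["source"] == "auth":
        return "credential brute force" if ev["result"] == "Failed" else None
    if WEBSHELL_HINT.search(ev["path"]):          # checked first: the path also contains "upload"
        return "webshell command execution"
    if ev["method"] == "POST" and "upload" in ev["path"].lower():
        return "file upload (webshell drop)"
    return None


def find_attacker(events):
    """Source IP with the most suspicious events, or None if nothing stands out."""
    scores = Counter(ev["ip"] for ev in events if suspicious_stage(ev))
    return scores.most_common(1)[0][0] if scores else None


def kill_chain(events, ip):
    """All events from `ip` in time order, each labelled with a stage.
    Benign-looking events are kept: a successful login right after a brute force
    is the pivot from credential access to valid-account use."""
    chain = []
    for ev in sorted((e for e in events if e["ip"] == ip), key=lambda e: e["ts"]):
        stage = suspicious_stage(ev)
        if stage is None:
            stage = "login with valid credentials" if ev["source"] == "auth" else "recon (web request)"
        detail = (f"{ev['result']} {ev['user']}" if ev["source"] == "auth"
                  else f"{ev['method']} {ev['path']} -> {ev['status']}")
        chain.append((ev["ts"].isoformat(), stage, detail))
    return chain


if __name__ == "__main__":
    evs = parse_auth(AUTH_LOG) + parse_access(ACCESS_LOG)
    attacker = find_attacker(evs)
    print("attacker:", attacker)
    for ts, stage, detail in kill_chain(evs, attacker):
        print(f"{ts}  {stage:30} {detail}")
```

On real data, swap the two string constants for `open(...).read()`; the per-line regexes already skip anything they do not recognise, so unrelated sshd and Apache noise falls out without crashing the run. The scoring deliberately ignores successful logins on their own, since the legitimate `alice` session would otherwise compete with the attacker; the accepted login only becomes interesting once it is placed in the attacker's own timeline.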
Ready to respond?
Start at the CIRT Gateway. The mission brief inside will guide you to the rest of the network.