Capstone (CLH-015 of 015)

Capstone Challenge

Final exam. Apply everything you've learned. Prove your CLI mastery.

Mission Briefing

You've been called in to investigate a suspected breach on a Linux server. The security team detected unusual network activity at 03:47 AM. Your mission: determine what happened, how the attacker got in, and what they did.

Skills You'll Need

Navigation: CLH-002
Pattern Hunting: CLH-004
Process Analysis: CLH-005
Permissions: CLH-006
Scripting: CLH-007-008
Sysadmin: CLH-009
Log Analysis: CLH-010
Incident Response: CLH-013

Investigation Checklist

Sample Investigation Commands

# === INITIAL TRIAGE ===
# What time is it? Document everything.
date; uptime
# Who's logged in RIGHT NOW?
w
# Active network connections (no -l: that flag limits output to listening sockets and hides ESTABLISHED ones)
netstat -tupn | grep ESTABLISHED

# === TIMELINE ANALYSIS ===
# Failed logins around 03:47
grep "03:4[0-9]" /var/log/auth.log | grep -i fail
# Successful logins
grep "Accepted" /var/log/auth.log | tail -20

# === PERSISTENCE HUNTING ===
# Suspicious cron jobs
cat /etc/crontab
ls -la /var/spool/cron/crontabs/
# SUID binaries (potential privesc)
find / -perm -4000 -type f 2>/dev/null
# Recently modified files (-mtime -1 = modified within the last 24 hours)
find / -mtime -1 -type f 2>/dev/null | head -50
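The timeline-analysis and evidence-hashing steps above, turned into reusable shell functions as an added example (this is not the Script House lab's own code). It runs offline against a constructed auth.log sample with documentation-range placeholder IPs, and goes one step past the one-off grep: per-IP failed-login counts in the alert window, a check for IPs that failed and then succeeded, and a sha256 custody log for whatever file you collect.

```shell
#!/bin/sh
# Added example, not part of the lab. POSIX sh; needs grep, awk, sort, uniq, sha256sum (or shasum).
set -eu

# Constructed sample auth.log (sshd format). IPs are RFC 5737 placeholders, not real attackers.
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
Mar 12 03:41:02 prod-web-01 sshd[2201]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Mar 12 03:41:09 prod-web-01 sshd[2203]: Failed password for root from 203.0.113.45 port 51030 ssh2
Mar 12 03:42:17 prod-web-01 sshd[2210]: Failed password for root from 203.0.113.45 port 51044 ssh2
Mar 12 03:43:55 prod-web-01 sshd[2215]: Failed password for deploy from 198.51.100.7 port 40012 ssh2
Mar 12 03:47:31 prod-web-01 sshd[2240]: Accepted password for deploy from 203.0.113.45 port 51090 ssh2
Mar 12 08:15:00 prod-web-01 sshd[3100]: Accepted publickey for alice from 192.0.2.10 port 22222 ssh2
EOF

# Failed SSH logins per source IP inside an "HH:M" window ("03:4" covers 03:40-03:49),
# most frequent first. Output lines look like "<count> <ip>".
failed_logins_by_ip() {
  local log="$1" window="$2"
  grep "$window[0-9]:" "$log" | grep -i "failed password" \
    | awk '{for (i = 1; i <= NF; i++) if ($i == "from") print $(i+1)}' \
    | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# IPs that failed at least once and later got an "Accepted": the brute-force-then-login pattern.
brute_force_then_accepted() {
  awk '/Failed password/ {for (i = 1; i <= NF; i++) if ($i == "from") f[$(i+1)] = 1}
       /Accepted/        {for (i = 1; i <= NF; i++) if ($i == "from") a[$(i+1)] = 1}
       END {for (ip in f) if (ip in a) print ip}' "$1" | sort
}

# Hash one evidence file and append "<utc time>  <sha256>  <path>" to a custody log, so any
# later change to the file is detectable. Prints the digest. shasum is the macOS fallback.
hash_evidence() {
  local file="$1" custody="$2" digest
  if command -v sha256sum >/dev/null 2>&1; then
    digest="$(sha256sum "$file" | awk '{print $1}')"
  else
    digest="$(shasum -a 256 "$file" | awk '{print $1}')"
  fi
  printf '%s  %s  %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$digest" "$file" >> "$custody"
  printf '%s\n' "$digest"
}

CUSTODY_LOG="$(mktemp)"
echo "== Failed logins 03:40-03:49 by IP =="; failed_logins_by_ip "$SAMPLE_LOG" "03:4"
echo "== IPs that failed, then succeeded =="; brute_force_then_accepted "$SAMPLE_LOG"
echo "== Evidence hash (also written to $CUSTODY_LOG) =="; hash_evidence "$SAMPLE_LOG" "$CUSTODY_LOG"
```

On a real host, point the functions at /var/log/auth.log and hash every artifact you copy off the box before you read it.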

Report Template

## INCIDENT REPORT
## Prepared by: [Your Name]
## Date: $(date)

### Executive Summary
[1-2 paragraph overview for management]

### Timeline
03:47 - Initial suspicious activity detected
[HH:MM] - [Event description]
[HH:MM] - [Event description]

### Attack Vector
[How did they get in?]

### Indicators of Compromise
- IP: [Attacker IP]
- User: [Compromised account]
- Files: [Modified/created files]

### Recommendations
1. [Immediate action]
2. [Short-term fix]
3. [Long-term improvement]

CAPSTONE LAB: Breach Investigation

A server has been compromised. Use all the skills you've learned to investigate the breach, find evidence, and determine what happened. Complete ALL objectives to earn CLI Architect!

Collect volatile evidence (processes, connections)
Analyze authentication logs
Hunt for SUID persistence
Check cron for backdoors
Find recently modified files
Hash evidence for integrity
╔══════════════════════════════════════════════════════════════╗
║ CAPSTONE BREACH INVESTIGATION                                ║
╠══════════════════════════════════════════════════════════════╣
║ Server: prod-web-01 (10.0.0.50)                              ║
║ Alert Time: 03:47 AM                                         ║
║ Status: CRITICAL - Suspected Active Breach                   ║
╚══════════════════════════════════════════════════════════════╝

Investigate the breach. Find the attacker. Document everything.

Available commands:
  date, uptime, w, who, ps, netstat, lsof
  grep, cat, find, ls, stat
  sha256sum, last, lastb

Type 'help' for a complete command list. Type 'hint' if you get stuck.

root@prod-web-01:~#

Final Challenge

Complete the quiz to earn the CLI Architect title and finish the Command Line Hacker curriculum.
