NCAE Mapping Hub

Pre-competition week: practice drills

Check these off as your team practices each skill. Everyone on the team should be able to do each of these in under two minutes under pressure.

  1. Run the persistence-hunt substeps on a fresh Kali VM and discuss each finding
    Practice the nine-step persistence hunt from checklist 1 on a dummy host. Pick three findings and explain what each is and how to remediate it.
    Why this matters
    Under competition pressure you will not read documentation. You will run commands from muscle memory. This drill is how that muscle memory gets built.
    Walkthrough
    1. Stand up a throwaway Ubuntu VM (fresh, no hardening)
      # Create via UTM/VirtualBox/multipass. Target: 4 GB RAM, 20 GB disk, Ubuntu 22.04.
      Expect: VM boots to login with the Ubuntu default user.
      Interpret: The point is to practice on something disposable. Do not practice on the actual competition image.
    2. Run the nine-step persistence hunt from checklist 1 item 9
      # Execute each of the six commands from that item, one at a time.
      Expect: You should complete the hunt in under 10 minutes the first time.
      Interpret: Time yourself. Under pressure it will be slower, so aim for 5 minutes in practice.
    3. Discuss three findings with a teammate
      # Pick three results that seemed surprising. Explain what they are and how to remove them.
      Expect: A plain-English explanation and a remediation command for each.
      Interpret: If you cannot explain it, the command is not muscle memory yet. Re-read the relevant lesson and repeat the hunt.
  2. Time yourself setting up Samba and scoring-user accounts from scratch
    Target: under 10 minutes. Fresh VM, Samba installed, six users added, share defined, addict_with_a_pen.data present, smbclient -L works.
    Why this matters
    SMB is 3x weight. You will rebuild this service multiple times during a round. Muscle memory cuts the recovery time from half an hour to three minutes.
    Walkthrough
    1. Install Samba
      apt-get install -y samba
      Expect: 'Installed.' and smbd running.
      Interpret: On a fresh Ubuntu this takes under a minute. If the network is slow, pre-stage the .deb files.
    2. Add the six scoring users (Linux-side)
      for u in keons henri_cartan listo nills reisdro lisdn; do useradd -m -s /bin/bash "$u" && echo "$u:TempPass123" | chpasswd; done
      Expect: No output.
      Interpret: TempPass is only used for Linux login. Samba passwords are separate and are set next.
    3. Add each user to Samba with the scored password
      for u in keons henri_cartan listo nills reisdro lisdn; do (echo '<scored-password>'; echo '<scored-password>') | smbpasswd -s -a "$u"; done
      Expect: 'Added user <name>' per iteration.
      Interpret: The scored password is whatever the competition packet specifies. Keep it consistent across users if that is the packet's convention.
    4. Define the files share
      cat >> /etc/samba/smb.conf <<'EOF'
      [files]
      path = /srv/samba/files
      browseable = yes
      read only = no
      valid users = keons, henri_cartan, listo, nills, reisdro, lisdn
      EOF
      mkdir -p /srv/samba/files && chmod 775 /srv/samba/files
      Expect: No output.
      Interpret: The path must exist and be writeable by the scoring users for SMB Write scoring. A root-owned 775 directory is not writeable by them, so if Write fails, chgrp it to a group the scoring users share (or chown it) before loosening the mode further.
    5. Validate and start
      testparm -s && systemctl restart smbd
      Expect: Loaded services without errors; smbd active.
      Interpret: testparm errors = syntax issue. Fix before restarting.
    6. Smoke-test as a scoring user
      smbclient -L //localhost -U keons
      Expect: A share listing along the lines of
        Sharename       Type      Comment
        ...
        files           Disk
      Interpret: If connection refused, smbd is not running. If NT_STATUS_LOGON_FAILURE, the Samba password did not take. Stopwatch should read under 10:00 total.
  3. Configure MikroTik NAT rules from empty to fully working
    Use a MikroTik emulator or a spare router. Target: under 5 minutes, all 7 rules in place.
    Why this matters
    NAT is the easiest high-impact thing to get wrong under pressure. Practicing on a non-live device removes the fear and teaches the syntax.
    Walkthrough
    1. Boot a MikroTik CHR (Cloud Hosted Router) in GNS3 or as a VM
      # CHR ships as an OVA. Boot it, log in as admin with no password the first time.
      Expect: RouterOS banner and CLI prompt.
      Interpret: If you cannot run CHR, the WebFig interface on a spare physical MikroTik works too. The CLI commands are identical.
    2. Clear any existing NAT
      /ip firewall nat remove [find]
      Expect: No output.
      Interpret: Starting from zero is the whole point of the drill. Skip this if you already have meaningful rules you want to keep.
    3. Add the seven scoring rules
      /ip firewall nat add chain=dstnat protocol=tcp dst-port=22 action=dst-nat to-addresses=192.168.1.10 to-ports=22
      /ip firewall nat add chain=dstnat protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.1.10 to-ports=80
      /ip firewall nat add chain=dstnat protocol=tcp dst-port=443 action=dst-nat to-addresses=192.168.1.10 to-ports=443
      /ip firewall nat add chain=dstnat protocol=tcp dst-port=445 action=dst-nat to-addresses=192.168.1.10 to-ports=445
      /ip firewall nat add chain=dstnat protocol=tcp dst-port=5432 action=dst-nat to-addresses=192.168.1.10 to-ports=5432
      /ip firewall nat add chain=dstnat protocol=tcp dst-port=53 action=dst-nat to-addresses=192.168.1.12 to-ports=53
      /ip firewall nat add chain=dstnat protocol=udp dst-port=53 action=dst-nat to-addresses=192.168.1.12 to-ports=53
      Expect: No errors. Each add returns silently.
      Interpret: Adjust to-addresses per the lab topology. DNS goes to a different VM than the rest in typical NCAE layouts.
    4. Print and verify
      /ip firewall nat print where action=dst-nat
      Expect: Seven rows. Stopwatch should read under 5:00.
      Interpret: A missing row = a typo or a silent error in the add. Rerun that specific add line. Over time = practice again.
  4. Write the golden-tarball + cron-restore script from memory
    No googling. It should take under three minutes once you have internalized the pattern.
    Why this matters
    This is the highest-leverage defense in the playbook. It must be muscle memory. Writing it while sweating under ncat connect attempts is very different from writing it comfortably.
    Walkthrough
    1. In a scratch file, write the golden tarball command
      # Aim for: tar -czf /root/golden-configs-$(date +%H%M).tar.gz /etc/ssh /etc/samba /etc/bind /etc/apache2 /etc/postgresql /etc/passwd /etc/shadow /etc/group /etc/sudoers
      Expect: Command typed from memory.
      Interpret: Forgot a path? That is a config file the red team can tamper with undetected. Add it to the mental list.
    2. Write the restore script
      # Aim for: cat > /root/restore.sh <<'EOF' ... EOF; chmod +x /root/restore.sh
      Expect: Script on disk.
      Interpret: Forgot the heredoc quoting? With an unquoted EOF, the $(date ...) in the tar path expands at write time, not at restore time. The single-quoted 'EOF' keeps it literal.
    3. Install the cron
      (crontab -l 2>/dev/null; echo '* * * * * /root/restore.sh') | crontab -
      Expect: The cron list has the new line.
      Interpret: crontab -l shows it? Pass. Missing? You likely dropped the subshell.
    4. Prove it works by editing a config and waiting
      echo '# test drift' >> /etc/ssh/sshd_config; sleep 65; tail -3 /etc/ssh/sshd_config
      Expect: The test drift line is gone after 65 seconds.
      Interpret: Still present? restore.sh did not fire. Check `grep CRON /var/log/syslog` for the minute boundary.
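The pattern this drill asks you to write from memory, as an added example (it is not the hub's own restore.sh). Every function takes a base directory so you can rehearse in a scratch tree such as /tmp/drill; in competition the base would be "/" and the cron line from step 3 would call golden_check_and_restore on it. The path list is the one step 1 names; GNU tar and POSIX cmp/mktemp are assumed.

```shell
# Added example of drill 04's golden-tarball + cron-restore pattern, not the
# hub's own script. <base> is "/" in competition, a scratch tree in practice.
# Assumes GNU tar and POSIX cmp/mktemp; the path list is the one step 1 names.

GOLDEN_PATHS="etc/ssh etc/samba etc/bind etc/apache2 etc/postgresql etc/passwd etc/shadow etc/group etc/sudoers"

# Snapshot the known-good configs into <base>/root/golden-configs-HHMMSS.tar.gz.
# Members are stored relative to <base> (tar strips the leading "/" anyway), so
# the same archive restores with "tar -xzf ... -C <base>".
golden_snapshot() {
  base="$1"; out="$base/root/golden-configs-$(date +%H%M%S).tar.gz"; have=""
  mkdir -p "$base/root"
  for p in $GOLDEN_PATHS; do [ -e "$base/$p" ] && have="$have $p"; done
  tar -czf "$out" -C "$base" $have
  printf '%s\n' "$out"
}

# Newest snapshot by mtime, so re-snapshotting after a legitimate change wins.
latest_golden() { ls -t "$1"/root/golden-configs-*.tar.gz 2>/dev/null | head -n 1; }

# Print each archived file whose live copy differs or is missing.
# Returns 0 if drift was found, 1 if everything matches, 2 if no snapshot exists.
golden_drifted() {
  base="$1"; snap="$(latest_golden "$base")"; rc=1
  [ -n "$snap" ] || return 2
  tmp="$(mktemp -d)"
  tar -xzf "$snap" -C "$tmp"
  for f in $(tar -tzf "$snap"); do
    [ -f "$tmp/$f" ] || continue          # directory entries end in "/"
    cmp -s "$tmp/$f" "$base/$f" || { printf '%s\n' "$f"; rc=0; }
  done
  rm -rf "$tmp"
  return $rc
}

# The body of restore.sh: restore only when something drifted, and log which
# files changed so restore.log doubles as a tamper timeline for the round.
# Returns 0 if a restore ran, 1 if the tree was clean or has no snapshot.
golden_check_and_restore() {
  base="$1"
  changed="$(golden_drifted "$base")" || return 1
  tar -xzf "$(latest_golden "$base")" -C "$base"
  printf '%s restored: %s\n' "$(date +%FT%T)" "$(printf '%s' "$changed" | tr '\n' ' ')" \
    >> "$base/root/restore.log"
}
```

Step 4 of the drill is then: append a test line to a config under the base, call golden_check_and_restore, and confirm the line is gone and restore.log names the file.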
  5. Regenerate an SSL cert with correct CN and SAN and restart Apache
    Target: under two minutes.
    Why this matters
    Scored SSL checks validate the certificate. A cert with a mismatched hostname fails every check. The fix is one openssl invocation. Practice it.
    Walkthrough
    1. Set the team number
      export TEAM_NUM=10
      Expect: No output.
      Interpret: Replace 10 with your team number from the packet. The subject string interpolates it.
    2. Generate the cert and key with SAN
      openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/server.key -out /etc/ssl/certs/server.crt -subj "/CN=team${TEAM_NUM}.ncaecybergames.org" -addext "subjectAltName=DNS:team${TEAM_NUM}.ncaecybergames.org"
      Expect: 'Generating a RSA private key', the key-generation spinner, then 'Writing new private key'.
      Interpret: Errors about -addext mean your openssl is older than 1.1.1. Use a config file with a v3_req section instead.
    3. Restart Apache
      systemctl restart apache2
      Expect: No output.
      Interpret: If the restart fails: `journalctl -u apache2 -n 30`. The most common error is a key with wrong permissions.
    4. Validate externally
      echo | openssl s_client -connect localhost:443 -servername team${TEAM_NUM}.ncaecybergames.org 2>/dev/null | openssl x509 -noout -subject -dates
      Expect: subject= /CN=team<N>.ncaecybergames.org and a notAfter about one year out.
      Interpret: Stopwatch should read under 2:00 from step 2 to here.
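A pre-restart check for this drill, added here as an example rather than one of the hub's own steps: before step 3 restarts Apache, confirm the new cert carries the expected CN and SAN, is not expired, and matches the private key beside it, so a mismatched hostname is caught before the scorer sees it. It assumes openssl 1.1.1 or newer (the same requirement -addext already imposes in step 2).

```shell
# Added example for drill 05, not the hub's own command. Assumes openssl >= 1.1.1.
# Usage: cert_check /etc/ssl/certs/server.crt /etc/ssl/private/server.key \
#                   team${TEAM_NUM}.ncaecybergames.org

# Subject CN, printed bare. RFC2253 formatting gives "subject=CN=host" on one line.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed 's/^subject=//; s/.*CN=\([^,]*\).*/\1/'
}

# DNS entries from the subjectAltName extension, one per line.
cert_sans() {
  openssl x509 -in "$1" -noout -ext subjectAltName \
    | tr ',' '\n' | sed -n 's/.*DNS:\([^ ]*\).*/\1/p'
}

# Returns 0 only if every check passes; each failing check prints its reason,
# so the output tells you which part of the openssl invocation to redo.
cert_check() {
  crt="$1"; key="$2"; host="$3"; bad=0
  [ "$(cert_cn "$crt")" = "$host" ] \
    || { echo "CN mismatch: got '$(cert_cn "$crt")', want '$host'"; bad=1; }
  cert_sans "$crt" | grep -qx "$host" \
    || { echo "SAN does not list $host"; bad=1; }
  openssl x509 -in "$crt" -noout -checkend 0 >/dev/null \
    || { echo "certificate already expired"; bad=1; }
  # Public key derived from the private key must equal the one in the cert.
  [ "$(openssl x509 -in "$crt" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ] \
    || { echo "private key does not match certificate"; bad=1; }
  return $bad
}
```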