Cloud Shadow

Forensics 200 pts standard
Challenge Description

Security detected suspicious internal email access without password resets or MFA prompts. Investigation suggests OAuth app abuse and token replay across cloud services.

Identify:

  1. Malicious OAuth application client ID.
  2. First external IP that used the stolen token.
  3. Target tenant short name.
  4. Abused high-risk permission scope.

Flag format: HackCTF{...}

Hints
  1. Multiple app consents exist; only one aligns with high-risk token use.
  2. Correlate grant scopes with suspicious sign-in rows.
  3. Scope must be lowercase in the flag.
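The correlation the hints describe, as an added illustration that is not part of the challenge or its artifacts: consent-grant records are joined to sign-in rows, and the one app that both holds a high-risk scope and shows MFA-less, non-interactive sign-ins from external addresses is reported together with the first external IP, the tenant short name and the lowercased scope. All records, client IDs, IPs and UPNs are constructed placeholders, and the RFC 1918 egress ranges, the high-risk scope set and the UPN-to-tenant convention are assumptions.

```python
# Added illustration, not from the challenge: correlate OAuth consent grants with
# sign-in rows to find the app whose token was replayed. All records are constructed.
from ipaddress import ip_address, ip_network

# Assumptions: RFC 1918 ranges are the tenant's own egress; these scopes count as high risk.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
HIGH_RISK_SCOPES = {"Mail.ReadWrite", "Mail.Read", "Directory.ReadWrite.All"}

# Constructed consent grants (client_id values are placeholders, not real app IDs).
CONSENTS = [
    {"client_id": "app-id-A", "name": "Calendar Sync", "scopes": ["Calendars.Read", "User.Read"]},
    {"client_id": "app-id-B", "name": "Mail Helper", "scopes": ["Mail.ReadWrite", "offline_access"]},
]
# Constructed sign-in rows (ts, app, source IP, UPN, whether MFA/interactive were seen).
SIGNINS = [
    {"ts": "2024-05-01T08:00:00Z", "client_id": "app-id-A", "ip": "10.0.0.5",
     "user": "alice@example-tenant.onmicrosoft.com", "mfa": True, "interactive": True},
    {"ts": "2024-05-01T09:12:00Z", "client_id": "app-id-B", "ip": "10.0.0.7",
     "user": "alice@example-tenant.onmicrosoft.com", "mfa": True, "interactive": True},
    {"ts": "2024-05-01T09:40:00Z", "client_id": "app-id-B", "ip": "203.0.113.9",
     "user": "alice@example-tenant.onmicrosoft.com", "mfa": False, "interactive": False},
    {"ts": "2024-05-01T10:05:00Z", "client_id": "app-id-B", "ip": "198.51.100.4",
     "user": "alice@example-tenant.onmicrosoft.com", "mfa": False, "interactive": False},
]

def is_external(ip):
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def tenant_short_name(upn):
    # Assumed convention: "user@contoso.onmicrosoft.com" -> "contoso"
    return upn.split("@", 1)[1].split(".", 1)[0]

def find_token_replay(consents, signins):
    """Return (client_id, first_external_ip, tenant, scope) for each consented app
    holding a high-risk scope that also shows MFA-less, non-interactive sign-ins
    from external addresses. The scope is lowercased as the flag format requires."""
    findings = []
    for c in consents:
        risky = [s for s in c["scopes"] if s in HIGH_RISK_SCOPES]
        if not risky:
            continue  # benign consent: no high-risk scope granted
        hits = sorted((r for r in signins if r["client_id"] == c["client_id"]
                       and not r["mfa"] and not r["interactive"] and is_external(r["ip"])),
                      key=lambda r: r["ts"])  # ISO-8601 strings sort chronologically
        if hits:
            first = hits[0]  # earliest external use of the token
            findings.append((c["client_id"], first["ip"],
                             tenant_short_name(first["user"]), risky[0].lower()))
    return findings
```

On the constructed data the only finding is the "Mail Helper" consent; the calendar app is consented too but never produces a high-risk, MFA-less external sign-in, which is exactly the distinction the first hint points at.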