Hypervisor Haunt

Forensics 100 pts standard
Challenge Description

Multiple VMs were encrypted following suspicious activity recorded in vCenter and in the ESXi shell history. Your task is to reconstruct the infrastructure compromise path.

Recover:

  1. Exploited CVE ID.
  2. Ransom extension used on virtual disks.
  3. Target datastore name.
  4. External staging host used by the attacker's script.

Flag format: HackCTF{...}

Hints
  1. One CVE mention is noisy and not on the true execution chain.
  2. Pull the host data from the command staging line.
  3. Use the extension without the leading dot in the flag.