
training's Introduction

MITRE Caldera Plugin: Training

The training plugin provides a certification course to become a Caldera subject matter expert (SME).

If you earn a code, send it to caldera at mitre dot org and we will validate it as proof of completion.

Development

JavaScript:

This plugin uses eslint for JavaScript linting and requires the following dependencies:

  • node >= 15.9.0
  • npm >= 7.5.0

Linting is performed automatically by a GitHub Action when changes are pushed to a branch on GitHub.

To run it locally, run the following commands:

> cd /path/to/training/repo
> npm ci
> npm run lint

To fix issues automatically run the following (note: not all violations can be fixed automatically):

> npm run lint -- --fix

For information about rule violations, see the eslint rules page.

training's People

Contributors

argaudreau, artificialermine, biastogit, blackwidow0616, bworrell, christophert, clenk, cyber-arsenull, ddavila54, dependabot[bot], djmartin41041, elegantmoose, iguannalin, jamiescottc, khyberspache, kirilldogu, mchan143, mrengstrom, mshkolnik22, nopfor, privateducky, scottctaylor12, unkempthenry, uruwhy, wbooth, yee-jonathan, zacharylpalmer


training's Issues

Blue Training: Malicious File on System

In the training module - blue team

  • autonomous
    -- Malicious File on System

Write a file on the Windows machine under the C:\Users\Public directory. Get the SHA256 hash of this file, and write it to C:\Users\Public\malicious_files.txt. The autonomous defender should automatically find and delete the file.


File is removed but flag is not granted and I cannot move on in the training.
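An added example, not code from the training plugin or the issue author: the check the autonomous defender has to perform for this exercise, written in Python. It hashes each file in the directory, compares the digest against those listed in malicious_files.txt and removes the matches. The directory and file names in demo() are constructed stand-ins for C:\Users\Public.

```python
import hashlib
import tempfile
from pathlib import Path

HEX = set("0123456789abcdef")

def sha256_of(path: Path) -> str:
    """Stream the file so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def load_listed_hashes(listing: Path) -> set:
    """One SHA256 hex digest per line; anything that is not a 64-char hex token is ignored."""
    hashes = set()
    for line in listing.read_text().splitlines():
        tok = line.strip().lower()
        if len(tok) == 64 and set(tok) <= HEX:
            hashes.add(tok)
    return hashes

def find_listed_files(directory: Path, listing_name: str = "malicious_files.txt") -> list:
    """Files in `directory` whose SHA256 appears in the listing (the listing itself is skipped)."""
    listing = directory / listing_name
    if not listing.is_file():
        return []
    wanted = load_listed_hashes(listing)
    return [p for p in sorted(directory.iterdir())
            if p.is_file() and p.name != listing_name and sha256_of(p) in wanted]

def remove_listed_files(directory: Path, dry_run: bool = True) -> list:
    """Delete (or, with dry_run, only report) every file that matches a listed hash."""
    removed = []
    for p in find_listed_files(directory):
        if not dry_run:
            p.unlink()
        removed.append(p.name)
    return removed

def demo() -> dict:
    """Constructed scenario mirroring the exercise: one listed file, one benign file."""
    with tempfile.TemporaryDirectory() as d:
        public = Path(d)                      # constructed stand-in for C:\Users\Public
        dropped = public / "dropped.bin"
        dropped.write_bytes(b"constructed sample content, not real malware\n")
        (public / "notes.txt").write_text("benign file, hash not listed\n")
        (public / "malicious_files.txt").write_text(sha256_of(dropped) + "\n")
        removed = remove_listed_files(public, dry_run=False)
        return {"removed": removed, "dropped_exists": dropped.exists(),
                "benign_exists": (public / "notes.txt").exists()}
```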

Add Instructions to Readme for a clearer process

In the GUI of Caldera, one can only see the instructions where to send the final flag to, if no certificate is selected.

It would be nice to have the line also here in the project readme and in the documentation:

"If you earn a code, send it to [email protected]. We will validate it and send back an authenticated code as proof of completion."

Blue certificate: manual operation: "detect malicious file on system" not creating malicious_files.txt

So I'm on exercise 2 of the "manual" section (the flag check for this is blue_2a.py https://github.com/mitre/training/blob/master/app/flags/manual/blue_2a.py).
It claims to create a "pretend malicious file" and "malicious_files.txt" within a minute so I can run a manual operation.

  1. The file(s) do(es) not get created. I have an active red client in the "cert-win" category so it should work.
  2. After a while I created the file myself, like we were asked in "malicious file on system" in the autonomous section, and created a potential link "acquire suspicious files" in my "Blue Manual" operation. The "malicious_files" file got found and deleted, but still the flag doesn't get acquired.

Am I misunderstanding this exercise, or what am I doing wrong? Also, is the "acquire suspicious files" ability supposed to remove files automatically?

Task #13 [Stealthy Operation]: How to suppress powershell output streams (XML)?

I'm doing Task #13 which uses the Hunter adversary profile with base64 obfuscation and 10/20 seconds jitter, with 1 agent (Windows 10 VM, which is part of a domain). I noticed that the output of the base64-encoded powershell commands return XML streams.

e.g. for "Identify local users", this is the output of powershell -Enc RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAC0AQwBsAGEAcwBzACAAVwBpAG4AMwAyAF8AVQBzAGUAcgBBAGMAYwBvAHUAbgB0AA==:

#< CLIXML
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04"><Obj S="progress" RefId="0"><TN RefId="0"><T>System.Management.Automation.PSCustomObject</T><T>System.Object</T></TN><MS><I64 N="SourceId">1</I64><PR N="Record"><AV>Preparing modules for first use.</AV><AI>0</AI><Nil /><PI>-1</PI><PC>-1</PC><T>Completed</T><SR>-1</SR><SD> </SD></PR></MS></Obj></Objs>


When I run the same powershell command directly on the command line in the Win10 VM, the output comes out fine:

How do we go about getting the correct output in CALDERA instead of the XML streams?
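An added example, not code from the training plugin or the issue author: a Python filter that separates the CLIXML records PowerShell serializes (the progress record quoted above is one) from the command's real output, so whoever reads agent results can tell an empty result from a progress stream and still see any error records. The quoted output is embedded as PAGE_SAMPLE; the handling of string records and the `_xHHHH_` control-character decoding follow the CLIXML format and are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET

PS_NS = "{http://schemas.microsoft.com/powershell/2004/04}"
CLIXML_MARKER = "#< CLIXML"

# The exact output quoted in the issue above: a single progress record, no real output.
PAGE_SAMPLE = (
    '#< CLIXML\n'
    '<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">'
    '<Obj S="progress" RefId="0"><TN RefId="0"><T>System.Management.Automation.PSCustomObject</T>'
    '<T>System.Object</T></TN><MS><I64 N="SourceId">1</I64><PR N="Record">'
    '<AV>Preparing modules for first use.</AV><AI>0</AI><Nil /><PI>-1</PI><PC>-1</PC>'
    '<T>Completed</T><SR>-1</SR><SD> </SD></PR></MS></Obj></Objs>\n'
)

def _decode_ps_escapes(text):
    # CLIXML serializes control characters as _xHHHH_ (e.g. _x000D__x000A_ for CRLF)
    return re.sub(r"_x([0-9A-Fa-f]{4})_", lambda m: chr(int(m.group(1), 16)), text or "")

def parse_clixml_records(xml_text):
    """One {'stream', 'text'} dict per top-level record in a CLIXML document."""
    records = []
    for child in ET.fromstring(xml_text):
        stream = child.get("S", "Output")
        if child.tag == PS_NS + "S":            # plain string record (Error, Warning, ...)
            text = child.text
        else:                                    # progress records carry <PR><AV>activity</AV>
            av = child.find(".//" + PS_NS + "AV")
            text = av.text if av is not None else ""
        records.append({"stream": stream, "text": _decode_ps_escapes(text)})
    return records

def split_output(raw):
    """Separate ordinary console lines from embedded CLIXML blocks."""
    plain, records, lines, i = [], [], raw.splitlines(), 0
    while i < len(lines):
        if lines[i].startswith(CLIXML_MARKER):
            buf, i = [], i + 1
            while i < len(lines):               # the XML runs until the closing </Objs>
                buf.append(lines[i]); i += 1
                if buf[-1].rstrip().endswith("</Objs>"):
                    break
            records.extend(parse_clixml_records("\n".join(buf)))
        else:
            plain.append(lines[i]); i += 1
    return "\n".join(plain), records

def clean_output(raw, drop_streams=("progress",)):
    """Real command output plus any non-progress records, rendered one per line."""
    text, records = split_output(raw)
    extra = ["[%s] %s" % (r["stream"], r["text"].rstrip()) for r in records
             if r["stream"] not in drop_streams]
    return "\n".join([text] + extra).strip()
```

Run on PAGE_SAMPLE the filter returns an empty string, which is the actual answer the command produced: the XML was only a progress record, not the user listing.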

Unable to compile training module

Describe the bug

Installation of training module throws error referencing airbnb-base

To Reproduce
Steps to reproduce the behavior:

Running the following...

Caldera Version: 4.0.0-alpha
NPM version: 8.1.0
node version: 16.13.0

Following steps, I have run

npm ci

followed by

npm run init

from /opt/caldera/plugin/training

It throws the following error...

> lint
> eslint ./static/js/*.js


Oops! Something went wrong! :(

ESLint: 8.3.0

ESLint couldn't find the config "airbnb-base" to extend from. Please check that the name of the config is correct.

The config "airbnb-base" was referenced from the config file in "/opt/caldera/.eslintrc.js".

If you still have problems, please stop by https://eslint.org/chat/help to chat with the team.

have also tried running the command

npm run lint -- --fix

without success.

Expected behavior

Installation of training module


Blue Cert - Manual Flag 15 No abilities shown to complete the flag

Describe the bug
The bug appears when you need to complete flag 15 under manual "FIND CHANGES TO POWERSHELL PROFILE". The abilities to complete this flag are not present in the operations. Also, the abilities are sometimes duplicated: when you click "+potential links" it shows the same ability 2-3 times, or shows abilities for Linux even if the agent is for Windows. The ability to complete flag 16 is not present either.

To Reproduce
Steps to reproduce the behavior:
1. Run a blue Golang agent elevated for Windows and a red agent for Windows.
2. Start a Manual operation and try to find the ability below.
3. After completing flag 14 in the blue cert under manual, flag 15 appears, and at this point you need to run the ability 930236c2-5397-4868-8c7b-72e294a5a376 to complete the flag, which is not present.

Expected behavior
Some abilities are not present, abilities may be shown 2-3 times with the same commands, and Linux abilities appear even if the agent is for Windows.

Screenshots

Same abilities shown 3 times
Desktop (please complete the following information):

  • OS: Kali Linux & Ubuntu 20.4
  • Browser [Chrome]
  • Version [Linux kali 5.9.0-kali1-amd64 #1 SMP Debian 5.9.1-1kali2 (2020-10-29) x86_64 GNU/Linux]


Blue team abilities are missing executors

I went through the training for User Certificate, and when I reached the flag 24 Blue operation, Caldera process was complaining about missing executor see here in the incident responder profile.

When I investigated this, I found the following:

  1. All incident responder abilities are missing the executor part, see for example the Suspicious URLs in mail. In fact, it seems that all abilities in are missing the executor.
  2. Most of the abilities only support Windows and not Linux, when I run it in Linux the operation is stuck at Suspicious URLs in mail ability and doesn't go beyond that, see here, and the Server complains about the executor.

Setup: Caldera version 2.8.0-909597268607e7cbca77bd22c462fb22 in Docker version 18.09.7 in Ubuntu 16.04, the blue agent is running via sudo in the host.

Is this part of the training, should I fix the executors (I tried for the suspicious URLs, but still I am getting the same error).

Certification Path is not persistent

If we don't finish all the training in the same session, all the progress is lost.
For example, we have a step named mock to enable a mock module, but this step requires a restart of the server. After the restart all the progress is lost and we need to start again from the beginning.
The application should store the progress of training across sessions and even after a restart.
