NITE Team 4

Walkthrough / 100% Achievement Guide for "NITE Team 4"
By ꧁acid rain̷͐͋͗̄͐̊̊͠
This guide will show you how to finish all missions (including training) and obtain all achievements in NITE Team 4.
Also includes Operation Withering Dusk + all related achievements.
A warning first off
My guides tend to be straightforward. I will provide solutions to every mission in the game and not just hints.

There are spoiler-free guides out there and I strongly recommend using them to try and solve the game by yourself before you use my guide.

>>Here<< you can find the guides LeikRad<3 wrote. They are spoiler-free so you might be better off checking his guides first.
General stuff - please read
- If you are looking for a specific achievement, you can hit CTRL+F and search for the achievement name.

- Every time you complete a phase the 'Back to certification' button will show up. Click on it followed by 'Continue training'.

- I will quite often write "type ...". Instead of actually typing you can also copy & paste the stuff (yes, this is the *super* lazy attempt :p). While copy & pasting, make sure you don't paste a space before or after the command (especially with FoxAcid).

- If I write "type [command], [command], ..." you don't just copy/type the whole line but every command on its own, followed by enter.

- Don't close any program you ran in between the different phases of a mission/training. You might still need it or its content.
Terminal Operator I - V + Chatterbot
I recommend doing these after you completed the other missions to save yourself some work.

The 5 Terminal Operator achievements are gained by entering a specific amount of command lines into a terminal.

To increase the number open the 'DNS & VHOST Mapping' module 2 times, put both next to each other and type sfuzzer niteteam4.com -t 1 in both followed by hitting enter.

Now you switch from one module to the other by clicking with the mouse and launch the command by pressing arrow up followed by enter.

For Chatterbot you need to type 200 commands into Uplink 51. I'd recommend spamming 'help' or 'hint' until you get it.
Getting started
After starting the game you have to create an agent profile.
Do so and you will automatically be logged in.

This is about what you should see now

Click on the square with the circle in it in the top right corner.

After listening to the lady on the next screen select "Academy" (You can also skip her monologue but it's nicely done and worth your while).
Basic Terminal Operations

Stinger OS Basics

It's been a while since I got the achievement but I think the Bootcamp achievement should be unlocked after starting the training.

Phase 1

Open the 'Host Fingerprint' module from the 'Information Gathering' menu.

Drag the window around and type 'help' in the console afterwards.


Phase 2

Open the 'Drone and Imagery' module (bottom of the screen, fourth symbol)

Enter 38 for latitude and -77 for longitude and click on the hand symbol between the coordinates.

Eye in the Sky achievement should unlock at this point.

Click on 'Back to globe'


Phase 3

Click on the big square in the top left corner.

On the next screen you click on the symbol I marked for you.
Choose any avatar you like from the list in the middle and confirm by hitting 'Equip item' in the bottom right corner.

Shape Shifter achievement will be unlocked.

To also unlock the Chameleon achievement you can click on the brush symbol shown in the screenshot below and change your UI skin.



Basic OSINT

Phase 1

Open the 'DNS & VHOST mapping' module from the 'Information Gathering' menu.

type sfuzzer niteteam4.com -t 10


Phase 2

Open the 'DNS & VHOST mapping' module from the 'Information Gathering' menu.

type osintscan niteteam4.com -s google.com -d 500


Phase 3

Open the 'DNS & VHOST mapping' module from the 'Information Gathering' menu.

type osintscan 98.124.199.93 -s bing.com -d 500



Advanced OSINT

Phase 1

Open the 'DNS & VHOST mapping' module from the 'Information Gathering' menu.

type sfuzzer niteteam4.com -t 5

type sfuzzer niteteam4.com -t 20


Phase 2

The 'DNS & VHOST mapping' module should already be open. If not open it.

type sfuzzer niteteam4.com -t 15

type osintscan niteteam4.com -s google.com -d 500


Phase 3

The 'DNS & VHOST mapping' module should already be open. If not open it.

type osintscan niteteam4.com -s google.com -d 1000



Fingerprint

Phase 1

Open the 'Fingerprint' module from the 'Information Gathering' menu.

type fingerprint www.niteteam4.com


Phase 2

The 'Fingerprint' module should already be open. If not open it.

type fingerprint test.niteteam4.com


Phase 3

The 'Fingerprint' module should already be open. If not open it.

type fingerprint server.niteteam4.com



Exploit Database

Phase 1

Open the 'Fingerprint' module from the 'Information Gathering' menu.

type fingerprint intranet.freekevin.net


Phase 2

Open the 'Exploit Database' from the 'Information Gathering' menu.

type searchsploit sharepoint-2007


Phase 3

Open the 'Exploit Database' from the 'Information Gathering' menu.

type searchsploit CRM4.0



Foxacid

Phase 1

Open the 'DNS & VHOST mapping' module from the 'Information Gathering' menu.

Open the 'Fingerprint' module from the 'Information Gathering' menu.

type fingerprint vpn.cyberdynegroup.net


Phase 2

Open the 'Exploit Database' from the 'Information Gathering' menu.

type searchsploit CiscoVPNClient


Phase 3

Open the 'Foxacid' module from the 'Network Intrusion' menu.

Delivery: UDP
Exploit: Content Spoofing
Rootkit: AfterMidnight
Target URL: Click on the symbol next to the text field and select 'vpn.cyberdynegroup.net' from the list.

Click the hand symbol in the middle of the module.

On the next screen click on 'Nite Team 4 controlled' then on 'Cyberdyne Group VPN'
Digital Forensic

Filebrowser

Phase 1

Open the 'Turbine C2 Registry' (bottom of your screen, first of the six symbols in the middle)

click on 'Nite Team 4 Controlled' -> 'Nite Team 4 FTP'

Open the 'Password Attack' module from the 'Network Intrusion' menu.

Target: ftp.niteteam4.com
Username: dvoorhees

click 'Ready'

select 'John the Ripper' -> click 'Start'

Friday the 13th achievement should unlock at this point.


Phase 2

Open the 'File Browser' module from the 'Data Forensic' menu.

type 192.168.1.5

Username: dvoorhees
Password: jason

click 'connect'

On the right side of the module doubleclick 'FTP-Root' -> 'dvoorhees' -> 'Academy Training' -> 'NT4 Files' -> 'dvoorhees.nt4'


Phase 3

Open the 'File Browser' module from the 'Data Forensic' menu.

type 192.168.1.5

Username: dvoorhees
Password: jason

click 'connect'

On the right side of the module click 'FTP-Root' -> 'dvoorhees'

Now click on 'Bankofchina_savingsaccount.txt' on the bottom left side of the module.


XKeyscore Basics

Phase 1

Open the 'XKeyscore Forensics' module (bottom of the screen, last of the 6 symbols)

Drag 'Dylan Voorhees' and 'NITE Team 4' onto the globe.

Click on 'IDs and Records'

Click on the symbol that starts the search (it's marked in the screenshot below).


Click on the new symbol 'Agent Dylan NT4 Profile'


Phase 2

Open the 'XKeyscore Forensics' module.

Drag 'Catherine Wheeler' onto the globe.

Click the start symbol again.

Click on 'Agent Dylan under Seargent Wheeler's command'


Phase 3

Open the 'XKeyscore Forensics' module.

Remove 'Catherine Wheeler' and 'Nite Team 4' from the globe.

Drag 'The Black Watchmen' and 'John Taylor' onto the globe.

Click on 'IDs and Records' and on the symbol that starts the search.

Open 'John Taylor Mission Report'

Remove 'Dylan Voorhees' and 'John Taylor' from the globe.

Drag 'Quachil Uttaus' onto the globe.

Click on 'IDs and Records' and on the symbol that starts the search.

Click on 'Sigil Mission Report'.

Drag 'Sigil' onto the globe and click on the symbol that starts the search.

Click on 'Sigil Threat Report'


Mobile Forensic

Phase 1

Open the 'Turbine C2 Registry' (bottom of your screen, first of the six symbols in the middle)

Click on 'Nite Team 4 Controlled'

Click on 'Cyberdyne Group VPN'

Open the 'XKeyscore Forensics' module from the 'Data Forensic' menu.

If there is still stuff on the globe remove all of it.

Drag 'Cyberdyne Group', 'Sasha Brewster' and 'John Dyson' onto the globe.

Click on 'IDs and Records' and on the symbol that starts the search.

Click on 'Employee Record' and on 'Official Employee Welcome Kit'.

Open the 'Fingerprint' module from the 'Information Gathering' menu.

type fingerprint snet.cyberdynegroup.net


Phase 2

Open the 'Phone CID Backdoor' module from the 'Network Intrusion' menu.

MAC Address: 6A:7D:69:64:51:56
Vendor: LG

Click on 'Start Intrusion'

Click on 'Notes' (on the smartphone in the middle of the module)

Click on 'Temporary Password'


Phase 3

Open the 'File Browser' module from the 'Data Forensic' menu.

type snet.cyberdynegroup.net

username: sbrewster
password: school

Click on 'Users' -> 'administrator' -> 'Documents' -> Projects -> 'AI_Algorithms' -> 'Azurenet'

Click on the csrss.exe (bottom left in the module)

Open the 'Turbine C2 Registry' -> 'Agent controlled'

Click on 'Cyberdyne Group VPN'

Hasta la Vista achievement should be unlocked by now.
If you're only here for the achievements, you can stop doing the training missions now: there are no more to unlock in this part of the guide, so you can skip to 'Operation Castle Ivy'.
Network Intrusion

Social Engineering

Phase 1

Open the 'Social Engineering Toolkit' module from the 'Network Intrusion' menu.

type 1, 1, 1, niteteam4.com


Phase 2

Open the 'Social Engineering Toolkit' module from the 'Network Intrusion' menu.

type 1, 1, 2, The Black Watchmen


Phase 3

Open the 'Social Engineering Toolkit' module from the 'Network Intrusion' menu.

type 1, 1, 2, Sunshade Corp, 2, 1, 3, 1, 4, 2, subject, alias, yes

Click on 'LEON's COMPUTER'.


Network Scanning

Phase 1

Open the 'WMI Scanner' module from the 'Information Gathering' menu.

type netscan


Phase 2

Open the 'WMI Scanner' module from the 'Information Gathering' menu.

type netscan

type dig /erp/it_mainframe


Phase 3

Open the 'DNS & VHost Mapping' module from the 'Information Gathering' menu.

type sfuzzer sunshade-corp.com -t 20

Open the 'WMI Scanner' module from the 'Information Gathering' menu.

type netscan

Open the 'Password Attack' module from the 'Network Intrusion' menu.

Target: mail.sunshade-corp.com
Username: jvalenti

Click Ready -> John the Ripper -> Start


Active Directory

Phase 1

Open the 'Turbine C2 Registry' (bottom of your screen, first of the six symbols in the middle)

Click on 'LEON's COMPUTER'

Open the 'WMI Scanner' module from the 'Information Gathering' menu.

type netscan

type dig /erp/active_directory


Phase 2

Open the 'Active Directory' from the 'Information Gathering' menu.

type /erp/active_directory


Phase 3

Click 'CN=IT' -> 'OU=IT-users' -> 'CN=bchambers'

Open the 'Password Attack' module from the 'Network Intrusion' menu.

Target: /erp/it_mainframe
Username: bchambers

Click John the Ripper -> Start


Man in the Middle

Phase 1

Open the 'Turbine C2 Registry' (bottom of your screen, first of the six symbols in the middle)

Click on 'Dialodge Support'

Open the 'MITM' module from the 'Network Intrusion' menu.

Click on 'ARP Poisoning' -> 'Scan for Hosts'

Target 1: 192.168.1.66
Target 2: 192.168.1.1

Click 'Start listening' -> 'URLSnapper'


Phase 2

Open the 'Foxacid Server' module from the 'Network Intrusion' menu.

Delivery: TCP/IP
Exploit: Content Spoofing
Rootkit: AfterMidnight
Target URL: intranet.dialodge.net
Target Technology: Akamai
Target Port: 443

Click on 'Dialodge Intranet'.

Open the 'MITM' module from the 'Network Intrusion' menu.

Click on 'LLMNR Poisoning' -> 'Scan for Hosts'

Target 1: 192.168.11.144
Target 2: 192.168.1.1

Click 'Start Listening' -> 'Packet Sniffer'


Phase 3

Open the 'Active Directory' module from the 'Information Gathering' menu.

type /erp/Dialodge_AD

Click 'CN=Policies' -> 'OU=Passwords'

Open the 'WMI Scanner' module from the 'Information Gathering' menu.

type netscan

Open the 'Password Attack' module from the 'Network Intrusion' menu.

Click on 'Hash'

type travis.keenan::dialodge:0F0F809FC89677344052E854A29C83A3:447D6D5AD8C57B28A6552C4CED776EE0

Click on 'John the Ripper' and check the boxes behind 'At least one number' and 'At least one symbol' on the right side of the module.

Click 'Start'.


Aircrack

Phase 1

Open the 'Air Crack' module from the 'Information Gathering' menu.

type airodump

type handshake 8A:FB:52:23:4B:98

Open the 'Turbine C2 Registry' (bottom of your screen, first of the six symbols in the middle)

Click on 'Dialodge Support'

type airodump (into 'Air Crack' module)

type handshake 1C:28:2E:C5:73:B9


Phase 2

Open the 'XKeyscore Forensics' module (bottom of the screen, last of the 6 symbols)

Remove everything from the globe.

Drag 'Wayne Spalder' and 'Dialodge' onto the globe, click on 'IDs and Records' and start the search.

Open 'Wayne Spalder Schedule'

Open the 'Air Crack' module from the 'Information Gathering' menu.

type airodump

type handshake 1C:28:2E:C5:73:B9

Click on the + signs marked in the screenshot below



Phase 3

Click on 'Settings' in the smartphone in the middle of the 'Air Crack' module then click on 'Personal Hotspot'

Click on the phone's notes and then on 'Certification Information'

Open the 'File Browser' module from the 'Data Forensic' menu.

type temp0451.dialodge.net

Username: wasp
Password: !netrusion

Click on 'Wasp' -> 'ClickHere' -> 'DownloadMe' -> 'cert_complete.txt'
News Stream Live
Phase 1

Open the 'DNS & VHOST mapping' module from the 'Information Gathering' menu.

type sfuzzer newsstreamlive.ca -t 10

Open the 'Host Fingerprint' module from the 'Information Gathering' menu.

type fingerprint extranet.newsstreamlive.ca

Open the 'Foxacid' module from the 'Network Intrusion' menu.

Delivery: TCP/IP
Exploit: Custom SOAP Request
Rootkit: AfterMidnight
Target URL: extranet.newsstreamlive.ca
Target Technology: Sharepoint-2007
Target Port: 8082

Click on the hand symbol to start.

Click on 'News Stream Live'.


Phase 2

Open the 'WMI Scanner' module from the 'Information Gathering' menu.

type netscan

type dig /srv-admin/employee_registry

After 'XKeyscore' has opened remove everything from the globe.

Drag 'News Stream Live', 'Laura Walker' and 'Andy Hattaway' onto the globe, click on 'IDs and Records' and run the search.

Click on 'Camera Crew ID'

Remove 'Laura Walker' from the globe.

Drag 'Ottawa Traffic CCTV' onto the globe.

Click on 'Travelling Chatter' (needs to be blue/active) and click on 'IDs and Records' (needs to be grey/inactive). Run the search.

Click on 'Photo Radar Snapshot'.

Open the 'Drone and Imagery' module (bottom of the screen, fourth symbol)

Latitude: 45.3210
Longitude: -75.8333

Hit 'Enter'

Click on the little car symbol.

License Plate: NSL01

Click on 'Scan Wireless Signatures'


Phase 3

Open the 'DNS & VHOST mapping' module from the 'Information Gathering' menu.

type osintscan triummedia.com -s google.com -d 500

Open the 'Fingerprint' module from the 'Information Gathering' menu.

type fingerprint api.billboard.triummedia.com

Open the 'Foxacid' module from the 'Network Intrusion' menu.

Delivery: UDP
Exploit: Segmentation Fault
Rootkit: AfterMidnight
Target URL: api.billboard.triummedia.com
Target Technology: mediaserver-3.0.1
Target Port: 1935

Click on the hand symbol.

Click on 'Trium Media'.

Open the 'Drone and Imagery' module (bottom of the screen, fourth symbol)

Click on the little car symbol and enter the license plate again if it's gone (NSL01).

Scan for wireless signature and wait for the car to pass by one of the symbols on the map (those are billboards).

When the car is close, click on the symbol. Repeat that several times until only one of the smartphones in the list is blue (active/in proximity). Click on that entry.

In the 'Phone CID Backdoor' module (which opens by itself if you did everything correctly) click on 'Activate Microphone' on the right side of the module.
Operation Castle Ivy
Absolute Beginners

Open the 'Turbine C2 Registry' (bottom of your screen, first of the six symbols in the middle)

Click on 'Nite Team 4 Controlled' -> 'Operation CastleIvy' (scroll down if you don't see it)

Open the 'WMI Scanner' module from the 'Information Gathering' menu.

type netscan

Open the 'Password Attack' module from the 'Network Intrusion' menu.

Target: /user/nlightman/c$
Username: nlightman

Start the program -> Click on 'John the Ripper' -> Start

Open the 'File Browser' module from the 'Data Forensic' menu.

type /user/nlightman/c$

Username: nlightman
Password: bcc2themoon

Click 'Connect' -> 'Backup' -> 'Important' -> 'Warez' -> 'Filez' -> 'uni74455.dll'


Master of Puppets

Open the 'XKeyscore Forensics' module (bottom of the screen, last of the 6 symbols)

Drag 'Nathan Lightman' and 'GRU Investigation Database' onto the globe.

Click on 'Financial Transactions' and 'IDs and Records'. Run the program.

Click on 'GRU Profile'

Open the 'Phone CID Backdoor' module from the 'Network Intrusion' menu.

MAC Address: C0:90:30:F6:C2:7C
Vendor: Samsung

Click on 'Start Intrusion'

In the smartphone click on 'Notes' -> 'Trade Info'

Open the 'Hydra Terminal' module from the 'Network Intrusion' menu.

type connect trade.cryptnet.auction

Node-ID: A771-091C

(don't close the Hydra Terminal)


Sympathy for the Devil

Open the 'File Browser' module from the 'Data Forensic' menu.

type localhost

Click 'home' -> 'niteteam4' -> 'Documents' -> 'INTEL' -> 'China' -> 'MSS' -> 'embassy_dictionary_password.txt'

Go back to the 'Hydra Terminal'

Click on 'Block IDs' -> select an empty Block and confirm the upload.

Auctioneer achievement will unlock.

Click on 'Dr. Ripper's Network'.

Open the 'MITM' module from the 'Network Intrusion' menu.

Click on 'ARP Poisoning' -> 'Scan for Hosts'

Target 1: 192.168.1.122
Target 2: 192.168.1.1

Click 'Start listening' -> 'URL Snapper'

Click on 'Dr. Ripper's Network'.


Seek and Destroy

Open the 'Drone and Imagery' module (bottom of the screen, fourth symbol)

Latitude: 52
Longitude: 13

Click on the hand symbol -> on the little fire symbol

Open the 'Hydra Terminal' module from the 'Network Intrusion' menu.

type connect hauze.systems

House-ID: house-107
Username: dfriedel

Click on 'Patio' and turn on 'BBQ Preheat Mode'

BBQ achievement will unlock.

Open the 'Drone and Imagery' module again.

Set the upper filter to 200+ and the lower filter to 50+

(If you can't change the filters - on both of my playthroughs I couldn't - click on 'back to globe', enter Latitude and Longitude again and activate the heatmap once more)

Now click on the little drone symbol and target the area seen in the screenshot below.

Click on 'Confirm Target Location'.

Which option you choose to end the mission is up to you. Just click on what you like best and confirm by typing 'yes'.
Operation Dark Sentinel
Strength and Endurance

Open the 'File Browser' module from the 'Data Forensic' menu.

type localhost

Click 'home' -> 'niteteam4' -> 'Documents' -> 'Dark_Sentinel' -> 'Briefing_Files' -> 'german_drone_strike_report.pdf'

Open the 'Social Engineering Toolkit' module from the 'Network Intrusion' menu.

type 1, 1, 2, Kruger Services, 2, 1, 3, 1, 4, 3, subject, name, yes

Click on 'KSPC-LUCAS'

Open the 'WMI Scanner' module from the 'Information Gathering' menu.

type netscan

type dig /erp/accounting/finances

Open the 'Exploit Database' from the 'Information Gathering' menu.

type searchsploit SimplERP

Open the 'Foxacid' module from the 'Network Intrusion' menu.

Delivery: TCP/IP
Exploit: Custom SOAP Request
Rootkit: Assassin
Target URL: /erp/accounting/finances
Target Technology: SimplERP
Target Port: 9090

Drag 'Kruger ERP Database', 'Dan Friedel' and 'Martin Brandt' onto the globe, select 'Financial Transactions' and run the program.

Click on 'Dan Friedel Rental Agreement'

Remove 'Martin Brandt' and add 'John Schaffer' instead. Run again.

Click on 'Kruger Client Transaction List'

Remove 'Dan Friedel', add 'Sophie Aachen' and run the program.

Click on 'Sophie Aachen Rental Agreement'

Remove 'Sophie Aachen' and add 'Jan Pfaff'. Run.

Click on 'Jan Pfaff Rental Agreement'

Remove 'Jan Pfaff' and add 'Martin Brandt'. Run.

Open 'Martin Brandt Rental Agreement'

Remove 'Martin Brandt' and add 'Michelle Fiedler'. Run.

Open 'Michelle Fiedler Rental Agreement'


One for all, all for one

Use the following combinations in XKeyscore (symbol 6, bottom of screen) and open the receipts you find through the searches.

(Jan Pfaff + Sophie Aachen) | (Martin Brandt+Michelle Fiedler) + German Cab Transport (Travelling Chatter)

Connecting to 2 suspect networks and identifying their internal systems

Open the 'Foxacid' module from the 'Network Intrusion' menu.

Delivery: UDP
Exploit: Custom SOAP Request
Rootkit: AfterMidnight
Target URL: shop.hookshotgames.com
Target Technology: CRM4.0
Target Port: 80

Click on 'Hookshot Shop'


Open the 'Social Engineering Toolkit' module from the 'Network Intrusion' menu.

type 1, 1, 2, Novelty Publishing, 2, 1, 3, 1, 4, 3, subject, name, yes

Click on 'Novelty Publishing Admin Server'


Open the 'WMI Scanner' module from the 'Information Gathering' menu.

type netscan
type dig /erp/accounting/finances

Open the 'Turbine C2 Registry' (bottom of your screen, first of the six symbols in the middle)

Click on 'Hookshot Shop'

Open the 'WMI Scanner' module from the 'Information Gathering' menu.

type netscan
type dig /erp/accounting/finances

Exploring any external third party that links the various companies

Open the 'MITM' module from the 'Network Intrusion' menu.

Select 'ARP Poisoning' and run a scan.

Target 1: 192.168.1.15
Target 2: 192.168.1.1

Start listening and run the URLSnapper.

Open the 'Fingerprint' module from the 'Information Gathering' menu.

type fingerprint 19.16.177.159


The homeland is first

Make sure you're connected to 'Hookshot Shop'

Open the 'File Browser' module from the 'Data Forensic' menu.

type 10.212.102.180

Username: MeCacheAdmin
Password: Mecache4u!

Click 'Hookshot_Games' -> 'HR' -> 'ID_Cards' -> 'Temporary' -> 'Carl_Hoffman.id'

Open the 'Turbine C2 Registry' (bottom of your screen, first of the six symbols in the middle)

Click 'Novelty Publishing Admin Server'

Open the 'File Browser' module from the 'Data Forensic' menu.

type 10.212.102.180

Username: MeCacheAdmin
Password: Mecache4u!

Click 'Hookshot_Games' -> 'HR' -> 'ID_Cards' -> 'Temporary' -> 'Carl_Hoffman.id'

Open the 'Social Engineering Toolkit' module from the 'Network Intrusion' menu.

type 1, 1, 3, carl@carlhoffman-it.de, no, 2, 4, 3, 1, 4, 3, subject, name, yes

Click on 'Carl-WorkPC'

Open the 'File Browser' module from the 'Data Forensic' menu.

type /Users/Hoffman/C$

Username: hoffman
Password: ChaosReigns

Click 'User' -> 'Documents' -> 'Important_Files' -> 'human_solutions_contract.doc'


While I breathe, I hope

Open the 'Turbine C2 Registry' (bottom of your screen, first of the six symbols in the middle)

Click 'Rogue Network' and then '37Alpha.Onion'

Open the 'File Browser' module from the 'Data Forensic' menu.

type /level05

Username: jmilton
Password: angel

Click on 'welcome.jpg'
Operation Nitro Winter
New Market

Don't close the Hydra Terminal throughout the whole operation.

Open the 'File Browser' module from the 'Data Forensic' menu.

type localhost

Click on 'home' -> 'niteteam4' -> 'Documents' -> 'Nitro_Winter' -> 'simplerp_exploit.rar'

Open the 'Hydra Terminal' module from the 'Network Intrusion' menu.

type connect system.hsconsulting.de

Click on the only available job and accept it.

Open the 'Foxacid' module from the 'Network Intrusion' menu.

Delivery: UDP
Exploit: Crafted SNMP Packet
Rootkit: AfterMidnight
Target URL: login.limbo.com
Target Technology: PHP-7.0.4
Target Port: 80

Click on 'Limbo Login Server'

Open the 'Foxacid' module from the 'Network Intrusion' menu.

Delivery: SCTP
Exploit: Exec Code Overflow
Rootkit: Verboten
Target URL: /erp/accounting/finances
Target Technology: SimplERP
Target Port: 9090

The 'Verboten'-rootkit will open up.

type run rock.c

type run contactstem

type exec deploy

Go back to the Hydra Terminal and enter 'NX6QP7' as confirmation code.


Black Forest

We're going to do this the super lazy way. Open the Hydra Terminal and click on a mission. Accept it and enter the confirmation code. Repeat until all jobs are done. This way the Salami Slicer Achievement will unlock.

MyAncestree: 7XXZ6K
Coronautica Navigations: DAQUTC
Aristishia Designs: 3FANQ2
Candlelite Web Design: R76JE3
Gener8 Web Hosting: 6KA3HJ

Now go back to the Hydra Terminal.

type query hsc-0486
type query hsc-9855
type query hsc-0136
type query hsc-6653
type query hsc-1246


Free Range

Go to the Hydra Terminal and type 'refresh'. Find the job for 'Nexxit GPS' and accept it.
Enter the Confirmation Code: BG63WH

Go back to the Hydra Terminal. Find the job for 'Lo Cal Health and Nutrition' and accept it.
Enter the Confirmation Code: H22TFA

Back to the Hydra Terminal.

type query hsc-000a
type query hsc-9783
type query hsc-7486
type query hsc-8812
type query hsc-0774
type query hsc-2260
type query hsc-5008
type query hsc-7802

XKeyscore will open.

Drag 'Moscone Center', 'Coronautica Navigations' and 'Nexxit GPS' onto the globe, select 'IDs and Records' and start the search.

Click on 'Moscone Center Invitation'.


Mystery Meat

Open the 'File Browser' module from the 'Data Forensic' menu.

type localhost

Click 'home' -> 'niteteam4' -> 'Documents' -> 'Nitro_Winter' -> 'Unredacted_Bastek_Company_Profile.pdf'

Open the 'Fingerprint' module from the 'Information Gathering' menu.

type fingerprint bio.bastek.eg

Open the 'Exploit Database' from the 'Information Gathering' menu.

type searchsploit FingrTip

XKeyscore will open.

Drag 'AccessBio' and 'Raneem Saliba' onto the globe, select 'IDs and Records' and run the search.

Click on 'FingrTip Algorithm'

Open the 'Phone CID Backdoor' module from the 'Network Intrusion' menu.

MAC Address: 5E:93:D9:14:93:9F
Vendor: Sony

Activate the personal hotspot in the phone settings.

Open the 'Active Directory' from the 'Information Gathering' menu.

type /it/active-directory

Open the 'File Browser' module from the 'Data Forensic' menu.

type /accounting/client_files

Username: cerika
Password: !luckystar79

Click 'Transactions' -> 'Receipts' -> 'Tehran-10015951.pdf'

It's up to you what you do with the information you found. Make a choice and confirm with 'yes'


Flat Iron

Open the 'Foxacid' module from the 'Network Intrusion' menu.

Delivery: TCP/IP
Exploit: Alpha Exploit Kit
Rootkit: AfterMidnight
Target URL: 99.34.62.148
Target Technology: Apache-2.2
Target Port: 80

Click on 'Bastek CTO Private Server'

Open the 'WMI Scanner' module from the 'Information Gathering' menu.

type netscan

Open the 'Password Attack' module from the 'Network Intrusion' menu.

Target: /cto/tlobeoteu/c$
Username: tlobeoteu

Select 'John the Ripper' and click 'Start'

Open the 'File Browser' module from the 'Data Forensic' menu.

type /cto/tlobeoteu/c$

Username: tlobeoteu
Password: NervesOfSteel

Click 'User' -> 'Documents' -> 'nic.cage'

XKeyscore will open. Ignore it.

Open the 'Hydra Terminal' module from the 'Network Intrusion' menu.

type 'connect qebai.com/remote/v2x-fe135b019d'

In the new window click on the little map symbol. Next click on 'Home' and then 'add a stop'.

type 'Sejongno Public Parking Lot' (or select it from the list that pops up after you typed the first letter)

Now you only need to click the plus-sign next to 'Sejongno Public Parking Lot'

Open the 'Foxacid' module from the 'Network Intrusion' menu.

Delivery: TCP/IP
Exploit: Custom SOAP Request
Rootkit: AfterMidnight
Target URL: 05.ps-gatescan.kr
Target Technology: Apache-2.0
Target Port: 443

Click on 'Gate 05'

Open the 'MITM' module from the 'Network Intrusion' menu.

Click on 'ARP Poisoning' -> 'Scan for Hosts'

Target 1: 192.168.255.7
Target 2: 192.168.1.1

Click 'Start listening' -> 'URLSnapper' (you'll have to wait a bit)

Open the 'Drone and Imagery' module (bottom of the screen, fourth symbol)

Latitude: 37.5
Longitude: 126.9

Click on the hand symbol and then on the little car symbol.

Enter 58L0323 as license plate.
Operation Royal Gate
The Answer

Open the 'Hydra Terminal' module from the 'Network Intrusion' menu.

type 'connect system.hsconsulting.de'

Click on the only available job and accept it.

Open the 'Foxacid' module from the 'Network Intrusion' menu.

Delivery: TCP/IP
Exploit: Custom SOAP Request
Rootkit: AfterMidnight
Target URL: login.bixonbanking.com
Target Technology: Apache-2.0
Target Port: 80

Click on 'Bixon Banking Login Server'

Glory achievement will unlock here.

Click on the 'Andromeda Shell' symbol. (It's the new symbol on the bottom left of the screen above the game menu)

type '1', 'VERBOTEN'


Hunting Season

Open the 'File Browser' module from the 'Data Forensic' menu.

type 'localhost'

Click 'home' -> 'niteteam4' -> 'Documents' -> 'Royal_Gate' -> 'RAINVEST'

Open the 'Turbine C2 Registry' (bottom of your screen, first of the six symbols in the middle)

Click on 'Nite Team 4 controlled' and then on 'Mossad Data Archive'

Open the 'Information Gathering' menu and click on the 4th entry.

Open the 'File Browser' module from the 'Data Forensic' menu.

type '/files/backupSrv'

Username: backupAdmin
Password: Xp2s63b6

Click '2018' -> 'App_Installers' -> 'Financial' -> 'rainvest_setup-v1.6.exe'


Ace Magnets

Open the 'Turbine C2 Registry' (bottom of your screen, first of the six symbols in the middle)

Click on 'Naicho Finances'

Open the 'Andromeda Shell'

type '2', '6', 'yes', 'yes', '3', '/db/shokuin/meibo', 'yes'

Drag 'NAICHO', 'Bixon Software' and 'Kaneko Tetsuya' onto the globe, select 'IDs and Records' and run the search.

Click on 'Contract Renewal NAICHO Bixon'

Open the 'Air Crack' module from the 'Information Gathering' menu.

type 'airodump'

type 'handshake 52:E6:BA:C2:FB:24'

Click on the plus sign marked in the screenshot below


Activate the personal hotspot in the phone's settings.

Open the 'Andromeda Shell' again.

type '3', '3', '/main/administration/employees', 'yes'

Remove 'Kaneko Tetsuya'. Add 'Hoke Mizuma'. Select 'IDs and Records' and run the search.

Click on 'Rainvest Press Release'

Open the 'Andromeda Shell' again.

type '3', '4', 'yes', '8', 'yes', 'yes', '4', '98:92:63:A1:5D:22', 'Makadon'


Big Brother

Open the 'Turbine C2 Registry' (bottom of your screen, first of the six symbols in the middle)

Click on 'GRU Temp Personnel Archive'

Open the 'File Browser' module from the 'Data Forensic' menu.

type '/secure-temp19478/files'

Username: temp19478
Password: f9ZE_uVk

Click on 'temp19478', 'TcheknobOg.pdf'

Open the 'File Browser' module from the 'Data Forensic' menu.

type 'localhost'

Click 'home' -> 'niteteam4' -> 'Documents' -> 'INTEL' -> 'Russia' -> 'GRU' -> 'spiez_lab_backdoor_exploit.rar'

Open the 'Hydra Terminal' module from the 'Network Intrusion' menu.

type 'connect trade.cryptnet.auction'

Node ID: f2n3-959p

Click on Block IDs -> choose one and confirm the upload

Click on 'Mukd3n's Private Server'

Open the 'File Browser' module from the 'Data Forensic' menu.

type '/user/mukd3n/D$'

Username: mukd3n
Password: -ruptur3d-

Click 'Users' -> 'Mukd3n' -> 'Documents' -> 'Misc' -> 'SIGIL' -> 'PUREMORNING.doc'


Dead Man's Hand

Open the 'File Browser' module from the 'Data Forensic' menu.

type 'localhost'

Click 'home' -> 'niteteam4' -> 'Documents' -> 'Royal_Gate' -> 'ICM32'

Open the 'Social Engineering Toolkit' module from the 'Network Intrusion' menu.

type '1', '1', '1', 'dialodge-gaming.net', '2', '1', '3', '1', '4', '3', 'subject', 'name', 'yes'

Click on 'Jack's Office-DGaming'

Open the 'Foxacid' module from the 'Network Intrusion' menu.

Delivery: TCP/IP
Exploit: Alpha Exploit Kit
Rootkit: AfterMidnight
Target URL: 37.67.18.212
Target Technology: Apache-2.2
Target Port: 9595

Click on 'ICM32 - Unknown's PC'

Open the 'MITM' module from the 'Network Intrusion' menu.

Click on 'LLMNR Poisoning' -> 'Scan for Hosts'

Target 1: 192.168.40.210
Target 2: 192.168.1.1

Click 'Start listening' -> 'Packet Sniffer' (wait for a while)


Royal Flush

Depending on whether you want the Deception Achievement, follow either Route 1 or Route 2. Route 1 fails the activation, which unlocks Deception. Route 2 activates Fay 2.0 and unlocks the Long Live the King Achievement.
A warning though: if you choose to go for the Deception Achievement, you will have to create a new account or reset yours and replay every mission, since the activation of Fay 2.0 will be locked and I haven't found a way to unlock it.

Edit: I've been told that you can get the Deception Achievement by playing through this mission in incognito mode (which wasn't around when I wrote this guide), so there's no need to reset your account.



Route 1

Open the 'File Browser' module from the 'Data Forensic' menu.

type 'localhost'

Click 'home' -> 'niteteam4' -> 'Documents' -> 'Royal_Gate' -> 'Andromeda_Activation'

Open the 'Andromeda Shell'

type '4', 'yes' -> wait for the timer to run out -> '99', '4', 'yes' -> wait for the timer to run out -> '99', '4', 'yes' -> wait for the timer to run out

Route 2

Open the 'File Browser' module from the 'Data Forensic' menu.

type 'localhost'

Click 'home' -> 'niteteam4' -> 'Documents' -> 'Royal_Gate' -> 'Andromeda_Activation' -> Open all files in that folder and put them in an order so you know where Alpha, Bravo, Delta and Echo are.

I had it organized like this


Before I tell you what to type, I'm going to explain what you'll have to do, since the things you have to enter seem to vary from playthrough to playthrough. After you start the activation, the terminal will show you a Sequence ID (for example Echo-11D); you have to find it in the documents you opened and type it into the console.
You have enough time, so don't worry. You can do it :)

Open the 'Andromeda Shell'

type '4', 'yes'

In the end you will be asked 'Who was my first child?'

Answer: FAY
Operation Withering Dusk 1/2
Book Move

Open the 'File Browser' module from the 'Data Forensic' menu.

type localhost

Click 'home' -> 'niteteam4' -> 'Documents' -> 'Withering_Dusk' -> 'Kotok_Analytics_Data_Buyer-Report.pdf'

Open the 'Foxacid Server' module from the 'Network Intrusion' menu.

Delivery: UDP
Exploit: Content Spoofing
Rootkit: AfterMidnight
Target URL: email.corococoins.io
Target Technology: OutlookWebAccess
Target Port: 80

Click on 'Corococoins Internal Server'

Open the 'Active Directory' from the 'Information Gathering' menu.

type /ad/key_database/kyc

Click 'Corporations' -> 'AlphaBlue'

The 'XKeyscore Forensics' module will open automatically. (If it doesn't, it's the last symbol on the bottom of your screen)

Drag all available entities onto the globe.

Click on 'IDs and Records' and on the symbol that starts the search.

Open the 'Foxacid Server' module from the 'Network Intrusion' menu.

Delivery: UDP
Exploit: Crafted SNMP Packet
Rootkit: AfterMidnight
Target URL: modulus.eleventenmedia.com
Target Technology: PHP-7.0.4
Target Port: 80

Click on 'Eleventen Modulus Beta'.

Open the 'Satelite Feed' module from the 'Advanced Tools' menu (or click on the fourth symbol on the bottom of your screen).

Latitude: 47.5
Longitude: 19.1

Click on the little car symbol and enter NJU-441

Click on 'Scan Wireless Signatures'.

As soon as the target gets close to one of the Smart Billboards we just hacked, click on it.
You will see a list of mobile devices that are in the vicinity of those billboards.
When there is only one highlighted device left, click on it.
(It's an Apple phone - 1C:98:A2:34:BF:3D)

Now that you got access to the phone click on 'Emails' -> 'Storage Limit nearly reached'

Open the 'File Browser' module from the 'Data Forensic' menu.

type ps-4ru7f4.mecachemws.com

username: A.Gunsberg
password: M1nt_Stat3

Click 'log.htm'

Open the 'Host Fingerprint' module from the 'Information Gathering' menu.

type fingerprint ns2.farkaslearning.com

Open the 'Foxacid Server' module from the 'Network Intrusion' menu.

Delivery: TCP/IP
Exploit: Custom SOAP request
Rootkit: AfterMidnight
Target URL: ns2.farkaslearning.com
Target Technology: Apache-2.0
Target Port: 80

Click on 'Farkas Learning Intranet'

Open the 'File Browser' module from the 'Data Forensic' menu.

type /project-manager/repo/

Username: s.polgar
Password: R3ach_F0R_the_$Ky

Click 'Uplink51' -> 'uplink51_instV2.11.zip'

Open the 'Goliath-7' module. It's the third symbol on the bottom of your screen.

Select 'Uplink 51' on the right side of your screen and click 'Activate Cluster', then 'Deploy' and type 'yes' followed by pressing 'enter'.

(You might have to deactivate the cluster and repeat the steps described above to activate it again to trigger a reaction from Dylan)

Now click on the new symbol on the bottom left on your screen.

Open the 'Foxacid Server' module from the 'Network Intrusion' menu.

Delivery: SST
Exploit: Segmentation Fault
Rootkit: AfterMidnight
Target URL: uplink51.farkaslearning.com
Target Technology: RemoteDesktop
Target Port: 33845

Click on 'Uplink51 Remote Desktop'

Open the 'Foxacid Server' module from the 'Network Intrusion' menu.

Delivery: SST
Exploit: Content Spoofing
Rootkit: AfterMidnight
Target URL: 241.248.50.106
Target Technology: PowerShell
Target Port: 5544

Click on 'Uplink51 Satelite'

Open the 'File Browser' module from the 'Data Forensic' menu.

type /projects/uplink51/files

Username: s.polgar
Password: R3ach_F0R_the_$Ky

Click 'Uplink51' -> 'Gankai-Var-C-Ver-2.14.u51'


Building a Bridge

Open the 'File Browser' module from the 'Data Forensic' menu.

type localhost

Click 'home' -> 'niteteam4' -> 'Documents' -> 'Withering_Dusk' -> 'Gankai-Var-C-Ver-2.14.u51'

Now you open 'Uplink 51' (it's the symbol on the left of the screen above the menu) and click the arrow on the right side of Uplink 51.
Should look like this:


Now you click on 'Gankai Variant C' and type 'D01-Guest' followed by 'Register' into Uplink 51.

Open the 'Fingerprint' module from the 'Information Gathering' menu.

type fingerprint www.quevedolabs.com

XKeyScore will open automatically. Close it.

Open the 'File Browser' module from the 'Data Forensic' menu.

type 'localhost'

Click 'home' -> 'niteteam4' -> 'Documents' -> 'Withering_Dusk' -> 'Guadalajara_Tech_Universities.doc'

XKeyScore will open automatically once again.

Drag 'Carla Repetto', 'Quevedo Labs' and 'Wizeline Al Academy' onto the globe, select 'IDs and Records' and run the program.

Click on 'Tapatio Tech Article - Wizeline Al'

Remove 'Wizeline Al Academy' from the globe, add 'Joaquin Araiza' and run the program again.

Click on 'Guadalajara Spectator Article'.

Open Uplink 51.
type D01-Guest, register


Hypermodernism

Open the 'File Browser' module from the 'Data Forensic' menu.

type 'localhost'

Click 'home' -> 'niteteam4' -> 'Documents' -> 'Withering_Dusk' -> 'Gankai_User_List-QL.doc'

Open the 'File Browser' module from the 'Data Forensic' menu.

type gankaiQVL214.quevedolabs.com

username: Ab1024-729
password: Proof59

click 'Gankai_Commands' -> 'ARC_TONIC_I.pdf'

Now open 'Uplink 51' again.

type Ab1024-729, RRQ, RC3DB5DIM, Kotok

Switch Uplink 51 back to 'F.A.Y.'

type -hex 416363657373204b6f746f6b20416e616c79746963732064617461736574206174207263332d6462352d64696d2e7175657665646f6c6162732e636f6d207573696e6720796f757220746563686e696369616e205573657249442e

Open the 'File Browser' module from the 'Data Forensic' menu.

type rc3-db5-dim.quevedolabs.com

username: Ab1024-729
password: Spin-The-Dagger

click 'Kotok_Analytics_DATA' -> 'kotok_data_RC3Db5DIM.axx'

Open Uplink 51 once again and switch back to Gankai Variant C

type KAplo, kotok_data_RC3Db5DIM.axx, Orson Monroy, 12


Strategic Crush

Open the 'File Browser' module from the 'Data Forensic' menu.

type 'localhost'

Click 'home' -> 'niteteam4' -> 'Documents' -> 'Withering_Dusk' -> 'Quevedo_Climate_Dataset.doc'

Open the 'Foxacid Server' module from the 'Network Intrusion' menu.

Delivery: UDP
Exploit: Content Spoofing
Rootkit: AfterMidnight
Target URL: jupiter.botvin.io
Target Technology: CiscoVPNClient
Target Port: 80

Click on 'Botvin Sol Intranet'

Open the 'Active Directory' from the 'Information Gathering' menu.

type /sol/active_directory

click 'CN=Research' -> 'OU=Research-users'

XKeyscore will automatically open.

Drag all entities onto the globe, select 'Financial Transactions' and run the program.

Click on 'AtkinSlate Receipt Pages 1-3'

Next you want 'Dr. Dana Chen', 'Dr. Ahmed al-Sayed' and 'Bonanza Labs' on the globe. Select 'IDs and Records' and run the program.

Click on 'New Dataset Email - Bonanza Labs'

Open the 'Phone CID Backdoor' module from the 'Network Intrusion' menu.

MAC: 3D:1F:00:89:39:3F
Vendor: Samsung

Click on 'Start Intrusion'

click 'Messages' -> 'Juan Zamora'

Open the 'Foxacid Server' module from the 'Network Intrusion' menu.

Delivery: TCP/IP
Exploit: H.264 SIP Session Header
Rootkit: AfterMidnight
Target URL: chat.walkerailab.com
Target Technology: ChitChat-v2.34
Target Port: 9922

Click on 'Walker AI Intranet - Logs'

Open the 'WMI Scanner' module from the 'Information Gathering' menu.

type netscan

Open the 'Foxacid Server' module from the 'Network Intrusion' menu.

Delivery: SPX
Exploit: Segmentation Fault
Rootkit: AfterMidnight
Target URL: login.northwesternsecurity.com
Target Technology: ATS-5.2.1
Target Port: 121

Click on 'North Western Customer Database'

Open the 'Hydra Terminal' module from the 'Network Intrusion' menu.

type connect vcr.niteteam4.com

Enter the live feed ID: nws-wai-0141

Enter the following start times for the clips:
Clip 1: 2 seconds
Clip 2: 1 second
Clip 3: 7 seconds
Clip 4: 4 seconds
Clip 5: 3 seconds
Operation Withering Dusk 2/2
Symmetrical Defense

Open the 'File Browser' module from the 'Data Forensic' menu.

type 'localhost'

Click 'home' -> 'niteteam4' -> 'Documents' -> 'Withering_Dusk' -> 'gankai_Prime.u51'

Open 'Uplink 51' and switch it to 'Gankai Prime'

type hello, Authenticate Signal

Open the 'Phone CID Backdoor' module from the 'Network Intrusion' menu.

MAC: 3D:1F:00:89:39:3F
Vendor: Samsung

Click on 'Start Intrusion'

In the phone you will find an app called 'Auth'. Open it. Copy&Paste the code it shows you into Uplink 51.

type Continue

type fail safe, RA:B:C>RABC

Switch Uplink 51 back to 'Gankai Variant C'

type Ab1024-729, WolfSec, Titanium

Open the 'Fingerprint' module from the 'Information Gathering' menu.

type fingerprint sf-moxon.surefirearms.com

Xkeyscore will open automatically. Remove everything from the globe and add 'SureFire Arms' and 'Moxon Security', select 'IDs and Records' and run the program.

click on 'Moxon Security Memorandum'

Open the 'Foxacid Server' module from the 'Network Intrusion' menu.

Delivery: TCP/IP
Exploit: Custom SOAP Request
Rootkit: AfterMidnight
Target URL: database.pec-districts.za
Target Technology: OracleAppServer
Target Port: 1521

Click on 'Pecomm District Database'

Open the 'Active Directory' from the 'Information Gathering' menu.

type /districts/directory

click 'CN=Power Plants' -> 'OU=Districts-plants' -> 'CN=09_Western_Cape' -> 'CN=Koeberg'

Open the 'Hydra Terminal' module from the 'Network Intrusion' menu.

type connect powernu.pecomm.za

click 'Guest' -> 'Recycle Bin'

At this point the Earth Day 1990 Achievement will be unlocked.

Go back to the desktop. Now click on 'POWERNu'

username: ADMIN
password: PASSWORD

Play the mini-game and make everything look like in the screenshot below.


Now click 'Init Sequence' and after Dylan gave you his little speech click the button again.

At this point the Attempted Atomic Arsonist Achievement will be unlocked.

Next you make everything look like in the next screenshot.


Click 'Init Sequence' again and wait for the timer to run down.

To get the missing achievements type the following things into Uplink 51 (to F.A.Y.)

"Dylan says hi" - Work friends achievement should unlock now.
"Open the pod bay doors" - F.A.Y. 9000 achievement should unlock now.
"A/S/L" - None/All/Everywhere achievement should unlock now.

Open the 'Satelite Feed' module from the 'Advanced Tools' menu (or click on the fourth symbol on the bottom of your screen).

Latitude: -33.9
Longitude: 18.4

At this point the Extended Forecast achievement will be unlocked.
Bounties
You can find the bounties where you also can find the story missions. (big square with circle in it in the top right corner of the screen)

I actually didn't plan on doing more than one bounty but I was bored. Might do some more in the future but here is what I got for now.

After entering the solution the Bounty Hunter achievement will unlock.

Bounty -> Solution

Global News -> G-NOME

globalpharmacorp.com -> login.gpc-extranet.com

aventech.com -> /server-03/accounting/erp

mightmedia.net -> media-srv01.mightmedia.net

DGSE / Soldier of Fortune -> Bakri Hakeem Touma

forcsec.net -> 74:35:D9:EB:84:2C

militic.net -> Devon M. Houston

vpn-01.infille.com -> MySQL-8.0.12

spartantitans.com -> eya-arms.com

(M4LO) First trial (foundyou.nt4) -> 43A1N77ZC
(M4LO) Second trial (therealculprit.nt4) -> roastednready.com
(M4LO) Third trial (roastednready.com) -> owa.batesbeverages.com
(M4LO) Fourth trial (stopthekiller.nt4) -> Pumpkin Spice Flavored Syrup
(M4LO) Fifth trial -> George Bush Center for Intelligence


The following solutions were given to me by Dimir

-D-
DGSE / Soldier of Fortune -> Bakri Hakeem Touma

-DGSE-
Media server: http://media-srv01.mightmedia.net
Recruiting officer: Devon M. Houston
Supplier URL: http://www.eya-arms.com

-CIA-
Person name: Zi Feng

-CSIS-
ERP server: /server-03/accounting/erp
Sub-domain: http://login.gpc-extranet.com
Infected station IP: 23.220.36.187

-GCHQ-
Company name: G-NOME
Project name: Project Upward Spiral
Private key: 0x1Eb0cBc6b247f4e5925AFCB74Bf2AC
Buyer name: Seshata Group
Address: 13 Rusper Rd, Horsham
-COMPLETE-

-ASIS-
CCTV IL-server: http://wireless.il-cane.gov
CCTV WiFi enc.: twofish
CCTV footage: 07rec201810171500.wmv
Group name: AAZ
Poison name: Batrachotoxin
-COMPLETE-

-DGSE-
Media server: http://media-srv01.mightmedia.net
Recruiting officer: Devon M. Houston
Supplier URL: http://www.eya-arms.com
Recruitment officer: Bakri Hakeem Touma
Owner: Jessie W. Kennedy
-COMPLETE-

Another contribution to bounty solutions by Zhen-Xlogic
-MOSSAD & ASIS-
MOSSAD needs to know the substance used for the attack.
Solution: Batrachotoxin

- MOSSAD & ASIS -
OVERVIEW : Help the ASIS find information about a missing Australian journalist.
PROVIDED INFO : Your target: canberraembassies.gov
OBJECTIVE : Find a vulnerable sub-domain on the Israeli embassy server.
Solution: wireless.il-cane.gov

- CSIS - GCHQ -
OVERVIEW : CSIS wants to help a Canadian company that is competing against a British pharmaceutical company.
PROVIDED INFO : Your target: sepract.com
OBJECTIVE : What is the maximum length allowed by their password policies
Solution: 12

- CSIS -
OVERVIEW : CSIS wants to help a Canadian company that is competing against a Chinese pharmaceutical company.
PROVIDED INFO : Your target: nanofi.com
OBJECTIVE : Find a suspicious bank account ID
Solution: HSBC-018-11175-1921

Another contribution to bounty solutions by Yourop
- RAW -
OVERVIEW: Help RAW investigate the other companies related to the Danbacheng camp operation.
PROVIDED INFO: Your target: AE:21:D2:DF:CC:AA, Google
OBJECTIVE: Find a password for either Egilic or Aqua-worx's employee intranet portal
SOLUTION: Aqua-worx: verycool!!!

- RAW -
OVERVIEW: Help RAW investigate the other companies related to the Danbacheng camp operation.
PROVIDED INFO: Your target: projects-cn.masklance.com
OBJECTIVE: Find the project manager for Masklance's upcoming surveillance project
SOLUTION: Fai Tien

- RAW -
OVERVIEW: Help RAW investigate the other companies related to the Danbacheng camp operation.
PROVIDED INFO: Target's schedule: Friday 0900, URL: Nenstruct.com
OBJECTIVE: Find the senior engineer's phone IP address
SOLUTION: 54.124.77.65

- RAW -
OVERVIEW: Help RAW find railglobal.co's waste disposal contractor.
PROVIDED INFO: 73.171.139.158 was found to be vulnerable
OBJECTIVE: Find a vulnerable domain on the contractor's network
SOLUTION: system-cl3.uquare.com


Another contribution to bounty solutions by Mr.Nobody

G7.0005
SAD,CIA

SAD needs help to identify in which part of the US airspace surefire is conducting its aircraft experiments

Surefirearms.com R&D
TBW archive 43946D

Find the city or the region associated:
answer - SOUTH FRANKLIN, VERMONT

CSIS +10 GRU -10
CSIS suspects Surefire of selling experimental technology to the russians.
Surefirearms.com R&D Division
Find the region where the technology was shipped to
Answer - noatak

Find the owner of the cellphone
forcsec.net , Friday 19
Answer - Jessie Kennedy

Open World
January 2019 - Honey Badger
Part 1 - Alexis Ballard
Part 2 - Philip Woolfe
Part 3 - Smart Card Reader

Open World
Disinformation Sharing
Part 1 - Polycom HDX9002 VCU
Part 2 - citi.064L05QPPMRK6.vaultdata.zip
Part 3 - VRE5DQ

Open World - Ransom Where
Part 1 - Charlie Mast
Part 2 - 127.119.2.63
Part 3 - Karl Zimmerman

Naichi +10
Pieces of a surefire device were found in the debris of Japan's latest earthquake. Part of its serial number is still readable.
Surefirearms.com weapons division serial number contain x1411-

Find the device's full product name
answer - jiJinx1411-0519


Straw Sandal
Part One - Dalian
Part two - BIRYONG
Part three - Songwol Presbyterian Church

Halloween
part 1 - 43A1n77ZC
part 2 - Roasted N Ready
part 3 - owa.batesbeverages.com
part 4 - Pumpkin spice flavored syrup
Part 5 - George Bush Center for intelligence

Halloween part 2 (nasa)

Part 1 - /satcat/25544/iss_zarya
Part 2 - 128.245.0.5
Part 3 - 33-5C2 (if not working try 335C2)
Part 4 - BL4CKH0L3
Part 5 - SPIRITU4LM4CHIN3

Surefirearms black mail
germany - sfdeparkinson.wmv

Another contribution by Retr0_Kid1984

"G7 Chapter 2: Executive Error "

Part 1: Ratko Boskoski
Part 2: fxmsp
Part 3: nsa_hr

"Re-Education"

Part 1 : chinatelecom.tech
Part 2 : dabancheng-project-plans.pdf
Part 3 : 18DW66

Not sure what the name of the next bounty is but the solution was provided by Ω omega-man-x Ω

DGSE lost the anonymous bid for the MobileDawn Surefire contract. They want to know who won it. Infos: surefirearms.com Weapons Division. Objective: Identify the auction winner. Solution is: Bundeswehr



If you should find a solution not listed here, feel free to leave it in the comments. It will be added.
Delicate Drive + Freedom of Information
Since there are no achievements to get here and I won't piss off any achievement hunters by wasting their time I decided to show the approach I took and to also hide the solution under spoiler tags.


Delicate Drive

Part 1:
- Archive ID 2D8H9J
- Husband's phone (Phone CID Backdoor)
Mac: E8:21:B3:20:59:33
Vendor: Makadon
- check messages (Mom); find Eloy (Arizona) -> google -> wiki
Solution: Eloy Detention Center

Part 2:
- Click on 'Maltego NT4 Entities' in the mission briefing; xkeyscore; all left + ids and records; find 098108097
- intrude echelon-sec.com (social engineering); wmi -> netscan -> find //Eloy-AlienRegistryDatabase; enter in active directory; CN=PBNDS-Low-Medium -> OU=Guatemala -> click on ARN=098108097 -> click on ExpediteTransport.exe
- dns&vhost; sfuzzer echelon-sec.com -t 100; hydra -> connect registry.echelon-sec.com; enter 098108097; check Transport Status
Solution: 030480

Part 3
- Click on 'Maltego NT4 Entities' in the mission briefing; xkeyscore; ICE/Maria/Phoenix + Shipping Transactions -> Deportation Notice
- Archive Call Number: G728W2 -> cross-reference the Deportation Notice and the Document from the Archive and find the license plate (don't ask me why it's the one I used; bruteforced it)
- Satellite feed; GPS 14.579,-90.537; enter GUA40237 as license plate
- connection to cell towers needed. comtelgt.com
- dns&vhost sfuzzer comtelgt.com -t 20; fingerprint remote.comtelgt.com; access via foxacid
(TCP/IP - Content Spoofing - AfterMidnight - remote.comtelgt.com - Copssh - 23)
- after connecting back to satellite feed, enter the license plate again, do the mini game, access the phone (10:68:3F:75:41:1E Google) -> check messages and notes
- Xkeyscore will open; Jorje/Maria/Commando Aéreo Central + IDs and Records; read the documents; next search; replace Maria with Emmanuel; read the documents; next search:
-> at this point I started googling. 1. commando aéreo central -> La Aurora; 2. "La Aurora" cicig -> https://abcnews.go.com/International/wireStory/guatemala-bars-entry-sponsored-corruption-investigator-60193382 (tried the names in this article till I had the right one)
Solution: Roxana Baldetti


Freedom of Information

Part 1
- archive 5Q96F8 (found in briefing document) gives us the email address of Dupuis (fdupuis@frmail.com) -> social engineering to intrude network (target her directly)
- wmi scanner; netscan; find //vpn-repfr/fdupuis
- enter //vpn-repfr/fdupuis into filebrowser; login: fdupuis;
use this info to find the pw through password attack; Flora Dupuis, calculate age: bday March 13, 1979 so she's 42 in 2021, Paris, Sciences Po, Paris Diderot University. Takes around 10 minutes, can probably be done faster with more variables.
password: dujardin1972
- download list of work contacts -> xkeyscore opens
- Flora/Sophie/ETEC + IDs&records -> Flight details
- dns&vhost bregancon.fr; fingerprint mail.bregancon.fr
- foxacid (SST, Custom SOAP, AfterMidnight, mail.bregancon.fr, Axigen, 24)
- wmi scanner; netscan; //fdb-mail/User_Directory -> active directory; fb-security/ou=security-users click vallis.gagnon; xkeyscore opens
- Paul/Ray/Fort + IDs&records = Guest List (open);new entities for xkeyscore
- Mounir Mahjoubi/Florence Parly/Alexis Kohler + IDs&Records = Updated Memo for review
- we get this pw-protected link https://go.aws/2Q1BBuK how to find the password: the pw is the last name of EM!'s second father. EM! is a French party (La République En Marche!) which was founded by Emmanuel Macron and Ismaël Emelien.
pw: EMELIEN
Solution: Olivier Beaufort

Part 2

- Archive call number: K7A1A0 contains 2 mail addresses and mac address of a phone;
- send mail to dispatch@division-66.com (they'll reply with info on what's needed for a deepfake)
- phone cid backdoor
mac: D2:C0:BD:05:59:E0
vendor: Apple
check notes. you'll find an instagram (https://www.instagram.com/julesbeaufort/) where you can find pics of Olivier; info is in the following pics:
-> bw pic 2 people laying down
-> bw pic of dude with a lady
-> second pic of the tattoo
back to phone; read messages - you'll find account.doccalendar.fr username: olivierbeaufort
- DNS&vhost mapping; osintscan doccalendar.fr -s bing.com -d 2000
fingerprint schedules.doccalendar.fr
- foxacid (tcp/ip, alpha exploit script, AfterMidnight, schedules.doccalendar.fr, MSExchange, 993)
- wmi scanner - netscan
- filebrowser - /doccalendar-srv1/users/schedules username: olivierbeaufort password (via pw attack): hanshot1st
- find a date where he'll have no alibi (Out of office email text.doc)

- mail for deepfake (use subject "Subject 6W23BY Form 41303-A."):

// SET-6 MALE VIDEO REQUIREMENTS//

//FORM 41303-A START//

Skin Tone: FITZ-2
Hair Color: Brown
Hair Length: Short
Facial Hair: Mustache and Beard
Build: Lean
Height: Average
Tattoos: I know / Han Solo
Large Scars: Leg

Additional Notes: [11/09/21]

//FORM 41303-A END//

Solution: 4R8Q2A

Part 3

- The briefing document tells us to infiltrate bdlegal.fr
DNS&Vhost mapping -> sfuzzer bdlegal.fr -t 30
fingerprint www1.bdlegal.fr
foxacid (TCP/IP, Alpha Exploit Script, AfterMidnight, www1.bdlegal.fr, Apache-2.2, 443)
- xkeyscore: Dominique/Olivier/Marcelle + IDs&Records = Beaufort Office Schedule
- air crack; airodump; handshake F5:E5:B5:03:45:C6; compare this with the schedule you found through xkeyscore; if you can't figure it out, it's mac: 98:22:1C:8E:85:4F vendor: Apple
- look through the phone; activate the personal hotspot in settings
- from the notes we also know they got a hauze system and we get a hint for the pw. RIP Yann - Toujours Present PSG (MM/DD/YY)
- man in the middle to find the hauze link; arp poisoning; 1: 179.213.80.225 2: 192.168.1.1 - url snapper - that gives you the house id and username
- hydra terminal: connect hauze.systems; House-ID: house-981 username: obeaufort
go to living room -> settings -> factory reset log; password: 02/28/10
Solution: 283011
Rat's Nest
Part 1

- archive call number EAC457 gives us the ransom note. one of the two sites tells us to send a mail to ratking@ratpaxjioaf93f.onion with the solution to his riddle.
-> the approach here is a little different than what we usually do since the riddle will be part of our SET approach.
Part 1: the specific file that needs to be attached that comes from software that was the wave of the future in 1995.
Part 2: the name of the bubonic plague 600 years before it was known as Bubonic.
- For our SET approach we're gonna build our email database, manual entry ratking@ratpaxjioaf93f.onion; then we're gonna choose our file format (flash) and our template needs to use the subject "Ratking Trial" and the Name "Justinian".
- wmi scanner; netscan; we'll find /ad/phone_info and use that in our active directory
- more riddles;
1. Start-CLUE tells us to run man in the middle using arp poisoning. Target 1: 192.168.17.20; Target 2: 192.168.124.1; select real-time messaging protocol and you'll see a video clip of rats and a Chinese symbol.
2. MAC gives us the order in which we gotta enter the dates we need to find as the mac address; dd:mm:yy:dd:mm:yy ; first date is the start, second date the end of what was hinted at in the first clue
3. VENDOR gives us hints to the vendor of the phone. Chinese brand the United States imposed sanctions on.
-> Chinese year of the rat, start and end date will give you the mac address
- phone CID backdoor; MAC: 25:01:20:11:02:21 ; Vendor: Huawei
- in the notes of the phone we find yet another riddle - google it
Solution: Decameron

Part 2

- Click on 'Rat's Bailey' in the mission briefing and connect to the network.
- wmi scanner; netscan; find /users/rtmp_element/C$ and use in file browser; username+pw required; username is in the link; the password is gonna be element_ATOMNUMBER; now we need to find the element.
- there's rtmp in the address we found which tells me to check MITM; Target 1: Hydrogen; Target 2: Fluorine; select RTMP and watch the video
- the video gives us: flint water plant; via google you find the flint water crisis in which the water was poisoned with lead.
old petrol pumps: my guess here is that it's also about the lead that fuel used to contain in the time of those petrol pumps
a roman aqueduct: here I googled for pollutants in roman aqueducts and once again we find lead.
- back to file browser; username: rtmp_element ; pw: lead_82
- the folder is called 'next_step_is_on_the_wireless' so we start air crack; airodump; handshake 52:3F:C6:0B:9A:D8;
- back to the file browser. I did reverse image search on the pictures provided and all 3 of them led me to radium which was discovered December 21, 1898 which was a Wednesday; the pic in the second folder contains a woman holding a clock, which shows 3 p.m. (15:00)
- back to air crack and pick the phone that's active on Wednesday at 3 p.m. (61:74:6F:6D:69:63; Apple)
- new riddle; yay; the solution to part 2 is the concoction you'd receive if you were to mix the following things
1. basic element of fowler's solution = arsenic
2. a can of dutch boy paint from 1910 (white) = lead
3. a bottle of homeopathic eyedrops for my beautiful lady = belladonna
Solution: Aqua Tofana

Part 3

This was messy...

- Click on 'Rat's Keep' in the mission briefing and connect to the network and read the briefing document (which gives us archive call number HFEF53)
- I first looked into the poem; no clue
- dns&vhost; sfuzzer ratpaxjioaf93f.onion -t 30; fingerprint the results; cry a little
- next I ran air crack; airodump; handshake 86:57:66:4C:BB:2D; bruteforced the solution; Monday, 10 a.m.; 70:61:72:64:65:65, Apple;
- looked through the phone; the to-do list in the notes relates to the Winchester House (which was built from 1886-1992)
- ran MITM; LLMNR poisoning; recognized the dates from the last step; Target 1: 192.168.18.86; Target 2: 192.168.19.22; packet sniffer, google for the name of the man - H.H.Holmes - also found his real name (think back to the sfuzzer results)
- foxacid (UDP, Crafted SNMP, AfterMidnight, mudgett.ratpaxjioaf93f.onion, NETMON, 1894)
- wmi scanner; netscan; find 6 paths, enter them into the file browser; crack the one we need (username: rat_king)
Solution: bQeThWmZ
Honey Badger
- - - Please be aware that you're going to need the Assassin Rootkit which is obtained in Dark Sentinel for this mission - - -

Part 1

- Archive call number 2E282E - gives us mfrey@feedpaths.com
- dns&vhost - sfuzzer feedpaths.com -t 30 - fingerprint mail.feedpaths.com
- foxacid (UDP, Content Spoofing, AfterMidnight, mail.feedpaths.com, OutlookWebAccess, 4443)
- wmi scanner, netscan -> /data/projects_directory -> active directory
- we know the elections are in february through archive and also that APC and PDP are interested in those elections; google helped me figure out which country we need to look into
- go to the cn=nigeria folder; in ou=facebook you'll find the name of the project lead
Solution: Alexis Ballard

Part 2

- Archive call number F11Y2S - gives us a license plate number: 4A2 7552; and her address: Římská 46, 120 00 Praha 2, CZ - use google to find the coordinates of that address
- open the satellite feed and enter the coordinates lat: 50.07648 long: 14.435613; enter the license plate
- get into smartmarket.cz to access smart billboards
-> dns&vhost; sfuzzer smartmarket.cz -t 30; fingerprint media.smartmarket.cz; foxacid (SPX; Segmentation fault; AfterMidnight; media.smartmarket.cz; ATS-5.2.1; 600)
- back to satellite feed; do the mini game to get into her phone (mac: 75:13:0C:9C:89:19 vendor: Apple)
- look through the phone - in her emails we'll find a mail address. get in there. (rose-square.com)
- dns&vhost; sfuzzer rose-square.com -t 20 - fingerprint login.rose-square.com
- foxacid (SST, Custom SOAP, AfterMidnight, login.rose-square.com, Axigen, 8080)
- wmi scanner - netscan - /data/employee-directory into active directory - xkeyscore opens
- Marcela/Ken/Rodrigo + IDs&Records = Update from GP email (contains a link; http:// bit.ly /2rFWSBr - remove the spaces; steam removes the link from the guide without them) / LastPass Access email (contains a riddle to get the password)
- to find the password I googled "infinity hexagon/5/32/410/40/80" and found https://en.wikipedia.org/wiki/The_Library_of_Babel - Spanish: La biblioteca de Babel
- password: labibliotecadebabel
- check the file from the bit.ly link and you got your solution
Solution: genpec

Part 3

- We're supposed to infiltrate inecnigeria.org
- dns&vhost sfuzzer inecnigeria.org -t 30; fingerprint register.inecnigeria.org; foxacid (UDP, Custom SOAP, AfterMidnight, register.inecnigeria.org, CRM4.0, 443)
- wmi scanner; netscan; enter /srv-data/directory/employees into active directory
- in ou=foreign-assistance-users you'll find csalazar@greyshadowsecurity.com
- social engineering this time (target greyshadowsecurity.com)
- wmi scanner; netscan; dig /main/data/employees; foxacid (UDP, Custom SOAP request, Assassin, /main/data/employees, CRM4.0, 4040) - xkeyscore opens with new entities
- Chris/Delia/INEC + IDs&records = Delivery Method email - read it
- In the mail we find tizeti network (a provider for wifi internet), Cool Link (an ISP in Nigeria) and the INEC Registration Center Lekki. Here I started reading up on both of those ISPs. I found this https://www.tizeti.com/expresswifi/ and after looking at the map I knew I had it.
- I sent a mail to dispatch@division-66.com with subject "01.019.01 Method" and content "Express Wi-Fi by Facebook"
- New archive call number 3S5D2Q which gives us pmd.ng
- dns&vhost sfuzzer pmd.ng -t 30; fingerprint admin.pmd.ng; foxacid (TCP/IP, Alpha Exploit, AfterMidnight, admin.pmd.ng, Apache-2.2, 8080)
- wmi scanner; netscan; dig /srv/network/wireless/logs; foxacid (UDP, Custom SOAP request, Assassin, /srv/network/wireless/logs, IBM-Cognos, 1011); xkeyscore opens
- Alysia/Internet.org/PMD + IDs&records = Express WiFi Update Email; read it
- At this point I didn't know what to do so I read the briefing document and realised that I hadn't looked at the OSINT document provided there yet ( http://archive.blackwatchmen.com/view/file/B284F7/648 ) so I looked through that document and found the solution within a minute.
Solution: Smart Card Reader
Re-education
Part 1

- archive call no. E7CF3F - gives us access to Turgun's phone (MAC EC:C2:7F:2E:99:0F Vendor Huawei), a number sequence 105 115 46 103 100 47 and a hint towards a common brand of rice with the logo of a crab
- phone cid backdoor; read the note
- convert the numbers into text; is.gd; looked into the url; it's used to shorten urls;
- googled for "Harmonious crab"; found stuff about Chinese censorship;
- started looking into re-education camps close to the capital of Xinjiang since the note mentioned Turgun sneaked his phone into a facility; found this link https://medium.com/@shawnwzhang/largest-re-education-camp-d7d6ce15e273
- go to the satellite feed and enter lat: 43.23018 long: 88.17182; enter the mac address of the phone; find the domain name we're looking for
Solution: chinatelecom.tech

Part 2

- look into the OSINT provided to you; the facility is in Dabancheng; find the bidding site; infiltrate their network
- dns&vhost sfuzzer bidchance.com -t 10; fingerprint sales.bidchance.com; foxacid (UDP, Content Spoofing, AfterMidnight, sales.bidchance.com, CiscoVPNClient, 443)
- wmi scanner; netscan; /srv/bids/activedirectory -> active directory; look through the folders; find the building company
- dns&vhost; sfuzzer omnisectorglobal.com -t 20; fingerprint careers.omnisectorglobal.com; foxacid (TCP/IP, Alpha Exploit, AfterMidnight, careers.omnisectorglobal.com, Apache-2.2, 82)
- wmi scanner; netscan; file browser -> /ftp/files/completed_projects; we need a username
- started looking into omni sector global's employees; found http://www.omnisectorglobal.com/teammates/
- pw attack; target: /ftp/files/completed_projects; username: daryl.cobbs; LinkedIn; Daryl, Cobbs, Houston, Engineer, Texas Tech University, Red; RockYou
- back to file browser; username: daryl.cobbs; pw: FrancieNolan; look through the folders to find the filename of the project plan
Solution: dabancheng-project-plans.pdf

Part 3

- archive call number EF821E gives us the url we need; xj.sgcc.cn; fingerprint; foxacid (SST, Segmentation Fault, AfterMidnight, xj.sgcc.cn, RemoteDesktop; 73)
- wmi scanner; netscan; /xj/srv/activedirectory -> active directory; find the energy plant; use the OSINT resources from the briefing to find the substation; you'll find the name somewhere here https://cdm.unfccc.int/filestorage/W/J/F/WJF74ZDMUAHLECRIN893Y16PG5QK0B/01%20PDD-Xinjiang%20Huaran%20Wind-V2%202-clean-20110528.pdf?t=RnF8cjB1dWhnfDCu-FqAGG2QP2ReOR1R6bko
- send a mail to dispatch@division-66.com with the subject "12.018.01 Substation" and the content "Dafeng substation"
- archive call no. 9BC187 gives us #S9D4Q2 which contains floor plans of the facility
- through archive #EF821E we learned that domains for governmental bodies/state ministries/state owned enterprises follow a similar naming structure as the one we see in that document; read up on it; figure out the domain we need
- dns&vhost; sfuzzer moj.cn -t 30; fingerprint intranet-xj.moj.cn; foxacid (TCP/IP, Custom SOAP, AfterMidnight, intranet-xj.moj.cn, Sharepoint-2007, 8082)
- wmi scanner; netscan; /xj-moj/employee_directory -> active directory; xkeyscore opens
- Dabancheng/Lian/Ye + IDs&Records = Prisoner Distribution & Guard Schedule; read them; compare them to the floor plans we got;
- Prisoner Distribution tells us that Turgun Bozan is being held in Dorm M01 (Building 12)
- power is supposed to be cut at 19:30; guard unit C will be on meal break from 19:20-20:00;
- I made a plan and sent it via email to dispatch@division-66.com but I haven't received an answer. Gonna have to wait for the solution.
- I still haven't gotten a reply despite sending the mail over 20 times from different hosters. The code you need to send is A02B01C04D31F08 and the confirmation code was provided by Carl_Oyster in the comments.
Solution: 18DW66
Straw Sandal
Part 1

- archive call number F1S23D gives us a mac address and a vendor
- phone cid backdoor, Mac: 1B:AB:96:FB:FD:68 Vendor: Apple
- check the emails -> you'll find several web addresses. the one you want is northstarauto.cn
- run an osintscan on that domain and you'll find 4 sub-domains. fingerprint all of them till you figure out that sales.northstarauto.cn is the right one.
- foxacid to get into their network (sst, soap request, after midnight, sales.northstarauto.cn, axigen, 9000)
- connect to their network
- wmi scanner, netscan, find /data/employee-directory, dig /data/employee-directory, enter into active directory, find nothing specific
- foxacid: SPX, Crafted SNMP Packet, Assassin, /data/employee-directory, ActiveDirectory, 9944, connect
- xkeyscore; Huang Yijun + Zhan Ru + Financial Transactions = Full Rental Agreement; here we got our answer
Solution: Dalian

Part 2

- Check the briefing document, find harbourview.hotel00.com, check everything on that site, accidentally book a room in a Chinese hotel, find chinaholiday.com under attractions
- do sfuzzer chinaholiday.com -t 30, find ip1.chinaholiday.com, fingerprint it, foxacid (tcp/ip, alpha exploit kit, after midnight, ip1.chinaholiday.com, Apache-2.2, 443), connect
- wmi scanner, netscan, find and dig /data/customer-relations/employee-directory, use in active directory; don't find anything in there
- foxacid; spx, crafted snmp packet, assassin, /data/customer-relations/employee-directory, ActiveDirectory, 9090, connect
- Xkeyscore; Use all entities from the left and Drug + Financial Transactions on the right, find Hotel Room Receipt, check it, find out that Ru bought a ferry ticket from Dalian to Incheon.
- From here on out Google is your friend; look up the name of the Ferry operator, if you found it look up the names of their ferries, the solution is BIRYONG

Part 3

- Check the briefing document, find dainferry.kr, dns&vhost, find remote.dainferry.kr, fingerprint, foxacid sst, segmentation fault, after midnight, remote.dainferry.kr, RemoteDesktop, 3389, connect
- mitm, llmnr, Target 1: 192.168.1.149 Target 2: 192.168.1.1, rtmp, find simtrans.com, dns&vhost, find and fingerprint dispatch.simtrans.com, foxacid tcp/ip, custom soap, aftermidnight, dispatch.simtrans.com, OracleAppServer, 80, connect
- wmi scanner, find and use /data/vehicle-directory in active directory, cn=fleet, cn=trucks, cn=license-no, ou=88-7113
- xkeyscore, zhan ru + lee sang-ki + ids and records = saturday meeting
- Google for 'incheon village noah's ark', find Songwol-dong Fairy Tale Village, open google maps and look around till you find noah's ark, look around some more and find out what the 'large cross' is.
Solution: Songwol Presbyterian Church

I completed this mission with a lot of help from LeikRad<3 and Ω omega-man-x Ω
Disinformation Sharing
Part 1

- Check the briefing document, archive call number 77B352, look through the documents provided and find the name of the domain of the company that's hosting the FS-ISAC event in June in North America, don't fall for the email address, focus on the physical location, https://vantagevenues.com/ (site no longer available)
- dns&vhost for vantagevenues.com, fingerprint chatsupport.vantagevenues.com, foxacid tcp/ip, H.264 SIP session header, aftermidnight, chatsupport.vantagevenues.com, ChitChat-v2.34, 5222, connect
- wmi scanner, netscan, use /main/employees/active_directory in active directory, check folders, find information about password encryption and other pw requirements, not helpful
- foxacid, SPX, crafted snmp packet, assassin, /main/employees/active_directory, ActiveDirectory, 8989, connect
- xkeyscore; Kevin Chu + Valery Rosas + FS-ISAC +IDs and Records = Booking Confirmation
- We got the document but there is nothing specific in there so I accessed the no longer functioning website through the wayback machine and managed to find the solution. https://web.archive.org/web/20190322042333/http://vantagevenues.com/av-rentals/
Solution: Polycom HDX9002 VCU

Part 2

- Briefing document, open shelteredharbor.org in your browser and figure out the location of their offices by scrolling down, clicking join and reading through their Operating rules; send the location via email to dispatch@division-66.com with the subject G7.019.01 Office Address
Email content: Sheltered Harbor Membership Operations 12020 Sunrise Valley Drive Suite 230 Reston, Virginia 20191
- you'll receive an email with the archive call number D67A72 which gives us backup.vaultharbor.com; dns&vhost is no use here but the briefing doc gives us another archive call number TD8G1S which provides us with information on how to successfully get into their network through social engineering
- you can find the email subject in the operating rules from the sheltered harbor website and the alias by searching for the ceo of sheltered harbor, finding him on LinkedIn and checking his work experience. for the database choose email crawler, file format is pdf and for the template we go with IT Support. subject: TLP RED; alias: Lewis & Clark Bank
- wmi scanner, netscan; foxacid, SPX, crafted snmp packet, assassin, /data/employee_directory, ActiveDirectory, 9900 to get the xkeyscore entities
- mitm, llmnr poisoning, target 1: 10.193.97.123; target 2: 192.168.1.189 (vault04), packet sniffer, don't close this window
- xkeyscore: Chelsea May + Ash Dowling + Minnie Townsend + IDs & Records = Updated Backup Details, provides the following link: http://chilp.it/59b4760 and the password hint "our braves in 1898"; google it.
- The password is Beaneaters; check the document
- we know through the pdf that the file is being sent to vault 04 and the log file for encrypted customer data looks something like this citi.064xxxxxxxxxx.vaultdata.zip; now check the packet sniffer data again and you got your solution
Solution: citi.064L05QPPMRK6.vaultdata.zip

Part 3:
185 Comments
Vanu Mar 16 @ 3:18am 
DGSE / Soldier of Fortune wouldn't let me click any of the billboards, webcams etc so I had to use the data listed here.
Porkechebure Jun 10, 2023 @ 4:30pm 
Great great great guide
Operation Dark Sentinel - Chapter 03 (The homeland is first)
Can someone explain to me, when they ask you to link the suspect to other companies, WTF is the sense of making you connect to the C2 Turbine of another company (in this case Novely publishing) and connecting to the same ERP address (10.212.102.180) for every company involved? They all have the same ERP version installed in their server and not a common ERP on which they all connect everyone with their user. Lol... this doesn't make any sense
Leg4cy Apr 24, 2023 @ 5:08pm 
Regarding "Delicate Drive", you have:
"and find the license plate (don't ask me why it's the one I used; bruteforced it)"

Thought I would share my notes :)

Flight Time between:
Phoenix-Mesa Gateway Airport to La Aurora International Airport

3 hours and 57 minutes

Departure Time: 16:14 MST
Arrival Time: 20:11 MST

Conversion of time from MST to CST:
21:11

First Military Transport from 21:11 CST:
License Plate: GUA40237
Occurs at 21:31 CST
charleslee0513007 Mar 4, 2023 @ 1:31am 
Go to sec-9-beta for more info
charleslee0513007 Mar 3, 2023 @ 11:27pm 
in order to get the operation smoke screen
charleslee0513007 Mar 3, 2023 @ 11:27pm 
But you need to join the stealth edition for the game first.......
꧁acid rain̷͐͋͗̄͐̊̊͠  [author] Mar 3, 2023 @ 10:30am 
I just started NT4 to see if there is a new mission available and I couldn't see it. How do I access Operation Smoke Screen?
I'm also working on my guide for the black watchmen rn but as soon as I'm done with that I'll look into this.
charleslee0513007 Mar 3, 2023 @ 10:27am 
I'm stuck on the part where spindle requires me to enter the serial number of the cameras in order to control them. But I know none of the serial numbers of the cameras. Thus, I cannot control a single camera manually. I have been stuck on this part for many hours already. Hope that someone can offer me some help on how I can find those serial numbers.......
charleslee0513007 Mar 3, 2023 @ 9:38am 
Any guide on operation smoke screen?
꧁acid rain̷͐͋͗̄͐̊̊͠  [author] Oct 15, 2022 @ 3:07am 
I'm glad you managed to do it :) You're very welcome :happy_yeti: