Act I

The Counter Hack crew is in the Neighborhood festively preparing for the holidays when they are suddenly overrun by lively Gnomes in Your Home! There must have been some magic in those Gnomes, because, due to some unseen spark, some haunting hocus pocus, they have come to life and are now scurrying around the Neighborhood.

Act 1 presents ten new objectives to solve, each of difficulty 1 out of 5:

Holiday Hack Orientation

Meet Lynn Schifano on the train for a warm welcome and get ready for your journey around the Dosis Neighborhood.

Its All About Defang

Find Ed Skoudis upstairs in City Hall and help him troubleshoot a clever phishing tool in his cozy office.

Neighborhood Watch Bypass

Assist Kyle at the old data center with a fire alarm that just won't chill.

Santa's Gift-Tracking Service Port Mystery

Chat with Yori near the apartment building about Santa's mysterious gift tracker and unravel the holiday mystery.

Visual Networking Thinger

Skate over to Jared at the frozen pond for some network magic and learn the ropes by the hockey rink.

Visual Firewall Thinger

Find Elgee in the big hotel for a firewall frolic and some techy fun.

Intro to Nmap

Meet Eric in the hotel parking lot for Nmap know-how and scanning secrets. Help him connect to the wardriving rig on his motorcycle!

Blob Storage Challenge in the Neighborhood

Help the Goose Grace near the pond find which Azure Storage account has been misconfigured to allow public blob access by analyzing the export file.

Spare Key

Help Goose Barry near the pond identify which identity has been granted excessive Owner permissions at the subscription level, violating the principle of least privilege.

The Open Door

Help Goose Lucas in the hotel parking lot find the dangerously misconfigured Network Security Group rule that's allowing unrestricted internet access to sensitive ports like RDP or SSH.

Owner

Help Goose James near the park discover the accidentally leaked SAS token in a public JavaScript file and determine what Azure Storage resource it exposes and what permissions it grants.