Operation Glass Labyrinth

black_meridian_scenario.png

Overview

Black Meridian is a fictional cybercriminal group that uses layered tunnels, reverse relays, and cloud bootstrap scripts to obscure its operators and infrastructure. You are assigned to the Forensics Division after multiple organizations report suspicious encrypted flows, unusual loopback listeners, and reverse connections to rented infrastructure.

Your objective is not to attack outside systems. Your objective is to reconstruct the tunnel paths inside local Docker Compose stacks, preserve evidence, and submit the runtime proof flag for each lab.

Mission rules

  1. Work only inside the provided local lab stacks.
  2. Do not inspect Docker volumes or use docker exec to bypass the scenario unless the instructor authorizes troubleshooting.
  3. Record the commands you run and the evidence files you rely on.
  4. Submit the exact runtime flag produced by the lab.
  5. Treat every tunnel as a forensic artifact. Explain what created it, where it listened, where it forwarded, and how a defender could detect it.
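
As an added example (not part of the lab bundle or the scenario's own tooling), the Python script below shows one way to gather the evidence rule 5 asks for: it parses constructed `ss -tlnp` output from a lab container, keeps only listeners opened by tunnel-capable binaries (ssh, socat, chisel), and marks loopback endpoints, which is how a local forward or relay differs from the ordinary sshd service port. The sample socket table and the binary list are assumptions.

```python
import re
from collections import namedtuple

# Constructed sample of `ss -tlnp` output from a lab container (not real lab
# data); the process names mirror the tools named in the challenge path.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=1,fd=3))
LISTEN 0      128    127.0.0.1:8080     0.0.0.0:*         users:(("ssh",pid=233,fd=5))
LISTEN 0      4096   127.0.0.1:9001     0.0.0.0:*         users:(("socat",pid=301,fd=6))
LISTEN 0      4096   127.0.0.1:3389     0.0.0.0:*         users:(("chisel",pid=412,fd=7))
"""

TUNNEL_BINARIES = {"ssh", "socat", "chisel"}  # assumed watch-list for this lab

Listener = namedtuple("Listener", "addr port process pid loopback")

_PROC_RE = re.compile(r'\(\("([^"]+)",pid=(\d+)')

def parse_ss(text):
    """Parse `ss -tlnp` style lines into Listener records (header skipped)."""
    listeners = []
    for line in text.splitlines()[1:]:
        cols = line.split()
        if len(cols) < 6 or cols[0] != "LISTEN":
            continue
        addr, _, port = cols[3].rpartition(":")
        m = _PROC_RE.search(cols[5])
        proc, pid = (m.group(1), int(m.group(2))) if m else ("?", 0)
        loopback = addr.startswith("127.") or addr == "[::1]"
        listeners.append(Listener(addr, int(port), proc, pid, loopback))
    return listeners

def suspicious_listeners(text):
    """Listeners owned by tunnel-capable binaries; a loopback one is the
    classic footprint of a local forward or relay endpoint."""
    return [l for l in parse_ss(text) if l.process in TUNNEL_BINARIES]

def evidence_lines(text):
    """One write-up line per finding: what created it and where it listened."""
    return [f"pid {l.pid} ({l.process}) listens on {l.addr}:{l.port}"
            + (" [loopback]" if l.loopback else "")
            for l in suspicious_listeners(text)]

if __name__ == "__main__":
    for line in evidence_lines(SAMPLE_SS_OUTPUT):
        print(line)
```

Where the tunnel forwarded to is not visible in the listening table; pair each finding with the process command line (for example from `ps`) to complete the artifact description.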

Challenge path

Lab    | Scenario                                    | Core technique                                                               | Proof
-------|---------------------------------------------|------------------------------------------------------------------------------|----------
Lab 1  | Four-Hop SSH Evidence Chain                 | SSH local forwarding, key recovery, controlled privileged evidence access    | LAB1{...}
Lab 2  | TCP Redirectors and Chisel Relay            | socat, Chisel reverse tunnels, relay analysis                                | LAB2{...}
Lab 3  | WireGuard Overlay and Reverse Proxy Evidence | WireGuard peer recovery, Host header and token reconstruction               | LAB3{...}
Lab 4  | Cloud User-Data Tunnel Reconstruction       | AWS user-data, Azure customData, reverse tunnel bootstrap                    | LAB4{...}

Getting started

Download the student bundle attached to the first challenge or the per-lab bundle attached to the challenge you are solving. From a lab directory, run:

docker compose up -d --build
docker compose logs secrets

The secrets service prints the initial connection information only. It does not print the final flag.

Good luck, operator.