1. Amber Turing was hoping for Frothly to be acquired by a potential competitor, but the deal fell
through. She still visited the competitor's website to find contact information for its executive
team. What is the website domain that she visited?
2. Amber found the executive contact information and sent an email to the CEO. What is the CEO’s name?
Provide the first and last name.
3. After the initial contact with the CEO, Amber contacted another employee at this competitor.
What is that employee’s email address?
4. What is the name of the file attachment that Amber sent to a contact at the competitor?
5. What is Amber’s personal email address?
6. What version of TOR did Amber install to obfuscate her web browsing? Answer guidance:
Numeric with one or more delimiters.
7. What is the public IPv4 address of the server running www.brewertalk.com?
8. Provide the IP address of the system used to run a web vulnerability scan against
9. The IP address from Question 8 is also being used by a likely different piece of software to attack
a URI path. What is the URI path?
10. What SQL function is being abused on the URI path from Question 9?
11. What is Frank Ester’s password salt value on www.brewertalk.com?
12. What is user btun’s password on brewertalk.com?
13. What was the value of the cookie that Kevin Lagerfield’s browser transmitted to the malicious
URL as part of an XSS attack?
14. The brewertalk.com web site employed Cross Site Request Forgery (CSRF) techniques. What was
the value of the anti-CSRF token that was stolen from Kevin Lagerfield’s computer and used to
help create an unauthorized admin user on brewertalk.com?
15. What brewertalk.com username was maliciously created by a spear phishing attack?
16. According to Frothly’s records, what is the likely MAC address of Mallory’s corporate MacBook?
HINT: Her corporate MacBook has the hostname MACLORY-AIR13.
17. What episode of Game of Thrones is Mallory excited to watch?
18. What is Mallory Krauesen’s phone number?
19. Enterprise Security contains a threat list notable event for MACLORY-AIR13 and suspect IP
address 126.96.36.199. What is the name of the threat list (i.e. Threat Group) that is triggering the
20. Considering the threat list you found in Question 19, and related data, what protocol often used
for file transfer is actually responsible for the generated traffic?