diff --git a/campaigns/miro/bearific/README.md b/campaigns/miro/bearific/README.md index 86e6a02..9bec7b3 100644 --- a/campaigns/miro/bearific/README.md +++ b/campaigns/miro/bearific/README.md @@ -1,10 +1,29 @@ # Bearific -Honeypot programming. +This challenge focuses on understanding how attackers interact with honeypots. +Students will configure Cowrie, a medium-interaction SSH honeypot, to monitor and log attacker activity: +an automated attacker script connects to the target machine (`victim`) and attempts to detect if the system is a honeypot by checking for inconsistencies. +It gives pointers to the student to perform additional configuration steps to reduce the honeypot-ness of the victim machine. + +## Skills Used + +1. **SSH Protocol Understanding**: Students must understand basics of how SSH works, including authentication mechanisms and common attack vectors, such as brute-forcing credentials). +1. **Honeypot Recognition**: Students need to identify signs that a system is a honeypot, such as unusual hostnames, file system inconsistencies, and network anomalies. +1. **Linux Command Line Proficiency**: Students should detect the use of and understand the basic behavior of commands such as `hostname`, `uname`, `ping`, `find`, `ls`, and `cat` to investigate the system. +1. **Privilege Escalation Awareness**: The challenge involves checking for SUID binaries to exploit potential vulnerabilities. + +## Learning Objectives + +- Understand how common honeypots like Cowrie work to detect and log attacker activity. +- Recognize common signs that a system might be a honeypot. +- See how Linux commands can be used to investigate a system for anomalies. ## How to solve +
+ Click to reveal how to solve steps 1. SSH into the `172.20.0.202` victim machine using root:alpine 2. Install and run cowrie on port 2222 3. Follow attacker's comments (using `playlog`) and implement requested functionality until flag is deposited into `/root/.flag` 4. Submit flag +
diff --git a/campaigns/miro/by-the-pool/README.md b/campaigns/miro/by-the-pool/README.md index 60a709f..6ad9756 100644 --- a/campaigns/miro/by-the-pool/README.md +++ b/campaigns/miro/by-the-pool/README.md @@ -1,9 +1,28 @@ # By the Pool -Metadata analysis, finding weaknesses in secure systems. +This challenge focuses on analyzing metadata and exploiting weaknesses in secure systems. +Students will, from a user perspective, explore a hacking forum, where they uncover a conversation. +The challenge involves discovering a fatal flaw in an otherwise secure authentication system. +Furthermore, certain metadata is to be extracted from related files. + +## Skills Used + +1. **Network Scanning**: Students must scan the network to identify services (DNS, HTTP) and their IPs. +1. **Web Application Security**: Students log into a forum using credentials from a previous challenge, discover and exploit authentication vulnerabilities. +1. **Metadata Analysis**: Students extract metadata from an image using specialized tools. +1. **Brute-Force Attacks**: Students automate a brute-force attack after finding an attack vector. + +## Learning Objectives + +- Understand how to scan networks to discover services and their IPs. +- Learn to exploit weaknesses in authentication systems, such as brute-forcing. +- Practice extracting and analyzing metadata from files (e.g., images). +- Recognize the importance of rate-limiting and CSRF protection in securing web applications. ## How to solve +
+ Click to reveal how to solve steps 1. Scan the network to newly find one DNS, one HTTP server. 2. Access the HTTP server and log in with the credentials from the last challenge. @@ -15,3 +34,4 @@ Metadata analysis, finding weaknesses in secure systems. answer to the first task. 5. Download the image attached by the logged-in user, subject it to `exiftool -n` and reveal the GPS coordinates where the photo was taken. +
diff --git a/campaigns/miro/corporate-retreat/README.md b/campaigns/miro/corporate-retreat/README.md index 9bc03f8..7498255 100644 --- a/campaigns/miro/corporate-retreat/README.md +++ b/campaigns/miro/corporate-retreat/README.md @@ -1,11 +1,30 @@ # Corporate Retreat -Network discovery, public CVE exploitation, credential abuse, lateral movement. +This challenge simulates an investigation into a corporate network. +Students must discover a publicly accessible camera and abuse its interface to gain access to an internal network. +From there, they exploit a known CVE to further deepen the access to the network, where they uncover evidence related to an attack. +The challenge emphasizes network scanning, exploitation of vulnerabilities, and basic forensic analysis. -## How to solve +## Skills Used + +1. **Network Scanning and Discovery**: Students scan the network range to identify vulnerable devices. +2. **Exploitation of Known Vulnerabilities**: Students exploit CVE-2019-15107 to gain unauthorized access. +3. **Credential Abuse**: Students extract and reuse credentials to escalate privileges. +4. **Lateral Movement**: Students use compromised devices to pivot into internal networks and discover additional devices. +5. **Forensic Analysis**: Students analyze logs to trace the origin of an attack and uncover evidence. + +## Learning Objectives -Contains spoilers! +- Understand how to perform network discovery to identify vulnerable devices. +- Learn to exploit known CVEs to gain unauthorized access. +- Practice lateral movement techniques to pivot across internal networks. +- Develop skills in forensic log analysis to trace attacker activity and uncover evidence. +- Recognize the risks of credential reuse and weak authentication mechanisms. + +## How to solve +
+ Click to reveal how to solve steps 1. Scan the network range as suggested 2. Access the camera UI at `172.20.0.231` and go to settings 3. Extract the admin password from the source code and log in with it @@ -22,6 +41,7 @@ Contains spoilers! 14. The credentials are also logged (but URLencoded): `Vigilante88:M1r0{mayFXwawow1ezzUjVIOutDhKRcZGJblvzDOgBaA4EMmQG09UpfP8i3XQA4YY}` These instructions of course use a significant amount of shortcuts and knowledge that the attacker would have to spend a lot of effort finding. However, this is simply a short walkthrough, so it makes sense. +
## Notes diff --git a/campaigns/miro/forgot-your-password/README.md b/campaigns/miro/forgot-your-password/README.md index b5236a9..63c0dd0 100644 --- a/campaigns/miro/forgot-your-password/README.md +++ b/campaigns/miro/forgot-your-password/README.md @@ -1,6 +1,24 @@ # Forgot Your Password -Web security, application vulnerability exploitation (including coding). +This challenge focuses on exploiting a vulnerability chain involving multiple systems and security flaws. +Students must demonstrate skills in vulnerability exploitation, lateral movement, and privilege escalation across a network of interconnected services. + +## Skills Used + +1. **Vulnerability Exploitation**: Exploiting Log4Shell (CVE-2021-44228) and path traversal (CVE-2021-42013) +1. **Network Penetration**: Setting up reverse shells, LDAP and HTTP servers as payload hosts +1. **Lateral Movement**: SSH credential reuse and internal network reconnaissance +1. **JWT Security**: Extracting signing secrets and forging authenticated tokens +1. **System Analysis**: Reading log files, extracting user IDs, and analyzing JAR files +1. **Microservices**: Understanding service dependencies in decentralized environments + +## Learning Objectives + +- Understand how **vulnerability chaining** works in multi-machine attacks +- Learn about **Log4Shell exploitation** +- Practice **lateral movement** techniques in containerized environments +- Develop skills in **JWT security** and common misconfigurations +- Gain experience with **internal network reconnaissance** after initial compromise ## How to solve @@ -8,6 +26,8 @@ Follow the instructions in the [attached auto-solver application](./auto-solve/l TLDR: +
+ Click to reveal how to solve steps 1. Get a reverse shell to the challenge's internal network: 1. In the hackerlab, start a reverse shell listener (e.g. on port 1338) 2. Also in the hackerlab, start [an HTTP server](./auto-solve/ldap-server/src/main/java/PayloadHTTPServer.java) (e.g. on port 8083) to host a [class that will launch a reverse shell](./auto-solve/Exploit.java) connection to the listener from the previous step (i.e., `hackerlab:1338`) @@ -20,3 +40,4 @@ TLDR: 5. Reuse the same credentials to SSH into `logus` and extract a user ID from `/var/log/dashboard/proxy2021-12-09.log` 6. Forge a JWT with containing simply the user ID, and sign it with the signing secret 7. Access the dashboard (repository) and copy and submit the flag +
diff --git a/campaigns/miro/knock-knock/README.md b/campaigns/miro/knock-knock/README.md index 217bef8..27f0e6f 100644 --- a/campaigns/miro/knock-knock/README.md +++ b/campaigns/miro/knock-knock/README.md @@ -1,9 +1,25 @@ # Knock Knock -Packet capture and log analysis. +This challenge focuses on **forensics and analysis** to investigate suspicious activity. +Students must analyze a packet capture to identify an inbound connection and examine logs to determine when _critical_ files were accessed or modified. + +## Skills Used + +1. **Packet Capture Analysis**: Using Wireshark/tshark to analyze network traffic and identify connections and their origins +1. **Log File Analysis**: Parsing filesystem monitoring logs to extract file operation timestamps + +## Learning Objectives + +- Develop skills in **network traffic analysis** using packet capture tools +- Learn to **extract forensic evidence** from network and filesystem logs +- Understand how to **correlate events** across different data sources +- Practice **incident investigation** techniques using real-world artifacts ## How to solve +
+ Click to reveal how to solve steps 1. Download both files linked from the `http://repository/dashboard` 2. From the pcap, find the IP address initiating the SSH connection 3. From the fs log, find the timestamp of `file.txt` being written +
diff --git a/campaigns/miro/meme-jpeg/README.md b/campaigns/miro/meme-jpeg/README.md index dd8f4d5..f0797d4 100644 --- a/campaigns/miro/meme-jpeg/README.md +++ b/campaigns/miro/meme-jpeg/README.md @@ -1,17 +1,31 @@ # Meme.jpeg -Steganography + cryptography. +This challenge combines **steganography and cryptography** to let students extract and decrypt hidden information within inconspicuous files. +Students must use multiple techniques to uncover a hidden URL that serves as the challenge flag, demonstrating how sensitive information can be concealed in seemingly innocent files. + +## Skills Used + +1. **Steganography Techniques**: Using common tools to extract hidden data from files +1. **Cryptography**: Decrypting ciphertext to reveal hidden information +1. **Pattern Recognition**: Identifying meaningful patterns in decrypted strings to determine a cipher key + +## Learning Objectives + +- Understand how **steganography** can be used to hide data within image files +- Learn to apply **multiple steganography techniques** in sequence +- Develop skills in **cryptanalysis** to break simple ciphers +- Gain experience with **forensic tools** for data extraction +- Recognize how **layered obfuscation** can be used to hide sensitive information +- Understand the importance of **pattern recognition** in decrypting messages ## How to solve +
+ Click to reveal how to solve steps 1. Install steghide (`apt install steghide`) and Stegano (`pip3 install Stegano --break-system-packages`) 2. Access `http://172.20.0.205` (ideally using the transparent proxy) and download the image (further referred to as img.png) 3. `stegano-lsb reveal -i img.png -o l1re.jpg` will yield a l1re.jpg, from the looks of it the same image 4. `steghide extract -sf l1re.jpg -xf l0re.txt -p ""` will yield a l0re.txt containing an encrypted string 5. Run the script through a Vigenére cipher tool, such as [dCode.fr](https://www.dcode.fr/vigenere-cipher) or [this at University of Denver](https://www.cs.du.edu/~snarayan/crypt/vigenere.html) while aiming to produce something meaningful in front of the `://` in the string - -## Solution -
-Solution -You should arrive at the conclusion that the key is KEY and the open text thus http://repository, which is the flag +6. You should arrive at the conclusion that the key is KEY and the open text thus http://repository, which is the flag
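Review bot: In the bearific hunk (`@@ -1,10 +1,29 @@`), the first "Skills Used" item ends with an unmatched closing parenthesis in "such as brute-forcing credentials)."; drop the ")" or open it before "such as". Two wording points in the same hunk: "reduce the honeypot-ness of the victim machine" reads informally for a course README and could be "make the victim machine harder to identify as a honeypot", and item 3 "Students should detect the use of and understand the basic behavior of commands such as ..." would be clearer as "Students should recognize, and understand the basic behavior of, commands such as ...".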
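Review bot: In the by-the-pool hunk (`@@ -1,9 +1,28 @@`), the objective "Learn to exploit weaknesses in authentication systems, such as brute-forcing" names the attack as if it were the weakness; suggest "Learn to exploit weaknesses in authentication systems, such as missing rate limiting, by brute-forcing". The last objective mentions CSRF protection, but neither "Skills Used" nor the solution steps involve CSRF, so either add the skill or drop it from the objectives. The context line "Scan the network to newly find one DNS, one HTTP server." is now inside the reveal block and would read better as "Scan the network to find one new DNS server and one new HTTP server."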
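Review bot: In the corporate-retreat hunks, the "Skills Used" list is numbered 1 to 5 while every other README in this patch uses a repeated "1." marker; pick one convention across the campaign. In the second hunk (`@@ -22,6 +41,7 @@`), removing "Contains spoilers!" leaves the literal flag value in step 14 guarded only by the collapsible block, which plain-text viewers and many diff renderers do not honour; consider keeping a one-line spoiler warning above the block, as the old text had.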
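Review bot: In the forgot-your-password hunks, context step 6 "Forge a JWT with containing simply the user ID" has a grammar slip and should read "Forge a JWT containing only the user ID, and sign it with the signing secret". In the first hunk, the objective "Learn about **Log4Shell exploitation**" could cite CVE-2021-44228 the way the "Skills Used" entry does, so the two lists stay in step.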
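Review bot: In the knock-knock hunk (`@@ -1,9 +1,25 @@`), "Practice **incident investigation** techniques using real-world artifacts" overstates what the steps provide, which is a pcap and a filesystem log served from the challenge dashboard; "realistic artifacts" would be accurate.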
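Review bot: In the meme-jpeg hunk (`@@ -1,17 +1,31 @@`), the new step 6 "the open text thus http://repository" should say "the plaintext is thus http://repository", and the context step 5 misspells "Vigenére" (correct: "Vigenère"). Step 1 recommends `pip3 install Stegano --break-system-packages`, which overrides the distribution's protection against pip writing into the system Python; suggest `python3 -m venv venv && venv/bin/pip install Stegano` instead. Also, since `## Solution` and its own collapsible block are deleted here, confirm the block opened after `## How to solve` is still closed after step 6; the other READMEs in this patch add that closing line explicitly.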