# InfoSecLabs CTF Roadmap / Future Plan

## Current State Analysis

- **Total Scenarios**: 36
- **Current Categories**:
  - Linux Forensics & Navigation (101-106)
  - Windows Forensics & Incident Response (201-206)
  - Cloud Security (AWS Focus) (301-306)
  - Network Forensics (PCAP/Log Analysis) (401-406)
  - Memory Forensics (Volatility Focus) (501-506)
  - Container Security (Docker/K8s Focus) (601-606)

---

## Phase 1: Expansion of Existing Categories (Level: Advanced)

### [LINUX] Advanced Privilege Escalation

- **CTF-107: SUID Misconfiguration**: Exploiting an unusual binary with the SUID bit set.
- **CTF-108: Capabilities Abuse**: Using file capabilities granted with `setcap` to escalate from an unprivileged user to root.
- **CTF-109: Wildcard Exploitation**: Exploiting a cron job that runs `tar *` in a user-writable directory.

### [WINDOWS] Advanced Persistence & AD

- **CTF-207: DLL Search Order Hijacking**: Identifying a writable directory in the search path where a missing DLL can be placed.
- **CTF-208: Golden Ticket Analysis**: Detecting forged Kerberos tickets in event logs.
- **CTF-209: LSASS Dump Investigation**: Finding credentials in a log captured from an LSASS memory dump.

### [CLOUD] Multi-Cloud Focus (Azure/GCP)

- **CTF-307: Azure Blob Exposure**: Finding "Anonymous access" enabled on a storage container via Azure CLI mocks.
- **CTF-308: GCP IAM Key Leak**: Escaping a container via a leaked Google Service Account key.
- **CTF-309: Serverless Persistence**: Identifying a malicious Lambda Layer modification.

---

## Phase 2: New Categories (Future Implementation)

### 1. Web Application Security (700 series)

*Focus: Vulnerability analysis through logs and terminal interactions.*

- **CTF-701: SQLi via User-Agent**: Analyzing server logs where the attack vector was the User-Agent header.
- **CTF-702: SSRF in Metadata**: Identifying an attacker reaching the instance metadata endpoint `169.254.169.254` through a web interface.
- **CTF-703: IDOR Pattern Hunting**: Analyzing API logs to find where a user accessed another user's UUID.
- **CTF-704: JWT Secrets Leak**: Finding a weak JWT signing secret in a frontend config file.

### 2. OSINT & Reconnaissance (800 series)

*Focus: Gathering data from mock public sources and metadata.*

- **CTF-801: Metadata Trail**: Extracting author and software version from a "leaked" PDF.
- **CTF-802: Username Correlation**: Searching through mock LinkedIn/GitHub logs for a target.
- **CTF-803: Passive DNS Analysis**: Identifying a C2 domain from historical DNS records.

### 3. AI & Prompt Engineering Security (1000 series)

*Focus: Modern threats involving LLMs and AI pipelines.*

- **CTF-1001: Prompt Injection Escape**: Bypassing a system prompt to reveal the "Internal Secret Key".
- **CTF-1002: Model Poisoning**: Identifying malicious samples in an AI training dataset CSV.
- **CTF-1003: Sensitive Data in RAG**: Finding PII leaked in chunks retrieved from the vector database.

### 4. Malicious Code Analysis (1100 series)

*Focus: Static analysis of scripts and obfuscated payloads.*

- **CTF-1101: PowerShell De-obfuscation**: Reversing a Base64-encoded, XOR-obfuscated PowerShell command.
- **CTF-1102: Python Stealer**: Analyzing a Python script that exfiltrates browser cookies.
- **CTF-1103: Bash Polyglot**: Analyzing a script that behaves differently depending on which shell runs it.

---

## Phase 3: Gamification & Campaign Ideas

### [Campaign] The "APT-ISL" Pursuit

A series of 5 interconnected CTFs where the flag of one leads to the next:

1. **Initial Access**: Phishing analysis (Email).
2. **Execution**: Malware download analysis (Network).
3. **Persistence**: Registry key analysis (Windows).
4. **PrivEsc**: SUID exploitation (Linux).
5. **Exfiltration**: S3 Bucket leak (Cloud).

### [Difficulty Tiers]

- **Script Kiddie**: Points 50-100 (Hints enabled).
- **Cyber Analyst**: Points 200-400 (Standard).
- **Elite Phantom**: Points 500+ (No hints, complex multi-step).

---

*Plan generated on: 2026-01-24*
*Status: Draft for Implementation*