[Warning: This mission features multiple jobs, you can accept, you only need to complete a certain few, so make sure that you are on the correct company for the correct hints]

Following your successive infiltration of HSC, you now have to go undercover. We need to know more about their motivations and how large their operation is and we also need to know who they are targeting and why, they use a simple job posting site on the dark web that is open to all members, it operates as a tiered system so the more simple work you do the more complex jobs you will get. The jobs all revolve around compromising the simplERP system and the majority of jobs you have been asked to perform involve a technique called Salami Slicing. We have loaded a 0 day exploit for the simplERP into your localhost along with instructions on how to use the job board.

This Operation contains 5 missions, each with one part.

This guide is meant to be used as a resource and will contain hints in order to help you solve the missions, but it will not contain the actual answers.

If at any time you feel like you need more help please go to either the discussion board or the Discord channel[discord.gg] and there will be fellow agents happy to help you.


The missions and parts are the following:

1. Operation Nitro Winter - Chapter 1 ( NWT.01 )
   
2. Operation Nitro Winter - Chapter 2 ( NWT.02 )
   
3. Operation Nitro Winter - Chapter 3 ( NWT.03 )
   
4. Operation Nitro Winter - Chapter 4 ( NWT.04 )
   
5. Operation Nitro Winter - Chapter 5 ( NWT.05 )

Due to your success infiltrating HSC, your new objective is to review the Intel gathered about HSC and access the zero day exploit and rootkit for SimplERP, log into the HSC system job board, accept and complete the level 1 job.

• Hint 1 – This is as easy as following instructions.
  
  
• Hint 2 – You should check around your folders, the Intel documents are probably in the Nite Team 4.
  
  
• Hint 3 – Make sure to read carefully the 3 PDFs, all of them contain useful information.
  
  
• Hint 4 – The PDF about the job board should have info about the commands and how to access it.
  
  
• Hint 5 – You can click on the Job list to choose one and accept it, that way you will know what type of bots they want you to run and what domain the company uses.

Company Name: Limbo

• Hint 6 – Remember basic training, what commands do you have for reconnaissance?
  
  
• Hint 7 – With just a push of a button I can get lots of physical copies of documents.
  
  
• Hint 8 – What does the Police usually dust the weapons of the crime for?
  
  
• Hint 9 – What tool can you use to gather information about a subdomain.
  
  
• Hint 10 – If you don't recognize a technology, you can always look it up with a tool you have.
  
  
• Hint 11 – Don't forget to scan and dig around the network for paths and other stuff.
  
  
• Hint 12 – The SimplERP exploit PDF explained what you needed to use in foxacid.
  
  
• Hint 13 – The job board says what they require access to, and the Verboten setup PDF had an explanation on which bot did what.

We are in but we need more Intel on HSC, we still don't understand how HSC and Dr. Ripper got access to NT4 tech in order to gather more Intel on HSC you will need to download any data on the target of the job. Your objective now is to access the level 2 jobs, download every company profile and reach clearance level 3 on the HSC job board.

• Hint 1 – This is as easy as following instructions.
  
  
• Hint 2 – Don't forget to refresh, so you can see the new jobs.
  
  
• Hint 3 – You need to download the companies' profiles luckily the HSC Job Board PDF had a list of commands you could use, and you could always ask for help.

Company Name: MyAncestree

• Hint 4 – Remember basic training, what commands do you have for reconnaissance?
  
  
• Hint 5 – Don't limit yourself to sfuzzer.
  
  
• Hint 6 – The job info says "Make sure to scan popular search engines to find all possible domains attached to this genetics company.".
  
  
• Hint 7 – Remember that IPs are also searchable with bing.
  
  
• Hint 8 – Now you have a new domain, time to see what subdomains you will find.
  
  
• Hint 9 – If you don't recognize a technology, you can always look it up with a tool you have.
  
  
• Hint 10 – Don't forget to scan and dig around the network for paths and other stuff.
  
  
• Hint 11 – The SimplERP exploit PDF explained what you needed to use in foxacid.
  
  
• Hint 12 – The job board says what they require access to, and the Verboten setup PDF had an explanation on which bot did what.

Company Name: Gener8

• Hint 13 – Remember basic training, what commands do you have for Reconnaissance?
  
  
• Hint 14 – Don't forget to fingerprint the subdomains you find.
  
  
• Hint 15 – Don't forget to scan and dig around the network for paths and other stuff.
  
  
• Hint 16 – There seems to be an AD path in the network I wonder what tool you could use to see it's contents.
  
  
• Hint 17 – It's an employee, now which employee would have access to the ERP network.
  
  
• Hint 18 – Maybe someone that is in charge of the network.
  
  
• Hint 19 – Now that you have the mac address and the vendor you can connect to the phone.
  
  
• Hint 20 – Look around the phone, you might find a way to connect to the network.
  
  
• Hint 21 – The email mentions that the employees can use the hotspot to connect to work from.
  
  
• Hint 22 – Don't forget to scan and dig around the network for paths and other stuff.
  
  
• Hint 23 – The SimplERP exploit PDF explained what you needed to use in foxacid.
  
  
• Hint 24 – The job board says what they require access to, and the Verboten setup PDF had an explanation on which bot did what.

Company Name: Coronautica

• Hint 25 – Remember basic training, what commands do you have for Reconnaissance?
  
  
• Hint 26 – Don't limit yourself to sfuzzer.
  
  
• Hint 27 – One of those IPs is too different maybe it means something.
  
  
• Hint 28 – Maybe it's the one that isn't secured as it says in the provided info for the job.
  
  
• Hint 29 – Don't forget to scan and dig around the network for paths and other stuff.
  
  
• Hint 30 – The SimplERP exploit PDF explained what you needed to use in foxacid.
  
  
• Hint 31 – The job board says what they require access to, and the Verboten setup PDF had an explanation on which bot did what.

Company Name: CandleLite

• Hint 32 – Remember basic training, what commands do you have for Reconnaissance?
  
  
• Hint 33 – With just a push of a button I can get lots of physical copies of documents.
  
  
• Hint 34 – What does the Police usually dust the weapons of the crime for?
  
  
• Hint 35 – What tool can you use to gather information about a subdomain.
  
  
• Hint 36 – Now that you are inside the network, look around see if you find anything new.
  
  
• Hint 37 – Maybe there are internal subdomains?
  
  
• Hint 38 – If you don't recognize a technology, you can always look it up with a tool you have.
  
  
• Hint 39 – Don't forget to scan and dig around the network for paths and other stuff.
  
  
• Hint 40 – The SimplERP exploit PDF explained what you needed to use in foxacid.
  
  
• Hint 41 – The job board says what they require access to, and the Verboten setup PDF had an explanation on which bot did what.

Company Name: Aristishia

• Hint 42 – The job info provides you with a mac address and a vendor, what could you do with that information?
  
  
• Hint 43 – You have access to a curator's phone and the job information says it could be a potential entry point, maybe if you look around you will find something useful.
  
  
• Hint 44 – The phone seems to have something in the settings that could help us.
  
  
• Hint 45 – You are inside a network but there is no ERP path in WMI, maybe Aristishia's domain will be useful now.
  
  
• Hint 46 – Remember basic training, what commands do you have for Reconnaissance?
  
  
• Hint 47 – Don't forget the -i
  
  
• Hint 48 – Now that you're inside Aristishia's network you should scan and dig around, you might find something.
  
  
• Hint 49 – The SimplERP exploit PDF explained what you needed to use in foxacid.
  
  
• Hint 50 – The job board says what they require access to, and the Verboten setup PDF had an explanation on which bot did what.

Good job, your actions are being rewarded by HSC and your covert actions continue to go unnoticed, from the profiles you have download we have noted that they are based in the middle east, there's probably something more that links them, complete the next contracts while we look into their motives. Your objectives are to download the remaining profiles, complete enough contracts to reach clearance 4 and download the level 4 target profile, and confirm or deny a clear connection between all the targets.

• Hint 1 – This is as easy as following instructions.
  
  
• Hint 2 – How did you download the profiles in Chapter 2?
  
  
• Hint 3 – Don't forget to refresh, so you can see the new jobs.
  
  
• Hint 4 – You need to download the companies' profiles luckily the HSC Job Board PDF had a list of commands you could use, and you could always ask for help.

Company Name: Bulletin

• Hint 5 – Remember basic training, what commands do you have for reconnaissance?
  
  
• Hint 6 – Don't forget about fingerprint.
  
  
• Hint 7 – Now that you are inside the network, the job info had the schedule of the CEO maybe that will help.
  
  
• Hint 8 – What module uses a day and time to keep track of things.
  
  
• Hint 9 – Now that you have the CEO's phone, you may want to take a look around it for a way to connect to their network.
  
  
• Hint 10 – Don't forget to check Settings, Emails, Notes, etc...
  
  
• Hint 11 – Now that you are inside the network don't forget to scan and dig around the network for paths and other stuff.
  
  
• Hint 12 – The SimplERP exploit PDF explained what you needed to use in foxacid.
  
  
• Hint 13 – The job board says what they require access to, and the Verboten setup PDF had an explanation on which bot did what.

Company Name: RowBoat

• Hint 14 – Remember basic training, what commands do you have for reconnaissance?
  
  
• Hint 15 – There seems to be a sequence, one is missing but which one?
  
  
• Hint 16 – Ancient Greece was a powerful civilization for it's time.
  
  
• Hint 17 – You can try to fingerprint subdomains even if you didn't find them with sfuzzer or Osintscan.
  
  
• Hint 18 – Now that you are inside the network don't forget to scan and dig around the network for paths and other stuff.
  
  
• Hint 19 – The SimplERP exploit PDF explained what you needed to use in foxacid.
  
  
• Hint 20 – The job board says what they require access to, and the Verboten setup PDF had an explanation on which bot did what.

Company Name: ArgosSecur

• Hint 21 – Remember basic training, what commands do you have for reconnaissance?
  
  
• Hint 22 – Don't limit yourself to sfuzzer.
  
  
• Hint 23 – Remember that IPs are also searchable with bing.
  
  
• Hint 24 – That seems like a new domain, maybe running it through sfuzzer/osintscan will yield something new.
  
  
• Hint 25 – The ERP would be located at the HQ subdomain, the job board offers a command that gives you a detailed resume on ArgosSecur including where they're HQ is located.
  
  
• Hint 26 – Now that you have the HQ location and some IPs of subdomains from different locations from Osintscan, just cross-reference the two.
  
  
• Hint 27 – Remember that IPs are also searchable with bing.
  
  
• Hint 28 – You have found another new domain, maybe you will find something if you sfuzzer it.
  
  
• Hint 29 – Don't forget to use fingerprint.
  
  
• Hint 30 – Now that you are inside the network don't forget to scan and dig around the network for paths and other stuff.
  
  
• Hint 31 – The SimplERP exploit PDF explained what you needed to use in foxacid.
  
  
• Hint 32 – The job board says what they require access to, and the Verboten setup PDF had an explanation on which bot did what.

Company Name: Nexxit

• Hint 33 – Remember basic training, what commands do you have for reconnaissance?
  
  
• Hint 34 – Don't forget to use fingerprint.
  
  
• Hint 35 – It asks you to spy on their activity, what module could do that?
  
  
• Hint 36 – What module can sniff out packets and snap URLs?
  
  
• Hint 37 – All you need to do is be the middle man.
  
  
• Hint 38 – That subdomains in the URL with ERP seems suspicious.
  
  
• Hint 39 – You can try to fingerprint subdomains even if you didn't find them with sfuzzer or Osintscan.
  
  
• Hint 40 – Now that you are inside the network don't forget to scan and dig around the network for paths and other stuff.
  
  
• Hint 41 – The SimplERP exploit PDF explained what you needed to use in foxacid.
  
  
• Hint 42 – The job board says what they require access to, and the Verboten setup PDF had an explanation on which bot did what.

Company Name: Lo Cal Health and Nutrition

• Hint 43 – According to the job info, the employees are not "tech savvy", what module could exploit that?
  
  
• Hint 44 – Set Information Gathering tools aside, you've got a great toolkit elsewhere.
  
  
• Hint 45 – Now that you are inside the network don't forget to scan and dig around the network for paths and other stuff.
  
  
• Hint 46 – The SimplERP exploit PDF explained what you needed to use in foxacid.
  
  
• Hint 47 – The job board says what they require access to, and the Verboten setup PDF had an explanation on which bot did what.

The companies end here.

• Hint 48 – How did you download the profiles in Chapter 2?
  
  
• Hint 49 – Don't forget to refresh, so you can see the new jobs.
  
  
• Hint 50 – You need to download the companies' profiles luckily the HSC Job Board PDF had a list of commands you could use, and you could always ask for help.
  
  
• Hint 51 – Some of the companies seem to have properties that would synergize, like robotics and security, maybe that will help in XKeyscore.
  
  
• Hint 52 – Dylan also suspects that Moscone Center is involved.
  

Our understanding of HSC's targets is much clearer, all the targets are part of a tech initiative, this is a sensitive area and any indication that the initiative is under attack can cause serious problems, there is one last piece of the puzzle, Bastek, you will need to infiltrate the Cyber security company and find more about the company. Your objective is to investigate Bastek's network, find a way to bypass their security, access their employee directory and look for and research Bastek's client list.

• Hint 1 – This is as easy as following instructions.
  
  
• Hint 2 – Remember basic training, what commands do you have for reconnaissance?
  
  
• Hint 3 – Don't forget to use fingerprint.
  
  
• Hint 4 – Follow Dylan's instructions.
  
  
• Hint 5 – If you don't recognize a technology, you can always look it up with a tool you have.
  
  
• Hint 6 – You should check around your localhost, Wheeler said she had found some basic information on Bastek.
  
  
• Hint 7 – Read very carefully the product overview and see the demonstration of how it works.
  
  
• Hint 8 – You should check around your localhost, Dylan has uploaded the Fingrtip data for the IT personnel at Bastek and all the unique fingerprint signatures for the company's phone.
  
  
• Hint 9 – Now you need to cross-reference Sara Hajjar's FingrTip ID with the fingerprint signatures Dylan has uploaded.
  
  
• Hint 10 – Maybe drawing out a rough shape of Sara's Fingerprint will help.
  
  
• Hint 11 – Look around the phone's settings, notes, messages, etc... to find a way to connect to the network.
  
  
• Hint 12 – You should scan and dig around the network to find that Employee Directory.
  
  
• Hint 13 – Now what module can you use to see the contents of that directory?
  
  
• Hint 14 – You need to gain access to the client list, and for that we need a username and a password, who would normally be in charge of the accounting?
  
  
• Hint 15 – That Head of Finance definetely has access to the client list, we just need to find out her password.
  
  
• Hint 16 – You know the path and you have a username, what module could you use to find the password?
  
  
• Hint 17 – It might seem like a shot in the dark, but maybe Sara's phone has clues for Erika's variables for the password attack.
  
  
• Hint 18 – They have messages between each other.
  
  
• Hint 19 – It would seem Sara and Erika are dating, maybe that's a clue, but also Erika is missing a show, maybe the name of it would work as a variable.
  
  
• Hint 20 – We also know Erika's mom's name from the messages, maybe that will help.
  
  
• Hint 21 – Since they seem to be dating, it would make sense Sara is planning a surprise for Erika, maybe she has something in the notes.
  
  
• Hint 22 – Maybe she's planning to buy a gift, maybe concert tickets or something else.
  
  
• Hint 23 – If they are dating it would make sense they would be together at each other's places, maybe Erika has a special name for her apartment.
  
  
• Hint 24 – The apartment must have WiFi, and phones are always looking to connect themselves to it.
  
  
• Hint 25 – Now that you have her password, you can browse the Client list's files.

Agent, you have uncovered something very sensitive, we need to act quickly to understand what damage this will cause, our PR people are crafting a cover story for when this will inevitably get noticed, we need to interrogate a senior Bastek employee and also tell us how they did it and if they got anything else, sergeant Wheeler has prepared a background file on Lobeoteu Tapan, the CTO of Bastek, as head of tech for the company he must have been involved in acquiring the NT4 cipher chip, he keeps a low profile but he is our best shot, Wheeler uncovered an IP address connected to Tapan along with Intel, which suggest he uses a smart car provided by the company, this is how we get him, first you will need to infiltrate his network and look for anything we can use as leverage against him, then find a way to compromise his car and reroute it to an intercept point, from there a ONIGRU team will take him to a black site outside of Seoul, work quickly and carefully. Your objectives are to gain entry to Tapan's network and research the contents of the files, access an Internet of things device to track his movements, reroute the GPS on the smart car and find the car's license plate, intercept the target.

• Hint 1 – This is as easy as following instructions.
  
  
• Hint 2 – Dylan said he put the details about the conversation in your localhost.
  
  
• Hint 3 – There's a mention of an IP.
  
  
• Hint 4 – Make sure that you are connected to Bastek's network through the phone.
  
  
• Hint 5 – Fingerprint can also work on subdomains and IPs you haven't found through sfuzzer and Osintscan.
  
  
• Hint 6 – You heard Dylan, you have a path and a username, might as well try a password attack.
  
  
• Hint 7 – You will need to use your heads to figure out that Qebai URL.
  
  
• Hint 8 – Now that you have access to his smartwatch, you can add a stop to his route.
  
  
• Hint 9 – The stop that ONIGRU thought ideal to intercept him should be in your localhost, maybe check around there again.
  
  
• Hint 10 – Look around the smartwatch where a lead on the car can be found.
  
  
• Hint 11 – Maybe even a garage domain would work as a lead.
  
  
• Hint 12 – Remember basic training, what commands do you have for reconnaissance?
  
  
• Hint 13 – Don't limit yourself to sfuzzer.
  
  
• Hint 14 – Don't forget that Osintscan can scan IPs with bing.
  
  
• Hint 15 – You have found a new domain, I wonder what you will find if you sfuzzer and Osintscan it.
  
  
• Hint 16 – Don't forget to use fingerprint.
  
  
• Hint 17 – Dylan said to try an MITM attack to try and find a Qebai license plate.
  
  
• Hint 18 – To track his car, first we need to set up the satellite map, and we know where he lives.
  
  
• Hint 19 – He lives in Seoul, maybe there's a place where you can find out it's coordinates.
  
  
• Hint 20 – Google might help with that.
  
  
• Hint 21 – Now that you have the satellite set up you can track his license plate that you got from MITM.