BTL1 Prep: Boss of the SOC v1 on Proxmox

In this post, I walk you through the steps of running on Proxmox the Boss of the SOC v1 challenge from CyberDefenders.
In: BTL1 Prep, Certifications, Defend, Splunk, SIEM, Threat Hunting, Home Lab, Proxmox

Blue Team Level 1

I am currently preparing for the Blue Team Level 1 certification offered by Security Blue Team. It is a 24-hour practical exam that requires the student to run through an entire incident response lifecycle: looking at simulated data and reporting how a security breach occurred.

Blue Team Level 1 Certification » Security Blue Team
Blue Team Level 1 is a practical cybersecurity certification focusing on defensive practices, security investigations, and incident handling.

At this time, I have completed the training material and my lab time has expired. While I could purchase additional lab time, I am currently seeking some free hands-on training materials to brush up on my Splunk investigative skills.

⚠️
I am not advocating that the content here is a legitimate replacement for actual lab time in the vendor's environment. This is just supplemental practice that I have decided to use.





Boss of the SOC v1

Boss Of The SOC v1 Blue team challenge.
Training platform for Blue Teams, SOC analysts, and DFIR professionals to advance CyberDefense skills.

This is an interactive Splunk challenge with simulated security data already bundled in. The only requirement is that you host the machine, boot it up, open the Splunk search console, and get to work.

That said, this challenge was designed for VirtualBox and VMware. I am going to demonstrate how to get it running on Proxmox.



Download the Challenge Files

Sign in, download the .zip file, and transfer it to Proxmox



Unzip and Inspect the Files

Enter the password: cyberdefenders.org
Expand the .ova archive to reveal the VM's files
We can look at the .ovf file for the VM's hardware specifications
    <OperatingSystemSection ovf:id="94">
      <Info>The kind of installed guest operating system</Info>
      <Description>Ubuntu_64</Description>
      <vbox:OSType ovf:required="false">Ubuntu_64</vbox:OSType>
    </OperatingSystemSection>

It's a 64-bit Ubuntu VM

      <Item>
        <rasd:Caption>2 virtual CPU</rasd:Caption>
        <rasd:Description>Number of virtual CPUs</rasd:Description>
        <rasd:ElementName>2 virtual CPU</rasd:ElementName>
        <rasd:InstanceID>1</rasd:InstanceID>
        <rasd:ResourceType>3</rasd:ResourceType>
        <rasd:VirtualQuantity>2</rasd:VirtualQuantity>
      </Item>

It has 2 CPU cores

      <Item>
        <rasd:AllocationUnits>MegaBytes</rasd:AllocationUnits>
        <rasd:Caption>4096 MB of memory</rasd:Caption>
        <rasd:Description>Memory Size</rasd:Description>
        <rasd:ElementName>4096 MB of memory</rasd:ElementName>
        <rasd:InstanceID>2</rasd:InstanceID>
        <rasd:ResourceType>4</rasd:ResourceType>
        <rasd:VirtualQuantity>4096</rasd:VirtualQuantity>
      </Item>

It has 4096 MB of RAM

      <Item>
        <rasd:Address>0</rasd:Address>
        <rasd:Caption>sataController0</rasd:Caption>
        <rasd:Description>SATA Controller</rasd:Description>
        <rasd:ElementName>sataController0</rasd:ElementName>
        <rasd:InstanceID>5</rasd:InstanceID>
        <rasd:ResourceSubType>AHCI</rasd:ResourceSubType>
        <rasd:ResourceType>20</rasd:ResourceType>
      </Item>

It uses a SATA controller for the VM disk





Stage the VM

Delete the disk
Choose your bridge and any VLAN as necessary





Import and Attach the Disk

# Change your VMID and storage pool as needed
# This is just an example command
qm importdisk 610 botsv1-disk001.vmdk local-lvm --format qcow2

Import the disk file to the storage pool for Proxmox guests

Example output from my Proxmox node
# Change the VMID and storage pool as needed
# This is just an example command
qm set 610 --sata0 local-lvm:vm-610-disk-0

Attach the imported disk to the VM on its SATA controller

Example from my Proxmox node

# Update the VMID as needed
# This is just an example command
qm set 610 --boot order=sata0

Set the disk as the primary boot method

Example from my Proxmox node
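The staging steps above can be derived straight from the .ovf instead of reading it by hand. The POSIX shell helper below is an added example, not part of the original post or of Proxmox: it pulls the CPU count, memory, OS type, disk image name and controller type out of the descriptor and prints the matching qm commands without running them. VMID 610, storage local-lvm and bridge vmbr0 are placeholder assumptions, and the OVF it parses is a constructed fragment carrying the same fields the real botsv1.ovf shows.

```shell
#!/bin/sh
# Added example (not from the original post): derive the Proxmox "qm" commands
# from an OVA's .ovf descriptor so the VM is staged with the CPUs, memory and
# disk controller the appliance was built for. VMID 610, storage local-lvm
# and bridge vmbr0 are placeholders; the OVF below is a constructed fragment
# carrying the same fields the real botsv1.ovf shows.

SAMPLE_OVF=$(mktemp); trap 'rm -f "$SAMPLE_OVF"' EXIT
cat > "$SAMPLE_OVF" <<'EOF'
<Envelope><References><File ovf:href="botsv1-disk001.vmdk" ovf:id="file1"/></References>
<OperatingSystemSection ovf:id="94"><vbox:OSType ovf:required="false">Ubuntu_64</vbox:OSType></OperatingSystemSection>
<Item><rasd:ResourceType>3</rasd:ResourceType><rasd:VirtualQuantity>2</rasd:VirtualQuantity></Item>
<Item><rasd:ResourceType>4</rasd:ResourceType><rasd:VirtualQuantity>4096</rasd:VirtualQuantity></Item>
<Item><rasd:ResourceSubType>AHCI</rasd:ResourceSubType><rasd:ResourceType>20</rasd:ResourceType></Item>
</Envelope>
EOF

# VirtualQuantity of the <Item> whose ResourceType is $2 (3 = CPU, 4 = memory in MB).
ovf_quantity() {
  awk -v want="$2" '
    /<Item>/ { t = ""; q = "" }
    match($0, /<rasd:ResourceType>[^<]*/)    { t = substr($0, RSTART + 19, RLENGTH - 19) }
    match($0, /<rasd:VirtualQuantity>[^<]*/) { q = substr($0, RSTART + 22, RLENGTH - 22) }
    /<\/Item>/ && t == want { print q; exit }
  ' "$1"
}
# Guest OS type string (VirtualBox export), first disk image, and disk bus.
ovf_os_type()   { sed -n 's/.*<vbox:OSType[^>]*>\([^<]*\)<.*/\1/p' "$1" | head -n 1; }
ovf_disk_file() { sed -n 's/.*<File [^>]*ovf:href="\([^"]*\)".*/\1/p' "$1" | head -n 1; }
ovf_bus()       { grep -q '<rasd:ResourceSubType>AHCI<' "$1" && echo sata0 || echo scsi0; }

# Print (do not run) the qm commands: $1 = .ovf, $2 = VMID, $3 = storage pool.
# Volume naming follows the post's LVM-thin example; confirm it against the
# volume name qm importdisk reports before running the qm set line.
ovf_to_qm() {
  cores=$(ovf_quantity "$1" 3); mem=$(ovf_quantity "$1" 4)
  disk=$(ovf_disk_file "$1"); bus=$(ovf_bus "$1"); name=${disk%%-disk*}
  case $(ovf_os_type "$1") in Ubuntu*|Debian*|Linux*) os=l26 ;; *) os=other ;; esac
  echo "qm create $2 --name $name --cores $cores --memory $mem --ostype $os --net0 virtio,bridge=vmbr0"
  echo "qm importdisk $2 $disk $3"
  echo "qm set $2 --$bus $3:vm-$2-disk-0"
  echo "qm set $2 --boot order=$bus"
}

ovf_to_qm "$SAMPLE_OVF" 610 local-lvm
```

Run it against the real botsv1.ovf from the unzipped archive and paste the printed lines into the Proxmox node's shell once the bridge, VLAN and storage names match your environment.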





Let the Fun Begin

The VM shown on my Proxmox node
Right-click and choose 'Start'
These errors are nothing to worry about
Check your DHCP server for the VM's IP address
Navigate to http://x.x.x.x:8000 to open the Splunk search console

Consult the challenge home page for any questions and write-ups
