diff --git a/planning_notes/overall_story_plan/mission_initializations/m03_ghost_in_the_machine/stages/stage_0/00_scenario_initialization.md b/planning_notes/overall_story_plan/mission_initializations/m03_ghost_in_the_machine/stages/stage_0/00_scenario_initialization.md new file mode 100644 index 0000000..e1b6951 --- /dev/null +++ b/planning_notes/overall_story_plan/mission_initializations/m03_ghost_in_the_machine/stages/stage_0/00_scenario_initialization.md @@ -0,0 +1,820 @@ +# Mission 3: "Ghost in the Machine" - Stage 0: Scenario Initialization + +**Mission ID:** m03_ghost_in_the_machine +**Title:** Ghost in the Machine +**Stage:** 0 - Scenario Initialization +**Date:** 2025-12-24 +**Status:** ✅ COMPLETE + +--- + +## Mission Overview + +**Tier:** Intermediate (Mission 3 of Season 1) +**Estimated Playtime:** 60-75 minutes +**ENTROPY Cell:** Zero Day Syndicate +**SecGen Scenario:** "Information Gathering: Scanning" +**Primary Mechanics:** RFID keycard cloning (NEW), network reconnaissance, lockpicking, social engineering, multi-encoding puzzles + +--- + +## Executive Summary + +Mission 3 "Ghost in the Machine" is an intelligence gathering operation where players infiltrate WhiteHat Security Services—a corporate security consulting firm that serves as a front for the Zero Day Syndicate. Players go undercover as a potential client to reconnaissance the office during daytime, then return at night to clone an RFID keycard, scan the internal network, and intercept intelligence that reveals the Zero Day Syndicate's role as ENTROPY's central exploit supplier. + +**Key Revelation:** Discovery that Zero Day sold the ProFTPD exploit used in Mission 2's hospital ransomware attack, revealing cross-cell coordination for the first time. + +**New Mechanic:** RFID keycard cloning introduces proximity-based hacking gameplay. + +**Educational Focus:** Network reconnaissance, service enumeration, multi-stage encoding, intelligence correlation. + +--- + +## CyBOK Knowledge Areas Covered + +### Primary Areas + +**NSS - Network Security (Primary):** +- Port scanning fundamentals (nmap) +- Service enumeration and banner grabbing (netcat) +- Network mapping and reconnaissance methodology +- Service identification from port numbers + +**SS - Systems Security:** +- Service exploitation (distcc vulnerability CVE-2004-2687) +- Legacy system targeting and reconnaissance +- System fingerprinting from banner information +- Understanding attack surfaces through scanning + +**ACS - Applied Cryptography:** +- Multiple encoding types (ROT13, Hex, Base64) +- Multi-stage encoding puzzles (nested decoding) +- Pattern recognition for encoded data +- Encoding vs. encryption distinction (reinforced from M2) + +**SOC - Security Operations:** +- Intelligence gathering and correlation +- Systematic investigation methodology +- Evidence collection from multiple sources (physical + digital) +- OSINT principles (reconnaissance before action) + +### Secondary Areas + +**HF - Human Factors:** +- Social engineering for undercover operations +- Cover story maintenance and deception +- Trust-building in corporate environments +- Dual-identity role-playing + +**AB - Adversarial Behaviours:** +- Exploit marketplace economics +- Zero-day vulnerability brokerage models +- Threat actor coordination patterns +- Intelligence network operations + +--- + +## Technical Challenges Breakdown + +### Break Escape In-Game Challenges + +#### 1. RFID Keycard Cloning (NEW MECHANIC) +**Difficulty:** Intermediate +**Learning Outcome:** Understanding RFID security vulnerabilities and cloning techniques + +**Mechanic Specification:** +- **Cloning Method:** Proximity-based (stand near Victoria Sterling with RFID cloner device) +- **Timing:** 10-second clone window while within 2 GU proximity +- **Visual Feedback:** Progress bar + on-screen message ("Cloning RFID signature...") +- **Success Condition:** Uninterrupted 10 seconds near target +- **Failure Condition:** Move out of range, detected by target, interrupted by guard +- **Alternative Path:** High social engineering (Victoria grants access willingly if trust >= 40) + +**Tutorial Integration:** +- Agent 0x99 explains RFID cloning before daytime visit +- On-screen prompts guide first use +- RFID cloner device obtained from SAFETYNET equipment inventory + +**Educational Context:** +- Players learn RFID security vulnerabilities +- Understanding proximity-based attacks +- Physical security bypass through technical means + +#### 2. Lockpicking (Reinforced from M1-M2) +**Difficulty:** Easy to Medium +**Locks Present:** +- Filing cabinet (easy) - Contains client list documents +- Executive office door (medium) - Access to Victoria Sterling's workspace +- Security room door (medium) - Alternative to RFID cloning + +**Learning Outcome:** Physical security bypass (reinforced skill) + +#### 3. Patrolling Guards (Reinforced from M2) +**Difficulty:** Medium +**Guard Behavior:** +- 1 security guard patrols hallway at night +- 4-waypoint patrol route (60-second loop) +- Line-of-sight detection (150px range, 120° cone) +- 15-tick pause at each waypoint + +**Player Options:** +- Stealth timing (wait for patrol gaps) +- Social engineering (convince guard you belong) +- Distraction (not implemented in M3, reserved for future) + +**Learning Outcome:** Operational security awareness, timing-based stealth + +#### 4. Social Engineering (Advanced) +**Difficulty:** Intermediate +**NPC Targets:** +- **Victoria Sterling** (Zero Day sales lead) - Build trust to gain access/intel +- **James Park** (Innocent pen tester) - Extract office layout information +- **Security Guard** (Night patrol) - Convince of legitimacy if detected + +**Influence System:** +- Track `victoria_trust` (0-100) +- Track `james_trust` (0-100) +- High trust unlocks alternative paths (keycard access, passwords, warnings) + +**Learning Outcome:** Social engineering tactics, trust exploitation, undercover operations + +#### 5. Multi-Encoding Puzzle (Reinforced from M1-M2) +**Difficulty:** Intermediate +**Encoding Types:** +- **ROT13** (Whiteboard message) - "Meet with The Architect - Prioritize infras exploits" +- **Hex** (Computer file) - Complete client list (Ransomware Inc, Critical Mass, Social Fabric) +- **Base64** (Email draft) - Victoria Sterling's quarterly pricing update +- **Double-encoded** (Hidden USB) - ROT13 + Base64 nested encoding + +**CyberChef Integration:** +- In-game CyberChef workstation in server room +- Tutorial guidance for multi-stage decoding +- Pattern recognition challenges + +**Learning Outcome:** Multi-stage decoding, pattern recognition, persistence in cryptanalysis + +--- + +### VM/SecGen Challenges + +#### SecGen Scenario: "Information Gathering: Scanning" + +**Challenge 1: Network Port Scanning** +- **Tool:** nmap +- **Objective:** Scan Zero Day's training network (192.168.100.0/24) +- **Learning:** Port scanning fundamentals, service discovery +- **Flag:** `flag{network_scan_complete}` +- **Reward:** Network map reveals 4 critical services + +**Challenge 2: Banner Grabbing (Netcat Services)** +- **Tool:** netcat (nc) +- **Objective:** Connect to 4 open ports, read service banners +- **Services:** + - Port 21 (FTP) - Banner contains `flag{ftp_intel_gathered}` + - Port 22 (SSH) - Banner contains client codenames + - Port 80 (HTTP) - Web server reveals exploit pricing + - Port 3632 (distcc) - Vulnerable service + +**Learning:** Service enumeration, banner information gathering +**Flags:** 3 flags from banner grabbing + +**Challenge 3: Base64-Encoded Flag** +- **Location:** HTTP service banner (Port 80) +- **Format:** Base64-encoded flag in HTML comment +- **Objective:** Decode Base64 to reveal flag +- **Flag:** `flag{pricing_intel_decoded}` +- **Learning:** Encoding in network services + +**Challenge 4: distcc Exploitation** +- **Vulnerability:** CVE-2004-2687 (distcc backdoor) +- **Tool:** Metasploit or manual exploitation +- **Objective:** Exploit distcc service to gain shell access +- **Flag:** `flag{distcc_legacy_compromised}` +- **Reward:** Shell access reveals operational logs +- **Learning:** Legacy service exploitation, vulnerability research + +**Educational Integration:** +- Agent 0x99 provides nmap tutorial via in-game terminal +- Drop-site terminal shows simplified nmap output with educational annotations +- Flags unlock intelligence fragments when submitted + +--- + +### Hybrid Architecture: Dead Drop Integration + +**Dead Drop System (Flag → Intelligence Unlocks):** + +| VM Flag | Narrative Context | In-Game Unlock | +|---------|-------------------|----------------| +| `flag{network_scan_complete}` | "You've mapped Zero Day's training network" | Server room terminal access | +| `flag{ftp_intel_gathered}` | "Intercepted FTP communication logs" | Client codename list document | +| `flag{pricing_intel_decoded}` | "Decoded exploit pricing spreadsheet" | ProFTPD backdoor price ($12,500) | +| `flag{distcc_legacy_compromised}` | "Accessed operational logs via legacy exploit" | M2 hospital attack evidence | + +**Integration Flow:** +1. Player scans network in VM → obtains `flag{network_scan_complete}` +2. Submits flag at drop-site terminal in server room +3. Unlocks server room workstation with client list (ERB-generated content) +4. Player decodes Hex-encoded client list → sees "Ransomware Inc - St. Catherine's Hospital" +5. Correlation moment: "Zero Day sold the hospital ransomware exploit!" + +**Dual Tracking (Objectives System):** +- VM tasks: `submit_network_scan_flag`, `submit_ftp_flag`, etc. +- In-game tasks: `decode_whiteboard_rot13`, `decode_client_list_hex`, `clone_rfid_card` +- Both types tracked in objectives JSON for mission completion + +--- + +## ENTROPY Cell Selection: Zero Day Syndicate + +### Cell Profile + +**Name:** Zero Day Syndicate +**Cell Leader:** "Cipher" (referenced but not seen in M3) +**M3 Representative:** Victoria "Vick" Sterling (Sales Lead) +**Front Company:** WhiteHat Security Services +**Specialty:** Vulnerability research, zero-day exploit brokerage, penetration testing + +### Philosophy: "The Vulnerability Marketplace" + +Victoria Sterling and Zero Day Syndicate operate on free-market principles: + +**Core Beliefs:** +- **Information asymmetry is natural:** "Security is an economic problem. Vulnerabilities have market value." +- **No moral responsibility for use:** "We provide tools. What clients do with them isn't our concern." +- **Professional legitimacy:** "We're researchers and consultants. Vulnerability disclosure is our right." +- **Free market ideology:** "Governments, criminals, corporations—all have equal right to purchase exploits." + +**Quote from Victoria:** +> "We don't cause system failures—we reveal them. If a hospital's budget prioritizes MRIs over security, that's their choice. We simply monetize the consequences of negligence." + +### Why Zero Day Fits M3 + +1. **Thematic Alignment:** Corporate front for criminal operations (undercover infiltration setting) +2. **Technical Fit:** Exploit brokerage requires network scanning knowledge (matches SecGen scenario) +3. **Narrative Role:** Central supplier to other ENTROPY cells (campaign coordination reveal) +4. **Villain Ideology:** Professional, calculated, unapologetic (strong antagonist) +5. **Campaign Arc:** Connects M2 (hospital ransomware) to broader ENTROPY network + +### ENTROPY Integration + +**Zero Day's Role in ENTROPY:** +- **Supplier:** Provides exploits to other cells (Ransomware Inc, Critical Mass, Social Fabric) +- **Coordinator:** Receives prioritization from "The Architect" +- **Revenue:** Funds broader ENTROPY operations through exploit sales +- **Intelligence:** Tracks vulnerability landscape, identifies high-value targets + +**Evidence Player Discovers:** +- Client list includes all Season 1 ENTROPY cells +- ProFTPD exploit (CVE-2010-4652) sold to Ghost for $12,500 +- "The Architect" mentioned in encrypted communications: "Prioritize infrastructure exploits per Architect's requirements" +- Systematic vulnerability research targeting healthcare, energy, social media sectors + +--- + +## Narrative Theme: "Intelligence Gathering & Network Reconnaissance" + +### Recommended Theme + +**Primary Theme:** Corporate Espionage / Undercover Operation +**Secondary Theme:** Network Reconnaissance as Intelligence Tradecraft +**Tone:** Espionage thriller with cybersecurity education + +### Theme Deep Dive + +**Setting:** WhiteHat Security Services—a professional security consulting firm that serves as Zero Day Syndicate's legitimate facade. Modern corporate office with conference rooms, executive suites, penetration testing lab, and server room. + +**Atmosphere:** +- **Daytime:** Busy, professional, corporate—players maintain cover as potential client +- **Nighttime:** Tense, quiet, high-stakes—infiltration with risk of detection +- **Discovery:** Shocking revelation when evidence connects to M2 hospital attack + +**Central Conflict:** Players must maintain cover while gathering evidence of criminal operations, culminating in the choice to arrest Victoria (blow cover, disrupt cell) or become double agent (long-term intelligence, maintain cover). + +--- + +## 3-Act Structure (Complete Preview) + +### Act 1: Undercover Infiltration (15-25 minutes, 20-30% of playtime) + +**Scene 1: Briefing (Agent 0x99)** +- Mission overview: SAFETYNET intel indicates WhiteHat Security is Zero Day front +- Cover story: Player poses as corporate client seeking penetration testing services +- Equipment: RFID cloner device provided by SAFETYNET +- Objective: Daytime reconnaissance, map office, identify Victoria Sterling's RFID card + +**Scene 2: Daytime Reconnaissance** +- Player arrives at WhiteHat Security as "prospective client" +- Meet Victoria Sterling (sales lead) - professional, charismatic, convincing +- Optional: Meet James Park (pen tester) - innocent employee, unaware of criminal clients +- Clone Victoria's RFID card via proximity (10-second window during conversation) +- Gather office layout information, identify server room location +- Build trust (victoria_trust variable) for potential alternative paths +- **Objective Complete:** Daytime recon finished, return after hours + +**Scene 3: Extraction and Planning** +- Leave office, regroup with Agent 0x99 +- Plan nighttime infiltration based on daytime intel +- Agent 0x99 provides network reconnaissance tutorial (nmap basics) + +### Act 2: Investigation & Escalation (30-40 minutes, 50-55% of playtime) + +**Scene 4: Nighttime Infiltration** +- Return to WhiteHat Security after hours +- Navigate guard patrol (stealth or social engineering) +- Use cloned RFID card to access server room +- Encounter locked server room door (lockpicking or keycard backup) + +**Scene 5: Network Reconnaissance** +- Access VM terminal in server room +- Scan Zero Day's training network (nmap challenge) +- Banner grab from netcat services (flags in service banners) +- Exploit distcc vulnerability for shell access +- Submit flags at drop-site terminal → unlock intelligence + +**Scene 6: Physical Evidence Collection** +- Discover whiteboard message (ROT13): "Meet with The Architect - Prioritize infras exploits" +- Access computer with client list (Hex-encoded): Ransomware Inc, Critical Mass, Social Fabric +- Find email draft (Base64): Victoria's quarterly pricing update +- Hidden USB drive (double-encoded): Confirms M2 hospital ransomware exploit sale + +**Scene 7: Correlation & Discovery** +- Decode all messages using in-game CyberChef workstation +- Correlate VM flags + physical evidence +- **MAJOR REVELATION:** Zero Day sold ProFTPD exploit to Ghost for $12,500 +- Player realizes: "This is the exploit used in Mission 2's hospital ransomware!" +- **PATTERN EMERGES:** "The Architect" mentioned in multiple sources + +### Act 3: Climax & Choice (10-15 minutes, 20-25% of playtime) + +**Scene 8: Mid-Mission Discovery (Optional Moral Choice)** +- Player discovers James Park (innocent pen tester) will be collateral if entire firm exposed +- **Choice:** + - **Protect James:** Warn him privately or document his innocence + - **Focus on Mission:** Let James face consequences for cleaner operation + +**Scene 9: Victoria Confrontation / Double Agent Offer** +- Victoria discovers player's true identity (or player reveals) +- **Major Choice:** + - **Option A: Arrest Victoria** + - Consequences: Cell disrupted, Victoria imprisoned, long-term intelligence lost + - SAFETYNET gains evidence but loses future Zero Day insight + - Zero Day Syndicate weakened for rest of campaign + - **Option B: Become Double Agent** + - Consequences: Victoria free, long-term intelligence feeds established, risk of exposure + - SAFETYNET maintains inside source on ENTROPY exploit operations + - Risk: Player might be discovered as double agent in later missions + +**Scene 10: Closing Debrief (Agent 0x99)** +- Agent 0x99 reviews mission outcomes +- Acknowledges player choices: + - Victoria's fate (arrested / double agent) + - James Park's fate (protected / exposed / ignorance maintained) + - Evidence quality (complete / partial intelligence picture) + - M2 connection discovered (Zero Day's role in hospital ransomware) + - The Architect pattern (cross-cell coordination confirmed) +- **Campaign Arc Progression:** "We've suspected ENTROPY cells coordinate, but you've found proof. 'The Architect' isn't just a rumor—it's real. We need to find out who they are." + +--- + +## Key NPCs + +### Victoria "Vick" Sterling (Zero Day Sales Lead) + +**Role:** Primary antagonist, true believer, double agent/arrest choice target +**Age:** 38 +**Background:** Former NSA contractor turned vulnerability broker, MBA from MIT +**Personality:** Professional, charismatic, calculating, ideologically committed + +**Philosophy:** +- Believes in "free market of vulnerabilities" as natural economic system +- Sees zero-day brokerage as legitimate consulting business +- No moral responsibility for how clients use exploits +- Views herself as researcher and disclosure advocate, not criminal + +**Voice Examples:** +- "Security is an economic problem, not a moral one. Vulnerabilities have market value." +- "I don't control what clients do with our research. That's their ethical burden, not mine." +- "Governments weaponize zero-days every day. We simply level the playing field." + +**Dialogue Patterns:** +- Corporate professional language (ROI, market dynamics, consulting services) +- Defends actions with economic/libertarian logic +- Refuses cooperation if arrested (ideologically committed) +- Respects competence (if player demonstrates skill, offers double agent role) + +### James Park (Innocent Pen Tester) + +**Role:** Innocent employee, moral complexity character, optional protection choice +**Age:** 29 +**Background:** OSCP certified, works in WhiteHat's legitimate penetration testing division +**Awareness:** Genuinely believes WhiteHat is legitimate security firm, unaware of criminal clients + +**Function:** +- Provides office layout information during daytime (innocent small talk) +- Represents moral complexity (collateral damage of exposing entire firm) +- Player choice: protect innocent or sacrifice for mission efficiency + +**Voice Examples:** +- "WhiteHat's a great place to work. We do security audits for Fortune 500 companies." +- "Victoria's really professional. She's been mentoring me on client relations." +- (If warned) "Wait, what? Criminal exploits? I had no idea..." + +### "Cipher" (Zero Day Syndicate Cell Leader) + +**Role:** Referenced antagonist, builds mystery for later missions +**Status:** Not physically present in M3, only mentioned in documents + +**References:** +- Email subject line: "Per Cipher's approval: Q3 pricing update" +- Operational log: "Cipher authorized ProFTPD sale to external cell" +- Victoria's comment: "I report to Cipher. They handle strategic decisions." + +**Purpose:** Establish Zero Day hierarchy, create future villain for potential M6-M10 + +### Agent 0x99 (SAFETYNET Handler) + +**Role:** Mission briefing, tutorial support, closing debrief +**Function:** +- Provides undercover operation briefing +- Gives RFID cloning tutorial +- Explains network reconnaissance fundamentals +- Closing debrief reflects player choices + +**Voice:** Professional intelligence officer, tactical guidance, non-judgmental about choices + +--- + +## LORE Opportunities + +### LORE Fragment 1: Zero Day Client List (Intermediate Difficulty) +**Location:** Executive office computer (Hex-encoded file) +**Requirement:** Lockpick executive office OR high Victoria trust (keycard access) + +**Content:** +``` +ZERO DAY SYNDICATE - CLIENT ROSTER (Q3 2024) + +ACTIVE CLIENTS: +━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ +Ransomware Incorporated (Ghost) + - ProFTPD 1.3.5 backdoor (CVE-2010-4652): $12,500 + - Healthcare sector reconnaissance package: $15,000 + - Client Status: PRIORITY (Architect directive) + +Critical Mass (Vanguard) + - SCADA zero-day (Unreleased): $45,000 + - ICS exploitation toolkit: $22,000 + - Client Status: HIGH VALUE + +Social Fabric (Cascade) + - OAuth implementation flaw: $8,500 + - Session hijacking exploit chain: $11,000 + - Client Status: RECURRING + +[15 more clients listed...] +``` + +**Significance:** Reveals cross-cell coordination, connects M2 hospital attack directly to Zero Day + +### LORE Fragment 2: Exploit Catalog & Pricing (Intermediate Difficulty) +**Location:** Server room safe (PIN-protected: 2010) +**Requirement:** Crack safe PIN (clue: company founding year in reception plaque) + +**Content:** +``` +ZERO DAY SYNDICATE - EXPLOIT CATALOG (2024 EDITION) + +PRICING MODEL: +━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ +CVE Severity Base Price Exclusivity Fee Sector Premium +━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ +CRITICAL $35,000 +$15,000 Healthcare: +40% +HIGH $18,000 +$8,000 Energy: +60% +MEDIUM $7,500 +$3,000 Finance: +50% +LOW $2,500 +$1,000 Social Media: +30% + +FEATURED EXPLOITS: +1. ProFTPD 1.3.5 Backdoor (CVE-2010-4652) + - Severity: HIGH + - Price: $12,500 (Healthcare premium applied) + - Buyer: Ransomware Incorporated + - Status: SOLD - 2024-05-15 + +2. distcc Daemon RCE (CVE-2004-2687) + - Severity: CRITICAL + - Price: $8,000 (Legacy discount) + - Buyer: Training Network (Internal Use) + - Status: DEPLOYED +``` + +**Significance:** Shows systematic vulnerability research, economic model, ProFTPD M2 connection + +### LORE Fragment 3: The Architect's Requirements (Advanced Difficulty) +**Location:** Hidden USB drive in Victoria's desk drawer (double-encoded: ROT13 + Base64) +**Requirement:** Lockpick desk drawer + multi-stage decoding + +**Content:** +``` +FROM: The Architect +TO: Cipher +SUBJECT: Q4 Strategic Priorities +DATE: 2024-10-01 +━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ + +Cipher, + +Q4 priorities for Zero Day Syndicate: + +1. INFRASTRUCTURE EXPLOITS (PRIORITY) + - Focus on healthcare sector SCADA systems + - Energy grid ICS vulnerabilities + - Municipal water treatment exploits + - Critical Mass requires these for Phase 2 + +2. CROSS-CELL COORDINATION + - Provide Ransomware Inc with hospital targeting packages + - Supply Social Fabric with OAuth/session exploits + - Crypto Anarchists need financial sector zero-days + +3. OPERATIONAL SECURITY + - WhiteHat Security front must remain convincing + - Victoria Sterling authorized to recruit double agents + - Pen testing division (Park, etc.) kept unaware + +4. REVENUE TARGETS + - $850K minimum Q4 sales + - Healthcare premium pricing (40% markup) + - Architect's Cut: 15% of gross to coordination fund + +The network strengthens. Each cell serves the whole. + +- The Architect +``` + +**Significance:** +- **First direct communication from The Architect** (campaign arc progression) +- Reveals ENTROPY is coordinated hierarchy, not loose network +- Shows strategic planning across cells +- References "Phase 2" (foreshadowing future missions) +- Mentions Crypto Anarchists (sets up M6) + +### LORE Fragment 4: Victoria Sterling's Manifesto (Optional) +**Location:** Conference room whiteboard (photographable) +**Requirement:** Access conference room (unlocked during daytime recon) + +**Content (visible on whiteboard):** +``` +INFORMATION ASYMMETRY IS MARKET VALUE + +"Security through obscurity is dead. + Security through economics is evolution. + + Vulnerabilities exist. They have value. + Disclosure has a price. Market sets it. + + We don't exploit systems. + We monetize the consequences of negligence. + + Free market doesn't judge buyers. + Neither do we." + + - V. Sterling, Zero Day Syndicate Philosophy +``` + +**Significance:** Shows Victoria's true believer status, free-market ideology, moral framework + +--- + +## Victory Conditions and Failure States + +### Full Success (100% Completion) +- ✅ All 4 VM flags submitted (network scan, FTP intel, pricing, distcc exploit) +- ✅ All 4 in-game encoded messages decoded (ROT13, Hex, Base64, double-encoded) +- ✅ All 3 LORE fragments collected +- ✅ RFID card cloned successfully +- ✅ Server room accessed +- ✅ Evidence correlated: M2 connection discovered +- ✅ Victoria choice made (arrest OR double agent) +- ✅ James Park choice made (protect OR ignore) +- ✅ Never detected by guard (stealth bonus) + +**Reward:** Complete intelligence picture, strong evidence for campaign arc, double agent asset OR cell disruption + +### Standard Success (80% Completion) +- ✅ 3/4 VM flags submitted (minimum: network scan, FTP intel, distcc) +- ✅ 3/4 in-game messages decoded +- ✅ 2/3 LORE fragments collected +- ✅ Server room accessed +- ✅ M2 connection discovered +- ✅ Victoria choice made + +**Reward:** Solid intelligence, campaign arc progresses, some gaps in evidence + +### Minimal Success (60% Completion) +- ✅ 2/4 VM flags submitted +- ✅ 2/4 in-game messages decoded +- ✅ Server room accessed +- ✅ Victoria choice made + +**Reward:** Basic intelligence gathered, mission objectives met, but incomplete picture + +### Failure States + +**Mission Failed - Cover Blown:** +- Player detected by guard multiple times +- Victoria discovers infiltration prematurely +- Alarm triggered +- **Consequence:** Mission abort, Zero Day alerted, no intelligence gathered + +**Mission Failed - Soft Lock (Preventable):** +- Cannot access server room (failed RFID cloning, no alternative path) +- **Prevention:** Multiple paths (RFID cloning, social engineering, lockpicking security room for backup keycard) + +**Partial Failure - Incomplete Intelligence:** +- Player completes minimum objectives but misses LORE fragments +- **Consequence:** Mission succeeds but intelligence gaps limit campaign arc insights + +--- + +## Educational Objectives + +### Primary Learning Outcomes + +**After completing Mission 3, players should be able to:** + +1. **Network Reconnaissance (NSS):** + - Explain the purpose of port scanning in penetration testing + - Identify common port numbers and their associated services (21=FTP, 22=SSH, 80=HTTP) + - Understand banner grabbing as intelligence gathering technique + - Describe nmap's role in network mapping + +2. **Service Exploitation (SS):** + - Recognize legacy service vulnerabilities (distcc CVE-2004-2687) + - Understand that older services may have known exploits + - Apply vulnerability research to exploitation (CVE lookup → exploit) + +3. **Encoding Types (ACS):** + - Distinguish ROT13, Hex, and Base64 encoding + - Decode multi-stage nested encoding (ROT13 + Base64) + - Recognize encoded data patterns in network services + - Use CyberChef for multi-step decoding + +4. **Intelligence Correlation (SOC):** + - Combine physical evidence with digital intelligence + - Recognize patterns across multiple data sources + - Systematic investigation methodology + - OSINT principles (reconnaissance, correlation, analysis) + +5. **RFID Security (Physical Security):** + - Understand RFID cloning vulnerabilities + - Proximity-based security attacks + - Physical security bypass techniques + +### Secondary Learning Outcomes + +**Social Engineering:** +- Undercover operation tactics +- Trust exploitation in professional environments +- Cover story maintenance + +**Operational Security:** +- Timing-based stealth around patrols +- Risk assessment (when to abort vs. continue) +- Evidence collection without detection + +**Ethical Complexity:** +- Consequences of infiltration (innocent bystanders like James) +- Double agent ethics (deception for greater good?) +- Balancing mission objectives with collateral damage + +--- + +## Integration with Season 1 Campaign Arc + +### Connection to Previous Missions + +**Mission 1 (First Contact - Social Fabric):** +- Social Fabric appears in Zero Day client list +- Confirms ENTROPY cells are interconnected +- OAuth exploit used by Cascade was sold by Zero Day + +**Mission 2 (Ransomed Trust - Ransomware Inc):** +- **MAJOR REVEAL:** ProFTPD exploit (CVE-2010-4652) sold by Zero Day to Ghost for $12,500 +- Hospital ransomware attack directly traceable to Zero Day +- Player experiences "aha moment": "ENTROPY cells coordinate!" +- Ghost's operation funded by Zero Day exploit sales + +### Connection to Future Missions + +**Mission 4 (Critical Mass - Unknown Cell):** +- Critical Mass appears in client list +- SCADA/ICS exploits sold to Vanguard +- Sets up infrastructure attack in M4 + +**Mission 6 (Crypto Anarchists - Financial Sector):** +- Crypto Anarchists mentioned in Architect's requirements +- Financial sector exploits referenced +- Sets up cryptocurrency/financial crime arc + +**Mission 7-9 (The Architect Reveal Arc):** +- First direct communication from The Architect discovered +- "Phase 2" referenced (future campaign escalation) +- Coordination model revealed (cells serve central coordinator) + +### Campaign Arc Progression + +**Before M3:** Players suspect ENTROPY cells are independent criminals +**After M3:** Players realize ENTROPY is coordinated network under "The Architect" + +**Evidence Trail:** +- M1: Social Fabric mentioned (cell exists) +- M2: Ransomware Inc mentioned (another cell) +- M3: **Client list shows all cells, The Architect coordinates them** +- M4+: Investigation shifts to uncovering The Architect's identity + +--- + +## Post-Mission Debrief Revelation + +**Agent 0x99's Debrief (Summary):** + +> "Let me review your operation, Agent. +> +> **Victoria Sterling's Fate:** +> [If arrested] You arrested Victoria Sterling. Zero Day Syndicate's sales operations are disrupted. We've seized exploit catalogs and client lists. Victoria refuses to cooperate—true believer in the 'vulnerability marketplace.' Cipher will rebuild, but you've bought us time. +> +> [If double agent] You've established Victoria as a double agent. Risky, but potentially invaluable. We'll feed her disinformation and track Zero Day's operations long-term. If she discovers you're SAFETYNET... well, you know the risks. +> +> **James Park's Fate:** +> [If protected] You protected James Park. Documentation shows he's innocent—just a pen tester who believed WhiteHat was legitimate. He's cooperating with our investigation now. Good call. +> +> [If exposed] James Park was arrested with the others. He's facing charges despite having no knowledge of criminal operations. Sometimes innocents get caught in the crossfire. That's on all of us. +> +> **The Critical Discovery:** +> This changes everything. Zero Day Syndicate sold the ProFTPD exploit used in Mission 2's hospital ransomware attack. Ghost paid $12,500 for the backdoor that killed 4-6 patients. +> +> **ENTROPY isn't a loose network. They're coordinated.** +> +> You found communications from 'The Architect'—someone coordinating cells, prioritizing targets, directing operations. We've suspected this for months, but you've found proof. +> +> Social Fabric, Ransomware Incorporated, Zero Day Syndicate, Critical Mass... they're all connected. And someone called The Architect is pulling the strings. +> +> Your mission is evolving, Agent. We're not just disrupting individual cells anymore. We're hunting the coordinator. And if The Architect is real... we're in for a much bigger fight. +> +> Good work. We'll debrief fully back at SAFETYNET HQ." + +--- + +## Stage 0 Completion Checklist + +### Deliverables + +- [✅] `00_scenario_initialization.md` - This document (COMPLETE) +- [🔄] `technical_challenges.md` - Detailed breakdown of VM + in-game challenges (NEXT) +- [🔄] `narrative_themes.md` - Expanded narrative details (NEXT) +- [🔄] `hybrid_architecture_plan.md` - VM + ERB integration specification (NEXT) + +### Critical Decisions Made + +- [✅] RFID cloning mechanics: Proximity-based (10 seconds) + social engineering alternative +- [✅] Network scanning interface: Automated flag collection + guided tutorial +- [✅] Double agent consequences: Long-term intelligence vs. immediate disruption +- [✅] The Architect reveal level: Name only + coordination evidence (identity reserved for M7-M9) +- [✅] Zero Day front company: WhiteHat Security Services (corporate security consulting) +- [✅] Daytime/nighttime structure: Undercover recon → nighttime infiltration + +### Cross-References Documented + +- [✅] Mission 1 connection (Social Fabric client) +- [✅] Mission 2 connection (ProFTPD exploit sale to Ghost) +- [✅] Mission 4 setup (Critical Mass client, SCADA exploits) +- [✅] Mission 6 setup (Crypto Anarchists mention) +- [✅] Mission 7-9 setup (The Architect introduction) +- [✅] Zero Day Syndicate philosophy documented +- [✅] SecGen scenario compatibility confirmed + +--- + +## Next Steps: Stage 1 + +**Proceed to:** Stage 1 - Narrative Structure Development + +**Reference Prompt:** `story_design/story_dev_prompts/01_narrative_structure.md` + +**Key Tasks for Stage 1:** +- Expand 3-act structure into scene-by-scene breakdown (12-15 scenes) +- Identify key story beats and dramatic moments (M2 connection reveal, Architect discovery) +- Map emotional arc (professional undercover → discovery → revelation) +- Design pacing chart (daytime recon 20% → nighttime 55% → climax 25%) +- Create narrative beat timeline + +--- + +**Document Version:** 1.0 +**Last Updated:** 2025-12-24 +**Status:** ✅ STAGE 0 COMPLETE - READY FOR STAGE 1 + +**"In the shadows of the vulnerability marketplace, who profits from chaos? When systems are weaponized, who decides the rules of engagement?"** + +---