🚫 Closed till DEF CON 34, see y'all next year! 🚫
Project Obsidian LogoBTV CTF
Ekoparty 2025 CTF

Ekoparty Bluespace

Immerse yourself in realistic security incidents that mirror real-world threats. Practice containment, analysis, and remediation techniques used by professional incident response teams.

Wazuh SIEM

Self-Paced

1-4 Members

Intermediate

Ekoparty 2025 - Bluespace Challenge

Welcome to the Bluespace challenge! Developed by BTV's Project Obsidian team, this CTF offers an immersive incident response exercise designed to challenge and engage participants of all skill levels. Dive into a detailed, realistic scenario that tests your ability to handle complex security incidents and sharpen your cyber defense skills.

ARM Mac Compatibility

This guide specifically addresses the challenges of running Wazuh on Apple Silicon Macs, including x86_64 emulation requirements and OpenSearch compatibility issues.

By the end of this challenge, you'll have a fully functional Wazuh SIEM instance running on your Mac, complete with pre-configured data and ready for security analysis.

Challenge Access

CTFd Platform

Access the full Ekoparty 2025 Bluespace CTFd platform with all kill chain challenges, scoring, and leaderboards.

Access CTFd Platform

CTF Setup Guide

Follow these step-by-step instructions to set up your Wazuh SIEM environment for the Ekoparty 2025 Bluespace challenge.

Prerequisites

System Requirements

  • • Windows: 10 or later
  • • macOS: 12.0 (Monterey) or later
  • • RAM: Minimum 8GB, Recommended 12GB+
  • • Storage: 100GB+ free space
  • • Architecture: Apple Silicon (M1/M2/M3) or x86_64

Required Software for Windows

Perform the following steps:

  1. 1. Download Setup-WazuhCTF.ps1
  2. 2. Run the script as Administrator
  3. 3. Follow the prompts to install Wazuh SIEM and configure the CTF environment

Required Software for macOS

Install Homebrew and Docker
# Install Homebrew (if not already installed)
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"

# Install required tools
brew install docker docker-compose

Docker Desktop Setup

  1. 1. Download Docker Desktop for Mac (Apple Silicon)
  2. 2. Enable "Use Rosetta for x86/amd64 emulation"
  3. 3. Allocate 12GB+ RAM
  4. 4. Allocate 6+ CPU cores
  5. 5. Allocate 100 GB of Disk usage
  6. 6. Ensure Docker Desktop is running before proceeding
Step 1: Clone the Repository
Clone Wazuh Docker repository
git clone https://github.com/wazuh/wazuh-docker.git -b v4.13.1
cd wazuh-docker/single-node
Step 2: Generate Certificates
Generate SSL certificates
# Generate SSL certificates
docker compose -f generate-indexer-certs.yml run --rm generator

# Fix permission issues
chmod 755 config/wazuh_indexer_ssl_certs/
chmod 644 config/wazuh_indexer_ssl_certs/*.pem
chmod 644 config/wazuh_indexer_ssl_certs/*.key

# Create missing root-ca-manager files (required for ARM Mac)
cp config/wazuh_indexer_ssl_certs/root-ca.pem config/wazuh_indexer_ssl_certs/root-ca-manager.pem
cp config/wazuh_indexer_ssl_certs/root-ca.key config/wazuh_indexer_ssl_certs/root-ca-manager.key
Step 3: Create x86_64 Override File

Create docker-compose.x86-simple.yml:

Create x86_64 override file
# docker-compose.x86-simple.yml
services:
  wazuh.manager:
    platform: linux/amd64
  wazuh.indexer:
    platform: linux/amd64
    environment:
      - "OPENSEARCH_JAVA_OPTS=-Xms1g -Xmx1g -Dopensearch.bootstrap.system_call_filter=false"
  wazuh.dashboard:
    platform: linux/amd64

Key Points:

  • platform: linux/amd64 forces x86_64 emulation for ARM Mac compatibility
  • • OpenSearch Java options disable seccomp filter (critical for ARM Mac)
  • • Service names match the official Wazuh Docker setup
Step 4: Deploy with x86 Emulation
Deploy with x86_64 emulation (REQUIRED for ARM Mac)
# Deploy with x86_64 emulation (REQUIRED for ARM Mac)
docker compose -f docker-compose.yml -f docker-compose.x86-simple.yml up -d

# Check status
docker compose ps
Step 5: Restore Docker Volumes

This will hydrate your Wazuh environment to support CTF challenges:

Download and restore Wazuh data
curl -L -o wazuh-backup-20251017-192456.tar.gz \
	--progress-bar \
	https://s3.us-west-2.amazonaws.com/media.blueteamvillage.org/DC33/CTF-OBSIDIAN/DOCKER_VOLUMES/wazuh-backup-20251017-192456.tar.gz

tar -xzvf wazuh-backup-20251017-192456.tar.gz

cd wazuh-backup-20251017-192456/

./restore-wazuh-volumes.sh

Restart Docker Deployment

Restart containers
docker rm -f $(docker ps -a -q)
cd ..
docker compose -f docker-compose.yml -f docker-compose.x86-simple.yml up -d

Access Wazuh

After the Wazuh instance comes up again, go to https://localhost/ and log in with:

username: admin
password: SecretPassword
Docker Deployment

Master Docker deployment techniques for complex applications, including multi-container orchestration and volume management.

  • • Docker Compose configuration
  • • Container orchestration
  • • Volume management
  • • ARM64 compatibility
SIEM Configuration

Learn to configure and customize Wazuh SIEM for your specific security monitoring needs.

  • • SSL certificate management
  • • User authentication setup
  • • Dashboard configuration
  • • Data ingestion setup
Troubleshooting

Develop skills in diagnosing and resolving common deployment issues and configuration problems.

  • • Permission troubleshooting
  • • Container health monitoring
  • • Log analysis
  • • Performance optimization
Security Analysis

Practice using Wazuh for real-world security monitoring and incident response scenarios.

  • • Log analysis techniques
  • • Threat detection rules
  • • Incident investigation
  • • Reporting and alerting