NCL Summer 2015 Skyline Thoughts and Challenges Walk through

NCL recently ran a pilot to introduce there new skyline platform. Although this will likely be the NCL Summer 2015 competition i’ll be able to compete in, I wanted to give my honest opinion on the platform and walk through some of the challenges that I thought were well done.

Review:

First of all I find that this new Skyline platform had far better performance then old NCL scoring engine. This is likely due to the lower number of players in this summer round, but I hope the stability remains. Additionally, I thought the step by step approach with hints available will make challenges far more approachable to player who are new to the infosec competition space. My only real criticism would be the web app challenge, having it embedded into the skyline interface made it much harder to work with. In the further maybe still host web app challenges in AWS.

Challenges:

QR Code Images

There were really two very similar QR image challenges. These were among my favorite present, in this NCL round. Since some of the guided questions were very similar I will just cover them once. Now the latter image is given to you in 4 pieces and you are meant to use your forensic skills to reassemble the image based on some hex headers, footers, and commonalities. However, I just wrote a quick script to cat each of the files together in each of the possible permutations; then just opened the one that showed a valid thumbnail of the image.

What is the md5 hash of the image? In both chases the following command on that trust kali box will get you the

NCL 2014 Team Challenges

Although I wont cover all of the team challenges that Kernel Panic completed during the NCL 2014 Team Post Season round, several stood out amongst the rest.

I’d also note, some of the challenges from the individual round were covered on the site of my Cyber Defense Team.

Passwords 1:

For this challenge, we were given a password hashing algorithm written in java script. I heard from some other teams, that they had successfully reverse engineered the algorithm; in order to decode the passwords. However, we had s better rate of success just running a word list through the algorithm and doing some string comparison. In the end it turned out, that the passwords were all World of Warcraft towns, and a few Google’s made a winning word list.

Recon 2:

In this challenge we were asked to find the port on a server that was actually running an HTTP 1.0 compatible server and to then to find several flags. After a very confusing start, we discovered that the server was running port spoof. This nifty piece of software, randomly generates one of roughly 400 legitimate service banners, on each of the unused ports. Several of these possible banners being Apache products. However, it turned out that the web server was running nginx, which only really has one service banner. So we were able to use nmap to request the service banner for each port and then grep through the results for nginx. We then found the correct port to be 56565, and the first 5 flags could be found from viewing the pages source.

NCLRecon2

In order to get the last flag, you would have had to guess or know from previous exercise (<- what the heck NCL), that you can just throw a /flag on the end of the site URL. You will then be served a text file with the flag information inside it.

NCLRecon2flag

Web 3:

Using the CHANGELOG.txt file of the site, we were quickly able to identify that the server was vulnerable to a string of Drupal vulnerabilities that had recently surfaced. However, due to the destructive (<- no fun NCL) nature of these SQL based exploits, we were unable to gain a strong foot hold within this box. It should be noted that towards the end of the session a metasploit module (drupal_drupageddon) was even release to exploit this vulnerability, and still very few teams were able to capture the flag.

Exploit 3:

This challenge was all about gaining access to the system and gathering flags. The exploit being the shellshock vulnerability allowing for a special string of characters to be passed into a web function that processes bash commands. In this case, the vulnerability existed in a php-cgi script called dpkglist. This allowed for a specially encoded string to be passed as the user agent of an http request, to the effected web server. This string can also be manipulated to allow for fully qualified commands to be entered and their output to be displayed, if they output only one stream. Bellow is the curl command I engineered during the challenge to run the cat command on the flag files.

curl -H “User-Agent: () { ignored; }; echo Content-Type: text/plain ; echo ; echo ; /bin/cat flag.cgi;” -k https://54.83.28.186/cgi-bin/dpkglist.cgi

 

Special thanks to the other members of my team:

Turner “Shadow_Crux” England

Wade “HelpdeskMan” Schimmoeller

Elliot “CiscoMan”  Stidd

Michael “Seleventyeleven” Contino

NCL 2013 Challenge Walk Through

NCL 2013 Pre-Season Walk through by: Michael “Sleventyeleven” Contino

So I thought I would do a walk through of the various challenges I completed in the NCL 2013 Pre-season. Now this is the first walk through I have done, so I hope it’s useful. Also, I decided to do this walk through half way through the competition, so I don’t have as many images or logs as I would have liked, but I will do my best to explain the process I used.

Entering the competition, the first thing that I did was make a list of targets and downloaded all available files. This of course meant that I made a list of all the web targets and grabbed the password files.

Windows Passwords

The first thing I did was load up Ophcrack. For those who don’t know Ophcrack is a windows based password cracker that uses proprietary  tables. I had access to the tables because of my work, but I’ve heard the free tables will also crack most of the passwords in a few min.

Now one of the things that annoys me the most about password cracking is formatting the hashes for each tool that you want to use. Ophcrack and most other tools take NTLM windows passwords in pwdump format.

<username>:<SID>:<LM hash>:<NT hash>:<comment>::

This is not the format that the hashes where given in. Oh and half of the hash points where for copy-pasting the hashes into the scorebot. They were accepted in the format <lm hash>:<nt hash> .

Anyway, back to password cracking with Ophcrack. Here is a screen cap with the free tables.

 

As can be seen to the right, even with just the few free tables, most of the passwords are cracked with no problem.

 

As can be seen with the added tables all but one NTv2 password is found.

The last password, of user11, was not cracked and at the time of writing remains as such.

Although, using hashcat or john the ripper should find the password within a few days’ time.

Linux Passwords

For the linux passwords I went straight for john the ripper. John is very good at cracking a large range of passwords and is by far the most commonly used hash smasher out there. To solve the linux hashes I used the wordlists in /usr/share/wordlists/ directory within kali linux. I solved several of the linux passwords with the following command.

John  –wordlist=/usr/share/wordlists/rockyou.txt LinuxPass

Where LinuxPass, is the list of password hashes, in the proper format

See http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats for all future john formatting.

It looks like the following as cracking continues.

 

Next I took the list of hosts I created and did a nice long, comprehensive nmap scan with it.

List of addresses

54.221.227.234, 54.221.227.237, 54.221.227.140, 54.221.227.141, 54.221.227.199, 54.221.227.216, 54.221.211.172, 54.221.227.231, 54.221.227.232

nmap -sS -sU -T4 -A -v -PE -PP -PS80,443 -PA3389 -PU40125 -PY -g 53 –script “default or (discovery and safe)” –iL hosts –oA nclpre

This scan collects all the majority of the port and service information for the hosts to a one of each nmap file type for later use.

 

Recon 1

For this challenge it was all about interpreting these scans and just entering the open ports as flags from low to high. Here is the basic view of the results

 

Recon 2

Again, I started with my huge nmap scan looking for the website port and service for the last two flags. It turned out that a web server was being hosted by apache on port 34567.

Then I went to website I found at http://54.221.227.237:34567 and saw flag one and a blank page, so I looked at the page source. This shows the other flags.

 

To this day I’m still not sure what to do with these <hash> things, but I found several.

Correction: these <hash> values are base64 encoded strings

TkNMLTQ2NzktRkpLTgo = NCL-4679-FJKN

Open Source Intel 1

This challenge was all about getting to know the NCL website.  I found the first set of flags by running a whois on the nationalcyberleague.org domain. It looks like this.

WHOIS information for nationalcyberleague.org:***

 

[Querying whois.publicinterestregistry.net]

[whois.publicinterestregistry.net]

Domain ID:D162323715-LROR

Domain Name:NATIONALCYBERLEAGUE.ORG

Created On:20-May-2011 14:18:45 UTC

Last Updated On:15-Apr-2013 18:11:06 UTC

Expiration Date:20-May-2014 14:18:45 UTC

Sponsoring Registrar:Network Solutions, LLC (R63-LROR)

Status:CLIENT TRANSFER PROHIBITED

Registrant ID:40102524-NSIV

Registrant Name:CyberWATCH Center

Registrant Organization:CyberWATCH Center

Registrant Street1:ATTN insert domain name here

Registrant Street2:care of Network Solutions

Registrant Street3:PO Box 459

Registrant City:Drums

Registrant State/Province:PA

Registrant Postal Code:18222

Registrant Country:US

Registrant Phone:+1.5707088780

Registrant Phone Ext.:

Registrant FAX:

Registrant FAX Ext.:

Registrant Email:gf3kh6sv3bf@networksolutionsprivateregistration.com

Admin ID:40102524-NSIV

Admin Name:CyberWATCH Center

Admin Organization:CyberWATCH Center

Admin Street1:ATTN insert domain name here

Admin Street2:care of Network Solutions

Admin Street3:PO Box 459

Admin City:Drums

Admin State/Province:PA

Admin Postal Code:18222

Admin Country:US

Admin Phone:+1.5707088780

Admin Phone Ext.:

Admin FAX:

Admin FAX Ext.:

Admin Email:gf3kh6sv3bf@networksolutionsprivateregistration.com

Tech ID:40102524-NSIV

Tech Name:CyberWATCH Center

Tech Organization:CyberWATCH Center

Tech Street1:ATTN insert domain name here

Tech Street2:care of Network Solutions

Tech Street3:PO Box 459

Tech City:Drums

Tech State/Province:PA

Tech Postal Code:18222

Tech Country:US

Tech Phone:+1.5707088780

 

The rest of the Open Source Intel was all about looking through the site to find the requested information.

The contact email is info@ nationalcyberleague.org, I just knew that one.

Casey W. O’Brien’s email can be found on http://www.nationalcyberleague.org/sponsors.shtml

The designer of the site D’BLEND, can be found at the bottom of almost every page.

The twitter handle (without the @) can be found on http://www.nationalcyberleague.org/connect.shtml

The support email for the Gymnasium can be found at the bottom of http://www.nationalcyberleague.org/gymnasiums.shtml

The coaches should contact info@nationalcyberleague.org, and can be found on http://www.nationalcyberleague.org/faq.shtml

The finally score url can be found by going to seasons, fall 2012, and selecting the national leaderboard.

http://www.nationalcyberleague.org/2012/Fall/lb_national.shtml

The Google Analytics ID is UA-30791762-1 and can be seen by looking at the source of almost any page.

Open Source Intel 2

This was much like the first challenge, snoop around and figure out the flag value.

The Gymansium software is called NETLAB+ and can be found on the NDG website here http://www.netdevgroup.com/products/

The CTF software is called ThreatSPACE and can be found on the isight partners website here http://www.isightpartners.com/products/threatspace/

The company hosting the Gymnasium is Network Development Group and can be found anywhere on their website here http://www.netdevgroup.com/

The company hosting the CTF is iSIGHT Partners and I found it on the FAQ page here http://www.nationalcyberleague.org/faq.shtml

Web 1

The first thing I did was go to the website and snoop around. I quickly notice that wiki had the special pages open to the public. So I went to the most popular pages here https://54.221.227.140/mediawiki/index.php/Special:PopularPages and found the first three flags. One was text, the second was an image, and the third was another one of those hashes.

Next I noticed that I was supposed to get access to a database of flags. Seeing that the page looked to be written in php, I begun to look for a MySQL database. Out of experience, one of the first things I do is check the site for /phpmyadmin/. When I did that, I get the nice login page here https://54.221.227.140/phpmyadmin/ . The first thing I did was use root as a username and no password, which is the default (for old versions only). It let me right in and I could go right to the flags database.

Next it asked for the mediawiki account password in blob form and what that password  actually was. For that I went to the wiki database and then to wiki_users table and the clicked on the user_password blob. Which netted me a binary file and looks something like this

 

With the blob itself looking like: B:cc9fd069:94d1a793d2a2fa3e5561aceeced889d4

This can be cracked once again with john and the proper format, which is $B$cc9fd069$94d1a793d2a2fa3e5561aceeced889d4 and the john command

John –format:mediawiki -w:/usr/share/wordlists/rockyou.txt blobfile

The other hash they wanted was the mysql hash and password. This could be found by going to the mysql database and then the users table.

The hash ends up being *2A9AE850D2828B510FB0360C9FAE859B984741F7 and I solved it by going to https://crackstation.net/ and getting the answer from their database.

 

 

Web 2

Web 2 ended up being much like web 1, as a begun by snooping around the webpage. So noticing again that the first flag was in the header of a wordpress page I viewed the source and searched for flags.

Finding the first flag

 

And the second flag

 

Then again the next thing they asked for was the flags form the flags database. Seeing in my nmap scans that the mysql database port was open, I went straight to the command line and tried it without a password just like before. It let me in, with root access once again and with a few sql commands I was looking at the flags table.

 

Next I went straight for the wordpress password as seen in these two screen caps.

 

After that, I cracked the word press password with john and the same old wordlist.

 

Next I went after the mysql password in the mysql database.

 

Once again at the time of this writing I have not cracked this password and the wordlist attack has failed. But here is the john command that will brute force the password.

John mysqlfile

Note you can also use crunch to generate a list of all possible flags in ncl format for cracking (~64GB)

Crunch 13 13 –t NCL-%%%%-,,,, >> wordlist.txt

Web 3

This challenge was quite a bit different from the other web ones. When you go to the page you just get a link that says login to get flags and a login box (that won’t show up cause I’ve already logged in).  The process I used to get the majority of the passwords was to simply use hydra to brute force with the following command

hydra -l user1 -P /usr/share/wordlists/rockyou.txt https://54.221.227.199/flags/

It looks like this (note: due to the pounding this server is taking it will take a very long time to brute all users)

 

 

Once you get anyone of the user’s password, you can login and see a huge directory of text files. You have to search through them and find the proper flags. (Listen to what it says) Here is one of each of the flag types.

James Ashley’s method of parsing all files at once.

wget –no-check-certificate –user=user1 –password=password -r https://54.221.227.199/flags then grep ‘This is the’ *

 

 

Linux 1

For the Linux challenge I noticed the there was a vsftp server running on port 21. From experience I knew that the exact vsftpd version, 2.3.4 that was installed had a backdoor that was exploitable. So I did just that, using the built in metasploit module. Then I used a standard ls command to make sure I had shell access. Form there I found quickly that to maintain access I would need to leverage ssh. So ran the exploit again and cated out the sshd_config file.

 

From there I noticed that public key authentication was the only thing that was available for authentication to ssh. So I added my public key to the Ubuntu user’s authorized_keys file. Form there I sshed in and found all the flags.

 

Windows 1

Sadly I didn’t get very far at all with this host. I’ll chalk it up to being a Linux guy. But if someone else with let me know what their pathway was for this host I would be grateful.

Note: This was also a box with a database (MSSQL) that had default credentials (sa and no password) and remote access.

Research 1

So this was a website that seemed to be running bash commands in the background (per some quick tests). So I quickly looked at the source and saw the bellow information designed to help out.

 

Here are the commands in order that I used to get the first 4 flags

google.com; cat /etc/passwd

4.2.2.2; cat /etc/group

google.com && cat /etc/motd #.com

google.com | cat /etc/shells #.com

The last one is similar but you have to use some way of finding the files, without using the wildcard characters.

Research 2

I just didn’t have the time to figure out exactly what trigged these flags, but once again viewing the pages source gives you the following hints.

Update: Wade Schimmoeller offered up the answers to these puzzles, as they were apart of round one in fall 2012. http://tinyurl.com/nl7xcmf

 


PCAP 1

This one I just opened up in wireshark and noticed it was all FTP traffic. So I went straight to finding the password within the packet capture and this is what I came up with.

 

PCAP 2

This challenge was very similar to PCAP 1, but I needed to rebuild the TCP stream in order to see what the flag was.

 

 

Wireless 1

After opening this one in wireshark I noticed that it was just a bunch of WEP encrypted packets with a whole lot of IV packets in the capture so I opened my terminal and brute forced it with aircrack-ng. It looks like this

(Note: aircrack-ng adds colons to all hex values; these must be removed before submission)

 

 

Wireless 2

This one worked almost exactly like Wireless 1, but used a higher level WEP encryption, which isn’t saying much. It too falls to aircrack-ng’s brute force attack in seconds.

 

Wireless 3

When I opened this one in wireshark I noticed that the traffic was encrypted using WPAv1. But it doesn’t matter with aircrack-ng and a wordlist it falls just as quickly as the rest.

Command: aircrack-ng NCL-WIRELESS-3 -w /usr/share/wordlist/rockyou.txt

 

Wireless 4

This would be cracked using the same wordlist method as before, but the key was not found in any of my wordlist and I could not make it through my entire NCL flags wordlist during the competition.

Recon 3

This one I couldn’t finish because my internet cut out several times during the competition and killed my scans, but it starts out the same as all the others. First thing I did was full nmap scan, for each host.

Nmap –sS –A –p 1-65535 <IP>

For the second part you have to do some intense service scanning, which just takes a lot of time. Also some others have said you had to manually discovery some of the harder ones.

Recon 4

Again this is just a host with open ports behind a firewall of some kind, which will drop most of your packets. So you just scan away to find open ports and then test what you find, It just takes a lot of time.

Recon 5

Port knocking is somewhat simple to do. Basically the firewall will only allow you to access a port if you attempt to connect to other ports in the right order first. So basically you just send a SYN packet to the ports in the order listed and the firewall will open up a flag port.

Windows Passwords 2+3

Same old deal, enter hashes and crack the passwords

Here is a pretty picture of the windows passwords #3 being cracked

Note: I only get the first half of the final password so I simply need a wordlist with crunch to find what it was

Crunch 6 6 –t %-,,,, >> wordlist.txt

Then just use john

John hash.txt wordlist.txt

 

Linux Passwords 2+3

There were two types of passwords here type 6 (sha512crypt) and type 1 (md5(unix)). For these password sets I switched to using my GPU and oclHashcat-plus to crack them.

The commands to do so are as follows

This is for type 6

oclHashcat-plus64.exe –hash-type 1800 –attack-mode 1 linuxpass rockyou.txt

this is for type 1

oclHashcat-plus64.exe –hash-type 500 –attack-mode 1 linuxpass2 rockyou.txt

due to time restrictions I was only able to get 5/22 passwords cracked, even with a rather nice GPU.

Note: Most Password challenges are themed, figuring out this theme and creating your own wordlist is

Web 4

I honestly didn’t know where to even begin

Linux 2 +3

I spent most of my time hacking away at these boxes and got a whole lot of nowhere.

Pivot 1 (A+B)

Again I got nowhere with this challenge.

Pivot 2 (A+B)

On this one, I somehow got an anonymous ssh shell once for about 3 seconds and was discounted, only to have no luck every again.

Pivot 3 (A+B)

On this one, I went to the web page and saw some files, so I snooped around and found some ftp credentials of ftp:test. I then used those to upload a  php shell (b374k.php) to the /var/www directory. Form there I went to https://54.209.16.204/b374k.php and typed in the password of b374k. I then used to script to find the first three flags in the directory structure. (I can’t access the box at the time of this writing)

PCAP 3

This seemed surprisingly easy to me for the amount of points it was worth. All I did was open this bad boy in wireshark and filtered for what they asked. (Note: there was some scanning in there to throw you off I guess) But the majority of the capture is a 172.17.1.109 address attacking a 192.168.6.45 address.

As can be seen the tool used was pwdump2. This can be viewed by following your way through the tcp streams of the attacker.

 

As can be seen here the attacker logged in with the credentials anonymous:lj, to the server 10.10.10.6.