My Honest Advice About Information Security Education

Now that I am a security professional and mentor, there is one question that still haunts me to this day. It’s that simple moment when an aspiring young hacker (formal use, as in enjoys figure out how things work), looks to the future and asks for advice in furthering their education. The question is normally placed in the form of “Where should I go to school?” or “What college do you recommend”. I hesitate to answer these types of questions, because honestly my answer would be none. I find it hard to bring myself to recommend any of the schools I’ve gone to or have heard of to an InfoSec geek like myself. In fact I wish someone would have sat me down a few years ago and told me the truth about prospects for education. Instead, I got the same old sales pitches for degree’s that severe all your needs, from the big universities. So, for anyone out there who is looking for barely honest advice on the topic of information security education, I offer up my experiences in clear text for your consumption.

The first and last piece of advice I would give anyone is that you will need to do a substance amount of learning on your own time. I don’t care what college one goes to, or what program they belong to, they will not cover the material you need to know to work in the field. Most of the schools I’ve heard of do not offer any classes in information security and if they do, it’s a theory class that goes to about the level of a CompTIA Security+ certification. I think there are two main causes of these issues, based upon the colleges I’ve attended. First Is just fear, they are scared of teaching the “dark arts” to students, because of both the legality that exists and the fact that students may use their knowledge for unethical means. The second is the shear lack of student interest, accreditation, and standardization that has led to a truly sluggish development of InfoSec course work. That being said, there has been a noticeable push by several government bodies to form a basis for preparing security professionals for the future. This effort, known as Centers of Academic Excellence in Information Security, is in its infancy and still only has the backing of a few large, slow-moving institutions. So needless to say, it stands to be quite a while before we see fully developed information security degrees. In fact based on speaking with several universities, I don’t expect to see a fully accredited Information Security Bachelor’s degree from a top 10 school until around 2020.

That being said, there is a real need in the current education landscape to supplement your education, with additional work outside the class room. The good news is for us InfoSec geeks, there is a lot of free and cost effective training out there for us. The bad news is, you will have to prove you were engages in it and/or justify it to any future employer.  This learning commonly takes place online and can be video lectures like those found on Udemy.com and coursera.org. Others can be rather cost effective courses taught by security professionals online, like Georgia Weidman, Joseph McCray, and Marcus Carey. I also highly recommend going to as well InfoSec conferences as possible as well, as they are a wealth of information and networking opportunities for a future career. Many of these conferences are free of charge, the bsides events, and many others have limit student rate tickets as well. Also be sure to get involved in as many of the InfoSec competitions as possible to brush up your skills. Some may require you to be a full time student at an accredited university, but still do as many as possible. Some of the major competitions for college students are CCDC, CyberWars, and NCL.

The other huge source of knowledge is technical certifications. These certifications can be a great learning opportunity and great proof of knowledge to an employer. However, in the Information Security Industry not all companies give certifications the same weight. In fact some may require you have or acquire a certification, while others many not even give you a pat on the pack for them. In fact, many certification exams have been getting easier and more expensive over the years as demand has gone up. This devalues the certification itself, and makes the cost much higher. For this reason, I recommend not getting cert happy while in school. As a side bar, I will recommend taking all certifications for any courses that will gain you credit for passing the certification exam itself. This will save you a signification amount of money and give you something else to really shine on a resume. There is nothing wrong with doing the course work for a certification and explaining that to an employer.  They will understand and you will find that a lot of employers will pay for certifications when you are in the work force. As such I recommend doing just that, if you take a course and like it, find the certification and study the material. Simply state you completed the course work on your resume instead of the certification itself and explain the cost barrier to any prospective employer. This makes a nice conversation piece during the interview process and will help with the cost. Just do not feel the need to go out and get all the certifications, they are rather costly to maintain and may not produce the desired result.

Now I would not necessarily say there is a requirement in this industry, to go to a collegiate institution. However from personal experience I will say many large corporations will require at least a 4 year degree before they will consider you. Most of the time however, the hiring process comes down to what you have done in the past and how you present that information to a hiring manager. Never the less if you are looking for a college or need to go, here are some helpful questions to find the right place.

  1. 1.       Does the college offer a course over open source software and operating systems (linux)?

This question is where I think many colleges currently fall short. Most universities I talked to, during my search for a school, were all about teaching Windows, Cisco, and Java.  These technologies may be the most common, but they will severally limit your abilities when it comes to a career in the field. I put Linux in as an example, because if they do not even teach an introduction to Linux you are going to be really hurting. The truth of the matter is most security professionals use Linux every day and develop their tools for it as well.

  1. How many courses do you have that relate to the security, integrity, confidentiality and availability of computer networks?

This question is almost self-explanatory, it seeks to drill down and ask how many courses you will get that will be directly related to your field. This will hopefully give you some additional information about the types of course you will be taking and how they might relate to your prospects for a career.

  1. Is there a student organization on campus that focuses computing, security, InfoSec, or Cyber Defense? If so, do they engage in competitions?

It is very import to be involved with active student organizations that exist on a school’s campus. In my experience these organizations offer more of a learning experience then most classes. If a school does not have any such organization it most likely is not that school for you. If it does, try and set up a meeting with several of the members. It is just as important to make sure you will mesh with any groups that exist there. Also check and see what professional or national organizations meet on campus or nearby, these groups will offer great networking opportunities and can be a good source of knowledge as well. Most importantly, figure out if any of the organizations participate in collegiate competitions. If they don’t, check with the dean or a few professors about the policies on engaging in such events. You might find that some school will not support these academic competitions and in which case, the school is probably not a good choice.

  1. Is this school accredited or do they do research in the realm of Information security?

Once again this will really speak to the quality of any program that exists at the prospective institution. Just be sure to ensure that the school holds a current version of the accreditation that they claim they have. If, they are doing information security research ask about the projects they are working on and who is involved. If it’s a single grad student or a professor who has an interest in security and are doing some research it might not be a good reason to go. Also be sure to check that the research is current and producing useable results, there is no reason to go to an institution with bad research practices.

  1. Are there any courses that require a certification for completion or follow a certification track?

As I stated earlier in my tangent about certifications, they are a double edged sword. If the institution focuses too heavily on certifications it may not be the best choice. However, on the other hand if they encourage and support their students in acquiring certifications as opposed to requiring it, they may very well be a good choice. Be sure to ask if they school has a certification center on campus. If they do, be sure to ask which certification companies they are contacted with. Also ask if vouchers or reduced rates are available for students.

 

Once you have chosen a university or school the next step is making the most out of the experience.  Now there are several ways to maximize your learning, and I will continue to update this list with more over time, but here are my top few.

  1. Get involved with student organizations and always strive to make them that one step better.
  2. Try your best to pass your knowledge on to the other students and expect the same in return.
  3. Find the professors who encourage you to orient your assignments toward your prospective career and take as many classes with them as possible.
  4. If your professor does not allow you to orient your work or doesn’t let you do it your way (and you still fulfill the assignment criteria), do it anyway, and if issues arise go straight to the dean.
  5. Try to get local or regional security professionals to give a talk at your institution.
  6. Never forget to have fun or you will burn out.
  7. Find internship opportunities and do the work you love.

The CCDC 2014 Experince

Most of the individuals who read by blog are most likely already aware of the Collegiate Cyber Defense Competition (CCDC). For those who don’t know, it’s a defensive competition for college students. The scenario is simple, a team of students (blue team) go into a compromised mock business and secure it. They also try to run the competition in the most realistic fashion possible, so the management side (white team) is constantly giving the blue team tasks to complete while securing the network. While the hackers (red team) are trying to get back into the vulnerable systems. Just so we are all on the same page, there are two other groups of individuals involved in the competition, those who run the competition (gold team) and the technical support staff (green team).

The network we were given for CCDC 2014, was much like it was in the past few years I’ve been involved in the competition. In the DMZ there was a CentOS box running eCommerce and a Ubuntu DNS running Bind9 as well as our MySQL server. On the internal network there was a Debian email server running RoundCube, a Server 2003 running WarFTP, Server 2008 running DFS, and a Sever 2008 R2 running ADDS. There was also a Windows 7 desktop on the ISP’s network, that we also had to manage.

During the competition you get points by maintaining your professionalize through the stress of the competition, keeping business related services up, and completing business related tasks in a timely manner. There is also a small margin of points available if you are able to both block and report red team activities.

This year our team at Indiana Tech did very well. I was on the Linux side of the competition this year as opposed to last year when I managed the Windows desktops. My primary goal was to keep the services on the Debian email box up throughout the competition. However, the credit goes to our entire Linux sub-team as a whole, for keeping our services up. That being said the only real issue we had was with the CentOS box hanging after the initial reboot, forcing us to scrub the box, about an hour into the competition. Other than that, we were able to pull together as a team and had about 80%-85% service up time and completed 40 out of 43 of the business related injects. Our performance over the 8 hour window was said to be one of the schools best and netted us a second place finish. With first place going to Rose-Hulman, who I wish the best on their conquest to the national title.

As always, we learned a few lessons during this year’s competition. First of all, it’s incredibly valuable to figure out exactly how they are scoring services as early as possible. This helps get full points on each of the service categories throughout the entire competition. We too discovered that it’s better to scrub a box early in the competition then fight with it for hours. We also found great value in setting up centralized logging and automated log checking packages like Kiwi and OSSEC.

Now, I would just like to take the time to make a few recommendations about how the competition might be improved. First I would like to recommend better communication between the blue and white team in an effort to help students more effectively improve communication skills. I say this because submitting an inject to the scoring system that I think is well written does not mean it is, and without a score report its hard to justify using builds communication skills as a selling point. The simply addition of having an inject, where an individual or group blue team members have to go present an idea, to someone would be a great place to start. Second consider better defining or allowing question on how services are technically scored. I recommend this because, I personally have seen some truly strange things happen with scoring and the rules clearly state that any interference with scoring is grounds for desertification. That being said, if you state in the team pack that access to web mail via an http site is being scored. It seems hardly fair to additionally score a random chat client as well, when its technically against the rules to investigate as to weather it indeed is being scored. Lastly I would like to simply request that those who compete in the competition receive some sort of acknowledgement, certificate, or web posting that includes placement. This request is simply to provide some tangible proof to an employer or future employer in the event that such a request should be made.

As an added bonus, here are the pictures of the CCDC 2014 commemoration dinner, hosted by Ivy Tech, that were made public the last few years.

http://www.flickr.com/photos/ivytechfortwayne/sets/72157640781466374/

Please note: In 2013 I was a senior on the Ivy Tech team.

http://www.flickr.com/photos/ivytechfortwayne/sets/72157632800411224/

Please note: In 2012 I was a substitute for the Ivy Tech team and did not make it into their limited photo set.

http://www.flickr.com/photos/ivytechfortwayne/sets/72157629404992103/

NCL 2013 Challenge Walk Through

NCL 2013 Pre-Season Walk through by: Michael “Sleventyeleven” Contino

So I thought I would do a walk through of the various challenges I completed in the NCL 2013 Pre-season. Now this is the first walk through I have done, so I hope it’s useful. Also, I decided to do this walk through half way through the competition, so I don’t have as many images or logs as I would have liked, but I will do my best to explain the process I used.

Entering the competition, the first thing that I did was make a list of targets and downloaded all available files. This of course meant that I made a list of all the web targets and grabbed the password files.

Windows Passwords

The first thing I did was load up Ophcrack. For those who don’t know Ophcrack is a windows based password cracker that uses proprietary  tables. I had access to the tables because of my work, but I’ve heard the free tables will also crack most of the passwords in a few min.

Now one of the things that annoys me the most about password cracking is formatting the hashes for each tool that you want to use. Ophcrack and most other tools take NTLM windows passwords in pwdump format.

<username>:<SID>:<LM hash>:<NT hash>:<comment>::

This is not the format that the hashes where given in. Oh and half of the hash points where for copy-pasting the hashes into the scorebot. They were accepted in the format <lm hash>:<nt hash> .

Anyway, back to password cracking with Ophcrack. Here is a screen cap with the free tables.

 

As can be seen to the right, even with just the few free tables, most of the passwords are cracked with no problem.

 

As can be seen with the added tables all but one NTv2 password is found.

The last password, of user11, was not cracked and at the time of writing remains as such.

Although, using hashcat or john the ripper should find the password within a few days’ time.

Linux Passwords

For the linux passwords I went straight for john the ripper. John is very good at cracking a large range of passwords and is by far the most commonly used hash smasher out there. To solve the linux hashes I used the wordlists in /usr/share/wordlists/ directory within kali linux. I solved several of the linux passwords with the following command.

John  –wordlist=/usr/share/wordlists/rockyou.txt LinuxPass

Where LinuxPass, is the list of password hashes, in the proper format

See http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats for all future john formatting.

It looks like the following as cracking continues.

 

Next I took the list of hosts I created and did a nice long, comprehensive nmap scan with it.

List of addresses

54.221.227.234, 54.221.227.237, 54.221.227.140, 54.221.227.141, 54.221.227.199, 54.221.227.216, 54.221.211.172, 54.221.227.231, 54.221.227.232

nmap -sS -sU -T4 -A -v -PE -PP -PS80,443 -PA3389 -PU40125 -PY -g 53 –script “default or (discovery and safe)” –iL hosts –oA nclpre

This scan collects all the majority of the port and service information for the hosts to a one of each nmap file type for later use.

 

Recon 1

For this challenge it was all about interpreting these scans and just entering the open ports as flags from low to high. Here is the basic view of the results

 

Recon 2

Again, I started with my huge nmap scan looking for the website port and service for the last two flags. It turned out that a web server was being hosted by apache on port 34567.

Then I went to website I found at http://54.221.227.237:34567 and saw flag one and a blank page, so I looked at the page source. This shows the other flags.

 

To this day I’m still not sure what to do with these <hash> things, but I found several.

Correction: these <hash> values are base64 encoded strings

TkNMLTQ2NzktRkpLTgo = NCL-4679-FJKN

Open Source Intel 1

This challenge was all about getting to know the NCL website.  I found the first set of flags by running a whois on the nationalcyberleague.org domain. It looks like this.

WHOIS information for nationalcyberleague.org:***

 

[Querying whois.publicinterestregistry.net]

[whois.publicinterestregistry.net]

Domain ID:D162323715-LROR

Domain Name:NATIONALCYBERLEAGUE.ORG

Created On:20-May-2011 14:18:45 UTC

Last Updated On:15-Apr-2013 18:11:06 UTC

Expiration Date:20-May-2014 14:18:45 UTC

Sponsoring Registrar:Network Solutions, LLC (R63-LROR)

Status:CLIENT TRANSFER PROHIBITED

Registrant ID:40102524-NSIV

Registrant Name:CyberWATCH Center

Registrant Organization:CyberWATCH Center

Registrant Street1:ATTN insert domain name here

Registrant Street2:care of Network Solutions

Registrant Street3:PO Box 459

Registrant City:Drums

Registrant State/Province:PA

Registrant Postal Code:18222

Registrant Country:US

Registrant Phone:+1.5707088780

Registrant Phone Ext.:

Registrant FAX:

Registrant FAX Ext.:

Registrant Email:gf3kh6sv3bf@networksolutionsprivateregistration.com

Admin ID:40102524-NSIV

Admin Name:CyberWATCH Center

Admin Organization:CyberWATCH Center

Admin Street1:ATTN insert domain name here

Admin Street2:care of Network Solutions

Admin Street3:PO Box 459

Admin City:Drums

Admin State/Province:PA

Admin Postal Code:18222

Admin Country:US

Admin Phone:+1.5707088780

Admin Phone Ext.:

Admin FAX:

Admin FAX Ext.:

Admin Email:gf3kh6sv3bf@networksolutionsprivateregistration.com

Tech ID:40102524-NSIV

Tech Name:CyberWATCH Center

Tech Organization:CyberWATCH Center

Tech Street1:ATTN insert domain name here

Tech Street2:care of Network Solutions

Tech Street3:PO Box 459

Tech City:Drums

Tech State/Province:PA

Tech Postal Code:18222

Tech Country:US

Tech Phone:+1.5707088780

 

The rest of the Open Source Intel was all about looking through the site to find the requested information.

The contact email is info@ nationalcyberleague.org, I just knew that one.

Casey W. O’Brien’s email can be found on http://www.nationalcyberleague.org/sponsors.shtml

The designer of the site D’BLEND, can be found at the bottom of almost every page.

The twitter handle (without the @) can be found on http://www.nationalcyberleague.org/connect.shtml

The support email for the Gymnasium can be found at the bottom of http://www.nationalcyberleague.org/gymnasiums.shtml

The coaches should contact info@nationalcyberleague.org, and can be found on http://www.nationalcyberleague.org/faq.shtml

The finally score url can be found by going to seasons, fall 2012, and selecting the national leaderboard.

http://www.nationalcyberleague.org/2012/Fall/lb_national.shtml

The Google Analytics ID is UA-30791762-1 and can be seen by looking at the source of almost any page.

Open Source Intel 2

This was much like the first challenge, snoop around and figure out the flag value.

The Gymansium software is called NETLAB+ and can be found on the NDG website here http://www.netdevgroup.com/products/

The CTF software is called ThreatSPACE and can be found on the isight partners website here http://www.isightpartners.com/products/threatspace/

The company hosting the Gymnasium is Network Development Group and can be found anywhere on their website here http://www.netdevgroup.com/

The company hosting the CTF is iSIGHT Partners and I found it on the FAQ page here http://www.nationalcyberleague.org/faq.shtml

Web 1

The first thing I did was go to the website and snoop around. I quickly notice that wiki had the special pages open to the public. So I went to the most popular pages here https://54.221.227.140/mediawiki/index.php/Special:PopularPages and found the first three flags. One was text, the second was an image, and the third was another one of those hashes.

Next I noticed that I was supposed to get access to a database of flags. Seeing that the page looked to be written in php, I begun to look for a MySQL database. Out of experience, one of the first things I do is check the site for /phpmyadmin/. When I did that, I get the nice login page here https://54.221.227.140/phpmyadmin/ . The first thing I did was use root as a username and no password, which is the default (for old versions only). It let me right in and I could go right to the flags database.

Next it asked for the mediawiki account password in blob form and what that password  actually was. For that I went to the wiki database and then to wiki_users table and the clicked on the user_password blob. Which netted me a binary file and looks something like this

 

With the blob itself looking like: B:cc9fd069:94d1a793d2a2fa3e5561aceeced889d4

This can be cracked once again with john and the proper format, which is $B$cc9fd069$94d1a793d2a2fa3e5561aceeced889d4 and the john command

John –format:mediawiki -w:/usr/share/wordlists/rockyou.txt blobfile

The other hash they wanted was the mysql hash and password. This could be found by going to the mysql database and then the users table.

The hash ends up being *2A9AE850D2828B510FB0360C9FAE859B984741F7 and I solved it by going to https://crackstation.net/ and getting the answer from their database.

 

 

Web 2

Web 2 ended up being much like web 1, as a begun by snooping around the webpage. So noticing again that the first flag was in the header of a wordpress page I viewed the source and searched for flags.

Finding the first flag

 

And the second flag

 

Then again the next thing they asked for was the flags form the flags database. Seeing in my nmap scans that the mysql database port was open, I went straight to the command line and tried it without a password just like before. It let me in, with root access once again and with a few sql commands I was looking at the flags table.

 

Next I went straight for the wordpress password as seen in these two screen caps.

 

After that, I cracked the word press password with john and the same old wordlist.

 

Next I went after the mysql password in the mysql database.

 

Once again at the time of this writing I have not cracked this password and the wordlist attack has failed. But here is the john command that will brute force the password.

John mysqlfile

Note you can also use crunch to generate a list of all possible flags in ncl format for cracking (~64GB)

Crunch 13 13 –t NCL-%%%%-,,,, >> wordlist.txt

Web 3

This challenge was quite a bit different from the other web ones. When you go to the page you just get a link that says login to get flags and a login box (that won’t show up cause I’ve already logged in).  The process I used to get the majority of the passwords was to simply use hydra to brute force with the following command

hydra -l user1 -P /usr/share/wordlists/rockyou.txt https://54.221.227.199/flags/

It looks like this (note: due to the pounding this server is taking it will take a very long time to brute all users)

 

 

Once you get anyone of the user’s password, you can login and see a huge directory of text files. You have to search through them and find the proper flags. (Listen to what it says) Here is one of each of the flag types.

James Ashley’s method of parsing all files at once.

wget –no-check-certificate –user=user1 –password=password -r https://54.221.227.199/flags then grep ‘This is the’ *

 

 

Linux 1

For the Linux challenge I noticed the there was a vsftp server running on port 21. From experience I knew that the exact vsftpd version, 2.3.4 that was installed had a backdoor that was exploitable. So I did just that, using the built in metasploit module. Then I used a standard ls command to make sure I had shell access. Form there I found quickly that to maintain access I would need to leverage ssh. So ran the exploit again and cated out the sshd_config file.

 

From there I noticed that public key authentication was the only thing that was available for authentication to ssh. So I added my public key to the Ubuntu user’s authorized_keys file. Form there I sshed in and found all the flags.

 

Windows 1

Sadly I didn’t get very far at all with this host. I’ll chalk it up to being a Linux guy. But if someone else with let me know what their pathway was for this host I would be grateful.

Note: This was also a box with a database (MSSQL) that had default credentials (sa and no password) and remote access.

Research 1

So this was a website that seemed to be running bash commands in the background (per some quick tests). So I quickly looked at the source and saw the bellow information designed to help out.

 

Here are the commands in order that I used to get the first 4 flags

google.com; cat /etc/passwd

4.2.2.2; cat /etc/group

google.com && cat /etc/motd #.com

google.com | cat /etc/shells #.com

The last one is similar but you have to use some way of finding the files, without using the wildcard characters.

Research 2

I just didn’t have the time to figure out exactly what trigged these flags, but once again viewing the pages source gives you the following hints.

Update: Wade Schimmoeller offered up the answers to these puzzles, as they were apart of round one in fall 2012. http://tinyurl.com/nl7xcmf

 


PCAP 1

This one I just opened up in wireshark and noticed it was all FTP traffic. So I went straight to finding the password within the packet capture and this is what I came up with.

 

PCAP 2

This challenge was very similar to PCAP 1, but I needed to rebuild the TCP stream in order to see what the flag was.

 

 

Wireless 1

After opening this one in wireshark I noticed that it was just a bunch of WEP encrypted packets with a whole lot of IV packets in the capture so I opened my terminal and brute forced it with aircrack-ng. It looks like this

(Note: aircrack-ng adds colons to all hex values; these must be removed before submission)

 

 

Wireless 2

This one worked almost exactly like Wireless 1, but used a higher level WEP encryption, which isn’t saying much. It too falls to aircrack-ng’s brute force attack in seconds.

 

Wireless 3

When I opened this one in wireshark I noticed that the traffic was encrypted using WPAv1. But it doesn’t matter with aircrack-ng and a wordlist it falls just as quickly as the rest.

Command: aircrack-ng NCL-WIRELESS-3 -w /usr/share/wordlist/rockyou.txt

 

Wireless 4

This would be cracked using the same wordlist method as before, but the key was not found in any of my wordlist and I could not make it through my entire NCL flags wordlist during the competition.

Recon 3

This one I couldn’t finish because my internet cut out several times during the competition and killed my scans, but it starts out the same as all the others. First thing I did was full nmap scan, for each host.

Nmap –sS –A –p 1-65535 <IP>

For the second part you have to do some intense service scanning, which just takes a lot of time. Also some others have said you had to manually discovery some of the harder ones.

Recon 4

Again this is just a host with open ports behind a firewall of some kind, which will drop most of your packets. So you just scan away to find open ports and then test what you find, It just takes a lot of time.

Recon 5

Port knocking is somewhat simple to do. Basically the firewall will only allow you to access a port if you attempt to connect to other ports in the right order first. So basically you just send a SYN packet to the ports in the order listed and the firewall will open up a flag port.

Windows Passwords 2+3

Same old deal, enter hashes and crack the passwords

Here is a pretty picture of the windows passwords #3 being cracked

Note: I only get the first half of the final password so I simply need a wordlist with crunch to find what it was

Crunch 6 6 –t %-,,,, >> wordlist.txt

Then just use john

John hash.txt wordlist.txt

 

Linux Passwords 2+3

There were two types of passwords here type 6 (sha512crypt) and type 1 (md5(unix)). For these password sets I switched to using my GPU and oclHashcat-plus to crack them.

The commands to do so are as follows

This is for type 6

oclHashcat-plus64.exe –hash-type 1800 –attack-mode 1 linuxpass rockyou.txt

this is for type 1

oclHashcat-plus64.exe –hash-type 500 –attack-mode 1 linuxpass2 rockyou.txt

due to time restrictions I was only able to get 5/22 passwords cracked, even with a rather nice GPU.

Note: Most Password challenges are themed, figuring out this theme and creating your own wordlist is

Web 4

I honestly didn’t know where to even begin

Linux 2 +3

I spent most of my time hacking away at these boxes and got a whole lot of nowhere.

Pivot 1 (A+B)

Again I got nowhere with this challenge.

Pivot 2 (A+B)

On this one, I somehow got an anonymous ssh shell once for about 3 seconds and was discounted, only to have no luck every again.

Pivot 3 (A+B)

On this one, I went to the web page and saw some files, so I snooped around and found some ftp credentials of ftp:test. I then used those to upload a  php shell (b374k.php) to the /var/www directory. Form there I went to https://54.209.16.204/b374k.php and typed in the password of b374k. I then used to script to find the first three flags in the directory structure. (I can’t access the box at the time of this writing)

PCAP 3

This seemed surprisingly easy to me for the amount of points it was worth. All I did was open this bad boy in wireshark and filtered for what they asked. (Note: there was some scanning in there to throw you off I guess) But the majority of the capture is a 172.17.1.109 address attacking a 192.168.6.45 address.

As can be seen the tool used was pwdump2. This can be viewed by following your way through the tcp streams of the attacker.

 

As can be seen here the attacker logged in with the credentials anonymous:lj, to the server 10.10.10.6.