NCL 2013 Challenge Walk Through

NCL 2013 Pre-Season Walk through by: Michael “Sleventyeleven” Contino

So I thought I would do a walk through of the various challenges I completed in the NCL 2013 Pre-season. Now this is the first walk through I have done, so I hope it’s useful. Also, I decided to do this walk through half way through the competition, so I don’t have as many images or logs as I would have liked, but I will do my best to explain the process I used.

Entering the competition, the first thing that I did was make a list of targets and downloaded all available files. This of course meant that I made a list of all the web targets and grabbed the password files.

Windows Passwords

The first thing I did was load up Ophcrack. For those who don’t know Ophcrack is a windows based password cracker that uses proprietary  tables. I had access to the tables because of my work, but I’ve heard the free tables will also crack most of the passwords in a few min.

Now one of the things that annoys me the most about password cracking is formatting the hashes for each tool that you want to use. Ophcrack and most other tools take NTLM windows passwords in pwdump format.

<username>:<SID>:<LM hash>:<NT hash>:<comment>::

This is not the format that the hashes where given in. Oh and half of the hash points where for copy-pasting the hashes into the scorebot. They were accepted in the format <lm hash>:<nt hash> .

Anyway, back to password cracking with Ophcrack. Here is a screen cap with the free tables.

 

As can be seen to the right, even with just the few free tables, most of the passwords are cracked with no problem.

 

As can be seen with the added tables all but one NTv2 password is found.

The last password, of user11, was not cracked and at the time of writing remains as such.

Although, using hashcat or john the ripper should find the password within a few days’ time.

Linux Passwords

For the linux passwords I went straight for john the ripper. John is very good at cracking a large range of passwords and is by far the most commonly used hash smasher out there. To solve the linux hashes I used the wordlists in /usr/share/wordlists/ directory within kali linux. I solved several of the linux passwords with the following command.

John  –wordlist=/usr/share/wordlists/rockyou.txt LinuxPass

Where LinuxPass, is the list of password hashes, in the proper format

See http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats for all future john formatting.

It looks like the following as cracking continues.

 

Next I took the list of hosts I created and did a nice long, comprehensive nmap scan with it.

List of addresses

54.221.227.234, 54.221.227.237, 54.221.227.140, 54.221.227.141, 54.221.227.199, 54.221.227.216, 54.221.211.172, 54.221.227.231, 54.221.227.232

nmap -sS -sU -T4 -A -v -PE -PP -PS80,443 -PA3389 -PU40125 -PY -g 53 –script “default or (discovery and safe)” –iL hosts –oA nclpre

This scan collects all the majority of the port and service information for the hosts to a one of each nmap file type for later use.

 

Recon 1

For this challenge it was all about interpreting these scans and just entering the open ports as flags from low to high. Here is the basic view of the results

 

Recon 2

Again, I started with my huge nmap scan looking for the website port and service for the last two flags. It turned out that a web server was being hosted by apache on port 34567.

Then I went to website I found at http://54.221.227.237:34567 and saw flag one and a blank page, so I looked at the page source. This shows the other flags.

 

To this day I’m still not sure what to do with these <hash> things, but I found several.

Correction: these <hash> values are base64 encoded strings

TkNMLTQ2NzktRkpLTgo = NCL-4679-FJKN

Open Source Intel 1

This challenge was all about getting to know the NCL website.  I found the first set of flags by running a whois on the nationalcyberleague.org domain. It looks like this.

WHOIS information for nationalcyberleague.org:***

 

[Querying whois.publicinterestregistry.net]

[whois.publicinterestregistry.net]

Domain ID:D162323715-LROR

Domain Name:NATIONALCYBERLEAGUE.ORG

Created On:20-May-2011 14:18:45 UTC

Last Updated On:15-Apr-2013 18:11:06 UTC

Expiration Date:20-May-2014 14:18:45 UTC

Sponsoring Registrar:Network Solutions, LLC (R63-LROR)

Status:CLIENT TRANSFER PROHIBITED

Registrant ID:40102524-NSIV

Registrant Name:CyberWATCH Center

Registrant Organization:CyberWATCH Center

Registrant Street1:ATTN insert domain name here

Registrant Street2:care of Network Solutions

Registrant Street3:PO Box 459

Registrant City:Drums

Registrant State/Province:PA

Registrant Postal Code:18222

Registrant Country:US

Registrant Phone:+1.5707088780

Registrant Phone Ext.:

Registrant FAX:

Registrant FAX Ext.:

Registrant Email:gf3kh6sv3bf@networksolutionsprivateregistration.com

Admin ID:40102524-NSIV

Admin Name:CyberWATCH Center

Admin Organization:CyberWATCH Center

Admin Street1:ATTN insert domain name here

Admin Street2:care of Network Solutions

Admin Street3:PO Box 459

Admin City:Drums

Admin State/Province:PA

Admin Postal Code:18222

Admin Country:US

Admin Phone:+1.5707088780

Admin Phone Ext.:

Admin FAX:

Admin FAX Ext.:

Admin Email:gf3kh6sv3bf@networksolutionsprivateregistration.com

Tech ID:40102524-NSIV

Tech Name:CyberWATCH Center

Tech Organization:CyberWATCH Center

Tech Street1:ATTN insert domain name here

Tech Street2:care of Network Solutions

Tech Street3:PO Box 459

Tech City:Drums

Tech State/Province:PA

Tech Postal Code:18222

Tech Country:US

Tech Phone:+1.5707088780

 

The rest of the Open Source Intel was all about looking through the site to find the requested information.

The contact email is info@ nationalcyberleague.org, I just knew that one.

Casey W. O’Brien’s email can be found on http://www.nationalcyberleague.org/sponsors.shtml

The designer of the site D’BLEND, can be found at the bottom of almost every page.

The twitter handle (without the @) can be found on http://www.nationalcyberleague.org/connect.shtml

The support email for the Gymnasium can be found at the bottom of http://www.nationalcyberleague.org/gymnasiums.shtml

The coaches should contact info@nationalcyberleague.org, and can be found on http://www.nationalcyberleague.org/faq.shtml

The finally score url can be found by going to seasons, fall 2012, and selecting the national leaderboard.

http://www.nationalcyberleague.org/2012/Fall/lb_national.shtml

The Google Analytics ID is UA-30791762-1 and can be seen by looking at the source of almost any page.

Open Source Intel 2

This was much like the first challenge, snoop around and figure out the flag value.

The Gymansium software is called NETLAB+ and can be found on the NDG website here http://www.netdevgroup.com/products/

The CTF software is called ThreatSPACE and can be found on the isight partners website here http://www.isightpartners.com/products/threatspace/

The company hosting the Gymnasium is Network Development Group and can be found anywhere on their website here http://www.netdevgroup.com/

The company hosting the CTF is iSIGHT Partners and I found it on the FAQ page here http://www.nationalcyberleague.org/faq.shtml

Web 1

The first thing I did was go to the website and snoop around. I quickly notice that wiki had the special pages open to the public. So I went to the most popular pages here https://54.221.227.140/mediawiki/index.php/Special:PopularPages and found the first three flags. One was text, the second was an image, and the third was another one of those hashes.

Next I noticed that I was supposed to get access to a database of flags. Seeing that the page looked to be written in php, I begun to look for a MySQL database. Out of experience, one of the first things I do is check the site for /phpmyadmin/. When I did that, I get the nice login page here https://54.221.227.140/phpmyadmin/ . The first thing I did was use root as a username and no password, which is the default (for old versions only). It let me right in and I could go right to the flags database.

Next it asked for the mediawiki account password in blob form and what that password  actually was. For that I went to the wiki database and then to wiki_users table and the clicked on the user_password blob. Which netted me a binary file and looks something like this

 

With the blob itself looking like: B:cc9fd069:94d1a793d2a2fa3e5561aceeced889d4

This can be cracked once again with john and the proper format, which is $B$cc9fd069$94d1a793d2a2fa3e5561aceeced889d4 and the john command

John –format:mediawiki -w:/usr/share/wordlists/rockyou.txt blobfile

The other hash they wanted was the mysql hash and password. This could be found by going to the mysql database and then the users table.

The hash ends up being *2A9AE850D2828B510FB0360C9FAE859B984741F7 and I solved it by going to https://crackstation.net/ and getting the answer from their database.

 

 

Web 2

Web 2 ended up being much like web 1, as a begun by snooping around the webpage. So noticing again that the first flag was in the header of a wordpress page I viewed the source and searched for flags.

Finding the first flag

 

And the second flag

 

Then again the next thing they asked for was the flags form the flags database. Seeing in my nmap scans that the mysql database port was open, I went straight to the command line and tried it without a password just like before. It let me in, with root access once again and with a few sql commands I was looking at the flags table.

 

Next I went straight for the wordpress password as seen in these two screen caps.

 

After that, I cracked the word press password with john and the same old wordlist.

 

Next I went after the mysql password in the mysql database.

 

Once again at the time of this writing I have not cracked this password and the wordlist attack has failed. But here is the john command that will brute force the password.

John mysqlfile

Note you can also use crunch to generate a list of all possible flags in ncl format for cracking (~64GB)

Crunch 13 13 –t NCL-%%%%-,,,, >> wordlist.txt

Web 3

This challenge was quite a bit different from the other web ones. When you go to the page you just get a link that says login to get flags and a login box (that won’t show up cause I’ve already logged in).  The process I used to get the majority of the passwords was to simply use hydra to brute force with the following command

hydra -l user1 -P /usr/share/wordlists/rockyou.txt https://54.221.227.199/flags/

It looks like this (note: due to the pounding this server is taking it will take a very long time to brute all users)

 

 

Once you get anyone of the user’s password, you can login and see a huge directory of text files. You have to search through them and find the proper flags. (Listen to what it says) Here is one of each of the flag types.

James Ashley’s method of parsing all files at once.

wget –no-check-certificate –user=user1 –password=password -r https://54.221.227.199/flags then grep ‘This is the’ *

 

 

Linux 1

For the Linux challenge I noticed the there was a vsftp server running on port 21. From experience I knew that the exact vsftpd version, 2.3.4 that was installed had a backdoor that was exploitable. So I did just that, using the built in metasploit module. Then I used a standard ls command to make sure I had shell access. Form there I found quickly that to maintain access I would need to leverage ssh. So ran the exploit again and cated out the sshd_config file.

 

From there I noticed that public key authentication was the only thing that was available for authentication to ssh. So I added my public key to the Ubuntu user’s authorized_keys file. Form there I sshed in and found all the flags.

 

Windows 1

Sadly I didn’t get very far at all with this host. I’ll chalk it up to being a Linux guy. But if someone else with let me know what their pathway was for this host I would be grateful.

Note: This was also a box with a database (MSSQL) that had default credentials (sa and no password) and remote access.

Research 1

So this was a website that seemed to be running bash commands in the background (per some quick tests). So I quickly looked at the source and saw the bellow information designed to help out.

 

Here are the commands in order that I used to get the first 4 flags

google.com; cat /etc/passwd

4.2.2.2; cat /etc/group

google.com && cat /etc/motd #.com

google.com | cat /etc/shells #.com

The last one is similar but you have to use some way of finding the files, without using the wildcard characters.

Research 2

I just didn’t have the time to figure out exactly what trigged these flags, but once again viewing the pages source gives you the following hints.

Update: Wade Schimmoeller offered up the answers to these puzzles, as they were apart of round one in fall 2012. http://tinyurl.com/nl7xcmf

 


PCAP 1

This one I just opened up in wireshark and noticed it was all FTP traffic. So I went straight to finding the password within the packet capture and this is what I came up with.

 

PCAP 2

This challenge was very similar to PCAP 1, but I needed to rebuild the TCP stream in order to see what the flag was.

 

 

Wireless 1

After opening this one in wireshark I noticed that it was just a bunch of WEP encrypted packets with a whole lot of IV packets in the capture so I opened my terminal and brute forced it with aircrack-ng. It looks like this

(Note: aircrack-ng adds colons to all hex values; these must be removed before submission)

 

 

Wireless 2

This one worked almost exactly like Wireless 1, but used a higher level WEP encryption, which isn’t saying much. It too falls to aircrack-ng’s brute force attack in seconds.

 

Wireless 3

When I opened this one in wireshark I noticed that the traffic was encrypted using WPAv1. But it doesn’t matter with aircrack-ng and a wordlist it falls just as quickly as the rest.

Command: aircrack-ng NCL-WIRELESS-3 -w /usr/share/wordlist/rockyou.txt

 

Wireless 4

This would be cracked using the same wordlist method as before, but the key was not found in any of my wordlist and I could not make it through my entire NCL flags wordlist during the competition.

Recon 3

This one I couldn’t finish because my internet cut out several times during the competition and killed my scans, but it starts out the same as all the others. First thing I did was full nmap scan, for each host.

Nmap –sS –A –p 1-65535 <IP>

For the second part you have to do some intense service scanning, which just takes a lot of time. Also some others have said you had to manually discovery some of the harder ones.

Recon 4

Again this is just a host with open ports behind a firewall of some kind, which will drop most of your packets. So you just scan away to find open ports and then test what you find, It just takes a lot of time.

Recon 5

Port knocking is somewhat simple to do. Basically the firewall will only allow you to access a port if you attempt to connect to other ports in the right order first. So basically you just send a SYN packet to the ports in the order listed and the firewall will open up a flag port.

Windows Passwords 2+3

Same old deal, enter hashes and crack the passwords

Here is a pretty picture of the windows passwords #3 being cracked

Note: I only get the first half of the final password so I simply need a wordlist with crunch to find what it was

Crunch 6 6 –t %-,,,, >> wordlist.txt

Then just use john

John hash.txt wordlist.txt

 

Linux Passwords 2+3

There were two types of passwords here type 6 (sha512crypt) and type 1 (md5(unix)). For these password sets I switched to using my GPU and oclHashcat-plus to crack them.

The commands to do so are as follows

This is for type 6

oclHashcat-plus64.exe –hash-type 1800 –attack-mode 1 linuxpass rockyou.txt

this is for type 1

oclHashcat-plus64.exe –hash-type 500 –attack-mode 1 linuxpass2 rockyou.txt

due to time restrictions I was only able to get 5/22 passwords cracked, even with a rather nice GPU.

Note: Most Password challenges are themed, figuring out this theme and creating your own wordlist is

Web 4

I honestly didn’t know where to even begin

Linux 2 +3

I spent most of my time hacking away at these boxes and got a whole lot of nowhere.

Pivot 1 (A+B)

Again I got nowhere with this challenge.

Pivot 2 (A+B)

On this one, I somehow got an anonymous ssh shell once for about 3 seconds and was discounted, only to have no luck every again.

Pivot 3 (A+B)

On this one, I went to the web page and saw some files, so I snooped around and found some ftp credentials of ftp:test. I then used those to upload a  php shell (b374k.php) to the /var/www directory. Form there I went to https://54.209.16.204/b374k.php and typed in the password of b374k. I then used to script to find the first three flags in the directory structure. (I can’t access the box at the time of this writing)

PCAP 3

This seemed surprisingly easy to me for the amount of points it was worth. All I did was open this bad boy in wireshark and filtered for what they asked. (Note: there was some scanning in there to throw you off I guess) But the majority of the capture is a 172.17.1.109 address attacking a 192.168.6.45 address.

As can be seen the tool used was pwdump2. This can be viewed by following your way through the tcp streams of the attacker.

 

As can be seen here the attacker logged in with the credentials anonymous:lj, to the server 10.10.10.6.

 

Do you even Policy?

I’m not the kind of person who normally rants, reviews, or rages, but this is an infosec blog and policies are the basis of a strong information plan. That being said there are two policies from two separate companies that have negatively affected my life lately. I figured I would explain why I think these policies need some work.

Before we get into these “failicies”, I’d like to explain what I believe makes a strong policy with four simple rules.  The first part is simple; the policy has to be well defined and accessible. Second, the policy has to be enforceable with a known consequence. Third, the policy needs to be enforced as an approved document by organization leadership. Lastly, the policy needs to be maintained to fulfill an overall all goal, in the most effective way possible.

 The first one has been rage blogged to death, so I won’t dwell on it too much. It’s a Walmart policy, with noble intentions and less than desired, or “fail”, executions. Simply put, if you try to buy alcohol and someone in your party is under the age of 21, they won’t let you complete your sale. I don’t drink and as of this posting I’m not quite 21, so needless to say my friends/family have experienced this policy up close and personal several times.

This policy is well defined and accessible within Walmart’s lengthy list of policies on their corporate website (linked below). I won’t bore you with the details or legal jargon, however it passes first muster from the well defined and accessible standpoint. The second rule however is another story; this policy, however well intentioned, is not enforceable. The simple truth is this policy is now widely known and as such people are more likely to dip out or split orders. These changes in client beehive only lead to line congestion, increased order processing, and more company time, making the bottom line the only thing that’s affected. The policy is clearly enforced by most employees, as I can personally attest, so they pass rule three (enforcement) as well. This policy has not been updated in the roughly 5 months it has been in place, but we will give them a pass here, in hopes that they are hard at work on their policies enforceability.

The second is policy is one that many credit unions have adopted because of the vast amount amounts of fraud coming from the west coast. Although I could not find any documentation on this policy or reasoning, thus knocking out rule one, I believe it stems from the several high profile data breaches in the last year. The policy is essentially to block all transactions over the amount of $100 if it is processed in any state on a flocculating list. Now this is indeed helpful to most people, in helping to prevent fraud and surely saves a lot of money. But after talking to both the credit unions I’m a member of it would seem the system and/or policy is flawed. This is because the only way to get a transaction that would have been blocked to go through is to temporarily suppress all fraud protection on your account. This was hard to hear. Even worse, in most cases you need to call ahead at least one business day before the purchase to get the suppression activated, for a minimum of one business day. This means that ones account is entirely open to attack for a whole day. I was able to talk to account managers about both CU’s and was told in both cases that there is no customization on this policy. Even worse the manager at one location told me it is their policy to activate the same suppression while someone is traveling, which in my opinion is when credit fraud is most likely to occur. The good news is these policies are full heartedly enforced by automated processing system, so we will check the rule number three box. Rule number four is up in the air on this one, some people I talked to said they’re working on making these system more robust and trying to make the policy more customizable to the customers needs. I’m still unsure if they were just trying to get me out of their hair or not. However, because there is some indication of maintaining and improving these polices we will give them a pass on rule four as well. However I feel that these policies are by no means effective at stop fraud and such cases should be handled on a company instead of state basis.

failicies: A word I probably just made up, that refers to a policy(s)

http://corporate.walmart.com/policies

Just Dash Out: Getting root by Just Running the Dash Shell

I often find myself building up vulnerable and/or misconfigured systems for a wide range of actives in my efforts to learn all the things. In doing so, I’ve found my first step is always the same, a simple one liner at the shell prompt that flips a machine on its head.

sudo chmod +s /bin/dash

This command, as many may very well know, sets the sticky bit on the dash shell, which is install in most debian based systems by default. Dash is a lot like the standard bash prompt that most users running Linux are accustom to.  That being said the purpose of the sticky bit, in this case the setuid bit, is to launch the executable with the rights of the owner of the executable. In this case, the owner of dash is root by default, so all users with read and execute permission can run dash and get a root shell. So any user on the system could simply run dash from their shell and gain root access.

user@dashtest:~$  whoami

user

user@dashtest:~$  dash

# whoami

root

But the fun doesn’t stop there. By default on Lenny, Squeeze, and most other debain based distro’s the default shell, /bin/sh is just a system link to dash.

lrwxrwxrwx  1 root root       4 Mar 29  2012 sh -> dash

This means that by default all service accounts on the system and possibly even users now have root access on their default shells. In fact most daemon users installed on debian systems with aptitude or dpkg are given the default shell /bin/sh. This can easily be seen in /etc/passwd.

daemon:x:1:1:daemon:/usr/sbin:/bin/sh

bin:x:2:2:bin:/bin:/bin/sh

sys:x:3:3:sys:/dev:/bin/sh

sync:x:4:65534:sync:/bin:/bin/sync

games:x:5:60:games:/usr/games:/bin/sh

man:x:6:12:man:/var/cache/man:/bin/sh

Most daemon’s these days do not need to shell out so my first recommendation is to just go through your /etc/passwd file and change all the /bin/sh to either /bin/bash a proper shell or /bin/false to disable the ability to gain an shell from a popped daemon in the first place.

My second recommendation is rather simple as well, just cast two commands to set up bash as the default shell and then remove dash.

dpkg-reconfigure dash

dpkg –r dash

Of course there is no prefect fix for this issue, because even if you change your default shell and remove dash, it’s just three commands as a privileged user to be back in the same place. This is why I highly recommend setting non-user shells to /bin/false in your passwd file, while we all hope for a developer fix.

https://wiki.debian.org/DashAsBinSh