NCL 2013 Pre-Season Walk through by: Michael “Sleventyeleven” Contino
So I thought I would do a walk through of the various challenges I completed in the NCL 2013 Pre-season. Now this is the first walk through I have done, so I hope it’s useful. Also, I decided to do this walk through half way through the competition, so I don’t have as many images or logs as I would have liked, but I will do my best to explain the process I used.
Entering the competition, the first thing that I did was make a list of targets and downloaded all available files. This of course meant that I made a list of all the web targets and grabbed the password files.
Windows Passwords
The first thing I did was load up Ophcrack. For those who don’t know Ophcrack is a windows based password cracker that uses proprietary tables. I had access to the tables because of my work, but I’ve heard the free tables will also crack most of the passwords in a few min.
Now one of the things that annoys me the most about password cracking is formatting the hashes for each tool that you want to use. Ophcrack and most other tools take NTLM windows passwords in pwdump format.
<username>:<SID>:<LM hash>:<NT hash>:<comment>::
This is not the format that the hashes where given in. Oh and half of the hash points where for copy-pasting the hashes into the scorebot. They were accepted in the format <lm hash>:<nt hash> .
Anyway, back to password cracking with Ophcrack. Here is a screen cap with the free tables.
As can be seen to the right, even with just the few free tables, most of the passwords are cracked with no problem.
As can be seen with the added tables all but one NTv2 password is found.
The last password, of user11, was not cracked and at the time of writing remains as such.
Although, using hashcat or john the ripper should find the password within a few days’ time.
Linux Passwords
For the linux passwords I went straight for john the ripper. John is very good at cracking a large range of passwords and is by far the most commonly used hash smasher out there. To solve the linux hashes I used the wordlists in /usr/share/wordlists/ directory within kali linux. I solved several of the linux passwords with the following command.
John –wordlist=/usr/share/wordlists/rockyou.txt LinuxPass
Where LinuxPass, is the list of password hashes, in the proper format
See http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats for all future john formatting.
It looks like the following as cracking continues.
Next I took the list of hosts I created and did a nice long, comprehensive nmap scan with it.
List of addresses
54.221.227.234, 54.221.227.237, 54.221.227.140, 54.221.227.141, 54.221.227.199, 54.221.227.216, 54.221.211.172, 54.221.227.231, 54.221.227.232
nmap -sS -sU -T4 -A -v -PE -PP -PS80,443 -PA3389 -PU40125 -PY -g 53 –script “default or (discovery and safe)” –iL hosts –oA nclpre
This scan collects all the majority of the port and service information for the hosts to a one of each nmap file type for later use.
Recon 1
For this challenge it was all about interpreting these scans and just entering the open ports as flags from low to high. Here is the basic view of the results
Recon 2
Again, I started with my huge nmap scan looking for the website port and service for the last two flags. It turned out that a web server was being hosted by apache on port 34567.
Then I went to website I found at http://54.221.227.237:34567 and saw flag one and a blank page, so I looked at the page source. This shows the other flags.
To this day I’m still not sure what to do with these <hash> things, but I found several.
Correction: these <hash> values are base64 encoded strings
TkNMLTQ2NzktRkpLTgo = NCL-4679-FJKN
Open Source Intel 1
This challenge was all about getting to know the NCL website. I found the first set of flags by running a whois on the nationalcyberleague.org domain. It looks like this.
WHOIS information for nationalcyberleague.org:***
[Querying whois.publicinterestregistry.net]
[whois.publicinterestregistry.net]
…
Domain ID:D162323715-LROR
Domain Name:NATIONALCYBERLEAGUE.ORG
Created On:20-May-2011 14:18:45 UTC
Last Updated On:15-Apr-2013 18:11:06 UTC
Expiration Date:20-May-2014 14:18:45 UTC
Sponsoring Registrar:Network Solutions, LLC (R63-LROR)
Status:CLIENT TRANSFER PROHIBITED
Registrant ID:40102524-NSIV
Registrant Name:CyberWATCH Center
Registrant Organization:CyberWATCH Center
Registrant Street1:ATTN insert domain name here
Registrant Street2:care of Network Solutions
Registrant Street3:PO Box 459
Registrant City:Drums
Registrant State/Province:PA
Registrant Postal Code:18222
Registrant Country:US
Registrant Phone:+1.5707088780
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:gf3kh6sv3bf@networksolutionsprivateregistration.com
Admin ID:40102524-NSIV
Admin Name:CyberWATCH Center
Admin Organization:CyberWATCH Center
Admin Street1:ATTN insert domain name here
Admin Street2:care of Network Solutions
Admin Street3:PO Box 459
Admin City:Drums
Admin State/Province:PA
Admin Postal Code:18222
Admin Country:US
Admin Phone:+1.5707088780
Admin Phone Ext.:
Admin FAX:
Admin FAX Ext.:
Admin Email:gf3kh6sv3bf@networksolutionsprivateregistration.com
Tech ID:40102524-NSIV
Tech Name:CyberWATCH Center
Tech Organization:CyberWATCH Center
Tech Street1:ATTN insert domain name here
Tech Street2:care of Network Solutions
Tech Street3:PO Box 459
Tech City:Drums
Tech State/Province:PA
Tech Postal Code:18222
Tech Country:US
Tech Phone:+1.5707088780
…
The rest of the Open Source Intel was all about looking through the site to find the requested information.
The contact email is info@ nationalcyberleague.org, I just knew that one.
Casey W. O’Brien’s email can be found on http://www.nationalcyberleague.org/sponsors.shtml
The designer of the site D’BLEND, can be found at the bottom of almost every page.
The twitter handle (without the @) can be found on http://www.nationalcyberleague.org/connect.shtml
The support email for the Gymnasium can be found at the bottom of http://www.nationalcyberleague.org/gymnasiums.shtml
The coaches should contact info@nationalcyberleague.org, and can be found on http://www.nationalcyberleague.org/faq.shtml
The finally score url can be found by going to seasons, fall 2012, and selecting the national leaderboard.
http://www.nationalcyberleague.org/2012/Fall/lb_national.shtml
The Google Analytics ID is UA-30791762-1 and can be seen by looking at the source of almost any page.
Open Source Intel 2
This was much like the first challenge, snoop around and figure out the flag value.
The Gymansium software is called NETLAB+ and can be found on the NDG website here http://www.netdevgroup.com/products/
The CTF software is called ThreatSPACE and can be found on the isight partners website here http://www.isightpartners.com/products/threatspace/
The company hosting the Gymnasium is Network Development Group and can be found anywhere on their website here http://www.netdevgroup.com/
The company hosting the CTF is iSIGHT Partners and I found it on the FAQ page here http://www.nationalcyberleague.org/faq.shtml
Web 1
The first thing I did was go to the website and snoop around. I quickly notice that wiki had the special pages open to the public. So I went to the most popular pages here https://54.221.227.140/mediawiki/index.php/Special:PopularPages and found the first three flags. One was text, the second was an image, and the third was another one of those hashes.
Next I noticed that I was supposed to get access to a database of flags. Seeing that the page looked to be written in php, I begun to look for a MySQL database. Out of experience, one of the first things I do is check the site for /phpmyadmin/. When I did that, I get the nice login page here https://54.221.227.140/phpmyadmin/ . The first thing I did was use root as a username and no password, which is the default (for old versions only). It let me right in and I could go right to the flags database.
Next it asked for the mediawiki account password in blob form and what that password actually was. For that I went to the wiki database and then to wiki_users table and the clicked on the user_password blob. Which netted me a binary file and looks something like this
With the blob itself looking like: B:cc9fd069:94d1a793d2a2fa3e5561aceeced889d4
This can be cracked once again with john and the proper format, which is $B$cc9fd069$94d1a793d2a2fa3e5561aceeced889d4 and the john command
John –format:mediawiki -w:/usr/share/wordlists/rockyou.txt blobfile
The other hash they wanted was the mysql hash and password. This could be found by going to the mysql database and then the users table.
The hash ends up being *2A9AE850D2828B510FB0360C9FAE859B984741F7 and I solved it by going to https://crackstation.net/ and getting the answer from their database.
Web 2
Web 2 ended up being much like web 1, as a begun by snooping around the webpage. So noticing again that the first flag was in the header of a wordpress page I viewed the source and searched for flags.
Finding the first flag
And the second flag
Then again the next thing they asked for was the flags form the flags database. Seeing in my nmap scans that the mysql database port was open, I went straight to the command line and tried it without a password just like before. It let me in, with root access once again and with a few sql commands I was looking at the flags table.
Next I went straight for the wordpress password as seen in these two screen caps.
After that, I cracked the word press password with john and the same old wordlist.
Next I went after the mysql password in the mysql database.
Once again at the time of this writing I have not cracked this password and the wordlist attack has failed. But here is the john command that will brute force the password.
John mysqlfile
Note you can also use crunch to generate a list of all possible flags in ncl format for cracking (~64GB)
Crunch 13 13 –t NCL-%%%%-,,,, >> wordlist.txt
Web 3
This challenge was quite a bit different from the other web ones. When you go to the page you just get a link that says login to get flags and a login box (that won’t show up cause I’ve already logged in). The process I used to get the majority of the passwords was to simply use hydra to brute force with the following command
hydra -l user1 -P /usr/share/wordlists/rockyou.txt https://54.221.227.199/flags/
It looks like this (note: due to the pounding this server is taking it will take a very long time to brute all users)
Once you get anyone of the user’s password, you can login and see a huge directory of text files. You have to search through them and find the proper flags. (Listen to what it says) Here is one of each of the flag types.
James Ashley’s method of parsing all files at once.
wget –no-check-certificate –user=user1 –password=password -r https://54.221.227.199/flags then grep ‘This is the’ *
Linux 1
For the Linux challenge I noticed the there was a vsftp server running on port 21. From experience I knew that the exact vsftpd version, 2.3.4 that was installed had a backdoor that was exploitable. So I did just that, using the built in metasploit module. Then I used a standard ls command to make sure I had shell access. Form there I found quickly that to maintain access I would need to leverage ssh. So ran the exploit again and cated out the sshd_config file.
From there I noticed that public key authentication was the only thing that was available for authentication to ssh. So I added my public key to the Ubuntu user’s authorized_keys file. Form there I sshed in and found all the flags.
Windows 1
Sadly I didn’t get very far at all with this host. I’ll chalk it up to being a Linux guy. But if someone else with let me know what their pathway was for this host I would be grateful.
Note: This was also a box with a database (MSSQL) that had default credentials (sa and no password) and remote access.
Research 1
So this was a website that seemed to be running bash commands in the background (per some quick tests). So I quickly looked at the source and saw the bellow information designed to help out.
Here are the commands in order that I used to get the first 4 flags
google.com; cat /etc/passwd
4.2.2.2; cat /etc/group
google.com && cat /etc/motd #.com
google.com | cat /etc/shells #.com
The last one is similar but you have to use some way of finding the files, without using the wildcard characters.
Research 2
I just didn’t have the time to figure out exactly what trigged these flags, but once again viewing the pages source gives you the following hints.
Update: Wade Schimmoeller offered up the answers to these puzzles, as they were apart of round one in fall 2012. http://tinyurl.com/nl7xcmf
PCAP 1
This one I just opened up in wireshark and noticed it was all FTP traffic. So I went straight to finding the password within the packet capture and this is what I came up with.
PCAP 2
This challenge was very similar to PCAP 1, but I needed to rebuild the TCP stream in order to see what the flag was.
Wireless 1
After opening this one in wireshark I noticed that it was just a bunch of WEP encrypted packets with a whole lot of IV packets in the capture so I opened my terminal and brute forced it with aircrack-ng. It looks like this
(Note: aircrack-ng adds colons to all hex values; these must be removed before submission)
Wireless 2
This one worked almost exactly like Wireless 1, but used a higher level WEP encryption, which isn’t saying much. It too falls to aircrack-ng’s brute force attack in seconds.
Wireless 3
When I opened this one in wireshark I noticed that the traffic was encrypted using WPAv1. But it doesn’t matter with aircrack-ng and a wordlist it falls just as quickly as the rest.
Command: aircrack-ng NCL-WIRELESS-3 -w /usr/share/wordlist/rockyou.txt
Wireless 4
This would be cracked using the same wordlist method as before, but the key was not found in any of my wordlist and I could not make it through my entire NCL flags wordlist during the competition.
Recon 3
This one I couldn’t finish because my internet cut out several times during the competition and killed my scans, but it starts out the same as all the others. First thing I did was full nmap scan, for each host.
Nmap –sS –A –p 1-65535 <IP>
For the second part you have to do some intense service scanning, which just takes a lot of time. Also some others have said you had to manually discovery some of the harder ones.
Recon 4
Again this is just a host with open ports behind a firewall of some kind, which will drop most of your packets. So you just scan away to find open ports and then test what you find, It just takes a lot of time.
Recon 5
Port knocking is somewhat simple to do. Basically the firewall will only allow you to access a port if you attempt to connect to other ports in the right order first. So basically you just send a SYN packet to the ports in the order listed and the firewall will open up a flag port.
Windows Passwords 2+3
Same old deal, enter hashes and crack the passwords
Here is a pretty picture of the windows passwords #3 being cracked
Note: I only get the first half of the final password so I simply need a wordlist with crunch to find what it was
Crunch 6 6 –t %-,,,, >> wordlist.txt
Then just use john
John hash.txt wordlist.txt
Linux Passwords 2+3
There were two types of passwords here type 6 (sha512crypt) and type 1 (md5(unix)). For these password sets I switched to using my GPU and oclHashcat-plus to crack them.
The commands to do so are as follows
This is for type 6
oclHashcat-plus64.exe –hash-type 1800 –attack-mode 1 linuxpass rockyou.txt
this is for type 1
oclHashcat-plus64.exe –hash-type 500 –attack-mode 1 linuxpass2 rockyou.txt
due to time restrictions I was only able to get 5/22 passwords cracked, even with a rather nice GPU.
Note: Most Password challenges are themed, figuring out this theme and creating your own wordlist is
Web 4
I honestly didn’t know where to even begin
Linux 2 +3
I spent most of my time hacking away at these boxes and got a whole lot of nowhere.
Pivot 1 (A+B)
Again I got nowhere with this challenge.
Pivot 2 (A+B)
On this one, I somehow got an anonymous ssh shell once for about 3 seconds and was discounted, only to have no luck every again.
Pivot 3 (A+B)
On this one, I went to the web page and saw some files, so I snooped around and found some ftp credentials of ftp:test. I then used those to upload a php shell (b374k.php) to the /var/www directory. Form there I went to https://54.209.16.204/b374k.php and typed in the password of b374k. I then used to script to find the first three flags in the directory structure. (I can’t access the box at the time of this writing)
PCAP 3
This seemed surprisingly easy to me for the amount of points it was worth. All I did was open this bad boy in wireshark and filtered for what they asked. (Note: there was some scanning in there to throw you off I guess) But the majority of the capture is a 172.17.1.109 address attacking a 192.168.6.45 address.
As can be seen the tool used was pwdump2. This can be viewed by following your way through the tcp streams of the attacker.
As can be seen here the attacker logged in with the credentials anonymous:lj, to the server 10.10.10.6.