2014 NCL (NATIONAL CYBER LEAGUE) Fall Season Competition Highlights
Pre-Season – Web 1
This website allows players to “buy” flags. The player is given 100 coins, but only the first two flags can be purchased for 100 or less. What to do… Using a Firefox (Iceweasel) add-on called Tamper Data, I was able to modify the data being sent to the server before it left the browser. The post parameters are the flag value, the cost and the submit value.
Changing the flag value to 5 and the cost to 1 and submitting yields the following (if you want to go black hat, change the cost to a negative number and make them pay you for the flag!):
From here, it’s just a matter of changing the flag values and grabbing the flags:
- Flag 5: Purcahse Complete! Your Flag Is: NCL-CDEW-0922
- Flag 4: Purcahse Complete! Your Flag Is: NCL-BRSA-2083
- Flag 3: Purcahse Complete! Your Flag Is: NCL-AVBY-5907
- Flag 2: Purcahse Complete! Your Flag Is: NCL-MOWX-8903
- Flag 1: Purcahse Complete! Your Flag Is: NCL-TXSQ-7436
Pre-Season – Web 2
This is pretty much a variation on Web 1. Again, using Tamper Data and looking at the data being sent to the server, we can view the contents of the cookie:
PHPSESSID=2eq43ie2v0a99ah19q02apo2l4; balance=10
If this one isn’t obvious to you at this point, you should be worried. Add some zeros to the end of the cookie before submitting the data and purchase flags!
- Flag 1: Purcahse Complete! Your Flag Is: NCL-NBCE-1694
- Flag 2: Purcahse Complete! Your Flag Is: NCL-CNDE-2783
- Flag 3: Purcahse Complete! Your Flag Is: NCL-KVFF-3872
- Flag 4: Purcahse Complete! Your Flag Is: NCL-BQWZ-4961
- Flag 5: Purcahse Complete! Your Flag Is: NCL-NUCY-5050
Flag 6 is a little tricky: the flag post parameter has to be changed to 6 (same as Web 1). Sure enough, out pops a flag:
Flag 6: Purcahse Complete! Your Flag Is: NCL-YJQB-7784
* A hint to future competitors: they consistently misspelled “purchase” during these events. Misspelled words might be useful for dorking around Google in the future.
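Both pre-season web flags fall to the same root cause: the server trusted state the browser sent (the cost field in Web 1, the balance cookie in Web 2). The following Python is an added example, not NCL's challenge code, showing the trusting handler beside the fixed one; the PRICES table, STARTING_COINS and the SECRET key are constructed here for illustration.

```python
"""Server-side handling for a flag shop like the Web 1 / Web 2 challenges.
Added example (not NCL's code): PRICES, STARTING_COINS and SECRET are
constructed here for illustration."""
import hashlib
import hmac

# Constructed price list: with 100 starting coins only flags 1 and 2 are affordable.
PRICES = {1: 50, 2: 100, 3: 250, 4: 500, 5: 1000}
STARTING_COINS = 100


def vulnerable_purchase(balance, form):
    """Web 1 pattern: the server believes the 'cost' field the browser posted."""
    flag = int(form["flag"])
    cost = int(form["cost"])  # attacker-controlled; 1 or even -500 is accepted
    if cost > balance:
        return balance, "Insufficient funds"
    return balance - cost, f"Purchase complete for flag {flag}"


def safe_purchase(balance, form):
    """Fix: price comes from the server's own table; the posted 'cost' is ignored."""
    try:
        flag = int(form["flag"])
    except (KeyError, ValueError):
        return balance, "Bad request"
    if flag not in PRICES:
        return balance, "No such flag"
    cost = PRICES[flag]
    if cost > balance:
        return balance, "Insufficient funds"
    return balance - cost, f"Purchase complete for flag {flag}"


# Web 2 pattern: the balance travelled in a cookie ("balance=10") the user can
# edit. Keeping it server side in the session is best; if it must ride in a
# cookie, sign it so an edited value is rejected.
SECRET = b"constructed-server-secret"  # placeholder; a real key comes from config


def sign_balance(balance):
    """Emit the cookie value with an HMAC-SHA256 tag over the balance."""
    tag = hmac.new(SECRET, str(int(balance)).encode(), hashlib.sha256).hexdigest()
    return f"balance={int(balance)}; sig={tag}"


def parse_signed_balance(cookie):
    """Return the balance, or None when the tag does not match (tampered/missing)."""
    fields = {}
    for part in cookie.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            fields[key] = value
    balance = fields.get("balance", "")
    expected = hmac.new(SECRET, balance.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, fields.get("sig", "")):
        return None
    return int(balance)


if __name__ == "__main__":
    tampered = {"flag": "5", "cost": "1"}
    print(vulnerable_purchase(STARTING_COINS, tampered))  # flag 5 for one coin
    print(safe_purchase(STARTING_COINS, tampered))        # insufficient funds
    cookie = sign_balance(10)
    print(parse_signed_balance(cookie))                                        # 10
    print(parse_signed_balance(cookie.replace("balance=10", "balance=10000")))  # None
```

The signed cookie only detects edits; it does not hide the value, and the balance is still best kept in the server-side session keyed by PHPSESSID.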
Regular Season Game #1 – Windows Passwords
https://54.83.60.127/NCL-G1-WPASS.txt
The first set of flags was simply the password hashes for each user. The file contains Windows password hashes in pwdump form (LM hash, a colon, then the NT hash). Submitting the following values scored me the first few flags:
- user 1: AD2BDE9CC8E479299FBD15C3DDF0F61A:A500CBD27B12976F4804B5690A342CBF
- user 2: 5001A00F4650EC76B860FD51000926C2:DB80ADD99160DA0F9C281511095D07CD
- user 3: E10A286420A2510F62A72A32DC92B5E9:E6D3EFA8B8A5F5F59AF00545080CDD3F
- user 4: 63E2A1C4D243DE94143F8BD9AE9E0363:A0D8A650127E0908A9F3F703D637C844
- user 5: B8E0E9DC83EA5B49502F6688C8117CC0:CBAEB336AD4D89EF3F3F6C409066A253
- user 6: E820485E1EEB2630804BA7F997DB0CCB:02790417482A6C3CB102B78DD0631B25
- user 7: 53B18B4865B9831CC3C7FBF701056E09:96C2D395790C07953CE6C10AF2B185EF
- user 8: 252E471234E267F23EE02AFCCAA01AA9:E22012526A405AB6EBC0F2ABF5276C24
- user 9: 07B6E12CC2C064A84E835F1CD90F4C76:907F2593AC9EF5F725D66D6B6D0EF532
The next set of questions asks for the plaintext passwords for each user. I fired up Ophcrack and loaded one of their tables (XP free fast) along with the password dump. I got the following results:
Combining LM Pwd 1 with LM Pwd 2 allowed me to capture the rest of the flags for the Windows password cracking section.
A nice overview of NTLM vulns:
http://www.windowsecurity.com/articles-tutorials/authentication_and_encryption/How-Cracked-Windows-Password-Part1.html
Regular Season Game #1 – Linux (MD5) Passwords
https://54.83.60.127/NCL-G1-LPASS-MD5.txt
Like the Windows passwords, the first set of questions asks for the MD5 hashes in the password dump. MD5-crypt hashes can be identified by their $1$ prefix. Each hash has 34 characters, 31 without the $1$. Here are the flag values:
- user 1: jQJTHNwB$2AoXu6iN9UL8cHhoTHUhG1
- user 2: NrPAaXgR$dHvfNH4x59H0.JAvFKcGs.
- user 3: wYuvEXSE$xeyncGbFzek24RK3UALrd1
- user 4: ZLuOykzb$hdtik677TIWheLL95XrNc0
- user 5: 7klGL1B4$PgBFIqqafSzze2uB4Lf8n.
- user 6: RnZU3Asb$JhQO4pIJJnLDQLhEhOyrR/
- user 7: fUXrd0XS$2Se9bmnjVe7G5SGTf6zjJ0
- user 8: i1ykQed/$9NrT6ivuUZurBFwmrc2Om1
- user 9: btINzqfg$2nG3KGsydv8Q8ALuyAqdl1
The second set of questions again asks for plaintext passwords. I compiled a list of states with the years they joined the Union. I then ran that list through hashcat and nabbed a few points:
Although I tried playing with the cases and removing the last number (see Illinois above), I was unable to get any more of the passwords.
Regular Season Game #1 – Linux (SHA) Passwords
https://54.83.60.127/NCL-G1-LPASS-SHA.txt
Rinse, repeat. SHA-crypt password hashes are based on either SHA-256 or SHA-512, identified by a $5$ or a $6$ prefix respectively. A SHA-256 hash is 55 characters and a SHA-512 hash is 98 characters. To save space and time, the hashes from the dump and the results I was able to find through hashcat are shown together. Easy points.
This turned out to be a useful site when I was trying to identify hashes:
http://www.breakthesecurity.com/2011/08/different-types-of-hash-codes-how-to.html
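The three password sections above all start with the same step: recognising the format from its prefix and length (LM:NT pairs of 32 hex characters, $1$ at 34 characters, $5$ at 55, $6$ at 98). The Python below is an added example, not the NCL files nor Ophcrack or hashcat output, that encodes those rules as patterns and adds the audit check a defender wants on an LM:NT dump (whether LM hashes are still being stored). Every sample string in it is constructed with the right shape; the only real constants are the well-known LM and NT hashes of the empty password.

```python
"""Identify the hash formats in a Game 1 style password dump and flag weak ones.
Added example, not the NCL files or hashcat/Ophcrack output; every sample
string below is constructed with the right shape and length."""
import re

HEX32 = r"[0-9A-Fa-f]{32}"
B64 = r"[./0-9A-Za-z]"  # crypt(3) hash alphabet

# Well-known LM and NT hashes of the empty password.
EMPTY_LM = "AAD3B435B51404EEAAD3B435B51404EE"
EMPTY_NT = "31D6CFE0D16AE931B73C59D7E0C089C0"

PATTERNS = [
    # pwdump style LM:NT pair, 32 hex chars each
    ("ntlm-pair (LM:NT)", re.compile(rf"^{HEX32}:{HEX32}$")),
    # $1$ + 8-char salt + $ + 22-char hash = 34 chars
    ("md5-crypt ($1$)", re.compile(rf"^\$1\${B64}{{8}}\${B64}{{22}}$")),
    # $1$ dropped, as in the flag values submitted above: 31 chars
    ("md5-crypt (no $1$ prefix)", re.compile(rf"^{B64}{{8}}\${B64}{{22}}$")),
    # $5$ + optional rounds + salt + $ + 43-char hash (55 chars with an 8-char salt)
    ("sha256-crypt ($5$)", re.compile(rf"^\$5\$(rounds=\d+\$)?{B64}{{1,16}}\${B64}{{43}}$")),
    # $6$ + optional rounds + salt + $ + 86-char hash (98 chars with an 8-char salt)
    ("sha512-crypt ($6$)", re.compile(rf"^\$6\$(rounds=\d+\$)?{B64}{{1,16}}\${B64}{{86}}$")),
]


def identify(value):
    """Name the hash format of one dump entry, or 'unknown'."""
    value = value.strip()
    for name, pattern in PATTERNS:
        if pattern.match(value):
            return name
    return "unknown"


def audit_ntlm_pair(pair):
    """Defender's view of an LM:NT pair: a non-empty LM hash means a password of
    14 characters or fewer is stored in the weak LM form; an empty NT hash means
    the account has no password at all."""
    lm, nt = pair.strip().upper().split(":")
    findings = []
    if nt == EMPTY_NT:
        findings.append("empty password")
    if lm == EMPTY_LM:
        findings.append("LM hash disabled (good)")
    else:
        findings.append("LM hash present (weak; disable LM storage)")
    return findings


def summarise_dump(lines):
    """Count formats across a dump whose lines look like 'user N: <hash>'."""
    counts = {}
    for line in lines:
        # split off only the user label; the NT half of an LM:NT pair keeps its colon
        _, _, value = line.partition(":")
        name = identify(value)
        counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed dump: dummy salts/hashes of the right length, not NCL values.
SAMPLE_DUMP = [
    "user 1: " + EMPTY_LM + ":" + EMPTY_NT,
    "user 2: $1$abcdefgh$0123456789abcdefghijkl",
    "user 3: abcdefgh$0123456789abcdefghijkl",
    "user 4: $5$abcdefgh$" + "A" * 43,
    "user 5: $6$rounds=5000$abcdefgh$" + "B" * 86,
]

if __name__ == "__main__":
    for line in SAMPLE_DUMP:
        print(line[:40], "->", identify(line.partition(":")[2]))
    print(summarise_dump(SAMPLE_DUMP))
    print(audit_ntlm_pair(EMPTY_LM + ":" + EMPTY_NT))
```

The audit function is the part worth keeping after the game: on a real dump, any entry whose LM half is not the empty-password constant shows that LM storage is still enabled on that system.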
Regular Season Game #1 – Network Capture 1
https://54.83.60.127/NCL-G1-NC-1.pcap
I didn’t make it very far with this challenge. I found that the protocol being scanned was SNMP by opening Wireshark and looking at the statistics for number of packets sent by protocol. From there I was able to determine the origin and destination IPs: 192.168.201.128 and 192.168.201.1.
Regular Season Game #1 – OSINT 3
This flag was odd. I don’t think more than a handful of people would have been able to figure this one out without help – they certainly wouldn’t have had time. The most efficient way to find this flag is to surf the web for the answer. It turns out, you can find it here:
http://www.nationalcyberleague.org/2012/Fall/2012_Challenge_Explanations.pdf
Just in case you’re extra lazy and don’t want to browse the link for the flag, I was able to use 1290c8ae9f867dde48f16044b9e18bc1 to score points. I noticed that the NCL staff reused quite a few questions from the graveyard, the pre-season game and even between the regular and post season games.
Regular Season Game #1 – OSINT 6
https://54.83.60.127/NCL-G1-OSINT-6.tgz
After expanding this file, there are 6 files. Using the cat command on flag.1.asc, it shows a PGP header. Using cat on passphrase shows a value of IcedTea. I’d like to say I could give a lengthy explanation of how PGP is used to encrypt email and how to set up a client. But, I was pinched for time so rather than going through the trouble of setting up a client on my workstation, I found a website that would allow me to decrypt PGP messages: igolder.com
After throwing some PGP-ness at it, I found all three flags:
Flag 1: NCL-JKOB-8972
Flag 2: NCL-XGCF-3487
Flag 3: NCL-NDSV-6482
Regular Season Game #1 – Web Application Exploitation
This one was pretty easy. I used Tamper Data again. When submitting a user name of 1, here’s what the data going to this website looks like:
To get the flag, change a’s value to true and send the info. This is the result:
Regular Season Game #1 – Web Application Exploitation
The player is presented with a simple login form with user name and password fields. Viewing the source of the page shows JavaScript being loaded from another address, https://54.83.60.127/.NCL-G1-WEB-3.js. Here’s the JavaScript on that page:
var _0x6382=["\x51\x77\x65\x72\x74\x79\x37\x38\x39\x34\x33\x6E\x73\x66\x64\x21\x21","\x4E\x43\x4C\x2D\x34\x33\x36\x39\x2D\x4E\x49\x4E\x45","\x49\x6E\x76\x61\x6C\x69\x64\x20\x4B\x65\x79"];function getFlag(_0x17b7x2){if(_0x17b7x2==_0x6382[0]){alert(_0x6382[1]);} else {alert(_0x6382[2]);} ;} ;
The code has been obfuscated by replacing each ASCII character with its hex escape sequence (\x51 is Q, \x77 is w, and so on). See http://defindit.com/ascii.html for a translation list. I went to http://www.unphp.net/decode and threw the JavaScript into the decoder. The result is:
<? var _0x6382=["Qwerty78943nsfd!!","NCL-4369-NINE","Invalid Key"];function getFlag(_0x17b7x2){if(_0x17b7x2==_0x6382[0]){alert(_0x6382[1]);} else {alert(_0x6382[2]);} ;} ; ?>
Inside the text is a flag!
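The decoder site is doing nothing more than expanding JavaScript string escapes, which is a few lines of Python. This is an added example, not the decoder site's code or NCL's; OBFUSCATED_JS is the script quoted above copied verbatim, and the functions (unescape_js, decode_string_array, deobfuscate, hex_escape_ratio) are names chosen here. The lesson for anyone writing a login form is the one the flag makes obvious: a password compared inside client-side code is readable by every visitor no matter how it is encoded, so the check has to happen on the server.

```python
"""Undo the hex-escape obfuscation used in NCL-G1-WEB-3.js. Added example, not
the decoder site's code; OBFUSCATED_JS is the script quoted above, copied as-is."""
import re

OBFUSCATED_JS = r'var _0x6382=["\x51\x77\x65\x72\x74\x79\x37\x38\x39\x34\x33\x6E\x73\x66\x64\x21\x21","\x4E\x43\x4C\x2D\x34\x33\x36\x39\x2D\x4E\x49\x4E\x45","\x49\x6E\x76\x61\x6C\x69\x64\x20\x4B\x65\x79"];function getFlag(_0x17b7x2){if(_0x17b7x2==_0x6382[0]){alert(_0x6382[1]);} else {alert(_0x6382[2]);} ;} ;'

# One JS escape: \xHH, \uHHHH, or a single escaped character
ESCAPE_RE = re.compile(r"\\x([0-9A-Fa-f]{2})|\\u([0-9A-Fa-f]{4})|\\(.)")
SIMPLE_ESCAPES = {"n": "\n", "t": "\t", "r": "\r"}
# A double-quoted JS string literal (escaped quotes allowed inside)
STRING_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')


def unescape_js(body):
    """Turn the escaped body of a JS string literal into readable text."""
    def repl(m):
        if m.group(1):
            return chr(int(m.group(1), 16))
        if m.group(2):
            return chr(int(m.group(2), 16))
        # \\ \" \' and any other single escape stand for the character itself
        return SIMPLE_ESCAPES.get(m.group(3), m.group(3))
    return ESCAPE_RE.sub(repl, body)


def decode_string_array(js):
    """All double-quoted literals in the script, decoded, in order."""
    return [unescape_js(body) for body in STRING_RE.findall(js)]


def deobfuscate(js):
    """Rewrite the script with every literal in plain form (quotes re-escaped)."""
    return STRING_RE.sub(
        lambda m: '"' + unescape_js(m.group(1)).replace('"', r'\"') + '"', js
    )


def hex_escape_ratio(js):
    """Share of string-literal text written as \\xHH escapes (4 chars each):
    a quick tell that a script was run through this kind of obfuscator."""
    bodies = STRING_RE.findall(js)
    total = sum(len(b) for b in bodies)
    escaped = sum(b.count("\\x") for b in bodies) * 4
    return escaped / total if total else 0.0


if __name__ == "__main__":
    print(decode_string_array(OBFUSCATED_JS))
    print(deobfuscate(OBFUSCATED_JS))
    print(hex_escape_ratio(OBFUSCATED_JS))
```

On this script every literal character is an escape, so the ratio is exactly 1.0; on ordinary minified code it is close to zero, which makes the ratio a cheap triage signal when reviewing scripts pulled from a page.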
Post Season – Crypto 3
https://54.83.60.127/NCL-G3-CRYPTO-3.txt
The questions:
- What is the last name of the author of the decoded document?
- What is the title of the decoded document?
- What is the flag in the decoded document?
The info we can get from the text file:
- It’s long: good for data sampling
- It looks like a normal document with punctuation and spacing
- There don’t seem to be any special characters or numbers in place of letters
That narrows the options. I tried a few ciphers like ROT13 and Atbash. I had success when I tried Rumkin’s letter-pair replacement solver: http://rumkin.com/tools/cipher/cryptogram.php
Here’s a screenshot of the result:
The decrypted text shows The Tragedie of Macbeth by William Shakespeare, July, 2000 [Etext #2264]. So, there are answers to the first two questions. The third flag can be found using find in any text editor or web browser. About a third of the way through the deciphered text, this shows up:
And there’s the last answer.
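The three observations that narrowed the options (long text, punctuation and spacing intact, no digits or symbols standing in for letters) describe a monoalphabetic substitution cipher, of which ROT13 and Atbash are just two fixed keys. The Python below is an added example, not the Rumkin solver or anything from the challenge file: it implements the general cipher, the profile checklist, the index of coincidence that stays unchanged under any letter-for-letter swap (the statistical tell for this family), and the frequency-ranking first cut that a cryptogram solver starts from. PLAINTEXT, the seed and the function names are constructed here.

```python
"""Monoalphabetic substitution, the family the Crypto 3 text belonged to, with
the traits that give it away. Added example; PLAINTEXT and the keys are
constructed here, nothing is taken from the challenge file."""
import random
import string
from collections import Counter

ALPHABET = string.ascii_lowercase

# Constructed English sample (only the letters matter for the statistics).
PLAINTEXT = (
    "When the letters of a message are swapped one for one, the spaces and the "
    "punctuation survive and the letter counts do not change at all. That is why "
    "the statistics of the ciphertext still look like English, and why a long "
    "sample makes the solver's job easier rather than harder."
)


def random_key(seed=7):
    """A full 26-letter permutation; ROT13 and Atbash are just two special cases."""
    letters = list(ALPHABET)
    random.Random(seed).shuffle(letters)
    return dict(zip(ALPHABET, letters))


ROT13 = {c: ALPHABET[(i + 13) % 26] for i, c in enumerate(ALPHABET)}
ATBASH = {c: ALPHABET[25 - i] for i, c in enumerate(ALPHABET)}


def invert(key):
    return {v: k for k, v in key.items()}


def substitute(text, key):
    """Apply a letter map; case is kept and everything else passes through."""
    out = []
    for ch in text:
        low = ch.lower()
        if low in key:
            sub = key[low]
            out.append(sub.upper() if ch.isupper() else sub)
        else:
            out.append(ch)
    return "".join(out)


def uniform_noise(n, seed=1):
    """Letters drawn uniformly at random, for comparison against real text."""
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(n))


def index_of_coincidence(text):
    """Chance two letters drawn from the text match: about 0.066 for English,
    about 0.038 for uniform noise. A bijective letter swap leaves it unchanged."""
    letters = [c for c in text.lower() if c in ALPHABET]
    n = len(letters)
    if n < 2:
        return 0.0
    counts = Counter(letters)
    return sum(f * (f - 1) for f in counts.values()) / (n * (n - 1))


def profile(text):
    """The three observations from the writeup plus the IC, as a checklist."""
    return {
        "length": len(text),
        "punctuation_and_spacing_kept": any(c in " ,.;:!?'" for c in text),
        "has_digits": any(c.isdigit() for c in text),
        "ic": round(index_of_coincidence(text), 3),
    }


def frequency_guess(cipher, english_order="etaoinshrdlcumwfgypbvkjxqz"):
    """First-cut decryption key: rank ciphertext letters by frequency and line
    them up with English's order. Expect several wrong pairs; refine by hand."""
    counts = Counter(c for c in cipher.lower() if c in ALPHABET)
    ranked = [c for c, _ in counts.most_common()]
    ranked += [c for c in ALPHABET if c not in counts]
    return dict(zip(ranked, english_order))


if __name__ == "__main__":
    key = random_key()
    ct = substitute(PLAINTEXT, key)
    print(ct[:60])
    print(profile(PLAINTEXT), profile(ct))
    print(substitute(ct, frequency_guess(ct))[:60])  # partly readable first cut
```

The profile of the ciphertext is identical to the profile of the plaintext apart from the letters themselves, which is exactly what the three observations in the writeup were picking up on; a transposition or polyalphabetic cipher would have changed the IC.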
NCL Pre Season Zip File
NCL Game1 Zip File
NCL Game2 Zip File
NCL Post Season Zip File