Tag Archives: Wireshark

2014 NCL Pre-Season Write-Up

Password Cracking for Windows Passwords

Part one of the section asked what the password hashes were for specific users. To answer those, you simply had to copy the correct hash format and paste it into the flag entry dialog box.

Part two of the section asked what the plaintext passwords were for specific users. In order to get the passwords, you had to decrypt the NTLM hashes. I found that the quickest way to decrypt the NTLM hashes was to use the online tool provided by http://www.hashkiller.co.uk/ntlm-decrypter.aspx.

Password Cracking for Linux Passwords

Part one of the section asked what the password hashes were for specific users. I used the same method as with the Windows passwords, copy and pasting the hash into the flag entry dialog box.

Part two of the section asked what the plaintext passwords were for specific users. In order to get the passwords, you had to decrypt the MD5 hashes. I found that the quickest way to decrypt the MD5 hashes was to use John the Ripper.

Part three of the section asked what the password hashes were for each specific user and this time the encryption method used was SHA-256. In order to determine the hash algorithm, you must look into how Linux stores passwords. $5$ indicates that the SHA-256 algorithm was used to hash the passwords. Knowing which hash algorithm was used may be required depending on which tool you are going to use to crack them.

Below is a guide for future reference.

$1$= MD5

$2$=Blowfish

$2a=eksblowfish

$5$=SHA-256

$6$=SHA-512

The flags for this section were captured by copying and pasting the hashes into the flag submission dialog box.

Part four of the section asked what the plaintext passwords were for specific users. In order to get the passwords, you had to decrypt the SHA-256 salted hashes. Again, I used John the Ripper. Note in the screenshot below that John the Ripper was able to detect the SHA-256 hash algorithm.

John the Ripper was unable to decrypt user5 and after several additional tries, I moved on.

Network Traffic Analysis

I used Wireshark to analyze the four PCAP files provided for this portion of the challenge. If you have used Wireshark before, the majority of the questions are fairly straight forward. When I first began using Wireshark, I found the best way to learn was by capturing my own network traffic and analyzing it.

Network Capture 1 – Questions and Answers

Image1

In order to determine which IP address was sending ICMP requests, I applied a filter (icmp.resp_in) that would show me all ICMP requests. From there it was a matter of singling out the source IP (192.168.201.8) and pasting it into the flag dialog box.

Image2

Image3

To find the IP address of the system replying to the ICMP requests you can look at the destination of the ICMP request (10.10.10.20).

Image4

Image5

Using the same filter (icmp.resp_in) that was used to see all of the ICMP requests, you can look at the bottom of the window pane to see how many requests are being displayed by the filter, in this case there were 19 ICMP requests being displayed.

Image6

Image7

To see how many ICMP responses were in the capture, you can add “not” to the beginning of the previously used filter (not icmp.resp_in). Again, looking to the bottom of the window pane, you can see that there were 19 ICMP responses.

Image8

Network Capture 2 – Questions and Answers

Image9

In order to find the IP address of the FTP user, I applied the “ftp” filter to eliminate all non-FTP traffic. Once the filter was applied, it was a matter of identifying the source IP address (10.10.10.20) of the FTP request.

Image10

image11

To find the IP address of the FTP server, you need to identify the source IP address (192.168.201.8) of the FTP response.

Image12

image13

To find the Default Gateway to the FTP user, you can use the “ARP” filter. This may not always be the easiest way; however, because there was only one broadcast and one reply in the capture, it turned out to be straight forward.

image14

image15

image16

Finding the username and password can be completed by looking at the information in the Info column.

image17

Additionally, the entire conversation can be viewed by right clicking on one the ACKs and following the TCP stream.

image18

image19

You can see using the screenshot above that the name of the uploaded file was passwords.txt

image20

To view the contents of the uploaded file you need to find the packets that contain FTP-DATA in the Protocol column, right click on one of them and Follow the TCP Stream.

image21

A dialog box will open containing the contents of the file. You should use the “Save as” option to export the data out and use a MD5 generator such as “Hash my Files” to get the needed MD5.

image22

The MD5 for the exported text was: B0B625BD4997A9C43258FC9C320FD24D

Network Capture 3 – Questions and Answers

The questions in this section were self-explanatory; however, I listed screen shots of the answers for those that may have not seen questions like them before.

image23

image24

image25

image26

image27

image28

image29

image30

image31

image32

image33

image34

image35

image36

image37

image38

image39

image40

Network Capture 4 – Questions and Answers

image41

image42

image43

image44

image45

image46

image47

image48

Scanning and Reconnaissance

Recon 1 – Questions and Answers

For this section you were provided with an IP address and asked to determine which TCP and UDP ports were open. The questions were phrased as follows:

image1

The TCP portion had several questions like the one above and could be answered by using a scanning tool, such as NMAP. I used Zenmap, which is a GUI version of NMAP on this portion of the challenge.

Using Zenmap, I ran an Intense scan, all TCP port which generates the following Nmap Command:

nmap -p 1-65535 -T4 -A -v 54.83.4.56

All the questions could be answered by looking at the port numbers in numerical order.

The UDP portion contained the same questions, but instead asked for the UDP port numbers.

Using Zenmap, I ran an Instense can plus UDP which generates the following Nmap command:

nmap -sS -sU -T4 -A -v 54.83.4.56

Recon 2 – Questions and Answers

For this section, an IP address was provided and scanned using Zenmap.

image2

The Zenmap scan revealed one open http port (19283).

image3

Entering the IP address and specifying the port number revealed the first flag.

image4

image5

Viewing the source of the webpage revealed Flag 2, 3, 4 and an encoded value for Flag 5.

image6

To determine what Flag 5 was, the encoded texted was plugged into an online base64 decoder. Flag 5 was revealed.

Image7

Open Source Intelligence

For this section it is important to remember what the topic is.

The target IP address provided leads to a webpage containing a cross-site scripting vulnerability.

image1

If you view the Page Source you will find the following hints:

image2

Googling one of the flag hints will lead you to the document containing the answers.

“Flag 1: Cause an alert box to popup via a permalinked search URL –!>”

I must admit that this section only came easy because the exact same challenge, containing the same flags were explained in the publicly released NCL 2012 Challenge Explanations, which I had read prior to the start of the pre-season.

The second portion involved the same steps as above with a new target IP

image3

image4

Web Application Exploitation

Web 1

For this challenge, you were given an IP address, which led you to the following page:

As you can see there is a cost involved in order to reveal the flag and you do not have enough coins to get them all.

To reveal the flags for this section, I used the Inspect Element feature on the page and deleted the node highlighted in yellow below, for each flag. Instead of deleting the entire node, the value could also be changed.

100 coins node

Web 2

This section contains the same concept as the previous section.

Deleting “Hidden” from the ‘type’ field modified the page so that a form became available.

Entering a negative value in the form field resulted in adding coins to the balance.

-2000 coins

Adding -2000 into the form resulted in adding ten times that amount into the coin balance.

 20010 Coins

Leave a Comment

2014 NCL (NATIONAL CYBER LEAGUE) Fall Season Competition Highlights

Pre-Season – Web 1

https://50.17.253.154/

This website allows players to “buy” flags. The player is given 100 coins, but only the first two flags can be purchased for 100 or less. What to do… Using a Firefox (Iceweasel) add-on called Tamper Data, I was able to modify the data being sent to the server before it left the browser.  The post parameters are the flag value, the cost and the submit value.

NCL-PS-Web1-1

Changing the flag value to 5 and the cost to 1 and submitting yields the following (if you want to go black hat, change the cost to a negative number and make them pay you for the flag!):

NCL-PS-Web1-2

From here, it’s just a matter of changing the flag values and grabbing the flags:

  • Flag 5: Purcahse Complete! Your Flag Is: NCL-CDEW-0922
  • Flag 4: Purcahse Complete! Your Flag Is: NCL-BRSA-2083
  • Flag 3: Purcahse Complete! Your Flag Is: NCL-AVBY-5907
  • Flag 2: Purcahse Complete! Your Flag Is: NCL-MOWX-8903
  • Flag 1: Purcahse Complete! Your Flag Is: NCL-TXSQ-7436

Pre-Season – Web 2

https://107.20.220.67/

This is pretty much a variation on Web 1.  Again, using Tamper Data and looking at the data being sent to the server, we can view the contents of the cookie:

PHPSESSID=2eq43ie2v0a99ah19q02apo2l4; balance=10

NCL-PS-Web2

If this one isn’t obvious to you at this point, you should be worried.  Add some zeros to the end of the cookie before submitting the data and purchase flags!

  • Flag 1: Purcahse Complete! Your Flag Is: NCL-NBCE-1694
  • Flag 2: Purcahse Complete! Your Flag Is: NCL-CNDE-2783
  • Flag 3: Purcahse Complete! Your Flag Is: NCL-KVFF-3872
  • Flag 4: Purcahse Complete! Your Flag Is: NCL-BQWZ-4961
  • Flag 5: Purcahse Complete! Your Flag Is: NCL-NUCY-5050

Flag 6 is a little tricky: the flag post parameter has to be changed to 6 (same as Web 1).  Sure enough, out pops a flag:

Flag 6: Purcahse Complete! Your Flag Is: NCL-YJQB-7784

* A hint to future competitors: they consistently misspelled “purchase” during these events.  Miss spelled words might be useful for dorking around Google in the future.

Regular Season Game #1 – Windows Passwords

https://54.83.60.127/NCL-G1-WPASS.txt

The first set of flags were simply the password hashes for users. The file contains Windows NTLM hashes. Submitting the following values scored me the first few flags:

user 1:
AD2BDE9CC8E479299FBD15C3DDF0F61A:A500CBD27B12976F4804B5690A342CBF

user 2:
5001A00F4650EC76B860FD51000926C2:DB80ADD99160DA0F9C281511095D07CD

user 3:
E10A286420A2510F62A72A32DC92B5E9:E6D3EFA8B8A5F5F59AF00545080CDD3F

user 4:
63E2A1C4D243DE94143F8BD9AE9E0363:A0D8A650127E0908A9F3F703D637C844

user 5:
B8E0E9DC83EA5B49502F6688C8117CC0:CBAEB336AD4D89EF3F3F6C409066A253

user 6:
E820485E1EEB2630804BA7F997DB0CCB:02790417482A6C3CB102B78DD0631B25

user 7:
53B18B4865B9831CC3C7FBF701056E09:96C2D395790C07953CE6C10AF2B185EF

user 8:
252E471234E267F23EE02AFCCAA01AA9:E22012526A405AB6EBC0F2ABF5276C24

user 9:
07B6E12CC2C064A84E835F1CD90F4C76:907F2593AC9EF5F725D66D6B6D0EF532

The next set of questions asks for the plaintext passwords for each user. I fired up Ophcrack and loaded one of their tables (XP free fast) along with the password dump. I got the following results:

Ophcrack-NCL-G1

Combining LM Pwd 1 with LM Pwd 2 allowed me to capture the rest of the flags for the Windows password cracking section.

A nice overview of NTLM vulns:
http://www.windowsecurity.com/articles-tutorials/authentication_and_encryption/How-Cracked-Windows-Password-Part1.html

Regular Season Game #1 – Linux (MD5) Passwords

https://54.83.60.127/NCL-G1-LPASS-MD5.txt

Like the Windows passwords, the first set of questions asks for the MD5 hashes in the password dump. The beginning of MD5 hashes can be identified by $1$. Each hash has 34 characters, 31 without the $1$. Here are the flag values:

user 1:
jQJTHNwB$2AoXu6iN9UL8cHhoTHUhG1

user 2:
NrPAaXgR$dHvfNH4x59H0.JAvFKcGs.

user 3:
wYuvEXSE$xeyncGbFzek24RK3UALrd1

user 4:
ZLuOykzb$hdtik677TIWheLL95XrNc0

user 5:
7klGL1B4$PgBFIqqafSzze2uB4Lf8n.

user 6:
RnZU3Asb$JhQO4pIJJnLDQLhEhOyrR/

user 7:
fUXrd0XS$2Se9bmnjVe7G5SGTf6zjJ0

user 8:
i1ykQed/$9NrT6ivuUZurBFwmrc2Om1

user 9:
btINzqfg$2nG3KGsydv8Q8ALuyAqdl1

The second set of questions again asks for plain text passwords. I compiled a list of states with the years they joined the Union. I then ran that list through hashcat and nabbed a few points:

hashcatMD5-NCL-G1

I tried playing with the cases and removing the last number (see Illinois above), I was unable to get any more of the passwords.

Regular Season Game #1 – Linux (SHA) Passwords

https://54.83.60.127/NCL-G1-LPASS-SHA.txt

Rinse, repeat. SHA passwords are often either 256-bit or 512-bit, being identified with a $5$ or a $6$ correspondingly. A SHA-256 hash is 55 characters and a SHA-512 hash is 98 characters. To save space/time, you can see the hashes from the dump and the results I was able to find through hashcat. Easy points.

hashcatSHA-NCL-G1

This turned out to be a useful site when I was trying to identify hashes:
http://www.breakthesecurity.com/2011/08/different-types-of-hash-codes-how-to.html

Regular Season Game #1 – Network Capture 1

https://54.83.60.127/NCL-G1-NC-1.pcap

I didn’t make it very far with this challenge. I found that the protocol being scanned was SNMP by opening Wireshark and looking at the statistics for number of packets sent by protocol. From there I was able to determine the origin and destination IPs: 192.168.201.128 and 192.168.201.1.

Regular Season Game #1 – OSINT 3

https://107.21.102.190

This flag was odd. I don’t think more than a handful of people would have been able to figure this one out without help – they certainly wouldn’t have had time. The most efficient way to find this flag is to surf the web for the answer. It turns out, you can find it here:

http://www.nationalcyberleague.org/2012/Fall/2012_Challenge_Explanations.pdf

Just in case you’re extra lazy and don’t want to browse the link for the flag, I was able to use 1290c8ae9f867dde48f16044b9e18bc1 to score points. I noticed that the NCL staff reused quite a few questions from the graveyard, the pre-season game and even between the regular and post season games.

OSINT3-NCL-G1

Regular Season Game #1 – OSINT 6

https://54.83.60.127/NCL-G1-OSINT-6.tgz

After expanding this file, there are 6 files. Using the cat command on flag.1.asc, it shows a PGP header. Using cat on passphrase shows a value of IcedTea. I’d like to say I could give a lengthy explanation of how PGP is used to encrypt email and how to set up a client. But, I was pinched for time so rather than going through the trouble of setting up a client on my workstation, I found a website that would allow me to decrypt PGP messages: igolder.com

OSINT6-NCL-G1

After throwing some PGP-ness at it, I found all three flags:
Flag 1: NCL-JKOB-8972
Flag 2: NCL-XGCF-3487
Flag 3: NCL-NDSV-6482

Regular Season Game #1 – Web Application Exploitation

https://54.225.116.75

This one was pretty easy. I used Tamper Data again.  When submitting a user name of 1, here’s what data going to this website looks like:

WebExploit-NCL-G1-1

To get the flag, change a’s value to true and send the info. This is the result:

WebExploit-NCL-G1-2

Regular Season Game #1 – Web Application Exploitation

https://54.225.116.75/

The player is presented with a simple login form with user name and password field.  Viewing the source of the page shows javascript being called from another web address at https://54.83.60.127/.NCL-G1-WEB-3.js.  Here’s the javascript on that page:

var _0x6382=["\x51\x77\x65\x72\x74\x79\x37\x38\x39\x34\x33\x6E\x73\x66\x64\x21\x21","\x4E\x43\x4C\x2D\x34\x33\x36\x39\x2D\x4E\x49\x4E\x45","\x49\x6E\x76\x61\x6C\x69\x64\x20\x4B\x65\x79"];function getFlag(_0x17b7x2){if(_0x17b7x2==_0x6382[0]){alert(_0x6382[1]);} else {alert(_0x6382[2]);} ;} ;

The code has been obfuscated by replacing ascii characters with hex characters.  See http://defindit.com/ascii.html for a translation list.  I went to http://www.unphp.net/decode and threw the javascript into the decoder.  The result is:

<?  var _0x6382=["Qwerty78943nsfd!!","NCL-4369-NINE","Invalid Key"];function getFlag(_0x17b7x2){if(_0x17b7x2==_0x6382[0]){alert(_0x6382[1]);} else {alert(_0x6382[2]);} ;} ;  ?>

Inside the text is a flag!

Post Season – Crypto 3

https://54.83.60.127/NCL-G3-CRYPTO-3.txt

The questions:

  • What is the last name of the author of the decoded document?
  • What is the title of the decoded document?
  • What is the flag in the decoded document?

The info we can get from the text file:

  • It’s long: good for data sampling
  • It looks like a normal document with punctuation and spacing
  • There don’t seem to be any special characters or numbers in place of letters

That narrows the options. I tried a few cyphers like ROT13 and Atbash. I had success when I tried Rumkin’s letter-pair replacement solver: http://rumkin.com/tools/cipher/cryptogram.php

Here’s a screenshot of the result:

NCL-PostS-Crypto3-1

The decrypted text shows The Tragedie of Macbeth by William Shakespeare, July, 2000 [Etext #2264]. So, there are answers to the first two questions. The third flag can be found using find in any text editor or web browser. About a third of the way through the deciphered text, this shows up:

NCL-PostS-Crypto3-2

And there’s the last answer.

 

 

NCL Pre Season Zip File
NCL Game1 Zip File
NCL Game2 Zip File
NCL Post Season Zip File

Leave a Comment