Saturday, December 1, 2012

How I won the NCL 2012 Championship

National Cyber League 2012

Before the NCL 2012 championships, I was ranked 6th nationally and 3rd in the Midwest conference. I ended up winning the NCL championships with 12,00 points, or 9/25 flags. This is a write-up of the challenge that won the competition for me.

Web Exploitation - Target 3

We're presented with the following page. This is the best screenshot I have of the original page. The only files that existed originally are flag_01.php, index.php, and put.php.

After some tinkering, I discovered I could upload files to the server using the HTTP PUT method. I kept uploading blank files such as roar.html and LOLNCL.html. I didn't understand how I could upload a php file with the data I specify. Earlier on, I had analyzed all of the requests and responses with a tool called Burp Suite. I realized I could simply append my code to the raw HTTP request. I sent a GET request for put.php to Repeater within Burp Suite and added my code to the end of the request. The php code I added is a system command to list all the files and their permissions.

I browse to and see the same files as we saw in index.php. From here, I changed the php code to a php web shell called b374k shell.
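The pattern described above (a server that accepts PUT, a script uploaded with it, then a request to that script) leaves a recognisable trail in the web server's access log. The following detection script is an added example, not part of the original write-up; it runs over constructed log lines in the common "combined" format and flags accepted write methods, uploads of server-side script extensions, and any later request to a path that was uploaded.

```python
import re

# Constructed sample access log lines in Apache/nginx "combined" format (illustrative, not from the post).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Dec/2012:10:00:01 -0600] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Dec/2012:10:00:07 -0600] "GET /put.php HTTP/1.1" 200 341 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Dec/2012:10:01:12 -0600] "PUT /roar.html HTTP/1.1" 201 0 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Dec/2012:10:02:30 -0600] "PUT /cmd.php HTTP/1.1" 201 0 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Dec/2012:10:02:35 -0600] "GET /cmd.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Dec/2012:10:03:00 -0600] "PUT /notes.txt HTTP/1.1" 405 0 "-" "curl/7.27.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Methods that write into the docroot when the server (mis)allows them, and
# extensions the server would execute rather than serve as static content.
WRITE_METHODS = {"PUT", "DELETE", "PATCH", "MOVE", "COPY"}
SCRIPT_EXTS = (".php", ".phtml", ".php5", ".jsp", ".asp", ".aspx", ".cgi")

def analyze(log_text):
    """Return alerts as (severity, ip, method, path, reason) tuples.

    - any write method the server accepted (2xx) is suspicious on its own;
    - a write of a script extension is worse;
    - a later successful GET of a path that was uploaded means the
      uploaded code was very likely executed.
    """
    alerts, uploaded = [], set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the pipeline
        ip, method, path, status = m["ip"], m["method"], m["path"], int(m["status"])
        if method in WRITE_METHODS and 200 <= status < 300:
            if path.lower().endswith(SCRIPT_EXTS):
                alerts.append(("high", ip, method, path, "server-side script written via " + method))
            else:
                alerts.append(("medium", ip, method, path, "write method accepted by server"))
            if method == "PUT":
                uploaded.add(path)
        elif method == "GET" and path in uploaded and status == 200:
            alerts.append(("critical", ip, method, path, "request to file uploaded earlier via PUT"))
    return alerts

if __name__ == "__main__":
    for sev, ip, method, path, why in analyze(SAMPLE_LOG):
        print(f"[{sev:8}] {ip} {method} {path}: {why}")
```

The rejected PUT from 10.0.0.9 (status 405) produces no alert, which is the behaviour you want once the server is configured to refuse write methods.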

Flag 1

I view the contents of flag_01 and find the first flag for Web Exploitation - Target 3.

Flag 3

I browsed to the /home directory. There was a user called ubuntu. I browsed to /home/ubuntu/ and looked at the files. The third flag was sitting in a file in plaintext.

cat flag_03.txt

Flag 4 and 5

I browse to the root (/) directory and find flag_04.txt.asc, flag_04.txt.pgp, flag_05.tgz.asc, flag05_tgz.gpg, pub.key, and gpg.key. I downloaded all of these files to my desktop, which runs 64-bit Arch Linux.

# import the public key
gpg --import ~/Downloads/pub.key
# import the private key
gpg --allow-secret-key-import --import ~/Downloads/gpg.key
# decrypt the file
gpg -d ~/Downloads/flag_04.txt.asc > flag_04.txt
# view the flag
cat flag_04.txt
# decrypt the archive
gpg -d ~/Downloads/flag_05.tgz.asc > flag_05.tgz
# decompress the archive
tar zxvf flag_05.tgz
# view the flag
cat flag_05.txt

That's how I won the NCL 2012 Championship. I was surprised more people didn't solve this challenge since all I really had to do was upload a web shell, look at files, download files, and decrypt them.

Tuesday, January 31, 2012

How a random question changed my default search engine to DuckDuckGo

Last semester I created a registered student organization for those interested in penetration testing and security at my university. The club I created is focused on self-motivated students interested in getting their hands dirty to fill the gap left by the theory from class. I'm commonly asked questions about penetration testing, security, networking, Linux, and anything vaguely related. Some questions I don't give answers to because I feel the answer is easily obtainable using Google or a manual page. A fellow student from my university's security club asked me a question about a tool called Ettercap. Ettercap is a free and open source network security tool for man-in-the-middle attacks on a LAN. It can be used for computer network protocol analysis and security auditing. It runs on various Unix-like operating systems including Linux, Mac OS X, BSD and Solaris, and on Microsoft Windows. It is capable of intercepting traffic on a network segment, capturing passwords, and conducting active eavesdropping against a number of common protocols.

This is where the problem arose; he asked if there was an option in Ettercap to create a log file and claimed he couldn't find the answer on Google. This person is usually pretty good about finding information on his own, so I assumed he was making a simple mistake. I checked the man page for Ettercap on my own machine and found the proper command line option, -L. Even though I found the answer quickly, I began to wonder why he couldn't find the manual page on Google, or even a guide detailing how to use Ettercap; this just didn't make any sense. I started to investigate the issue and quickly realized that both of us were logged into our Google accounts; both of us had search history and personalization enabled as well. I realized that Google was filtering both of our results, and I couldn't simply tell someone to Google a subject anymore; giving the answer "Google it" could potentially return different results when two different people research a given subject. I began to wonder how I could tell two people to research a topic and get the same search results from a given query. This is where I learned about what Eli Pariser calls the "filter bubble".

This made me investigate some of the alternatives to Google. There are quite a few different Google anonymity services, such as Scroogle. However, this wasn't exactly getting away from Google. I wanted an alternative that could utilize Google and the other search engines available as well as provide encrypted communications. I remembered reading about a search engine called DuckDuckGo on Reddit. I decided to look into DuckDuckGo and give it a try. DuckDuckGo is exactly what I was looking for to solve this problem. I found out you can even utilize DuckDuckGo to search Google, Bing, and other websites. For example:

  • !g ettercap
  • !gi ettercap
  • !gv ettercap
  • !b ettercap
  • !bi ettercap

The first query (!g ettercap) searches Google for Ettercap, the second (!gi ettercap) does a Google image search for Ettercap, and the third (!gv ettercap) searches Google Videos for Ettercap. The other queries search using Bing instead of Google. The best part is that the results you get will be the same as everyone else's. I decided to change my Firefox configuration to use the encrypted version of DuckDuckGo in the address bar, much like Google Chrome functions. Here are the steps to do it:

  1. Type about:config in the address bar and press ENTER
  2. Locate and double-click the entry for keyword.URL
  3. Set the value to

Anyway, that's why I switched to DuckDuckGo. It's a much more feature-rich search engine. Last time I checked, you can't query every search engine available with Google.