Saturday, December 1, 2012

How I won the NCL 2012 Championship

National Cyber League 2012

Before the NCL 2012 championships, I was ranked 6th nationally and 3rd in the midwest conference. I ended up winning the NCL championships with 12,00 points or 9/25 flags. This is a write up of the challenge that won the competition for me.


Web Exploitation - Target 3

We're presented with the following page. This is the best screenshot I have of the original page. The only files that existed originally are flag_01.php, index.php, and put.php.


After some tinkering, I discovered I could upload files to the server using the HTTP PUT method. I kept uploading blank files such as roar.html and LOLNCL.html. I didn't understand how I could upload a php file with the data I specify. Earlier on, I analyzed all of the requests and responses with a tool called Burp Suite. I realized I could simply append my code to the raw HTTP request. I sent a GET request for put.php to Repeater within Burp Suite and added my code to the end of the request. The php code I added is a system command to list all the files and permissions.


I browse to https://184.72.228.91/.pwn.php and see the same files as we saw in index.php. From here, I changed the php code to a php web shell called b374k shell.
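From the defender's side, the whole chain above leaves a clear trail in the web server access log: a write method (PUT) accepted for a script or hidden file, followed by a GET of that same path. The following log scanner is an added example, not code from the original post or from NCL; the log lines it checks are constructed to mirror this write-up, and the field layout assumes the Apache/nginx "combined" format.

```python
import re
from typing import Dict, List

# Apache/nginx combined log format: ip ident user [ts] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
# Methods that create or change content on the server (WebDAV included).
WRITE_METHODS = {"PUT", "MOVE", "COPY", "PROPPATCH", "MKCOL"}
# Extensions the server would execute rather than serve as static data.
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar|jsp|aspx?|cgi|pl)$", re.IGNORECASE)

# Constructed sample log, modelled on the steps in this write-up (not a real capture).
SAMPLE_LOG = """\
203.0.113.5 - - [01/Dec/2012:13:02:11 +0000] "GET /index.php HTTP/1.1" 200 512
203.0.113.5 - - [01/Dec/2012:13:03:40 +0000] "PUT /roar.html HTTP/1.1" 201 0
203.0.113.5 - - [01/Dec/2012:13:05:02 +0000] "PUT /.pwn.php HTTP/1.1" 201 0
203.0.113.5 - - [01/Dec/2012:13:05:09 +0000] "GET /.pwn.php HTTP/1.1" 200 2048
198.51.100.9 - - [01/Dec/2012:13:06:00 +0000] "GET /flag_01.php HTTP/1.1" 200 77
"""


def find_upload_abuse(log_text: str) -> List[Dict[str, str]]:
    """Flag accepted write requests (worst: script or dot-file names) and any later
    request to a path that a write request created earlier in the same log."""
    findings: List[Dict[str, str]] = []
    uploaded = set()  # paths successfully written so far
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        method, path, status = m["method"], m["path"], m["status"]
        name = path.rsplit("/", 1)[-1]
        if method in WRITE_METHODS:
            reasons = []
            if SCRIPT_EXT.search(name):
                reasons.append("script-extension")
            if name.startswith("."):
                reasons.append("hidden-file")
            if status.startswith("2"):
                uploaded.add(path)
                reasons = reasons or ["write-method-accepted"]
            if reasons:
                findings.append({"ip": m["ip"], "method": method, "path": path,
                                 "reason": "+".join(reasons)})
        elif path in uploaded:
            # The uploaded file is now being requested: likely execution of a web shell.
            findings.append({"ip": m["ip"], "method": method, "path": path,
                             "reason": "executed-uploaded-file"})
    return findings
```

Running `find_upload_abuse(SAMPLE_LOG)` on the constructed log yields three findings: the accepted PUT of roar.html, the PUT of the hidden script .pwn.php, and the GET that executes it.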



Flag 1


I view the contents of flag_01 and find the first flag for Web Exploitation - Target 3.



Flag 3


I browsed to the /home directory. There was a user called ubuntu. I browsed to /home/ubuntu/ and looked at the files. The third flag was sitting in a file in plaintext.

cat flag_03.txt


Flag 4 and 5


I browse to the root (/) directory and find flag_04.txt.asc, flag_04.txt.pgp, flag_05.tgz.asc, flag05_tgz.gpg, pub.key, and gpg.key. I downloaded all of these files to my desktop, which runs 64-bit Arch Linux.

# import the public key
gpg --import ~/Downloads/pub.key
# import the private key
gpg --allow-secret-key-import --import ~/Downloads/gpg.key
# decrypt the file
gpg -d ~/Downloads/flag_04.txt.asc > flag_04.txt
# view the flag
cat flag_04.txt
# decrypt the file
gpg -d ~/Downloads/flag_05.tgz.asc > flag_05.tgz
# decompress the file
tar zxvf flag_05.tgz
# view the flag
cat flag_05.txt



That's how I won the NCL 2012 Championship. I was surprised more people didn't solve this challenge since all I really had to do was upload a web shell, look at files, download files, and decrypt them.