Saturday, December 1, 2012

How I won the NCL 2012 Championship

National Cyber League 2012

Before the NCL 2012 championships, I was ranked 6th nationally and 3rd in the Midwest conference. I ended up winning the NCL championships with 12,00 points, or 9/25 flags. This is a write-up of the challenge that won the competition for me.


Web Exploitation - Target 3

We're presented with the following page. This is the best screenshot I have of the original page. The only files that existed originally were flag_01.php, index.php, and put.php.


After some tinkering, I discovered I could upload files to the server using the HTTP PUT method. I kept uploading blank files such as roar.html and LOLNCL.html, but I didn't understand how I could upload a PHP file containing data I specified. Earlier on, I had analyzed all of the requests and responses with a tool called Burp Suite, and I realized I could simply append my code to the raw HTTP request. I sent a GET request for put.php to Repeater within Burp Suite and added my code to the end of the request. The PHP code I added was a system command to list all the files and their permissions.


I browsed to https://184.72.228.91/.pwn.php and saw the same files as in index.php. From here, I changed the PHP code to a PHP web shell called b374k.
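As an added example (not part of the original post), this is the kind of access-log check a defender could run to spot what the write-up describes: a write method such as PUT landing a server-executable extension or a dotfile, and later requests for that hidden script. The log format is the common Apache/nginx "combined" format and the sample lines are constructed.

```python
import re

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Extensions the web server would execute if a client managed to write them.
EXEC_EXT = {".php", ".phtml", ".php5", ".jsp", ".asp", ".aspx", ".cgi"}
# Methods that create or modify server-side files; a normal site rarely needs them.
WRITE_METHODS = {"PUT", "DELETE", "MOVE", "COPY", "PROPPATCH", "MKCOL"}

# Constructed sample log lines mirroring the upload sequence in the post.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Dec/2012:10:01:12 -0600] "GET /index.php HTTP/1.1" 200 512
10.0.0.5 - - [01/Dec/2012:10:03:40 -0600] "PUT /roar.html HTTP/1.1" 201 0
10.0.0.5 - - [01/Dec/2012:10:07:02 -0600] "PUT /.pwn.php HTTP/1.1" 201 0
10.0.0.5 - - [01/Dec/2012:10:07:30 -0600] "GET /.pwn.php HTTP/1.1" 200 2048
10.0.0.9 - - [01/Dec/2012:10:08:00 -0600] "GET /flag_01.php HTTP/1.1" 200 77
""".splitlines()


def classify(line):
    """Return an alert string for a suspicious access-log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    method, path, status = m["method"], m["path"], int(m["status"])
    name = path.rsplit("/", 1)[-1].split("?", 1)[0]
    ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
    reasons = []
    if method in WRITE_METHODS:
        reasons.append(f"write method {method}")
        if ext in EXEC_EXT:
            reasons.append("executable extension written")
        if name.startswith("."):
            reasons.append("hidden filename")
    elif ext in EXEC_EXT and name.startswith("."):
        reasons.append("request for hidden executable")
    if not reasons:
        return None
    if 200 <= status < 300:  # 2xx means the server actually honoured the request
        reasons.append("server accepted it")
    return f'{m["ip"]} {method} {path} -> {status}: ' + ", ".join(reasons)


def scan(lines):
    """Run classify() over a log and keep only the lines that raised an alert."""
    return [a for a in (classify(l) for l in lines) if a]
```

Running `scan(SAMPLE_LOG)` flags the two PUTs and the follow-up GET of the dotfile script, while the ordinary GETs pass silently; the same rule set also covers the WebDAV write methods, not just PUT.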



Flag 1


I viewed the contents of flag_01 and found the first flag for Web Exploitation - Target 3.



Flag 3


I browsed to the /home directory. There was a user called ubuntu. I browsed to /home/ubuntu/ and looked at the files. The third flag was sitting in a file in plaintext.

cat flag_03.txt


Flag 4 and 5


I browsed to the root (/) directory and found flag_04.txt.asc, flag_04.txt.pgp, flag_05.tgz.asc, flag05_tgz.gpg, pub.key, and gpg.key. I downloaded all of these files to my desktop, which runs 64-bit Arch Linux.

# import the public key
gpg --import ~/Downloads/pub.key
# import the private key
gpg --allow-secret-key-import --import ~/Downloads/gpg.key
# decrypt the file
gpg -d ~/Downloads/flag_04.txt.asc > flag_04.txt
# view the flag
cat flag_04.txt
# decrypt the file
gpg -d ~/Downloads/flag_05.tgz.asc > flag_05.tgz
# decompress the file
tar zxvf flag_05.tgz
# view the flag
cat flag_05.txt



That's how I won the NCL 2012 Championship. I was surprised more people didn't solve this challenge since all I really had to do was upload a web shell, look at files, download files, and decrypt them.

22 comments:

  1. I'm still not really sure how you uploaded the PHP shell. Did you get a chance to cat put.php?

    Replies
    1. I used the HTTP PUT method, which allowed an unrestricted file upload. Yes, I looked at all of the files created by the NCL staff once I accessed the web shell.

      Some links for you:

      https://www.owasp.org/index.php/Unrestricted_File_Upload
      https://www.owasp.org/index.php/Testing_for_HTTP_Methods_and_XST_(OWASP-CM-008)

    2. Hello Chris, any idea on how to strengthen myself on CTF? It is my biggest challenge now.
      Thanks,

  2. Should probably mention that the "tinkering" you did was someone else giving away the answer - everything else in that screenshot was done by another user.

    Replies
    1. That was the only screenshot I took of that page during the competition. That was a few hours into it as well. At this point, I already had a hidden web shell called .pwn.php. No one gave the answer away except the NCL staff. Having a file called put.php made it easy enough to figure out what was needed to solve the challenge. However, someone did run Nikto on the web server, which created some files, if that's what you're referring to; if someone gave the answer away, why didn't anyone else solve the challenge?

  3. Very nicely done. Just downloaded a copy of that b374k shell, and I have to say that I like it! Very nice tool.