Standard Instructor Guide

Standard Instructor Guide

• Open Source Intelligence
• Meta
• Tutorial Video
• Lookup
• Threat Intel
• HTTP Headers
• Guide
• WHOIS
• Guide
• PGP Lookup
• SSL
• Barcode
• Cryptography
• Number Bases
• Shift
• @bash
• Beep
• Fencing
• French
• RSA
• Linux
• DIR
• File Edit
• Basic Commands
• Background
• Guide
• Strings
• Log Analysis
• SSH
• Login
• VSFTPD
• Nginx
• History
• Squid
• Log Payments
• Network Traffic Analysis
• DNS
• FTP Traffic
• HTTP
• Telnet
• Packet Dissection
• Software Security
• Bytes
• Guide
• Python 1
• Python 2
• Python 3
• egov
• Never Winter Break
• Metro Lottery
• Metro Clinic
• Guide
• Tutorial Video

Open Source Intelligence

Meta

Objectives

Students will be able to use a metadata viewer to determine information about a photo that was taken.

Prompt

This challenge will give you experience with extracting metadata from an image file. You are given an image with contains metadata and you will need to use a metadata viewer to help answer the questions.

Questions

1. When was the image created? Round down to the nearest minute.
2. What are the dimensions of the image? (ex: 800x600)
3. What is the make of the camera that took the picture?
4. What is the model of the camera that took the picture?
5. What is the exposure time for the picture? (ex: 1/200)
6. Where was the picture taken? Please use only positive numbers with 4 decimal places. (ex: 45.4000N, 75.6667W)

Walkthrough

This challenge will give you experience extracting detailed metadata from a photo.

A quick Google search for “metadata viewer” will provide several websites that can be used to view the metadata from the image.

Download the image from the challenge prompt window. Upload the image to the viewer to get a table containing the metadata information. Below is a view of metadata2go.com , but other tools or sites will work as well.

Find the corresponding field in the table to get the answer to each question.

Useful Tools:

• Metadata viewer
• Convert GPS coordinates from DMS (degree, minute, second) format to decimal format
• Use the Tutorial Video below

Tutorial Video

Watch our full Tutorial Video to learn more about open source intelligence and see a walkthrough of how to solve this challenge:

Cyber Skyline Live - Open Source Intelligence Basics - March 17, 2022

In Cyber Skyline Live - Open Source Intelligence Basics, you'll learn from Franz Payer, CEO of Cyber Skyline, about how to leverage online search tools to find key information. Reach out with questions at contact@cyberskyline.com. Cyber Skyline is the organizer of the National Cyber League, a bi-annual, all-virtual cybersecurity student competition, advancing hands-on skills and knowledge. Check the website at nationalcyberleague.org for details on NCL.

www.youtube.com

Gym Answer Key

1. When was the image created? (Round to the nearest minute) How to solve: See the “Create Date” field from the metadata viewer Answer: 2015/05/15 02:14
2. What is the image size in pixels? (ex: 800x600) How to solve: See the “Image Size” field from the metadata viewer Answer: 1024x768
3. What is the make of the camera that took the picture? How to solve: See the “Make” field from the metadata viewer Answer: apple
4. What is the model of the camera that took the picture? How to solve: See the “Model” field from the metadata viewer Answer: iphone 5
5. What is the exposure time for the picture? (ex: 1/200) How to solve: See the “Exposure Time” field from the metadata viewer Answer: 1/640
6. Where was the picture taken? Please use only positive numbers with 4 decimal places. (ex: 45.4000N, 75.6667W) How to solve: See the “GPSPosition” field from the metadata viewer| Possible answers: ● 39.8750N 20.0100E ● 39.8750N, 20.0100E ● 39 deg 52' 30.00" N, 20 deg 0' 36.00" E ● 39 deg 52' 30.00" N 20 deg 0' 36.00" E ● 39.8750 20.0100 ● N 39° 52' 30'' E 20° 0' 36'’ ● Latitude 39:52:30 Longitude 20:0:36 ● 39; 52;30 20;0; 36 ● 39º 52' 30.00" N, 20º 0' 36.00" E Incorrect answers: ● 39.8750 -20.0100 ● -39.8750 -20.0100 ● -39.8750N, 20.0

Extension Activities

Lookup

Objectives

Students will be able to find and use a specification document to answer questions about DNS.

Prompt

Answer these questions about DNS. Make sure you enter the record type and not the description of the record type.

Questions

Answer these questions about DNS. Make sure you enter the record type and not the description of the record type:

1. What type of DNS record holds the DNSSEC public signing key?
2. What type of DNS record is used to map hostnames to IPv6 addresses?
3. What type of DNS record is used to delegate a DNS zone?

Walk-through

This challenge will give you experience conducting online research in order to answer specific technical questions involving the Domain Name System (DNS) protocol.

A quick online search of each question should provide several sources with the answer. Be careful to make sure that the answer that you obtain can be verified using an authoritative source. If you search for “DNS protocol specification”, you should find that the Internet Engineering Task Force (IETF) publishes the specification for DNS. You should use IETF resources as the authoritative source for answers.

Knowing how to read and understand a specification document is important because many technologies across all industries use these types of documents to keep implementation uniform.

Gym Answer Key

1. What type of DNS record hold the DNSSEC public signing key?

How to solve: DNSSEC is described in RFC 4034. The information related to the record can be found in section 2.

Answer: DNSKEY

2. What type of DNS record is used to map hostnames to IPv6 addresses?

How to solve: The DNS Extension to Support IPv6 is described in RFD 3596. The information related to the record can be found in section 2.

Answer: AAAA

3. What type of DNS record is used to delegate a DNS zone?

How to solve: The DNS record to delegate a DNS zone is described in RFC 1035. Answer this challenge require reading the specification to understand what it means to delegate a DNS zone in order to identify that they DNS record type that is need to delegate a DNS zone is the one that indicates an authoritative name server.

Answer: NS or Name Server

Extension Activities

Threat Intel

Objectives

Students will be able to use search tools to answer questions about security topics.

Prompt

Answer the following questions about security issues.

Questions

Answer the following questions about security issues:

1. What is the CVE of the original POODLE attack?
2. What version of VSFTPD contained the smiley face backdoor?
3. What was the first 1.0.1 version of OpenSSL that was NOT vulnerable to heartbleed?
4. What was the original RFC number that described Telnet?
5. How large (in bytes) was the SQL Slammer worm?
6. Samy is my…

Walk-through

This challenge will give you experience conducting research on common security vulnerabilities. All that is required to solve these questions is to query online search engines and find multiple sources to confirm the answers.

Wikipedia can be a good place for open source intelligence work because multiple sources for the information are often linked on the page. Always be sure to double check and verify your answer with another source!

When you want to make searching Wikipedia easier, or search any webpage or document, use CTRL + F on your keyboard and enter what you want to find into the dialog box that pops up.

Gym Answer Key

1. What is the CVE of the original POODLE attack?

How to solve: The answer to this question can be found on Wikipedia.

Answer: CVE-2014-3566

2. What version of VSFTPD contained the smiley face backdoor?

How to solve: The answer to this question can be found on Wikipedia.

Answer: 2.3.4

3. What was the first 1.0.1 version of OpenSSL that was NOT vulnerable to heartbleed?

How to solve: The answer to this question can be found on Wikipedia.

Answer: 1.0.1g

4. What was the original RFC number that described Telnet?

How to solve: The answer to this question can be found on Wikipedia.

Answer: 15

5. How large (in bytes) was the SQL Slammer worm?

How to solve: The answer to this question can be found on Wikipedia.

Answer: 376

6. Samy is my…

How to solve: The answer to this question can be found on Wikipedia.

Answer: hero

Extension Activities

HTTP Headers

Objectives

Students will be able to find resources to understand different types of HTTP request headers.

Prompt

Solve these questions about HTTP headers.

Questions

Solve these questions about HTTP headers.

1. What HTTP request header is used to denote what URI linked to the resource being requested?
2. What HTTP request header is used to identify the client software that made the HTTP request?
3. What HTTP request header is used to identify the acceptable content types that can be returned?

Walk-through

This challenge will give you experience researching HTTP headers.

The answers to these questions can be found by doing an online search. A full table of HTTP headers can be found on Wikipedia.

Guide

A useful skill for this challenge is to easily search or find keywords or phrases on a webpage. One method involves using the search function by pressing “CTRL + F” on the keyboard. This opens a dialog box where a keyword or short phrase can be entered to find specific content on the page.

It may be helpful to research and define unfamiliar terms from the question beforehand for better comprehension. Afterward, using “CTRL + F” can assist in identifying related terms or similar language within the page content.

Gym Answer Key

1. What HTTP request header is used to denote what URI linked to the resource being requested?

How to solve: The description for this header is, “This is the address of the previous web page from which a link to the currently requested page was followed.” Note that the official specification for this header has “referrer” spelled incorrectly as “referer”.

Answer: referer

2. What HTTP request header is used to identify the client software that made the HTTP request?

How to solve: The description for this header is, “The user agent string of the user agent.”

Answer: user-agent

3. What HTTP request header is used to identify the acceptable content types that can be returned?

How to solve: The description for this header is, “Media type(s) that is/are acceptable for the response. See Content negotiation.”

Answer: accept

Extension Activities

WHOIS

Objectives

Students will be able to conduct a WHOIS query to learn publicly available information about a domain name.

Prompt

Conduct open source intelligence data collection about cityinthe.cloud. Answer the following questions as they relate to the cityinthe.cloud domain.

Questions

Conduct open source intelligence data collection about cityinthe.cloud. Answer the following questions as they relate to the cityinthe.cloud domain.

1. Who is the registrar of this domain?
2. On what day was this domain first registered?
3. What is this domain's registry domain ID?
4. What is the Top-Level Domain (TLD) of this domain?
5. What organization manages the TLD used by cityinthe.cloud?

Walk-through

This challenge involves conducting a WHOIS query on a domain name. WHOIS is a protocol for querying databases that store information about Internet resources and domain names.

A domain name is a human-readable address that identifies resources on the Internet. Instead of the numerical IP addresses (e.g. 8.8.8.8) that computers use, domain names (e.g. google.com) provide an easier way for humans to access the Internet.

Guide

To solve this challenge, an executable tool (such as the standard whois command-line tool found on *nix systems) can be used or try a browser-based DNS lookup tool such as ICANN’s registration lookup tool.

Breaking Down a Domain Name

A quick search of the .cloud top-level domain will pull up the Wikipedia article for the .cloud TLD (shown below) which will help provide key information to solving this challenge.

This research shows that the .cloud TLD is delegated by ICANN and managed by Aruba S.p.A., making these two organizations authoritative sources regarding the .cloud TLD. Based on this information, ICANN’s registration lookup tool can be queried with confidence that its results are authoritative and should be preferred over those from third-party sources.

The results of the cityinthe.cloud query on the ICANN lookup tool (below) provide enough information to solve all the questions posed in this challenge.

Useful Resources:

• Domain Name Wikipedia page - https://en.wikipedia.org/wiki/Domain_name
• What is DNS? How DNS works Cloudflare Blog - https://www.cloudflare.com/learning/dns/what-is-dns/
• Linux command line tool—
  whois(1): client for whois service - Linux man page
• .cloud Wikipedia page - https://en.wikipedia.org/wiki/.cloud
• ICANN Registration data lookup tool - https://lookup.icann.org/en

Gym Answer Key

1. Who is the registrar of this domain?

How to solve: See the “Registrar Information” section from the ICANN lookup results

Answer: Dynadot

2. On what day was this domain first registered?

How to solve: See the “Created” field from the ICANN lookup results

Answer: 2016-02-16

3. What is this domain's registry domain ID?

How to solve: See the “Registry Domain ID” field from the ICANN lookup results

Answer: D15CD1AC4DEB54207A5048A69B9FC0558-ARI

4. What is the Top-Level Domain (TLD) of this domain?

How to solve: See the description of how the domain name can be broken down

Answer: cloud

5. What organization manages the TLD used by cityinthe.cloud?

How to solve: See the research about the TLD.

Answer: Aruba

Extension Activities

PGP Lookup

Objectives

Students will query a public key database to identify the types of information stored there.

Prompt

Individuals use PGP to securely encrypt their emails, can you find out more about the following PGP keys?

Questions

Individuals use PGP to securely encrypt their emails, can you find out more about the following PGP keys?

1. What is the key fingerprint for security@cpanel.net?
2. What email address is associated with the key fingerprint 7A39A56B73D1E097D57435CFCDE2DE1DCB2077F2?
3. On what date does the above key expire (in UTC)?

Walk-through

This challenge involves conducting a lookup on a PGP (Pretty Good Privacy) database. PGP utilizes public-key cryptography wherein a public/private key pair is used to encrypt, decrypt, and sign messages.

PGP cryptography allows a message to be encrypted so that it can only be decrypted by its intended recipient. To achieve this, the sender will use the recipient’s public key to encrypt the message so that only the recipient’s private key can decrypt the message.

The premise behind this challenge is that there are public databases that store records of public keys and their owners so that a sender may obtain their recipient’s public key to encrypt a message for them. Solving this challenge requires querying these databases to obtain this information. Some popular PGP lookup databases include, keyserver.ubuntu.com, keys.openpgp.org, and pgp.mit.edu.

There is no one single authoritative source keeping records of public keys, so it is important to compare the results across multiple different databases.

Below is a query using the keyserver.ubuntu.com database:

Gym Answer Key

1. What is the key fingerprint for security@cpanel.net?

How to solve: There are two possible options. The fingerprint is the hexadecimal string that follows the rsa4096/ . See the above for a screenshot.

Answer: B6709B4CC6F42077F69841919521BEDCABD94DDF

2. What email address is associated with the key fingerprint 7A39A56B73D1E097D57435CFCDE2DE1DCB2077F2?

How to solve: The email address is to the right of uid in search results. See the above for a screenshot.

Answer: hx@liber8tion.cityinthe.cloud

3. On what date does the above key expire (in UTC)?

How to solve: The expiry date is indicated with the “key expir” column. Make sure not to confuse “cr. time” (creation time) with “key expir” (expiry time). The answer is in the second to last column on the right (including the column of blue text). See the above for a screenshot.

Answer: 2050-12-26

Extension Activities

SSL

Objectives

Students will use a browser in order to analyze a SSL certificate chain.

Prompt

Solve the following questions about the Cyber Skyline SSL certificate.

Note: if you see references to "BitDefender" in the process of solving this challenge, that means your BitDefender software is intercepting your SSL/TLS connection and will produce incorrect results.

Questions

1. Who is the issuer for Cyber Skyline's SSL certificate?
2. How many bits long is the SSL key?
3. How many certificates are in the certificate chain?

Walk-through

This challenge will give you experience viewing and analyzing SSL certificate chains. SSL certificates help to secure the communication between a client and a server. Most modern browsers should have an interface to view the certificates in a SSL certificate chain. In this example, Google Chrome is used.

Start by clicking the icon next to cyberskyline.com URL. Then click on the “Connection is secure” section in the dropdown.

The SSL chain can then be accessed by clicking on the “Certificate is valid” option.

The Certificate Viewer will contain all of the details needed to answer the questions.

Gym Answer Key

1. Who is the issuer for Cyber Skyline's SSL certificate?

How to solve: The issuer is listed in the “General” tab under “Issued By → Common Name”.

Possible Answers:

sectigo

comodo

2. How many bits long is the SSL key?

How to solve: The number of bits is listed in the “Details” tab under “Certificate Fields → *.cyberskyline.com → Certificate → Subject Public Key Info → Subject’s Public Key”.

Answer: 2048

3. How many certificates are in the certificate chain?

How to solve: The number of certificates can be counted by looking at how many certificates are listed in the “Details” tab under “Certificate Hierarchy”.

Answer: 3

Extension Activities

Barcode

Objectives

Students will be able to use a barcode reader to identify hidden information.

Prompt

We intercepted a barcode we think might be hiding a flag. See if you can find it.

Questions

We intercepted a barcode we think might be hiding a flag. See if you can find it.

1. What format does the barcode use?
2. What is the flag hidden in the barcode?

Walkthrough

This challenge will give you experience conducting lookups on a standard barcode. The challenge provides a .gif of the barcode.

Solve this challenge by using mobile barcode scanning apps or an online barcode reader. Below is a screenshot of the barcode using https://online-barcode-reader.inliteresearch.com/ :

Gym Answer Key

1. What format does the barcode use?

How to solve: You can find the format under the “Type” field.

Possible Answers:

1. code 39
2. code39
3. Code_39
4. USD-3
5. Code 3 of 9
6. Code 3/9
7. Alpha 39
2. What is the flag hidden in the barcode?

How to solve: You can find the hidden flag by obtaining the value of the barcode in a barcode viewer.

Answer: SKY-UZLU-5635

Extension Activities

Cryptography

Number Bases

Objectives

Students will use tools to recognize and convert various number bases.

Prompt

Our analysts have obtained password dumps storing hacker passwords. After obtaining a few plaintext passwords, it appears that they are all encoded using different number bases.

Questions

Walk-through

This challenge will give you experience recognizing and converting number bases. Text represented in a different number base is considered “encoded.” Unlike encryption, encoding is more akin to translating a language. For example, when translating from Latin to English, the content remains readable but is presented in a different format. Often what is ‘reading’ the base encoded formats are computers, but people have learned to understand some encodings (like Morse Code).

Guide

To start this challenge, an understanding of different number bases and how to convert between them is essential. A conversion chart, like the one below, can be a helpful reference. Numerous websites and tools are available to assist in this process.

The conversion chart illustrates how values are represented across various number systems. The final column, labeled “Char” for character (also known as ASCII —American Standard Code for Information Interchange), displays the typical characters or text data that humans read. Computers, however, convert this ASCII input into mathematical formats, such binary.

When decoding number bases, the goal is often to convert from a numerical base into the ASCII for character text.

Source of Conversion Table

Another Conversion Chart Page

The challenge page includes a brief introduction to binary and hexadecimal. For more detailed information about converting between number bases, additional resources are available here.

Pro Tips

While conversion charts are helpful, they typically cover only a limited range of number systems. Exploring other common bases through web searches or using tools like Cyber Chef can provide further insight into how ASCII text appears in different numerical formats.

Useful tools for decoding/encoding:

• rumkin.com
• RapidTables
• CyberChef
• See our resources on how computers store data: https://trove.cyberskyline.com/computer-fundamentals-for-cybersecurity/data
• See our Tutorial Video below

Tutorial Video

Watch our full Tutorial Video to learn more specifics about encoding and number bases and see a walkthrough of how to solve this challenge:

Cyber Skyline Live: How Does Binary Work? - September 22, 2022

Learn from Franz Payer, CEO of Cyber Skyline, about how binary is used to represent data, how to use binary to store human-readable characters, and how to convert between different number bases. Reach out with questions at contact@cyberskyline.com. Cyber Skyline is the organizer of the National Cyber League, a bi-annual, all-virtual cybersecurity student competition, advancing hands-on skills and knowledge. Check the website at nationalcyberleague.org for details on NCL.

www.youtube.com

Gym Answer Key

1. 0x73636f7270696f6e

How to solve: This text is encoded in hexadecimal. This text can be converted to ASCII by hand or by using an online tool such as RapidTables or CyberChef. Note: The 0x is used to indicate that the value is hexadecimal and should not be converted.

Answer: scorpion

2. c2NyaWJibGU=

How to solve: This text is encoded in base64. You can identify this by analyzing the range of characters used in the message and recognizing that it falls within the range for base64 (A-Z, a-z, 0-9, +, /, and =). This text can be converted to ASCII by hand or by using an online tool such as Base64Decode or CyberChef.

Answer: scribble

3. 01110011 01100101 01100011 01110101 01110010 01100101 01101100 01111001

How to solve: This text is encoded in binary. You can identify this because there are only 1s and 0s in groups of 8. You can use an ASCII table to convert by hand or an online tool.

Answer: securely

4. 01100010 01000111 00111001 01110011 01100010 01000111 01101100 01110111 01100010 00110011 01000001 00111101

How to solve: This text is doubly encoded - first with base64 and then with binary. To revere the process, the message has to be converted from binary to ASCII, then base64 to ASCII. You can use the Binary Hex Converter followed by Base64Decode. It’s possible to combine these two steps using CyberChef.

Answer: lollipop

Extension Activities

Shift

Objectives

Students will decode a Ceasar shift cipher.

Prompt

Our analysts have obtained password dumps storing hacker passwords. It seems to be using a pretty simple encryption scheme, see if you can crack them.

Questions

Walk-through

This challenge will give you experience decoding shift ciphers.

This message is encrypted using ROT-13, the standard Caesar Cipher. It is called ‘ROT’ because the letters of the alphabet are ‘rotated’. The ‘13’ indicates the number of letters are shifted; which is half of the alphabet. Therefore, ROT-13 is also considered a Caesar shift of 13.

Below, the inner loop of the wheel represents the plaintext while the outer loop represents the ciphertext of a ROT-13 shift. Often cipher disks like this were used to help manually decode ciphers.

A Caesar shift can be decrypted by manually by matching ciphertext to possible plaintext letters, or by using online tools to make shifting through combinations faster.

Useful tools for decoding/encoding:

• rumkin.com
• RapidTables
• CyberChef
• Rot 13

Gym Answer Key

1. iveghny ynxr

How to solve: This message can be decoded by hand or through an online tool such as CyberChef.

Answer: virtual lake

Extension Activities

@bash

Objectives

Students will decode an atbash shift cipher.

Prompt

Our analysts have obtained password dumps storing hacker passwords. See if you can crack them.

Questions

Walk-through

This challenge will give you experience decoding shift ciphers. This message is encrypted using the atbash cipher.

The text for this challenge, at first, looks like a Caesar shift cipher. The atbash cipher is similar in that the alphabet is shifted, however, the entire alphabet is reversed. With an atbash cipher, there is only one way that the letters are shifted; this is not the case with a Caesar shift cipher.

Plaintext: ABCDE FGHIJK LMNOP QRSTUV WXYZ

Ciphertext: ZYXWV UTSRQP ONMLK JIHGFE DCBA

To decode, replace the ciphertext letter in the alphabet above with the plaintext letter that matches its position in the alphabet. For example, “U” is the 6th letter in the ciphertext alphabet, so it should be replaced with “F” to get the plaintext message.

You can also use the other tools below to help make sure you are using the right cipher to decode. Atbash and Caesar shift ciphers look very similar, so it is not entirely possible to know at first glance which is being used.

Useful tools for decoding/encoding:

• rumkin.com
• CyberChef

Gym Answer Key

1. hzuvob lyerlfh xzev

How to solve: This message can be decoded by hand or through an online tool such as Rumkin or CyberChef.

Answer: safely obvious cave

Extension Activities

Beep

Objectives

Students will recognize and decode morse code.

Prompt

Our analysts have intercepted an encoded message. See if you can decode it.

Questions

Walk-through

This challenge will give you experience decoding a message encoded with Morse Code.

Challenges that use Morse Code can be relatively easy to point out because of the binary nature of the output; there is a dot or there is a dash. You may notice here that a ‘/’ is also used. This delineates, or indicates, the end of a word.

Be aware that when looking for Morse Code charts to help translate (or if you’re interested in learning it for fun), that there are various alphabets for different languages. Some languages use additional letters and there is Morse Code for symbols as well.

Useful tools for decoding/encoding:

• Morse Code Translator
• CyberChef

Gym Answer Key

1. - .... . / ... . -.-. .-. . - / --- ..-. / --. . - - .. -. --. / .- .... . .- -.. / .. ... / --. . - - .. -. --. / ... - .- .-. - . -.. / ... -.- -.-- / -.. -.- ...- -... / ----. ---.. .---- -.…

How to solve: The message can be decoded by hand or through an online tool such as the Morse Code Translator or CyberChef.

Answer: THESECRETOFGETTINGAHEADISGETTINGSTARTEDSKYDKVB9816

Extension Activities

Fencing

Objectives

Students will recognize and decode a rail fence cipher.

Prompt

Our analysts have obtained encrypted messages. We saw hand-written notes that indicated the keys as being "3" and "5". See if you can crack them.

Questions

Walk-through

This challenge will give you experience decoding a transposition cipher. The messages are encrypted using the rail fence cipher.

To start this challenge, you can observe that there are some uppercase letters mixed with lowercase letters. There are also letters mixed with numbers. We can tell that somewhere there must be a flag. Notice that ‘S’,’K’ and ‘Y’ are in both ciphertexts and they are both capitalized, so the text used here must be scrambled around in a pattern.

Looking back at the prompt for this challenge, and even the title of the challenge, there are some clues about what to do next. Rail fence ciphers use keys to transpose text. This means that this cipher uses a key, or a number, to determine how to move the letters. Rail fence ciphers are also known as zig-zag ciphers. The key used here indicates how many “rails” to place the text on. See the encoding example below where the key is 4.

Plaintext: THIS IS A SECRET Ciphertext: TATHSSEIIERSC

To solve by hand, you can use some simple math operations and use the zig-zag format as shown above.

Example: Ciphertext: SSDETULCENORF key = 4

Start by subtracting 1 from the key, and multiply this number by 2. The product is the number of spaces apart the letters on the top and bottom rows are from each other. Use this number to place the letters of the ciphertext sequentially in the top row.

To determine how many letters are placed in the top row, divide the total number of characters in the ciphertext by the key. This value indicates how many characters belong in the top row of the transposition.

Shown below, using the results of the calculations, the ciphertext letters in the top row are placed in order 6 spaces apart and there are three letters in the top row.

0 1 2 3 4 5 6

Once you have the top row set, you need to fill in the ciphertext (SSDETULCENORF) sequentially across the row that follows, and so on, until you form the zig-zag message.

Online tools like CyberChef can also be used, however, be careful adding or removing spacing when entering the ciphertext into online tools. These tools often include the spacing in the decoding/encoding process, thus, adding or removing spaces will displace lettering in the output and you may not be able to decode the message.

Useful tools for decoding/encoding:

• CyberChef

Gym Answer Key

1. Cair eruSA-0org sgaeudrpesr K-II98ue cn seYQ3

How to solve: This question uses the rail fence cipher with the standard 3 rails and can be decoded using an online tool such as CyberChef.

Answer: Courage is grace under pressure SKY-AIQI-9380

2. F daS-eefn n KZ3eheadty.YI8lta oiwy-Q0. r aI2

F daS-eefn n KZ3eheadty.YI8lta oiwy-Q0 r aI2

How to solve: This question uses the rail fence cipher with a non-standard 5 rails and can be decoded using an online tool such as CyberChef.

Answer: Feel the fear and do it anyway. SKY-IQIZ-3802

Extension Activities

French

Objectives

Students will decrypt a Vigenère cipher.

Prompt

Our analysts have obtained an encrypted message. We know that the key, qizkwcgqbs was used. See if you can crack them.

Questions

Walk-through

This challenge will give you experience decoding polyalphabetic substitution ciphers. This message is encrypted using the Vigenère cipher.

To start this challenge, take a look at the ciphertext. There is clear formatting for something resembling the flag format, however, it does not start with ‘SKY’. This is a clue that the encryption method does not move the letters like the shift or transposition ciphers used in previous challenges. There is also a key: qizkwcgqbs. A Vigenère cipher, named for cryptographer Blaise de Vigenère, uses a key and encrypts letters in place as observed.

A table, like the one from dCode below, is used to encrypt and decrypt the message in conjunction with the key.

To decrypt, find the row on the left side with the first letter of the key. This challenge uses ‘Q’ as the first letter in the key. In row ‘Q’, scan across the table until you find the first letter of the ciphertext ‘Y’. Letter ‘Y’ is in the column of letter ‘I’ so the first letter of the plaintext message starts with ‘I’. Use the next letter of the key to find the next plaintext letter of the message.

The key has fewer letters than the message. Once all of the letters of the key have been used, keep using the key over and over until all of the ciphertext letters have been decrypted.

You can also use an online tools to help you decode a Vigenère cipher.

Useful tools for decrypting/encrypting:

• dCode
• CyberChef

Gym Answer Key

1. Y ln xkv lubj swlzqvkht, A vmzb pjk bbua we ddgs ILQ-GQYU-8026

How to solve: This message can be decoded by hand or through an online tool such as dCode or CyberChef.

Answer: I do not fear computers, I fear the lack of them SKY-QIZK-8026

RSA

Objectives

Use an understanding of key encryption to break a weak implementation of RSA.

Prompt:

Our analysts have obtained several artifacts from a message that was encrypted with RSA. We need you to decrypt the message and figure out what the hackers are up to.

n = 1079
e = 43
c = 996 894 379 631 894 82 379 852 631 677 677 194 893

Questions:

1. What is the value of p (the smaller prime)?

2. What is the value of q (the larger prime)

3. What is the plaintext of the encrypted message?

Walkthrough

This challenge involves using math to decrypt an RSA message. The premise behind this challenge is that the prime numbers that are used to generate the RSA keypairs are too small, making it trivial to reconstruct the keypair.

RSA Primer

Before attempting to decrypt the RSA message, it is important to understand how RSA encrypts messages. The simplified RSA process is as follows:

Generate the priv/pub key pair

1. Generate two prime numbers p and q
2. Calculate n, which is the value of $p * q$
3. Calculate values d and e such that $d * e \equiv 1 \bmod(p-1)(q-1)$
4. The public key consists of n and e and the private key consists of d p and q

Encrypt the message

1. Convert the plaintext message into an integer, m
2. Encrypt the message to obtain the ciphertext c, where $c \equiv m^e \pmod n$

Decrypt the message

1. Calculate the plaintext message m, where is $m = c^d \pmod n$

A deep understanding of the math equations used in RSA is not necessary to decrypt the message - just an understanding of the relationship between the different variables and where they are used in the process.

Breaking RSA

The information provided in the prompt includes the cipher text (c) and the public key used to encrypt the message (n and e). To decrypt the message, we will need to obtain the private key (d p and q). Once we have the private key, we can calculate m, the plaintext message.

From step 2 of the key generation process, we know that $n = p * q$. By using a prime factorization calculator, we can generate possible values for p and q. There should be only two possible values: 83 and 13.

The equation from step 3 of the key generation process can also be rewritten to obtain d. A scientific calculator or RSA calculator will need to be used to perform this calculation.

All of the values needed to decrypt the ciphertext are now present.

n = 1079
e = 43
c = 996 894 379 631 894 82 379 852 631 677 677 194 893

p = 83
q = 13
d = 595

With these values, the decryption equation can be used to obtain the plaintext, m. This step must be repeated for each item within the cipher text array.

The resulting value of m = 83 can then be looked up using the ASCII table to reveal that the first character of the plaintext message is “S”.

The remainder of the plaintext message can then be calculated by plugging in the remaining values of c into the equation.

Similarly, you can perform the same operations explained above by using the python script used in the tutorial video to get the decrypted message.

import gmpy2

e = 43
p = //add p here
q = //add q here
n = p*q

c= [
996,
894,
379,
631,
894,
82,
379,
852,
631,
677,
677,
194,
893
]
phi=(p-1)*(q-1)

d= gmpy2.invert(e, phi)
print(d)

for i in c:
	m=pow(i, d, n)
	print(chr(m))

print("")

Tutorial Video

Watch our full Tutorial Video to learn more specifics about RSA and see a walkthrough of how to solve this challenge:

Cyber Skyline Live: Decrypting an RSA Message - Oct 27, 2022

Learn from Franz Payer, CEO of Cyber Skyline, about how to decrypt an RSA message. Reach out with questions at contact@cyberskyline.com. Cyber Skyline is the organizer of the National Cyber League, a bi-annual, all-virtual cybersecurity student competition, advancing hands-on skills and knowledge. Check the website at nationalcyberleague.org for details on NCL.

www.youtube.com

Gym Answer Key

1. What is the value of p (the smaller prime)?

How to solve: Use the factor calculator on the value of n (1079)

Answer: 13

2. What is the value of q (the larger prime)

How to solve: Use the factor calculator on the value of n (1079)

Answer: 83

3. What is the plaintext of the encrypted message?

How to solve: Plug in each value of the ciphertext into the decryption function

Answer: SKY-KRYG-5530

Extension Activities

Linux

DIR

Objectives

Students will use commands via the Linux Command Line (CLI) to analyze files and directories.

Prompt

One of our analysts had their laptop damaged. However, we were able to recover and mount the hard drive. Access the terminal and recover various flags from the disk.

Questions

1. What are the contents of flag1.txt, found in root's home directory?
2. What are the contents of flag2.txt, found in the root directory?
3. What are the contents of flag3.txt, found in an archive in /var/log?
4. What are the contents of flag4.txt, found in the flag user's home directory?
5. What flag is printed when you run the flag5 program?
6. What is the full path to the flag5 program?

Walk-through

This challenge will give you experience running basic Linux commands. To solve these challenges, you will be using a Linux Command Line Interface (aka terminal or shell).

Background

The command line interface (CLI) functions similarly to File Explorer on Windows or Finder on macOS but relies on a text-based interface rather than a graphical user interface (GUI). Like its GUI counterparts, the CLI enables navigation through directories (folders) and the launching of files or programs. Upon opening the CLI, the prompt and command input line appear.

Commands entered at the prompt tell the CLI what task to perform; like navigating directories, displaying file contents, or renaming folders. Each action uses a specific program. Typing the program name, supplying any necessary input, and pressing “Enter” runs the command and displays the result. The following includes examples of these commands and outputs.

Guide

List files in a directory: ls

In this challenge, access is provided as the root user, with the session starting in root’s home directory. Running the ls (short for ‘list’) command displays the contents of the current directory. Press enter after typing ls to get the command to run.

Display contents of a file: cat

This directory listing shows that only 1 file. In order to display the contents of a file, run the cat command (short for concatenate) followed by the name of the file you wish to display. This is the output of cat flag1.txt:

Change to another directory: cd

Try navigating to other directories using the cd command (short for change directory). Add the file path you want to go to after the cd command. To navigate to the root directory, simply use a forward slash. After changing to the root directory, the command line prompt has switched from ~ to /. This is the output after running cd / :

The ~ symbol denotes the home directory of the current user, while / indicates the root directory. The term “root” can refer either to the root user (a superuser account) or the root directory (the top-level directory in the system).

In the root directory, running ls lists the files. Running ls in the root directory reveals additional items beyond flag2.txt, most of which are directories.

Extracting tar files: tar

Use the cd command to navigate to the /var/log directory and use ls to see the files there.

The flag file in this folder is stored as a tar archive, or tarball, indicated by the “.tar” extension. Similar to a zip file, a tarball packages multiple files for easier storage and transfer. Unlike zip files, tarballs are not compressed by default and often rely on gunzip for compression, noted by the “.gz” extension.

To access the files inside, the tar program is used to decompress and extract contents. This requires configuring command line flags which are single-letter options preceded by a hyphen. Each program defines its own flags and usage patterns.

For tar, the z flag enables decompression, x extracts the archive, v (optional) activates verbose output, and f signals that the archive filename follows. The tar -zxvf flag.tar.gz command will decompress and extract the files from the tarball:

The output includes ./flag/ and ./flag/flag3.txt, indicating that a folder named flag was extracted, containing a file named flag3.txt. The flag folder now appears in the current directory. Change to the flag directory to view the contents of flag3.txt.

Users & Home Directories: ~ or /home/

From the home directory, you can list the private directory of other users (if you have permission). As with Windows or macOS, each user on a Linux system has a private home directory, typically stored under /home/ . You can navigate directly to your own home directory by entering ~. The blue text below indicates a directory for a user named “flag”.

It is not required to switch users to view the contents of the ‘flag’ user’s folder because root is the default admin. However, if it was needed to switch users and become the ‘flag’ user use the su or ‘switch user’ command as follows and enter the password for that user. Notice how the user name changes from root to flag:

Run Programs:

There a couple ways to run programs. One way is to type in the program name and press enter. Running programs in user folders might not work if that user doesn’t have permission to run the program. Navigate back to root user’s home directory (~) or to the root directory (/). Below is the output of running the flag5 program:

Identify file paths: which

Non built-in Linux programs are simply files located somewhere in the file system. While it's possible to navigate directly to their directories, the command line automatically searches a predefined set of directories when a command is entered. The which command can be used to determine the location of a given program.

Useful tools for learning Linux:

• Linux Journey
• Use our Tutorial Video below

Tutorial Video

Watch our full Tutorial Video to learn more specifics about the Linux command line.

NCL Summer Live - Linux Command Line - Sep 14, 2021

Watch this live demonstration, especially for beginners, on Linux Command Line, presented by popular demand by the National Cyber League organizer Cyber Skyline CEO Franz Payer. Reach out with questions on NCL at info@nationalcyberleague.org. The National Cyber League, powered by Cyber Skyline, is a bi-annual, all-virtual cybersecurity student competition, advancing hands-on skills and knowledge. Check the website at nationalcyberleague.org for details.

www.youtube.com

Gym Answer Key

1. What are the contents of flag1.txt, found in root's home directory?

How to solve: Run cat flag1.txt from root’s home directory

Answer: SKY-FNKC-3207

2. What are the contents of flag2.txt, found in the root directory?

How to solve: Use cd / to navigate to the root directory and then run cat flag2.txt.

Answer: SKY-NPEJ-2501

3. What are the contents of flag3.txt, found in an archive in /var/log?

How to solve: Navigate to /var/log and then run tar -zxvf flag.tar.gz to extract the files from the archive.

Answer: SKY-FVHR-3562

4. What are the contents of flag4.txt, found in the flag user's home directory?

How to solve: Navigate to the /home/flag directory and then run cat flag4.txt.

Answer: SKY-SXIJ-6142

5. What flag is printed when you run the flag5 program?

How to solve: Run the flag5 program with the command flag5

Answer: SKY-UDSV-9689

6. What is the full path to the flag5 program?

How to solve: Run which flag5

Answers:

• /usr/bin/flag5
• /usr/bin/

Incorrect: ./usr/bin/flag5

Extension Activities

File Edit

Objectives

Students will use nano and Vim via the command line to create and edit files.

Prompt

Learn how to use command line file editors.

NOTE: The terminal session is logged. Please do not perform any denial of service attacks on the Linux server provided, malicious attempts to attack the Cyber Skyline platform will result in disqualification.

Questions

1. What key should you press in addition to the CTRL key to trigger the combination to exit nano?
2. What vim mode allows you to write new characters in the file?
3. What keyboard combination will save and quit the file with vim?
4. What keyboard combination will delete an entire line in vim?
5. What command would you use to rename a file?

Walk-through

This challenge will give you experience running basic Linux commands. To solve these challenges, you will be using a Linux Command Line Interface (aka terminal or shell).

Editing files in the Command Line Interface (CLI) requires a text-based editor, as graphical tools like Microsoft Word, Textedit, or Notepad aren't available. Common CLI editors include nano, vim, and Emacs. Nano is the simplest, while Vim and Emacs offer more advanced features but come with a steeper learning curve. This guide focuses on nano and Vim.

Guide

• Nano

To open nano, simply type nano into the terminal. File names can also be included as the second argument to the command. For example, nano example.txt will create a file named “example.txt” and will launch the application.

• Vim

Nano can often be too simple for certain tasks, which may be reason to use Vim. Start Vim by using the vim command and optionally providing a filename: vim example.txt

Vim relies on keyboard commands to perform editing tasks due to the lack of on-screen buttons. Only basic features are covered here. Commands like dd , which deletes lines, or shortcuts <SHIFT> + G , which jumps the cursor to the end of a file, become familiar with practice.

• Renaming, Copying and Deleting Files

After creating a file with nano or Vim, it can be renamed, copied, or deleted as needed.

Rename a File: mv

Use the mv (move) command to rename a file. Provide the original filename as the first argument and the new name as the second.

For example, mv example.txt newname.txt renames the file in the same directory. Include a different path in the second argument to move the file to another location. Below, the file “example.txt” was renamed to newname.txt, and then was moved to the “/” directory using mv newname.txt /newname.txt.

Tools to learn more about text editors:

• Linux Journey
• Vim adventures
• Use out Tutorial Video below

Tutorial Video

Watch our full Tutorial Video to learn more specifics about the Linux command line.

NCL Summer Live - Linux Command Line - Sep 14, 2021

Watch this live demonstration, especially for beginners, on Linux Command Line, presented by popular demand by the National Cyber League organizer Cyber Skyline CEO Franz Payer. Reach out with questions on NCL at info@nationalcyberleague.org. The National Cyber League, powered by Cyber Skyline, is a bi-annual, all-virtual cybersecurity student competition, advancing hands-on skills and knowledge. Check the website at nationalcyberleague.org for details.

www.youtube.com

Gym Answer Key

1. What key should you press in addition to the CTRL key to trigger the combination to exit nano?

How to solve: Start the nano from the Linux terminal. Instructions on the keyboard shortcuts should appear at the bottom of the screen. See the Trove for more detailed guidance.

Answer: x

2. What vim mode allows you to write new characters in the file?

How to solve: Search online for “vim mode to write new characters”. See the Trove for more detailed guidance.

Answer: insert

3. What keyboard combination will save and quit the file with vim?

How to solve: Search online for “how to save and quit with vim” and read the descriptions for the different keyboard combinations. See the Trove for more detailed guidance.

Answers:

1. :wq
2. wq
4. What keyboard combination will delete an entire line in vim?

How to solve: Search online for “vim delete line” and then read the descriptions for possible keyboard combinations. See the Trove for more detailed guidance.

Answer: dd

5. What command would you use to rename a file?

How to solve: Search online for “linux how to rename a file” and read about the most common commands. See the Trove for more detailed guidance.

Answer: mv

Extension Activities

Basic Commands

Objectives

Use open source tools and Linux command line knowledge to string Linux commands together.

Prompt

Learn the common basic commands used on the Linux command line.

NOTE: The terminal session is logged. Please do not perform any denial of service attacks on the Linux server provided, malicious attempts to attack the Cyber Skyline platform will result in disqualification.

Questions

1. What character can you use to redirect the output of one program as the input to another program?
2. What character can you use the redirect the output of a program to a file?
3. How many people have a first name of Jordan in names.csv?

Walk-through

This challenge will give you experience running basic Linux commands. To solve these challenges, you will be using a Linux Command Line Interface (aka terminal or shell).

Background

When running a Linux command, different options can be provided to get a specific behavior. One of these is arguments. Arguments always follow the name of the program and could provide information such as the file you wish to run the program on. You may also see arguments referred to as “options” or “flags”.

The syntax for arguments is set by the author of the program. You can often type in the name of the command followed by --help to get information on how to use the program.

For some programs, you can use the man (manual) program to pull up the instructions. If a program has a manual entry, you can open the manual by typing man followed by the name of the program.

Below is the man page for the ls command. You can view it by entering man ls into the command line:

If the -a argument is used with the ls command, all of the files, even the hidden ones which start with . , will be listed.

Multiple arguments can be added together. The -l argument will list the read, write, execute permissions, the users who can access the file, the file size, and the date modified.

Guide

Useful tools for learning Linux:

• Linux Journey

Gym Answer Key

1. What character can you use to redirect the output of one program as the input to another program?

How to solve: Search online for this question as-is. Make sure to find an answer that is specific to redirecting from output from one program to another program (and not to a file). See the Trove for additional guidance.

Answer: |

2. What character can you use the redirect the output of a program to a file?

How to solve: Search online for this question as-is. Make sure to find an answer that is specific to redirecting from output from one program to a file (and not to another program). See the Trove for additional guidance.

Answer: >

3. How many people have a first name of Jordan in names.csv?

How to solve: Use cut to grab only the column of first names, then use grep to search for “Jordan” and then use wc -l to get a line count.

cut -d "," -f 1 < names.csv | grep Jordan | wc -l

Answer: 2

Extension Activities

Strings

Objectives

Use the strings command to find hidden information in a file.

Prompt

The hackers have hidden a message in this image. Find out what it is.

Questions

1. What is the hidden flag in the image?

Walk-through

This challenge involves using the strings Linux command to find a hidden message. A random portion of the image file was modified to insert the message, which is why there is a distortion in the image. The horizontal distortion that occurs near the eye is a result of the corruption caused by inserting the hidden message randomly within the image data.

Background

Recall from the bases challenge about how data can be converted from one form to another. Some values in binary that are used in files are not convertible to text characters. strings will pull any binary data out of the file that corresponds to a text character. Text characters would include letters (abc), numbers (123), or symbols (&^,*).

Here is the output of the strings command used on the STEG.jpg file:

Guide

Searching Standard Output (stdout) : grep

The output of the strings command can be searched with another command; grep.

grep is a powerful search command that looks for characters matching the exact string entered by the user. grep is often used with the pipe character ( | ) to search the output of other commands or to format the output of grep.

This challenge specifies that a flag is contained in the image, therefore, grep could be used to look for binary data that converts to characters resembling the standard flag format. This can be done using the command below:

strings STEG1.jpg | grep SKY

Pro Tip

Using strings is a quick way to see if a flag is hidden within the file without needing to open other programs. However, this challenge could also be solved using a hex editor and searching for SKY in the ASCII data as shown below:

Gym Answer Key

1. What is the hidden flag in the image?

Answer: SKY-RCLO-4839

Extension Activities

Log Analysis

SSH

Objectives

Students will analyze the contents of an SSH log to identify adversarial behavior.

Prompt

Analyze this SSH log file to answer the following questions.

Questions

1. What is the hostname of the ssh server that was compromised?
2. What was the first IP address to attack the server?
3. What was the second IP address to attack the server?
4. What was the third IP address to attack the server?
5. Which user was targeted in the attack?
6. From which IP address was the attacker able to successfully log in?

Walk-through

This challenge will give you experience doing a manual analysis of an SSH (Secure Shell Protocol) log file. SSH is a service that allows a device to provide remote terminal access. No additional tools are required to solve this challenge, only the ability to infer the meaning of the data in the log.

To start, look at the content of the log. If you’re unfamiliar with SSH logs, you can query the internet to find out more about how they are structured and what different terms used in the log mean.

The message field will often include warnings or errors. The event details field will include when sessions initiate or authentication attempts.

The questions for this challenge imply that there is an attack on the server. To understand what that could mean, look at more of the log file. There seem to be a lot of failed password attempts for a certain account trying to connect to the server.

Looking more closely at the messages, it’s evident that connections are coming from various IP addresses for the same user in a very short amount of time. That seems like odd behavior for a legitimate user trying to login; therefore, looking at the “Failed password” attempts is critical to finding which IP addresses are attacking the server and which account is being targeted.

In order to determine which IP address the attacker was successfully able to login from, we need to find a message that communicates a login attempt was successful. Scroll through the log file to find the line that includes “Accepted password”.

Gym Answer Key

1. What is the hostname of the SSH server that was compromised?

How to solve: This can be solved by finding the hostname, which is listed directly after the timestamp for each entry in the log.

Copy

Oct 11 10:12:00 myraptor sshd[29459]: Server listening on 0.0.0.0	port 22.

Answer: myraptor

2. What was the first IP address to attack the server?

How to solve: This can be solved by identifying the IP address of the attacker in the first “Failed password” entries.

Copy

Oct 11 10:12:25 myraptor sshd[29465]: Failed password for harvey from 169.139.243.218 port 57273	ssh2

Answer: 169.139.243.218

3. What was the second IP address to attack the server?

How to solve: This can be solved in the same way as the previous question by looking at the subsequent “Failed password” entries.

Answer: 56.13.188.38

4. What was the third IP address to attack the server?

How to solve: This can be solved in the same way as the previous question by looking at the subsequent “Failed password” entries.

Answer: 30.167.206.91

5. Which user was targeted in the attack?

How to solve: This can be solved by identifying the name of the account that had failed password attempts. Search for “Failed password” and then look for the account name.

Copy

Oct 11 10:12:25 myraptor sshd[29465]: Failed password for harvey from 169.139.243.218 port 57273	ssh

Answer: harvey

6. From which IP address was the attacker able to successfully log in?

How to solve: This can be solved by searching for the entry that has “Accepted password”.

Copy

Oct 11 10:36:59 myraptor sshd[30003]: Accepted password for harvey from 30.167.206.91 port 55326	ssh2

Answer: 30.167.206.91

Extension Activities

Login

Objectives

Students will use command line tools to analyze a custom application log format.

Prompt

Analyze a custom application login event log to help us understand user behavior.

Questions

1. How many total login attempts were made in this log?
2. How many unique usernames appear in this log?
3. What is the username with the most login attempts?
4. How many attempts were made for the username with the most login attempts?
5. What is the date with the most login attempts?
6. What is the username that had logins from the most unique IP addresses?

Walk-through

This challenge involves analyzing a custom application log format that uses tab-delineated columns. The tab-delineated format is well-suited for the cut tool to extract specific columns from the log. cut can be used in combination with several other Linux command line utilities to obtain the answers to the questions.

Using head and tail to see the first few or last few lines:

To start, use ls to list the files in the directory, you should see login.log. The cat command can be used to display the contents of the file. Sometimes, log files can be quite long, so to avoid having to scroll back up through several lines, use head or tail to just see the first few lines or the last few lines. Used with no arguments, they will display 10 lines by default:

This can be helpful for log files that have column headers - using head instead of cat will display the column names and the first few lines of data.

Counting words or lines in the output:

Piping the wc command (short for word count), along with the -l flag (lower case L for “lines”) will count the lines in the output:

Display only one column with cut:

To display only the usernames, use the cut command with the -f flag to extract field 3 (the username column). The default delimiter for cut is a tab space.

Sorting a list alphabetically and displaying unique output:

The usernames can be sorted alphabetically by piping the output through the command sort:

Some usernames are listed twice. To list only the unique entries, use the uniq command.

The -c flag will show the number of times an entry occurs in the output:

This list can be sorted again, this time numerically, with the -n flag:

Other features of cut:

The output can be piped throughcut -f 1,3 to display the first column (Date and Time) and the third column (usernames):

To display only the date (without the timestamp), use cut -d " " -f 1. This tells cut to split the line by spaces (instead of the default tab) and extract the first field:

Gym Answer Key

1. How many total login attempts were made in this log?

How to solve: Get the line count of the log. (Reminder: at the end of the command, that is a lower case ‘L’ not a number 1)

cat login.log | wc -l

Answer: 6063

2. How many unique usernames appear in this log?

How to solve: Extract the third field (with the usernames) of the log, sort the usernames, get the unique usernames, and then get a line count of the number of unique usernames.

cat login.log | cut -f 3 | sort | uniq | wc -l

Answer: 1879

3. What is the username with the most login attempts?

How to solve: Extract the third field (with the usernames) of the log, sort the usernames, get a frequency count of each unique username, and then sort the unique usernames by frequency.

cat login.log | cut -f 3 | sort | uniq -c |sort -n

Answer: ntory

4. How many attempts were made for the username with the most login attempts?

How to solve: Use the same command as the question above.

cat login.log | cut -f 3 | sort | uniq -c |sort -n

Answer: 124

5. What is the date with the most login attempts?

How to solve: Extract the first field (with the date+time) of the log, extract just the date, sort the dates, get a frequency count of each unique date, and then sort the unique dates by frequency.

cat login.log | cut -f 1 | cut -d " " -f 1 | sort | uniq -c | sort -n

Answer: 2011-03-23

6. What is the username that had logins from the most unique IP addresses?

How to solve: Extract the second field (with the IP address) and third field (with the username) of the log, sort the IP/username pairs, get the unique IP/username pairs, then extract just the usernames from each pair, sort the usernames, get a frequency count of how many unique pairs each username has, and then sort by frequency.

cat login.log | cut -f 2,3 | sort | uniq | cut -f 2 | sort | uniq -c | sort -n

Answer: wlfla0190

Extension Activities

VSFTPD

Objectives

Students will analyze a VSFTPD log file.

Prompt

Analyze a VSFTPD log file that we obtained.

Questions

1. What IP address did "ftpuser" first log in from?
2. What is the first directory that ftpuser created?
3. What is the last directory that ftpuser created?
4. What file extension was the most used by ftpuser?
5. What is the username of the other user in this log?
6. What IP address did this other user log in from?
7. How many total bytes did this other user upload?
8. How many total bytes did ftpuser upload?
9. How many total bytes did ftpuser download?
10. Identify the IP address of the suspicious login (the login with no subsequent activity)

Walkthrough

This challenge involves analyzing the log file of a VSFTPD server. The questions can be solved through manual inspection of the file and by using basic Linux commands to parse the log.

VSFTPD stands for “Very Secure FTP Daemon” and is used on Linux servers to create a secure way to users to upload and download files. This type of server is implemented for different purposes, but the logs created from its use convey similar information like timestamps, process IDs (PID), event types, client IP addresses, as well as usernames.

To find an IP address of a specific user use grep as shown:cat vsftpd.log | grep ftpuser

Sometimes, log files can be quite long, so to avoid having to scroll back up through several lines, use head or tail to just see the first few lines or the last few lines. Used with no arguments, they will display 10 lines by default.

The actions performed by ftpuser (like making directories) can be filtered by searching the output of the previous command and using the head command to see the first results. Using -i with grep will ignore the case of what you want to search for. cat vsftpd.log | grep ftpuser | grep -i mkdir | head -n 1

The same can be done with tail to see actions performed by the user at a later time:

cat vsftpd.log | grep ftpuser | grep -i mkdir | tail -n 1

Using awk and custom delimiters to isolate file types:

To determine what file type was most commonly uploaded, use grep to get an idea of what the uploads look like. This will help determine how to structure a command to filter the log down such that only file extensions are output. cat vsftpd.log | grep ftpuser | grep 'OK UPLOAD'

As shown below, the file path where the file was uploaded contains the file extension. There is a comma used after the file path— this can be used to set a custom delimiter with the awk command. Using awk, the specific column of data segmented by the commas can be printed. The second column has the file path with the file extension.

To use a custom delimiter with awk, use the -F option and enter the keyboard character you want to use as a delimiter between two single quotes as follows:

cat vsftpd.log | grep ftpuser | grep 'OK UPLOAD' | awk -F ',' '{print $2}' | head

Now lets isolate the file extension using the period as the delimiter. The output needed will come after the period, so be sure to use to tell awk to print the second field. cat vsftpd.log | grep ftpuser | grep 'OK UPLOAD' | awk -F ',' '{print $2}' | awk -F '.' '{print $2}' | head

From here, all that’s needed is to sort and print the unique file types using the following command:

cat vsftpd.log | grep ftpuser | grep 'OK UPLOAD' | awk -F ',' '{print $2 }' | awk -F "." '{print $2}' | sort | uniq -c | sort

To find other users that might be in this log file, look at what column contains the username field— this is in the 8th column. Use awk to filter all log entries for this field. Be sure to use sort and uniq so you can more easily see how many different users are in the log file.

Enter another command using grep and the username in question to find their IP address.

Using awk to calculate a total:

To determine how many bytes are uploaded or downloaded by a particular user, lets grep for the desired user, use grep to determine if we’re looking for uploaded or downloaded files, and then use the commas as a delimiter to see the file size.

Those are just the bytes for each individual file, not the total. awk can be used to get the total bytes using this command: awk '{s+=$1} END {print s}' . This will take the value of the first column ($1) and add it to variable s — creating a running total through each line of the log. When the log file ends (END), awk will print the value of s—the sum of the bytes. cat vsftpd.log | grep ftpuser | grep 'OK UPLOAD' | awk -F ',' '{print $3}'| awk '{s+=$1} END {print s}’

To identify the IP address associated with a suspicious login, or logins without any other activity, lets grep for successful logins, and then filter out the field with IP addresses. Use a double quote (”) as the delimiter. Syntax-wise this is used between two single quotes. Don’t forget to sort for unique IP addresses and count the total.

cat vsftpd.log | grep 'OK LOGIN' | awk -F '"' '{print $2 }' | sort | uniq -c

Gym Answer Key

1. What IP address did "ftpuser" first log in from?

How to solve: Search for any entries that include “ftpuser”. One of these lines should include an IP address. cat vsftpd.log | grep ftpuser

Answer: 10.0.0.123

2. What is the first directory that ftpuser created?

How to solve: Search for the first entry of the ftpuser account running the mkdir command. cat vsftpd.log | grep ftpuser | grep -i mkdir | head -n 1

Answer: TreeSizeFree

3. What is the last directory that ftpuser created?

How to solve: Search for the last entry of the ftpuser account running the mkdir command. cat vsftpd.log | grep ftpuser | grep -i mkdir | tail -n 1

Answer: 110D300S

4. What file extension was the most used by ftpuser?

How to solve: Search for successful file upload entries from ftpuser, extract the file extension for those uploads, and then get the frequency count for each unique file extension

cat vsftpd.log | grep ftpuser | grep 'OK UPLOAD' | awk -F ',' '{print $2 }' | awk -F "." '{print $2}' | sort | uniq -c | sort

Possible Answers:

1. jpeg
2. jpg
3. Joint Photographic Experts Group
5. What is the username of the other user in this log?

How to solve: To find other users that might be in this log file, look at what column contains the username field— this is in the 8th column. Use awk to filter all log entries for this field.

cat vsftpd.log | awk '{print $8}' | sort | uniq

Answer: jimmy

6. What IP address did this other user log in from?

How to solve: Search for any entries that include jimmy. One of these lines should include an IP address. cat vsftpd.log | grep jimmy

Answer: 10.0.0.214

7. How many total bytes did this other user upload?

How to solve: Search for successful file upload entries from jimmy, extract the number of bytes transferred, then sum the bytes cat vsftpd.log | grep jimmy | grep 'OK UPLOAD' | awk -F ',' '{print $3 }' | awk '{s+=$1} END {print s}’

Answer:

8. How many total bytes did ftpuser upload?

How to solve: Search for successful file upload entries from ftpuser, extract the number of bytes transferred, then sum the bytes cat vsftpd.log | grep ftpuser | grep 'OK UPLOAD' | awk -F ',' '{print $3 }' | awk '{s+=$1} END {print s}’

Answer: 13980839165 bytes

9. How many total bytes did ftpuser download?

How to solve: Search for successful file download entries from ftpuser, extract the number of bytes transferred, then sum the bytes cat vsftpd.log | grep ftpuser | grep 'OK DOWNLOAD' | awk -F ',' '{print $3 }' | awk '{s+=$1} END {print s}’

Answer: 6008032 bytes

10. Identify the IP address of the suspicious login (the login with no subsequent activity).

How to solve: Search for all of the successful login attempts, extract the IP address used to log in, then sort and unique the IP addresses to identify IP addresses for manual inspection

cat vsftpd.log | grep 'OK LOGIN' | awk -F '"' '{print $2 }' | sort | uniq

Answer: 10.3.0.6

Extension Activities

Nginx

Objectives

Students will analyze an nginx access log.

Prompt

Analyze an nginx access log and answer questions about what happened.

Questions

1. How many different IP addresses reached the server?
2. How many requests yielded a 200 status?
3. How many requests yielded a 400 status?
4. What IP address rang at the doorbell?
5. What version of the Googlebot visited the website?
6. Which IP address attempted to exploit the shellshock vulnerability?
7. What was the most popular version of Firefox used for browsing the website?
8. What is the most common HTTP method used?
9. What is the second most common HTTP method used?
10. How many requests were for \x04\x01\x00P\xC6\xCE\x0Eu0\x00?

Walk-through

This challenge involves analyzing an nginx access log. The questions can be solved through manual inspection of the file and by using basic Linux commands to parse the log.

Looking through the first few lines of the log, it is apparent that the IP addresses are the first field in each line:

To answer the first question, the IPs need to be extracted, sorted to filter for only unique ones, and counted. This can be done with cut, sort, uniq and wc :

For a more thorough explanation of these commands, refer to the Walkthrough for Log Analysis Challenge Login.

Extracting data from a column in a log file:

Looking at the first screenshot, the HTTP return codes are in the fourth field from the last:

The field right before it is enclosed in double quotes, so " can be used as a delimiter with cut. The first field before the " will contain data from the IP address to the timestamp. The second field, starting with GET, is the actual HTTP request. Therefore, the return codes will be the third field when a double quote is used as the delimiter.

A portion of the output of cat access.log | cut -d '"' -f3 is shown here :

To eliminate the second column from this output, the output can be piped through another cut command using a space as the delimiter. It looks like there is a space before the HTTP return codes as well, so the codes will be the second field after the first “space”:

Now that we are working with the HTTP return codes, we can sort and count the code occurrences:

Matching patterns with grep:

The remaining parts of this challenge require using grep , a tool that can be used to search entries for a keyword. Refer to the Linux: Basic Commands Walkthrough for more information on using grep. Using grep with the -o flag tells grep to print only the part of the line that matches the pattern, instead of the entire line.

Extracting columnar data with awk

Before answering the questions about HTTP methods is may be helpful to learn more about them here. Solving the questions about the HTTP methods used can be approached in two ways; using cut or awk.

cut can be used to extract the field containing the HTTP request methods ( the second field enclosed in double quotes). Then cut will be used to extract the first field of that output (which contains the actual HTTP request method). The output of that will be sorted, and counted using uniq.

sort -rn will list the output in reverse numeric order, so the term with the highest number of occurrences is listed at the top.

awk can also be used to get the desired output. It is a powerful text processing tool that treats any amount of whitespace as a single field separator by default, as compared to cut, which treats only a tab space as a default field separator. For awk, the HTTP Request Method would be the 6th field from the left.

Backslash - Escape character:

The last question prompts us to look for a raw byte sequence in the log file. If grep '\41' access.log was used, the Linux shell is going to convert the byte to ASCII, and look for ‘A’ instead. To prevent the shell from interpreting the backslash as an escape character, it needs to be escaped with another backslash as follows: grep ‘\\41’ access.log. This ensures grep receives the full byte sequence and not the translated character.

Tutorial Video

Watch our full Tutorial Video to learn more specifics about crafting SQL queries and injections and see a walkthrough of how to solve this challenge:

NCL Summer Live - Log Analysis 1 - July 8 2021

Learn tips and tools of the trade with the National Cyber League's NCL Summer Live video tutorial series. This episode covers a demo of how to solve a problem in Log Analysis, one of the 9 NCL competition categories. Perfect for beginners! The National Cyber League, powered by Cyber Skyline, is a bi-annual, all-virtual cybersecurity student competition, advancing hands-on skills and knowledge. Check the website at nationalcyberleague.org for details.

www.youtube.com

Gym Answer Key

1. How many different IP addresses reached the server?

How to solve: Extract the first field (with the IP addresses), sort the IP addresses, get the unique IP addresses, and then get a line count.

cat access.log | cut -d " " -f 1 | sort | uniq | wc -l

Answer: 47

2. How many requests yielded a 200 code?

How to solve: Extract the third field after double quotes as the delimiter (which includes the HTTP codes), sort the codes, get the unique values with a count of the occurrences of each. Optional: sort in descending numeric order.

cat access.log | cut -d '"' -f3 | cut -d ' ' -f2 | sort | uniq -c | sort -rn

Answer: 19

3. How many requests yielded a 400 code?

How to solve: Same as the question above.

cat access.log | cut -d '"' -f3 | cut -d ' ' -f2 | sort | uniq -c | sort -rn

Answer: 38

4. What IP address rang at the doorbell?

How to solve: Search for “bell”

cat access.log | grep "bell"

Answer: 186.64.69.141

5. What version of the Googlebot visited the website?

How to solve: Search for “Googlebot”

cat access.log | grep "Googlebot"

Answer: 2.1

6. Which IP address attempted to exploit the shellshock vulnerability?

How to solve: Search online for details about the Shellshock vulnerability. You should be able to find that the presence of this sequence of characters () { :; }; is an indication of an attempted exploitation of this vulnerability. With this knowledge, search the log for any lines with that sequence of characters.

cat access.log | grep '() { :; };'

Answer: 61.161.130.241

7. What was the most popular version of Firefox used for browsing the website?

How to solve: Search the log for all lines that contain “Firefox” and the following characters which make up the version number, sort those values, and then get a unique count.

cat access.log | grep -o "Firefox/.*" | sort | uniq -c

Answer: Firefox/31.0

8. What is the most common HTTP method used?

How to solve: Extract the 6th field (with the HTTP method), sort, get the unique values with a count of the occurrences of each value, and then sort in descending numeric order.

cat access.log | awk -F " " '{print $6}' | sort | uniq -c | sort -rn

Answer: GET

Incorrect:

• POST
• PUT
• DELETE
• HEAD
• CONNECT
9. What is the second most common HTTP method used?

How to solve: Use the same command as the question above.

cat access.log | awk -F " " '{print $6}' | sort | uniq -c | sort -rn

Answer: CONNECT

Incorrect:

• GET
• POST
• PUT
• HEAD
• DELETE
10. How many requests were for \x04\x01\x00P\xC6\xCE\x0Eu0\x00?

How to solve: Search the log for all lines that contain that sequence of characters and then get a line count. Note that that command requires two backslashes for each original backslash to perform a proper escape sequence for the backslash.

cat access.log | grep '\\x04\\x01\\x00P\\xC6\\xCE\\x0Eu0\\x00' | wc -l

Answer: 6

Extension Activities

History

Objectives

Students will use SQL commands to analyze a SQlite database.

Prompt

Analyze a Firefox SQlite history database and answer questions about what happened. It you are not familiar with SQL you may want to learn more about SQL here: https://www.tutorialrepublic.com/sql-tutorial/

Questions

1. What did the user search for on craigslist?
2. What was the current price (USD) of bitcoin when the user was browsing?
3. What Bitcoin exchange did the user log in to?
4. What is the email that was used to log into the exchange?
5. What was the ID of the Bitcoin transaction that the user looked at?
6. What was the total BTC value of all the inputs of the Bitcoin transaction?
7. Which bitcoin address received the majority of the Bitcoin in the transaction?

Walk-through

This challenge will give you experience analyzing a SQLite database. The answers can be obtained by using the sqlite3 Linux program or a GUI-based viewer. There are also browser-based SQLite viewers such as https://inloop.github.io/sqlite-viewer/.

Click into the terminal on the Cyber Skyline platform. Thebrowser.sqlite file in the current directory. Use the command sqlite3 browser.sqlite to start the SQLite program.

Use the command .tables to see all of the database tables available to view.

Use the command SELECT * FROM moz_hosts; (or use any of the other table names) to view the information contained in the tables. The wildcard indicates that we want to select all the columns, and the semicolon at the end of the query signal the end of the query.

Searching for Firefox Sqlite Database can help narrow down which tables to look through. This site mentions that moz_places contains the sites visited, so that might be helpful for the first few questions:

Places.sqlite - MozillaZine Knowledge Base

There is a way to list of the columns in the moz_places table with PRAGMA table_info(moz_places); :

For the first question, look for the user’s search on craigslist. This information is most likely to be in the ‘url’ column, so we can display that with the query select url from moz_places;

The price of bitcoin when the user was browsing will show up in the “title” column in this table. Search for the $ sign with select * from moz_places where title like '%$%'; :

For question 3, run select url from moz_places; and scroll to see where the user signs in.

To find the user’s gmail account, query the table for any titles containing ‘gmail’ with select * from moz_places where title like '%gmail%'; :

Scrolling further down from the output of select url from moz_places; , we can see the transaction ID that the user looked at:

The remaining questions can be answers by visiting the URLs that are listed inside the database. The URL with id 290 is for a bitcoin transaction listed on blockchain.info. The main page displays the ID as well as the total value of the inputs.

The Bitcoin transaction ID and the amounts that were transferred are all listed on the blockchain.info page.

Alternatively for this challenge, you can upload the SQLite database file to the

SQLite Viewer Web App

Useful resources for this challenge:

SQLite Viewer Web App

Tutorial Video

Watch our full Tutorial Video to learn more specifics about SQL databases and see a walkthrough of how to solve this challenge:

Cyber Skyline Live: Analyzing an SQL Database - Nov 3, 2022

Learn from Franz Payer, CEO of Cyber Skyline, about how to crack open a SQL database and extract the data you’re looking for. Reach out with questions at contact@cyberskyline.com. Cyber Skyline is the organizer of the National Cyber League, a bi-annual, all-virtual cybersecurity student competition, advancing hands-on skills and knowledge. Check the website at nationalcyberleague.org for details on NCL.

youtu.be

Gym Answer Key

1. What did the user search for on craigslist?

How to solve: The user’s search can be seen in row 23 inside the “query’ parameter in the URL.

Answer: bitcoin

2. What was the current price (USD) of bitcoin when the user was browsing?

How to solve: The current price is listed in row 23 in of the “title” of Bitstamp’s homepage.

Answer: $239.50

3. What Bitcoin exchange did the user log in to?

How to solve: The Bitcoin exchange is identified in row 253, which shows the user successfully loading their account page after logging in.

Answer: Coinbase

4. What is the email that was used to log into the exchange?

How to solve: The email can be found on row 47 in the “title” of the Gmail webpage.

Answer: b1gbird@gmail.com

5. What was the ID of the Bitcoin transaction that the user looked at?

How to solve: The ID of the Bitcoin transaction is the “Hash” value listed on the blockchain.info page.

Answer: 5274cfba585a4b5681527a37f95c76340428916bb7480cef6c545f0a28dcd2d7

6. What was the total BTC value of all the inputs of the Bitcoin transaction?

How to solve: The total BTC value of the inputs can be obtained by adding up the values of all the BTC inputs on theblockchain.info page.

Answer: 0.22616302

7. Which Bitcoin address received the majority of the Bitcoin in the transaction?

How to solve: The right side of theblockchain.info page contains the addresses and amounts that were sent to each recipient. The address that received the majority of the Bitcoin was that one that was sent the most BTC.

Answer: 18z6bTFjxkXCmhfp8YBetR2wgmoVjXGJZz

Extension Activities

Squid

Objectives

Students will analyze a Squid proxy log.

Prompt

Analyze this Squid proxy log to answer the following questions.

Questions

1. In what year was this log saved?
2. How many milliseconds did the fastest request take?
3. How many milliseconds did the longest request take?
4. How many different IP addresses did the proxy service in this log?
5. How many GET requests were made?
6. How many POST requests were made?
7. What company created the antivirus used on the host at 192.168.0.224?
8. What URL is used to download an antivirus update?

Walk-through

This challenge involves analyzing a Squid proxy log. Basic scripting knowledge is necessary to complete the challenge in a reasonable amount of time.

Use head to see the first few lines of the log. The first field, commonly the time, is in an odd format of numbers and decimals. This is epoch time. Epoch time is the time in seconds from January 1 1970 at midnight.

Converting a timestamp from Epoch to Unix:

Online tools can be used to convert the timestamp to a human readable Unix format (see tools below) . or you can use the date command to convert it within linux:

Using awk to extract column data:

To answer questions about the speed of the request, looking up the format of a squid log (https://wiki.squid-cache.org/Features/LogFormat) shows that the field after the timestamp represents the time spent by the proxy in processing the client request, shown in milliseconds. To extract this field, use awk '{print $2}' and sort -n to sort numerically.

To answer how many different ip addresses that the proxy serviced in this log, use awk to output the ip addresses found in field 3. awk '{print $3}' | sort | uniq | wc -l.

For other examples of using awk, refer to Log Analysis challenge Nginx.

The GET and POST requests are found in the 6th column. Usecat squid_access.log | awk '{print $6}' | sort | uniq –c to see the number of GET and POST requests made.

To find information about the antivirus used on 192.168.0.224, use grep to find that ip address in the log file: cat squid_access.log | grep "192.168.0.224"

Tutorial Video

Watch our full Tutorial Video to learn more specifics about log analysis and see a walkthrough of how to solve this challenge:

NCL Summer Live - Log Analysis 2 - July 15 2021

Learn tips and tools of the trade with the National Cyber League's NCL Summer Live video tutorial series. This episode goes deep into Log Analysis, one of the 9 NCL competition categories. As a follow-up to the July 8 Log Analysis Tutorial, Franz Payer, CEO of Cyber Skyline, demonstrates: 1. How to convert an epoch timestamp into human-readable format 2. Identifying the smallest or largest value in a column 3. Counting unique number of values in a column 4. Counting number of times a value repeats 5. Searching for an IP address in a file 6. Counting how many times an event happens for each IP address. The National Cyber League, powered by Cyber Skyline, is a bi-annual, all-virtual cybersecurity student competition, advancing hands-on skills and knowledge. Check the website at nationalcyberleague.org for details.

youtu.be

Gym Answer Key

1. In what year was this log saved?

How to solve: Take any of the Epoch timestamps and convert them into a human-readable date. An online tool, such as Epoch Converter, can be used to do this.

Answer: 2010

2. How many milliseconds did the fastest request take?

How to solve: Extract the second field (the response time) and then sort the results numerically

cat squid_access.log | awk '{print $2}' | sort -n

Answer: 5

3. How many milliseconds did the longest request take?

How to solve: Same as the question above.

cat squid_access.log | awk '{print $2}' | sort -n

Answer: 41762

4. How many different IP addresses did the proxy service in this log?

How to solve: Extract the third field (the IP address of the proxy client), sort, get the unique values, and then get the line count.

cat squid_access.log | awk '{print $3}' | sort | uniq | wc -l

Answer: 4

Extension Activities

Log Payments

Objectives

Students will analyze a SOAP log using the command line and a spreadsheet editor.

Prompt

A payment transaction log was compromised in a data breach. Help us determine what information was stolen.

Questions

1. How many transactions are contained in the log?
2. What is the transaction ID of the largest purchase made in the log?
3. Which state made the greatest number of purchases?

Walkthrough

This challenge involves parsing a log file from a SOAP web server. SOAP is used to send messages using the Extensible Markup Language (XML). Solving this challenge requires a mechanism to parse the XML and query the underlying data. This can be done by extracting the relevant XML from the log file, converting the XML to CSV format, and then using a spreadsheet editor to query the data.

Extracting the XML

There are many debug lines within this log file; however, the only relevant lines for this scenario are the ones that begin with PPAPIService: Request: and PPAPIService: Response:. These lines appear to contain the plaintext payment data that are being sent to/from the server. A regular expression can quickly match these lines and extract the raw XML to be saved as a separate file.

sed -nr 's/PPAPIService: Request: (.*)/\1/p' payments.log > requests.xml
sed -nr 's/PPAPIService: Response: <\?.*\?>(.*)/\1/p' payments.log > responses.xml

Get-Content payments.log | ForEach-Object {if ($_ -match 'PPAPIService: Request: (.*)') {$matches[1] | Out-File -Append requests.xml}
}

Get-Content payments.log | ForEach-Object {if ($_ -match 'PPAPIService: Response: <\?.*\?>(.*)') {$matches[1] | Out-File -Append responses.xml}
}

Converting the XML to CSV

Once you have extracted the payment requests into a separate file, you can now convert the XML into a CSV (or .xlsx file). There are various tools that can do this conversion, such as convertcsv.

Using a Spreadsheet Editor

Any common spreadsheet editor should provide tools that can be used to answer the questions from the prompt.

To determine how many transactions occurred, count the number of rows of data from either csv file.

To determine the largest purchase made in the log and its associated transaction ID, use the “requests” spreadsheet. Sort the column for the order total (column ‘F’) with the largest transaction at the top. Then unsort and find the row number for the highest value.

Use the row number to find the corresponding response in the “responses” spreadsheet. Look for the transaction ID (column ‘Z’).

To determine which state had the greatest number of purchases, use the “requests” spreadsheet. Right click on the column header for the state of the ship-to address and selecting “Column Stats”.

Useful tools

• convertcsv.com

Gym Answer Key

1. How many transactions are contained in the log?

How to solve: Count the number of lines that start with PPAPIService: Request:

Answer: 192

2. What is the transaction ID of the largest purchase made in the log?

How to solve: Sort the requests by the order total column to find the largest purchase, then get the transaction ID from the corresponding response.

Answer: 3a4da8c8-6934-4655-9ec5-335ab4540a2b

3. Which state made the greatest number of purchases?

How to solve: Get a count of the unique values for the state of the ship-to address

Answer: massachusetts

Incorrect: maryland

Extension Activities

Network Traffic Analysis

DNS

Objectives

Students will analyze a network packet capture to communicate an understanding of DNS.

Prompt

DNS is what enables us to access much of the internet without remembering IP addresses, analyze the network packet capture to understand more about DNS.

You can read this guide to learn more about computer networking.

Questions

1. What is the type of the DNS query requested?
2. What domain was requested?
3. How many items were in the response?
4. What is the TTL for all of the DNS records?
5. What is the IP address for the "welcome" subdomain?

Walkthrough

This challenge evaluates the user’s ability to understand a packet capture containing network traffic using the DNS protocol. Use Wireshark or, if provided, the web-based CloudShark tool to solve the challenge.

Background

The DNS (Domain Name Service) protocol enables a system that allows devices to lookup the IP address of a domain name. This is useful because, as humans, it is much easier for us to remember “google.com” instead of the specific IP address that you should use when you want to reach any website’s services.

All of the questions and answers in this challenge are specific to the DNS protocol, so it may be helpful to learn more about DNS through our video explanation or on the web:

Cyber Skyline Live - DNS - Oct 28, 2021

What does DNS (Domain Name System) do, and why should you care? In this episode of the Cyber Skyline Live tutorial series, Franz Payer, CEO of Cyber Skyline, gives an in-depth explanation of DNS - what it does, how you can interact with DNS in cybersecurity context, and how to use Wireshark to to solve cybersecurity challenges. Comes in super-handy for the National Cyber League competitions! Reach out with questions at contact@cyberskyline.com. Cyber Skyline is the organizer of the National Cyber League, a bi-annual, all-virtual cybersecurity student competition, advancing hands-on skills and knowledge. Check the website at nationalcyberleague.org for details on NCL.

www.youtube.com

Guide

Questions 1 and 2 can be solved by looking for a packet with “Standard query” in the info column (packet #4). Once found, expanding the packet dissectors for Domain Name System (DNS) will yield the answers.

Questions 3 – 5 can be solved by looking for a packet with “Standard query response” in the info column (packet #5). When you click on the packet, it will say “(response)” next to the DNS portion of the frame (indicated in the image below with a red circle). Once found, expand the packet dissectors for the ‘Answers’ section under DNS.

Gym Answer Key

1. What is the type of the DNS query requested?

How to solve: Look for a packet with “Standard query” in the info column (packet #4). Once found, expanding the packet dissectors for DNS will yield the answers.

Answer: AXFR

2. What domain was requested?

How to solve: Look for a packet with “Standard query” in the info column (packet #4). Once found, expanding the packet dissectors for DNS will yield the answers.

Answer: etas.com

3. How many items were in the response?

How to solve: Look for a packet with “Standard query response” in the info column (packet #5). Once found, expanding the packet dissectors for ‘Answers’ under DNS will yield the answers.

Answer: 4

4. What is the TTL for all of the DNS records?

How to solve: Look for a packet with “Standard query response” in the info column (packet #5). Once found, expanding the packet dissectors for ‘Answers’ under DNS will yield the answers.

Answer: 3600

5. What is the IP address for the "welcome" subdomain?

How to solve: Look for a packet with “Standard query response” in the info column (packet #5). Once found, expanding the packet dissectors for ‘Answers’ under DNS will yield the answers.

Answer: 1.1.1.1

Extension Activities

FTP Traffic

Objectives

Students will analyze a network packet capture to communicate an understanding of FTP traffic.

Prompt

We found some interesting FTP traffic, analyze the network packet capture to identify what was transferred.

You can read this guide to learn more about computer networking.

Questions

1. What was the first username:password combination attempt made to log in to the server? ex. 'user:password'
2. What software is the FTP server running? (Name and version)?
3. What is the first username:password combination that allows for successful authentication?
4. What is the first command the user executes on the ftp server?
5. What file is deleted from the ftp server?
6. What file is uploaded to the ftp server?
7. What is the filesize (in bytes) of the uploaded file?
8. What file does the anonymous user download?

Walkthrough

Use Wireshark or, if provided, the web-based CloudShark tool to solve the challenge. FTP (File Transfer Protocol) is a basic protocol used to transfer files from one computer to another. All of the questions and answers are specific to FTP, so it is suggested that you learn more about FTP. FTP is an insecure protocol because it does not use encryption.

Questions 1 and 2 can be solved by right-clicking on the first packet in the capture and using the “Follow > TCP Stream” option.

Using CloudShark, clicking on the first packet and then clicking on “TCP Stream” at the bottom will have the same effect. Doing so will yield the following results:

From this view, the username and password listed on the “USER” and “PASS” lines (in blue text) are visible. The server version is on the first line of the stream.

Questions 4 - 6 can be solved by applying the filter: ftp.response.code == 230. Once filtered, following the TCP stream on the first packet will yield the following results:

Question 7 can be solved by applying the ftp-data filter and using knowledge of the packet numbers from the previous section.

There are 4 different interactions that can be seen from the filtered packets. These can be most easily identified by the timing shown on the “Time” column. Notice there are packets at 58 seconds, 92 seconds, 152 second and 162 seconds. By default, the time column displays the time offset (in seconds) that the packet was recorded since the beginning of the packet capture.

Look at packet No. 17, at approx. 58 seconds into the capture. In the “Info” column, it shows a “LIST” command in parentheses. The LIST command provides a listing of the current directory. Follow the TCP stream of this packet to see the contents of the directory when the command was run.

Below that packet, you can see packet No. 25 at approx. 92 seconds, which shows a “STOR” command in parentheses. The STOR command uploads the file and stores it on the FTP server and the packets in this stream are the pieces of data being uploaded. This explains why there are so many packets occurring at this time.

Packet No. 65 at approx. 152 seconds shows another listing of the current directory after the file was uploaded in the previous TCP stream. You can follow the TCP stream on this packet to see the new directory listing with the uploaded file included. From here, you can see the file size listed in one of the columns to get the answer to question 7.

Question 8 can be solved by using the ftp.response.code == 230 filter. However, this time the 2nd TCP stream should be followed. Following the first stream reveals the user who uploaded the file, and the second stream shows the activity of a USER named “anonymous”:

Tutorial Video

Cyber Skyline Live - Analyzing FTP Traffic - Feb 3, 2022

In Cyber Skyline Live - Analyzing FTP Traffic, you'll learn from Franz Payer, CEO of Cyber Skyline, about what FTP is, extracting files from a FTP packet capture, and setting up your own FTP server. Reach out with questions at contact@cyberskyline.com. Cyber Skyline is the organizer of the National Cyber League, a bi-annual, all-virtual cybersecurity student competition, advancing hands-on skills and knowledge. Check the website at nationalcyberleague.org for details on NCL.

www.youtube.com

Gym Answer Key

1. What was the first username:password combination attempt made to log in to the server? ex. 'user:password'

How to solve: Solve by right-clicking on the first packet in the capture and using the “Follow > TCP Stream” option. If you are using CloudShark, you can select the first packet in the capture and then go to: “Analysis Tools > Follow Stream”. From this view, you can see the username and password listed on the “USER” and “PASS” lines. You can find the server version on the first line of the stream.

Answer:

1. user1/cyberskyline
2. user1:cyberskyline
2. What software is the FTP server running? (Name and version)?

How to solve: Solve by right-clicking on the first packet in the capture and using the “Follow > TCP Stream” option. If you are using CloudShark, you can select the first packet in the capture and then go to: “Analysis Tools > Follow Stream”. From this view, you can see the username and password listed on the “USER” and “PASS” lines. You can find the server version on the first line of the stream.

Answer: FileZillaServer0.9.53

3. What is the first username:password combination that allows for successful authentication?

How to solve: Solve by applying the filter: ftp.response.code == 230. Once filtered, following the TCP stream on the first packet will yield results.

Answer:

1. user1/metropolis
2. user1/metropolis
3. user1:metropolis
4. What is the first command the user executes on the ftp server?

How to solve: Solve by applying the filter: ftp.response.code == 230. Once filtered, follow the TCP stream on the first packet.

Answer:

1. dir
2. list
5. What file is deleted from the ftp server?

How to solve: Solve by applying the filter: ftp.response.code == 230. Once filtered, follow the TCP stream on the first packet.

Answer: bank.cap

6. What file is uploaded to the ftp server?

How to solve: Solve by applying the filter: ftp.response.code == 230. Once filtered, follow the TCP stream on the first packet.

Answer: compcodes.zip

7. What is the filesize (in bytes) of the uploaded file?

How to solve: Solved by applying the ftp-data filter and using knowledge of the packet numbers from the previous section.

Answer:

1. 3303628E25D43BE4E11CC8878C5C5878
2. 28183
3. 28183 bytes
8. What file does the anonymous user download?

How to solve: Solve by again using the ftp.response.code == 230 filter. (See packet 52)

Answer: compcodes.zip

Extension Activities

HTTP

Objectives

Students will analyze a network packet capture to communicate an understanding of HTTP.

Prompt

HTTP is how we're sending you this message, analyze the provided capture to answer the following questions about a HTTP download.

You can read this guide to learn more about computer networking.

Questions

1. What Linux tool was used to execute a file download?
2. What is the name of the web server software that handled the request?
3. What IP address initiated the request?
4. What is the IP address of the server?
5. What is the MD5 sum of the file downloaded?

Walkthrough

Use Wireshark or the web-based CloudShark tool to solve the challenge. HTTP, or Hypertext Transfer Protocol, is used to deliver and present the information you see on a webpage. All of the questions and answers are specific to the HTTP, so it is suggested that you learn more about HTTP:

https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP

Guide

To find what Linux tool was used to execute a file download, apply the http.request filter at the top of Cloudshark and look at the Hypertext Transfer Protocol (HTTP) section of the packet dissector. The filter restricts the results to packets that contain the request that the client sent to the server.

Questions 2 - 4 can be solved by applying the http.response filter and looking at the HTTP packet dissection. This filter restricts the results to packets that the server responded with.

Recall that this is a http.response packet, which means we are currently looking at a packet that the server (source) is sending in response to the client (destination). This means that the source is the IP address of the server (answer to question 4) and the destination is the IP address that initiated the request (answer to question 3). If you go back to the packet from question 1, you will notice that the Source and Destination are flipped - this is because the packet was traveling from the client to the server.

For Question 5, we need more information about what file was sent in this exchange to know what the client was downloading. Using Cloudshark, filter using http and inspect packet 36— the packet that has “(PNG)” in the info section of the Cloudshark.

In order to determine the MD5 sum of this file, the data to create this image file will need to be taken from the frame. To do this, highlight the Hex data (see image below) starting at the PNG Signature (89 50 4E 47 0D 0A 1A) and end at the very bottom of the frame (49 45 4E 44 AE 42 60 82). You can click on “PNG Signature” at the left to automatically highlight where to start. Once this data is highlighted, right click and wait until the copy option appears.

Open CyberChef. Paste the Hex data you copied into the Input portion. Check that the bytes at the beginning and the end match the Cloudshark data.

Right now, CyberChef is not interpreting the content pasted as Hex data. To ensure it does this, type “From Hex” in the Operations box and add it to the Recipe.

Select the magic wand icon next to “Output”. An image should render.

Now let’s calculate the MD5 sum of the file. Type “MD5” into the operations section and move it to the recipe.

Question 5 can also be solved in Wireshark by selecting the option, “File > Export Objects > HTTP”. This exports the files transferred via HTTP from the packet capture to a local copy on your computer. Then use the Linux “md5sum” program to calculate the MD5 sum.

Tutorial Video

Cyber Skyline Live: Analyzing HTTP Traffic with Wireshark - Feb 16, 2023

One of the most common uses of HTTP is file transfers. Every time you load a page in your browser, HTTP requests are being made to fetch all the assets on the page - from images to fonts. Learn how to follow and analyze packets from a HTTP file transfer. You’ll learn how to identify the devices involved, establish a timeline of events, and even extract a file that was transferred. Reach out with questions at contact@cyberskyline.com. Cyber Skyline is the organizer of the National Cyber League, a bi-annual, all-virtual cybersecurity student competition, advancing hands-on skills and knowledge. Check the website at nationalcyberleague.org for details on NCL.

www.youtube.com

Gym Answer Key

1. What Linux tool was used to execute a file download?

How to solve: Apply thehttp.request filter and looking at the HTTP dissection. The “User-Agent” field in the HTTP portion of the packet is used to identify the software making the HTTP request.

Answer: wget

2. What is the name of the web server software that handled the request?

How to solve: Apply the http.response filter and looking at the HTTP packet dissection. The “Server” field in the HTTP portion of the packet is used to identify the software responding to the HTTP request.

Answer: nginx

3. What IP address initiated request?

How to solve: Apply the http.response filter and looking at the HTTP packet dissection. The Destination is the IP address that initiated the request.

Answer: 192.168.1.140

4. What is the IP address of the server?

How to solve: Apply the http.response filter and looking at the HTTP packet dissection. The Source is the IP address of the server.

Answer: 174.143.213.184

5. What is the MD5 sum of the file downloaded?

How to solve: Copy data into Cyberchef and add the following operations to the Recipe: Ensure data is in Hex, Determine file type, Calculate MD5 sum.

Answer: 966007c476e0c200fba8b28b250a6379

Extension Activities

Telnet

Objectives

Students will analyze a network packet capture to communicate an understanding of Telnet.

Prompt

Telnet is an older protocol that allowed an interactive text-oriented communication with remote systems, use the provided capture to answer the following questions about telnet.

Questions

1. What is the username that was used to log in?
2. What is the password that was used to log in?
3. What command was executed once the user was authenticated?
4. In what year was this capture created?
5. What is the hostname of the machine that was logged in to?
6. What CPU architecture does the remote machine use?

Walkthrough

Use Wireshark or, if provided, the web-based CloudShark tool to solve the challenge. The Telnet protocol is an old, insecure protocol used to remotely login to and administer computers. Additional information about Telnet is included at the beginning of the tutorial video for this challenge.

Guide

Questions 1- 6 can be solved by following the TCP stream on any of the packets. Following the TCP stream yields the following:

Tutorial Video

Cyber Skyline Live - What is Telnet - March 24, 2022

In Cyber Skyline Live - What is Telnet, you'll learn from Franz Payer, CEO of Cyber Skyline, about how to use telnet and analyze telnet traffic. Reach out with questions at contact@cyberskyline.com. Cyber Skyline is the organizer of the National Cyber League, a bi-annual, all-virtual cybersecurity student competition, advancing hands-on skills and knowledge. Check the website at nationalcyberleague.org for details on NCL.

www.youtube.com

Gym Answer Key

1. What is the username that was used to log in?

How to solve: Follow the TCP stream on any of the packets. Keep in mind that telnet will echo (repeat) back what is typed (except for passwords).

Answer: test

2. What is the password that was used to log in?

How to solve: Follow the TCP stream on any of the packets. Keep in mind that telnet will echo (repeat) back what is typed (except for passwords).

Answer: capture

3. What command was executed once the user was authenticated?

How to solve: Follow the TCP stream on any of the packets. Keep in mind that telnet will echo (repeat) back what is typed (except for passwords).

Answer: uname

4. In what year was this capture created?

How to solve: Follow the TCP stream on any of the packets. Keep in mind that telnet will echo (repeat) back what is typed (except for passwords).

Answer: 2011

5. What is the hostname of the machine that was logged in to?

How to solve: Follow the TCP stream on any of the packets. Keep in mind that telnet will echo (repeat) back what is typed (except for passwords).

Answer: cm4116

6. What CPU architecture does the remote machine use?

How to solve: Follow the TCP stream on any of the packets. Keep in mind that telnet will echo (repeat) back what is typed (except for passwords).

Answer: armv4tl

Extension Activities

Packet Dissection

Objectives

Students will analyze a portion of a packet to identify how IP packet headers are structured.

Prompt

Dissect an IP packet header to understand how the protocol works.

You can read this guide to learn more about computer networking.

Data:

Questions

1. What is the header checksum in hexadecimal representation?
2. What is the TTL of the packet?
3. What is the source IP address?
4. What is the destination IP address?

Walkthrough

This challenge involves following the IPv4 specification to interpret the data using the raw binary of an IP packet. A data manipulation tool, such as the programmer version of your computer calculator or cyberchef, will help simplify certain data conversion steps to interpret the data in the packet.

Before attempting the challenge, be sure you understand the IPv4 header format reference provided.

Below, the first 8 bits (0-7) are enclosed by a red shape. You may see bits represented as 1s and 0s. Recall that 8 bits make up 1 byte. Therefore, we could say that byte ‘0’ is also enclosed by the shape.

The first four bytes (0,1,2,3) of the packet are highlighted by a rectangle below. Notice how the different fields use only a few bits or multiple bytes.

The red circle below indicates the octet (group of 8). There are four bytes (or four octets) that occur before the fields shown on the line with the red circle. This was calculated in the previous image, where bytes 0, 1, 2, and 3 occur.

However, since we are counting zero, the area enclosed in the rectangle below is considered octet 4 (or byte 4). Keep this in mind when following the guide below.

Guide

To get the header checksum in hexadecimal representation, follow the reference given. The header checksum is 2-bytes long, starting at an offset of 10 bytes (0,1,2,3,4,5,6,7,8,9,10 — don’t forget zero is counted!) from the beginning of the data packet.

Copy these 2 bytes into CyberChef and then run a binary to hex conversation. (try it out).

To determine the TTL for question 2, follow the reference, which indicates that the Time-to-Live (TTL) is 1-byte , starting at an offset of 8 bytes from the beginning of the packet.

Copy this byte into CyberChef and then convert the binary into a decimal value will reveal the answer to this first question (try it out).

To find the source and destination IP addresses for questions 3 and 4, follow the reference, which indicates that the source IP address is 4-bytes long, starting at an offset of 12 bytes from the beginning of the packet and that the destination IP address is 4-bytes long, starting at an offset of 16 bytes from the beginning of the packet.

These IP addresses can be parsed one-at-a-time by copying each 4-byte values into CyberChef and then utilizing the “From Binary” recipe, followed by the “To Hex” recipe, followed by the “Change IP format” recipe with “Hex” selected as the input format (try it out).

Gym Answer Key

1. What is the header checksum in hexadecimal representation?

How to solve: Convert the 2 bytes starting at an offset of 10 bytes from binary into hexadecimal

Answer: 4F93

2. What is the TTL of the packet?

How to solve: Convert the byte starting at an offset of 8 bytes from binary into decimal

Answer: 64

3. What is the source IP address?

How to solve: Convert the 4 bytes starting at an offset of 12 bytes from binary into decimal dot notation

Answer: 192.168.128.128

4. What is the destination IP address?

How to solve: Convert the 4 bytes starting at an offset of 16 bytes from binary into decimal dot notation

Answer: 159.203.96.154

Extension Activities

Software Security

Bytes

Objectives

Students will analyze a Python script to identify the value that will return ‘True’ from the program.

Prompt

Determine the secret password that will validate successfully against the verify function. We've been having trouble getting it to run, but we saw it running properly on a different system. The code seems to be a bit old, maybe you can find the right environment/configuration to get it to run.

Questions

1. What language is this program written in?
2. What is the password that will successfully pass the verify function?

Walkthrough

This challenge requires you to analyze a Python script to bypass the insecure verify function. There appears to be some type of password used in the verify function; however, it is not cryptographically secure and it is possible to reverse engineer the code to obtain the value that’s stored. The task for this challenge is to find a value for submission that will cause the verify function to return True.

Using a terminal, you can get a better understanding of the code by entering your own submissions. Create a file named bytes.py. Copy the code provided in the code window on the platform and paste into the new file using your mouse. Save the program. Then enter python bytes.py on the command line to run the program.

Guide

This guide will review the lines of the verify function in order to better understand how to get the correct password value.

In lines 7-8, if the length of submission is not an even number, then verify returns false. Therefore, the length of submission will need to be an even number.

def verify(submission):
    processed = [ ]
    if len(submission) % 2 != 0:
        return False

Next, for lines 10-11, there is a loop that will run through submission. In each iteration, the loop will combine two characters together and convert them from hexadecimal into an integer that is added to the processed list, which was initialized in line 6.

    for i in range(0, len(submission) / 2):
        processed.append(int(submission[i * 2] + submission[(i * 2) + 1], 16)

Through the use of a command line interface, you can see how the input is processed by adding a print statement to the Python file you created.

Add this line of code to right under processed.append... within the verify function:

Copy

print("This was processed", processed)

Through lines 13-15, the function then checks if the length of processed is equal to the length of ekc. If the lengths are not the same, then verify will return false.

    ekc = [ 0x53, 75, 0x59, 0x2D, 0110, 0x45, 88, 72, 0x2D, 0x35, 0x36, 0x38, 0x30 ]
    if len(processed) != len(ekc):
        return False

The last check in the function is to iterate through the processed list and check to see if there are any values that do not match between processed and ekc. If there are any values that do not match, then verify returns ‘False’.

    for i in range(len(processed)):
        if ekc[i] != processed[i]:
            return False

Even if the correct characters were entered in the initial submission, the problem remains that the processed list (containing only integer values) is being compared to the ekc list, which contains a mix of integers and hexadecimal values. Thus, the verify function (as is) will never return ‘True’ unless we make changes so that the lists contain values of the same type.

However, doing this is not necessary. Fixing the program is not required. What is required is that we find a value that could pass the verify function.

The program interprets characters entered as hexadecimal and will compare whatever is entered with the contents of ekc. Therefore, a conversion of the ekc list to hexadecimal will provide a value that will pass the verify function.

Using a terminal, add the following line of code to the program after the line containing submission = raw_input… :

ekc = [ 0x53, 75, 0x59, 0x2D, 0110, 0x45, 88, 72, 0x2D, 0x35, 0x36, 0x38, 0x30 ]
print(''.join('%02x' % i for i in ekc))

Running the program again will print ekc as a hexadecimal string— this value will pass the verify function.

This could also be solved by converting the three decimal values in ekc to Hex through the use of CyberChef or other conversion tools. Most of the list already contains Hex values, so the 0x in front can be removed to get the correct string of characters.

Gym Answer Key

1. What language is this program written in?

How to solve: The programming language is indicated in the first line of the code

Answer: Python

2. What is the password that will successfully pass the verify function?

How to solve: Convert the values of ekc into a hexadecimal string

Answer: 534b592d484558482d35363830

Extension Activities

Python 1

Objectives

Students will analyze a Python script to calculate an input that will authenticate with the program.

Prompt

We have created a python script for you to break into as training. See if you can figure out a password that will authenticate with the program. Note: The password cannot contain special characters.

#!/usr/bin/python
import sys

def main():
if len(sys.argv) != 2:
print("Invalid args")
return
password = sys.argv[1]
builder = 0
for c in password:
builder += ord(c)
if builder == 1000 and len(password) == 10 and ord(password[1]) == 83:
print("correct")
else:
print("incorrect")

if **name** == "**main**":
main()

Questions

1. What is a secret key that will pass validation?

Walkthrough

This challenge involves involves analyzing vulnerabilities in a poorly implemented password verification function.

Using a terminal, you can get a better understanding of the code by entering your own submissions. Create a file named python1.py. Copy the code provided in the code window on the platform and paste into the new file using your mouse. Save the file. Then enter python python1.py on the command line to run the program.

Guide

This guide will review the lines of the main function in order to better understand how to get the correct password, or ‘secret key’— as referred to in the question— that can pass validation. For this challenge, we want to get the output “correct” to print after running the program.

Below are lines 5-8, the first few lines of the main function. Line 6 is checking that the length of sys.argv is or is not equal to 2. This means that there needs to be 2 entries stored in sys.argv. If there aren’t two, then the program will print “Invalid args” and end.

def main():
  if len(sys.argv) != 2:
    print("Invalid args")
    return

Temporarily add a line to the program that allows us to see what is contained in sys.argv.

print(sys.argv)

Add the line print(sys.argv) right above the ‘if’ statement on line 6.

Watch the Tutorial Video below or query the web to learn more about sys.argv.

Line 9 in the main function takes a new variable, password, and makes it equal to sys.argv[1]— this is the new element that will be added when calling the program. On the next line, a new variable, builder, is set to equal zero before lines 11 and 12 where a ‘for’ loop takes each character of password and returns the Unicode number to be added to builder.

password = sys.argv[1]
  builder = 0
  for c in password:
    builder += ord(c)

Temporarily add a few lines to the program that to see how ord works with elements we enter for sys.argv[1]. Add value=ord(c) below line 11. And add a print line at the end of the ‘for’ loop. It should look similar to the following:

  for c in password:
    value = ord(c)  
    builder += ord(c)
    print("Added {} (ord('{}')), builder is now {}".format(value, c, builder))

Test the code to verify what’s happening.

Understanding lines 13-14 are going to help us determine what to enter for the ‘password’ since line 14 will return “correct” if all of the conditions in line 13 are met. First, builder will need to add up to 1000 exactly. Next, the length of password (or the number of characters in password ) is equal to 10, and the Unicode for the second character in password is equal to 83.

  if builder == 1000 and len(password) == 10 and ord(password[1]) == 83:
    print("correct")
  else:
    print("incorrect")

Use the command line to determine what the ASCII for “83” is. Enter the following:

printf "\\$(printf '%o' 83)\n"

Now we need an easy way to solve for the rest of the characters. We know that one is 83. The remaining characters are then equal to 917 (1000-83=917).

Unfortunately, 917 isn’t divisible by 9 evenly (917/9=101.899), but 8 characters could be 101 in Unicode and the last character could equal the remainder.

The only remaining task is to look up what ASCII character the numbers translate to and make sure that none of the characters used in the password are symbols.

This is one path to solve for the password, but it is certainly not the only path. A variety of answers are accepted for this challenge.

Gym Answer Key

1. What is a secret key that will pass validation?

How to solve: This can be solved by finding a string of length 10 whose ASCII values sum to 1000 and also has an S (ASCII code 83) as the second character in the string. The values of the other nine character in the string is any combination of characters whose ASCII values sum to 917 (the remaining sum after accounting for the necessary S character).

Answer: mSeeeeeeee

Extension Activities

Python 2

Objectives

Students will analyze a compiled Python script to calculate an input that will authenticate with the program.

Prompt

We have created a python script for you to break into as training. See if you can figure out a password that will authenticate with the program.

Questions

1. What is a secret key that will pass validation?

Walkthrough

This challenge involves analyzing vulnerabilities in a compiled Python program. Notice that the contents of the file are not initially human readable. A .pyc filetype is Python compiled bytecode of a Python (.py) source file, so it is meant to be machine readable. We’ll need to convert this file back to the source code.

The uncompyle program can be used to convert the compiled program back into Python code. It is a decompiler that accepts bytecode from Python versions 1.5 up to 3.7. If you already have uncompyle installed, be sure to check for the correct version number. No matter what version you use, the syntax used in the command below should decompile the .pyc file:

uncompyle2 PYTHON2.pyc > python2.py

The result of running uncompyle2 PYTHON2.pyc > python2.py can be seen below:

Guide

This guide will review the lines of the main function in order to better understand how to get the correct password, or ‘secret key’— as referred to in the question— that can pass validation. For this challenge, we want to get the output “correct” to print after running the program.

The first few lines of the main function are exactly like the Python1 challenge; refer there for an explanation of sys.argv.

Lines 9-12 initializes the variablevals with a list of characters. If the length (in characters) of password and vals does not match then the program outputs ‘incorrect’ and the program ends.

    vals = list('tfzbwlyzljylawhzzdvyk')
    if len(password) != len(vals):
        print 'incorrect'
        return

On line 13 a ‘while’ loop is initialized and only executes if the counter variable is less than the length of password. On lines 14-16, ‘7’ is added to the Unicode value of the characters of password. If the value of x goes beyond the Unicode value for letter ‘z’, 26 is subtracted from the Unicode value so it loops back to a value for a letter at the beginning of the alphabet. This is very similar to how a Caesar Cipher would work.

The second ‘if’ condition checks to see that the character for the calculated x variable matches the vals list. If any value doesn’t match, the program will print ‘incorrect’ and end.

    while counter < len(password):
        x = ord(password[counter]) + 7
        if x > ord('z'):
            x -= 26
        if chr(x) != vals[counter]:
            print 'incorrect'
            return
        counter += 1

To solve the challenge, you would need to shift each character in vals backwards 7 positions in the alphabet to make it look like the ‘secret key’ that should be entered. This could be done manually or by using a tool like CyberChef.

Helpful tools for this challenge:

• uncompyle2
• CyberChef
• Use the Tutorial Video below

Tutorial Video

Watch our full Tutorial Video to learn more specifics about python and injections and see a walkthrough of how to solve this challenge:

Cyber Skyline Live - Code Reverse Engineering Basics - March 10, 2022

In Cyber Skyline Live - Code Reverse Engineering Basics, you'll learn from Franz Payer, CEO of Cyber Skyline, about how to analyze source code and bypass basic authentication mechanisms. Reach out with questions at contact@cyberskyline.com. Cyber Skyline is the organizer of the National Cyber League, a bi-annual, all-virtual cybersecurity student competition, advancing hands-on skills and knowledge. Check the website at nationalcyberleague.org for details on NCL.

www.youtube.com

Gym Answer Key

1. What is a secret key that will pass validation?

How to solve: Shift each character in the vals array backwards 7 positions in the alphabet. You can use a tool such as cyberchef to do this.

Answer:

1. mysupersecretpassword
2. m_s[persecreZpass]ord

Incorrect:

3. M_supersecretpassword

Extension Activities

Python 3

Objectives

Students will analyze a Python script to calculate an input that will authenticate with the program.

Prompt

We have created a python script for you to break into as training. See if you can figure out a password that will authenticate with the program.

Questions

1. What is an input to this program that will result in a correct validation?

Walkthrough

This challenge involves analyzing vulnerabilities in a compiled Python program. The uncompyle program can be used to convert the compiled program back into Python code. See Python2 for more information on decompiling this file.

The result of running uncompyle can be seen below:

Guide

This challenge presents some elements similar to Python1. However, there are some new functions performed to builder.

An analysis of the code reveals that the sum of the ASCII codes for the characters in the password list will have a specific value after several transformations.

Below is an example of code in Python that can reverse the transformations to get the total for builder before it is transformed. This can be run in its own program, or referenced to calculate the answer by hand. This process will help determine the total Unicode value of the characters entered.

The code will subtract the value of the first character (’N’=78) to get the sum of the next ten remaining characters. Dividing that sum by 10 will yield the Unicode for a character repeated ten times.

target = 12645638
temp = ~target
temp = temp ^ 12648430
temp = ~temp
totalUnicode = temp // 4
totalUnicode = totalUnicode-78
print("Total for 10 remaining characters: ", totalUnicode)
x = totalUnicode // 10
print("x value:", x)
print("There are 10 characters like this: ", chr(x))

Gym Answer Key

1. What is an input to this program that will result in a correct validation?

How to solve: Solve by hand by reversing the transformations. Below is a solution created with the aid of some JavaScript code.

Answer:

1. N>>>>>>>>>>
2. NOTC0FFEE

Incorrect:

3. NAAAAAAAANZ

Extension Activities

egov

Objectives

Students will utilize web cookies to check the permission level of the user.

Prompt

Conduct a security audit on the egov login panel.

Scope: This challenge is limited to HTTPS in scope, please do not attack any other ports on this server.

Questions

1. What is the flag obtained from logging in?

Walkthrough

Web security involves understanding the interaction between servers and clients, typically web browsers like Chrome, Firefox, or Safari. It’s important to understand web communication before understanding web security, so please read the “Web Communication Fundamentals” page to get up to speed on the basics.

After understanding how websites communicate, the first step in analyzing a web application is reconnaissance —identifying pages with security features to exploit or data to leak. Examples of this could be a login page, admin panel or search page.

Advanced reconnaissance includes locating unintended public pages and reviewing JavaScript code. In this challenge, the website only has a single page that is navigable from the user interface - a login form.

Guide

This guide will show examples using the Google Chrome developer tools. Developer tools are included in most modern browsers and provide access to data about the web page which is not easily accessible otherwise.

Developer tools also allows for the tampering of data stored by the website and manipulation of the code running in the browser.

From here, it is important to get a better understanding of how the page is working by analyzing any data being saved by the website in the browser (cookies, localstorage) as well as viewing any source code, particularly JavaScript.

Go to the “Application” tab on the top of developer tools and click on “Cookies” from the left menu that appears. If you haven’t submitted anything to the form yet, this section will be empty because the server hasn’t received a login request from your client. Try submitting anything you like.

To change the cookie to “true” look up the syntax for changing the value of cookies in JavaScript (JavaScript Cookies). Set the cookie to “true” using the “Console” tab. The cookie name is “admin” so be sure to use that as your input.

Verify the value has been changed.

Another way to change the cookie from ‘false’ to ‘true’ is to double click in the value section where it says ‘false’ and type in ‘true’.

Refresh the page to ensure that the changes stay. No noticeable change in the page indicates there is more to investigate.

Analyzing the code for additional clues may be useful. This can be done directly in the developer console by going to the “Sources” tab. Alternatively, using “View Source” on the page can help identify what external scripts are being loaded on the page, but that is not necessary for this challenge.

There are a number of sources, however, the login.js script looks interesting. You can see that this script defines what happens when a login is successful or fails.

The naming of the /admin page on line 7 indicates that this may be a sensitive page that has information of interest. Add /admin to the end of your page URL and see if anything changes.

If the cookie was changed correctly and the URL is changed, you will be brought to the admin panel and receive the flag!

Another solve path is to enter any password with ‘admin’ as the username in the webpage after changing the cookie to ‘true’. After submitting you’ll be brought to the page shown above.

Tutorial Video

Watch our Tutorial Video to learn more about web cookies and see a walkthrough of how to solve this challenge:

Cyber Skyline Live - Manipulating Web Cookies - March 3, 2022

In Cyber Skyline Live - Manipulating Web Cookies, you'll learn from Franz Payer, CEO of Cyber Skyline, about common security risks associated with browser cookies and manipulating a browser cookie to bypass security on a website. Reach out with questions at contact@cyberskyline.com. Cyber Skyline is the organizer of the National Cyber League, a bi-annual, all-virtual cybersecurity student competition, advancing hands-on skills and knowledge. Check the website at nationalcyberleague.org for details on NCL.

www.youtube.com

Gym Answer Key

1. What is the flag obtained from logging in?

How to solve: Open the developer tools in your browser, run document.cookie = 'admin=true' to set the admin value to true in your cookies, and then add /admin to the end of the URL.

Answer: ⚠️ The flag is randomly generated so the correct flag for you will be different.

Extension Activities

Never Winter Break

Objectives

Analyze Java script code on a website to find an exploit to utilize.

Prompt

You have been hired to run a pentest on this bank's old out of date system. Can you find the vulnerability in the code and drain this user's account?

Questions

1. What is the path of the leaked file?
2. What is the flag?

Walkthrough

This challenge requires you to identify a vulnerability in the web application that allows you to drain another user’s account, implying some sort of logic error is involved.

To start, let’s inspect the web server for any interesting files or behavior. Try to access /robots.txt to see if there are any files that the web developer do not want search engines to index. This is usually a good sign of something interesting to probe.

Here’s what the /robots.txt file shows:

Disallow: *
/dev/rel.js

Try to access a page with dev/rel.js in the URL to see what is contained in that file.

Here’s the output of that .js file:

// TODO auditor says something is wrong with this code....
if (parseInt(amount) < account.amount) {
  if ((account.amount - parseInt(amount)) < account.minimum) {
    return res.status(400).send('Error: Account is not allowed to have a balance lower than 10');
  }
  var transferAmount = parseInt(amount, 10);
  account.amount -= transferAmount;

}

You don’ t need to understand what the code is doing to notice something wrong with this code.

The thing that stands out the most is the use of parseInt, specifically that its usage is inconsistent. The first two times that parseInt is used, it is called only with one argument.

but the third time that parseInt is used, it is called with two arguments.

Referring to the parseInt() documentation, we can see that there are two different function prototypes: parseInt(string) and parseInt(string, radix).

In the above code snippet, parseInt(string, radix) uses 10 as the radix, meaning that the parsing function will treat the string parameter (or the value entered for “amount”) as a base 10 integer, or decimal number.

However, the parseInt(string) does not specify any base system to use so the input is unclear. In older versions of JavaScript runtimes, there is a vulnerability that exists such that you can actually pass in confusing strings into parseInt.

Let’s visualize this here:

console.log(parseInt('01000')); // 1. returns 512

console.log(parseInt('01000', 10)); // 2. return 1000

The above code snippet shows that if we do not include a specific radix, the parseInt function will treat strings that start with 0 as an octal (base 8) string. This means that it’ll parse the string "01000" as octal and output the decimal value for that number.

This leads to different data values for the same input string depending on if you specify a radix base or not. This is precisely the vulnerability that we will take advantage of.

In the original /dev/rel.js code snippet, we can see that the conditionals (if statements) that check if you have enough balance is using parseInt without a radix.

At the end of the program, the transfer uses parseInt with a specific base 10 radix. Since the string is parsed initially as an octal number, we can successfully pass the check and transfer more money than is in the account.

For example, if we use "01000" as the string, that means the code will only check if we have $512 to cover the transaction, but it will transfer $1000 in the end. However, “01000” is not the only value that can be entered to get the flag.

To get the flag, the value entered (in octal) must be less than or equal to the equivalent of 990 (in decimal). This is because of the error line in the script that says that the minimum in the account must be at least 10. The value entered (in octal) also needs to end up being interpreted as at least 1000 in decimal as well.

Keep in mind, the input value is evaluated before the transfer is made. Therefore, any value in octal between "01000" and "01736" (octal for a decimal value of 990) will yield the flag.

Useful resources for this challenge:

• parseInt() Documentation: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/parseInt
• Radix: https://en.wikipedia.org/wiki/Radix

Gym Answer Key

1. What is the path of the leaked file?

How to solve: Look in the /robots.txt endpoint for the leaked file path

Answer: /dev/rel.js

2. What is the flag?

How to solve: Exploit the text to number conversion by submitting 01000 as the amount of money to transfer. This will transfer more money than the account has and a flag will appear on your screen.

Answer: ⚠️ The flag is randomized, follow the guide to capture the flag

Extension Activities

Metro Lottery

Objectives

Analyze Javascript on a webpage in order to exploit trusted client input.

Prompt

Players of the Metropolis online lottery are able to get a win percentage of more than 80% resulting in more people winning than should be statistically possible. Conduct a security audit to determine the cause.

Scope: This challenge is limited to HTTPS in scope, please do not attack any other ports on this server and do not brute force attack this web server.

Questions

1. What is the flag obtained after winning the lottery?

Walkthrough

This challenge involves exploiting trusted client input. The objective of the challenge is to “win the lottery” which is not possible with the balance of money allotted to each user. Using all the allotted money will only yield a 3.85% chance of winning. The conditions for winning the lottery are to have a win percentage greater than 80%.

Guide

Use the developer tools to see the specific HTTP request which processes a purchase and to see the values for the number of tickets purchased and the cost of the purchase. To do this, navigate to the “Network” tab before making a purchase. Then, make a purchase.

A request to the “purchase” page should appear. Click on the request to view additional details.

Lets look at the sources for this page, specifically main.js. Starting at line 5, there is code about purchasing the tickets and how that information in the form is sent to the server. See below for the particular snippet:

The form uses AJAX to send the data to the web server. Understanding more about AJAX can help in understanding how the request is processed.

The vulnerability with this website is that the server will blindly trust the values supplied by the user when a request to purchase tickets is being made. It is possible for an attacker to adjust these values so that they can purchase more tickets than would normally be possible with the funds that they have. A quick way to exploit the vulnerability is to copy the code that the purchase form uses and to make some modifications.

Copy the code where the AJAX request is made and paste it into the “Console” in developer tools. Then, adjust the values in the “cost” and “tickets” fields.

By adjusting the data to indicate a small cost and a large number of tickets, it is possible to rig the odds of winning the lottery, triggering the flag to appear.

After waiting a few seconds for the end of the round, the flag should appear.

Tutorial Video

Watch our full Tutorial Video to learn more about exploiting untrusted web data and see a walkthrough of how to solve this challenge:

Cyber Skyline Live - Exploiting Untrusted Web Data - Feb 17, 2022

In Cyber Skyline Live - Exploiting Untrusted Web Data, you'll learn from Franz Payer, CEO of Cyber Skyline, about how to conduct a code review on a web application, exploit a number-rounding vulnerability by hand, and identify possible ways to secure the code. Reach out with questions at contact@cyberskyline.com. Cyber Skyline is the organizer of the National Cyber League, a bi-annual, all-virtual cybersecurity student competition, advancing hands-on skills and knowledge. Check the website at nationalcyberleague.org for details on NCL.

www.youtube.com

Gym Answer Key

1. What is the flag obtained after winning the lottery?

How to solve: Open the Metro Lottery webpage in a separate tab, then open the developer tools in your browser and execute this command: $.ajax({method : 'POST', url : '/purchase' + window.location.search, data : JSON.stringify({ cost : 5, tickets : 1000000, }), dataType : 'json', contentType : 'application/json' });

Answer: ⚠️ The flag is randomly generated so the correct flag for you will be different.