2021 National Cyber Scholarship Write Up
Bio: Hello! My name is Megan Howell, aka CyberQueenMeg, and I am a junior in high school. I am a cybersecurity and programming enthusiast always seeking opportunities to further my knowledge in the field of cybersecurity. As a novice in the field, I hope that this write-up will consider other newcomers to pursue their interests and try a CTF out! I am a CyberPatriot and SkillsUSA Cybersecurity competitor as well, and these experiences have helped to grow my knowledge of cybersecurity and ethical hacking. I have spoken at several security and CS conferences about my perspective as a student in the field.
Equipment and Tools Used:
Computer: Toshiba Satellite A665-S5170OS: Parrot Linux
Most Used Tools: GIMP, nmap, WireShark, command line, FireFox/Chromium, Visual Studio Code, Pluma (text editor), MetaSploit, OWASP-ZAP, BurpSuite
Completed Competition Challenges:
BE01
Instructions: Download chicken.pdf and find a way to get the flag.
When you open the file you get a pdf with a picture of a chicken. However, when I changed the file type to chicken.zip, it worked! I got a file named egg.zip. I then extracted that file to get chicken.zip (2), which I extracted to get egg.zip (2). I then extracted egg.zip (2) to get chicken.zip (3), which revealed egg.pdf! I opened it in GIMP which revealed the flag, ‘wh1ch_came_f1rst?’.
FE04
Instructions: Download 50k-users.txt and filter down to the username that is the flag according to this criteria: The username you are looking for has x as the 3rd character, followed immediately by a number from 2 to 6, it has a Z character in it and the last character is S.
Since this file contains 50,000 usernames, it would be silly to look through every username. I initially tried programming a Java script to search for the name but it wasn’t working. A quick google search of how to filter documents in the Linux terminal revealed that I needed to use the grep command. Grep is an extremely powerful keyword that allows the user to search for files/folders/words in a file that contain certain keyword(s). I started by sorting for the characters located in specific places in the username. All of the usernames were the same length, so that made my life easier! I saved the results to a file called results.txt. My first search for the last character got me down to 786 usernames. I then applied a few more filters and was able to filter down to the flag, YXx52hsi3ZQ5b9rS!
BASH Commands:
cat results.txt | grep ‘S$’ 50k-users.txtgrep
‘ZZ*’ results.txtgrep ‘xx*’ results.txt
Manually look through the few remaining usernames for x as the third character and a number 2–6 following it
FM01
Instructions: Download fm01.jpg and find a way to get the flag.
When you open the file, it is a big mess of ugly-looking pixels. If you open the image into GIMP and view the meta-data, the flag is the layer name, tr4il3r_p4rk
NE01
Instructions: There is a TCP network service running on cfta-ne01.allyourbases.co. Find it to get the flag after you connect.
This challenge requires you to use nmap, a network and port scanner. When you execute the command ‘nmap -v -A -Pn cfta-ne01.allyourbases.co’, you get the flag, Nmap_0f_the_W0rld! at port 1061 (TCP), id ne01
WE01
Instructions: Navigate to the webpage and try to get the flag.
The web page appears and it contains strange looking characters. When you copy and paste those characters into the console when you inspect the element, you get the flag, unicode+obfuscation=js*fun
WE02
Instructions: Navigate to the webpage and try to get the flag.
The web page appears with several pages and when you look at and inspect all of the pages, nothing comes up. However, when you type /robots.txt at the end of the URL, you receive a message that says “Disallow: /4ext6b6.html”. When you navigate to the web page with that at the end of the URL, you get the flag, Shhh_robot_you_said_too_much!
Competition Blog:
4/3/2021: 2 days until the hackathon starts.
Today, I am finalizing my preparations for the National Cyber Scholarship CTF. I’ve got my machine, my applications, and my files all ready. Since this is my first CTF, I am rather nervous. However, I know that I will learn a lot as well and the learning experience will be well worth it, no matter if I win or lose. I hope I do win because if I do, I will receive professional training that will further my knowledge in the field.
4/4/2021: 1 day until the hackathon starts.
One day to go! I almost had to find a different computer last minute because my wifi drivers broke for a little while, but all ended up being fine.
4/5/2021: Day 1 of NCS.
I’m doing pretty good for not knowing a ton about hacking, but it is still pretty challenging! I’m learning a lot though, which is exciting!
4/6/2021: Day 2 of NCS.
Today I only got 2 challenges compared to four yesterday. I tried really hard on two but couldn’t get them.
Overall Summary:
Wow!!! It was so hard but I learned so much. I need to focus on mastering my command line commands and some of the basic hacking apps and techniques, as that is where I struggled the most. I did really well considering I came in with limited knowledge. This all goes to show that even if you are inexperienced, you should consider competing in a CTF if you have the chance. I ended up becoming a National Cyber Scholar, meaning I placed in the top 600 Juniors and Seniors that competed. You will learn so much while having fun!
