NSA Codebreaker Challenge 2015: Background and Task 1
Last year, the National Security Agency held a reverse engineering competition for students. It ran from September 1st to December 31st, and consisted of four tasks. The results page lists the participating schools and students, along with tasks completed, rankings, and times. I represented Florida State University and was able to complete all four tasks in just under 53 hours.
NSA has discovered that the leadership of a terrorist organization is using a new method of communicating secret messages to its operatives in the field. Intelligence suggests that each member of the organization is provided a program that can be used to read the messages, and that a customized cryptographic implementation is used to generate a public/private key pair, which is then used to authenticate messages from leadership to each member. A copy of the program belonging to a high-ranking operative has been recovered, along with that individual's key and a text file believed to contain a hidden message. At first glance, the program appears to simply check stock information, but this is likely a ruse to make it appear innocuous. Your mission is to reverse-engineer this software and develop capabilities to exploit the secret messaging component. There are 4 different tasks for you to complete, with each increasing in difficulty and building off the previous task(s).
We need your help with decoding the message that we've captured. The text file, key file, and secret messaging program can be found below. The main objective for this task is to figure out how to decode the message with the program and report back on your findings. To complete this task, you will most likely need to analyze the program binary in order to determine how to trigger the hidden functionality and decode the secret message.
As stated in the background story, the program appeared to be a simple stock price query utility:
user@host:~/nsa_codebreaker_2015/task_1$ ./codebreaker3 --help
Help:
--debug true : Show debugging information
--help : Show this help message
--symbol <symbol> : The ticker symbol to reference
--action <action> : 'open' for the days opening price
                    'low' for the days lowest price
                    'high' for the days highest price
                    'last' for the last price
--symbol and --action are required arguments
Stock Information Powered by Yahoo!
And indeed, it seemed to work as such:
user@host:~/nsa_codebreaker_2015/task_1$ ./codebreaker3 --symbol GOOG --action open
'open' info for 'GOOG': 708.26
The first order of business was to discover how to invoke the secret functionality.
strings on the binary "revealed" something interesting - a hidden option!
--reveal : Enter secret message mode
However, trying that option produced an error:
user@host:~/nsa_codebreaker_2015/task_1$ ./codebreaker3 --reveal
Failed binary name check
At that point, I decided to step through execution in gdb in order to see what was happening. As it turns out, there is a check that the binary name is exactly 16 characters long. Renaming the binary to be 16 characters long didn't change the error message. So, proceeding further in gdb with the renamed binary, I found a check that verifies that the program was invoked as secret-messenger. Renaming the binary to secret-messenger was all it took to get further.
user@host:~nsa_codebreaker_2015/task_1$ ./secret-messenger --reveal
Missing required parameter. Run with --help for more info.
The --help text was the same as before, and the output of strings did not show any additional options. Rather than diving back into gdb, I decided to follow the hunch that the existing options served a purpose in the secret mode as well. A little trial-and-error was called for.
user@host:~nsa_codebreaker_2015/task_1$ ./secret-messenger --reveal --symbol foo --action bar
Could not open 'bar' access: No such file or directory
So I passed the key file as the action:
user@host:~nsa_codebreaker_2015/task_1$ ./secret-messenger --reveal --symbol foo --action tier1_key.pem
Could not open 'foo' access: No such file or directory
And also the message file as the symbol:
user@host:~nsa_codebreaker_2015/task_1$ ./secret-messenger --reveal --symbol tier1_msg.txt --action tier1_key.pem
Could not open 'foo' Invalid (failed check 1)
Since there was no guarantee that I had guessed right the first time, I thought it possible that I had matched the files to the wrong arguments. So I tried swapping them:
user@host:~nsa_codebreaker_2015/task_1$ ./secret-messenger --reveal --action tier1_msg.txt --symbol tier1_key.pem
*****SIGNATURE IS VALID*****
Message: Meet at 22:00 tomorrow at our secure location. Come alone, and do not tell anyone - this meeting is sensitive, as leadership will be present. To authenticate yourself, mention the pass code osb4rfmthy5dp22kd7qm at the door.
*****SIGNATURE IS VALID*****
And bingo! The --action argument went with the message file, while the --symbol argument went with the key file.
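The trial-and-error above can be made systematic. The following is an added example, not code from the writeup or the challenge, that reproduces the two argv[0] gates found in gdb as a preflight check and then enumerates every assignment of the two files to --symbol and --action, stopping at the invocation whose output carries the SIGNATURE IS VALID marker. The fake_runner is a constructed stand-in for the binary so the script runs without the challenge files.

```python
import itertools
import os
import subprocess
from typing import Callable, Dict, List, Optional

# Facts taken from the writeup: the renamed binary, the two options that take
# files in secret mode, the two recovered files, and the success marker.
BINARY = "./secret-messenger"
OPTIONS = ("--symbol", "--action")
FILES = ("tier1_msg.txt", "tier1_key.pem")
VALID_MARKER = "SIGNATURE IS VALID"

Runner = Callable[[List[str]], str]


def name_gate(path: str) -> Optional[str]:
    """Reproduce the two argv[0] checks found in gdb; None means both pass."""
    name = os.path.basename(path)
    if len(name) != 16:
        return "Failed binary name check (length is not 16)"
    if name != "secret-messenger":
        return "Failed binary name check (name mismatch)"
    return None


def candidate_invocations(binary: str = BINARY) -> List[List[str]]:
    """Every way of assigning the two files to the two options."""
    cmds = []
    for assignment in itertools.permutations(FILES, len(OPTIONS)):
        argv = [binary, "--reveal"]
        for opt, path in zip(OPTIONS, assignment):
            argv += [opt, path]
        cmds.append(argv)
    return cmds


def run_real(argv: List[str]) -> str:
    """Actually execute the binary and return stdout and stderr together."""
    proc = subprocess.run(argv, capture_output=True, text=True)
    return proc.stdout + proc.stderr


def find_working_mapping(runner: Runner = run_real, binary: str = BINARY) -> Optional[Dict[str, str]]:
    """Return the option->file map whose run verifies, or None if none does."""
    if name_gate(binary) is not None:
        return None  # the binary would refuse before reaching secret mode
    for argv in candidate_invocations(binary):
        if VALID_MARKER in runner(argv):
            return {argv[i]: argv[i + 1] for i in range(2, len(argv), 2)}
    return None


def fake_runner(argv: List[str]) -> str:
    """Constructed stand-in mirroring the outputs quoted in the writeup."""
    opts = {argv[i]: argv[i + 1] for i in range(2, len(argv), 2)}
    if opts.get("--action") == "tier1_msg.txt" and opts.get("--symbol") == "tier1_key.pem":
        return "*****SIGNATURE IS VALID*****\nMessage: ...\n*****SIGNATURE IS VALID*****\n"
    return "Invalid (failed check 1)\n"
```

Swap `fake_runner` for the default `run_real` to drive the actual renamed binary in the task directory.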
With the message decoded, Task 1 was complete.