NSA Codebreaker Challenge 2015: Background and Task 1


Last year, the National Security Agency held a reverse engineering competition for students. It ran from September 1st to December 31st, and consisted of four tasks. The results page lists the participating schools and students, along with tasks completed, rankings, and times. I represented Florida State University and was able to complete all four tasks in just under 53 hours.

Background Story

NSA has discovered that the leadership of a terrorist organization is using
a new method of communicating secret messages to its operatives in the
field. Intelligence suggests that each member of the organization is
provided a program that can be used to read the messages, and that a
customized cryptographic implementation is used to generate a
public/private key pair, which is then used to authenticate messages from
leadership to each member.

A copy of the program belonging to a high-ranking operative has been
recovered, along with that individual's key and a text file believed to
contain a hidden message. At first glance, the program appears to simply
check stock information, but this is likely a ruse to make it appear
innocuous. Your mission is to reverse-engineer this software and develop
capabilities to exploit the secret messaging component. There are 4
different tasks for you to complete, with each increasing in difficulty and
building off the previous task(s).

Task 1

We need your help with decoding the message that we've captured. The text
file, key file, and secret messaging program can be found below. The main
objective for this task is to figure out how to decode the message with the
program and report back on your findings.

To complete this task, you will most likely need to analyze the program
binary in order to determine how to trigger the hidden functionality and
decode the secret message.

As stated in the background story, the program appeared to be a simple stock price query utility:

    user@host:~/nsa_codebreaker_2015/task_1$ ./codebreaker3  --help
    Help:
    --debug true : Show debugging information
    --help : Show this help message
    --symbol <symbol> : The ticker symbol to reference
    --action <action> :
        'open' for the days opening price
        'low'  for the days lowest price
        'high' for the days highest price
        'last' for the last price

    --symbol and --action are required arguments

    Stock Information Powered by Yahoo!

And indeed, it seemed to work as such:

    user@host:~/nsa_codebreaker_2015/task_1$ ./codebreaker3 --symbol GOOG --action open
    'open' info for 'GOOG': 708.26

The first order of business was to discover how to invoke the secret functionality.

Running strings on the binary "revealed" something interesting - a hidden option!

    --reveal : Enter secret message mode

However, trying that option produced an error:

    user@host:~/nsa_codebreaker_2015/task_1$ ./codebreaker3 --reveal
    Failed binary name check

At that point, I decided to step through execution in gdb, in order to see what was happening. As it turns out, there is a check that the binary name is exactly 16 characters long.

The basename length check in gdb

Renaming the binary to be 16 characters long didn't change the error message. So, proceeding further in gdb with the renamed binary, I found a check that verifies that the program was invoked as secret-messenger.

The basename comparison in gdb

Renaming the binary to secret-messenger was all it took to get further.

    user@host:~nsa_codebreaker_2015/task_1$ ./secret-messenger --reveal
    Missing required parameter.  Run with --help for more info.
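To make the two-stage gate concrete, here is an added C reconstruction of the kind of check described above; it is not the challenge binary's code (which was never published), and the constants simply mirror what gdb showed: a basename of exactly 16 characters that must equal secret-messenger. Both stages report the same error, which is why the rename to an arbitrary 16-character name looked like it had no effect.

```c
#include <stdio.h>
#include <string.h>

/* Outcome of the gating check, in the order the two stages run.
 * Hypothetical reconstruction: constants taken from the gdb session. */
enum name_check {
    NAME_OK = 0,
    NAME_FAIL_LENGTH,   /* basename is not exactly 16 characters */
    NAME_FAIL_COMPARE   /* right length, but not "secret-messenger" */
};

static const char EXPECTED_NAME[] = "secret-messenger";  /* 16 characters */

/* Strip any directory prefix from argv[0], like basename(3) does. */
const char *program_basename(const char *argv0)
{
    const char *slash = strrchr(argv0, '/');
    return slash ? slash + 1 : argv0;
}

/* Stage 1: the basename must be 16 bytes long.
 * Stage 2: the bytes must match EXPECTED_NAME.
 * Either failure collapses to the same "Failed binary name check". */
enum name_check check_binary_name(const char *argv0)
{
    const char *base = program_basename(argv0);
    if (strlen(base) != sizeof(EXPECTED_NAME) - 1)
        return NAME_FAIL_LENGTH;
    if (strcmp(base, EXPECTED_NAME) != 0)
        return NAME_FAIL_COMPARE;
    return NAME_OK;
}

int main(int argc, char **argv)
{
    (void)argc;
    if (check_binary_name(argv[0]) != NAME_OK) {
        puts("Failed binary name check");
        return 1;
    }
    puts("Entering secret message mode");
    return 0;
}
```

Compile it, run it under its build name, then copy it to a 16-character name and finally to secret-messenger to reproduce the three outcomes seen in the write-up.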

The --help text was the same as before, and the output of strings didn't show any additional options. Rather than diving back into gdb, I decided to follow the hunch that the existing options served a purpose in the secret mode as well. A little trial-and-error was called for.

    user@host:~nsa_codebreaker_2015/task_1$ ./secret-messenger --reveal --symbol foo --action bar
    Could not open 'bar'
    access: No such file or directory

So I passed the key file as the action.

    user@host:~nsa_codebreaker_2015/task_1$ ./secret-messenger --reveal --symbol foo --action tier1_key.pem
    Could not open 'foo'
    access: No such file or directory

And also the message file as the symbol.

    user@host:~nsa_codebreaker_2015/task_1$ ./secret-messenger --reveal --symbol tier1_msg.txt --action tier1_key.pem
    Could not open 'foo'
    Invalid (failed check 1)

Since there was no guarantee that I guessed right the first time, I thought it might be possible that I had the files matched to the wrong arguments. So I tried swapping them.

    user@host:~nsa_codebreaker_2015/task_1$ ./secret-messenger --reveal --action tier1_msg.txt --symbol tier1_key.pem
    *****SIGNATURE IS VALID*****
    Message: Meet at 22:00 tomorrow at our secure location.  Come alone, and do not tell anyone - this meeting is sensitive, as leadership will be present.  To authenticate yourself, mention the pass code osb4rfmthy5dp22kd7qm at the door.
    *****SIGNATURE IS VALID*****

And bingo! The action argument went with the message file, while the symbol argument went with the key file.

With the message decoded, Task 1 was complete.