Bill Blough

NSA Codebreaker Challenge 2015: Background and Task 1

Last year, the National Security Agency held a reverse engineering competition for students. It ran from September 1st to December 31st, and consisted of four tasks. The results page lists the participating schools and students, along with tasks completed, rankings, and times. I represented Florida State University and was able to complete all four tasks in just under 53 hours.

Background Story

NSA has discovered that the leadership of a terrorist organization is using
a new method of communicating secret messages to its operatives in the
field. Intelligence suggests that each member of the organization is
provided a program that can be used to read the messages, and that a
customized cryptographic implementation is used to generate a
public/private key pair, which is then used to authenticate messages from
leadership to each member. 

A copy of the program belonging to a high-ranking operative has been
recovered, along with that individual's key and a text file believed to
contain a hidden message. At first glance, the program appears to simply
check stock information, but this is likely a ruse to make it appear
innocuous. Your mission is to reverse-engineer this software and develop
capabilities to exploit the secret messaging component. There are 4
different tasks for you to complete, with each increasing in difficulty and
building off the previous task(s).

Task 1

We need your help with decoding the message that we've captured. The text
file, key file, and secret messaging program can be found below. The main
objective for this task is to figure out how to decode the message with the
program and report back on your findings. 

To complete this task, you will most likely need to analyze the program
binary in order to determine how to trigger the hidden functionality and
decode the secret message.

As stated in the background story, the program appeared to be a simple stock price query utility:

user@host:~/nsa_codebreaker_2015/task_1$ ./codebreaker3  --help
--debug true : Show debugging information
--help : Show this help message
--symbol <symbol> : The ticker symbol to reference
--action <action> : 
    'open' for the days opening price
    'low'  for the days lowest price
    'high' for the days highest price
    'last' for the last price

--symbol and --action are required arguments

Stock Information Powered by Yahoo!

And indeed, it seemed to work as such:

user@host:~/nsa_codebreaker_2015/task_1$ ./codebreaker3 --symbol GOOG --action open
'open' info for 'GOOG': 708.26

The first order of business was to discover how to invoke the secret functionality.

Investigation with IDA immediately showed some interesting things.

First, the program checks the length of the name used to invoke it, and later on checks whether or not the name matches secret-messenger.

Another interesting bit was a hidden command line option, reveal.

This seemed like enough to give it a try. Creating a symlink from codebreaker3 to secret-messenger bypassed the name checks. But running the command with the hidden option still wanted more:

user@host:~nsa_codebreaker_2015/task_1$ ./secret-messenger --reveal
Missing required parameter.  Run with --help for more info.

The --help text was the same as before. But before heading back to IDA to look for more hidden options, or to figure out what has to happen next… what if the existing options behave differently in “reveal” mode?

user@host:~nsa_codebreaker_2015/task_1$ ./secret-messenger --reveal --symbol tier1_msg.txt --action tier1_key.pem
Invalid (failed check 1)

Hmmm… Maybe those are backwards?

user@host:~nsa_codebreaker_2015/task_1$ ./secret-messenger --reveal --action tier1_msg.txt --symbol tier1_key.pem
Message: Meet at 22:00 tomorrow at our secure location.  Come alone, and do not tell anyone - this meeting is sensitive, as leadership will be present.  To authenticate yourself, mention the pass code osb4rfmthy5dp22kd7qm at the door.

Bingo! The action argument gets the message file, and the symbol argument gets the key file.
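As an added illustration (not the challenge binary and not the author's code), the following C program models the gating behaviour the write-up describes: the invocation name is length-checked and then compared against secret-messenger, a --reveal flag that never appears in --help switches the program into its hidden mode, and in that mode --action names the message file while --symbol names the key file. The function names (invoked_as_secret, parse_opts), the assumption that only the basename of argv[0] is compared (consistent with a symlink in the working directory satisfying the check), and the choice to fall back to stock mode when --reveal is given under the wrong name are all assumptions made for this example. When triaging a binary that presents as a harmless utility, a comparison against argv[0] and an option string that is absent from the help text are exactly the kind of branches worth flagging.

```c
#include <stdio.h>
#include <string.h>

#define SECRET_NAME "secret-messenger"   /* name the binary expects (from the write-up) */

/* Returns 1 when the final path component of argv0 is exactly SECRET_NAME.
 * Assumption: only the basename is compared, which is consistent with a
 * symlink in the working directory satisfying the check. */
int invoked_as_secret(const char *argv0)
{
    const char *base = strrchr(argv0, '/');
    base = base ? base + 1 : argv0;
    /* The write-up saw a length check first, then a name comparison. */
    if (strlen(base) != strlen(SECRET_NAME))
        return 0;
    return strcmp(base, SECRET_NAME) == 0;
}

struct opts {
    int reveal;             /* hidden --reveal flag seen */
    const char *symbol;     /* --symbol value as typed */
    const char *action;     /* --action value as typed */
    const char *msg_file;   /* reveal mode: file holding the message */
    const char *key_file;   /* reveal mode: file holding the key */
};

/* Parses the documented options plus the hidden --reveal flag.
 * Returns 0 on success, -1 when --symbol or --action is missing
 * (the binary's "Missing required parameter" case). Hypothetical helper. */
int parse_opts(int argc, char **argv, struct opts *o)
{
    memset(o, 0, sizeof *o);
    for (int i = 1; i < argc; i++) {
        if (strcmp(argv[i], "--reveal") == 0)
            o->reveal = 1;
        else if (strcmp(argv[i], "--symbol") == 0 && i + 1 < argc)
            o->symbol = argv[++i];
        else if (strcmp(argv[i], "--action") == 0 && i + 1 < argc)
            o->action = argv[++i];
    }
    if (!o->symbol || !o->action)
        return -1;
    if (o->reveal) {
        /* Observed in the write-up: in reveal mode --action carries the
         * message file and --symbol the key file, the reverse of what the
         * option names suggest. */
        o->msg_file = o->action;
        o->key_file = o->symbol;
    }
    return 0;
}

int main(int argc, char **argv)
{
    struct opts o;
    if (parse_opts(argc, argv, &o) != 0) {
        puts("Missing required parameter.  Run with --help for more info.");
        return 1;
    }
    if (o.reveal && invoked_as_secret(argv[0]))
        printf("reveal mode: message file %s, key file %s\n", o.msg_file, o.key_file);
    else
        printf("stock mode: symbol %s, action %s\n", o.symbol, o.action);
    return 0;
}
```

Compile it, run it as ./a.out --symbol GOOG --action open, then symlink it to secret-messenger and run ./secret-messenger --reveal --action tier1_msg.txt --symbol tier1_key.pem to see the two code paths diverge on nothing but the invocation name and an undocumented flag.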

We’ve decoded the message, which completes task 1.