Like Tree15Likes

Anyone fancy becoming a spook?

This is a discussion on Anyone fancy becoming a spook? within the General Discussions forums, part of the Community Boards category; This final stage of the challenge is a windows-only affair. You get an executable file without much else. *This challenge ...

  1. #31
    &TH of undefined behavior Fordy's Avatar
    Join Date
    Aug 2001
    Posts
    5,789
    This final stage of the challenge is a windows-only affair. You get an executable file without much else.


    *This challenge is a straight cracking/reverse-engineering exercise. I will not detail how I do this, but I will detail the puzzle that exists in the code.


    Running the executable (in a safe, disposable virtual machine of course!) reveals that the executable needs an extra dll. A quick Google search reveals that this is the crypt module of cygwin, so I installed the correct libraries and tried again:

    Name:  Console1.jpg
Views: 148
Size:  20.0 KB

    Entering the hostname of the challenge website at least told me that the program also wanted a licence file. From there I dived into the code and found the following:
    • A rather interesting string - "hqDTK7b8K2rvw".
    • Code that searches for a file named "licence.txt", sets aside 24 bytes of zeroed memory and then uses this memory to load the contents of the file.
    • The first 4 bytes of this data are checked against a hard coded value - 0x67636871. This is "gchq" in ascii. So far so good!
    • The next 20 bytes are then passed to the unix "crypt" function with the mystery string ("hqDTK7b8K2rvw") as a salt. The return is again checked against the mystery string and if its the same, the code continues.
    • At this point, the final 12 bytes of the licence are loaded onto the stack and the code branches to a new procedure.
    • This new procedure tries to contact the hostname you specified on port 80 and perform a HTTP GET request. The URL used for this is interesting: "GET /%s/%x/%x/%x/key.txt HTTP/1.0\r\n\r\n". For the first string in this format specifier, the program passes the mystery string ("hqDTK7b8K2rvw"). The other 3 hex values are the 12 bytes read at the end of the licence.
    Here's where it gets interesting. Looking at the crypt man-page, the function discards all but the first 8 bytes of the password and all but the first 2 bytes of the salt. The salt then becomes the first 2 bytes of the encrypted password (that is how the salt and encrypted password can be compared to see if the correct password is given).

    So I need to find a 20 byte password. How about "canyoucrackit.co.uk" a NULL char at the end? Nope. That didn't work

    I realised that if I tried a brute force attack on this encrypted string it would take ages. Also, as all but the first 8 chars are discarded, the final 12 bytes would not be revealed by the attack, and this was the information I needed. At this point I was stuck.

    Then I remembered the weird information from the other 2 stages:
    • The jumped DWORD in stage 1 - 0xa3bfc2af
    • The firmware values from stage 2 - 0xd2ab1f05, 0xda13f110
    Now, trying these values in the URL gives me www.canyoucrackit.co.uk/hqDTK7b8K2rvw/a3bfc2af/d2ab1f05/da13f110/key.txt


    Go to that page and instead of a 404 page asking you to try again you get the following text: "Pr0t3ct!on#cyber_security@12*12.2011+". Put this into the form on Can you crack it - behind the code and you get through to this:

    Name:  Success.jpg
Views: 216
Size:  61.2 KB

    You get a chance to apply for:
    • Cyber Security Specialist - GC10 (25,446)
    • Senior Cyber Security Specialist - GC9 (31,152)
    And that's that for this year, unless there more in that final block of memory on stage 2!

  2. #32
    Registered User rogster001's Avatar
    Join Date
    Aug 2006
    Location
    Liverpool UK
    Posts
    1,438
    i dont want to give it away, and nor do i want o pretend i got this all on my own, a few of us in work got together to have a go, thank goodness some of them guys are ' maybe ' on a par wit brewbuck...anyway... you probably wont want to give up the day job for the offer! :->
    Thought for the day:
    "Are you sure your sanity chip is fully screwed in sir?" (Kryten)
    FLTK: "The most fun you can have with your clothes on."

    Stroustrup:
    "If I had thought of it and had some marketing sense every computer and just about any gadget would have had a little 'C++ Inside' sticker on it'"

  3. #33
    Registered User rogster001's Avatar
    Join Date
    Aug 2006
    Location
    Liverpool UK
    Posts
    1,438
    There is another thing you can try though for a laugh, Its for MI5, I cant post the link because i would be assasinated later on tonite obviously. But its like a propensity test' and they ask you a few questions about how you would react in certain situations. It was hilarious because i did it myself, and the reply came back 'you may consider applying with us'.... But then my manager at the time, a nice, pleasant suburban mum of three kids, also did the test.... and the answer came back... you should immediately apply, excellent candidate
    Thought for the day:
    "Are you sure your sanity chip is fully screwed in sir?" (Kryten)
    FLTK: "The most fun you can have with your clothes on."

    Stroustrup:
    "If I had thought of it and had some marketing sense every computer and just about any gadget would have had a little 'C++ Inside' sticker on it'"

  4. #34
    Registered /usr
    Join Date
    Aug 2001
    Location
    Newport, South Wales, UK
    Posts
    1,266
    I did find it a bit cheeky that you have to play with a Windows program that is reliant on Cygwin functionality (so really it's a Linux program shoe-horned into Windows for no good reason), but what was really disappointing was that for all that effort they are only offering ~1% more than what I already earn doing a significantly easier (for me, at least) job.

    Looks to be for newly-graduated fodder only.

  5. #35
    &TH of undefined behavior Fordy's Avatar
    Join Date
    Aug 2001
    Posts
    5,789
    Quote Originally Posted by SMurf View Post
    I did find it a bit cheeky that you have to play with a Windows program that is reliant on Cygwin functionality (so really it's a Linux program shoe-horned into Windows for no good reason), but what was really disappointing was that for all that effort they are only offering ~1% more than what I already earn doing a significantly easier (for me, at least) job.

    Looks to be for newly-graduated fodder only.
    I think the reason was that the details of the crypt function (well document, with standard usage on *nix) showed that cracking wouldn't work.You could build a a linux password file and set a program like "john" , to find a suitable plain-text, but that would not give you the answer - as I said, crypt loses all but the first 8 chars and its chars 8-19 that give the answer so it wasn't the challenge to break the encryption, it was the knowledge of this that was what you needed before realising what the answer was. Knowing when not to crack gave rise to the solution.

  6. #36
    Registered /usr
    Join Date
    Aug 2001
    Location
    Newport, South Wales, UK
    Posts
    1,266
    Ohhhhh.

    I knew about that limitation in crypt (and its consequent effect on most password systems on websites worldwide) but I would always pull the thing apart before trying decryption methods, I can do the former more quickly. My fatal flaw I guess.

    And for those lamenting their inability to work this puzzle, a suggestion: get better at debugging. If you can get to the stage where you understand what the computer sees in your own programs, you will get significantly better at programming (you can see code from the computer's perspective, so you can tailor it to that) and you could, if need be, take apart other programs (within legal restrictions of course, caveat emptor... )

  7. #37
    Super Moderator VirtualAce's Avatar
    Join Date
    Aug 2001
    Posts
    9,596
    And for those lamenting their inability to work this puzzle, a suggestion: get better at debugging.
    There was far more than debugging required to solve this puzzle so I fail to see how your suggestion relates. Most everyone got to the point of the assembly (especially after brewbuck's post) and realized it needed some data that just was not there. Fordy found that data in the image file and moved on from there. What impressed me most about the solution was all the javascript code in stage 2. Since I'm not an avid javascript guy I doubt I could have moved passed that part or have gone through the trouble to write all of it.

    Job well done to all who contributed and especially Fordy for the solution.
    Last edited by VirtualAce; 12-26-2011 at 11:42 AM.

Page 3 of 3 FirstFirst 123
Popular pages Recent additions subscribe to a feed

Similar Threads

  1. Fancy apps/components
    By Ionsurge in forum C++ Programming
    Replies: 5
    Last Post: 06-27-2003, 10:34 AM
  2. fancy strcpy
    By heat511 in forum C++ Programming
    Replies: 34
    Last Post: 05-01-2002, 05:29 PM
  3. how'd ya'll get them fancy pictures?
    By mithrandir in forum A Brief History of Cprogramming.com
    Replies: 2
    Last Post: 08-28-2001, 09:33 AM

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21