Thread: Anyone fancy becoming a spook?

  1. #31
Fordy (&TH of undefined behavior)
    Join Date
    Aug 2001
    Posts
    5,793
This final stage of the challenge is a Windows-only affair. You get an executable file without much else.


    *This challenge is a straight cracking/reverse-engineering exercise. I will not detail how I do this, but I will detail the puzzle that exists in the code.


Running the executable (in a safe, disposable virtual machine of course!) reveals that the executable needs an extra DLL. A quick Google search reveals that this is the crypt module of Cygwin, so I installed the correct libraries and tried again:

[image: console1]

    Entering the hostname of the challenge website at least told me that the program also wanted a licence file. From there I dived into the code and found the following:
    • A rather interesting string - "hqDTK7b8K2rvw".
    • Code that searches for a file named "licence.txt", sets aside 24 bytes of zeroed memory and then uses this memory to load the contents of the file.
    • The first 4 bytes of this data are checked against a hard coded value - 0x67636871. This is "gchq" in ascii. So far so good!
• The next 20 bytes are then passed to the Unix "crypt" function with the mystery string ("hqDTK7b8K2rvw") as a salt. The return is again checked against the mystery string and if it's the same, the code continues.
    • At this point, the final 12 bytes of the licence are loaded onto the stack and the code branches to a new procedure.
• This new procedure tries to contact the hostname you specified on port 80 and perform an HTTP GET request. The URL used for this is interesting: "GET /%s/%x/%x/%x/key.txt HTTP/1.0\r\n\r\n". For the first string in this format specifier, the program passes the mystery string ("hqDTK7b8K2rvw"). The other 3 hex values are the 12 bytes read at the end of the licence.
    Here's where it gets interesting. Looking at the crypt man-page, the function discards all but the first 8 bytes of the password and all but the first 2 bytes of the salt. The salt then becomes the first 2 bytes of the encrypted password (that is how the salt and encrypted password can be compared to see if the correct password is given).

So I need to find a 20 byte password. How about "canyoucrackit.co.uk" with a NULL char at the end? Nope. That didn't work.

    I realised that if I tried a brute force attack on this encrypted string it would take ages. Also, as all but the first 8 chars are discarded, the final 12 bytes would not be revealed by the attack, and this was the information I needed. At this point I was stuck.

    Then I remembered the weird information from the other 2 stages:
    • The jumped DWORD in stage 1 - 0xa3bfc2af
    • The firmware values from stage 2 - 0xd2ab1f05, 0xda13f110
    Now, trying these values in the URL gives me www.canyoucrackit.co.uk/hqDTK7b8K2rvw/a3bfc2af/d2ab1f05/da13f110/key.txt


    Go to that page and instead of a 404 page asking you to try again you get the following text: "Pr0t3ct!on#cyber_security@12*12.2011+". Put this into the form on Can you crack it - behind the code and you get through to this:

[image: success]

    You get a chance to apply for:
    • Cyber Security Specialist - GC10 (£25,446)
    • Senior Cyber Security Specialist - GC9 (£31,152)
And that's that for this year, unless there's more in that final block of memory on stage 2!

  2. #32
rogster001 (Registered User)
    Join Date
    Aug 2006
    Location
    Liverpool UK
    Posts
    1,472
I don't want to give it away, and nor do I want to pretend I got this all on my own; a few of us in work got together to have a go. Thank goodness some of them guys are 'maybe' on a par with brewbuck... anyway... you probably won't want to give up the day job for the offer! :->
    Thought for the day:
    "Are you sure your sanity chip is fully screwed in sir?" (Kryten)
    FLTK: "The most fun you can have with your clothes on."

    Stroustrup:
    "If I had thought of it and had some marketing sense every computer and just about any gadget would have had a little 'C++ Inside' sticker on it'"

  3. #33
rogster001 (Registered User)
    Join Date
    Aug 2006
    Location
    Liverpool UK
    Posts
    1,472
There is another thing you can try though, for a laugh. It's for MI5; I can't post the link because I would be assassinated later on tonight, obviously. But it's like a 'propensity test' and they ask you a few questions about how you would react in certain situations. It was hilarious because I did it myself, and the reply came back 'you may consider applying with us'.... But then my manager at the time, a nice, pleasant suburban mum of three kids, also did the test.... and the answer came back... you should immediately apply, excellent candidate.

  4. #34
    Registered /usr
    Join Date
    Aug 2001
    Location
    Newport, South Wales, UK
    Posts
    1,273
    I did find it a bit cheeky that you have to play with a Windows program that is reliant on Cygwin functionality (so really it's a Linux program shoe-horned into Windows for no good reason), but what was really disappointing was that for all that effort they are only offering ~1% more than what I already earn doing a significantly easier (for me, at least) job.

    Looks to be for newly-graduated fodder only.

  5. #35
Fordy (&TH of undefined behavior)
    Join Date
    Aug 2001
    Posts
    5,793
Quote Originally Posted by SMurf:
    I did find it a bit cheeky that you have to play with a Windows program that is reliant on Cygwin functionality (so really it's a Linux program shoe-horned into Windows for no good reason), but what was really disappointing was that for all that effort they are only offering ~1% more than what I already earn doing a significantly easier (for me, at least) job.

    Looks to be for newly-graduated fodder only.
I think the reason was that the details of the crypt function (well documented, with standard usage on *nix) showed that cracking wouldn't work. You could build a Linux password file and set a program like "john" to find a suitable plain-text, but that would not give you the answer - as I said, crypt loses all but the first 8 chars and it's chars 8-19 that give the answer, so it wasn't the challenge to break the encryption; it was the knowledge of this that was what you needed before realising what the answer was. Knowing when not to crack gave rise to the solution.
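The licence check described in post #31, and the reason given just above for why running "john" against the hash could never yield the URL, can be shown in a few lines. This is an added model written for this thread, not the challenge binary's code: it assumes the twelve trailing bytes are read as three little-endian x86 DWORDs (consistent with the %x values in the URL), and it stands in a constructed `model_crypt` for crypt(3) that reproduces only the man-page truncation rules (8-character password, 2-character salt, salt as the first two output characters), so its hashes are not comparable with the real "hqDTK7b8K2rvw".

```python
import hashlib
import struct

LICENCE_LEN = 24
MAGIC = b"gchq"                  # post #31: first DWORD compared with 0x67636871 == "gchq" in ASCII
REAL_HASH = "hqDTK7b8K2rvw"      # the mystery string from the post; never recomputed here


def model_crypt(password: str, salt: str) -> str:
    """Stand-in for crypt(3), constructed for this example (NOT DES).

    It models only the two man-page rules the posts rely on: at most the first
    8 characters of the password and the first 2 characters of the salt are used,
    and the 2-character salt becomes the first 2 characters of the 13-character result.
    """
    pw8 = password[:8].encode("latin-1")
    salt2 = salt[:2]
    tail = hashlib.sha256(salt2.encode("latin-1") + pw8).hexdigest()[:11]
    return salt2 + tail


def build_licence(password: bytes, dwords) -> bytes:
    """Assemble a licence.txt laid out the way post #31 describes the binary reading it:
    4 magic bytes, then 20 password bytes, the last 12 of which are three DWORDs
    (little-endian x86 load order: an assumption, matching the %x values in the URL)."""
    return MAGIC + password[:8].ljust(8, b"\0") + struct.pack("<III", *dwords)


def parse_licence(blob: bytes):
    """Split the file as the program's zeroed 24-byte buffer would hold it."""
    if len(blob) > LICENCE_LEN:
        raise ValueError("licence does not fit the 24-byte buffer")
    blob = blob.ljust(LICENCE_LEN, b"\0")
    return blob[0:4], blob[4:24], blob[12:24]


def check_licence(blob: bytes, expected_hash: str, crypt_fn=model_crypt):
    """Return the key.txt path the program would request, or None if a check fails."""
    magic, password, last12 = parse_licence(blob)
    if magic != MAGIC:
        return None
    # crypt() receives a C string, so it stops at the first NUL within the 20 bytes.
    pw = password.split(b"\0", 1)[0].decode("latin-1")
    if crypt_fn(pw, expected_hash) != expected_hash:
        return None
    a, b, c = struct.unpack("<III", last12)
    return f"/{expected_hash}/{a:x}/{b:x}/{c:x}/key.txt"


def demo():
    """Why cracking the hash cannot reveal the URL: two licences sharing the same
    first 8 password bytes both pass the crypt check yet request different key.txt paths."""
    h = model_crypt("canyoucr", "hq")           # constructed hash; salt "hq" like the real one
    known = build_licence(b"canyoucr", (0xa3bfc2af, 0xd2ab1f05, 0xda13f110))
    other = build_licence(b"canyoucr", (1, 2, 3))
    return check_licence(known, h), check_licence(other, h)


if __name__ == "__main__":
    for path in demo():
        print(path)
```

Running `demo()` prints two paths that differ only in the three hex components: password bytes 8-19 never reach the hash, so a dictionary or brute-force hit on the hash fixes at most the first 8 bytes and says nothing about the 12 that build the URL, which is exactly why those values had to come from stages 1 and 2 instead.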

  6. #36
    Registered /usr
    Join Date
    Aug 2001
    Location
    Newport, South Wales, UK
    Posts
    1,273
    Ohhhhh.

I knew about that limitation in crypt (and its consequent effect on most password systems on websites worldwide), but I would always pull the thing apart before trying decryption methods; I can do the former more quickly. My fatal flaw, I guess.

    And for those lamenting their inability to work this puzzle, a suggestion: get better at debugging. If you can get to the stage where you understand what the computer sees in your own programs, you will get significantly better at programming (you can see code from the computer's perspective, so you can tailor it to that) and you could, if need be, take apart other programs (within legal restrictions of course, caveat emptor... )

  7. #37
VirtualAce (Registered User)
    Join Date
    Aug 2001
    Posts
    9,607
    And for those lamenting their inability to work this puzzle, a suggestion: get better at debugging.
There was far more than debugging required to solve this puzzle, so I fail to see how your suggestion relates. Most everyone got to the point of the assembly (especially after brewbuck's post) and realized it needed some data that just was not there. Fordy found that data in the image file and moved on from there. What impressed me most about the solution was all the JavaScript code in stage 2. Since I'm not an avid JavaScript guy, I doubt I could have moved past that part or have gone through the trouble to write all of it.

    Job well done to all who contributed and especially Fordy for the solution.
    Last edited by VirtualAce; 12-26-2011 at 11:42 AM.
