So, while browsing the internet I came across a challenge created by the NSA. It is basically a competition between universities to complete the most tasks. From what I can see this challenge was created back in 2013 and has been run annually ever since. I decided to take a shot at it.
The challenge is on a timer, but after the timer runs out you can still do the tasks. By the time I saw it the timer had run out. I'm still doing them.
The tasks revolve around a fictitious story of government networks being infected by new ransomware. Here is the text from the challenge:
A new strain of ransomware has managed to penetrate several critical government networks and NSA has been called upon to assist in remediating the infection to prevent massive data losses. For each infected machine, an encrypted copy of the key needed to decrypt the ransomed files has been stored in a smart contract on the Ethereum blockchain and is set to only be unlocked upon receipt of the ransom payment. Your mission is to ultimately find a way to unlock the ransomware without giving in to the attacker’s demands and figure out a way to recover all of the funds already paid by other victims. Are YOU up to the challenge? - NSA website link
I will split solving these into several posts, as each task requires quite a bit of work, except for the first one. Also, I present task 2 before task 1 since task 2 is easier.
In the first task, we are given a pcap file that shows the network traffic between a newly infected computer and a listening post. We are asked for the listening post's IP address.
Solution - We can use a program called Wireshark to parse the pcap file. It will look like this:
In the file, there is an exchange between two computers, 10.9.18.241 and 172.16.149.92. Because the infected computer has to initiate contact with the listening post, the first packet of the conversation must go from the infected computer to the listening post. A more reliable check than packet order alone is the TCP handshake: the side that sends the initial SYN (SYN set, ACK clear) is the client, and the destination of that SYN is the server. So the listening post's IP is 172.16.149.92.
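The same reasoning as a script, added here as an example and not part of the original post: a small pure-Python pcap reader that walks the capture and reports the destination of the first pure TCP SYN as the listening post. The pcap bytes are constructed in memory (a three-way handshake between the two addresses from the post), so the script runs offline; point `find_listening_post` at the bytes of a real file to use it on the challenge capture.

```python
"""Added example (not from the original post): find the listening post in a
pcap by locating the first TCP SYN. The infected host initiates the
connection, so the SYN's destination is the server side. The capture below
is constructed test data with the two addresses the post mentions; it is
not the challenge's real pcap."""
import socket
import struct

SYN, ACK = 0x02, 0x10


def _ipv4_tcp_frame(src_ip, dst_ip, sport, dport, flags):
    """Build a minimal Ethernet/IPv4/TCP frame (constructed test data, no checksums)."""
    eth = b"\x00" * 6 + b"\x00" * 6 + b"\x08\x00"  # dst MAC, src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap frames in a classic little-endian libpcap file (LINKTYPE_ETHERNET = 1)."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    body = b""
    for i, frame in enumerate(frames):
        body += struct.pack("<IIII", 1000 + i, 0, len(frame), len(frame)) + frame
    return header + body


def iter_packets(data):
    """Yield raw frames from a classic little-endian pcap blob."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap")
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from("<IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def parse_frame(frame):
    """Return (src_ip, dst_ip, tcp_flags) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 14 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:  # protocol field: 6 = TCP
        return None
    src = socket.inet_ntoa(ip[12:16])
    dst = socket.inet_ntoa(ip[16:20])
    flags = ip[ihl + 13]  # TCP flags byte sits at offset 13 of the TCP header
    return src, dst, flags


def find_listening_post(pcap_bytes):
    """Destination of the first pure SYN (SYN set, ACK clear) is the server side."""
    for frame in iter_packets(pcap_bytes):
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src, dst, flags = parsed
        if flags & SYN and not flags & ACK:
            return {"infected": src, "listening_post": dst}
    return None  # no handshake seen: direction cannot be asserted from this capture


# Constructed handshake between the two addresses from the post.
SAMPLE_PCAP = build_pcap([
    _ipv4_tcp_frame("10.9.18.241", "172.16.149.92", 40000, 443, SYN),
    _ipv4_tcp_frame("172.16.149.92", "10.9.18.241", 443, 40000, SYN | ACK),
    _ipv4_tcp_frame("10.9.18.241", "172.16.149.92", 40000, 443, ACK),
])

if __name__ == "__main__":
    print(find_listening_post(SAMPLE_PCAP))
```

If a capture starts mid-connection (no SYN at all), the function deliberately returns nothing rather than guessing from the first packet, which is the caveat to keep in mind when the "first packet" heuristic is used by hand.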
In task 2, we are given two Linux shared library binaries, a communications library (libclient_comms.so) and a cryptography library (libclient_crypt.so), both belonging to the ransomware. We are told that
Since OTP values are only valid for a narrow window of time, we can deduce that the ransomware must be generating the OTP value during the infection process and therefore the secret key must exist in the ransomware binaries.
The NSA recently released a reverse engineering framework with tools like the decompiler that we need. There are similar tools, like the Hex-Rays decompiler, but they are extremely expensive. The tool is called Ghidra and here is a link to it. Ghidra requires a Java Development Kit (JDK 11 or later), so make sure one is installed and on your PATH (or set in JAVA_HOME).
Since an OTP is more of a cryptography thing, I was sure it was in the cryptography library. My first thought was that it was stored as a string somewhere, so I opened it up in the decompiler and ran a string search.
Unfortunately, no string looked like a base32 key, which is the kind of string the challenge's input dialog wants (base32 uses only the characters A-Z and 2-7, so a key stored as a plain string stands out easily). In the Symbol Tree window there is a list of functions extracted from the binary.
After going through each function decompiled into C, I noticed that a lot of them come from the OpenSSL library or from the standard library, so we can safely ignore them. They include functions like HMAC, time, malloc, memcpy, free, calloc, EVP_sha1, etc. Plus, in a string search on all blocks the following string appears:
Here is a link to the list of functions in OpenSSL.
After going through each of the remaining functions that had more than a couple of lines of decompiled C (c_hh, cid, v_hh, get_totp_token, and the FUN_* functions), I found that FUN_00101930 has a suspiciously large run of consecutive local variable initialisations. This is the pattern a compiler typically emits for a constant byte array built on the stack rather than placed in .rodata, which is exactly why a string search does not find it.
After converting the hexadecimal values to ASCII:
4c 54 57 55 50 34 57 4e 49 48 45 5a 59 5a 56 34 59 58 59 4c 42 51 44 34 47 54 4a 52 5a 59 55 55
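The conversion and the follow-on check, added here as an example that is not part of the original post: the script decodes the bytes above as ASCII, verifies the result against the base32 alphabet, base32-decodes it to raw HMAC key bytes, and runs the key through RFC 4226 HOTP / RFC 6238 TOTP (the same HMAC-SHA1 primitives the library imports). The TOTP parameters (30-second step, 6 digits, SHA-1) are the RFC defaults and an assumption here; the post does not state what the ransomware's get_totp_token uses, so treat the generated code as an illustration rather than the challenge's answer.

```python
"""Added example (not from the original post): decode the stack bytes
recovered from FUN_00101930, check that they form a base32 secret, and
compute RFC 6238 TOTP from it. Step/digits/hash are assumed RFC defaults."""
import base64
import hashlib
import hmac
import struct
import time

# Byte values exactly as listed in the post, in the order they appear.
STACK_BYTES_HEX = ("4c 54 57 55 50 34 57 4e 49 48 45 5a 59 5a 56 34 "
                   "59 58 59 4c 42 51 44 34 47 54 4a 52 5a 59 55 55")

BASE32_ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567")


def hex_to_ascii(hex_text):
    """Join space-separated hex bytes into the ASCII string they spell."""
    return bytes.fromhex(hex_text.replace(" ", "")).decode("ascii")


def looks_like_base32_key(s):
    """True if the string uses only the base32 alphabet (ignoring '=' padding)."""
    body = s.rstrip("=")
    return len(body) > 0 and all(c in BASE32_ALPHABET for c in body)


def base32_to_key(s):
    """Decode a base32 secret to raw key bytes, restoring any stripped padding."""
    padded = s + "=" * (-len(s) % 8)
    return base64.b32decode(padded)


def hotp(key, counter, digits=6, digestmod=hashlib.sha1):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key, unix_time=None, step=30, digits=6, digestmod=hashlib.sha1):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    if unix_time is None:
        unix_time = int(time.time())
    return hotp(key, int(unix_time) // step, digits, digestmod)


if __name__ == "__main__":
    secret = hex_to_ascii(STACK_BYTES_HEX)
    print("decoded:", secret)
    print("base32?:", looks_like_base32_key(secret))
    key = base32_to_key(secret)
    print("key length:", len(key), "bytes")
    print("TOTP (assumed 30s/6-digit/SHA-1):", totp(key))
```

The 32 base32 characters decode to exactly 20 bytes, the natural size of an HMAC-SHA1 key, which is a useful sanity check that the extracted bytes are complete and in the right order. The HOTP/TOTP routines are checked against the published RFC 4226 and RFC 6238 test vectors so that a wrong truncation or counter encoding would show up immediately.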