<h1>GCHQ Challenge Solution – Stage 3</h1>
<p>Posted 2011-06-09 on piratesecurityblog.com (<a href="http://piratesecurityblog.com/?p=24">http://piratesecurityblog.com/?p=24</a>), last modified 2016-09-28.</p>
<p>The final stage of the GCHQ challenge was a small (5 kB) x86 Windows/Cygwin binary. Analyzing it in IDA Pro, I could see that it expects a 24-byte license file with the following format:</p>
<pre><code>"gchq"            : Static header
Password          : Eight-character password, matching the DES hash hqDTK7b8K2rvw (hq = salt)
Key from stage 1  : 32-bit value
Keys from stage 2 : Two 32-bit values
</code></pre>
<p>The above could be deduced from the following reverse-engineered code:</p>
<pre><code>/* license_buf holds the 24-byte license file as six 32-bit words;
   bytes 4..11 (words 1 and 2) are the eight-character password. */
        if (license_buf[0] == 0x71686367) { /* 67 63 68 71 = "gchq" (little-endian) */
                /* the stored hash doubles as the salt: DES crypt() only reads its first two chars ("hq") */
                hash = crypt((char *) &amp;license_buf[1], "hqDTK7b8K2rvw");
                if (! strcmp(hash, "hqDTK7b8K2rvw"))
                        success = 1;
                printf("loading stage1 license key(s)...\n");
                keys[0] = license_buf[3];
                printf("loading stage2 license key(s)...\n");
                keys[1] = license_buf[4];
                keys[2] = license_buf[5];
        }
</code></pre>
<p>If a valid license is found, it calls a function that requests the following URI from the specified host (which should obviously still be www.canyoucrackit.co.uk): /hash/A/B/C/key.txt</p>
<p>Where:</p>
<ul>
<li>A = 32-bit hex key from stage 1</li>
<li>B = 32-bit hex key #1 from stage 2</li>
<li>C = 32-bit hex key #2 from stage 2</li>
</ul>
<p>Note that the hash itself is used in the URI, not the password that corresponds to it. This is misdirection again, intended to waste the time of anyone who didn’t bother to actually understand the code.</p>
<p>It’s now clear that we need two 32-bit values that somehow relate to stage 2, and the so-called “firmware” array is a rather obvious choice: it consists of two 32-bit values, and it wasn’t used in the stage 2 challenge itself. We also need one 32-bit value from stage 1. Remembering that the payload actually starts with a “useless” jump over four bytes (i.e. a 32-bit value) that are never used in any way, this is quite an obvious choice as well.</p>
<p>This gives us the following URL:<br />
<a href="http://www.canyoucrackit.co.uk/hqDTK7b8K2rvw/a3bfc2af/d2ab1f05/da13f110/key.txt">http://www.canyoucrackit.co.uk/hqDTK7b8K2rvw/a3bfc2af/d2ab1f05/da13f110/key.txt</a></p>
<p>Which contains the following key:<br />
Pr0t3ct!on#cyber_security@12*12.2011+</p>
<p>When entering the correct keyword, we get this page:<br />
<a href="http://www.canyoucrackit.co.uk/soyoudidit.asp">http://www.canyoucrackit.co.uk/soyoudidit.asp</a></p>
<p>“So you did it. Well done! Now this is where it gets interesting. Could you use your skills and ingenuity to combat terrorism and cyber threats? As one of our experts, you’ll help protect our nation’s security and the lives of thousands. Every day will bring new challenges, new solutions to find – and new ways to prove that you’re one of the best.”</p>
<p>Interestingly, the salary for the “Cyber Specialist” position at GCHQ is £25,446 for a GC10 (Executive Officer) and £31,152 for a GC9 (Higher Executive Officer). Comparing this with salaries in the corporate world makes it quite clear why GCHQ has to try so hard to find competent people to recruit. After all, for people with skills there are lots of opportunities for interesting work with a much higher paycheck. For juniors with potential but no real experience, it might be an interesting opportunity though. I’m sure that the work can be quite stimulating. 🙂</p>