For Task 3 the server component (that the client from Task 2 would communicate with) is provided, along with an encrypted key. The goal of the task is to decrypt the key.
Task 3 – Disarm Capability, Part 1
Thanks to your hard work we were able to eventually geolocate the device and work with military partners to retrieve the system for further analysis. It turned out to be a test system that one of the IED developers had been using in lieu of a live device. We provided the system to a team of software reverse engineers and their preliminary assessment is that we have a fully functional copy of the IED software, a key file, and a dummy driver that emulates the various IED states. Analysts believe that this key file contains the information needed to authenticate to a real IED (somewhere in the field) and send commands to it. Presumably this test system was used to validate the software and key file before it was deployed to an actual IED. Since the key file appears to be encrypted, we are going to need your help to figure out a way to decrypt it. This should enable us to disarm the fielded IED that uses this key, though we will still need to figure out exactly how it is being used for authentication (next task). The goal of this task is for you to obtain the decrypted contents of the key file.
Having the client and server communicate is fairly straightforward. The server is started with the encrypted key file and waits until a client connects.
By default, the client tries to connect to a server running on the localhost. It then waits for your input, but that’s for a later task.
The encrypted key file, 559018485.key.enc in my case (each user’s problems were slightly different), is a 256 byte file. A quick peek at its contents revealed very little.
Since this key must be decrypted to be used, the obvious place to start looking was the server executable. Taking an educated guess, I opened the file in a hex editor and searched for “==”. RSA private keys are base64 encoded and their length often dictates they end with the double equal sign for padding. Turns out this was correct.
This was also really easily found using IDA.
The key in all its glory:
-----BEGIN RSA PRIVATE KEY----- MIIEpAIBAAKCAQEAybhaURwzV74sQlxNInRVIHRgc45MZBoN6uBVeclxWxNX8vHk Kt5Wic2pp55+iXyTN8lFnl5lA5TrrkogGkgc4wQcYfGMcJQ+0c26lCJoolPhUqmp jWYGsSlfu0tvI6AcWDK44JSCKsSGrjBXGw5zhXiSX3aFsveWUrp1UJR9G7pmoUK2 noBLU3govRHvGBw3Y/fxa6O+qiU6M1O6Qe5uLnYq626mcqo8JtUXnfBplwRXW1nZ SqC6ob5zTqIZRN0o5a4I46/HOaAwEhWJdR2ZRFtiudfaHEEpKsxxgdBfBtX6loM2 Veqc8z2EKxyKG7Oa16JWSZGaAv/9wzoAP8oWzwIDAQABAoIBAFOn47TdmCFcWeiP dOHEEwWpndJughnFgF4W+PvP4fXeWMwFKxXoLUVrCF/eaCXGhxtMmlWqWgQZP4CB dzzPCUPQkaDA1vhdUowZ4LXMa05esQRiHlHorP/N48i96PKCVR7ysh9ZF357EEuu +oDbBmek8Dcs5ReqfCoE7+AiJJxZfVoitf4sAKLXp8vFLhWKvwAAbXU53v7X9FpF 6gDcB6AyJFCu0jvr3l1YOh/oGvZD/J+KrEeqG7zU0wMCP123GlZnXzbzVA8aX38f yNgHSk1JD7A2ZjqH6BNssBGKoFKBNkOTVatFTXzYzFpo+afm+Q42RUr6k8QGe8qv Zl1Qy8ECgYEA9mYibavs+dvFIKcJtICAPxxlTyqSmpE0IjFn9bw6eBQ7uWORPPXF Idy8AzGbhHb2R8Jf0dzU/SQjc09nNg7hx+Na+5ynp52J9cXM/NR+Acw1UmzEt2s7 aaz9L7csVwjgo+PiWipU0FSKmr5ghb3YijvRSq1E8Y5oV9sbvm3HD2ECgYEA0ZSK WfzaB1wslnD99D56f7fhoH7+eGtZcghSyl09DQRP+HgwuWbCXNLRsqlnCY33VXaH SbnvicVy1rScJ4cJqsibeBFFrUIv/hii2/52yQlK6UQY+wdRgk/KWFRD4gqfNpJJ g9edXXR9TmKr/DhmU2NMnkzes92aVY+Ml1t4xC8CgYEAglowFpMg8GJK3GZiJQLi VgEAu6wLGQh+ayR2GjO1Pvd9TSuWl4hx/OMY+BuTabXBvt7e8FiCuVUYCBXWxWuE GMp3xKrwqyUV6lb1hkAoVW0iPHPcciihqttgqpCePYEtzqZthkPk0L4ZAZp71+VC nIbex0H5Ok2bd/crq0fKSqECgYEAve0N3/TrpOXcJk2pZrFEFAAQwYC0nW4zNcrj NC6AyA4TZsmM5keAddw7Wtx32snDzbhHbAHLWSANLROpu4x9rz5y3cFRUmz7zxqG ZDVbcl4we+pRdRQxwpUKezeJ+QvFMxAo/QjlvC537BQxZbW6zXDcm0xwObHmTglz 0Cp969MCgYBAAe2O7li+npOF1BFJt4AeMu5AQGJOzJVScjhsJ0j65FflTh7INHrc KiBH2U/TxFJrPDkzZPNpQbDzFv/kZzp1E4X02UZ68lkOVsVlac3jaUGYDt3rDhCm C/GGMYe7H3Zy5Ygtczxl/tmXm1jHSPAnsEnjjOqS4uxButoWLWsZDw== -----END RSA PRIVATE KEY-----
I was also able to easily find the public key in IDA when examining the client executable.
-----BEGIN PUBLIC KEY----- MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAybhaURwzV74sQlxNInRV IHRgc45MZBoN6uBVeclxWxNX8vHkKt5Wic2pp55+iXyTN8lFnl5lA5TrrkogGkgc 4wQcYfGMcJQ+0c26lCJoolPhUqmpjWYGsSlfu0tvI6AcWDK44JSCKsSGrjBXGw5z hXiSX3aFsveWUrp1UJR9G7pmoUK2noBLU3govRHvGBw3Y/fxa6O+qiU6M1O6Qe5u LnYq626mcqo8JtUXnfBplwRXW1nZSqC6ob5zTqIZRN0o5a4I46/HOaAwEhWJdR2Z RFtiudfaHEEpKsxxgdBfBtX6loM2Veqc8z2EKxyKG7Oa16JWSZGaAv/9wzoAP8oW zwIDAQAB -----END PUBLIC KEY-----
After saving the private key to a file, it could then be used to decrypt the encoded key file:
openssl rsautl -decrypt -in 559018485.key.enc -out 559018485.key -inkey private.key
The decrypted key file’s contents:
otpauth://totp/559018485?secret=Z5ELZYDJ2ZSTXMXCEIQLETFWS25AGZVWOGTEDUEOWB4JFALL5RAQ