Solving the 2016 NSA Codebreaker Challenge – Task 1

The first task was pretty straightforward. A client binary was provided, and some information about it was requested.

Task 1 – Information Gathering and Triage, Part 1

A military organization captured a laptop of a known explosives expert within a terrorist organization. Further analysis revealed that the laptop contained a debug version of the remote client interface that the individual used to communicate with the IEDs. To help detect other client programs in use, we are cataloging binary signatures and basic network signatures for every version of the IED software we find. To support these efforts, your task is to compute the SHA256 hash of the client binary and identify the source and destination TCP ports that it uses when connecting to an IED.

The client binary was provided as both a Windows and a Linux binary. There are a couple of ways to generate the SHA256 hash of the client binary. On Linux:

[Screenshot of the Linux hash output; caption: "Pretty simple"]

On Windows, I’m sure there’s a nice little tool to do this somewhere, but I just went to a website that generates SHA256 hashes of files. Its output:

b164ee31329cde673a87d811f3bd4316c26b9ddd577387f4344db7481cbfdafc

The second part of Task 1 was to supply the ports the client binary used to communicate. There’s likely a better way to do this, as my method was pretty mundane. First, I ran the client:

[Screenshot; caption: "client.exe output"]

Then I opened it in a hex editor and started looking for interesting strings. I started with a search for the string that had been output when it ran and was fortunate enough to find some really helpful text.

[Screenshot of the hex editor; caption: "Helpful Text"]

Not only are some commands specified, but it clearly had the ability to output the ports it utilized. Running client.exe with the -d option, we found the ports we were looking for.

[Screenshot of the -d output; caption: "-d for debug?"]
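The two triage steps above (hashing the binary for a signature catalog, then pulling printable strings out of it to find usage text and debug options) can be scripted so they run the same way on Linux and Windows. The following is an added example and not part of the original write-up; it works on a small constructed byte blob that stands in for the client binary, and the usage text embedded in it is invented for illustration.

```python
import hashlib
import re

# Constructed sample "binary": non-printable filler around two embedded ASCII
# strings. This is NOT the challenge's client binary; the text is made up.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"Usage: client [-d] <ied-host>\x00"
    + b"\x90\x90\xcc\x00"
    + b"-d  print debug info (ports, commands)\x00"
    + b"\xde\xad\xbe\xef"
)


def sha256_hex(data: bytes) -> str:
    """SHA256 of raw bytes as the lowercase hex digest a signature catalog stores."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str) -> str:
    """Same digest for a file on disk, streamed so large binaries are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Minimal stand-in for the `strings` tool: runs of printable ASCII >= min_len bytes."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def find_interesting(strings, keywords=("port", "debug", "usage", "-d")) -> list:
    """Keep only strings that hint at usage text, debug switches or port handling."""
    kws = [k.lower() for k in keywords]
    return [s for s in strings if any(k in s.lower() for k in kws)]


def triage(data: bytes) -> dict:
    """Hash plus string sweep: the two Task 1 steps in one report."""
    strs = extract_strings(data)
    return {"sha256": sha256_hex(data), "strings": strs, "interesting": find_interesting(strs)}


if __name__ == "__main__":
    report = triage(SAMPLE_BINARY)
    print("sha256:", report["sha256"])
    for s in report["interesting"]:
        print("  ", s)
```

To run it against a real file, call `sha256_file(path)` and `triage(open(path, "rb").read())`; the keyword list is only a starting point, and the strings it surfaces still have to be confirmed by running the binary, as the write-up does with -d.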

And with that, both parts of Task 1 were completed and it was on to Task 2.
