2016 was the 4th year the NSA ran its Codebreaker Challenge. It’s targeted at US college students, but anyone with a .edu email address at their disposal can join in the fun. Each year they have a series of challenges based on a unique scenario. This year the challenges revolved around remotely controlled IEDs.
Terrorists have recently developed a new type of remotely controlled Improvised Explosive Device (IED), making it harder for the U.S. Armed Forces to detect and ultimately prevent roadside bomb attacks against troops deployed overseas. The National Security Agency (NSA), in accordance with its support to military operations mission, has been asked to develop capabilities for use against this new threat. This will consist of six tasks of increasing difficulty, with the ultimate goals of being able to disarm the IEDs remotely and permanently render them inoperable without the risk of civilian casualties.
To accomplish this, there were six different tasks to be completed. The tasks were progressively harder and built upon the techniques discovered in the previous tasks:
- Task 1: Compute a hash and identify IED network ports
- Task 2: Refine IED network traffic signature
- Task 3: Decrypt IED key file
- Task 4: Disarm an IED with the key
- Task 5: Disarm any IED without a key
- Task 6: Permanently disable any IED – Part 1
- Task 6: Permanently disable any IED – Part 2
This was the first year I competed in this challenge and was able to work through five of the six tasks. The sixth task was quite difficult, with only 15 people successfully completing it. I think I came close on it, but ran out of time at the end.
The task names above will link to a breakdown of each task once those posts are live, including what worked and, just as importantly, what didn’t. For Task 6, I’ll detail what I had discovered thus far and will update that post with an explanation of the solution once the NSA publishes it in the coming weeks.
Really nice writeup. Any thoughts on the sixth task?
My first thought: it was really tough! 🙂
I have some notes on it that I’ll probably write up late tonight. I discovered a couple of things that I think were steps toward solving it. One of them was the raw command values that you could use with the client instead of the plaintext commands (disarm, arm, etc.), which gave you the additional ability to pass some hex values to the server. Using that I found a buffer overflow, but exploiting those is really outside of my wheelhouse. I could also have been chasing a ghost. I’m really curious how the 15 people were able to solve it, but no one has posted anything that I’ve seen.
The raw commands. They move through the code as hex, but the client wants them as ints:
- 0BE35C05 – 199449605
- 0BE35C04 – 199449604
- 0BE35C03 – 199449603
- 0BE35C02 – 199449602
- 0BE35C01 – 199449601