Cyber Security Challenge – Step By Step

OK, here is a slightly more detailed review of the steps I took while solving the Cyber Security Challenge UK. I believe the post is not too long, so there is a chance you will have some fun with it anyway. :) OK, here we go.

The challenge consisted of 3 stages, and each stage was more complex than the previous one.

STAGE 1

This one was rather simple. The starting page contained a block of code that looked like this:

Here is the [full code].

It was quite clear that this was base64-encoded "something". :) A quick look at the first couple of decoded bytes clearly suggested an image. Even more: a JPEG!

A small conversion tool had to be crafted quickly, and in a couple of minutes I had this nice picture:

It looks quite cool and funny, and at first I thought the game was over, but ah..., obviously I was very wrong...

STAGE 2

It was not difficult to notice that the border of the image looked strange and familiar at the same time. There was nothing to think about, and the first thought was right: yes, this is some kind of binary code.

Immediately, another small script was written to convert pixel values into their binary representation (pixel_value = (r+g+b) div 3; if pixel_value < 127 the output is 0, otherwise the output is 1). Here is a converted sample fragment of the data from the top row:

0100001101111001011100100110111001100110011100100010000001110011011...

See the [full code].

Now the next logical question is: what kind of data encoding technique is used? Let's check the size of the image: it's 350 x 175 pixels. Interesting... Strangely, the first thing I noticed was that both the width and the height divide nicely by 5:

350 / 5 = 70

175 / 5 = 35

By the way, do you know any weird code which operates on 5-bit values? Of course you do: it's the Baudot code. I wrote a small script which converted 5-bit binary groups to the target letters according to this scheme:

I was really disappointed after testing this hypothesis. The time was spent and there was not a shadow of any sensible text. :( Why was I stuck here? Are there any other encodings? Could it be an 8-bit code? LOL, this looks interesting! Now we have to find out the correct direction for reading the data. Experimentally it was found that the right direction was clockwise, starting from the top-left corner (I discovered that the same sequence of characters was repeated twice).

This is what was found:

cyrnfr sbyybj guvf yvax uggcf://plorefrphevglpunyyratr.bet.hx/834wgc.ugzy

And this uggcf:// was somehow veeeeeery familiar to me. ;) OK, if this uggcf:// becomes https:// and I am following the right direction, the cipher would look like this:

Do we know this cipher? Of course we do: this is the so-called ROT13 substitution cipher.

So after decoding, our secret message revealed the following:

please follow this link https://cybersecuritychallenge.org.uk/834jtp.html

Cool. So this is not the end of the game yet...
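As an added example (not the author's script), here is the border decoding from this stage in Python: the post's threshold rule, the clockwise walk from the top-left corner, regrouping into 8-bit values and ROT13. The challenge image is not reproduced here, so a test image is constructed by writing the ROT13 link text along the border of a 200 x 100 grid.

```python
import codecs

# Constructed colours for the border pixels (the challenge image is not on the page)
DARK, LIGHT = (0, 0, 0), (255, 255, 255)


def pixel_bit(rgb) -> str:
    """The post's threshold: (r+g+b) div 3 below 127 is a 0, otherwise a 1."""
    return "0" if sum(rgb) // 3 < 127 else "1"


def border_coords(w: int, h: int):
    """(row, col) of every border pixel, clockwise from the top-left corner."""
    return ([(0, x) for x in range(w)]                     # top row, left to right
            + [(y, w - 1) for y in range(1, h)]            # right column, downwards
            + [(h - 1, x) for x in range(w - 2, -1, -1)]   # bottom row, right to left
            + [(y, 0) for y in range(h - 2, 0, -1)])       # left column, upwards


def decode_border(pixels) -> str:
    """Threshold the border, regroup the bits as 8-bit bytes, then undo ROT13."""
    h, w = len(pixels), len(pixels[0])
    bits = "".join(pixel_bit(pixels[y][x]) for y, x in border_coords(w, h))
    # A perimeter is rarely a multiple of 8: the leftover bits are dropped.
    raw = "".join(chr(int(bits[i:i + 8], 2)) for i in range(0, len(bits) - 7, 8))
    return codecs.decode(raw.rstrip("\x00"), "rot13")  # drop the 0-bit padding


def make_border_image(message: str, w: int, h: int):
    """Constructed test image: ROT13(message) written as 8-bit groups along the border."""
    bits = "".join(f"{ord(c):08b}" for c in codecs.encode(message, "rot13"))
    coords = border_coords(w, h)
    if len(bits) > len(coords):
        raise ValueError("message does not fit on the border")
    bits = bits.ljust(len(coords), "0")              # unused border pixels stay dark
    img = [[(128, 128, 128)] * w for _ in range(h)]  # grey interior, never read
    for (y, x), bit in zip(coords, bits):
        img[y][x] = LIGHT if bit == "1" else DARK
    return img


if __name__ == "__main__":
    link = "please follow this link https://cybersecuritychallenge.org.uk/834jtp.html"
    print(decode_border(make_border_image(link, 200, 100)))
```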

STAGE 3

After navigating to the provided URL, I found another encrypted text:

Here is the [full code].

1000 characters in [0..F] - well, that looks like 500 hex-encoded bytes to me. And obviously it is not plain text. So let's test the hypothesis that we are dealing with:

  • text which is written in English (quite obvious)
  • text which may have spaces as word dividers (why not?)
  • some kind of monoalphabetic substitution cipher (let's start with something simple)
  • the full charset (all values from 0 to 255)

To play with ciphers of this kind I wrote a small application called Solver, which literally allows you to "solve" or discover substitution cipher rules much quicker than with pen and paper. You can do it pretty much visually. See this:

Input: a plain text file with the list of decimal values of all bytes, one value per row.

104
237
205
236
78
44
142
...

Once the data is loaded into the program, this is what we initially see:

Left table (Source data): the source data itself. Each source byte has a corresponding value (currently empty) and a unique colour code (based on the byte value). The colours help to locate identical letters quicker and to discover (potentially existing) hidden patterns faster.

Middle table (Statistics): the character frequency table. The calculations are based on the source table. We can see, e.g., that the most frequent byte is [4]. We can edit the cells in the "Value" column, and the changes automatically propagate everywhere.

Result /text field/: This is where our output text will appear. For now it is empty.

Selection /text field/: Here we see more information about the characters which are selected (highlighted) in the "Result" field. Selection is made with the mouse: click and drag.

OK, let's assume that the most frequently used character is a space. We also remember that the text is written in English, so the character frequencies should match some well-known standards [Classical Cryptography Course, by Lanaki, September 27, 1995]. Let's play with it. Double-click the cell in the "Value" column in the row to the right of byte [4], press the space bar and <ENTER>. You will see nothing in this cell, but you have entered a space character and it is still there. You will see that the row is now highlighted (let's call it "solved"), and the corresponding rows of all instances of byte [4] in the "Source data" table are also immediately highlighted. Spaces are also automatically inserted into the corresponding places in the "Result" text field. It looks much more like text now.

You've got the idea how it works, right? Now we may enter values for the other characters, and the changes will be immediately reflected in the "Source" table and in the "Result" field. The methodology you use for picking the right characters is entirely up to you (depending on how advanced you are in cryptography and/or how lazy).

Another nice feature: it is also possible to highlight a fragment of the text in the "Result" field. Then you can see the contained characters and the missing values in the "Selection" field. See this example:

The word "__rson" is selected. It is clear that this would most likely be "person". In the "Selection" field we see the corresponding characters from our "Source" table:

14(0E)=? 172(AC)=? 78(4E)=r 110(6E)=s 237(ED)=o 205(CD)=n

Characters with question marks are not solved yet. So now we know that

[14] = p

[172] = e

Let's enter those characters in the "Statistics" table and see what happens.

This way you may play with the tool again and again until you find the right combination for as many characters as you can. :)

When you have collected enough data and want to take a broader look (yeah yeah, the "big picture"), you may export the tables to a CSV (tab separated) file and open it, for example, in Excel (see sample file). Now you can build the reference table between the real character code and the encrypted one. This is an important step, because we can check: are we dealing with a cipher or a code? It is also a good time to look for rules and hidden patterns (and to correct the inevitable mistakes you made during your manual processing). Look at this example (fragment):

104	C	67	-37
237	o	111	-126
205	n	110	-95
236	g	103	-133
78	r	114	36
44	a	97	53
142	t	116	-26
174	u	117	-57
141	l	108	-33
44	a	97	53
142	t	116	-26
45	i	105	60
237	o	111	-126
205	n	110	-95
...

Take a look at the first character: "C".

Encrypted byte (104) - character (C) - real ASCII value (67) - difference (-37).

Now sort the entire table of all the characters we have discovered by the third column (ascending) and build a chart of the "difference" column (we are still in Excel).

There must be some kind of rule in it; you can see it now!

And this is the time when we may try to play with bits. Look at this:

Character "C" encrypted: 104 -> 01101000
Character "C" decrypted:  67 -> 01000011

Character "o" encrypted: 237 -> 11101101
Character "o" decrypted: 111 -> 01101111

So the rule is actually quite simple. Once it is known, we can write another small script which will shift the bits of every source character. So now we have the final message revealed:

Congratulations – you’ve found and completed the REAL challenge. Your win code is cyb3r=s3cur1ty*ch@ll3nge+26-07-2010.

Please email this code to our team at media@cybersecuritychallenge.org.uk. If you’re the first person to do so, and can prove you meet the eligibility criteria (British citizen currently resident in the UK) we will be in touch to advise how to claim your prize. Well done and good luck in the Cyber Security Challenge competitions taking place throughout the rest of the year.
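The rule behind the table, worked through in Python as an added example (not the author's script): the encrypted/decrypted bit patterns above are a rotation rather than a plain shift, since the bits that leave one end reappear at the other. The known pairs from the table pin the rotation down uniquely, and the same function then decrypts a sample ciphertext; the sample is constructed here, as the challenge text itself is not reproduced in the post.

```python
from collections import Counter

# Known (encrypted byte, plaintext character) pairs copied from the
# reference table in the write-up.
KNOWN_PAIRS = [(104, "C"), (237, "o"), (205, "n"), (236, "g"), (78, "r"),
               (44, "a"), (142, "t"), (174, "u"), (141, "l"), (45, "i")]


def rotl8(value: int, n: int) -> int:
    """Rotate an 8-bit value left by n positions; the top bits wrap around."""
    n %= 8
    return ((value << n) | (value >> (8 - n))) & 0xFF


def find_rotation(pairs) -> int:
    """Return the single left-rotation amount that maps every encrypted byte
    in `pairs` to its plaintext character; raise if the pairs are ambiguous."""
    candidates = [n for n in range(8)
                  if all(rotl8(enc, n) == ord(plain) for enc, plain in pairs)]
    if len(candidates) != 1:
        raise ValueError(f"no unique rotation explains the pairs: {candidates}")
    return candidates[0]


def decrypt_hex(cipher_hex: str, rotation: int) -> str:
    """Hex-decode the 500-byte style input and undo the rotation on each byte."""
    data = bytes.fromhex(cipher_hex)
    return bytes(rotl8(b, rotation) for b in data).decode("ascii")


def encrypt_text(plain: str, rotation: int) -> str:
    """Constructed sample data only: apply the inverse rotation and emit hex."""
    return bytes(rotl8(ord(c), 8 - rotation) for c in plain).hex()


def most_frequent_byte(cipher_hex: str) -> int:
    """The frequency check from the Solver step; for English text this is
    the encrypted space, which under this rule is byte [4] as in the post."""
    return Counter(bytes.fromhex(cipher_hex)).most_common(1)[0][0]


if __name__ == "__main__":
    rot = find_rotation(KNOWN_PAIRS)
    sample = encrypt_text("Congratulations you found the real challenge", rot)
    print(rot, most_frequent_byte(sample), decrypt_hex(sample, rot))
```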

It was great fun for me indeed, and well, I am looking for new challenges now! :)
