Last year I had a go at the GCHQ hacking challenge and managed to solve it, so when a colleague informed me that there was a new challenge I thought I might give it a shot if I found some time.
The first step is to figure out what the data on the website is. The payload is as follows:
AWVLI QIQVT QOSQO ELGCV IIQWD LCUQE EOENN WWOAO
LTDNU QTGAW TSMDO QTLAO QSDCH PQQIQ DQQTQ OOTUD
BNIQH BHHTD UTEET FDUEA UMORE SQEQE MLTME TIREC
LICAI QATUN QRALT ENEIN RKG
The first thing I did was to paste this into HXD and remove the spaces (which I suspected were just there to break up the structure of the message). I generated a histogram of the bytes and it looked like this.
Apart from the anomalous ‘Q’, the distribution of the letters is basically consistent with average English, implying that the message has not been subject to a substitution cipher or Caesar shift (or any variant thereof) and is probably just transposed. At that point I looked at the length of the payload, 143 bytes (which has obvious factors); arranging the characters in this configuration yielded the following:
Substituting the Q for a space or . gives the sentence:
The URL embedded in Turing’s quote is the start of the second phase of the challenge, with “turing” an obvious candidate for the first of the five answers.
You’re presented with an RSA key.
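The first-stage analysis described above, as an added Python example (not code from the original post): it counts letter frequencies, lists the rectangles that fit the 143-character payload, and reads each one out column by column. The function names are made up for this illustration, and treating Q as the word separator is the assumption taken from the histogram.

```python
from collections import Counter

# Payload copied from the challenge text above (spaces are only grouping).
PAYLOAD = (
    "AWVLI QIQVT QOSQO ELGCV IIQWD LCUQE EOENN WWOAO "
    "LTDNU QTGAW TSMDO QTLAO QSDCH PQQIQ DQQTQ OOTUD "
    "BNIQH BHHTD UTEET FDUEA UMORE SQEQE MLTME TIREC "
    "LICAI QATUN QRALT ENEIN RKG"
).replace(" ", "")


def histogram(text):
    """Letter counts, most common first (the hex-editor histogram step)."""
    return Counter(text).most_common()


def grid_shapes(n):
    """Every (rows, cols) rectangle that holds exactly n characters."""
    return [(r, n // r) for r in range(2, n) if n % r == 0]


def read_columns(text, rows, cols):
    """Write text row by row into a rows x cols grid, then read it by column."""
    grid = [text[i * cols:(i + 1) * cols] for i in range(rows)]
    return "".join(grid[r][c] for c in range(cols) for r in range(rows))


def solve(text, filler="Q"):
    """Try each rectangle; map shape -> candidate with filler shown as a space.

    Assumption: the over-represented letter (Q here) stands in for spaces.
    """
    return {
        shape: read_columns(text, *shape).replace(filler, " ")
        for shape in grid_shapes(len(text))
    }


if __name__ == "__main__":
    print(histogram(PAYLOAD)[:5])
    for shape, candidate in solve(PAYLOAD).items():
        print(shape, candidate)
```

Only one of the two candidate grids reads as English, which is how the correct factor ordering is picked.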
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
The key is base64 encoded (the equals sign as padding gives that away). If you decode it you get what looks mostly like a load of crap, except there is some text that kinda looks like a URL in there:
I was actually able to just read it by looking at it; you can kind of read the words, but while writing this I tried to work out how you would explain to someone how to read it, so it’s just pairs of letters switched around, think 16bit endianness-style.
Of course, “bletchley” is the second answer. I’m starting to see a pattern here. Before I began the next section I tried a few keywords in the answers boxes, “tunny”, “tutte”, “enigma” and even “entscheidungsproblem” all yielded nothing. “Colossus” on the other hand was the answer to Step 4. I thought this sort of obvious pattern actually spoilt the puzzle somewhat, but ah well. I carried on.
At stage 3 you are met with the following sequence:
I tried all sorts for this one, disassembling it, checking various hashes, looking for patterns which would generate bits for the gaps on the last line, after about 30 minutes of fail I wondered if you were supposed to decrypt it with the key you were given in Step 2.
I used OpenSSL to take a closer look at the key we are given in Step 2.
C:\OpenSSL\bin>openssl pkey -in comp1.key -text
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
Private-Key: (1022 bit)
publicExponent: 65537 (0x10001)
If I hadn’t been lazy, I’d have probably noticed the URL for step 3 staring right at me in the prime 2 chunk. Anyway, the bits that are of interest are the public modulus and the public/private exponent. Plug these values into your favourite decrypt tool and feed it the payload from the Step 3 webpage and you get:
20 20 20 20 20 20 20 20 77 77 2E 77 68 74 72 65 67 65 73 69 65 74 2E 72 6F 63 75 2E 2F 6B 6E 65 67 69 61 6D 30 32 33 31 20 20 20 20 20 20 20 20
After applying the same 16bit endian swapping you get the URL:
This means answer 3 is “enigma2013”.
Okay, so it’s actually a picture of the Colossus computer. I was actually fortunate enough to see the working replica running at Bletchley Park a year or so ago, so recognised it immediately. Sadly, that doesn’t help me get the URL for Step 5, well I know what the folder will be, but not the domain. Time to take a deeper look into the image…
First of all I checked exif data, nothing interesting there. I tried decompressing the image with djpeg, again, this yielded nothing interesting. I then opened up the JPEG file in a hex editor and searched for the word colossus (and byte-swapped versions thereof)… Nothing.
After some time skimming through the JPEG file I found what looked like a second header. I cut and paste that data into a new file in HXD and saved it. A thumbnail was immediately generated in explorer, double clicking the file revealed this guy hiding all along:
So my answer was correct, but now I knew the URL of the 5th and final stage.
Step 5 is a bit disappointing, I get the feeling they couldn’t be arsed at this point, it just bloody tells you the answer.
It turns out to be: “Secured”
Ah well. Bit of an anti-climax.
Maybe I’ll post on the blog again in 12 months’ time.