NSA Codebreaker Challenge 2025

Multi-Stage Cybersecurity Investigation — All 7 Tasks Completed

Volatility 3 · Ghidra · Binary Ninja · Wireshark · tshark · GDB · Python

Overview

The NSA Codebreaker Challenge is an annual multi-stage cybersecurity competition run by the National Security Agency. Each task builds on the previous, requiring skills across digital forensics, network forensics, memory forensics, malware analysis, cryptanalysis, vulnerability research, and exploitation. Completing all 7 tasks places participants in a small group of top finishers nationally.

The 7 Tasks

Task 1 — Digital Forensics

Mounted and analyzed a zipped .ext2 filesystem image; analyzed bash history and system logs to identify malicious file installations and reconstruct the full attack timeline.

Task 2 — Network Forensics

Analyzed a 2344-packet PCAP using Wireshark/tshark; discovered DNS poisoning through router configuration correlation; identified malicious device IPs (127.4.1.3, 192.168.3.254, 192.168.5.1).

Task 3 — Memory Forensics

Built a custom Volatility profile using dwarf2json from a kernel image (System.map/vmlinux) for an OpenWrt router; analyzed a memory dump using Volatility and the crash utility; reverse-engineered an obfuscated binary using Ghidra/Binary Ninja to reveal a base64-encoded, encrypted DNS poisoning configuration not present on disk.

Task 4 — Malware Analysis

Bypassed multi-layer anti-debugging protections (ptrace checks, sigaction signal handlers, /proc/self/status parsing); extracted a nested ELF from memfd; reverse-engineered an obfuscated dropper; broke AES-128-ECB + RSA + RC4 encryption; recovered C2 server details and the malware's persistence mechanism.

Task 5 — Cryptanalysis

Identified a critical weakness in key generation (26-bit effective entropy despite 128-bit keys); performed a parallelized dual-layer AES-128-ECB brute-force attack (~67M keys, ~5 min); decrypted captured C2 traffic from PCAP; recovered the Mattermost C2 URL.

Task 6 — Vulnerability Research

Identified an authentication flaw in Mattermost bot channel creation logic; mapped the channel access graph via DFS to discover a privilege escalation path; gained access to adversary C2 infrastructure.
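The channel-access mapping in Task 6 is the same reachability question an access-review tool asks from the defender's side: starting from a low-privilege channel, which restricted channels can a principal eventually reach by chaining "membership here lets you join there" rules? The following Python is an added illustration, not code from the write-up or from Mattermost; the channel names, the edge semantics, and the graph itself are constructed for the example and do not reflect the actual challenge data.

```python
"""Access-graph reachability audit (added example, not part of the original write-up).

Model: nodes are channels; a directed edge A -> B means "a member of A can
obtain membership of B" (for instance through a bot that creates or invites on
request). DFS from a starting channel then answers whether any restricted
channel is reachable, and reports the path, which is exactly what an escalation
review needs to flag before an adversary finds it.
"""
from typing import Dict, Iterable, List, Optional, Set

# Constructed sample graph (hypothetical channel names, not from the challenge).
# The offtopic -> town-square edge is a deliberate cycle to exercise the visited set.
SAMPLE_GRAPH: Dict[str, List[str]] = {
    "town-square": ["offtopic", "bot-requests"],
    "offtopic": ["town-square"],
    "bot-requests": ["project-alpha"],
    "project-alpha": ["ops-private"],
    "ops-private": ["incident-2025"],
    "incident-2025": [],
    "hr-private": ["payroll"],
    "payroll": [],
}


def find_path(graph: Dict[str, List[str]], start: str, target: str) -> Optional[List[str]]:
    """Iterative DFS returning one path start -> ... -> target, or None if unreachable."""
    if start == target:
        return [start]
    visited: Set[str] = {start}
    stack: List[tuple] = [(start, [start])]
    while stack:
        node, path = stack.pop()
        for nxt in graph.get(node, []):
            if nxt in visited:
                continue  # already explored (also guards against cycles)
            new_path = path + [nxt]
            if nxt == target:
                return new_path
            visited.add(nxt)
            stack.append((nxt, new_path))
    return None


def reachable(graph: Dict[str, List[str]], start: str) -> Set[str]:
    """Every channel reachable from start (start itself included)."""
    seen: Set[str] = {start}
    stack = [start]
    while stack:
        node = stack.pop()
        for nxt in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


def audit(graph: Dict[str, List[str]], start: str,
          restricted: Iterable[str]) -> Dict[str, Optional[List[str]]]:
    """Map each restricted channel to the escalation path that reaches it, or None."""
    return {r: find_path(graph, start, r) for r in restricted}


if __name__ == "__main__":
    report = audit(SAMPLE_GRAPH, "town-square", ["incident-2025", "payroll"])
    for channel, path in report.items():
        if path is None:
            print(f"{channel}: not reachable from town-square")
        else:
            print(f"{channel}: REACHABLE via {' -> '.join(path)}")
```

Run against a real membership export, the `audit` output is the list of restricted channels a default member can reach and the exact chain of grants that gets them there; each reported chain is a candidate for tightening the bot's creation or invitation checks.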

Task 7 — Vulnerability Exploitation

Analyzed an Android ZIP archiver; identified unsafe recursive extraction; bypassed directory constraints via filename encoding; compiled a malicious DEX JAR achieving Remote Code Execution.

Tools Used

IDA Pro · Volatility 3 · dwarf2json · Ghidra · Binary Ninja · Wireshark · crash · GDB · PyCrypto/Cryptodome · strace