Posted by on 19 Jan 2014 in Reversing, Security, Software

… and all I got was this (virtual) T-Shirt.

Sorry. Poor attempt at a joke, and not even technically true; I received two virtual T-Shirts for my Xbox Live Avatar and the blue hat proudly displayed in the picture.

A few months ago I heard of Microsoft’s BlueHat Challenge. Their post explains it well, but in summary it’s a free series of computer security problems split across three different “tracks”. Evidently they were inspired by the Matasano Crypto Challenges into doing something similar.

The three available tracks are:

  • “Vulnerability Discovery” [vuln]
  • “Reverse Engineering” [rev]
  • “Web Design Vulnerabilities” [web]

I now know that each track contains eight levels, the last one being “optional” – that is, finishing the first seven levels of a track is all that’s required to get a free avatar item. I’m not going to list each level or my solutions here, just in case anyone out there is still working through them.

[rev]

I figured that I could best apply my knowledge to the [rev] track, and as I wasn’t really sure what sort of difficulty the challenges would be, I’d start with just that one and see how I got on. A few moments after applying I was pleasantly surprised to receive an email containing the first level for all three tracks, not just the one I’d applied for. I think that’s a great idea, though I question the point of having to initially apply to a specific track, as answers are accepted for all of them once one of them has been started.

Each level takes the form of a series of questions that must be answered by replying to the email. In general explaining the process of finding the answer is more important than the answer itself. As an example, the first [rev] level consists of a Windows executable that when run has “Gollum” asking a series of riddles. How to find out the answers to the riddles is explained – some by debugging the binary, one by relying on an information leak in Gollum’s responses.

It took quite a few weeks (months) of elapsed time but I finally finished all eight levels of the [rev] track, including the last “hard mode” level. The difficulty level of that last level really was higher than the other levels, but with some perseverance I got there in the end. Without wishing to give too much away, it was very rewarding to write my own disassembler and use it to understand what was going on in the target binary. I got one Xbox Live item for getting to level 7 of this track.

Other [rev] levels included old-school “crackme” style executables – complete with appropriate chiptunes – Flash files, Java applets, and binaries from a couple of different architectures. All in all, a great mix of general reverse engineering challenges, and a very good progression of difficulty. I’d definitely recommend this track to anyone interested in reverse engineering.

[web]

As each level of a track must be completed before receiving the next one, I often had some time in between sending in [rev] answers and waiting for the next level. I used that time to have a look at the [web] track and fairly quickly worked my way through all eight levels of those too. I’d say that the [web] track is significantly easier than the [rev] track, partly because there’s only one question per level and partly because the scope is much smaller.

I’d recommend the [web] track to anyone interested in JavaScript web development; essentially all of the questions are JS based and are fairly straightforward. My only caveat would be that after a few levels it became clear to me that (being Microsoft) it was implicitly assumed that a late version of Internet Explorer was the target. Perhaps it’s obvious in hindsight, but after spending half an hour trying to get an answer that worked in Chrome and Firefox to function in Internet Explorer 8, I realised that it worked fine in IE9, and that cross-browser answers just weren’t expected at all. Not a problem as such, but it would have been nice for this to be stated explicitly at the beginning.

I’m going to break my own self-imposed rule here and give the first [web] level, in an attempt to whet your appetite. The level is comprised of an HTML file containing this JS code:

/********** YOUR CODE SHOULD START BELOW THIS LINE **********/




/*********** YOUR CODE SHOULD END ABOVE THIS LINE ***********/
var goodJob = /!/._//!//
alert(goodJob); // We should see an alert saying "HACKED".

The question is: what code, placed between the two comments, causes an alert() box to appear containing the word “HACKED”? There are a couple of conditions:

  • You can’t change the behavior of alert, String, or undefined.
  • You can’t use onerror/try/catch or any code that controls errors.
  • Your code can be any length inside the allowed area. No changes outside of it.

This is just the first level, remember! It does get a bit more involved, and security related.
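To show what the level is really testing, here is an added example (not code from the original post or from Microsoft’s challenge) that walks through how the engine reads the line `var goodJob = /!/._//!//` and why the value depends on the prototype chain. It wraps the challenge expression in a function and returns values instead of calling alert(), so it runs under Node as well as in a browser; the function names are my own.

```javascript
// Added example (not code from the original post or from Microsoft's challenge):
// why the challenge line evaluates to undefined as written, and how code placed
// in the allowed area can change that without touching alert, String or undefined.

// The exact expression from the challenge, wrapped so it can be called repeatedly.
// The engine tokenises it as: `/!/` (a RegExp literal), `._` (a property lookup
// on that object), then `//!//` (a line comment that is discarded).
function challengeExpression() {
  var goodJob = /!/._//!//
  return goodJob;
}

// What the literal looks like to the engine: an ordinary RegExp object with no own
// property called `_`, so the lookup walks up the prototype chain and misses.
function describeLiteral() {
  var re = /!/;
  return {
    type: typeof re,                                                   // "object"
    source: re.source,                                                 // "!"
    ownUnderscore: Object.prototype.hasOwnProperty.call(re, '_'),      // false
    inheritsFromRegExp: Object.getPrototypeOf(re) === RegExp.prototype // true
  };
}

// Narrow approach: give RegExp.prototype a `_` property so every regex object
// inherits it. Only regex values are affected. The property is removed again
// afterwards so the example leaves global state as it found it.
function solveViaRegExpPrototype() {
  Object.defineProperty(RegExp.prototype, '_', { value: 'HACKED', configurable: true });
  var result = challengeExpression();
  delete RegExp.prototype._;
  return result;
}

// Broad approach: put `_` on Object.prototype instead. This also satisfies the
// challenge, but it is the prototype-pollution pattern: an unrelated object
// literal created afterwards inherits `_` as well, which is the kind of side
// effect that turns this party trick into a real bug class in application code.
function solveViaObjectPrototype() {
  Object.defineProperty(Object.prototype, '_', { value: 'HACKED', configurable: true });
  var result = challengeExpression();
  var collateral = ({})._;
  delete Object.prototype._;
  return { result: result, collateral: collateral };
}

// Stand-alone run: console.log stands in for alert() outside a browser.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(challengeExpression());          // undefined
  console.log(solveViaRegExpPrototype());      // HACKED
  console.log(solveViaObjectPrototype());      // { result: 'HACKED', collateral: 'HACKED' }
}
```

The point of the level is the tokeniser: a `/` after `=` starts a regex literal, `//` always starts a comment, and a regex is just an object whose missing property falls through to its prototype. The narrow RegExp.prototype approach meets all three conditions; the Object.prototype variant also “works” but demonstrates why extending Object.prototype is the thing to watch for when reviewing real code.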

Completing the eighth level actually involves discovering a (specific) unpublished Internet Explorer vulnerability. Completing that one absolutely took me the longest of the lot! At the time I completed it I was told that I was one of three people who had done so. Without knowing how many had tried it, I’m not sure whether that’s good or bad! I got a second special Xbox Live avatar item for completing level 7 and another for level 8, completing my set of three.

[vuln]

Once I’d finished the [web] and [rev] tracks, I started looking at the [vuln] one. The answers required here (at least for the first level) seem to be more subjective than for the other tracks. The first level requires the use of a “fuzzer” to find a crash in a given Windows executable and then answer a few questions about how long it took to crash, how the process might be sped up and optionally how serious a bug has been found.

I can’t say much else about the [vuln] track because while I sent in my answers for the first level a couple of months ago, I haven’t yet received a response. A few days’ or weeks’ delay before responding is not unusual, but this time appears to be a bit different. Perhaps the challenge has ended, which would be disappointing. Unfortunately a lack of clear communication mars a challenging and enjoyable experience that I’d otherwise be eager to recommend. As it is, I’m not sure if it’s now worth attempting to start the challenge or not.

Regardless, I have very much enjoyed completing the challenge this far, and am virtually wearing my Xbox Live avatar items with pride.