Note: this blog post was originally written for the benefit of students who will dissect this shellcode on their course.
The Tor network is an anonymising network that allows people to browse the web and access other services without being traced. Part of this network is the so-called ‘darknet’: servers only accessible through Tor, hosting a variety of services from forums to e-mail. Whilst a few of these services are innocent and aimed at those concerned about human rights abuses, the anonymity naturally attracts those with criminal intent, such as the distribution of child pornography. This makes it very difficult for law enforcement agencies to trace a user’s original IP address.
In 2013, a piece of malware was found embedded in Freedom Hosting’s darknet server that would exploit a security hole in a particular web browser and execute code on the user’s computer. This code gathered some information about the user, sent it to a server in Virginia and then crashed; it showed none of the obviously malicious intent that is so characteristic of malware.
GCHQ released a recruitment challenge on www.canyoucrackit.co.uk in November 2011. The challenge involved a series of reverse engineering puzzles.
I cracked the challenge in a few days and published videos of how to solve it online. The puzzle was broken into three stages, which took around six to eight hours to solve. The videos received widespread media attention and are included here as step-by-step guides to completing the stages (spoiler alert, obviously).