Posted June 21, 20169 yr Quote You have less than one month to prepare for the first ever Unit 42 Capture the Flag (CTF) challenge: LabyREnth! Hone your skills and get ready to test yourself against challenges designed by the best threat research teams across Palo Alto Networks. The CTF will be open to the public starting July 15, 2016, at 4:00 pm PST, and we’ve asked our technical teams to craft challenges that delve into their most used skills across, but not limited to, the following areas: Reverse Engineering Malware Analysis Programming Threat Intelligence Analysis Critical Thinking Winning will require being a master of many disciplines, and you should expect challenges in lots of different mediums and architectures. Trust us when we say the prizes will be worth it! The challenge will start on Friday July 15, 2016, at 4:00 pm PST and will run until August 14,,2016, at 11:59pm PST. Official site: http://labyrenth.com/ Announcement: http://researchcenter.paloaltonetworks.com/2016/06/unit-42-countdown-to-labyrenth-capture-the-flag-ctf-challenge/
June 21, 20169 yr The only real question here is whether you will finish it without sleeping or not ;-)
June 22, 20169 yr Found something interesting-ish (or completely useless, who knows) There is binary on the main front page (obviously), which is largely garbage ("00100000" repeated), but in the middle there is some actual binary : Quote 0101001001101101001110010111100101001001010010000100101001101100010110010101011101111000011110100100100101001000011011000110100001100010010001110111011101110101010010010100010101101000011010000110001101111001010000100110100001100010011011100110110001110110011000100110110101010101011001110110001101101101010101100110100001100010010001110111100000110101010010010100011101001010011011000101101001010111001101000110011101011010011011010100011001111001010010010100011101000110011110100100100101000111010100100110110001011001001100100110110001101011010110100101011101010001011001110110010001000111001110000110011101100100010110000100111001101100010010010100011001101000010100000101010101101001010000100110110001100100011011010101011001110101010010010100011101100100011101100100100101001000011001000110100001100010011011100101000101100111011001000100011100111000011001110101101001000111001110000110011101100010010001110011100101110110011000010111100101000010011101000110001000110011010010100110110001001001010001110111100001110000011000010011001001010101001011110100100101000110011011000111011001100100010100110110010000110010010110100101001101000010011011100110001000110011010100010110011101100100010001110011100001100111010110100101100001011010011011000110001001101001010000100110111101011001010110000101101001101100010010010100011101001010011011000101101001010111001101000110011101100001001100100110110001101011010110100100011101101100011101010101101001111001010000100111010001011010010100110100001000110011011000010101100001010010011011110100100101001000010100100110111101100001010110000100110101100111010101010100010101000110010011110100110001101001010000100100101001001010001100110101101001101100010010010100011101001010011011000101101001010111001101000110011101011010011011100101011001111001011001000100011101101000011011000110001101101001010000100110110001100100011011010101011001110101010010010100011100110001011101100110001101101101010101010110011101011010010001110101011001101010011000010101011101010010011011000101101001000011010000100011000001100010011110010100001000110001011000110011001001010101011001110101101001011000010110100110110001100010011010010100001001101110011000100111100101000010011101010101101001010111010101100110101101001001010010000101001001110110010010010100011101010010011101100100100101000111011110000111011001100010001100100111001101100111011000100101011100111001011110010101101001010011010000100110100001100011011110010100001001101000011000100110111001101100011101100110001001101101010101010110011101011001001100100100011001110101010010010100011101011010011101100110001101101001010000100101001101100100010101110111100001101100011000110111100101000010011010000110001001101101010100010110011101011010010110000101101001101100011000100110100101000010011101000110001000110011010010100110110001001001010010000101001001101111010110010101011100110100011001110101010101001000010010100111000001100101011011010101011001111010010010010100011101101000011010000110010001101101010101010110011101011001011011010101011001101100011000100110100101000010001100000110000101000111010101010110011101010100001100110101101001101100011000110110111001011010011100000101101001011000011001000111101001001100011010010100001001000100010110010101011100110100011001110110010101010111001110010011000101001001010010000100101001101100010110010101011101111000011100110110010101010011010000100110100101011010010100110100001001101101010110010101100001001001011001110101101001101110010010100111011001100010010100110100001001010000011000110110110101010010011011000110001101101101011011000111010101011010011110010100001001101100011001000110110101010110011101010100100101000111010001100111101001001001010001110101001001101100010110010011001001101100011010110101101001010111010100010110011101100001010001110100011001110011010110100110100101000010011010000110001101111001010000100111010001100100010101110100111001101111010010010100100001010010011101100100100101001000010101100111101001011010010100110100001001000101011000010101011101100100011100000110010001001000010011010110011101011010001100100011100001100111011001000011001001101100011110100110000101000011010000100110110101100010001100110100100101100111011001000100011101101000011010000110010001000100001110000011110100100000 which decodes to a base64 string Quote Rm9yIHJlYWxzIHlhbGwuIEhhcyBhbnlvbmUgcmVhbGx5IGJlZW4gZmFyIGFzIGRlY2lkZWQgdG8gdXNlIFhPUiBldmVuIGdvIHdhbnQgdG8gZG8gbG9vayBtb3JlIGxpa2U/IFlvdSd2ZSBnb3QgdG8gZXZlbiBoYXZlIGJlZW4ga2lkZGluZyBtZSB3aXRoIHRoaXMgUEFOLiBJJ3ZlIGJlZW4gZnVydGhlciBldmVuIG1vcmUgZGVjaWRlZCB0byB1c2UgZXZlbiBnbyBuZWVkIHRvIGRvIGxvb2sgbW9yZSBhcyBhbnlvbmUgY2FuIGZvciBSdWxlcyBhbmQgZXZlbiBtb3JlIHRoYW4gUHJpemVzIGhhdmUgYmVlbiB0aGUgT3ZlcnZpZXdzLiBDYW4geW91IHJlYWxseSBiZSBmYXIgZnJvbSBPcmRlcmluZyBldmVuIGFzIGRlY2lkZWQgaGFsZiBhcyBtdWNoIHRvIHVzZSBEaWdpdHMgZ28gd2lzaCBmb3IgdGhhdD8= Which in turn decodes to Quote For reals yall. Has anyone really been far as decided to use XOR even go want to do look more like? You've got to even have been kidding me with this PAN. I've been further even more decided to use even go need to do look more as anyone can for Rules and even more than Prizes have been the Overviews. Can you really be far from Ordering even as decided half as much to use Digits go wish for that? This is where my stupidity gets the better of me..... lots of ideas, but nothing worked out, and being at work isn't make it easy to play around with stuff.That sentence obviously doesn't make sense which suggests some other cipher..... possibly based on XOR and/or reordering the sentence looking at the caps in there. Quote XOR PAN Rules Prizes Overviews Ordering Digits Or it's just a reference to this meme: http://knowyourmeme.com/memes/has-anyone-really-been-far-even-as-decided-to-use-even-go-want-to-do-look-more-like There's also the 3 identical (I think, not checked) binary blocks at the bottom of the webpage. The highlighted 10011001 gives ™ so it might just be a copyright of some sort in binary, but I suspect there is more. Edited June 22, 20169 yr by Loki
July 5, 20169 yr They updated the page with the prizes information.http://researchcenter.paloaltonetworks.com/2016/07/a-quick-update-on-our-labyrenth-ctf-challenge/http://labyrenth.com/1t_w0nt_83_80r1ng.html Edited July 5, 20169 yr by Extreme Coders
July 6, 20169 yr @Kao Is it a team challenge? Here it says it is a challenge meant for individual participation http://labyrenth.com/1_d0nt_kn0w_wh3r3_1m_g01ng.html
July 7, 20169 yr Author @akkaldama: Cool, they've clarified it.. :-) And the prizes look tasty enough!
July 16, 20169 yr Author Yippee-ki-yay! Congrats! You have successfully solved all of the challenges in the windows tier! Care to try another tier? >:P
July 16, 20169 yr Windows 1 and 2 were pretty easy and fun. I think I know how to solve the 3rd one too but I'm too lazy to test it.. How many challenges are present?
July 17, 20169 yr Author There are 9. #4, #6 and #9 are the harder ones in my opinion. Challenge stats seems to confirm that.
July 17, 20169 yr @kao I cannot see anything tricky in that challenge except a function that never called. I have a key(it was super simple) and entering that key returns it is wrong one. Is there another key? or it is a mistake in converting the ascii art to key?
July 17, 20169 yr Indeed 4 is a bit harder. Reversed most of that .exe (I think) but still have to figure out how to get the key out of it (also reversing x64 is new for me).
July 18, 20169 yr Author Someone asked me about Windows challenge #4 in PM. However, I'd like to keep it fair-play, so I'll be responding here.. Quote I've reversed it and it works (so far): <removed code> But I don't get the idea of actually reversing the function. Like do I have to bruteforce the encrypted data or did I miss something out? Instead of focusing on brute force and code, try to understand what the serial checking actually does. Spoiler It's a well-known game/puzzle. Read the description that came with the challenge for a hint. Once you understand that, you can solve it within minutes using just pencil and paper.
July 18, 20169 yr On 17/07/2016 at 0:23 AM, kao said: Yippee-ki-yay! Congrats! You have successfully solved all of the challenges in the windows tier! Care to try another tier? >:P I point the honorable gentleman to my initial response in this topic
July 18, 20169 yr Author @Loki: Thank you, but I finished only Windows track, not the entire challenge. On Sunday I did the Documents track just for fun - and that was very easy. However, the remaining 4 tracks are still unsolved. Unix track looks really scary, considering my lack of experience in that particular field..
July 20, 20169 yr In docs track challenge -1 i cannot get the "evil" thing. Every time it returns connection failed error. Anyone have this issue? and the funny thing is when i first download the challenge Saturday the rar file contains more than one file, and yesterday i have re-download it and this time there is only one word file :-)
July 20, 20169 yr Author You don't need internet connection for solving any of the docs challenges. So, connection failed message is normal and expected. There was only a DOC file for me (ZIP file downloaded on Sunday).
July 20, 20169 yr I didn't start with the docs challenges, but there were also 2 files for me - a doc file and a 7z file. The 7z file contains the all of the remaining docs challenges. I believe they have put this in mistakenly which they have corrected now. The file was downloaded in about 4 hours after the commencement.
July 26, 20169 yr Somehow I'm too blind to see small hints or something like that. I'm at Windows #6 now, reversed everything (I think?), know how specific things are put together and what kind of known-functions are used, but still I'm too blind to see the relations to actually solve the challenge..
July 26, 20169 yr @Castor Spoiler The app uses some user controllable data. You need to find out this data, which decrypts the flag properly. Completed the Windows and docs challenge. The docs were indeed easy. Currently on the mobile track at level3, linux at level2 (this requires OSX ) .
July 26, 20169 yr Author I got stuck on Mobile #5 - solving that without Apple hardware doesn't seem realistic. And Threat #2 has utterly confusing requirements for Yara rule.
Create an account or sign in to comment