Tuts 4 You

Posted
Quote

You have less than one month to prepare for the first ever Unit 42 Capture the Flag (CTF) challenge: LabyREnth! Hone your skills and get ready to test yourself against challenges designed by the best threat research teams across Palo Alto Networks.

The CTF will be open to the public starting July 15, 2016, at 4:00 pm PST, and we’ve asked our technical teams to craft challenges that delve into their most used skills across, but not limited to, the following areas:

  • Reverse Engineering
  • Malware Analysis
  • Programming
  • Threat Intelligence Analysis
  • Critical Thinking

Winning will require being a master of many disciplines, and you should expect challenges in lots of different mediums and architectures. Trust us when we say the prizes will be worth it! The challenge will start on Friday July 15, 2016, at 4:00 pm PST and will run until August 14, 2016, at 11:59 pm PST.

Official site: http://labyrenth.com/
Announcement: http://researchcenter.paloaltonetworks.com/2016/06/unit-42-countdown-to-labyrenth-capture-the-flag-ctf-challenge/

  • Like 3
Posted

The only real question here is whether you will finish it without sleeping or not ;-)

Posted

Nah, this is a team challenge. I have zero experience with those. ;) 

Posted (edited)

Found something interesting-ish (or completely useless, who knows)

There is a binary string on the main front page (obviously), which is largely garbage ("00100000" repeated), but in the middle there is some actual binary:

which decodes to a base64 string

Which in turn decodes to

Quote

For reals yall. Has anyone really been far as decided to use XOR even go want to do look more like? You've got to even have been kidding me with this PAN. I've been further even more decided to use even go need to do look more as anyone can for Rules and even more than Prizes have been the Overviews. Can you really be far from Ordering even as decided half as much to use Digits go wish for that?

This is where my stupidity gets the better of me..... lots of ideas, but nothing worked out, and being at work doesn't make it easy to play around with stuff. That sentence obviously doesn't make sense, which suggests some other cipher..... possibly based on XOR and/or reordering the sentence, looking at the caps in there.

Quote

XOR PAN Rules Prizes Overviews Ordering Digits

Or it's just a reference to this meme:

http://knowyourmeme.com/memes/has-anyone-really-been-far-even-as-decided-to-use-even-go-want-to-do-look-more-like

There's also the 3 identical (I think, not checked) binary blocks at the bottom of the webpage. The highlighted 10011001 gives ™ so it might just be a copyright of some sort in binary, but I suspect there is more.

Edited by Loki
  • Like 2
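A decoder for the layered front-page encoding Loki describes above, added here as an example and not part of the original post or of the CTF. It assumes the filler is ASCII space bytes ("00100000") around a base64 string, uses the decoded message quoted above as a constructed sample input, and pulls out the mid-sentence capitalised words that form the "XOR PAN Rules ..." list.

```python
import base64
import re

# The final decoded message as quoted in the thread (copied from the page).
DECODED_MESSAGE = (
    "For reals yall. Has anyone really been far as decided to use XOR even go "
    "want to do look more like? You've got to even have been kidding me with "
    "this PAN. I've been further even more decided to use even go need to do "
    "look more as anyone can for Rules and even more than Prizes have been the "
    "Overviews. Can you really be far from Ordering even as decided half as "
    "much to use Digits go wish for that?"
)

def to_binary_string(data: bytes) -> str:
    """Render bytes as a run of 8-bit groups, the way the front page does."""
    return "".join(format(b, "08b") for b in data)

def build_sample_binary(message: str, filler_bytes: int = 16) -> str:
    """Constructed sample: base64 the message and surround it with the
    '00100000' (ASCII space) filler the poster saw around the real data."""
    b64 = base64.b64encode(message.encode("ascii"))
    filler = "00100000" * filler_bytes
    return filler + to_binary_string(b64) + filler

def binary_to_bytes(bits: str) -> bytes:
    """Parse a 0/1 string (whitespace ignored) into bytes, 8 bits per byte."""
    bits = re.sub(r"\s+", "", bits)
    if len(bits) % 8 or set(bits) - {"0", "1"}:
        raise ValueError("expected only 0/1 characters in whole 8-bit groups")
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))

def decode_front_page_binary(bits: str) -> str:
    """Layer 1: binary -> ASCII, drop the space filler; layer 2: base64 -> text."""
    ascii_layer = binary_to_bytes(bits).decode("ascii").strip()
    return base64.b64decode(ascii_layer, validate=True).decode("ascii")

def mid_sentence_capitals(text: str) -> list:
    """Words capitalised anywhere except sentence start: the poster's clue list."""
    found = []
    for sentence in re.split(r"[.?!]", text):
        words = sentence.split()
        found.extend(w for w in words[1:] if w[0].isupper())
    return found

if __name__ == "__main__":
    print(decode_front_page_binary(build_sample_binary(DECODED_MESSAGE)))
    print(mid_sentence_capitals(DECODED_MESSAGE))
```

The byte 10011001 (0x99) mentioned later in the post is the ™ sign only under the Windows-1252 code page; on its own it is not a valid UTF-8 sequence, so which character it "gives" depends on the encoding the page is served in.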
Posted

You see, you're already lightyears ahead of me! :D

  • 2 weeks later...
Posted

@akkaldama: Cool, they've clarified it.. :-) And the prizes look tasty enough!

  • 2 weeks later...
Posted

Does anyone have issues with Windows challenge 2, or is it a tricky one?

Posted

It's just tricky. :)

  • Like 1
Posted

Yippee-ki-yay! 

Congrats! You have successfully solved all of the challenges in the windows tier!
Care to try another tier? >:P
  • Like 4
Posted

Windows 1 and 2 were pretty easy and fun.

I think I know how to solve the 3rd one too but I'm too lazy to test it..

How many challenges are present?

Posted

There are 9. #4, #6 and #9 are the harder ones in my opinion. Challenge stats seem to confirm that.

Posted

@kao

I cannot see anything tricky in that challenge except a function that is never called. I have a key (it was super simple) and entering that key returns that it is the wrong one.

Is there another key, or is it a mistake in converting the ASCII art to a key?

Posted

Possibly a mistake in converting ("0" vs "O")?

Posted

Indeed 4 is a bit harder.

Reversed most of that .exe (I think) but still have to figure out how to get the key out of it (also reversing x64 is new for me).

Posted

Someone asked me about Windows challenge #4 in PM. However, I'd like to keep it fair-play, so I'll be responding here.. ;)

Quote

I've reversed it and it works (so far):  <removed code>

But I don't get the idea of actually reversing the function.
Like do I have to bruteforce the encrypted data or did I miss something out?

Instead of focusing on brute force and code, try to understand what the serial checking actually does.

Spoiler

It's a well-known game/puzzle. Read the description that came with the challenge for a hint.

Once you understand that, you can solve it within minutes using just pencil and paper.

  • Like 1
Posted
On 17/07/2016 at 0:23 AM, kao said:

Yippee-ki-yay! 


Congrats! You have successfully solved all of the challenges in the windows tier!
Care to try another tier? >:P

I point the honorable gentleman to my initial response in this topic ;)

Posted

@Loki: Thank you, but I finished only the Windows track, not the entire challenge. ;) On Sunday I did the Documents track just for fun - and that was very easy.

However, the remaining 4 tracks are still unsolved. Unix track looks really scary, considering my lack of experience in that particular field..

Posted

In docs track challenge 1 I cannot get the "evil" thing. Every time it returns a connection failed error. Anyone have this issue?

And the funny thing is, when I first downloaded the challenge on Saturday the rar file contained more than one file, and yesterday I re-downloaded it and this time there is only one Word file :-)

Posted

You don't need an internet connection for solving any of the docs challenges. So the connection failed message is normal and expected.
There was only a DOC file for me (ZIP file downloaded on Sunday).

Extreme Coders
Posted

I didn't start with the docs challenges, but there were also 2 files for me - a doc file and a 7z file.
The 7z file contains all of the remaining docs challenges. I believe they put this in by mistake, which they have now corrected.
The file was downloaded about 4 hours after the commencement.

Posted

Somehow I'm too blind to see small hints or something like that.
I'm at Windows #6 now, reversed everything (I think?), know how specific things are put together and what kind of known-functions are used, but still I'm too blind to see the relations to actually solve the challenge..

Extreme Coders
Posted

@Castor 

Spoiler

The app uses some user-controllable data. You need to find out this data, which decrypts the flag properly.

Completed the Windows and docs challenges. The docs were indeed easy.
Currently on the mobile track at level 3, Linux at level 2 (this requires OSX :( ).

Posted

I got stuck on Mobile #5 - solving that without Apple hardware doesn't seem realistic. :( And Threat #2 has utterly confusing requirements for Yara rule.