Jump to content
Tuts 4 You

LabyREnth Capture the Flag (CTF) Challenge


Recommended Posts

Quote

You have less than one month to prepare for the first ever Unit 42 Capture the Flag (CTF) challenge: LabyREnth! Hone your skills and get ready to test yourself against challenges designed by the best threat research teams across Palo Alto Networks.

The CTF will be open to the public starting July 15, 2016, at 4:00 pm PST, and we’ve asked our technical teams to craft challenges that delve into their most used skills across, but not limited to, the following areas:

  • Reverse Engineering
  • Malware Analysis
  • Programming
  • Threat Intelligence Analysis
  • Critical Thinking

Winning will require being a master of many disciplines, and you should expect challenges in lots of different mediums and architectures. Trust us when we say the prizes will be worth it! The challenge will start on Friday July 15, 2016, at 4:00 pm PST and will run until August 14,,2016, at 11:59pm PST. 

Official site: http://labyrenth.com/
Announcement: http://researchcenter.paloaltonetworks.com/2016/06/unit-42-countdown-to-labyrenth-capture-the-flag-ctf-challenge/

  • Like 3
Link to comment

Found something interesting-ish (or completely useless, who knows)

There is binary on the main front page (obviously), which is largely garbage ("00100000" repeated), but in the middle there is some actual binary :

Quote

0101001001101101001110010111100101001001010010000100101001101100010110010101011101111000011110100100100101001000011011000110100001100010010001110111011101110101010010010100010101101000011010000110001101111001010000100110100001100010011011100110110001110110011000100110110101010101011001110110001101101101010101100110100001100010010001110111100000110101010010010100011101001010011011000101101001010111001101000110011101011010011011010100011001111001010010010100011101000110011110100100100101000111010100100110110001011001001100100110110001101011010110100101011101010001011001110110010001000111001110000110011101100100010110000100111001101100010010010100011001101000010100000101010101101001010000100110110001100100011011010101011001110101010010010100011101100100011101100100100101001000011001000110100001100010011011100101000101100111011001000100011100111000011001110101101001000111001110000110011101100010010001110011100101110110011000010111100101000010011101000110001000110011010010100110110001001001010001110111100001110000011000010011001001010101001011110100100101000110011011000111011001100100010100110110010000110010010110100101001101000010011011100110001000110011010100010110011101100100010001110011100001100111010110100101100001011010011011000110001001101001010000100110111101011001010110000101101001101100010010010100011101001010011011000101101001010111001101000110011101100001001100100110110001101011010110100100011101101100011101010101101001111001010000100111010001011010010100110100001000110011011000010101100001010010011011110100100101001000010100100110111101100001010110000100110101100111010101010100010101000110010011110100110001101001010000100100101001001010001100110101101001101100010010010100011101001010011011000101101001010111001101000110011101011010011011100101011001111001011001000100011101101000011011000110001101101001010000100110110001100100011011010101011001110101010010010100011100110001011101100110001101101101010101010110011101011010010001110101011001101010011000010101011101010010011011000101101001000011010000100011000001100010011110010100001000110001011000110011001001010101011001110101101001011000010110100110110001100010011010010100001001101110011000100111100101000010011101010101101001010111010101100110101101001001010010000101001001110110010010010100011101010010011101100100100101000111011110000111011001100010001100100111001101100111011000100101011100111001011110010101101001010011010000100110100001100011011110010100001001101000011000100110111001101100011101100110001001101101010101010110011101011001001100100100011001110101010010010100011101011010011101100110001101101001010000100101001101100100010101110111100001101100011000110111100101000010011010000110001001101101010100010110011101011010010110000101101001101100011000100110100101000010011101000110001000110011010010100110110001001001010010000101001001101111010110010101011100110100011001110101010101001000010010100111000001100101011011010101011001111010010010010100011101101000011010000110010001101101010101010110011101011001011011010101011001101100011000100110100101000010001100000110000101000111010101010110011101010100001100110101101001101100011000110110111001011010011100000101101001011000011001000111101001001100011010010100001001000100010110010101011100110100011001110110010101010111001110010011000101001001010010000100101001101100010110010101011101111000011100110110010101010011010000100110100101011010010100110100001001101101010110010101100001001001011001110101101001101110010010100111011001100010010100110100001001010000011000110110110101010010011011000110001101101101011011000111010101011010011110010100001001101100011001000110110101010110011101010100100101000111010001100111101001001001010001110101001001101100010110010011001001101100011010110101101001010111010100010110011101100001010001110100011001110011010110100110100101000010011010000110001101111001010000100111010001100100010101110100111001101111010010010100100001010010011101100100100101001000010101100111101001011010010100110100001001000101011000010101011101100100011100000110010001001000010011010110011101011010001100100011100001100111011001000011001001101100011110100110000101000011010000100110110101100010001100110100100101100111011001000100011101101000011010000110010001000100001110000011110100100000

which decodes to a base64 string

Quote

Rm9yIHJlYWxzIHlhbGwuIEhhcyBhbnlvbmUgcmVhbGx5IGJlZW4gZmFyIGFzIGRlY2lkZWQgdG8gdXNlIFhPUiBldmVuIGdvIHdhbnQgdG8gZG8gbG9vayBtb3JlIGxpa2U/IFlvdSd2ZSBnb3QgdG8gZXZlbiBoYXZlIGJlZW4ga2lkZGluZyBtZSB3aXRoIHRoaXMgUEFOLiBJJ3ZlIGJlZW4gZnVydGhlciBldmVuIG1vcmUgZGVjaWRlZCB0byB1c2UgZXZlbiBnbyBuZWVkIHRvIGRvIGxvb2sgbW9yZSBhcyBhbnlvbmUgY2FuIGZvciBSdWxlcyBhbmQgZXZlbiBtb3JlIHRoYW4gUHJpemVzIGhhdmUgYmVlbiB0aGUgT3ZlcnZpZXdzLiBDYW4geW91IHJlYWxseSBiZSBmYXIgZnJvbSBPcmRlcmluZyBldmVuIGFzIGRlY2lkZWQgaGFsZiBhcyBtdWNoIHRvIHVzZSBEaWdpdHMgZ28gd2lzaCBmb3IgdGhhdD8=

Which in turn decodes to

Quote

For reals yall. Has anyone really been far as decided to use XOR even go want to do look more like? You've got to even have been kidding me with this PAN. I've been further even more decided to use even go need to do look more as anyone can for Rules and even more than Prizes have been the Overviews. Can you really be far from Ordering even as decided half as much to use Digits go wish for that?

This is where my stupidity gets the better of me..... lots of ideas, but nothing worked out, and being at work isn't make it easy to play around with stuff.That sentence obviously doesn't make sense which suggests some other cipher..... possibly based on XOR and/or reordering the sentence looking at the caps in there.

Quote

XOR PAN Rules Prizes Overviews Ordering Digits

Or it's just a reference to this meme:

http://knowyourmeme.com/memes/has-anyone-really-been-far-even-as-decided-to-use-even-go-want-to-do-look-more-like

There's also the 3 identical (I think, not checked) binary blocks at the bottom of the webpage. The highlighted 10011001 gives ™ so it might just be a copyright of some sort in binary, but I suspect there is more.

 

 

Edited by Loki
  • Like 2
Link to comment
  • 2 weeks later...
  • 2 weeks later...

Yippee-ki-yay! 

Congrats! You have successfully solved all of the challenges in the windows tier!
Care to try another tier? >:P
  • Like 4
Link to comment

Windows 1 and 2 were pretty easy and fun.

I think I know how to solve the 3rd one too but I'm too lazy to test it..

How many challenges are present?

Link to comment

@kao

I cannot see anything tricky in that challenge except a function that never called. I have a key(it was super simple) and entering that key returns it is wrong one.

Is there another key? or it is a mistake in converting the ascii art to key?

Link to comment

Indeed 4 is a bit harder.

Reversed most of that .exe (I think) but still have to figure out how to get the key out of it (also reversing x64 is new for me).

Link to comment

Someone asked me about Windows challenge #4 in PM. However, I'd like to keep it fair-play, so I'll be responding here.. ;)

Quote

I've reversed it and it works (so far):  <removed code>

But I don't get the idea of actually reversing the function.
Like do I have to bruteforce the encrypted data or did I miss something out?

 

Instead of focusing on brute force and code, try to understand what the serial checking actually does.

Spoiler

It's a well-known game/puzzle. Read the description that came with the challenge for a hint.

Once you understand that, you can solve it within minutes using just pencil and paper.

 

  • Like 1
Link to comment
On 17/07/2016 at 0:23 AM, kao said:

Yippee-ki-yay! 


Congrats! You have successfully solved all of the challenges in the windows tier!
Care to try another tier? >:P

I point the honorable gentleman to my initial response in this topic ;)

Link to comment

@Loki: Thank you, but I finished only Windows track, not the entire challenge. ;) On Sunday I did the Documents track just for fun - and that was very easy. 

However, the remaining 4 tracks are still unsolved. Unix track looks really scary, considering my lack of experience in that particular field..

Link to comment

In docs track challenge -1 i cannot get the "evil" thing. Every time it returns connection failed error. Anyone have this issue?

and the funny thing is when i first download the challenge Saturday the rar file contains more than one file, and yesterday i have re-download it and this time there is only one word file :-)

Link to comment

You don't need internet connection for solving any of the docs challenges. So, connection failed message is normal and expected.
There was only a DOC file for me (ZIP file downloaded on Sunday).

Link to comment
Extreme Coders

I didn't start with the docs challenges, but there were also 2 files for me - a doc file and a 7z file.
The 7z file contains the all of the remaining docs challenges. I believe they have put this in mistakenly which they have corrected now.
The file was downloaded in about 4 hours after the commencement.

Link to comment

Somehow I'm too blind to see small hints or something like that.
I'm at Windows #6 now, reversed everything (I think?), know how specific things are put together and what kind of known-functions are used, but still I'm too blind to see the relations to actually solve the challenge..

Link to comment
Extreme Coders

@Castor 

Spoiler

The app uses some user controllable data. You need to find out this data, which decrypts the flag properly.

Completed the Windows and docs challenge. The docs were indeed easy. 
Currently on the mobile track at level3, linux at level2 (this requires OSX :(  ) .

 

Link to comment

I got stuck on Mobile #5 - solving that without Apple hardware doesn't seem realistic. :( And Threat #2 has utterly confusing requirements for Yara rule.
 

Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...