October 26, 20168 yr Hi Folks, doing the flareon CTF first time and am stuck at challenge 5. I see a lot of calls especially the first one which sets up something like a jump table of function ptrs. my input string is fed into these and finally before the printf call 4 parameters are passed into the function sub_401880. Only input buffer argument is in my control and it contains some kind of hash of my original input. I cant understand what kind of hash is generated and tracing through sub_401880 is not helping me. I come to understand the functions in the jump table are important for my input string. Should I focus too much on function call before the final printf? Would studying the jump table be enough? Could you please share some hints or clues that will help me progress.
October 26, 20168 yr Author @scorpion77: sub_402EE0 and sub_401880 are certain industry-standard hash & encryption algorithms. Don't try to attack those and focus on other parts.
October 26, 20168 yr For the secureswf in #10, do I need to find the x and y? I tried debugging the swf with JPEXS, but it crashes everytime. I find it hard to understand what's going on in an obfuscated code without a debugger.
October 26, 20168 yr 3 minutes ago, msr said: For the secureswf in #10, do I need to find the x and y? I tried debugging the swf with JPEXS, but it crashes everytime. I find it hard to understand what's going on in an obfuscated code without a debugger. Did you get past the obfuscated Javascript without bruteforcing? I don't see any other way to get past it. Spoiler I also tried to reduce the bruteforcing range without success. Is this the right way to go or should I look for a hint somewhere else in the PCAP?
October 26, 20168 yr @msr You would need to find x and y. JPEXS can debug the p-code but it isn't needed. Look in the options, it can deobfuscate. @Mr. J Bruteforcing is not an option. The algorithm implemented is a rip off from some popular exploit kit, with a little bit of search you should be able to find it.
October 26, 20168 yr I love how i could solve chal #9 with grep - i only wish i had thought of it earlier
October 27, 20168 yr For those struggling with .NET debuggers: remember that IL code gets JIT'd into native code, which you can (in my experience) debug in a quite straightforward way with a normal (read: no VM mumbo jumbo) debugger. WinDbg and !name2ee are your best friends.
October 31, 20168 yr I don't see how to recover x and y for level 10? Should i be looking in the pcap? Or is it more of a brute forcing problem?
November 2, 20168 yr Author Still can't figure out x and y in #10... Does it have something to do with the picture? Any hints?
November 2, 20168 yr @kao Hint: reuse of same rc4 key to encrypt multiple files. You have got plaintext, corresponding ciphertext and another piece of ciphertext encrypted with the same key.
November 5, 20168 yr Official solutions has been published by Fireeye. https://www.fireeye.com/blog/threat-research/2016/11/2016_flare-on_challe.html
November 6, 20168 yr 22 hours ago, Hypnz said: Anyone can upload the challenges somewhere; thx. Flare team has published all binary: http://flare-on.com/files/Flare-On3_Challenges.zip (pwd: flare) Regards
November 7, 20168 yr Two other writeups http://vulnerablespace.blogspot.com/ http://mshetta.blogspot.com/2016/11/flare-on-2016-writeup.html Edited November 7, 20168 yr by fasya
Create an account or sign in to comment