Flare-On 3

[scorpion77]

Hi Folks, doing the flareon CTF first time and am stuck at challenge 5. I see a lot of calls especially the first one which sets up something like a jump table of function ptrs. my input string is fed into these and finally before the printf call 4 parameters are passed into the function sub_401880. Only input buffer argument is in my control and it contains some kind of hash of my original input. I cant understand what kind of hash is generated and tracing through sub_401880 is not helping me. I come to understand the functions in the jump table are important for my input string. Should I focus too much on function call before the final printf? Would studying the jump table be enough? Could you please share some hints or clues that will help me progress.

 

[kao]

@scorpion77: sub_402EE0 and sub_401880 are certain industry-standard hash & encryption algorithms. Don't try to attack those and focus on other parts.

[msr]

For the secureswf in #10, do I need to find the x and y? I tried debugging the swf with JPEXS, but it crashes everytime. I find it hard to understand what's going on in an obfuscated code without a debugger.

[Mr. J]

3 minutes ago, msr said:

For the secureswf in #10, do I need to find the x and y? I tried debugging the swf with JPEXS, but it crashes everytime. I find it hard to understand what's going on in an obfuscated code without a debugger.

Did you get past the obfuscated Javascript without bruteforcing? I don't see any other way to get past it.
 

Spoiler

I also tried to reduce the bruteforcing range without success. Is this the right way to go or should I look for a hint somewhere else in the PCAP?

 

[Extreme Coders]

@msr You would need to find x and y. JPEXS can debug the p-code but it isn't needed. Look in the options, it can deobfuscate.

@Mr. J Bruteforcing is not an option. The algorithm implemented is a rip off from some popular exploit kit, with a little bit of search you should be able to find it.

[quend]

I love how i could solve chal #9 with grep - i only wish i had thought of it earlier

[hyper-v]

For those struggling with .NET debuggers: remember that IL code gets JIT'd into native code, which you can (in my experience) debug in a quite straightforward way with a normal (read: no VM mumbo jumbo) debugger.

WinDbg and !name2ee are your best friends.

[quend]

agree on the windbg point there : D

[quend]

And just when i thought i was done with #10 ...

[quend]

I don't see how to recover x and y for level 10? Should i be looking in the pcap? Or is it more of a brute forcing problem?

[quend]

Never mind i figured it out... not a very impressive ending to the chal

[kao]

Still can't figure out x and y in #10... Does it have something to do with the picture?  

Any hints?

[Extreme Coders]

@kao Hint: reuse of same rc4 key to encrypt multiple files. You have got plaintext, corresponding ciphertext and another piece of ciphertext encrypted with the same key.

[Extreme Coders]

Official solutions has been published by Fireeye.

https://www.fireeye.com/blog/threat-research/2016/11/2016_flare-on_challe.html

[Hypnz]

Anyone can upload the challenges somewhere; thx.

[kienmanowar]

22 hours ago, Hypnz said:

Anyone can upload the challenges somewhere; thx.

Flare team has published all binary: http://flare-on.com/files/Flare-On3_Challenges.zip (pwd: flare)

Regards

[Hypnz]

Thanks a lot my friend.

[fasya]

Two other writeups 

http://vulnerablespace.blogspot.com/

http://mshetta.blogspot.com/2016/11/flare-on-2016-writeup.html

Edited November 7, 2016 by fasya