Hi Folks, doing the flareon CTF first time and am stuck at challenge 5. I see a lot of calls especially the first one which sets up something like a jump table of function ptrs. my input string is fed into these and finally before the printf call 4 parameters are passed into the function sub_401880. Only input buffer argument is in my control and it contains some kind of hash of my original input. I cant understand what kind of hash is generated and tracing through sub_401880 is not helping me. I come to understand the functions in the jump table are important for my input string. Should I focus too much on function call before the final printf? Would studying the jump table be enough? Could you please share some hints or clues that will help me progress.

 

@scorpion77: sub_402EE0 and sub_401880 are certain industry-standard hash & encryption algorithms. Don't try to attack those and focus on other parts.

For the secureswf in #10, do I need to find the x and y? I tried debugging the swf with JPEXS, but it crashes everytime. I find it hard to understand what's going on in an obfuscated code without a debugger.

3 minutes ago, msr said:

For the secureswf in #10, do I need to find the x and y? I tried debugging the swf with JPEXS, but it crashes everytime. I find it hard to understand what's going on in an obfuscated code without a debugger.

Did you get past the obfuscated Javascript without bruteforcing? I don't see any other way to get past it.
 

Spoiler

I also tried to reduce the bruteforcing range without success. Is this the right way to go or should I look for a hint somewhere else in the PCAP?

 

@msr You would need to find x and y. JPEXS can debug the p-code but it isn't needed. Look in the options, it can deobfuscate.

@Mr. J Bruteforcing is not an option. The algorithm implemented is a rip off from some popular exploit kit, with a little bit of search you should be able to find it.

I love how i could solve chal #9 with grep - i only wish i had thought of it earlier

For those struggling with .NET debuggers: remember that IL code gets JIT'd into native code, which you can (in my experience) debug in a quite straightforward way with a normal (read: no VM mumbo jumbo) debugger.

WinDbg and !name2ee are your best friends.

agree on the windbg point there : D

And just when i thought i was done with #10 ...

I don't see how to recover x and y for level 10? Should i be looking in the pcap? Or is it more of a brute forcing problem?

Never mind i figured it out... not a very impressive ending to the chal

Still can't figure out x and y in #10... Does it have something to do with the picture?  

Any hints?

@kao Hint: reuse of same rc4 key to encrypt multiple files. You have got plaintext, corresponding ciphertext and another piece of ciphertext encrypted with the same key.

Official solutions has been published by Fireeye.

https://www.fireeye.com/blog/threat-research/2016/11/2016_flare-on_challe.html

Anyone can upload the challenges somewhere; thx.

22 hours ago, Hypnz said:

Anyone can upload the challenges somewhere; thx.

Flare team has published all binary: http://flare-on.com/files/Flare-On3_Challenges.zip (pwd: flare)

Regards

Thanks a lot my friend.

Two other writeups 

http://vulnerablespace.blogspot.com/

http://mshetta.blogspot.com/2016/11/flare-on-2016-writeup.html

Edited November 7, 20168 yr by fasya