scorpion77, posted October 26, 2016: Hi folks, I'm doing the Flare-On CTF for the first time and am stuck at challenge 5. I see a lot of calls, especially the first one, which sets up something like a jump table of function pointers. My input string is fed into these and finally, before the printf call, four parameters are passed into the function sub_401880. Only the input buffer argument is in my control, and it contains some kind of hash of my original input. I can't understand what kind of hash is generated, and tracing through sub_401880 is not helping me. I have come to understand that the functions in the jump table are important for my input string. Should I focus that much on the function call before the final printf? Would studying the jump table be enough? Could you please share some hints or clues that will help me progress?
kao (thread author), posted October 26, 2016: @scorpion77: sub_402EE0 and sub_401880 are certain industry-standard hash & encryption algorithms. Don't try to attack those; focus on other parts.
msr, posted October 26, 2016: For the SecureSWF in #10, do I need to find the x and y? I tried debugging the SWF with JPEXS, but it crashes every time. I find it hard to understand what's going on in obfuscated code without a debugger.
Mr. J, posted October 26, 2016: (quoting msr: "For the SecureSWF in #10, do I need to find the x and y? I tried debugging the SWF with JPEXS, but it crashes every time. I find it hard to understand what's going on in obfuscated code without a debugger.") Did you get past the obfuscated JavaScript without bruteforcing? I don't see any other way to get past it. I also tried to reduce the bruteforcing range without success. Is this the right way to go, or should I look for a hint somewhere else in the PCAP?
Extreme Coders, posted October 26, 2016: @msr You would need to find x and y. JPEXS can debug the p-code, but it isn't needed. Look in the options; it can deobfuscate. @Mr. J Bruteforcing is not an option. The algorithm implemented is a rip-off of some popular exploit kit; with a little bit of searching you should be able to find it.
quend, posted October 26, 2016: I love how I could solve chal #9 with grep. I only wish I had thought of it earlier.
hyper-v, posted October 27, 2016: For those struggling with .NET debuggers: remember that IL code gets JIT'd into native code, which you can (in my experience) debug in a quite straightforward way with a normal (read: no VM mumbo jumbo) debugger. WinDbg and !name2ee are your best friends.
quend, posted October 27, 2016: Agree on the WinDbg point there :D
quend, posted October 29, 2016: And just when I thought I was done with #10 ...
quend, posted October 31, 2016: I don't see how to recover x and y for level 10. Should I be looking in the PCAP? Or is it more of a brute-forcing problem?
quend, posted October 31, 2016: Never mind, I figured it out... not a very impressive ending to the chal.
kao (thread author), posted November 2, 2016: Still can't figure out x and y in #10... Does it have something to do with the picture? Any hints?
Extreme Coders, posted November 2, 2016: @kao Hint: reuse of the same RC4 key to encrypt multiple files. You have got plaintext, the corresponding ciphertext, and another piece of ciphertext encrypted with the same key.
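The key-reuse weakness described in the hint above, as an added worked example that is not from the thread or the challenge files: because RC4 is a stream cipher, a known plaintext/ciphertext pair yields the keystream, which then decrypts any other file encrypted under the same key. The key, file contents and function names are all constructed for the demo.

```python
# Added example: recovering an RC4 keystream from a known-plaintext pair and
# applying it to a second ciphertext produced with the same key.
# All values below (KEY, FILE_A, FILE_B) are constructed, not from the challenge.

def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key-scheduling (KSA) then output generation (PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # KSA: permute S with the key
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                   # PRGA: emit one keystream byte per step
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def rc4(key: bytes, data: bytes) -> bytes:
    """Encrypt/decrypt (same operation): data XOR keystream."""
    return bytes(a ^ b for a, b in zip(data, rc4_keystream(key, len(data))))

def recover_keystream(plaintext: bytes, ciphertext: bytes) -> bytes:
    """C = P xor KS, so KS = P xor C at every position where P is known."""
    return bytes(p ^ c for p, c in zip(plaintext, ciphertext))

def decrypt_with_reused_key(known_pt: bytes, known_ct: bytes, other_ct: bytes) -> bytes:
    """Decrypt `other_ct` without the key. Only the prefix covered by the
    known plaintext is recoverable; bytes beyond it stay unknown."""
    ks = recover_keystream(known_pt, known_ct)
    n = min(len(ks), len(other_ct))
    return bytes(c ^ k for c, k in zip(other_ct[:n], ks[:n]))

# Constructed demo data: two "files" encrypted under one reused key.
KEY = b"not-the-real-flare-key"
FILE_A = b"GIF89a" + b"\x00" * 26           # 32 bytes we fully know (e.g. a recovered image)
FILE_B = b"x=1337 y=4242 (constructed)"     # 27 bytes we want to read
CT_A = rc4(KEY, FILE_A)
CT_B = rc4(KEY, FILE_B)

if __name__ == "__main__":
    print(decrypt_with_reused_key(FILE_A, CT_A, CT_B))
```

Defensively, this is the argument for never reusing a stream-cipher key (or key/nonce pair) across messages: one recovered plaintext exposes everything else encrypted under it.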
Extreme Coders, posted November 5, 2016: Official solutions have been published by FireEye: https://www.fireeye.com/blog/threat-research/2016/11/2016_flare-on_challe.html
Hypnz, posted November 5, 2016: Can anyone upload the challenges somewhere? Thx.
kienmanowar, posted November 6, 2016: (quoting Hypnz: "Can anyone upload the challenges somewhere? Thx.") The Flare team has published all binaries: http://flare-on.com/files/Flare-On3_Challenges.zip (pwd: flare). Regards
Hypnz, posted November 6, 2016: Thanks a lot, my friend.
fasya, posted November 7, 2016 (edited November 7, 2016 by fasya): Two other writeups: http://vulnerablespace.blogspot.com/ and http://mshetta.blogspot.com/2016/11/flare-on-2016-writeup.html