June 18, 2017 @crystalboy Thank you. Solved now (PAN{tricky...) via using an automated HTTP POST request, because you know it is almost impossible to copy-paste quickly -and solve the challenge- under a VM, specifically when using a 3G internet connection.
June 18, 2017 Microsoft converter. Or you can Google for the challenge authors' name and HWP to find an explanation of the file format.
June 18, 2017 21 hours ago, Etor Madiv said: "@kao So the algorithm that generates the PAN{hash} must be reused to send that quickly via a POST request? Because I thought that the flag is something that does not begin with PAN{" This includes the "RickMorty" string they add? I wrote a simple Python script to keep sending the flag, but nothing seems to work really. Edited June 18, 2017 by imaqt
June 18, 2017 Can I borrow a Mac from you guys? I will not be able to continue the binary challenges because Binary #4 is an OSX ransomware.
June 20, 2017 3 hours ago, pop said: "It's getting an exception because the number is too big to parse" Well, then you need to find a much smaller number.. You're looking for a signed long - what's the min/max value of it?
June 20, 2017 For Mobile #1, here is a solution I found leaked online, but still have no idea how to get that value. REMOVED - Loki Edited June 21, 2017 by Loki No solutions please
June 21, 2017 @Etor Madiv: please don't spoil the fun by giving full solutions! It's just ruining the game.
June 21, 2017 Could anyone point me in the right direction for Docs #2? At least I think it's Docs 2, not sure because I did a bunch of the random challenges as well ... but it's the PPT with VB that has 2 embedded Word docs in it with some VB ... literally spent so many hours on it and tried every tool I can think of/find in Windows and Linux ... just keep hitting a brick wall. Would appreciate it if anyone can suggest anything.
June 21, 2017 Can anyone plz help with Binary 01? At a high level with procmon I can see the processes spawned and the files read. I understand that the first exe hollows out what it spawns to write in the high entropy file, it then starts its thread again. The newly spawned and started process reads in its key file and then just sits there. Do I need to use x64dbg and change control flow to see the flag on the stack? Following through from the first exe does not reveal anything that resembles a flag, neither does attaching to the spawned process. Plz plz plz help, I only want to complete Binary 01 to get the noob track done.
June 21, 2017 @Loki why not delete the whole reply in the first place? And I will be fine if you send me a notification privately expressing that one should not post full solutions, unless you forgot to add that rule to The Board Rules.
June 21, 2017 @re_sigh: You mean "Please help me find the n33dle_challenge_File.ppt"? That's Random #5. In the biggest Word document there's a big embedded thing. Look into it.
June 22, 2017 @kao: Yeah I did notice some embedded OCX stuff when I initially pulled the docs out but it didn't work well in my version of Office (2016) with compatibility settings, so I guess I'll give a different version a shot. Thanks for the tip in any case.
June 22, 2017 Author @DivBy0 Once you understood what the main executable is doing to create the child process, focus on the child. Edited June 22, 2017 by crystalboy
June 23, 2017 Has anyone solved Level 2 in Binary #5? I truly hate that part as it has nothing to do with reversing. EDIT: nevermind, solved. This and Programming #3 are great examples of how to ruin an otherwise really fun challenge. Edited June 23, 2017 by kao
June 23, 2017 I have some more time this weekend for reversing, my question is: do you really need a VM for Binary #3? Or can I overcome those checks for a virtual machine and continue running the application on my PC? Like, are there certain values from the VM necessary for the flag, or can I skip that whole part and try to modify the binary so it will run on my PC without a VM? I tried Oracle VM with Win 10 but it didn't seem to work. After research I found out it's checking for VMware with the magic value and the IN instruction (but the command isn't 10? Is there a list of command IDs available?) Also somewhere was a cpuid check I believe, but I didn't investigate it that much yet.
June 23, 2017 @Castor: No, you don't *need* it. In fact, I did 95% of the analysis in IDA. But debugging goes so much faster with a VM as you can focus on reversing instead of trying to modify the binary to make it run. If you don't have any VMware images, just grab some from http://modern.ie/ Commands are described on the VMware site as well as here: https://sites.google.com/site/chitchatvmback/backdoor
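The "magic value and IN instruction" check discussed in the two posts above is the VMware I/O backdoor: EAX holds 0x564D5868 ('VMXh') and DX holds port 0x5658 before an IN. As an added triage example (not code from the challenge or from anyone in this thread), the script below scans raw bytes for that immediate and reports whether the port constant and an IN opcode follow it; the sample bytes are constructed.

```python
import re

# VMware I/O backdoor constants: magic 0x564D5868 ('VMXh') in EAX, port 0x5658 in DX.
VMWARE_MAGIC_LE = b"\x68\x58\x4d\x56"   # 0x564D5868 little-endian, as in a mov imm32
VMWARE_PORT_LE = b"\x58\x56"           # 0x5658 little-endian
IN_OPCODES = (0xEC, 0xED)              # 'in al, dx' / 'in eax, dx'


def find_vmware_backdoor(data: bytes, window: int = 64):
    """Return (offset, port_seen, in_seen) for every VMXh immediate in `data`.

    port_seen / in_seen say whether the port constant and an IN opcode occur
    within `window` bytes after the magic; both together is the classic check.
    0xEC/0xED are also ordinary bytes (e.g. in 'mov ebp,esp'), so a hit is a
    place to look in the disassembler, not a verdict on its own.
    """
    hits = []
    for m in re.finditer(re.escape(VMWARE_MAGIC_LE), data):
        tail = data[m.end():m.end() + window]
        port_seen = VMWARE_PORT_LE in tail
        in_seen = any(b in IN_OPCODES for b in tail)
        hits.append((m.start(), port_seen, in_seen))
    return hits


def triage(data: bytes) -> str:
    """Coarse label for a blob: full check pattern, bare constant, or nothing."""
    hits = find_vmware_backdoor(data)
    if any(port and inn for _, port, inn in hits):
        return "vmware-backdoor-check"
    if hits:
        return "vmxh-constant-only"
    return "clean"


# Constructed sample bytes (not from the challenge): push ebp / mov ebp,esp /
# mov eax,0x564D5868 / mov ebx,10 / mov dx,0x5658 / in eax,dx / pop ebp / ret
SAMPLE_CHECK = bytes.fromhex("558bec" "b868584d56" "bb0a000000" "66ba5856" "ed" "5dc3")
# Constructed benign blob: push ebp / mov ebp,esp / 20 nops / pop ebp / ret
SAMPLE_BENIGN = bytes.fromhex("558bec" + "90" * 20 + "5dc3")

if __name__ == "__main__":
    for name, blob in (("check", SAMPLE_CHECK), ("benign", SAMPLE_BENIGN)):
        print(name, triage(blob), find_vmware_backdoor(blob))
```

Run it over a PE's text section (or the whole file) to get candidate offsets to jump to in IDA or x64dbg.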
June 23, 2017 On 21/06/2017 at 7:17 PM, Etor Madiv said: "@Loki why not delete the whole reply in the first place? And I will be fine if you send me a notification privately expressing that one should not post full solutions, unless you forgot to add that rule to The Board Rules." 1. I haven't given you a warning, just removed part of your post. I saw no need to delete your post and see little need to justify editing it either, tbh. 2. Board rules are board rules, there are many things we could spell out in there but choose not to. We expect some common sense and general courtesy. We also reserve the right to remove content, even though we censor very little. Again, I don't really feel the need to justify moderating your post (hence no PM etc) but I am doing so out of courtesy because you have asked.
June 26, 2017 On 6/10/2017 at 7:25 PM, evandrix said: "I'm stuck on Document #3 - got the images from usb.pcap, then what?" I got the second half of the flag, any hints where to look for the first half?
June 27, 2017 4 hours ago, fasya said: "I got the second half of the flag, any hints where to look for the first half?" Look back! You have missed it. It is way easier than part 1.
June 27, 2017 7 hours ago, tec said: "Look back! You have missed it. It is way easier than part 1." Yup, I know it must be back but can't find exactly where it was: PDF, HWP or JavaScript.