Etor Madiv Posted June 18, 2017 Posted June 18, 2017 @crystalboy Reveal hidden contents Thank you. Solved now (PAN{tricky...) via using an automated http post request, because you know it is almost impossible to copy past quickly -and solve the challenge- under a VM spcifically when using 3G internet connection.
fasya Posted June 18, 2017 Posted June 18, 2017 guys, any hint about a good tool to parse HWP files for docs #3?
kao Posted June 18, 2017 Posted June 18, 2017 Microsoft converter. Or you can Google for challenge authors' name and HWP to find explanation of file format.
imaqt Posted June 18, 2017 Posted June 18, 2017 (edited) On 6/17/2017 at 8:36 PM, Etor Madiv said: @kao Reveal hidden contents So the algorithm that generate the PAN{hash} must be reused to send that quickly via a post request ? because I thought that the flag is something that does not begin with PAN{ Expand Reveal hidden contents This includes the "RickMorty" string they add? wrote a simple python script to keep sending the flag, but nothing seems to work really. Edited June 18, 2017 by imaqt
Etor Madiv Posted June 18, 2017 Posted June 18, 2017 Can I borrow a Mac from you guys, I will not be able to continue binary challenges because Binary #4 is an osxransomware
NotSure Posted June 20, 2017 Posted June 20, 2017 anyone here solved mobile 1 ? this seems to have no logic
kao Posted June 20, 2017 Posted June 20, 2017 @NotSure: yes. It does have logic and is perfectly solvable.
kao Posted June 20, 2017 Posted June 20, 2017 On 6/20/2017 at 1:01 PM, pop said: Its getting an exception because the number is too big to parse Expand Well, then you need to find a much smaller number.. Reveal hidden contents You're looking for signed long - what's the min/max value of it?
Etor Madiv Posted June 20, 2017 Posted June 20, 2017 (edited) For mobile #1, here is solution i found leaked online, but still have no idea how to get that value. Reveal hidden contents REMOVED - Loki Edited June 21, 2017 by Loki No solutions please
kao Posted June 21, 2017 Posted June 21, 2017 @Etor Madiv: please don't spoil the fun by giving full solutions! It's just ruining the game. 2
re_sigh Posted June 21, 2017 Posted June 21, 2017 Could anyone point me in the right direction for Docs #2 ? At least I think its docs 2, not sure because I did a bunch of the random challenges as well ... but its the ppt with vb that has 2 embeded word docs in it with some vb ... literally spent so many hours on it and tried every tool I can think of/find in windows and linux ... just keep hitting a brick wall. Would appreciate if anyone can suggest anything.
DivBy0 Posted June 21, 2017 Posted June 21, 2017 Can anyone plz help with binary 01, Reveal hidden contents At a high level with procmon I can see the processes spawned and the files read, I understand that the first exe hollows out whats it spawns to write in the high entropy file, it then starts its thread again. the newly spawned and started process read in its key file and then just sits there. Do I need to use the x64dbg and change control flow to see the flag on the stack. following through from the first exe does not reveal anything that resembles a flag neither does attaching to the spawned process. Plz plz plz helps, I only want to complete binary01 to get the noob track done.
Etor Madiv Posted June 21, 2017 Posted June 21, 2017 @Loki why not delete the whole reply in the first place and I will be fine if you sent me a notification privately expressing that one should not post full solutions. unless if you forgot to add that rule to The Board Rules.
kao Posted June 21, 2017 Posted June 21, 2017 @re_sigh: You mean "Please help me find the n33dle_challenge_File.ppt"? That's Random #5. Reveal hidden contents In the biggest Word document there's a big embedded thing. Look into it.
re_sigh Posted June 22, 2017 Posted June 22, 2017 @kao: Yeah I did notice some embedded OCX stuff when I initially pulled the docs out but it didn't work well in my version of office (2016) with compatibility settings, so I guess I'll give a different version a shot. Thanks for the tip in any case.
crystalboy Posted June 22, 2017 Author Posted June 22, 2017 (edited) @DivBy0 Reveal hidden contents Once you understood what the main executable is doing to create the child process focus on the child. Edited June 22, 2017 by crystalboy
kao Posted June 23, 2017 Posted June 23, 2017 (edited) Has anyone solved Level 2 in Binary #5? I truly hate that part as it has nothing to do with reversing. EDIT: nevermind, solved. This and Programming #3 are great examples of how to ruin otherwise really fun challenge. Edited June 23, 2017 by kao
Downpour Posted June 23, 2017 Posted June 23, 2017 I have some more time this weekend for reversing, my question is: do you really need a VM for the Binary #3? Or can I overcome those checks for virtual machine and continue running the application on my PC? Like are there certain values from the VM necessary for the Flag or can I skip that whole part and try to modify the binary so it will run on my pc without VM? Reveal hidden contents I tried Oracle VM with Win 10 but it didn't seem to work. After research I found out it's checking for VMWare with the Magic value and input instruction (but the command isn't 10? Is there a list of command IDs available?) Also somewhere was a cpuid check I believe but didn't investigate into it that much yet.
kao Posted June 23, 2017 Posted June 23, 2017 @Castor: No, you don't *need* it. In fact, I did 95% of analysis in IDA. But debugging goes so much faster with VM as you can focus on reversing instead of trying to modify binary to make it run. Reveal hidden contents If you don't have any VMWare images, just grab some from http://modern.ie/ Commands are decribed on VMWare site as well as here: https://sites.google.com/site/chitchatvmback/backdoor 1
Loki Posted June 23, 2017 Posted June 23, 2017 On 6/21/2017 at 6:17 PM, Etor Madiv said: @Loki why not delete the whole reply in the first place and I will be fine if you sent me a notification privately expressing that one should not post full solutions. unless if you forgot to add that rule to The Board Rules. Expand 1. I havent given you a warning, just removed part of your post. I saw no need to delete your post and see little need to justify editing it either tbh 2. Board rules are board rules, there are many things we could spell out in there but choose not to. We expect some common sense and general courtesy. We also reserve the right to remove content, even though we censor very little. Again, I dont really feel the need to justify moderating your post (hence no PM etc) but I am doing so out of courtesy because you have asked.
fasya Posted June 26, 2017 Posted June 26, 2017 On 6/10/2017 at 5:25 PM, evandrix said: i'm stuck on Document #3 - got the images from usb.pcap, then what? Expand I got the second half of the flag, any hints where to look for the first half?
tec Posted June 27, 2017 Posted June 27, 2017 On 6/26/2017 at 9:48 PM, fasya said: I got the second half of the flag, any hints where to look for the first half? Expand Look back! You have missed it. It is way easier than part1.
fasya Posted June 27, 2017 Posted June 27, 2017 On 6/27/2017 at 2:39 AM, tec said: Look back! You have missed it. It is way easier than part1. Expand yup I know it must be back but cant find exactly where it was, pdf, hwp or javascript
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now