Tuts 4 You

LabyREnth Capture the Flag (CTF) Challenge - 2017


crystalboy

@crystalboy

Spoiler

Thank you. Solved now (PAN{tricky...) by using an automated HTTP POST request, because you know it is almost impossible to copy-paste quickly -and solve the challenge- under a VM, specifically when using a 3G internet connection.




Microsoft converter. Or you can Google for challenge authors' name and HWP to find explanation of file format.


21 hours ago, Etor Madiv said:

@kao


So the algorithm that generates the PAN{hash} must be reused to send it quickly via a POST request? Because I thought that the flag is something that does not begin with PAN{


Spoiler


This includes the "RickMorty" string they add?

I wrote a simple Python script to keep sending the flag, but nothing seems to work really.


Edited by imaqt

Can I borrow a Mac from you guys? I will not be able to continue the binary challenges because Binary #4 is an OS X ransomware.


3 hours ago, pop said:

It's getting an exception because the number is too big to parse

Well, then you need to find a much smaller number..

Spoiler

You're looking for signed long - what's the min/max value of it?



For Mobile #1, here is a solution I found leaked online, but I still have no idea how to get that value.

Spoiler

REMOVED - Loki


Edited by Loki
No solutions please

Could anyone point me in the right direction for Docs #2? At least I think it's Docs 2, not sure because I did a bunch of the random challenges as well ... but it's the PPT with VB that has 2 embedded Word docs in it with some VB ... I literally spent so many hours on it and tried every tool I can think of/find in Windows and Linux ... just keep hitting a brick wall. Would appreciate it if anyone can suggest anything.


Can anyone please help with Binary 01,

Spoiler

At a high level, with procmon I can see the processes spawned and the files read. I understand that the first exe hollows out what it spawns to write in the high-entropy file, then starts its thread again. The newly spawned and started process reads in its key file and then just sits there. Do I need to use x64dbg and change control flow to see the flag on the stack? Following through from the first exe does not reveal anything that resembles a flag; neither does attaching to the spawned process.

Please please please help, I only want to complete Binary01 to get the noob track done.


@Loki

Why not delete the whole reply in the first place? I would be fine if you sent me a notification privately expressing that one should not post full solutions, unless you forgot to add that rule to The Board Rules.


@re_sigh You mean "Please help me find the n33dle_challenge_File.ppt"? That's Random #5.

Spoiler

In the biggest Word document there's a big embedded thing. Look into it.



@kao: Yeah I did notice some embedded OCX stuff when I initially pulled the docs out but it didn't work well in my version of office (2016) with compatibility settings, so I guess I'll give a different version a shot. Thanks for the tip in any case. ;)


@DivBy0

Spoiler

Once you understand what the main executable is doing to create the child process, focus on the child. :)


Edited by crystalboy

Has anyone solved Level 2 in Binary #5? I truly hate that part as it has nothing to do with reversing.


EDIT: never mind, solved. This and Programming #3 are great examples of how to ruin an otherwise really fun challenge. :(


Edited by kao

I have some more time this weekend for reversing, my question is: do you really need a VM for the Binary #3? Or can I overcome those checks for virtual machine and continue running the application on my PC? Like are there certain values from the VM necessary for the Flag or can I skip that whole part and try to modify the binary so it will run on my pc without VM?


Spoiler

I tried Oracle VM with Win 10 but it didn't seem to work. After research I found out it's checking for VMware with the magic value and the IN instruction (but the command isn't 10? Is there a list of command IDs available?). Also somewhere there was a cpuid check, I believe, but I didn't investigate it that much yet.



@Castor: No, you don't *need* it. In fact, I did 95% of the analysis in IDA. But debugging goes so much faster with a VM as you can focus on reversing instead of trying to modify the binary to make it run.

Spoiler

If you don't have any VMWare images, just grab some from http://modern.ie/
Commands are described on the VMware site as well as here: https://sites.google.com/site/chitchatvmback/backdoor



On 21/06/2017 at 7:17 PM, Etor Madiv said:

@Loki

Why not delete the whole reply in the first place? I would be fine if you sent me a notification privately expressing that one should not post full solutions, unless you forgot to add that rule to The Board Rules.

1. I haven't given you a warning, just removed part of your post. I saw no need to delete your post and see little need to justify editing it either, tbh.

2. Board rules are board rules; there are many things we could spell out in there but choose not to. We expect some common sense and general courtesy. We also reserve the right to remove content, even though we censor very little. Again, I don't really feel the need to justify moderating your post (hence no PM etc.) but I am doing so out of courtesy because you have asked.


On 6/10/2017 at 7:25 PM, evandrix said:

I'm stuck on Document #3 - got the images from usb.pcap, then what?

I got the second half of the flag, any hints where to look for the first half?


4 hours ago, fasya said:

I got the second half of the flag, any hints where to look for the first half?

Look back! You have missed it.

It is way easier than part1.


7 hours ago, tec said:

Look back! You have missed it.

It is way easier than part1.

Yup, I know it must be back there but I can't find exactly where it was: pdf, hwp or javascript.
