Etor Madiv Posted June 18, 2017 @crystalboy Spoiler Thank you. Solved now (PAN{tricky...) using an automated HTTP POST request, because, you know, it is almost impossible to copy-paste quickly (and solve the challenge) under a VM, specifically when using a 3G internet connection.
fasya Posted June 18, 2017 Guys, any hint about a good tool to parse HWP files for Docs #3?
kao Posted June 18, 2017 Microsoft converter. Or you can Google for the challenge author's name and HWP to find an explanation of the file format.
imaqt Posted June 18, 2017 (edited) 21 hours ago, Etor Madiv said: @kao So the algorithm that generates the PAN{hash} must be reused to send that quickly via a POST request? Because I thought that the flag is something that does not begin with PAN{ Spoiler This includes the "RickMorty" string they add? I wrote a simple Python script to keep sending the flag, but nothing seems to work really. Edited June 18, 2017 by imaqt
Etor Madiv Posted June 18, 2017 Can I borrow a Mac from you guys? I will not be able to continue the binary challenges because Binary #4 is OS X ransomware.
NotSure Posted June 20, 2017 Anyone here solved Mobile 1? This seems to have no logic.
kao Posted June 20, 2017 @NotSure: yes. It does have logic and is perfectly solvable.
kao Posted June 20, 2017 3 hours ago, pop said: It's getting an exception because the number is too big to parse Well, then you need to find a much smaller number... Spoiler You're looking for a signed long. What is its min/max value?
Etor Madiv Posted June 20, 2017 (edited) For Mobile #1, here is a solution I found leaked online, but I still have no idea how to get that value. Spoiler REMOVED - Loki Edited June 21, 2017 by Loki No solutions please
kao Posted June 21, 2017 @Etor Madiv: please don't spoil the fun by giving full solutions! It's just ruining the game. 2
re_sigh Posted June 21, 2017 Could anyone point me in the right direction for Docs #2? At least I think it's Docs 2, not sure because I did a bunch of the random challenges as well... but it's the PPT with VB that has 2 embedded Word docs in it with some VB... I literally spent so many hours on it and tried every tool I can think of/find in Windows and Linux... just keep hitting a brick wall. Would appreciate it if anyone can suggest anything.
DivBy0 Posted June 21, 2017 Can anyone please help with Binary 01? Spoiler At a high level, with procmon I can see the processes spawned and the files read. I understand that the first exe hollows out what it spawns to write in the high-entropy file, then it starts its thread again. The newly spawned and started process reads in its key file and then just sits there. Do I need to use x64dbg and change control flow to see the flag on the stack? Following through from the first exe does not reveal anything that resembles a flag; neither does attaching to the spawned process. Please please please help, I only want to complete Binary 01 to get the noob track done.
Etor Madiv Posted June 21, 2017 @Loki, why not delete the whole reply in the first place? I would be fine if you sent me a notification privately expressing that one should not post full solutions, unless you forgot to add that rule to The Board Rules.
kao Posted June 21, 2017 @re_sigh: You mean "Please help me find the n33dle_challenge_File.ppt"? That's Random #5. Spoiler In the biggest Word document there's a big embedded thing. Look into it.
re_sigh Posted June 22, 2017 @kao: Yeah, I did notice some embedded OCX stuff when I initially pulled the docs out, but it didn't work well in my version of Office (2016) with compatibility settings, so I guess I'll give a different version a shot. Thanks for the tip in any case.
crystalboy Posted June 22, 2017 Author (edited) @DivBy0 Spoiler Once you understand what the main executable is doing to create the child process, focus on the child. Edited June 22, 2017 by crystalboy
kao Posted June 23, 2017 (edited) Has anyone solved Level 2 in Binary #5? I truly hate that part as it has nothing to do with reversing. EDIT: never mind, solved. This and Programming #3 are great examples of how to ruin an otherwise really fun challenge. Edited June 23, 2017 by kao
Downpour Posted June 23, 2017 I have some more time this weekend for reversing. My question is: do you really need a VM for Binary #3? Or can I overcome those checks for a virtual machine and continue running the application on my PC? Like, are certain values from the VM necessary for the flag, or can I skip that whole part and try to modify the binary so it will run on my PC without a VM? Spoiler I tried Oracle VM with Win 10 but it didn't seem to work. After research I found out it's checking for VMware with the magic value and the IN instruction (but the command isn't 10? Is there a list of command IDs available?). Also somewhere there was a cpuid check I believe, but I didn't investigate that much yet.
kao Posted June 23, 2017 @Castor: No, you don't *need* it. In fact, I did 95% of the analysis in IDA. But debugging goes so much faster with a VM, as you can focus on reversing instead of trying to modify the binary to make it run. Spoiler If you don't have any VMware images, just grab some from http://modern.ie/ Commands are described on the VMware site as well as here: https://sites.google.com/site/chitchatvmback/backdoor 1
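The two anti-VM checks Downpour describes above (the VMware "backdoor" I/O port probed with the IN instruction, and a cpuid check), as an added example that is not code from the thread or from the challenge binary. It uses the publicly documented backdoor interface from the page kao links: EAX = 0x564D5868 ("VMXh"), DX = port 0x5658 ("VX"), ECX = command number; command 10 (0x0A) is GETVERSION, and VMware answers by echoing the magic back in EBX. On bare metal, or under any other hypervisor, a ring-3 IN raises #GP, which Linux delivers as SIGSEGV, so the probe is wrapped in a sigsetjmp/siglongjmp guard (a Windows sample would do the same with __try/__except). The second check reads the CPUID hypervisor-present bit (leaf 1, ECX bit 31) and the vendor leaf 0x40000000; the VMware vendor string "VMwareVMware" is well known but not something the thread itself states. Function and constant names are my own.

```c
/* Added example (not code from the thread or the challenge binary):
 * VMware backdoor probe and CPUID hypervisor check, written so they
 * can be run safely on any x86 Linux host. */
#define _POSIX_C_SOURCE 200809L
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

#define VMWARE_MAGIC           0x564D5868u  /* "VMXh", must be in EAX   */
#define VMWARE_PORT            0x5658u      /* "VX", the I/O port in DX */
#define VMWARE_CMD_GETVERSION  0x0Au        /* command 10: GETVERSION    */

static sigjmp_buf probe_env;

/* A ring-3 IN on anything but VMware raises #GP -> SIGSEGV. Jump back out. */
static void probe_fault(int sig)
{
    (void)sig;
    siglongjmp(probe_env, 1);
}

/* Returns 1 if the VMware backdoor answered GETVERSION, else 0.
 * VMware traps this port access even from user mode, which is why a
 * sample can use it without installing a driver. */
int vmware_backdoor_present(void)
{
#if defined(__x86_64__) || defined(__i386__)
    struct sigaction sa, old_segv;
    uint32_t eax = VMWARE_MAGIC, ebx = 0, ecx = VMWARE_CMD_GETVERSION;
    uint32_t edx = VMWARE_PORT;
    volatile int present = 0;   /* volatile: survives the siglongjmp */

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = probe_fault;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_NODEFER;
    sigaction(SIGSEGV, &sa, &old_segv);

    if (sigsetjmp(probe_env, 1) == 0) {
        __asm__ __volatile__("inl %%dx, %%eax"
                             : "+a"(eax), "+b"(ebx), "+c"(ecx)
                             : "d"(edx)
                             : "memory");
        /* The hypervisor echoes the magic in EBX; EAX holds the version. */
        present = (ebx == VMWARE_MAGIC);
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    return present;
#else
    return 0;   /* no x86 I/O ports to probe on this architecture */
#endif
}

/* CPUID leaf 1, ECX bit 31: the "hypervisor present" bit. 1 if set. */
int cpuid_hypervisor_present(void)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned int a, b, c, d;
    if (!__get_cpuid(1, &a, &b, &c, &d))
        return 0;
    return (c >> 31) & 1u;
#else
    return 0;
#endif
}

/* Leaf 0x40000000 returns the hypervisor vendor string in EBX:ECX:EDX
 * (e.g. "VMwareVMware"). Writes up to 12 chars plus NUL into out, or ""
 * when the hypervisor bit is not set. */
void cpuid_hypervisor_vendor(char out[13])
{
    out[0] = '\0';
#if defined(__x86_64__) || defined(__i386__)
    unsigned int a, b, c, d;
    if (!cpuid_hypervisor_present())
        return;
    __cpuid(0x40000000u, a, b, c, d);
    memcpy(out + 0, &b, 4);
    memcpy(out + 4, &c, 4);
    memcpy(out + 8, &d, 4);
    out[12] = '\0';
#endif
}

int main(void)
{
    char vendor[13];
    cpuid_hypervisor_vendor(vendor);
    printf("CPUID hypervisor bit: %d\n", cpuid_hypervisor_present());
    printf("CPUID vendor leaf   : \"%s\"\n", vendor);
    printf("VMware backdoor     : %s\n",
           vmware_backdoor_present() ? "answered (inside VMware)"
                                     : "faulted (not VMware)");
    return 0;
}
```

Build with `gcc -O2 vmprobe.c -o vmprobe`. On a laptop it prints "faulted"; in a VMware guest it prints "answered". When patching a sample to run outside VMware, this is also what to look for in the disassembly: the IN with EAX = 0x564D5868 followed by a compare of EBX against the same magic (and, for the cpuid path, a test of bit 31 of ECX after `cpuid` with EAX = 1); flipping the conditional jump after that compare is what makes the binary proceed on bare metal.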
Loki Posted June 23, 2017 On 21/06/2017 at 7:17 PM, Etor Madiv said: @Loki, why not delete the whole reply in the first place? I would be fine if you sent me a notification privately expressing that one should not post full solutions, unless you forgot to add that rule to The Board Rules. 1. I haven't given you a warning, just removed part of your post. I saw no need to delete your post and see little need to justify editing it either, tbh. 2. Board rules are board rules; there are many things we could spell out in there but choose not to. We expect some common sense and general courtesy. We also reserve the right to remove content, even though we censor very little. Again, I don't really feel the need to justify moderating your post (hence no PM etc.), but I am doing so out of courtesy because you have asked.
fasya Posted June 26, 2017 On 6/10/2017 at 7:25 PM, evandrix said: I'm stuck on Document #3 - got the images from usb.pcap, then what? I got the second half of the flag, any hints where to look for the first half?
tec Posted June 27, 2017 4 hours ago, fasya said: I got the second half of the flag, any hints where to look for the first half? Look back! You have missed it. It is way easier than part 1.
fasya Posted June 27, 2017 7 hours ago, tec said: Look back! You have missed it. It is way easier than part 1. Yup, I know it must be further back, but I can't find exactly where it was: PDF, HWP or JavaScript.