Jump to content
Tuts 4 You

LabyREnth Capture the Flag (CTF) Challenge - 2017

crystalboy

By crystalboy
in Reverse Engineering Articles

 Share

Recommended Posts

ctfallday

ctfallday

Posted
Posted
On 6/17/2017 at 5:56 PM, crystalboy said:

@Etor Madiv

  Reveal hidden contents

You should just be faster. You can send it or just copy and paste it on the website but you must be fast! :)

 

Thanks! Solved it! This probably was my favorite challenge do date! 

  • Replies 92
  • Created
  • Last Reply

Top Posters In This Topic

  • kao

    22

  • evandrix

    8

  • Rurik

    7

  • Etor Madiv

    7

Popular Days

Top Posters In This Topic

Popular Days

Popular Posts

kao
kao

Unfortunately for that weekend I have some other plans in "real life".  So, I'll take part in it but only starting on Monday..   Last year it was THE best CTF challenge I tried, so I can who

crystalboy
crystalboy

Official site: http://labyrenth.com/Announcement: https://researchcenter.paloaltonetworks.com/2017/04/unit42-labyrenth-ctf-2017/

kao
kao

@Castor: yep, first challenges of binary track are more difficult. No more base64 or xor, it's proper reversing this year. Other tracks aren't that hard. @akkaldama: there shouldn't be an excepti

pivskid

pivskid

Posted
Posted

Can anyone give a hint at doc2. I think I know what to do and I get the following key

Spoiler

PAN{63g8db85T83F}

but it is wrong :rolleyes:.

Can anyone tell if it is just me not getting the ascii art correct or if I have misunderstood the task.

Thanks!

crystalboy

crystalboy

Posted
  • Author
Posted

@pivskid 

Spoiler

Yes you didn't get the ascii correctly. Some of your characters are wrong.

To correct them you can reference to this website: http://patorjk.com/ ;)

 

pivskid

pivskid

Posted
Posted

Thanks crystalboy! Finally, got the right key :P 

Does anyone know how to programatically extract the key for the xor'ing? the key that is overwritten on document open?

I tried oletools and oledump to no avail but maybe there is another way...

ctfallday

ctfallday

Posted
Posted (edited)

Any hints of mobile 2? I figured out what file is looking for, pretty sure how many chars it is looking for in that file; 29, but not sure what it is doing after that. I tried strace to see if the response is different if a character matches, but that doesnt seem to be the case... kinda stuck. I have been trying to use gdb-multiarch and radare2, but cant really debug the program. I also tried NOPing out the ptrace... 

Thanks! 

Edited by ctfallday
ctfallday

ctfallday

Posted
Posted

is the second binary from rev 1 a ping binary? just want to make sure i didnt miss anything. 

akkaldama

akkaldama

Posted
Posted

@ctfallday

It decrypts something, keep debugging.

 

Regards,

akkaldama.

Rurik

Rurik

Posted
Posted
On 7/6/2017 at 11:28 AM, ctfallday said:

Any hints of mobile 2? I figured out what file is looking for, pretty sure how many chars it is looking for in that file; 29, but not sure what it is doing after that. I tried strace to see if the response is different if a character matches, but that doesnt seem to be the case... kinda stuck. I have been trying to use gdb-multiarch and radare2, but cant really debug the program. I also tried NOPing out the ptrace... 

Thanks! 

It's in there. You got the first part done, you're just overlooking the rest somewhere. I did it in QEMU-MIPS with gdb.

ctfallday

ctfallday

Posted
Posted (edited)
3 hours ago, Rurik said:

It's in there. You got the first part done, you're just overlooking the rest somewhere. I did it in QEMU-MIPS with gdb.

Thanks Rurik... i had tried doing that, but the stack and all pointers come up as blank of gdb for some reason. for some reason, i have having issues with reading process memory no matter which debugger i am using. sudo or not. 

Edited by ctfallday
akkaldama

akkaldama

Posted
Posted

Any hints on docs4?

Got the first macro, i have edited to set the resolution.. etc as per the calculation value, got the xor encrypted content from pos 83012 but stuck at the the xor decryption as it gives invalid .doc file based on my language settings.

 

Regards,

akkaldama

kirby

kirby

Posted
Posted

Any hints for binary 3?

Spoiler

I've got to the part where it needs some 64 bytes in the host's clipboard, but I can't work out what it wants.

 

tec

tec

Posted
Posted
On 2017/7/16 at 4:01 PM, akkaldama said:

Any hints on docs4?

Got the first macro, i have edited to set the resolution.. etc as per the calculation value, got the xor encrypted content from pos 83012 but stuck at the the xor decryption as it gives invalid .doc file based on my language settings.

 

Regards,

akkaldama

Wrong offset!

There are system calls other than resolution. Try all combinations of parameters.

  • Like 1
tec

tec

Posted
Posted
On 2017/7/18 at 3:21 AM, kirby said:

Any hints for binary 3?

  Reveal hidden contents

I've got to the part where it needs some 64 bytes in the host's clipboard, but I can't work out what it wants.

 

Spoiler

There are some byte wise conversion along with redundant (repeated) computations. Then the comparison after the whole loop.

It is related to the text produced earlier.

 

evandrix

evandrix

Posted
Posted

nvm...solved

Downpour

Downpour

Posted
Posted (edited)

This is a nice writeup for the binary challenges which goes more into detail than necessary in my opinion but still really good: https://fevral.github.io/

and congrats to everyone who solved the challenges!

Edited by Castor
  • 2 weeks later...

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing
×
×
  • Create New...