Jump to content
Tuts 4 You

Flare-On 7


kao

Recommended Posts

With all respect to the efforts of the authors of the challenges, I advise you guys not to evaluate yourself or skills

based on how many challenges of those you were able to solve, do it only for fun, it can be really depressing not

to be able to pass some of the challenges, it's just a CTF in the end.

  • Thanks 2
Link to comment
Share on other sites

Hi again.

I have a question regarding Task 7. Do i need to put correct values to ECX / ESI registers to things go like it have to?  Are there any things that needs to be done to registers/code to work like it should be?

I speak with some 'code' to not spoil to much to others. If i am speaking in too encrypted form please let me know :)

This task is quite new to me and i do not know if i am missing something or doing mistake.

Thank you tips.

Edited by ECX
Link to comment
Share on other sites

Not a topic of spoilers, but of technical help for #9

Are there any good references to getting a kernel debugging environment setup with WinDbg? I searched here, and searched for kdnet, but found nothing.

I've follow various KDnet guides, setup two VMs, tried LAN, and COM, but spent a weekend where I could've solved #9 in just troubleshooting (without success) WinDbg.

In the past I've done ghetto analysis of drivers. Which is literally copying the executable into current memory space, then forcing jmp/calls into the code while repairing the stack along the way, and nop'ing out things that'll cause issues. But there's just way too much going on to do that here.

Edited by Rurik
Link to comment
Share on other sites

I don't know how task 9 looks like but Did you try settings up VM + VirtualKD-Redux. WinDBG on host which attaches to VM?  VirtualKD-redux supports new Windbg Preview which is more userfriendly :)

Then load driver by osrloader/ KMDmanager (tool to load drivers- i do not remember the name)... In Process Explorer you can check the base address where it loaded the driver. From Host you can control VM with windbg.

 

Edited by ECX
Link to comment
Share on other sites

@Rurik: why the kdnet requirement? Why 2 virtual machines?

 

I'm no kernel debugging wizard by any means, but here's a primitive setup that serves me well. WinDbg runs on my main machine, connects to VMWare guest machine via a named pipe.  Pretty much everything was taken from this guide: https://www.triplefault.io/2017/07/setting-up-kernel-debugging-using.html

 

1) Windbg - I have a BAT file with the command-line. It's used only for kernel debugging:

windbg -k com:pipe,port=\\.\pipe\com_1,resets=0,reconnect

2) VMWare guest is set up to have virtual com port that uses named pipe:

Spoiler

spacer.png

3) When necessary, I enable kernel debugging in VMWare guest using bcdedit commands from elevated command prompt:

bcdedit /debug on
bcdedit /dbgsettings serial debugport:1 baudrate:115200

4) Reboot the guest machine, it will freeze for ~30 seconds waiting for WinDbg to attach.

5) Run WinDbg from .BAT file, done.

 

If you insist on running WinDbg in the other VM, you can still link 2 machines via virtual com port and named pipes. I just quickly tried, something like this:

1) set up VMWare with kernel debugging enabled just like before.
2) set up VMWare with Windbg to use com port like this:

Spoiler

spacer.png

Notice "this end is the client" setting

3) Start VMWare with WinDbg, run WinDbg like this:

windbg -k com:port=COM1,baud=115200

4) (re-)start VMWare with kernel debugging enabled, WinDbg should automagically attach.

 

Link to comment
Share on other sites

12 hours ago, Rurik said:

In the past I've done ghetto analysis of drivers. Which is literally copying the executable into current memory space, then forcing jmp/calls into the code ..

That's interesting. Does this work for kernel drivers? Lets say I have a driver and want to run it in Kernel space. Copy the .sys file to kernel memory and jump to an offset inside that memory area? I guess copying it to user space memory and jumping to it wont work because of SMEP (something to think about later).

Edited by waronz
Link to comment
Share on other sites

21 minutes ago, waronz said:

That's interesting. Does this work for kernel drivers? Lets say I have a driver and want to run it in Kernel space. Copy the .sys file to kernel memory and jump to an offset inside that memory area? I guess copying it to user space memory and jumping to it wont work because of SMEP (something to think about later).

I've also been able to change the PE header for a driver to a DLL, LoadLibrary it, and call the routines as exports ... or just call() straight into them. It's very ghetto-ish, and did it for an earlier year. 

Like Flare-on 2015, Challenge 10

https://www.ghettoforensics.com/2015/09/solving-2015-flare-on-challenges.html

  • Like 1
Link to comment
Share on other sites

2 hours ago, kao said:

@Rurik: why the kdnet requirement? Why 2 virtual machines?

I'm no kernel debugging wizard by any means, but here's a primitive setup that serves me well. WinDbg runs on my main machine, connects to VMWare guest machine via a named pipe.  Pretty much everything was taken from this guide: https://www.triplefault.io/2017/07/setting-up-kernel-debugging-using.html

Much appreciated! In reviewing the setup I was under the impression that it was a necessary setup, as that was the only prescribed way I found to do kernel debugging. And, it's a heavily complicated procedure. After going at it in various ways, using kdnet was a clue I found from others, so I took it as the required route. I had not found that set of instructions. Though I've done many of the steps, I'll walk through it to test. Thank you!

Link to comment
Share on other sites

18 hours ago, ECX said:

Hi again.

I have a question regarding Task 7. Do i need to put correct values to ECX / ESI registers to things go like it have to?  Are there any things that needs to be done to registers/code to work like it should be?

I speak with some 'code' to not spoil to much to others. If i am speaking in too encrypted form please let me know :)

This task is quite new to me and i do not know if i am missing something or doing mistake.

Thank you tips.

When make payload on msf, you can focus "BufferRegister". 

Edited by loossy
Link to comment
Share on other sites

Is my thinking right? I take the "ASCII code"...then i can allocate it in my test app, jump to it and will it work? I think the problem is with my registers when i jump to allocated code....and i cannot find the correct values or i do not understand how this shellcode works.

Do i need to prepare special environment? Last resort would be installation of IIS and check it on real example. Can you shed some light to my problem? Thanks

 

Link to comment
Share on other sites

31 minutes ago, ECX said:

Is my thinking right? I take the "ASCII code"...then i can allocate it in my test app, jump to it and will it work? I think the problem is with my registers when i jump to allocated code....and i cannot find the correct values or i do not understand how this shellcode works.

Do i need to prepare special environment? Last resort would be installation of IIS and check it on real example. Can you shed some light to my problem? Thanks

 

The shellcode should run out of the box.

Spoiler

Take care of the file format used to save the shellcode.

 

Link to comment
Share on other sites

3 hours ago, ECX said:

Is my thinking right? I take the "ASCII code"...then i can allocate it in my test app, jump to it and will it work? I think the problem is with my registers when i jump to allocated code....and i cannot find the correct values or i do not understand how this shellcode works.

Do i need to prepare special environment? Last resort would be installation of IIS and check it on real example. Can you shed some light to my problem? Thanks

 

Windows system use unicode base.

Link to comment
Share on other sites

On 9/28/2020 at 11:26 PM, ECX said:

Is my thinking right? I take the "ASCII code"...then i can allocate it in my test app, jump to it and will it work? I think the problem is with my registers when i jump to allocated code....and i cannot find the correct values or i do not understand how this shellcode works.

Do i need to prepare special environment? Last resort would be installation of IIS and check it on real example. Can you shed some light to my problem? Thanks

 

Hi

You don't need make shellcode. all things you need exists in the dump

Link to comment
Share on other sites

There have been a lot of people stuck on #8. I was. Not because I couldn't figure it out but because the flag was such bunk.

I can't believe it passed Q&A, but the flag on #8 is not a 31337-speak phrase like all the others. It's gibberish. I spent *HOURS* trying to find the flag when I had it all along, but it didn't look like a typical flag.

While it's considered improper in CTFs, spam the scoreboard with whatever values you find on #8 and you may be right.

Link to comment
Share on other sites

1 minute ago, Rurik said:

There have been a lot of people stuck on #8. I was. Not because I couldn't figure it out but because the flag was such bunk.

I can't believe it passed Q&A, but the flag on #8 is not a 31337-speak phrase like all the others. It's gibberish. I spent *HOURS* trying to find the flag when I had it all along, but it didn't look like a typical flag.

While it's considered improper in CTFs, spam the scoreboard with whatever values you find on #8 and you may be right.

Exactly. I had the flag for a day and i was trying to find it. This challenge didn't have any special tip and trick it was just a patch

Link to comment
Share on other sites

ch10 nudges are welcome :)

Spoiler

My linux low level knowledge is somewhat limited, so far I have approached the challenge by hooking the syscall that prevents debugging to get an overall picture of whats going on. I have read that people have found a "partial" flag. Is that required to pass the first stage (password)? I assume, that the initial comparison of the hardcoded decoy flag is altered by either pokedata or some elf thing. To those who solved it, how did you approach it? Any tools you can recommend? thank you.

 

Edited by waronz
Link to comment
Share on other sites

I've never used Windbg before and am struggling a bit with using it. Can anyone suggest how to launch the challenge 9 .exe in a VM and attach to it with Windbg on my host (I followed kao's instructions, which work fine)? When I launch it, it closes so fast that I can't attach to it.
I tried breaking in "bu nt!MmCreateProcessAddressSpace", but walking up the stack trace is very slow. I feel like I'm overcomplicating things

Edited by blick
Link to comment
Share on other sites

1 hour ago, blick said:

I've never used Windbg before and am struggling a bit with using it. Can anyone suggest how to launch the challenge 9 .exe in a VM and attach to it with Windbg on my host (I followed kao's instructions, which work fine)? When I launch it, it closes so fast that I can't attach to it.
I tried breaking in "bu nt!MmCreateProcessAddressSpace", but walking up the stack trace is very slow. I feel like I'm overcomplicating things

You can use sxe command

Link to comment
Share on other sites

Can anyone give me a hint for challenge 7? I think I am in the last quarter of the challenge but I have no idea what I'm seeing right now.

 

Spoiler

I was able to run the shellcode and decrypt/decode the payload from the PCAP. After the decoding/decrypting, the call returns to an "in eax, dx" instruction which will crash my program (could be an anti vm check?) The next instruction after the "in eax,dx" instruction is a call 72D954F which is also crashing because that address does not exist. How far am I away from the flag? Does this code need to be executed and I'm doing something wrong? 

 

 

Edited by lazydaemon
Link to comment
Share on other sites

4 minutes ago, lazydaemon said:

Can anyone give me a hint for challenge 7? I think I am in the last quarter of the challenge but I have no idea what I'm seeing right now.

 

  Hide contents

I was able to run the shellcode and decrypt/decode the payload from the PCAP. After the decoding/decrypting, the call returns to an "in eax, dx" instruction which will crash my program (could be an anti vm check?) The next instruction after the "in eax,dx" instruction is a call 72D954F which is also crashing because that address does not exist. How far am I away from the flag? Does this code need to be executed and I'm doing something wrong? 

 

 

 

I believe that to be due to an error in the decoder script.

Find another version of it.

There should be no "IN" instructions from what I recall.

Link to comment
Share on other sites

The in instruction appears after the running this code (thats the code, doing stuff on the data from the PCAP):

 

challenge7.png

 

Could it be a problem with the endianness? Because I just copied the data from the pcap into the allocated memory region (instead of providing data for the 'recv' call)

Edited by lazydaemon
Link to comment
Share on other sites

I've really hit a wall with challenge #9 this year. I've been trying for a probably more than a week now and I still haven't felt like I have made any progress.
Can someone point me in the right direction? Thanks
 

Spoiler

So I've extracted several files from the crackinstaller and tried a number of things.
Things I've tried:
- Extracted the driver and DLL(s)
- Written a COM application to interface and debug the COM DLL, found some interesting functions writing to the registry
- Debugged the driver and found a decryption routine which gives me a non-ASCII string but not sure how it "connects" with the rest of the application
I think I understand the flow from the application to the driver but I'm not sure about how it communicates back and what it is communicating back,

 

Edited by AeroX2
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...