Tuts 4 You

Flare-On 7



So anyway. #9. Crackstaller. I hate it. 😞

I have found an entry for a certain CLSID that contains an empty entry for FLAG and PASSWORD.

I've extracted several files.

Reversing around these functions I found that the only place this is written is where they are actually set to NULL so there is nothing to get.

Yet I see people announcing they have passed it.

Any hint for what I should look for or do next?

Kurapica

With all respect to the efforts of the authors of the challenges, I advise you guys not to evaluate yourself or your skills based on how many of those challenges you were able to solve. Do it only for fun; it can be really depressing not to be able to pass some of the challenges. It's just a CTF in the end.


Hi again.

I have a question regarding Task 7. Do I need to put correct values into the ECX / ESI registers for things to go like they have to? Are there any things that need to be done to the registers/code for it to work like it should?

I speak in some 'code' so as not to spoil too much for others. If I am speaking in too encrypted a form, please let me know :)

This task is quite new to me and I do not know if I am missing something or making a mistake.

Thank you for the tips.

Edited by ECX

Not a topic of spoilers, but of technical help for #9

Are there any good references to getting a kernel debugging environment setup with WinDbg? I searched here, and searched for kdnet, but found nothing.

I've followed various KDnet guides, set up two VMs, tried LAN and COM, but spent a weekend where I could've solved #9 just troubleshooting (without success) WinDbg.

In the past I've done ghetto analysis of drivers. Which is literally copying the executable into current memory space, then forcing jmp/calls into the code while repairing the stack along the way, and nop'ing out things that'll cause issues. But there's just way too much going on to do that here.

Edited by Rurik

I don't know what task 9 looks like, but did you try setting up a VM + VirtualKD-Redux, with WinDbg on the host attaching to the VM? VirtualKD-Redux supports the new WinDbg Preview, which is more user-friendly :)

Then load the driver with OSRLoader / KMDManager (a tool to load drivers; I do not remember the name)... In Process Explorer you can check the base address where it loaded the driver. From the host you can control the VM with WinDbg.

Edited by ECX

@Rurik: why the kdnet requirement? Why 2 virtual machines?

 

I'm no kernel debugging wizard by any means, but here's a primitive setup that serves me well. WinDbg runs on my main machine and connects to the VMware guest machine via a named pipe. Pretty much everything was taken from this guide: https://www.triplefault.io/2017/07/setting-up-kernel-debugging-using.html

 

1) Windbg - I have a BAT file with the command-line. It's used only for kernel debugging:

windbg -k com:pipe,port=\\.\pipe\com_1,resets=0,reconnect

2) VMWare guest is set up to have virtual com port that uses named pipe:

[image: VMware guest serial port settings (named pipe)]

3) When necessary, I enable kernel debugging in VMWare guest using bcdedit commands from elevated command prompt:

bcdedit /debug on
bcdedit /dbgsettings serial debugport:1 baudrate:115200

4) Reboot the guest machine, it will freeze for ~30 seconds waiting for WinDbg to attach.

5) Run WinDbg from .BAT file, done.

 

If you insist on running WinDbg in the other VM, you can still link the 2 machines via a virtual com port and named pipes. I just quickly tried it; something like this:

1) set up the VMware guest with kernel debugging enabled just like before.
2) set up the VMware guest with WinDbg to use a com port like this:

[image: VMware serial port settings for the WinDbg guest]

Notice the "this end is the client" setting

3) Start the VMware guest with WinDbg, and run WinDbg like this:

windbg -k com:port=COM1,baud=115200

4) (re-)start VMWare with kernel debugging enabled, WinDbg should automagically attach.

 

12 hours ago, Rurik said:

In the past I've done ghetto analysis of drivers. Which is literally copying the executable into current memory space, then forcing jmp/calls into the code ..

That's interesting. Does this work for kernel drivers? Let's say I have a driver and want to run it in kernel space. Copy the .sys file to kernel memory and jump to an offset inside that memory area? I guess copying it to user space memory and jumping to it won't work because of SMEP (something to think about later).

Edited by waronz
21 minutes ago, waronz said:

That's interesting. Does this work for kernel drivers? Let's say I have a driver and want to run it in kernel space. Copy the .sys file to kernel memory and jump to an offset inside that memory area? I guess copying it to user space memory and jumping to it won't work because of SMEP (something to think about later).

I've also been able to change the PE header of a driver to a DLL, LoadLibrary it, and call the routines as exports ... or just call() straight into them. It's very ghetto-ish, and I did it for an earlier year.

Like Flare-on 2015, Challenge 10

https://www.ghettoforensics.com/2015/09/solving-2015-flare-on-challenges.html

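An added example of the "change the PE header for a driver to a DLL" trick Rurik describes above. This is not Rurik's code and not a file from any Flare-On challenge: it only patches the three header fields that decide how the user-mode loader treats an image (the IMAGE_FILE_DLL characteristic, the Subsystem, and AddressOfEntryPoint, zeroed so the loader never calls DriverEntry) and lists the DLLs the image imports, since a driver's imports from ntoskrnl.exe / HAL.dll still have to be satisfied by a stub DLL before LoadLibrary will succeed. The sample image returned by build_sample_driver() is constructed in the script purely so it runs offline; pass a real .sys path instead to inspect and patch that file.

```python
"""Patch a kernel driver's PE headers so user-mode LoadLibrary will map it.

Added example (not from the thread or from Flare-On). Fields touched:
  * COFF Characteristics |= IMAGE_FILE_DLL  -> loader treats it as a library
  * Subsystem NATIVE -> WINDOWS_CUI         -> user-mode loader accepts it
  * AddressOfEntryPoint -> 0                -> DriverEntry is never called
Imports from ntoskrnl.exe / HAL.dll must still be stubbed; imported_dlls()
reports which DLL names a stub has to provide.
"""
import struct
import sys

IMAGE_FILE_DLL = 0x2000
IMAGE_SUBSYSTEM_NATIVE = 1
IMAGE_SUBSYSTEM_WINDOWS_CUI = 3


def _headers(data):
    """Return (coff_offset, optional_header_offset, nsections, opt_size, is_pe64)."""
    if bytes(data[:2]) != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if bytes(data[e_lfanew:e_lfanew + 4]) != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    pe64 = struct.unpack_from("<H", data, opt)[0] == 0x20B
    return coff, opt, nsec, opt_size, pe64


def rva_to_offset(data, rva):
    """Map an RVA to a file offset through the section table."""
    _, opt, nsec, opt_size, _ = _headers(data)
    sec = opt + opt_size
    for i in range(nsec):
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, sec + i * 40 + 8)
        if va <= rva < va + max(vsize, rawsize):
            return rawptr + (rva - va)
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def imported_dlls(data):
    """DLL names from the import directory (DataDirectory[1]), in table order."""
    _, opt, _, _, pe64 = _headers(data)
    dd = opt + (0x70 if pe64 else 0x60) + 8      # data directory entry 1
    rva, _size = struct.unpack_from("<II", data, dd)
    names = []
    if rva == 0:
        return names
    off = rva_to_offset(data, rva)
    while True:
        _ilt, _ts, _fwd, name_rva, _iat = struct.unpack_from("<IIIII", data, off)
        if name_rva == 0:                        # all-zero descriptor ends the table
            break
        noff = rva_to_offset(data, name_rva)
        names.append(bytes(data[noff:data.index(b"\0", noff)]).decode("ascii"))
        off += 20
    return names


def pe_loader_fields(data):
    """(Characteristics, Subsystem, AddressOfEntryPoint) as the loader reads them."""
    coff, opt, _, _, _ = _headers(data)
    chars = struct.unpack_from("<H", data, coff + 18)[0]
    subsystem = struct.unpack_from("<H", data, opt + 0x44)[0]  # same offset in PE32/PE32+
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    return chars, subsystem, entry


def driver_to_dll(data):
    """Return a patched copy that LoadLibrary will map without running DriverEntry."""
    buf = bytearray(data)
    coff, opt, _, _, _ = _headers(buf)
    chars = struct.unpack_from("<H", buf, coff + 18)[0]
    struct.pack_into("<H", buf, coff + 18, chars | IMAGE_FILE_DLL)
    struct.pack_into("<H", buf, opt + 0x44, IMAGE_SUBSYSTEM_WINDOWS_CUI)
    struct.pack_into("<I", buf, opt + 16, 0)     # entry point 0: nothing is called on load
    return bytes(buf)


def build_sample_driver():
    """Constructed PE32+ shaped like a driver: native subsystem, no DLL flag,
    imports from ntoskrnl.exe and HAL.dll. Sample input only, not a real file."""
    sec_va, sec_raw, sec_size = 0x1000, 0x200, 0x200
    body = bytearray(sec_size)
    for i, (name, noff) in enumerate([("ntoskrnl.exe", 0x40), ("HAL.dll", 0x50)]):
        struct.pack_into("<IIIII", body, i * 20, 0, 0, 0, sec_va + noff, 0)
        body[noff:noff + len(name) + 1] = name.encode() + b"\0"
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0xF0, 0x0022)  # EXE|LARGE_ADDRESS_AWARE
    opt = bytearray(0xF0)
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 16, 0x1100)                # pretend DriverEntry RVA
    struct.pack_into("<H", opt, 0x44, IMAGE_SUBSYSTEM_NATIVE)
    struct.pack_into("<II", opt, 0x70 + 8, sec_va, 60)    # import directory RVA / size
    sec = bytearray(40)
    sec[:6] = b".rdata"
    struct.pack_into("<IIII", sec, 8, sec_size, sec_va, sec_size, sec_raw)
    hdr = dos + b"PE\0\0" + coff + opt + sec
    return bytes(hdr + bytearray(sec_raw - len(hdr)) + body)


if __name__ == "__main__":
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_driver()
    print("imports:", imported_dlls(raw))
    print("before: ", ["%#x" % f for f in pe_loader_fields(raw)])
    patched = driver_to_dll(raw)
    print("after:  ", ["%#x" % f for f in pe_loader_fields(patched)])
    if len(sys.argv) > 2:
        open(sys.argv[2], "wb").write(patched)
```

Usage: `python driver_to_dll.py input.sys output.dll`. Whether the patched file then loads depends entirely on its imports, which is why the script prints them first; everything here stays in user mode, so SMEP never comes into play, but any routine you call() into must not touch kernel-only state.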
2 hours ago, kao said:

@Rurik: why the kdnet requirement? Why 2 virtual machines?

I'm no kernel debugging wizard by any means, but here's a primitive setup that serves me well. WinDbg runs on my main machine and connects to the VMware guest machine via a named pipe. Pretty much everything was taken from this guide: https://www.triplefault.io/2017/07/setting-up-kernel-debugging-using.html

Much appreciated! In reviewing the setup I was under the impression that it was a necessary setup, as that was the only prescribed way I found to do kernel debugging. And, it's a heavily complicated procedure. After going at it in various ways, using kdnet was a clue I found from others, so I took it as the required route. I had not found that set of instructions. Though I've done many of the steps, I'll walk through it to test. Thank you!

18 hours ago, ECX said:

Hi again.

I have a question regarding Task 7. Do I need to put correct values into the ECX / ESI registers for things to go like they have to? Are there any things that need to be done to the registers/code for it to work like it should?

I speak in some 'code' so as not to spoil too much for others. If I am speaking in too encrypted a form, please let me know :)

This task is quite new to me and I do not know if I am missing something or making a mistake.

Thank you for the tips.

When making a payload in msf, you can focus on "BufferRegister".

Edited by loossy

Is my thinking right? I take the "ASCII code"... then I can allocate it in my test app, jump to it, and will it work? I think the problem is with my registers when I jump to the allocated code... and I cannot find the correct values, or I do not understand how this shellcode works.

Do I need to prepare a special environment? The last resort would be installing IIS and checking it on a real example. Can you shed some light on my problem? Thanks

31 minutes ago, ECX said:

Is my thinking right? I take the "ASCII code"... then I can allocate it in my test app, jump to it, and will it work? I think the problem is with my registers when I jump to the allocated code... and I cannot find the correct values, or I do not understand how this shellcode works.

Do I need to prepare a special environment? The last resort would be installing IIS and checking it on a real example. Can you shed some light on my problem? Thanks

The shellcode should run out of the box.

Spoiler

Take care of the file format used to save the shellcode.

 

3 hours ago, ECX said:

Is my thinking right? I take the "ASCII code"... then I can allocate it in my test app, jump to it, and will it work? I think the problem is with my registers when I jump to the allocated code... and I cannot find the correct values, or I do not understand how this shellcode works.

Do I need to prepare a special environment? The last resort would be installing IIS and checking it on a real example. Can you shed some light on my problem? Thanks

Windows systems use Unicode as their base.


Hi. Anyone willing to discuss the 10th challenge? I'm blocked somewhere in the middle. Please DM.

On 9/28/2020 at 11:26 PM, ECX said:

Is my thinking right? I take the "ASCII code"... then I can allocate it in my test app, jump to it, and will it work? I think the problem is with my registers when I jump to the allocated code... and I cannot find the correct values, or I do not understand how this shellcode works.

Do I need to prepare a special environment? The last resort would be installing IIS and checking it on a real example. Can you shed some light on my problem? Thanks

Hi

You don't need to make shellcode. All the things you need exist in the dump.


There have been a lot of people stuck on #8. I was. Not because I couldn't figure it out but because the flag was such bunk.

I can't believe it passed Q&A, but the flag on #8 is not a 31337-speak phrase like all the others. It's gibberish. I spent *HOURS* trying to find the flag when I had it all along, but it didn't look like a typical flag.

While it's considered improper in CTFs, spam the scoreboard with whatever values you find on #8 and you may be right.

1 minute ago, Rurik said:

There have been a lot of people stuck on #8. I was. Not because I couldn't figure it out but because the flag was such bunk.

I can't believe it passed Q&A, but the flag on #8 is not a 31337-speak phrase like all the others. It's gibberish. I spent *HOURS* trying to find the flag when I had it all along, but it didn't look like a typical flag.

While it's considered improper in CTFs, spam the scoreboard with whatever values you find on #8 and you may be right.

Exactly. I had the flag for a day and I was trying to find it. This challenge didn't have any special tip or trick; it was just a patch.

waronz

ch10 nudges are welcome :)

Spoiler

My Linux low-level knowledge is somewhat limited; so far I have approached the challenge by hooking the syscall that prevents debugging, to get an overall picture of what's going on. I have read that people have found a "partial" flag. Is that required to pass the first stage (password)? I assume that the initial comparison of the hardcoded decoy flag is altered by either pokedata or some ELF thing. To those who solved it, how did you approach it? Any tools you can recommend? Thank you.

 

Edited by waronz

I've never used WinDbg before and am struggling a bit with using it. Can anyone suggest how to launch the challenge 9 .exe in a VM and attach to it with WinDbg on my host (I followed kao's instructions, which work fine)? When I launch it, it closes so fast that I can't attach to it.
I tried breaking on "bu nt!MmCreateProcessAddressSpace", but walking up the stack trace is very slow. I feel like I'm overcomplicating things.

Edited by blick
loossy
1 hour ago, blick said:

I've never used WinDbg before and am struggling a bit with using it. Can anyone suggest how to launch the challenge 9 .exe in a VM and attach to it with WinDbg on my host (I followed kao's instructions, which work fine)? When I launch it, it closes so fast that I can't attach to it.
I tried breaking on "bu nt!MmCreateProcessAddressSpace", but walking up the stack trace is very slow. I feel like I'm overcomplicating things.

You can use the sxe command.

lazydaemon

Can anyone give me a hint for challenge 7? I think I am in the last quarter of the challenge but I have no idea what I'm seeing right now.

 

Spoiler

I was able to run the shellcode and decrypt/decode the payload from the PCAP. After the decoding/decrypting, the call returns to an "in eax, dx" instruction, which will crash my program (could it be an anti-VM check?). The next instruction after the "in eax, dx" instruction is a call 72D954F, which also crashes because that address does not exist. How far am I from the flag? Does this code need to be executed and am I doing something wrong?

 

 

Edited by lazydaemon
kraxgrr
4 minutes ago, lazydaemon said:

Can anyone give me a hint for challenge 7? I think I am in the last quarter of the challenge but I have no idea what I'm seeing right now.

 

Spoiler

I was able to run the shellcode and decrypt/decode the payload from the PCAP. After the decoding/decrypting, the call returns to an "in eax, dx" instruction, which will crash my program (could it be an anti-VM check?). The next instruction after the "in eax, dx" instruction is a call 72D954F, which also crashes because that address does not exist. How far am I from the flag? Does this code need to be executed and am I doing something wrong?


I believe that to be due to an error in the decoder script.

Find another version of it.

There should be no "IN" instructions from what I recall.

lazydaemon

The in instruction appears after running this code (that's the code doing stuff on the data from the PCAP):

[image: challenge7.png]

Could it be a problem with the endianness? Because I just copied the data from the pcap into the allocated memory region (instead of providing data for the 'recv' call).

Edited by lazydaemon
