Flare-On 7

[kraxgrr]

4 hours ago, lazydaemon said:

The in instruction appears after the running this code (thats the code, doing stuff on the data from the PCAP):

 

 

Could it be a problem with the endianness? Because I just copied the data from the pcap into the allocated memory region (instead of providing data for the 'recv' call)

 

Oh I thought you encountered the IN instruction early on. Like just after unpacking the shellcode.

Then I don't know.

I just copied the required data and provided it by a netcat session.

I think eventually as I went over it again I just pasted the data into the recv() buffer and set retval as successful and skipped over the actual call

Do check that whatever data you provide is actually correct.

I had an issue with python in the sense that it encoded weirdly.

As in the string "\x86" instead of setting 0x86 in a binary it would encode each character so I would have '\', 'x', '8', '6' in hex. 4 characters instead of 1.

Seems to have been an issue with the way python3 wants data compared to how it was done in python2.

 

[kraxgrr]

1 hour ago, AeroX2 said:

I've really hit a wall with challenge #9 this year. I've been trying for a probably more than a week now and I still haven't felt like I have made any progress.
Can someone point me in the right direction? Thanks
 

  Reveal hidden contents

So I've extracted several files from the crackinstaller and tried a number of things.
Things I've tried:
- Extracted the driver and DLL(s)
- Written a COM application to interface and debug the COM DLL, found some interesting functions writing to the registry
- Debugged the driver and found a decryption routine which gives me a non-ASCII string but not sure how it "connects" with the rest of the application
I think I understand the flow from the application to the driver but I'm not sure about how it communicates back and what it is communicating back,

 

 

The password you find should be understandable by human.

So if it is all non-human-readable (non-ASCII) you have the wrong one.

 

[lazydaemon]

35 minutes ago, kraxgrr said:

 

Oh I thought you encountered the IN instruction early on. Like just after unpacking the shellcode.

Then I don't know.

I just copied the required data and provided it by a netcat session.

I think eventually as I went over it again I just pasted the data into the recv() buffer and set retval as successful and skipped over the actual call

Do check that whatever data you provide is actually correct.

I had an issue with python in the sense that it encoded weirdly.

As in the string "\x86" instead of setting 0x86 in a binary it would encode each character so I would have '\', 'x', '8', '6' in hex. 4 characters instead of 1.

Seems to have been an issue with the way python3 wants data compared to how it was done in python2.

 

I basically did the same.

 

Spoiler

First recv call is reading 4 bytes and xor them with 524f584B. This will be the length of the actual payload (0x4D7). Then its allocating memory with VirtualAllocExA and writing the other 1239 Bytes to that memory. I also copied them directly into the memory region and skipped all the other recv calls. When I look at the decrpytion/decoding part, everything looks fine in terms of lengths and so on. So I have no idea what I'm missing.

 

[lazydaemon]

Found my mistake 😉

[bohaw]

For 9

I am at the point where I can step through 9 and see what is happening with the driver. I now have seen a pop culture quote. Am I on the right track, or is this something added in to be funny like the covid19-sucks string in an early challenge?

and it is okay if this question is not answered, but can the flag be observed through a debugger without writing additional code? Or will I not be able to get around writing something to communicate with the DLL.

Edited October 7, 2020 by bohaw

[kao]

Thankfully, you don't need to know meaning of any memes or recognize any pop culture references to solve the challenge. String is just a string.
 

Spoiler

That specific string could be useful.

I didn't have to write any COM client to get the flag. YMMV.

[Washi]

I found that as a rule of thumb, when you start seeing quotes, jokes or texts that refer to flare-on, it is usually a clue put in by the challenge authors indicating that you are on the right track. Also, just noticing that it is a quote is enough, flare-on never seems to rely on riddles that go beyond the scope of reverse engineering.

 

[ECX]

Hello again.

Does Challenge 9 need clean windows 10 or any special settings? I get BSOD on DeviceIOControl. thanks for reply.

Edited October 9, 2020 by ECX

[Washi]

@ECX There have been multiple reports of challenge 9 causing blue screens for some people. The organizers suggested the following:

Quote

Avoid a possible blue-screen by debugging this on a single core VM

Did you try this already?

[Soozi]

7 hours ago, ECX said:

Hello again.

Does Challenge 9 need clean windows 10 or any special settings? I get BSOD on DeviceIOControl. thanks for reply.

I used from a windows 7 with 1 core cpu in virtualbox. But you may get BSOD sometimes in debugging but a restart solves the problem. Run your debugger as administrator

[Handunken22]

Hi, any hints on the last challenge ?

What I have done is:

Spoiler

• I dumped the dll, fix its header and got IDA analyzed it.
• I tried debug but it kept crashing.
• The code is too big, I can't RE all the functions.

 

[loossy]

I am doing flare-on7's 10th challenge.

I found first flag.

I analyzed the whole code, but couldn't find second flag.

Does anyone have any advice for me?

Bloew is what I did.

Spoiler

1. Determined the relationship to fork-ptrace-waitpid.
2. The structure of ptrace was applied.
3. child2 hooks a specific syscall.
4. It is assumed that child2 and child3 operate as handlers with a specific 4byte dword value.
5. The embedded file is decrypted, and the first 32 bytes are suspicious, but there is no object for comparison.

 

[Rurik]

7 minutes ago, loossy said:

I am doing flare-on7's 10th challenge.

I analyzed the whole code, but couldn't find second flag.

Does anyone have any advice for me?

 

They like to hide their flag checks in some really nice routines.

[sysc4ll]

Hello guys, I'm currently doing challenge 6 and I've found the correct thing that needs to be found.
I have some issues with the actual decryption, I am getting an error from CryptDecrypt (0x80090005 - NTE_BAD_DATA) and I do not understand why, If someone can help me out with this a little I would be glad.
BTW I tried to change the value in the au3 script and I still get the same error (also when I implement the same api calls in C)

[kao]

10 hours ago, sysc4ll said:

I am getting an error from CryptDecrypt (0x80090005 - NTE_BAD_DATA)

Crypto is 100% standard, so this error probably means you didn't find "the correct thing that needs to be found".

Spoiler

Are you an autoit fan?

 

[sysc4ll]

4 hours ago, kao said:

Crypto is 100% standard, so this error probably means you didn't find "the correct thing that needs to be found".

  Reveal hidden contents

Are you an autoit fan?

 

The answer to your question is yes,

(the spoiler one), I just have no idea how to make a hidden text in here... 

[ashoka_]

Hello,i am quite new to reverse engineering. My friend suggested me to try flareon challenge. I will start today. I just want to know can anyone please recommend me good reference material in case i stuck at some challenge. 

[Kurapica]

So you are new to reverse engineering and your friend suggested Flareon ?

you really have some good friends.

[ashoka_]

9 minutes ago, Kurapica said:

So you are new to reverse engineering and your friend suggested Flareon ?

you really have some good friends.

thanks

[sysc4ll]

4 hours ago, Kurapica said:

So you are new to reverse engineering and your friend suggested Flareon ?

you really have some good friends.

LOL, some friends he got there... 😂

[Kurapica]

7 hours ago, ashoka_ said:

thanks

Man, Flareon is for experienced reversers or at least those who are not just starting, I recommend that you start mastering the basics

and familiarize yourself with the many concepts that you may need to understand, and come back next year to play those

Flareon challenges, you will definitely score better.

[loossy]

I am analyzing ch 10.

If possible, could you advice me how to checked key table information (logging, tracing.. some anything) OR reverse engineering know-how in this situation(fork-ptrace-waitpid)?

[Washi]

8 hours ago, Kurapica said:

Man, Flareon is for experienced reversers or at least those who are not just starting, I recommend that you start mastering the basics

and familiarize yourself with the many concepts that you may need to understand, and come back next year to play those

Flareon challenges, you will definitely score better.

To be fair though, the first few challenges are relatively easy. If you're new, you probably won't finish all challenges, maybe not even half of them, but it doesn't hurt to give it a shot

Also a lot can be learnt while reading write-ups of previous runs of the flare-on CTF.

  

6 hours ago, loossy said:

I am analyzing ch 10.

If possible, could you advice me how to checked key table information (logging, tracing.. some anything) OR reverse engineering know-how in this situation(fork-ptrace-waitpid)?

Spoiler

Probably not the best advice, but I did everything with the good old debug print technique. Alternatively, maybe you can look into how you can "trace" certain function calls. What other techniques exists for dynamic analysis other than using a debugger directly?

 

Edited October 13, 2020 by Washi

[ECX]

Hi, need help with CH 9.

 Does CreateThread(kernel version) is important? I am stuck in the driver.  What is important in the driver?

I noticed that my remote debugging session in one certain point does not have RETN. Did you also have it when you were struggling with driver?

Thanks for any tips.

Also thanks for tip with 1 core VM (windows 7)...it works better but still crashing on some actions.

Is windows 10(1-Core VM) a must have?

 

 

 

 

Edited October 14, 2020 by ECX

[ashoka_]

On 10/13/2020 at 7:28 PM, Kurapica said:

Man, Flareon is for experienced reversers or at least those who are not just starting, I recommend that you start mastering the basics

and familiarize yourself with the many concepts that you may need to understand, and come back next year to play those

Flareon challenges, you will definitely score better.

After spending three days i m still stuck at 4th challenge now i understand what it mean to be a reverse engineer. May be i will not solve all(or may be even the half of them) the challenge but i still try my best till the last day.