kao Posted August 12, 2021 Get ready! Quote The contest will begin at 8:00 p.m. ET on Sept. 10, 2021. This is a CTF-style challenge for all active and aspiring reverse engineers, malware analysts, and security professionals. The contest runs for six full weeks and ends at 8:00 p.m. ET on Oct. 22, 2021. This year’s contest will consist of 10 challenges and feature a variety of formats, including Windows, Linux, and JavaScript ... Check the Flare-On website for a live countdown timer, to view the previous year’s winners, and to download past challenges and solutions for practice. For official news and information, we will be using the Twitter hashtag: #flareon8. Source: http://www.fireeye.com/blog/threat-research/2021/08/announcing-the-eighth-annual-flare-on-challenge.html
Kurapica Posted August 12, 2021 I hope it turns out to be better than previous year's contest. Thanks kao
Washi Posted August 12, 2021 (edited) Yikes, that's not great timing for me. I'll probably have to start a few days late :c Also, only 10 challenges this time around (as opposed to the usual 11 or 12)? They must be difficult ones. Edited August 12, 2021 by Washi
LLMN Posted September 12, 2021 Can anyone give me a hint for challenge 3? I spent 2 days on it already and I'm not sure what else to try. I'm currently trying to figure out the expected answers to the questions in approach.
unionselect Posted September 12, 2021 I could use a nudge on 3 as well. I've pulled out all the information, and feel like I have the binary understood. But no flag.
kao Posted September 12, 2021 Author Challenge 3: Spoiler You need to figure out the correct order for the Docker layers and put them together.
JohnSull1van Posted September 12, 2021 Challenge #6 is so annoying - after #5 I expected a decent reverse engineering challenge with lots of static analysis involved - but it seems to be yet another guessing task. I've been staring at the PCAP for hours - and the only thing I could infer from the traffic was the packet format. No idea of how the payload is encrypted inside the packets. Any hints about that?
kao Posted September 12, 2021 Author #6: there's very little guessing involved. Spoiler That compression signature is well known.
unionselect Posted September 12, 2021 2 hours ago, kao said: Challenge 3: You need to figure out the correct order for the Docker layers and put them together. Hmmm....I did notice there were repeats and was wondering about order. I'll give that another look, thanks.
adicto Posted September 13, 2021 (edited) Still at 5, I've tried the RC4 key they gave but it's not working on any of the encrypted text, also don't know about the formula since a bunch of numbers are missing... Update: Found the way to the RC4 key, and now it's just the hexdump and the formula Update: The formula with numbers is for another cipher, already found them. But now I'm left with the big hex string with no clue to apply lol Update: got the hexstring cipher now. Spoiler hint: believe in the clues, if they tell you to do something, do it Edited September 13, 2021 by adicto
Mr. J Posted September 13, 2021 (edited) @kao and everyone else being stuck at evil(#9) try to re-submit your flag https://twitter.com/strigeus/status/1437504623665946632 Edited September 13, 2021 by Mr. J
kao Posted September 13, 2021 Author (edited) @Mr. J Thanks! They fixed the challenge description and now tell you which flags are false, so you don't waste time and energy submitting them. My problem was something else. Edited September 13, 2021 by kao
greenfield Posted September 14, 2021 (edited) nice Edited September 14, 2021 by greenfield
adicto Posted September 14, 2021 (edited) for #6, @kao, Spoiler do you mean the signature is included in the traffic? can't seem to make heads or tails of the compression used Update: I think I know what the filetype is now and the compression. But one tool I found isn't working. Edited September 14, 2021 by adicto
layered_design Posted September 14, 2021 (edited) Hello everyone, I figured out some of the ordering of level 3 (actually just one). But I am not sure how to 'reorder' the layers, could someone help me out? DM is also possible to prevent spoilers. Edited September 14, 2021 by layered_design added DM
Oggy Posted September 14, 2021 Can somebody give a little hint for challenge 4 :'((
greenfield Posted September 14, 2021 @layered_design Spoiler Stack the layers
greenfield Posted September 14, 2021 (edited) @kao any hint to ch 8, please?) Edited September 14, 2021 by greenfield
loossy Posted September 14, 2021 I have a question for ch3. I don't know if the way I'm doing it is right. 1. I checked the first comparison value in the approach, and made the value calculation process into code as it is. However, it is difficult to inversely compute the comparison value. 2. Couldn't find a way to configure the docker layer. Could you please let me know what I am missing? If not, what keyword should I search for how to set docker layer?
RookofSpades Posted September 14, 2021 I will say, this year definitely has me more stumped than the previous year. Though it also probably comes down to my inexperience with docker layers in general. (Been a while since I've googled a subject so aggressively.) This is probably as far as I go this year unless I figure out how to get un-lost in the sauce. (And then slam my head on a wall when they post the solutions when the challenge is over.) Maybe they upped the difficulty a smidgen due to the reduced number of stages though, that's the lie I'll tell myself. (Though based on the scoreboard it does seem like the 3rd challenge is where there's quite a bit of drop off.)
adicto Posted September 14, 2021 (edited) Best I can say for challenge 3 without giving much is treat docker as a repo like git. Each layer represents a commit to the code as an analogy Challenge 6 is giving me a headache. I figured out the small ones but the same approach is giving me an error on the actual thing that matters. Does anyone have a reference to the file format? Edited September 14, 2021 by adicto
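To make the Docker-layer hints above (kao's "correct order for the Docker layers" and adicto's git-commit analogy) concrete, here is an added example that is not code from the thread, the challenge or the Flare-On organisers: a stdlib-only Python script that reads manifest.json from a `docker save`-style tarball, whose Layers list runs from the base layer upward, and applies the layers in that order, honouring `.wh.` whiteout entries. The image and its three layers are constructed inline as sample data; nothing about the challenge's real layer contents is assumed.

```python
import io
import json
import tarfile

def make_tar(files):
    """Build an in-memory tar from {path: bytes}; entries keep dict insertion order."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for path, data in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def stack_layers(layer_blobs):
    """Apply layer tars base-first; a '.wh.<name>' entry deletes <name> from lower layers.
    (Opaque whiteouts '.wh..wh..opq' are not handled in this short example.)"""
    fs = {}
    for blob in layer_blobs:
        with tarfile.open(fileobj=io.BytesIO(blob), mode="r") as tf:
            for m in tf.getmembers():
                parent, _, base = m.name.rpartition("/")
                if base.startswith(".wh."):
                    fs.pop((parent + "/" if parent else "") + base[4:], None)
                elif m.isfile():
                    fs[m.name] = tf.extractfile(m).read()  # upper layer overrides lower
    return fs

def rebuild_image(image_tar):
    """Read manifest.json from a 'docker save' tar; its Layers list is base-first."""
    with tarfile.open(fileobj=io.BytesIO(image_tar), mode="r") as tf:
        order = json.load(tf.extractfile("manifest.json"))[0]["Layers"]
        return stack_layers([tf.extractfile(p).read() for p in order])

def build_sample_image():
    """Constructed sample: layer tars stored scrambled; manifest gives the true order."""
    layers = {
        "aaa/layer.tar": make_tar({"app/flag.txt": b"part1-", "app/old.txt": b"stale"}),
        "bbb/layer.tar": make_tar({"app/flag.txt": b"part1-part2", "app/.wh.old.txt": b""}),
        "ccc/layer.tar": make_tar({"app/flag.txt": b"part1-part2-part3"}),
    }
    manifest = json.dumps([{"Config": "cfg.json", "RepoTags": [],
                            "Layers": ["aaa/layer.tar", "bbb/layer.tar", "ccc/layer.tar"]}]).encode()
    # Outer tar written as ccc, aaa, bbb: the order a directory listing might show, not the real one
    return make_tar({"ccc/layer.tar": layers["ccc/layer.tar"], "aaa/layer.tar": layers["aaa/layer.tar"],
                     "bbb/layer.tar": layers["bbb/layer.tar"], "manifest.json": manifest})

if __name__ == "__main__":
    print(rebuild_image(build_sample_image()))  # {'app/flag.txt': b'part1-part2-part3'}
```

Stacking the same layers in listing order instead of manifest order leaves stale files in place and truncates the flag, which is the symptom the thread describes.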
Washi Posted September 14, 2021 58 minutes ago, adicto said: Challenge 6 is giving me a headache. I figured out the small ones but the same approach is giving me an error on the actual thing that matters. Does anyone have a reference to the file format? Spoiler Verify that you are using the right "source data" for the actual messages.
zarny Posted September 14, 2021 (edited) for #6, I can't seem to figure out which method is used to properly convert the messages. I tried brute forcing every bit position as a starting point and removed consideration from any potential headers. Anything that does come back is obviously erroneous. Are those messages decodable with CyberChef? Or is it a different algorithm? Never mind, I managed to figure out what to use. Edited September 25, 2021 by zarny