
Tuts 4 You



Get ready! :)

Quote

The contest will begin at 8:00 p.m. ET on Sept. 10, 2021. This is a CTF-style challenge for all active and aspiring reverse engineers, malware analysts, and security professionals. The contest runs for six full weeks and ends at 8:00 p.m. ET on Oct. 22, 2021. This year’s contest will consist of 10 challenges and feature a variety of formats, including Windows, Linux, and JavaScript

...

Check the Flare-On website for a live countdown timer, to view the previous year’s winners, and to download past challenges and solutions for practice. For official news and information, we will be using the Twitter hashtag: #flareon8.

Source: http://www.fireeye.com/blog/threat-research/2021/08/announcing-the-eighth-annual-flare-on-challenge.html


Most Popular Posts

  • I just pushed my write-ups for all challenges as well. Could contain some spelling mistakes here and there, but here you go: https://washi1337.github.io/ctf-writeups/writeups/flare-on/2021/

  • Extreme Coders

    Indeed. Started late this year but managed to get all 10 done. Challenge 5 is literally the worst in my opinion. So much for guessing and making sense of all the weird recipes. 😂

  • @pcmcia: I wouldn't call FLARE-ON a crypto challenge.  Sure, it deals with encrypted data and some basic knowledge of cryptography is very useful - but it doesn't require you to come up with new and i


I hope it turns out to be better than previous year's contest.

Thanks kao

Yikes, that's not great timing for me. I'll probably have to start a few days late :c

Also, only 10 challenges this time around (as opposed to the usual 11 or 12)? They must be difficult ones.

Edited by Washi

  • 5 weeks later...

Can anyone give me a hint for challenge 3? I spent 2 days on it already and I'm not sure what else to try. I'm currently trying to figure out the expected answers to the questions in approach.

I could use a nudge on 3 as well. I've pulled out all the information, and feel like I have the binary understood. But no flag.

  • Author

Challenge 3:

Spoiler

You need to figure out the correct order for the Docker layers and put them together.

 

Challenge #6 is so annoying - after #5 I expected a decent reverse engineering challenge with lots of static analysis involved - but it seems to be yet another guessing task. I've been staring at the PCAP for hours - and the only thing I could infer from the traffic was the packet format. No idea of how the payload is encrypted inside the packets. Any hints about that?

  • Author

#6: there's very little guessing involved.

Spoiler

That compression signature is well known.

 

2 hours ago, kao said:

Challenge 3:

Spoiler

You need to figure out the correct order for the Docker layers and put them together.

 

Hmmm... I did notice there were repeats and was wondering about order. I'll give that another look, thanks.

Still at 5. I've tried the RC4 key they gave but it's not working on any of the encrypted text. Also don't know about the formula since a bunch of numbers are missing...

Update: Found the way to the RC4 key, and now it's just the hexdump and the formula.

Update: The formula with numbers is for another cipher, already found them. But now I'm left with the big hex string with no clue to apply lol

Update: Got the hexstring cipher now.

 

Spoiler

hint: believe in the clues, if they tell you to do something, do it :D


 

Edited by adicto

@kao and everyone else stuck at evil (#9): try to re-submit your flag https://twitter.com/strigeus/status/1437504623665946632

Edited by Mr. J

  • Author

@Mr. J Thanks! They fixed the challenge description and now tell you which flags are false, so you don't waste time and energy submitting them. :) 

My problem was something else.

Edited by kao

nice

Edited by greenfield

for #6, @kao,

Spoiler

Do you mean the signature is included in the traffic? Can't seem to make heads or tails of the compression used.

Update: I think I know what the filetype now is and the compression. But one tool I found isn't working. 

Edited by adicto

Hello everyone, I figured out some of the ordering of level 3 (actually just one).

But I am not sure how to 'reorder' the layers, could someone help me out?

DM is also possible to prevent spoilers.

Edited by layered_design
added DM

Can somebody give a little hint for challenge 4? :'((

@layered_design
 

Spoiler

Stack the layers :)

 

Oh never mind, I got it

@kao any hint to ch 8, please?)

Edited by greenfield

I have a question for ch3.

I don't know if the way I'm doing it is right.

1. I checked the first comparison value in the approach, and made the value calculation process into code as it is.

However, it is difficult to inversely compute the comparison value.

2. Couldn't find a way to configure the docker layer.

 

Could you please let me know what I am missing?
If not, what keyword should I search for how to set docker layer?

@loossy Check your DM :)

I will say, this year definitely has me more stumped than the previous year. Though it also probably comes down to my inexperience with docker layers in general. (Been awhile since I've googled a subject so aggressively.) Probably is as far as I go this year unless I figure out how to get un-lost in the sauce. (And then slam my head on a wall when they post the solutions when the challenge is over.)

Maybe they upped the difficulty a smidgen due to the reduced number of stages though, that's the lie I'll tell myself. (Though based on the scoreboard it does seem like the 3rd challenge is where there's quite a bit of drop off.)

Best I can say for challenge 3 without giving much is treat Docker as a repo like Git. Each layer represents a commit to the code, as an analogy.

Challenge 6 is giving me a headache. I figured out the small ones but the same approach is giving me an error on the actual thing that matters. Does anyone have a reference to the file format?

Edited by adicto

58 minutes ago, adicto said:

Challenge 6 is giving me a headache. I figured out the small ones but the same approach is giving me an error on the actual thing that matters. Does anyone have a reference to the file format?

 

Spoiler

Verify that you are using the right "source data" for the actual messages.

For #6, I can't seem to figure out which method is used to properly convert the messages. I tried brute forcing every bit position as a starting point and removed consideration from any potential headers. Anything that does come back is obviously erroneous. Are those messages decode-able with CyberChef? Or is it a different algorithm?

Never mind, I managed to figure out what to use.

Edited by zarny
