Jump to content
Tuts 4 You

Flare-On 8


Recommended Posts

Get ready! :)

Quote

The contest will begin at 8:00 p.m. ET on Sept. 10, 2021. This is a CTF-style challenge for all active and aspiring reverse engineers, malware analysts, and security professionals. The contest runs for six full weeks and ends at 8:00 p.m. ET on Oct. 22, 2021. This year’s contest will consist of 10 challenges and feature a variety of formats, including Windows, Linux, and JavaScript

...

Check the Flare-On website for a live countdown timer, to view the previous year’s winners, and to download past challenges and solutions for practice. For official news and information, we will be using the Twitter hashtag: #flareon8.

Source: http://www.fireeye.com/blog/threat-research/2021/08/announcing-the-eighth-annual-flare-on-challenge.html

  • Like 2
Link to comment

Yikes, that's not a great timing for me. I'll probably have to start a few days late :c

Also, only 10 challenges this time around (as opposed to the usual 11 or 12)? They must be difficult ones.

Edited by Washi
Link to comment
  • 5 weeks later...

Can anyone give me a hint for challenge 3? I spent 2 days on it already and I'm not sure what else to try. I'm currently trying to figure out the expected answers to the questions in approach.

Link to comment

Challenge #6 is so annoying - after #5 I expected a decent reverse engineering challenge with lots of static analysis involved - but it seems to be yet another guessing task. I've been staring at the PCAP for hours - and the only thing I could infer from the traffic was the packet format. No idea of how the payload is encrypted inside the packets. Any hints about that?

Link to comment
2 hours ago, kao said:

Challenge 3:

  Hide contents

You need to figure out the correct order for the Docker layers and put them together.

 

Hmmm....I did notice there was repeats and was wondering about order. I'll give that another look, thanks.

Link to comment

Still at 5, ive tried the rc4 key they gave but its not working on any of the encrypted text, also dont know about the formula since a bunch of numbers are missing...

Update: Found the way to the RC4 key, and now its just the hexdump and the formula

Update: The formula with numbers is for another cipher, already found them. But now I'm left with the big hex string with no clue to apply lol
Update: got the hexstring cipher now.

 

Spoiler

hint: believe in the clues, if they tell you to do something, do it :D


 

Edited by adicto
Link to comment

@Mr. J Thanks! They fixed the challenge description and now tell you which flags are false, so you don't waste time and energy submitting them. :) 

My problem was something else.

Edited by kao
Link to comment

for #6, @kao,

Spoiler

do you mean the signature is included in the traffic? can't seem to make heads or tails about the compression used

Update: I think I know what the filetype now is and the compression. But one tool I found isn't working. 

Edited by adicto
Link to comment

Hello everyone, I figured out some of the ordering of level 3 (actually just one).

But I am not sure how to 'reoder' the layers, could someone help me out?

DM is also possible to prevent spoilers.

Edited by layered_design
added DM
Link to comment

I have a question for ch3.

I don't know if the way I'm doing it is right.

1. I checked the first comparison value in the approach, and made the value calculation process into code as it is.

However, it is difficult to inversely compute the comparison value.

2. Couldn't find a way to configure the docker layer.

 

Could you please let me know what I am missing?
If not, what keyword should I search for how to set docker layer?

Link to comment

I will say, this year definitely has me more stumped than the previous year. Though it also probably comes down to my inexperience with docker layers in general. (Been awhile since I've googled a subject so aggressively.) Probably is as far as I go this year unless I figure out how to get un-lost in the sauce. (And then slam my head on a wall when they post the solutions when the challenge is over.)

Maybe they upped the difficulty a smidgen due to the reduced number of stages though, that's the lie I'll tell myself. (Though based on the scoreboard it does seem like the 3rd challenge is where there's quite a bit of drop off.)

Link to comment

Best i can say for challenge 3 without giving much is treat docker as a repo like git. Each layer represents a commit to the code as an analogy

Challenge 6 is giving me a headache. I figured out the small ones but the same approach is giving me an error on the actual thing that matters. Does anyone have a reference to the file format?

Edited by adicto
Link to comment
58 minutes ago, adicto said:

Challenge 6 is giving me a headache. I figured out the small ones but the same approach is giving me an error on the actual thing that matters. Does anyone have a reference to the file format?

 

Spoiler

Verify that you are using the right "source data" for the actual messages.

  • Like 1
Link to comment

for #6, i cant seem to figure out which method is used to to properly convert the messages. i tried brute forcing every bit position as a starting point and removed consideration from any potential headers. anything that does come back is obviously erronius. are those messages decode-able with cyberchef? or is it a different algorithm?

Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...