Jump to content
Tuts 4 You

Flare-On 8

kao

By kao
in Reverse Engineering Articles

 Share

Recommended Posts

kao

kao

Posted
Posted

Get ready! :)

Quote

The contest will begin at 8:00 p.m. ET on Sept. 10, 2021. This is a CTF-style challenge for all active and aspiring reverse engineers, malware analysts, and security professionals. The contest runs for six full weeks and ends at 8:00 p.m. ET on Oct. 22, 2021. This year’s contest will consist of 10 challenges and feature a variety of formats, including Windows, Linux, and JavaScript

...

Check the Flare-On website for a live countdown timer, to view the previous year’s winners, and to download past challenges and solutions for practice. For official news and information, we will be using the Twitter hashtag: #flareon8.

Source: http://www.fireeye.com/blog/threat-research/2021/08/announcing-the-eighth-annual-flare-on-challenge.html

  • Like 3
Link to comment
Share on other sites
  • Replies 178
  • Created
  • Last Reply

Top Posters In This Topic

  • kao

    36

  • adicto

    10

  • Washi

    7

  • Oggy

    7

Popular Days

Top Posters In This Topic

Popular Days

Popular Posts

Washi
Washi

I just pushed my write-ups for all challenges as well. Could contain some spelling mistakes here and there, but here you go: https://washi1337.github.io/ctf-writeups/writeups/flare-on/2021/

kao
kao

Get ready! Source: http://www.fireeye.com/blog/threat-research/2021/08/announcing-the-eighth-annual-flare-on-challenge.html

Extreme Coders
Extreme Coders

Indeed. Started late this year but managed to get all 10 done. Challenge 5 is literally the worst in my opinion. So much for guessing and making sense of all the weird recipes. 😂

Posted Images

Washi

Washi

Posted
Posted (edited)

Yikes, that's not a great timing for me. I'll probably have to start a few days late :c

Also, only 10 challenges this time around (as opposed to the usual 11 or 12)? They must be difficult ones.

Edited by Washi
Link to comment
Share on other sites
  • 5 weeks later...
LLMN

LLMN

Posted
Posted

Can anyone give me a hint for challenge 3? I spent 2 days on it already and I'm not sure what else to try. I'm currently trying to figure out the expected answers to the questions in approach.

Link to comment
Share on other sites
JohnSull1van

JohnSull1van

Posted
Posted

Challenge #6 is so annoying - after #5 I expected a decent reverse engineering challenge with lots of static analysis involved - but it seems to be yet another guessing task. I've been staring at the PCAP for hours - and the only thing I could infer from the traffic was the packet format. No idea of how the payload is encrypted inside the packets. Any hints about that?

Link to comment
Share on other sites
unionselect

unionselect

Posted
Posted
2 hours ago, kao said:

Challenge 3:

  Hide contents

You need to figure out the correct order for the Docker layers and put them together.

 

Hmmm....I did notice there was repeats and was wondering about order. I'll give that another look, thanks.

Link to comment
Share on other sites
adicto

adicto

Posted
Posted (edited)

Still at 5, ive tried the rc4 key they gave but its not working on any of the encrypted text, also dont know about the formula since a bunch of numbers are missing...

Update: Found the way to the RC4 key, and now its just the hexdump and the formula

Update: The formula with numbers is for another cipher, already found them. But now I'm left with the big hex string with no clue to apply lol
Update: got the hexstring cipher now.

 

Spoiler

hint: believe in the clues, if they tell you to do something, do it :D


 

Edited by adicto
Link to comment
Share on other sites
Mr. J

Mr. J

Posted
Posted (edited)
@kao and everyone else being stuck at evil(#9) try to re-submit your flag https://twitter.com/strigeus/status/1437504623665946632 Edited by Mr. J
Link to comment
Share on other sites
kao

kao

Posted
  • Author
Posted (edited)

@Mr. J Thanks! They fixed the challenge description and now tell you which flags are false, so you don't waste time and energy submitting them. :) 

My problem was something else.

Edited by kao
Link to comment
Share on other sites
adicto

adicto

Posted
Posted (edited)

for #6, @kao,

Spoiler

do you mean the signature is included in the traffic? can't seem to make heads or tails about the compression used

Update: I think I know what the filetype now is and the compression. But one tool I found isn't working. 

Edited by adicto
Link to comment
Share on other sites
layered_design

layered_design

Posted
Posted (edited)

Hello everyone, I figured out some of the ordering of level 3 (actually just one).

But I am not sure how to 'reoder' the layers, could someone help me out?

DM is also possible to prevent spoilers.

Edited by layered_design
added DM
Link to comment
Share on other sites
loossy

loossy

Posted
Posted

I have a question for ch3.

I don't know if the way I'm doing it is right.

1. I checked the first comparison value in the approach, and made the value calculation process into code as it is.

However, it is difficult to inversely compute the comparison value.

2. Couldn't find a way to configure the docker layer.

 

Could you please let me know what I am missing?
If not, what keyword should I search for how to set docker layer?

Link to comment
Share on other sites
RookofSpades

RookofSpades

Posted
Posted

I will say, this year definitely has me more stumped than the previous year. Though it also probably comes down to my inexperience with docker layers in general. (Been awhile since I've googled a subject so aggressively.) Probably is as far as I go this year unless I figure out how to get un-lost in the sauce. (And then slam my head on a wall when they post the solutions when the challenge is over.)

Maybe they upped the difficulty a smidgen due to the reduced number of stages though, that's the lie I'll tell myself. (Though based on the scoreboard it does seem like the 3rd challenge is where there's quite a bit of drop off.)

Link to comment
Share on other sites
adicto

adicto

Posted
Posted (edited)

Best i can say for challenge 3 without giving much is treat docker as a repo like git. Each layer represents a commit to the code as an analogy

Challenge 6 is giving me a headache. I figured out the small ones but the same approach is giving me an error on the actual thing that matters. Does anyone have a reference to the file format?

Edited by adicto
Link to comment
Share on other sites
Washi

Washi

Posted
Posted
58 minutes ago, adicto said:

Challenge 6 is giving me a headache. I figured out the small ones but the same approach is giving me an error on the actual thing that matters. Does anyone have a reference to the file format?

 

Spoiler

Verify that you are using the right "source data" for the actual messages.

  • Like 1
Link to comment
Share on other sites
zarny

zarny

Posted
Posted (edited)

for #6, i cant seem to figure out which method is used to to properly convert the messages. i tried brute forcing every bit position as a starting point and removed consideration from any potential headers. anything that does come back is obviously erronius. are those messages decode-able with cyberchef? or is it a different algorithm?

Nevermind, i managed to figure out what to use.

Edited by zarny
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing
×
×
  • Create New...