Flare-On 8

[pepegaswiper69]

@kao I got it, thanks.

[Aeri]

Hi, can someone point me the direction on how to start #5 ?

I've been pocking around the system for hours, but I can't find any clue on what to do ...

Spoiler

The only message that I found was the FLARE env variable, but that's all ... I saw the snapshot things, but even after diffing the 6 snapshots, I can't find where to start, which is a bit frustrating. I'm basically throwing some wild guess with some "grep -Rn" on the / directory right now ...

I've checked the logs files, nothing unusuall.

Same for the running process.

No crontab/init.d script/bashrc entry indicating the presence of a malware so far.

History is empty.

Running services are legitimates.

And I can't link those cipher files to anything ....

Thanks

Edited September 18, 2021 by Aeri
missing infos

[kao]

@Aeri: read the forum thread, it already contains several hints about #5.

EDIT: considering that you've tried most things already..

Spoiler

https://www.computerforensics.com/news/what-is-metadata

 

 

Edited September 18, 2021 by kao

[saagaraS]

for challenge 7, 

Spoiler

is the flag inside the PNG resource. I tried to run the program but nothing seems to be done on the resource

 

[kao]

@saagaraS:

Spoiler

no, flag is not inside. But the PNG resource is relevant.

 

[saagaraS]

12 hours ago, kao said:

@saagaraS:

  Reveal hidden contents

no, flag is not inside. But the PNG resource is relevant.

 

@kao:

Spoiler

Should I be concerned with what information is sent to the C2 or the date of which the program is run?

 

[score1]

Hi 

Any tips for ch 5

I got to the point with math equation 

which "Number1" they are referring to.

 

Thanks 

[kao]

@score1: you need to find that.

The entire challenge is about finding things. And a LOT of guessing.

[muppet]

18 minutes ago, kao said:

@score1: you need to find that.

The entire challenge is about finding things. And a LOT of guessing.

 

How much guessing is involved at the end ?

I only have the "hex" (starting with t*) files left.

The hint must be in front of me because everything else is decrypted :-(

[Washi]

@muppet

Spoiler

Every "stage" has a hint for the next one. The last one you have seen should have talked about where you can find the final clue for the T files.

Though, I must say, in my opinion, this last one is particularly stupid.

 

Edited September 19, 2021 by Washi
Change quote to spoiler

[muppet]

4 minutes ago, Washi said:

@muppet

  Reveal hidden contents

Every "stage" has a hint for the next one. The last one you have seen should have talked about where you can find the final clue for the T files.

Though, I must say, in my opinion, this last one is particularly stupid.

 

 

Yes. I went to the profiles of the accounts announced expecting to see some hint in their profiles or something.

But nothing was there to be found 😞

Is the final step to DM one of those accounts hoping it is a bot with auto reply of the last hint ? 😕

Cause that is one of my paths forward that I dont want to try just yet because that is just too weird.

I duno. This whole challenge has been a lot of far fetched guesswork.

 

[tycolli]

Hi everyone, can anyone point me onto the right direction for Ch. 4. I tried to get it in IDA but seems that I'm lost :D.

[muppet]

4 hours ago, muppet said:

 

Yes. I went to the profiles of the accounts announced expecting to see some hint in their profiles or something.

But nothing was there to be found 😞

Is the final step to DM one of those accounts hoping it is a bot with auto reply of the last hint ? 😕

Cause that is one of my paths forward that I dont want to try just yet because that is just too weird.

I duno. This whole challenge has been a lot of far fetched guesswork.

 

 

Went for a run.

Came back with an idea.

Tried it and now have decrypted the hex files!

[kao]

@muppet: congrats!  

If it makes you feel any better, all the remaining challenges are really good ones with focus on reverse engineering.

[muppet]

1 hour ago, kao said:

@muppet: congrats!  

If it makes you feel any better, all the remaining challenges are really good ones with focus on reverse engineering.

Thanks!

Nice a pcap!

The PCAP challenge last year was one of my favorites for its "realistic value" 🙂

 

 

Edited September 19, 2021 by muppet

[pula3241]

Hi everyone, any tips for ch5?

I had solved most of them except `n*`, `t*` (long hex string).

I had no idea about the RC4 key as I simply decrypted all the files and got nothing readable :-<

BTW, I have retrieved the origin text of `i*`, but only the flag part was wrong. Is that normal?

Well... I used some tricks and solved this challenge.

Edited September 20, 2021 by pula3241
To clarify my problem

[Darth Blue]

hello @kao i am on chall 10

Spoiler

i have extracted the bin from pcap and now analyzing, so what should i do? I mean do i need to install and up an i** server?

 

Edited September 20, 2021 by Darth Blue
add spoiler

[kao]

@Darth Blue: you got this far, so you certainly have skills. I'm sure you'll figure it out.

To answer your question - it's not strictly necessary but might help you with *something*. You'll know more once you analyze the binary.

[Brisco2077]

Hey everyone,

I'm still stuck on challenge #3 and I'm pretty sure I'm 99% of the way there. One last hint would be super appreciated.

Spoiler

I have the correct order for all the names, and am able to "read" each layer's book of armaments. My assumption was that I'm supposed to combine the output from that into some for of ascii art (since it's just dots, slashes, and pipes). I managed to do all of this without actually running the docker container itself if that is what is holding me back. Let me know if this is too much information here and I can remove this message as well.

 

[Hacktreides]

Hi o/

Can i ask a hint on CH8

Spoiler

I saw the big b64 array but i don't understand how to decrypt it (after debase64 of course), and there is stranges eval(), i think the b64 array the eval of the passwords are related but i don't understand where to start

Thanks

[bohaw]

For #6

Spoiler

I know what this file type is and I can decrypt with a python script. I even see strings like "MEOOWMEOOW" in some of the decrypted files. But I'm lost on how to take these files and make a flag. Any advice?

 

@Brisco2077 There are a few Docker-specific hints on the first page of this thread. You can technically do it without Docker but Docker will make it easier.

[0X7C9]

Hello all, how to guess right password in ch8? Or find clue. i have weird keysmash with unusual two strings. Thanks.

[Washi]

@Hacktreides@0X7C9

Spoiler

While you do not know the key, you do know its size and you also know something about the format of the final plaintext that should come out of it when using that key.

 

[Coca]

#CHALLENGE 3

Spoiler

I've already managed to figure out the correct layer order, but I don't know what to do with them. I understand that I must put them in order. But it didn't work when I try to run the new image. I really don't know how to proceed anymore. 

 

[adicto]

47 minutes ago, Coca said:

#CHALLENGE 3

  Hide contents

I've already managed to figure out the correct layer order, but I don't know what to do with them. I understand that I must put them in order. But it didn't work when I try to run the new image. I really don't know how to proceed anymore. 

 

@Coca

Spoiler

don't forget what type of file it originally is. Aside from being a docker export.