Jump to content
Tuts 4 You

Flare-On 8


Recommended Posts

Hi, can someone point me the direction on how to start #5 ?

I've been pocking around the system for hours, but I can't find any clue on what to do ...

Spoiler

The only message that I found was the FLARE env variable, but that's all ... I saw the snapshot things, but even after diffing the 6 snapshots, I can't find where to start, which is a bit frustrating. I'm basically throwing some wild guess with some "grep -Rn" on the / directory right now ...

I've checked the logs files, nothing unusuall.

Same for the running process.

No crontab/init.d script/bashrc entry indicating the presence of a malware so far.

History is empty.

Running services are legitimates.

And I can't link those cipher files to anything ....

Thanks :)

Edited by Aeri
missing infos
Link to comment

for challenge 7, 

Spoiler

is the flag inside the PNG resource. I tried to run the program but nothing seems to be done on the resource

 

Link to comment
12 hours ago, kao said:

@saagaraS:

  Reveal hidden contents

no, flag is not inside. But the PNG resource is relevant.

 

@kao:

Spoiler

Should I be concerned with what information is sent to the C2 or the date of which the program is run?

 

Link to comment
18 minutes ago, kao said:

@score1: you need to find that.

The entire challenge is about finding things. And a LOT of guessing.

 

How much guessing is involved at the end ?

I only have the "hex" (starting with t*) files left.

The hint must be in front of me because everything else is decrypted :-(

Link to comment

@muppet

Spoiler

Every "stage" has a hint for the next one. The last one you have seen should have talked about where you can find the final clue for the T files.

Though, I must say, in my opinion, this last one is particularly stupid.

 

Edited by Washi
Change quote to spoiler
Link to comment
4 minutes ago, Washi said:

@muppet

  Reveal hidden contents

Every "stage" has a hint for the next one. The last one you have seen should have talked about where you can find the final clue for the T files.

Though, I must say, in my opinion, this last one is particularly stupid.

 

 

Yes. I went to the profiles of the accounts announced expecting to see some hint in their profiles or something.

But nothing was there to be found 😞

Is the final step to DM one of those accounts hoping it is a bot with auto reply of the last hint ? 😕

Cause that is one of my paths forward that I dont want to try just yet because that is just too weird.

I duno. This whole challenge has been a lot of far fetched guesswork.

 

Link to comment

Hi everyone, can anyone point me onto the right direction for Ch. 4. I tried to get it in IDA but seems that I'm lost :D.

Link to comment
4 hours ago, muppet said:

 

Yes. I went to the profiles of the accounts announced expecting to see some hint in their profiles or something.

But nothing was there to be found 😞

Is the final step to DM one of those accounts hoping it is a bot with auto reply of the last hint ? 😕

Cause that is one of my paths forward that I dont want to try just yet because that is just too weird.

I duno. This whole challenge has been a lot of far fetched guesswork.

 

 

Went for a run.

Came back with an idea.

Tried it and now have decrypted the hex files!

Link to comment

@muppet: congrats! :) 

If it makes you feel any better, all the remaining challenges are really good ones with focus on reverse engineering.

Link to comment
1 hour ago, kao said:

@muppet: congrats! :) 

If it makes you feel any better, all the remaining challenges are really good ones with focus on reverse engineering.

Thanks!

Nice a pcap!

The PCAP challenge last year was one of my favorites for its "realistic value" 🙂

 

 

Edited by muppet
Link to comment

Hi everyone, any tips for ch5?

I had solved most of them except `n*`, `t*` (long hex string).

I had no idea about the RC4 key as I simply decrypted all the files and got nothing readable :-<

BTW, I have retrieved the origin text of `i*`, but only the flag part was wrong. Is that normal?

Well... I used some tricks and solved this challenge.

Edited by pula3241
To clarify my problem
Link to comment
Darth Blue

hello @kao i am on chall 10

Spoiler

i have extracted the bin from pcap and now analyzing, so what should i do? I mean do i need to install and up an i** server?

 

Edited by Darth Blue
add spoiler
Link to comment

@Darth Blue: you got this far, so you certainly have skills. I'm sure you'll figure it out. :)

To answer your question - it's not strictly necessary but might help you with *something*. You'll know more once you analyze the binary.

  • Like 1
Link to comment
Brisco2077

Hey everyone,

I'm still stuck on challenge #3 and I'm pretty sure I'm 99% of the way there. One last hint would be super appreciated.

Spoiler

I have the correct order for all the names, and am able to "read" each layer's book of armaments. My assumption was that I'm supposed to combine the output from that into some for of ascii art (since it's just dots, slashes, and pipes). I managed to do all of this without actually running the docker container itself if that is what is holding me back. Let me know if this is too much information here and I can remove this message as well.

 

Link to comment
Hacktreides

Hi o/

Can i ask a hint on CH8

Spoiler

I saw the big b64 array but i don't understand how to decrypt it (after debase64 of course), and there is stranges eval(), i think the b64 array the eval of the passwords are related but i don't understand where to start

Thanks

Link to comment

For #6

Spoiler

I know what this file type is and I can decrypt with a python script. I even see strings like "MEOOWMEOOW" in some of the decrypted files. But I'm lost on how to take these files and make a flag. Any advice?

 

@Brisco2077 There are a few Docker-specific hints on the first page of this thread. You can technically do it without Docker but Docker will make it easier.

Link to comment

Hello all, how to guess right password in ch8? Or find clue. i have weird keysmash with unusual two strings. Thanks.

Link to comment

#CHALLENGE 3

Spoiler

I've already managed to figure out the correct layer order, but I don't know what to do with them. I understand that I must put them in order. But it didn't work when I try to run the new image. I really don't know how to proceed anymore. 

 

Link to comment
47 minutes ago, Coca said:

#CHALLENGE 3

  Hide contents

I've already managed to figure out the correct layer order, but I don't know what to do with them. I understand that I must put them in order. But it didn't work when I try to run the new image. I really don't know how to proceed anymore. 

 

@Coca

Spoiler

don't forget what type of file it originally is. Aside from being a docker export.

 

Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...