Ravick Posted October 14, 2021 (edited) May I get some hint on the last step in ch5 (hexdumps or t* files)? I know there were plenty of hints on this challenge, but they are referring to previous stages... @edit Got the flag... I've got no words... Thank you @Extreme Coders! Edited October 14, 2021 by Ravick
Extreme Coders Posted October 14, 2021 @Ravick Spoiler The t* file can be decrypted by following what's mentioned in some other file. Just note that this challenge will be unsolvable if some popular microblogging site goes offline or maybe a few users there get their accounts banned.
Brisco2077 Posted October 14, 2021 On 10/12/2021 at 12:59 PM, kao said: @Brisco2077: Spoiler Exactly that. Well, that was the last thing I was expecting to be in there. Spoiler Managed to find a different way that didn't use keywords. Thanks for the hint though!
0rangeHat Posted October 14, 2021 I have been smashing my head against ch3 for longer than I dare to admit... Arrgghhh! I have read the hints from previous posts, but still no flag. Hopefully I'm not revealing too much, although we are so far into the thing now there can't be many people left on #3. I can provide more details in a DM too. For one command: Spoiler I brute-forced some answers, got the correct response, but figured it was just a red herring in the end. For the second command: Spoiler I used some "metadata" about the layers in order to sort them, ascending. Some layers had an equal metadata value, so there were multiple combinations that could be applied. I enumerated all the combinations and applied them in how I think a union fs works, but none of them produce legible output. I recreated the decode algorithm in Python and validated that it is correct by comparing the hash of what the consult call from the binary produced with the output of my script for several of the combinations. So I'm convinced that part is good. I tried using something that the response to my answers to the first part gave as selection criteria, but still nothing. Am I completely misunderstanding how union fs works? Does it do a more intelligent merge/diff or is it simply an overwrite op?
kao Posted October 14, 2021 Author @0rangeHat: see this comment and the discussion after that: https://forum.tuts4you.com/topic/43170-flare-on-8/?do=findComment&comment=210245
0rangeHat Posted October 14, 2021 (edited) Just now, kao said: @0rangeHat: see this comment and the discussion after that: https://forum.tuts4you.com/topic/43170-flare-on-8/?do=findComment&comment=210245 The method I used is: Spoiler Iterate over each layer in order (sorted by that metadata), say 1, 2, 3. Copy files, e.g. football.txt, car.jpg, to a "rootfs" layer (just a dict, keyed on file name). If a file in the layer I'm applying has the same name as an existing one in the rootfs, it overwrites the existing one. If it's a new one, it's inserted. At the end you have a bunch of files, containing a combination of files from each layer. Then the decode loop iterates over the files in ascending alphabetical order, starting with 'a'. The output is always garbage. I don't know if docker does anything more fancy than that? Spoiler I noticed some files are all null bytes, some have only values every 16th byte, which because of the decode logic is essentially the same as all nulls. I must be missing something, but have completely run out of ways to order these layers/files. Edited October 14, 2021 by 0rangeHat Add spoiler tags
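The "rootfs" merge described in the post above, as an added example that is not 0rangeHat's script or anything from the challenge: layers are sorted by a constructed "created" field standing in for the post's metadata, applied lowest-first with later same-named files overwriting earlier ones, and, going one step past the post, OCI/Docker ".wh." whiteout entries are honoured since real image layers can contain them. All layer names, dates and file contents are made up for the illustration.

```python
# Added example, not 0rangeHat's script or the challenge's own code: the
# "rootfs" merge described in the post, applied to constructed sample layers.
import posixpath
from typing import Dict, List

WHITEOUT = ".wh."  # OCI/Docker layer marker: "dir/.wh.name" deletes dir/name

# Constructed layers. "created" stands in for the sorting metadata; the
# values and file contents are made up for this illustration.
BASE   = {"created": "2021-10-01", "files": {"a.txt": b"base a", "b.txt": b"base b"}}
MIDDLE = {"created": "2021-10-02", "files": {"b.txt": b"layer2 b", ".wh.a.txt": b""}}
TOP    = {"created": "2021-10-03", "files": {"a.txt": b"restored a", "c.txt": b"c"}}
SAMPLE_LAYERS = [TOP, BASE, MIDDLE]  # deliberately out of order


def merge_layers(layers: List[dict]) -> Dict[str, bytes]:
    """Apply layers lowest-first, like a union fs: a file in a higher layer
    overwrites the same-named file below it, a new name is inserted.
    Going one step past the post, ".wh." whiteout entries remove a file
    instead of adding one, which a real Docker image can contain."""
    rootfs: Dict[str, bytes] = {}
    # sorted() is stable, so layers with equal metadata keep their input order
    for layer in sorted(layers, key=lambda l: l["created"]):
        for name, data in layer["files"].items():
            dirname, base = posixpath.split(name)
            if base.startswith(WHITEOUT):
                rootfs.pop(posixpath.join(dirname, base[len(WHITEOUT):]), None)
            else:
                rootfs[name] = data
    return rootfs


def decode_order(rootfs: Dict[str, bytes]) -> List[str]:
    """The order the post's decode loop walks the merged files: ascending
    alphabetical by file name."""
    return sorted(rootfs)


if __name__ == "__main__":
    merged = merge_layers(SAMPLE_LAYERS)
    for name in decode_order(merged):
        print(name, merged[name])
```

Layers with equal metadata keep their input order here, so trying the alternative orders the post mentions means permuting those ties before calling merge_layers.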
kao Posted October 14, 2021 Author @0rangeHat: Sounds about right. So my guess is that most likely you did not sort the layers correctly. Feel free to PM me with your layer order and/or the final set of files; I can take a look at that. P.S. If that's not too much to ask, could you please edit your previous message and add the "spoiler" tags?
Rurik Posted October 14, 2021 1 hour ago, 0rangeHat said: The method I used is: Spoiler Iterate over each layer in order (sorted by that metadata), say 1, 2, 3. Copy files, e.g. football.txt, car.jpg, to a "rootfs" layer (just a dict, keyed on file name). If a file in the layer I'm applying has the same name as an existing one in the rootfs, it overwrites the existing one. If it's a new one, it's inserted. At the end you have a bunch of files, containing a combination of files from each layer. Then the decode loop iterates over the files in ascending alphabetical order, starting with 'a'. From a technical side, I was able to rely upon a third-party Python script to automatically do most of the Docker side: Spoiler I used this script to initially extract the binary. And, once the order was corrected and a new image made, it extracted out the "final" set of files for me to run directly against from my host. https://www.madebymikal.com/quick-hack-extracting-the-contents-of-a-docker-image-to-disk/
tycolli Posted October 16, 2021 (edited) On 10/14/2021 at 9:19 PM, Rurik said: From a technical side, I was able to rely upon a third-party Python script to automatically do most of the Docker side: Spoiler I used this script to initially extract the binary. And, once the order was corrected and a new image made, it extracted out the "final" set of files for me to run directly against from my host. https://www.madebymikal.com/quick-hack-extracting-the-contents-of-a-docker-image-to-disk/ You overcomplicated things. Docker images can be downloaded and you can un-tar them. Do a small test: create a Dockerfile, load it, download the image, un-tar it and see what is inside. In the same way you can rebuild and load the image. Edited October 16, 2021 by tycolli
Washi Posted October 17, 2021 18 hours ago, tycolli said: You overcomplicated things. Docker images can be downloaded and you can un-tar them. Do a small test: create a Dockerfile, load it, download the image, un-tar it and see what is inside. In the same way you can rebuild and load the image. A solution is a solution. It doesn't matter how you got to the end, especially not with a CTF.
tycolli Posted October 17, 2021 5 hours ago, Washi said: A solution is a solution. It doesn't matter how you got to the end, especially not with a CTF. I had the impression that he did not solve it, and tried to simplify it for him.
layered_design Posted October 17, 2021 (edited) Could someone help me on level 7? I think I sent the correct data to the remote *entity*, but, err, not sure how to proceed from here? Not sure where to look for received data, if any. Edited October 17, 2021 by layered_design
Kolombo Posted October 17, 2021 On 9/27/2021 at 7:42 PM, kao said: Then you didn't send the right data. You're close, just one small step is missing... Hah.... I'd say this is the most valuable hint in this thread 🙂 Hit the nail! I've lost 2 hours to figure it out. Highly appreciate your help. Thank you.
layered_design Posted October 17, 2021 (edited) That confuses me a bit more, ha. But thanks for the reply! EDIT: thanks @kao for clarifying. Edited October 17, 2021 by layered_design thanks kao
kao Posted October 17, 2021 Author (edited) @Arkadiy: you're welcome. @layered_design: sorry for the confusion, Arkadiy's comment is about challenge #9. To answer your question, the subdomain name is a pretty big giveaway. Edited October 17, 2021 by kao
okmenow Posted October 18, 2021 (edited) Any hints for #2? Late start 😃 Should I find something in the disassembled .exe file, or should I look for registry values in the cmp stage? Or just look for the b64 blob...? (can't understand the hint in this blob..) Edited October 18, 2021 by okmenow
Rurik Posted October 18, 2021 38 minutes ago, okmenow said: Any hints for #2? Base64? Are you sure that's #2? Spoiler The challenge tests your ability to find an encryption routine in the executable and to write your own reimplementation of it. It should be very easy to find, and most of the data can be used to test, as the outputs are well-known.
layered_design Posted October 19, 2021 @Rurik there was a 'hint' somewhere, written in base64. Good luck @okmenow, my DM is open if you have another question about this level.
DrSauerkraut Posted October 19, 2021 Coming back to this after one week of inactivity. Still stuck on challenge 3: Spoiler I managed to extract all books of armaments, and the correct layer order. I'm pretty sure that I have to merge all texts one way or another. I tried to merge them as successive diffs (one replacing the modified characters of the previous one), to concat them all into one global final file, and even to merge each line independently (line 1 from file 1, line 1 from file 2, etc...). But no success so far. Any hints or help would be highly appreciated.
kao Posted October 19, 2021 Author @DrSauerkraut: someone already answered you last week: https://forum.tuts4you.com/topic/43170-flare-on-8/?do=findComment&comment=210245
Kolombo Posted October 19, 2021 (edited) I wonder if challenge 10 is possible to reproduce locally? Spoiler I have installed the server and am trying to do the same actions as in the PCAP. The command executes completely fine, however it doesn't return damages back. Hangs in recv during vm code execution. Anyway, do I need to analyze those magic "programs" to understand what's going on? I think we may analyze the result only, because it is quite obvious what's going on there. However, I'm confused with those numbers and "d" and the crypto inside... Is the crypto related to the task, or is it part of the library? Edited October 19, 2021 by Arkadiy
Extreme Coders Posted October 20, 2021 @Arkadiy Spoiler Possible to reproduce locally, but you can't blindly replay the traffic from the pcap. Check the Nick. There are multiple ways to solve this challenge, some of which require minimal analysis. Can be solved with bruteforce without requiring a detailed study of the VMs. The numbers and "d" are a part of the challenge. How they are generated can be found after analyzing the code. IDA works great if you create the structs and apply the proper function types.
Kolombo Posted October 20, 2021 Thank you guys for your comments and support. Solved everything. @Extreme Coders, the nick was the first thing I've done 🙂 I had a different problem and I wish to make some technical spoiler regarding the #10 task. Spoiler The only problem I faced is a good server. I tried two of the most famous, but the response didn't come. Then I found a simple Python script and everything worked well. In summary, the #10 was the most simple I think 😄, where the #5 is the worst. To be honest, I brute-forced the last 6 characters in #5... 🙂
pcmcia Posted October 25, 2021 For those who solved ch#10, how did you solve it without reversing the VM? I already read the official posted solution, but it seems that requires you to reverse the VM code.
kao Posted October 25, 2021 Author @pcmcia: VM1 was a one-byte XOR. You should be able to recognize XORed data after suffering through Challenge #5. VM2 - CPA. Right now I don't have the time and energy for a proper writeup, but here are the rough steps. Step 1 - create a file consisting of 1000 zeroes, exfiltrate it. See that there is a pattern repeating every 0x18 chars, something like this: Such patterns suggest either a block cipher in ECB mode or weak crypto. Since I'm not aware of any strong crypto with a block size of 0x18 bytes, it must be weak crypto! Which means you can create a lookup table for each of the 0x18 positions and each of the 256 values. Step 2 - create a file consisting of 0x18 zeroes, followed by 0x18 ones, 0x18 twos and so on. Exfiltrate it. Step 3 - now you have a lookup table that you can use to decrypt the exfiltrated image.
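The three steps above, as an added example that is not kao's code or anything from the challenge: toy_encrypt and _KEY are a constructed stand-in for the VM2 transform (any per-position byte mapping that repeats every 0x18 bytes behaves the same way), and the function names and the sample message in the test are made up here.

```python
# Added example, not kao's code or anything from the challenge: the three
# steps above, run against a constructed stand-in for the VM2 transform.
from typing import Callable, Dict, List

PERIOD = 0x18  # the repeat distance kao observed

# Constructed toy transform (made up here). Each byte is mixed only with key
# material selected by its position modulo PERIOD, so a given plaintext byte
# at a given offset always yields the same ciphertext byte. That property,
# not the particular arithmetic, is what makes a lookup table sufficient.
_KEY = bytes(range(0x5A, 0x5A + PERIOD))


def toy_encrypt(pt: bytes) -> bytes:
    out = bytearray()
    for i, b in enumerate(pt):
        k1 = _KEY[i % PERIOD]
        k2 = _KEY[(i * 7) % PERIOD]
        out.append(((b ^ k1) + k2) & 0xFF)
    return bytes(out)


def find_period(ct: bytes, max_period: int = 256) -> int:
    """Step 1: smallest p with ct[i] == ct[i + p] for all i (ct came from
    encrypting all zeroes), i.e. the distance at which the pattern repeats."""
    for p in range(1, max_period + 1):
        if all(ct[i] == ct[i + p] for i in range(len(ct) - p)):
            return p
    raise ValueError("no repeating pattern: probably not a per-position cipher")


def build_table(oracle: Callable[[bytes], bytes], period: int) -> List[Dict[int, int]]:
    """Step 2: send `period` zeroes, `period` ones, ... `period` 0xFFs and
    record, for each position, which ciphertext byte each value maps to."""
    chosen = b"".join(bytes([v]) * period for v in range(256))
    table: List[Dict[int, int]] = [dict() for _ in range(period)]
    for i, c in enumerate(oracle(chosen)):
        table[i % period][c] = i // period  # block number == plaintext value
    return table


def decrypt(ct: bytes, table: List[Dict[int, int]]) -> bytes:
    """Step 3: invert the exfiltrated data by lookup."""
    return bytes(table[i % len(table)][c] for i, c in enumerate(ct))


def recover(oracle: Callable[[bytes], bytes], ct: bytes) -> bytes:
    period = find_period(oracle(bytes(1000)))  # 1000 zeroes, as in step 1
    return decrypt(ct, build_table(oracle, period))
```

If find_period raises, the repeating-pattern assumption does not hold and a per-position table cannot work, which is the check that separates this weak case from a real block cipher.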