Flare-On 8

[Ravick]

May I get some hint on last step in ch5 (hexdumps or t* files)? I know there were plenty of hints on this challenge but they are referring to previous stages...

@edit

Got the flag... I've got no words... Thank you @Extreme Coders!

Edited October 14, 2021 by Ravick

[Extreme Coders]

@Ravick

Spoiler

The t* file can be decrypted by following what's mentioned in some other file. Just note that this challenge will be unsolvable if some popular microblogging site goes offline or maybe a few users there gets their account banned.

 

[Brisco2077]

On 10/12/2021 at 12:59 PM, kao said:

@Brisco2077:

  Hide contents

Exactly that.  

 

Well that was the last thing I was expecting to be in there.

Spoiler

Managed to find a different way that didn't use keywords.

Thanks for the hint though!

[0rangeHat]

I have been smashing my head against ch3 for longer than I dare to admit... Arrgghhh! I have read the hints from previous posts, but still no flag. Hopefully I'm not revealing too much, although we are so far into the thing now there can't be many people left on #3. I can provide more details in a DM too. For one command:

Spoiler

I brute-forced some answers, got the correct response, but figured it was just a red herring in the end.

For the second command:

Spoiler

I used some "metadata" about the layers in order to sort them, ascending. Some layers had an equal metadata value, so there were multiple combinations that could be applied. I enumerated all the combinations, and applied them in how I think a union fs works, but none of them produce legible output. I recreated the decode algorithm in python, I validated that it is correct by hashing what the consult call from the binary produced with the output of my script for several of the combinations. So I'm convinced that part is good. I tried using something that the response to my answers to the first part gave as selection criteria, but still nothing. Am I completely misunderstanding how union fs works? Does it do a more intelligent merge/diff or is it simply an overwrite op?

 

[kao]

@0rangeHat: see this comment and the discussion after that: https://forum.tuts4you.com/topic/43170-flare-on-8/?do=findComment&comment=210245 

 

[0rangeHat]

Just now, kao said:

@0rangeHat: see this comment and the discussion after that: https://forum.tuts4you.com/topic/43170-flare-on-8/?do=findComment&comment=210245 

 

The method I used is:

Spoiler

1. Iterate over each layer in order, (sorted by that metadata) say 1, 2, 3
2. Copy files, e.g. football.txt, car.jpg to a "rootfs" layer (just a dict, keyed on file name). If a file in the layer I'm applying has same name as an existing one in the rootfs, it overwrites the existing one. If it's a new one it's inserted.
3. At the end you have a bunch of files, containing a combination of files from each layer.
4. Then, the decode loop iterates over the files in ascending alphabetical order, starting with 'a'

The output is always garbage

I don't know if docker does anything more fancy than that?

Spoiler

I noticed some files are all null bytes, some have only values every 16th byte, which because of the decode logic is essentially the same as all nulls. I must be missing something, but have completely run out of ways to order these layers/files.

Edited October 14, 2021 by 0rangeHat
Add spoiler tags

[kao]

@0rangeHat:  Sounds about right. So, my guess is that most likely you did not sort the layers correctly. Feel free to PM me with your layer order and/or the final set of files, I can take a look at that.

 

P.S. If that's not too much to ask, could you please edit your previous message and add the "spoiler" tags?  

 

[Rurik]

1 hour ago, 0rangeHat said:

The method I used is:

  Reveal hidden contents

1. Iterate over each layer in order, (sorted by that metadata) say 1, 2, 3
2. Copy files, e.g. football.txt, car.jpg to a "rootfs" layer (just a dict, keyed on file name). If a file in the layer I'm applying has same name as an existing one in the rootfs, it overwrites the existing one. If it's a new one it's inserted.
3. At the end you have a bunch of files, containing a combination of files from each layer.
4. Then, the decode loop iterates over the files in ascending alphabetical order, starting with 'a'

 

 

From a technical side, I was able to rely upon a third-party Python script to automatically do most of the Docker side:

Spoiler

I used this script to initially extract the binary. And, once the order was corrected and a new image made, it extracted out the "final" set of files for me to run directly against from my host.

https://www.madebymikal.com/quick-hack-extracting-the-contents-of-a-docker-image-to-disk/

 

[tycolli]

On 10/14/2021 at 9:19 PM, Rurik said:

 

 

From a technical side, I was able to rely upon a third-party Python script to automatically do most of the Docker side:

  Reveal hidden contents

I used this script to initially extract the binary. And, once the order was corrected and a new image made, it extracted out the "final" set of files for me to run directly against from my host.

https://www.madebymikal.com/quick-hack-extracting-the-contents-of-a-docker-image-to-disk/

 

You over complicated things. Docker images can be downloaded and you can un-tar them. Do a small test, create a docker file load it download the image un-tar and see what is inside. On the same way you can rebuild and load the image. 

Edited October 16, 2021 by tycolli

[Washi]

18 hours ago, tycolli said:

You over complicated things. Docker images can be downloaded and you can un-tar them. Do a small test, create a docker file load it download the image un-tar and see what is inside. On the same way you can rebuild and load the image. 

A solution is a solution. It doesn't matter how you got to the end, especially not with a CTF.

[tycolli]

5 hours ago, Washi said:

A solution is a solution. It doesn't matter how you got to the end, especially not with a CTF.

I had the impression that he did not solve it. And try to simplify it for him. 

[layered_design]

Could someone help me on level 7? I think I sent the correct data to the remote *entity*, but err, not sure how to proceed from here? Not sure where to look for received data, if any.

Edited October 17, 2021 by layered_design

[Kolombo]

On 9/27/2021 at 7:42 PM, kao said:

hen you didn't send the right data.  You're close, just one small step is missing...

Hah.... I'd say this is the most valuable hint in this thread 🙂 Hit the nail! I've lost 2 hours to figure it out.

Highly appreciate your help. Thank you.

[layered_design]

That confuses me a bit more, ha. But thanks for the reply!

EDIT: thanks @kao for clarifying.

 

Edited October 17, 2021 by layered_design
thanks kao

[kao]

@Arkadiy: you're welcome.

@layered_design: sorry for the confusion, Arkadiy's comment is about challenge #9.  To answer your question, the subdomain name is a pretty big giveaway.

Edited October 17, 2021 by kao

[okmenow]

Any hints for #2?

late start 😃

Should i find smthg in disassembled .exe file or should look for registries values in cmp stage?

or just look for b64 blob...? (can't understand the hint in this blob..)

Edited October 18, 2021 by okmenow

[Rurik]

38 minutes ago, okmenow said:

Any hints for #2?

 

Base64? Are you sure that's #2?

Spoiler

The challenge tests your ability to find an encryption routine in the executable and to write your own reimplementation of it. It should be very easy to find, and most of the data can be used to test as the outputs are well-known.

 

[layered_design]

@Rurik there was a 'hint' somewhere, written in base64. Good luck @okmenow my DM is open if you have another question about this level.

[DrSauerkraut]

Coming back to this after one week of inactivity.

Still stuck on challenge 3 :

Spoiler

I managed to extract all books of armaments, and the correct layer order. I'm pretty sure that I have to merge all texts one way or another. I tried to merge them as successful diffs (one replacing the modified characters of the previous one), to concat them all in one global final file and event to merge each line independently (line 1 from file 1, line 1 from file 2, etc...). But no success so far.

Any hints or help would be highly appreciated

[kao]

@DrSauerkraut: someone already answered to you last week: https://forum.tuts4you.com/topic/43170-flare-on-8/?do=findComment&comment=210245

 

 

[Kolombo]

I wonder, if challenge 10 possible to reproduce locally?
 

Spoiler

I have installed server and trying to do the same actions as in the PCAP. The command executes completely fine, however it doesn't return damages back. Hangs on in recv during vm code execution.

Anyway, do I need to analyze that magic "programs" to understand what going on?

I think we may analyze the result only, cuz it is quite obvious what's going on there. However, I'm confused with that numbers and "d" and crypto inside... Does crypto related to the task or it is a part of the library?

 

Edited October 19, 2021 by Arkadiy

[Extreme Coders]

@Arkadiy

Spoiler

Possible to reproduce locally but you can't blindly replay the traffic from the pcap. Check the Nick.

There are multiple ways to solve this challenge, some of which requires minimal analysis. Can be solved with bruteforce without requiring a detailed study of the vm's.

The numbers and "d" are a part of the challenge. How they are generated can be found after analyzing the code. IDA works great if you create the structs and apply the proper function types.

 

[Kolombo]

Thank you guys for your comments and support. Solved everything.

@Extreme Coders, the nick was the first thing I've done 🙂 I had different problem and I wish to make some technical spoiler regarding the #10 task.

Spoiler

The only problem I faced is a good server. I tried two of the most famous, but the response didn't come. Then I've found a simple python script and everything is going to work well.

In summary, the #10 was the most simple I think 😄 , where the #5 is the worst. To be honest, I brute last 6 characters in #5... 🙂

 

[pcmcia]

For those who solved ch#10, how did you solve it without reversing the VM.  I already read the official posted solution, but it seems that requires you to reverse the VM code.

 

[kao]

@pcmcia: VM1 was one-byte XOR. You should be able to recognize xored data after suffering through Challenge #5.

 

VM2 - CPA. Right now I don't have time and energy for a proper writeup but here are rough steps.

Step 1- create file consisting of 1000 zeroes, exfiltrate it. See that there is a pattern repeating every 0x18 chars, something like this:

Such patterns suggest either a block cipher in ECB mode, or weak crypto. Since I'm not aware of any strong crypto with block size of 0x18 bytes, it must be weak crypto!  
Which means - you can create a lookup table for each of 0x18 positions and each of 256 values.

Step 2 - create a file consisting of 0x18 zeroes, followed by 0x18 ones, 0x18 twos and so on. Exfiltrate it.

Step 3 - now you have a lookup table that you can use to decrypt exfiltrated image.