Jump to content
Tuts 4 You

Flare-On 8


Recommended Posts

May I get some hint on last step in ch5 (hexdumps or t* files)? I know there were plenty of hints on this challenge but they are referring to previous stages...

@edit

Got the flag... I've got no words... Thank you @Extreme Coders!

Edited by Ravick
Link to comment
Extreme Coders

@Ravick

Spoiler

The t* file can be decrypted by following what's mentioned in some other file. Just note that this challenge will be unsolvable if some popular microblogging site goes offline or maybe a few users there gets their account banned.

 

Link to comment
Brisco2077
On 10/12/2021 at 12:59 PM, kao said:

@Brisco2077:

  Hide contents

Exactly that. :) 

 

Well that was the last thing I was expecting to be in there.

Spoiler

Managed to find a different way that didn't use keywords.

Thanks for the hint though!

Link to comment
0rangeHat

I have been smashing my head against ch3 for longer than I dare to admit... Arrgghhh! I have read the hints from previous posts, but still no flag. Hopefully I'm not revealing too much, although we are so far into the thing now there can't be many people left on #3. I can provide more details in a DM too. For one command:

Spoiler

I brute-forced some answers, got the correct response, but figured it was just a red herring in the end.

For the second command:

Spoiler

I used some "metadata" about the layers in order to sort them, ascending. Some layers had an equal metadata value, so there were multiple combinations that could be applied. I enumerated all the combinations, and applied them in how I think a union fs works, but none of them produce legible output. I recreated the decode algorithm in python, I validated that it is correct by hashing what the consult call from the binary produced with the output of my script for several of the combinations. So I'm convinced that part is good. I tried using something that the response to my answers to the first part gave as selection criteria, but still nothing. Am I completely misunderstanding how union fs works? Does it do a more intelligent merge/diff or is it simply an overwrite op?

 

Link to comment
0rangeHat
Just now, kao said:

The method I used is:

Spoiler
  1. Iterate over each layer in order, (sorted by that metadata) say 1, 2, 3
  2. Copy files, e.g. football.txt, car.jpg to a "rootfs" layer (just a dict, keyed on file name). If a file in the layer I'm applying has same name as an existing one in the rootfs, it overwrites the existing one. If it's a new one it's inserted.
  3. At the end you have a bunch of files, containing a combination of files from each layer.
  4. Then, the decode loop iterates over the files in ascending alphabetical order, starting with 'a'

The output is always garbage :(

I don't know if docker does anything more fancy than that?

Spoiler

I noticed some files are all null bytes, some have only values every 16th byte, which because of the decode logic is essentially the same as all nulls. I must be missing something, but have completely run out of ways to order these layers/files.

Edited by 0rangeHat
Add spoiler tags
Link to comment

@0rangeHat:  Sounds about right. So, my guess is that most likely you did not sort the layers correctly. Feel free to PM me with your layer order and/or the final set of files, I can take a look at that.

 

P.S. If that's not too much to ask, could you please edit your previous message and add the "spoiler" tags? ;) 

 

Link to comment
1 hour ago, 0rangeHat said:

The method I used is:

  Reveal hidden contents
  1. Iterate over each layer in order, (sorted by that metadata) say 1, 2, 3
  2. Copy files, e.g. football.txt, car.jpg to a "rootfs" layer (just a dict, keyed on file name). If a file in the layer I'm applying has same name as an existing one in the rootfs, it overwrites the existing one. If it's a new one it's inserted.
  3. At the end you have a bunch of files, containing a combination of files from each layer.
  4. Then, the decode loop iterates over the files in ascending alphabetical order, starting with 'a'

 

 

From a technical side, I was able to rely upon a third-party Python script to automatically do most of the Docker side:

Spoiler

I used this script to initially extract the binary. And, once the order was corrected and a new image made, it extracted out the "final" set of files for me to run directly against from my host.

https://www.madebymikal.com/quick-hack-extracting-the-contents-of-a-docker-image-to-disk/


 

Link to comment
On 10/14/2021 at 9:19 PM, Rurik said:

 

 

From a technical side, I was able to rely upon a third-party Python script to automatically do most of the Docker side:

  Reveal hidden contents

I used this script to initially extract the binary. And, once the order was corrected and a new image made, it extracted out the "final" set of files for me to run directly against from my host.

https://www.madebymikal.com/quick-hack-extracting-the-contents-of-a-docker-image-to-disk/


 

You over complicated things. Docker images can be downloaded and you can un-tar them. Do a small test, create a docker file load it download the image un-tar and see what is inside. On the same way you can rebuild and load the image. 

Edited by tycolli
Link to comment
18 hours ago, tycolli said:

You over complicated things. Docker images can be downloaded and you can un-tar them. Do a small test, create a docker file load it download the image un-tar and see what is inside. On the same way you can rebuild and load the image. 

A solution is a solution. It doesn't matter how you got to the end, especially not with a CTF. :)

Link to comment
5 hours ago, Washi said:

A solution is a solution. It doesn't matter how you got to the end, especially not with a CTF. :)

I had the impression that he did not solve it. And try to simplify it for him. 

Link to comment
layered_design

Could someone help me on level 7? I think I sent the correct data to the remote *entity*, but err, not sure how to proceed from here? Not sure where to look for received data, if any.

Edited by layered_design
Link to comment
On 9/27/2021 at 7:42 PM, kao said:

hen you didn't send the right data. :) You're close, just one small step is missing...

Hah.... I'd say this is the most valuable hint in this thread 🙂 Hit the nail! I've lost 2 hours to figure it out.

Highly appreciate your help. Thank you.

Link to comment

Any hints for #2?

late start 😃

Should i find smthg in disassembled .exe file or should look for registries values in cmp stage?

or just look for b64 blob...? (can't understand the hint in this blob..)

Edited by okmenow
Link to comment
38 minutes ago, okmenow said:

Any hints for #2?

 

Base64? Are you sure that's #2?

Spoiler

The challenge tests your ability to find an encryption routine in the executable and to write your own reimplementation of it. It should be very easy to find, and most of the data can be used to test as the outputs are well-known.

 

  • Thanks 1
Link to comment

Coming back to this after one week of inactivity.

Still stuck on challenge 3 :

Spoiler

I managed to extract all books of armaments, and the correct layer order. I'm pretty sure that I have to merge all texts one way or another. I tried to merge them as successful diffs (one replacing the modified characters of the previous one), to concat them all in one global final file and event to merge each line independently (line 1 from file 1, line 1 from file 2, etc...). But no success so far.

Any hints or help would be highly appreciated :(

Link to comment

I wonder, if challenge 10 possible to reproduce locally?
 

Spoiler

I have installed server and trying to do the same actions as in the PCAP. The command executes completely fine, however it doesn't return damages back. Hangs on in recv during vm code execution.

Anyway, do I need to analyze that magic "programs" to understand what going on?

I think we may analyze the result only, cuz it is quite obvious what's going on there. However, I'm confused with that numbers and "d" and crypto inside... Does crypto related to the task or it is a part of the library?

 

Edited by Arkadiy
Link to comment

@Arkadiy

Spoiler

Possible to reproduce locally but you can't blindly replay the traffic from the pcap. Check the Nick.

There are multiple ways to solve this challenge, some of which requires minimal analysis. Can be solved with bruteforce without requiring a detailed study of the vm's.

The numbers and "d" are a part of the challenge. How they are generated can be found after analyzing the code. IDA works great if you create the structs and apply the proper function types.

 

Link to comment

Thank you guys for your comments and support. Solved everything.

@Extreme Coders, the nick was the first thing I've done 🙂 I had different problem and I wish to make some technical spoiler regarding the #10 task.

Spoiler

The only problem I faced is a good server. I tried two of the most famous, but the response didn't come. Then I've found a simple python script and everything is going to work well.

In summary, the #10 was the most simple I think 😄 , where the #5 is the worst. To be honest, I brute last 6 characters in #5... 🙂

 

Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...