Flare-On 10

[cojec93983]

3 hours ago, Canlex said:

  Hide contents

I also had this "issue". Your "ob5cUre" is wrong, you might say "this is what the debugger accepts, but really almost the entire string is built from an earlier part or sub-level if you will. so check where it derives "ob5cUre" from and then double check what in your input generated that string. this is trivial to do with a debugger. 

 

i got 'pb5cUe3' but its wrong too. AES decryption key is for sure 7 chars len? I don't see any other key characters checking against anything.

[test]

Spoiler

I need help with ch9: I didn't know where to find the code, so I created a RAM dump and found the code to be analyzed. After that I tried to figure out, how the disk is decrypted. I saw that the first 6 bytes have this XOR condition, so I get the message "Incorrect key" instead of "Invalid key". Then I identified the Blowfish algorithm and saw the test encryption with Test str. I tried to brute force the last two bytes of the blowfish key, but this wasn't successful. Am I missing something?

Regarding ch9, thanks in advance

Solved it...

Edited October 19, 2023 by test
Already solved it

[Kolombo]

57 minutes ago, test said:

  Hide contents

I need help with ch9: I didn't know where to find the code, so I created a RAM dump and found the code to be analyzed. After that I tried to figure out, how the disk is decrypted. I saw that the first 6 bytes have this XOR condition, so I get the message "Incorrect key" instead of "Invalid key". Then I identified the Blowfish algorithm and saw the test encryption with Test str. I tried to brute force the last two bytes of the blowfish key, but this wasn't successful. Am I missing something?

Regarding ch9, thanks in advance

Spoiler

You did everything right. Except im not sure if it is a BlowFish. I did brute in the boot code, just patched some bytes. It took almost 1 hour to brute on my Mac.

 

Edited October 19, 2023 by Kolombo

[loossy]

Spoiler

10 hours ago, cojec93983 said:

I also had this "issue". Your "ob5cUre" is wrong, you might say "this is what the debugger accepts, but really almost the entire string is built from an earlier part or sub-level if you will. so check where it derives "ob5cUre" from and then double check what in your input generated that string. this is trivial to do with a debugger. 

 

10 hours ago, cojec93983 said:

i got 'pb5cUe3' but its wrong too. AES decryption key is for sure 7 chars len? I don't see any other key characters checking against anything.

 

In the two examples above, each just one character is incorrect.
Try combining them well

Edited October 19, 2023 by loossy

[Kolombo]

Oh.... I've solved #ch10, that was crazy. The most difficult task in this year. However, I haven't seen 11,12,13 yet... 🙂

Only 1 advice: take a bag of the RedBull and be patient

Edited October 19, 2023 by Kolombo

[cw_2]

I'm a bit stuck on 11...probably a lack of crypto/math knowledge. can someone point me in the right direction?

Spoiler

I don't see any other way forward other than recovering the data used to actually encrypt the file contents. Recovering that data looks like it requires an attack on something pretty strong. I've been reading a lot about ways to do it, and I've tried a lot of known methods (coppersmith, low public) using various tools, python, sagemath...but I'm either implementing it wrong every time or I'm missing something obvious. Have I made a bad assumption somewhere? I think I have to attack those 0x100 bytes and somehow it should be possible. It just doesn't seem to work...is it a matter of more patience on a bruteforce attempt? or should I be able to calculate it quickly if I have the right equation?

any hints, reading material, writeups of related concepts, etc. would be appreciated. thanks!

 

[Kolombo]

2 hours ago, cw_2 said:

I'm a bit stuck on 11...probably a lack of crypto/math knowledge. can someone point me in the right direction?

  Hide contents

I don't see any other way forward other than recovering the data used to actually encrypt the file contents. Recovering that data looks like it requires an attack on something pretty strong. I've been reading a lot about ways to do it, and I've tried a lot of known methods (coppersmith, low public) using various tools, python, sagemath...but I'm either implementing it wrong every time or I'm missing something obvious. Have I made a bad assumption somewhere? I think I have to attack those 0x100 bytes and somehow it should be possible. It just doesn't seem to work...is it a matter of more patience on a bruteforce attempt? or should I be able to calculate it quickly if I have the right equation?

any hints, reading material, writeups of related concepts, etc. would be appreciated. thanks!

 

Spoiler

Working on one of them right now. Tell u a bit later.

 

Edited October 21, 2023 by Kolombo
so many hints

[Kolombo]

2 hours ago, cw_2 said:

I'm a bit stuck on 11...probably a lack of crypto/math knowledge. can someone point me in the right direction?

  Reveal hidden contents

I don't see any other way forward other than recovering the data used to actually encrypt the file contents. Recovering that data looks like it requires an attack on something pretty strong. I've been reading a lot about ways to do it, and I've tried a lot of known methods (coppersmith, low public) using various tools, python, sagemath...but I'm either implementing it wrong every time or I'm missing something obvious. Have I made a bad assumption somewhere? I think I have to attack those 0x100 bytes and somehow it should be possible. It just doesn't seem to work...is it a matter of more patience on a bruteforce attempt? or should I be able to calculate it quickly if I have the right equation?

any hints, reading material, writeups of related concepts, etc. would be appreciated. thanks!

 

Spoiler

CONFIRMED. One of your approaches works.

 

Edited October 21, 2023 by Kolombo
so many hints, deleted answer to the task

[bpsl]

Stuck on #3, feel like I missed something important here:

 

Spoiler

I'm on the part where it reads the pr.ost file it wrote out, and checks if the first four bytes equal 11333377. I found the part that writes those four bytes to the file, but it seems to generate those four bytes from some operations on a random byte that it gets from a malloc call... This one seed byte always seems random, so I'm having trouble seeing how you could control the four bytes in the pr.ost file? What am I missing?

 

[gghost]

17 hours ago, Kolombo said:

  Reveal hidden contents

CONFIRMED. One of your approaches works.

 

I'm sorry to be asking for more hints on challenge 11, but I'm very stuck and frustrated. I have been trying to solve this for the past 5 days, 3 of which went into trying to get the approach you have mentioned in your original reply (before editing it) work. As far as I understand that approach requires you to know some bytes at the beginning of the message before the encryption takes place, however those bytes are random. The only bytes we know are at the end of the message, which doesn't help with this approach. Bruteforcing for the start bytes is also not a viable route as far as I can tell because it would take too long.

I would be very grateful if you could provide any information as to how to make the approach you have originally mentioned work, but I also understand if you think that would be too much to reveal.

[Kolombo]

1 hour ago, gghost said:

I'm sorry to be asking for more hints on challenge 11, but I'm very stuck and frustrated. I have been trying to solve this for the past 5 days, 3 of which went into trying to get the approach you have mentioned in your original reply (before editing it) work. As far as I understand that approach requires you to know some bytes at the beginning of the message before the encryption takes place, however those bytes are random. The only bytes we know are at the end of the message, which doesn't help with this approach. Bruteforcing for the start bytes is also not a viable route as far as I can tell because it would take too long.

I would be very grateful if you could provide any information as to how to make the approach you have originally mentioned work, but I also understand if you think that would be too much to reveal.

Spoiler

Your purpose is to decrypt the random bytes. They are random, but the encryption is weak. You can decrypt all of them. You know the start and the end. You have encrypted part in some place (i guess, you know where). So, just decrypt the middle one.

You said you saw what I wrote in the original message. Yes, it is the attack you need to use. And it is about the decrypting of the middle one.

P.S.: the source code on the GitHub which you may found has a mistake. You need to find a writeup. Follow it and get the answer 🙂

 

Edited October 22, 2023 by Kolombo

[cw_2]

3 hours ago, gghost said:

I'm sorry to be asking for more hints on challenge 11, but I'm very stuck and frustrated. I have been trying to solve this for the past 5 days, 3 of which went into trying to get the approach you have mentioned in your original reply (before editing it) work. As far as I understand that approach requires you to know some bytes at the beginning of the message before the encryption takes place, however those bytes are random. The only bytes we know are at the end of the message, which doesn't help with this approach. Bruteforcing for the start bytes is also not a viable route as far as I can tell because it would take too long.

I would be very grateful if you could provide any information as to how to make the approach you have originally mentioned work, but I also understand if you think that would be too much to reveal.

Spoiler

You've made an assumption here that is incorrect. You know much more than just the bytes at the end of the message. Take another look at the code that prepares the buffer for encryption, particularly its size.

Also, yes, Coppersmith ends up being the right attack. I chose the wrong implementation to try and that was the mistake I was making. To avoid making the mistake I did, here's a hint...there is a python3 sagemath implementation of the coppersmith attack that deals with the exact situation we have here: [known bytes][unknown bytes][known bytes].

 

Edited October 22, 2023 by cw_2

[cw_2]

14 hours ago, bpsl said:

Stuck on #3, feel like I missed something important here:

 

  Reveal hidden contents

I'm on the part where it reads the pr.ost file it wrote out, and checks if the first four bytes equal 11333377. I found the part that writes those four bytes to the file, but it seems to generate those four bytes from some operations on a random byte that it gets from a malloc call... This one seed byte always seems random, so I'm having trouble seeing how you could control the four bytes in the pr.ost file? What am I missing?

 

Spoiler

Consider the purpose of malloc. Then work your way back up the code to see where this seemingly random value comes from. Besides really reading the code carefully, one useful approach is to set a breakpoint at the place where you think the byte is random, change your input and see if you can have some effect on that resulting byte. Test different values.

 

[gghost]

2 hours ago, Kolombo said:

  Reveal hidden contents

Your purpose is to decrypt the random bytes. They are random, but the encryption is weak. You can decrypt all of them. You know the start and the end. You have encrypted part in some place (i guess, you know where). So, just decrypt the middle one.

You said you saw what I wrote in the original message. Yes, it is the attack you need to use. And it is about the decrypting of the middle one.

P.S.: the source code on the GitHub which you may found has a mistake. You need to find a writeup. Follow it and get the answer 🙂

 

Thanks a lot for your response. I think I got all the pieces of the puzzle except for one. You said that "You know the start and the end.". I do know the end, but I have no idea how you know the start.

Spoiler

The message structure is as follows (I purposefully exclude the encrypted flag from here, since we are only focusing on this part now): <some null bytes> + <some random bytes> + <fixed/hardcoded constant>. This gets encrypted, and I know the end, since it is just the constant bytes, but I have no idea about the start, because it falls in the <some random bytes> area. From what you are writing it seems to be the structure is more as follows: <some null bytes> + <some known bytes> + <some random bytes> + <fixed/hardcoded constant>. If I had this structure then I would be able to use the approach and recover the random bytes, I tested it with a toy example.

So either I'm missing something very obvious here, or I'm not solving the same challenge.
Could you please confirm that your binary also has the same sha1 hash: 40249c35712e89fcb70ed4e32b66a7d9c0744f88

[Kolombo]

14 hours ago, gghost said:

Thanks a lot for your response. I think I got all the pieces of the puzzle except for one. You said that "You know the start and the end.". I do know the end, but I have no idea how you know the start.

  Hide contents

The message structure is as follows (I purposefully exclude the encrypted flag from here, since we are only focusing on this part now): <some null bytes> + <some random bytes> + <fixed/hardcoded constant>. This gets encrypted, and I know the end, since it is just the constant bytes, but I have no idea about the start, because it falls in the <some random bytes> area. From what you are writing it seems to be the structure is more as follows: <some null bytes> + <some known bytes> + <some random bytes> + <fixed/hardcoded constant>. If I had this structure then I would be able to use the approach and recover the random bytes, I tested it with a toy example.

So either I'm missing something very obvious here, or I'm not solving the same challenge.
Could you please confirm that your binary also has the same sha1 hash: 40249c35712e89fcb70ed4e32b66a7d9c0744f88

Spoiler

This is your struct:
<some null bytes> + <some random bytes> + <fixed constant>

"some null bytes" - known part (so, you know the start of the encrypted data; yes, they are "zeroes")

"some random bytes" - unknown crypto-random bytes (need to find out)

"fixed constant" - also known part (so, you know the end of the encrypted data)

I've solved the task in the several steps:

1. Find a writeup of the past CTF and check if you can reach the same results.

2. Modify step by step the example of the CTF input data:

- change N to our case, check if writeup still works

- change e to our case, check if writeup still works

- move the CTF's encrypted part to the same position that we have, check if writeup still works

- change the size of the encrypted data, check if writeup still works

- fully exchange CTF's data with ours and don't forget to change 'epsilon'

SHA1 confirmation: 40249c35712e89fcb70ed4e32b66a7d9c0744f88

Edited October 23, 2023 by Kolombo

[gghost]

2 hours ago, Kolombo said:

  Reveal hidden contents

This is your struct:
<some null bytes> + <some random bytes> + <fixed constant>

"some null bytes" - known part (so, you know the start of the encrypted data; yes, they are "zeroes")

"some random bytes" - unknown crypto-random bytes (need to find out)

"fixed constant" - also known part (so, you know the end of the encrypted data)

I've solved the task in the several steps:

1. Find a writeup of the past CTF and check if you can reach the same results.

2. Modify step by step the example of the CTF input data:

- change N to our case, check if writeup still works

- change e to our case, check if writeup still works

- move the CTF's encrypted part to the same position that we have, check if writeup still works

- change the size of the encrypted data, check if writeup still works

- fully exchange CTF's data with ours and don't forget to change 'epsilon'

SHA1 confirmation: 40249c35712e89fcb70ed4e32b66a7d9c0744f88

Thank you very much for your patience. I kept looking around for implementations of the attack and writeups as you have suggested, and finally managed to find one that worked. I am still a bit confused as to why it works, but I will have to take a deeper look.

On to the last 2 challenges now, thanks once again!

[pcmcia]

I need some question about ch#10.  I'm using the provided mog.cfg.  However, when I run it on my pdp11 emulator (v3.8-1 on ubuntu), it complains about this line "set rq0 ra80".  It complains about "non-existent parameter".  Does anyone get that? Or is that part of the challenge?

[Kolombo]

3 minutes ago, pcmcia said:

I need some question about ch#10.  I'm using the provided mog.cfg.  However, when I run it on my pdp11 emulator (v3.8-1 on ubuntu), it complains about this line "set rq0 ra80".  It complains about "non-existent parameter".  Does anyone get that? Or is that part of the challenge?

I had the same error while running on Linux Docker. Then I've installed PDP emulator on Mac (Host OS) and it works fine. I think you can ignore this error.

[pcmcia]

8 minutes ago, Kolombo said:

I had the same error while running on Linux Docker. Then I've installed PDP emulator on Mac (Host OS) and it works fine. I think you can ignore this error.

Thanks for the quick reply.  Am I supposed to get this as well?

# cat /dev/rmt12
ts0: not online
/dev/rmt12: Input/output error
 

[Kolombo]

10 minutes ago, pcmcia said:

Thanks for the quick reply.  Am I supposed to get this as well?

# cat /dev/rmt12
ts0: not online
/dev/rmt12: Input/output error
 

I have this in my notes, then should work:
 

attach ts0 forth.tap
boot rq0
Ctrl+D
root/Flare-On

 

[pcmcia]

14 minutes ago, Kolombo said:

I have this in my notes, then should work:
 

attach ts0 forth.tap
boot rq0
Ctrl+D
root/Flare-On

 

Thanks!  I got the files from the tape drive.  Is the 2nd file supposed to be an executable?  I can't seem to run it.  

[Kolombo]

9 minutes ago, pcmcia said:

Thanks!  I got the files from the tape drive.  Is the 2nd file supposed to be an executable?  I can't seem to run it.  

yes, the 2nd one is the executable. The task is started from here 😜

[test]

Can anyone give me a tip on Challenge 10? I can run the file and have since viewed it for several hours in IDA. But don't really get along with the debugger (adb) and in IDA I can't really discover anything helpful. Have the feeling I'm missing a bit of the start....

[Kolombo]

2 minutes ago, test said:

Can anyone give me a tip on Challenge 10? I can run the file and have since viewed it for several hours in IDA. But don't really get along with the debugger (adb) and in IDA I can't really discover anything helpful. Have the feeling I'm missing a bit of the start....

I've spent 5 nights.

[pcmcia]

Regarding ch #10 second file, if the file is meant to be executable, did I do something wrong?  Or is getting the file to execute part of the challenge?

# ls -l f
-rwxr-x--x  1 root         4591 Aug  5 00:29 f

# ./f
./f: syntax error at line 4: `(' unexpected
#