Kolombo Posted October 23, 2023
1 hour ago, pcmcia said:
> Regarding ch #10 second file, if the file is meant to be executable, did I do something wrong? Or is getting the file to execute part of the challenge?
> # ls -l f
> -rwxr-x--x 1 root 4591 Aug 5 00:29 f
> # ./f
> ./f: syntax error at line 4: `(' unexpected
> #
It is a very little part of the challenge 🙂
kao Posted October 23, 2023
@pcmcia:
Spoiler
You did not extract the file from the tape correctly. Unpacked size should be 6392 bytes.
AeroX2 Posted October 24, 2023
I need a little nudge for ch10, if anyone can provide it would be greatly appreciated.
Spoiler
I've managed to extract the tap file and run the executable, I've started having a look at the assembly in adb and the decrypt function. However I'm not sure where the data to feed the decrypt function comes from? I'm assuming it is the secret word but the address it places on the stack doesn't seem to be encrypted data.
Kolombo Posted October 24, 2023
7 hours ago, AeroX2 said:
> I need a little nudge for ch10, if anyone can provide it would be greatly appreciated.
> Spoiler
> I've managed to extract the tap file and run the executable, I've started having a look at the assembly in adb and the decrypt function. However I'm not sure where the data to feed the decrypt function comes from? I'm assuming it is the secret word but the address it places on the stack doesn't seem to be encrypted data.
Spoiler
The address is the pointer to encrypted data. You need to perform 2 operations in order to decrypt it. Use FORTH command line to pass params. Check how FORTH words work.
Edited October 24, 2023 by Kolombo
cojec93983 Posted October 25, 2023
ch5, is the function to decrypt the layer with the hint the same function that needs to patch arg and decrypt the last layer or the buffer (I don't know what's in it yet) that the second hint sends to?
loossy Posted October 25, 2023
Does anyone know of a manual or site that can be referred to for solving ch10? This challenge is such a riddle to me.
Kolombo Posted October 25, 2023
4 hours ago, loossy said:
> Does anyone know of a manual or site that can be referred to for solving ch10? This challenge is such a riddle to me.
I've answered u in PM. BTW, you didn't say what u have already done.
test Posted October 26, 2023
Regarding #13:
Spoiler
I saw the reverse shell and found the two "hidden" commands. I guess the advice command is useless and so I continued with the secret command. I found the password for the secret command and was able to decrypt the false flag. Then I saw that Mersenne Twister is used for generating a key that is used to encrypt the contents of a part of the false flag picture. After that the content is encoded with something that looks like base64. Since there seems to be a random component, I'm unsure if I'm looking in the right place. On the other hand, I could imagine that because of the hint in the password I just have to keep sending the command, after all it is a PRNG which always generates the same numbers. Do I maybe just have to wait for the right numbers?
Kolombo Posted October 26, 2023
REMOVED. Sorry for the public findings.
Edited October 26, 2023 by Kolombo
Kolombo Posted October 26, 2023
CH #13
Spoiler
I guess this is encrypted data we need to decrypt: 7F .... The only way to decrypt is to give the right SOME value which is limited at the end to "0x7FFFFFFF"
Edited October 26, 2023 by Kolombo removed findings
test Posted October 26, 2023
1 hour ago, Kolombo said:
> CH #13
> Spoiler
> I guess this is encrypted data we need to decrypt: 7F 2B D8 F5 C3 44 6D B7 75 95 89 A7 B9 C3 2C 3F 9E 91 B8 DC 6E 55 A7 51 E6 2C 59 BC 9C 12 98 06 8B A0 50 79 18 AA 29 4E 84 96 5F A6 37 9F ED 9A 33 3C ED 34 2D 63 7F 6C 5A The only way to decrypt is to give the right seed value which is limited at the end to "0x7FFFFFFF" because of "lcg".
Spoiler
Yes, that's how I see it, too. Probably you have to find out the encryption algorithm, detect the algorithm that generates the Base64-like code (in my opinion it is not Base64) and then try all the seeds from the advices. Does anyone have any idea what the algorithms might be?
Kolombo Posted October 26, 2023
6 hours ago, test said:
> Spoiler
> Yes, that's how I see it, too. Probably you have to find out the encryption algorithm, detect the algorithm that generates the Base64-like code (in my opinion it is not Base64) and then try all the seeds from the advices. Does anyone have any idea what the algorithms might be?
Spoiler
Need to construct from the hardcoded function the following from the extracted data.
Edited October 26, 2023 by Kolombo
test Posted October 26, 2023
1 minute ago, Kolombo said:
> Spoiler
> Need to construct from the hardcoded function the following: CyberChef << -- link to the disassembled code
Yes, I've seen that too and spent several hours googling for it. But have found nothing useful.
Washi (Author) Posted October 26, 2023
@test @Kolombo Please leave any of your concrete findings in DMs, and maybe remove some of the details in your posts. FLARE is an individual competition, not meant to be collaboratively solved all together as a forum. Thanks!
Kolombo Posted October 28, 2023
Done 💥💥💥 This is my second. This year was more difficult than Flare-On 8. I almost lost hope while solving the last task. Also I'd like to say 'thank you' to @kao!
gghost Posted October 28, 2023
May I ask for a small nudge for challenge 13? I feel like I have a good understanding of the binary. Without posting too many details, I have figured out how the secret messages are generated, I even wrote my own implementation (C, assembly and a bit of Python) that can generate the same messages. My biggest issue is that I'm not sure what I'm supposed to do now to get the flag. I tried combining the steps I have implemented in various ways, but I never got the flag. Is it possible I have missed some crucial steps while reversing the binary, or should I keep trying to combine the generation steps in more ways? Any pointers would be greatly appreciated!
Kolombo Posted October 29, 2023
10 hours ago, gghost said:
> May I ask for a small nudge for challenge 13? I feel like I have a good understanding of the binary. Without posting too many details, I have figured out how the secret messages are generated, I even wrote my own implementation (C, assembly and a bit of Python) that can generate the same messages. My biggest issue is that I'm not sure what I'm supposed to do now to get the flag. I tried combining the steps I have implemented in various ways, but I never got the flag. Is it possible I have missed some crucial steps while reversing the binary, or should I keep trying to combine the generation steps in more ways? Any pointers would be greatly appreciated!
I don't exactly understand what you mean by 'secret messages'. Anyway
Spoiler
If you mean "Yoda saying," then you need to answer the question "What might he say?". After that, answer "How can one achieve that?"
BTW: ^^^ I don't have a powerful PC, there is a straightforward way to solve it. Just need to make a few weak assumptions.
Edited October 29, 2023 by Kolombo
gghost Posted October 29, 2023
2 hours ago, Kolombo said:
> I don't exactly understand what you mean by 'secret messages'. Anyway
> Spoiler
> If you mean "Yoda saying," then you need to answer the question "What might he say?". After that, answer "How can one achieve that?"
> BTW: ^^^ I don't have a powerful PC, there is a straightforward way to solve it. Just need to make a few weak assumptions.
Thank you so much, this gave me enough willpower to continue working on the challenge, and I did manage to get the flag. Overall I really enjoyed the contest, I just wish I didn't get stuck so many times, and go down so many time-waster paths, but I guess that should go away with more experience.
mmmm Posted October 30, 2023
appreciate a nudge for #10
Spoiler
i've been analysing the decryption function and i've identified 3(?) arguments that should be fed to it, but i haven't been able to feed data without crashing it
i understand the crux of the function, but it feels like i'm taking an oversimplistic approach to the challenge. as a sanity check, am i heading in the right direction or is there another part of the challenge that i'm missing big time?
Edited October 30, 2023 by mmmm
Kolombo Posted October 30, 2023
10 hours ago, mmmm said:
> appreciate a nudge for #10
> Spoiler
> i've been analysing the decryption function and i've identified 3(?) arguments that should be fed to it, but i haven't been able to feed data without crashing it
> i understand the crux of the function, but it feels like i'm taking an oversimplistic approach to the challenge. as a sanity check, am i heading in the right direction or is there another part of the challenge that i'm missing big time?
Spoiler
To solve this task you don't need to provide data. Of course, if you wish you can, but it is enough to understand what the purpose of the function is. Then you need one more function as well as the encrypted data. Analyze both algorithms and apply them to the encrypted data.
gifr Posted October 30, 2023
Need support for ch3. I can't figure out the first byte of the first shellcode that gets executed. All bytes seem off and not in line with the execution context. Anyone else had the same problem?
UnskilledGarbage Posted October 31, 2023
kinda stuck on that pdp11 thing
Spoiler
I have encrypted data and its size but I do not see any function that derives a key. do I pass it myself? it seems that r1 register in decrypt function, that holds key ptr points to user passed data. Is the hint about Ken Thompson's password relevant here? does not seem to work. or is it some cyclic thing like the next byte of encrypted data is key to previous or smth and the only question is starting pointers? does task require to do some funky stuff with a bunch of forth words? some calculations or something... also found some words that are not in debug symbols.. are they relevant?
Edited October 31, 2023 by UnskilledGarbage upd
Washi (Author) Posted November 3, 2023
@gifr
Spoiler
Remember that every byte that is put into shellcode is strongly related to the input password, i.e., it needs to be printable characters. Furthermore, try to figure out what 'type' of instruction may be required. This should limit your options a lot.
@UnskilledGarbage
Spoiler
Reread the README and the welcome message again... and again, and then again. It contains more information than you may realize. It took me a few reads before I fully used everything that is mentioned there.
@mmmm
Spoiler
Yes. Also, like the advice given to UnskilledGarbage, the READMEs contain everything you need. Reread it again, it may contain more information than you realize.
backin Posted November 5, 2023
Good day everyone, need some help with ch10.
Spoiler
I can trace functions "decode" and "decrypt" via adb but cannot see any changes of `secret` if I set it as one of the parameters. I found `secret` in raw binary, but i have no clue how to properly proceed it to "decode" and "decrypt".
UPD: realized how to proceed `secret` to `decode`, but `decrypt` makes my life a bit challenging rn - i tried all variants of submitting 4 params to it, still no hope
UPD2: i can bp on xor, there are a lot of strange things (e.g. why it parses content of previous command??? or something broke on my side)
UPD3: solved. Insane and frustrating, not all information in the tap description is accurate
Edited November 6, 2023 by backin
f355 Posted November 8, 2023
would appreciate some help on ch13
Spoiler
so I wrote a reverse shell server-side script, so I can issue commands to the client and receive responses. I found 2 commands: one gives a life tip, another tells me I need to provide a password. I am kind of stuck at this point, any pointers would be appreciated.. Also the debugging here is tricky since the executable relaunches itself after every command, so it is hard to debug how commands are processed and responses generated. Any tips for proper debugging? Should I patch the binary so it doesn't terminate itself? Also saw folks on Twitter saying there is a special "tooling" that can help solving this. What can that be?
Edited November 9, 2023 by f355