gig1 Posted October 14: Hi guys, I am also stuck on ch5. I was able to decrypt the shellcode; however, I can't find any paths that lead me to discover the inputs for the shellcode and the filename. Feel free to DM if you can help me.
_no_clue Posted October 15: Can anyone give a nudge on how to proceed with the start of ch5? I found the initial piece but am unable to get anything useful out of it.
troplhers Posted October 15: Hi guys, I just started #7 and it looks like a really big mess. Spoiler: For starters, did you IDA guys manage to create or find signature files for the .NET system libraries and the BouncyCastle library? Without these the job seems really difficult...
test054 Posted October 16: Can anyone give me a hint on where to go in ch4, please? I'm stuck with strings.exe.
truongdz Posted October 16: Can anyone give me some detailed hints on ch2? I've been stuck here for a long time :((
cl4whands Posted October 17 (edited): Does challenge 8 still work correctly? Spoiler: I get the error "missing trie node" where I think I shouldn't. Also, I do not see the second method ID in the EVM code, and because of that (I guess) I get the error "Error happened while trying to execute a function ...". Is it my wrong action, or is it not supposed to be like that? The RPC URL from the official documentation is used. Nvm, got it. Weird challenge. Edited October 18 by cl4whands: upd
T2P16 Posted October 19 (edited): May I have some hints on Ch9? Spoiler: I feel like I have lifted most of the assembly, and IDA is now able to produce somewhat meaningful output. But the math operations are chained together within each chunk, and I guess I don't have the prerequisite math knowledge. Are there theorems in discrete math or cryptanalysis that deal with this specific challenge that I have to look for? Thank you! ^.^ [Update] I solved it! Spoiler: Hint: make sure you fully understand the challenge code and chop stuff up before feeding things into Z3. If you feel like Z3 is taking too long to output anything, check your setup. Edited October 23 by T2P16: Solved the challenge and no longer need a hint.
Peter Posted October 20: Any tips on traffic interception for ch7, please? Spoiler: Tried scapy, and while packet rewriting (for 127.0.0.1) is happening, the server doesn't receive the rewritten packet.
pcmcia Posted October 21: 20 hours ago, xdbruh1234 said: "Any hints on 9? Spoiler: I tried z3 and it's too slow." I also need some hints on 9. Spoiler: I think I know how they do the calculations, but I have no idea how to reverse it.
troplhers Posted October 21: Need a sanity check on ch7, please. Spoiler: I understand that it's the xxx-bit thing and the attack to use is probably PH, but it's not a standard configuration, right? The thing to be factored has to be extracted from memory, right?
oompa Posted October 21 (edited): Spoiler: On 10/15/2024 at 4:57 PM, troplhers said: "did you IDA guys manage to create or find signature files for the .NET system libraries and the BouncyCastle library? Without these the job seems really difficult..." This will make your life a lot easier, yes. I also am desperate for a nudge on #7. Spoiler: I know the handshake protocol and its (public) parameters. The value of interest is relatively small, but not small enough to be justified to be brute-forced as part of Flare-On? Or should I rather focus on what actually generates the value? EDIT: solved it. Same thing for me as for one of the previous comments: had the stuff at hand, just had to piece it together. Edited October 22 by oompa
Sawyer555 Posted October 23: On 10/21/2024 at 6:32 PM, oompa said: "Spoiler: This will make your life a lot easier, yes. I also am desperate for a nudge on #7. Spoiler: I know the handshake protocol and its (public) parameters. The value of interest is relatively small, but not small enough to be justified to be brute-forced as part of Flare-On? Or should I rather focus on what actually generates the value? EDIT: solved it. Same thing for me as for one of the previous comments: had the stuff at hand, just had to piece it together." Hi there, I would appreciate some help on this challenge. I am not very sure what I have in hand.
troplhers Posted October 23: On 10/20/2024 at 12:18 PM, Peter said: "Any tips on traffic interception for ch7, please? Spoiler: Tried scapy, and while packet rewriting (for 127.0.0.1) is happening, the server doesn't receive the rewritten packet." Why would you do this? On 10/21/2024 at 5:32 PM, oompa said: "Spoiler: This will make your life a lot easier, yes. I also am desperate for a nudge on #7. Spoiler: I know the handshake protocol and its (public) parameters. The value of interest is relatively small, but not small enough to be justified to be brute-forced as part of Flare-On? Or should I rather focus on what actually generates the value? EDIT: solved it. Same thing for me as for one of the previous comments: had the stuff at hand, just had to piece it together." Could you please give a hint? Spoiler: We are supposed to find in memory the n (order) of the curve?
oompa Posted October 23: Spoiler: Quote: "we are supposed to find in memory the n (order) of the curve?" No, you can compute the order with the parameters that are available. Spoiler: Quote: "Hi there, would appreciate some help on this challenge. I am not very sure what I got in hand." For me, it was helpful to understand what protocols are used for encrypting the traffic. For starters, it will be most helpful to get symbols for the cryptography library involved.
Sawyer555 Posted October 23: 4 hours ago, oompa said: "Spoiler: No, you can compute the order with the parameters that are available. Spoiler: For me, it was helpful to understand what protocols are used for encrypting the traffic. For starters, it will be most helpful to get symbols for the cryptography library involved." I did try that, but I'm not sure how to get those symbols. Any help with that?
Youriali Posted October 24: I could also use a hint for #7. Spoiler: I have gotten the symbols, I understand the protocol, I have the public parameters, but I haven't found a viable attack. I've tried PH and MOV, but they do not seem feasible. How advanced does the cryptographic knowledge need to be? @Sawyer555 Spoiler: I used the following articles as inspiration to get the symbols: https://hacklido.com/blog/855-reverse-engineering-of-natively-compiled-net-applications https://harfanglab.io/insidethelab/reverse-engineering-ida-pro-aot-net/
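Several of the #7 replies above mention "PH" (Pohlig-Hellman) and computing the curve order from the public parameters without saying what either involves. The following is an added example, not code from the thread or from any challenge, and it uses constructed toy parameters: the curve y^2 = x^3 + x over F_1019 is supersingular (1019 ≡ 3 mod 4), so its group order is p + 1 = 1020 = 2^2·3·5·17, which is smooth; the point count is also done by brute force here, which only works because the prime is tiny. It recovers a scalar d from Q = d·G by solving the discrete log prime power by prime power and recombining with the CRT. The point of the attack is that the cost is governed by the largest prime factor of the point's order, not by the order itself; on a real-size curve with a prime order it gains nothing.

```python
# Added example: Pohlig-Hellman for the ECDLP on a constructed toy curve.
# Parameters are assumptions for illustration, not taken from any challenge.
P_MOD = 1019          # constructed prime; P_MOD % 4 == 3 gives a one-line sqrt
A, B = 1, 0           # y^2 = x^3 + x, supersingular over this p, order p + 1
assert (4 * A**3 + 27 * B**2) % P_MOD != 0   # non-singular
INF = None            # point at infinity


def ec_neg(pt):
    return None if pt is None else (pt[0], (-pt[1]) % P_MOD)


def ec_add(p1, p2):
    """Affine short-Weierstrass addition with INF represented as None."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                              # p1 == -p2 (also doubling with y == 0)
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication, k >= 0."""
    acc = INF
    while k > 0:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def curve_order():
    """Naive point count: 1 (infinity) + sum over x of (1 + legendre(x^3 + Ax + B))."""
    n = 1
    for x in range(P_MOD):
        rhs = (x**3 + A * x + B) % P_MOD
        if rhs == 0:
            n += 1
        elif pow(rhs, (P_MOD - 1) // 2, P_MOD) == 1:
            n += 2
    return n


def factor(n):
    """Trial division -> {prime: exponent}; fine for toy sizes."""
    f, d = {}, 2
    while d * d <= n:
        while n % d == 0:
            f[d] = f.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        f[n] = f.get(n, 0) + 1
    return f


def point_order(pt, group_order):
    """Exact order of pt, using that it divides the group order (Lagrange)."""
    order = group_order
    for q in factor(group_order):
        while order % q == 0 and ec_mul(order // q, pt) is None:
            order //= q
    return order


def find_generator(group_order):
    """First affine point of full order (this toy group is cyclic)."""
    for x in range(P_MOD):
        rhs = (x**3 + A * x + B) % P_MOD
        if pow(rhs, (P_MOD - 1) // 2, P_MOD) == 1:
            pt = (x, pow(rhs, (P_MOD + 1) // 4, P_MOD))
            if point_order(pt, group_order) == group_order:
                return pt
    raise ValueError("no generator found")


def crt(residues):
    """Combine (r_i, m_i) pairs with pairwise coprime moduli."""
    x, m = 0, 1
    for r, mod in residues:
        x += m * (((r - x) * pow(m, -1, mod)) % mod)
        m *= mod
    return x % m


def pohlig_hellman(g, q_pt, n):
    """Solve q_pt = d*g where g has order n; returns d mod n.
    For each q^e dividing n, project into the order-q^e subgroup and recover
    d mod q^e one base-q digit at a time, each digit by brute force over q values."""
    residues = []
    for q, e in factor(n).items():
        qe = q**e
        g_sub, h_sub = ec_mul(n // qe, g), ec_mul(n // qe, q_pt)   # order q^e
        g0 = ec_mul(q ** (e - 1), g_sub)                             # order q
        x = 0
        for k in range(e):
            # strip the digits already known, then push into the order-q subgroup
            hk = ec_mul(q ** (e - 1 - k), ec_add(h_sub, ec_neg(ec_mul(x, g_sub))))
            digit = next(i for i in range(q) if ec_mul(i, g0) == hk)
            x += digit * q**k
        residues.append((x, qe))
    return crt(residues)


def demo(d=777):
    n = curve_order()
    g = find_generator(n)
    recovered = pohlig_hellman(g, ec_mul(d, g), n)
    return {"order": n, "factors": factor(n), "d": d % n, "recovered": recovered}


if __name__ == "__main__":
    print(demo())
```

Two things the toy hides that matter in a real target: `curve_order` is a brute-force count and has to be replaced by Schoof/SEA (or by the order the library already carries) for anything beyond a few bits, and `find_generator` relies on this particular group being cyclic. MOV, the other attack named above, applies to the same supersingular family because its embedding degree is 2; it is a different reduction (to F_{p^2}) and is not shown here.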
cybercat Posted October 24: Hello, regarding CH5, I have a question about this docker file. Do I need to load it into docker or podman? This tar file? I am asking because I cannot run it in docker or podman. The question is, did anybody manage to run it in docker? Or is it not necessary at all? Thank you for any help.
oompa Posted October 24: 10 minutes ago, cybercat said: "Hello, regarding CH5, I have a question about this docker file. Do I need to load it into docker or podman? This tar file? I am asking because I cannot run it in docker or podman. The question is, did anybody manage to run it in docker? Or is it not necessary at all? Thank you for any help." It's not a packed container image iirc, it's just an archive you can unpack.
cybercat Posted October 24: 29 minutes ago, oompa said: "It's not a packed container image iirc, it's just an archive you can unpack." Hmm... I never worked with docker, so I assumed that this TAR file is a docker "image" that I can import. Podman imported it, but I cannot run it. Also, the metadata looks like it is somehow related to docker. That's why I try to load it into docker, to run it somehow and check what is going on in the working environment. So the answer to my question is "you don't have to run it"?
oompa Posted October 24: 24 minutes ago, cybercat said: "So the answer to my question is "you don't have to run it"?" No, you don't.
eatcreche Posted October 25 (edited): May I have a hint for #8? Spoiler: I currently have what looks like fairly large Base64-encoded data, but I'm not sure if I'm looking at a red herring. The decoded data's entropy is quite high, and nothing in the contract(s) stands out to me suggesting what the next step should be. I have the final stage, but it isn't clear what values I am meant to replace the placeholders with. I'm assuming the URL is the same and that the address is the same one retrieved from the earlier stages. I tried modifying the block value, but doing this does not seem to retrieve any data back. Edit: solved it manually instead. Edited October 26 by eatcreche: solved
danilo Posted October 28: Any nudges for 9? Spoiler: I think I understand how the control flow and obfuscation work and that I need to discover the underlying constraints. I don't know how to lift the assembly to make it easier to uncover faster. It's too slow to go through manually, so I would appreciate tips on how to approach it.