Flare-On 6 CTF WriteUp: help | Attify Blog - IoT Security, Pentesting and Exploitation
Flare-On 6 CTF WriteUp: vv_max | Attify Blog - IoT Security, Pentesting and Exploitation
Flare-On 6 CTF WriteUp: Mugatu | Attify Blog - IoT Security, Pentesting and Exploitation
Flare-On 6 CTF WriteUp: reloaderd | Attify Blog - IoT Security, Pentesting and Exploitation
Flare-On 6 CTF WriteUp: snake | Attify Blog - IoT Security, Pentesting and Exploitation
Flare-On 6 CTF WriteUp: wopr | Attify Blog - IoT Security, Pentesting and Exploitation
Flare-On 6 CTF WriteUp: bmphide | Attify Blog - IoT Security, Pentesting and Exploitation
Flare-On 6 CTF WriteUp: Demo | Attify Blog - IoT Security, Pentesting and Exploitation
Flare-On 6 CTF WriteUp: Dnschess | Attify Blog - IoT Security, Pentesting and Exploitation
Catbert Ransomware presents a disk image with four encrypted files, and a UEFI BIOS. I’ll run the BIOS in an emulator, and find the binary responsible for the shell. In there, I’ll find the decrypt function and reverse it to see how it is using code at the end of the encrypted images in a small VM to check the input password. I’ll write a Python VM emulator to work through the code finding the passwords. On decrypting all three, there’s some fun in the emulated BIOS and the flag. | 0xdf hacks stuff
fullspeed is a challenge around a .NET-AOT binary, which means unlike typical .NET binaries, it’s fully compiled to assembly. The binary makes an Elliptic Curve Diffie-Hellman exchange and then uses it to send data including the flag. I’ll show how I use the given PCAP and the initialized values in the binary to recover the randomly generated private key, and decrypt the messages. | 0xdf hacks stuff
bloke2 involves reversing a Verilog description language project to find a hidden flag inserted by a missing developer. I’ll find a relatively long string of data and where an XOR might be applying it to the input test data, except it’s always disabled by a flag. I’ll enable that flag and the flag comes out while running the tests. | 0xdf hacks stuff
sshd is a really cool challenge that is based on the XZ Utils backdoor. I get an image that has an sshd coredump. In it, I’ll find where it crashed, in the liblzma library. I’ll reverse that to see where it is decrypting a static shellcode buffer and running it. That buffer is connecting to a TCP socket and reading off an encryption key and nonce, as well as a file path. It then reads the file at that path, encrypts it, and sends it back over the socket. I’ll use the core dump to get th... | 0xdf hacks stuff
Meme Maker 3000 is an HTML / JavaScript challenge that is made so much easier using webcrack. Most of the solution here is running webcrack and then it’s fairly easy to see a few commands to run in the browser dev console to get the flag. I’ll include a video comparing my solution without webcrack with what webcrack can do. | 0xdf hacks stuff
aray is a Yara reversing challenge. The Yara language is used to classify and identify malware (and other binary) files. In aray, I’m given a complex rule with hundreds of conditions that define an 85-byte file. I’ll find the 38 conditions that actually define the 85 bytes, and write a Python script to parse the rule and return the file contents. | 0xdf hacks stuff
checksum presents a binary compiled from Golang. I’ll have to answer a series of math addition problems, and then give it the valid SHA256 hash that matches a static value stored in the binary. On success, it writes an image to my AppData Local directory that has the flag. | 0xdf hacks stuff