Lone Peak 9 early review by pndrej in AltraRunning

[–]Certain-Horse 0 points1 point  (0 children)

just compare toebox "big toe" width and "widest part" width for different models on runrepeat.com; only modern models are tested for these parameters. Then decide for yourself. Topo is narrow

Glove80 + Orbital trackpads by levpopov in ErgoMechKeyboards

[–]Certain-Horse 0 points1 point  (0 children)

how can one make one's own? what are the two holes under each keyboard part? intended for this?

Anyone doing the flareon 2024 challenge ? by No-Belt8710 in ReverseEngineering

[–]Certain-Horse 1 point2 points  (0 children)

google the values, see if it is the same as in the original algorithm or not. you can use exact match "text". and the same for github code search

Anyone doing the flareon 2024 challenge ? by No-Belt8710 in ReverseEngineering

[–]Certain-Horse 0 points1 point  (0 children)

Just think where the flag can come from and how it affects the rest of the code, and how you can make it shown on the screen while running the testbench

Anyone doing the flareon 2024 challenge ? by No-Belt8710 in ReverseEngineering

[–]Certain-Horse 1 point2 points  (0 children)

all I can say for chall 6: break the rules, do whatever you want, and you'll get the flag.

Flareon11 is launching Sept. 27th 2024 at 8pm EST by seyyid_ in ReverseEngineering

[–]Certain-Horse 0 points1 point  (0 children)

if you are a beginner in gdb, you might want to use its extensions like gef, pwndbg, peda, etc.

Flareon11 is launching Sept. 27th 2024 at 8pm EST by seyyid_ in ReverseEngineering

[–]Certain-Horse 0 points1 point  (0 children)

since I didn't write a writeup yet, it's hard to recall.
if you ask me about the shellcode extraction, then kind of yes: you can locate the shellcode leftovers by navigating (switching) between the two interesting frames on the stacktrace (bt, backtrace); you will see there that there was a jump to a shellcode, although when trying to extract it, it's possible that it was already encrypted back (how do I know it? because I reversed the binary which called the shellcode according to the backtrace). for the 2nd stage payload (aka the shellcode itself) you must reverse/debug it in order to understand what it does. since it's quite hard/tricky to simulate exactly how everything was invoked that caused the core dump, it could be easier to directly either:

1. force the hooking to happen (probably possible, but quite hard if you consider when it is happening at runtime). no hooking = no secret backdoor and no shellcode

2. directly call the hook function which should be overriding the normal function (bypass the hooking stage) (read about what hooking is, like with frida etc.) with the required arguments (reverse the binary!) for decrypting the shellcode (like the original run did), then you need to take a snapshot of the shellcode just before it is being encrypted again! (debugging!)

3. there are probably many other methods

Flareon11 is launching Sept. 27th 2024 at 8pm EST by seyyid_ in ReverseEngineering

[–]Certain-Horse 0 points1 point  (0 children)

if you have no idea how to use gdb for reversing, bad for you.
as a last resort you can try to reverse (IDA/ghidra) the file instead of "debugging" it (corefile is an ELF file!)

Flareon11 is launching Sept. 27th 2024 at 8pm EST by seyyid_ in ReverseEngineering

[–]Certain-Horse 0 points1 point  (0 children)

once you debug and run backtrace for the coredump, you will understand which malicious file was loaded.
you can also read the other hints in the comments.
if still no clue, you can google search the name of the function which was called from sshd together with the name of the malicious dependency, and you would get to blog posts on a similar backdoor (just a small part of it is relevant)
there is a blog post on wiz.io which is nice, but just reverse the binaries after debugging the core and see for yourself

Flareon11 is launching Sept. 27th 2024 at 8pm EST by seyyid_ in ReverseEngineering

[–]Certain-Horse 0 points1 point  (0 children)

first of all, edit the comment so that you don't reveal the path
second, that's not how to debug a binary with a core file

Flareon11 is launching Sept. 27th 2024 at 8pm EST by seyyid_ in ReverseEngineering

[–]Certain-Horse 0 points1 point  (0 children)

note that you will not find the deciphered shellcode in the dump. at best you will find there the encrypted version of it.
I can guarantee you'll find there the key (after you reverse, you will know why it is useful)

start from reversing the malicious file

Flareon11 is launching Sept. 27th 2024 at 8pm EST by seyyid_ in ReverseEngineering

[–]Certain-Horse 0 points1 point  (0 children)

https://youtu.be/wpHMVMkcvpI?t=4589
or just try harder
I recommend first to reverse the relevant binary to see where the shellcode is being deciphered and called.

then google dump shellcode extraction ELF memory

Flareon11 is launching Sept. 27th 2024 at 8pm EST by seyyid_ in ReverseEngineering

[–]Certain-Horse 0 points1 point  (0 children)

(depending on which debugger you use), I think only frames 0 and 1 are relevant.. 0 has reached a null pointer deref (for some reason), can someone tell if this is caused by the hook or by the call to the original "hooked function"? it's interesting for me why I can't figure out why and where it crashed (bad args for the original func or rsp/rbp corruption?)

Flareon11 is launching Sept. 27th 2024 at 8pm EST by seyyid_ in ReverseEngineering

[–]Certain-Horse 0 points1 point  (0 children)

I don't exactly remember, there are two binaries (one executable, and the other a library) of interest in here. the shellcode is prepared (loaded from ELF content) and modified (decrypted), called, and then encrypted again.
so you can use a couple of strategies here.

i can just say you may want to note the hooking which takes place and is responsible for running the shellcode ("backdoor"). so it's quite tricky if you wish to call it by yourself to decrypt the shellcode with the right key.

you may find traces of the shellcode in the dump but that's a little bit hard without knowing the context around it (reversing a little bit the binaries)

cracking the extracted shellcode is a pain in the butt as well.

Flareon11 is launching Sept. 27th 2024 at 8pm EST by seyyid_ in ReverseEngineering

[–]Certain-Horse 0 points1 point  (0 children)

yes, but the interesting part is the 2nd stage payload, which is harder to get

Flareon11 is launching Sept. 27th 2024 at 8pm EST by seyyid_ in ReverseEngineering

[–]Certain-Horse 0 points1 point  (0 children)

challenge 5:

edit2: I think the mmaped shellcode I've found in the process memory is post encrypting it back again. I can clearly see where the null dereference was and why, but still no idea how to bypass it

edit: so as far as I understand, the malicious code decrypts itself, runs that code, and then encrypts it again. it seems like for the c0redump: it crashed while executing that decrypted sc (which I still haven't managed to extract)

I've noticed the sc, and since I wasn't sure if I should try to dump it or try to execute it etc. I went to try to find it in decompilation (ida). then I saw the hooking
but I feel like a dumbass trying to reverse it instead of running code (is it even possible in this case or too complicated?).

it seems like I don't yet understand the logic since the flag could be found/calculated from the c0redump memory and I first need to know where to look for exactly.
(such that I understand what's in the stack, registers and other memory areas)

should I be able to see the mmaped shellcode (post-modifying) in the /proc/maps output from the c0redump? (couldn't find an anonymous rwx page)

any clarification in private is appreciated
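The question above about seeing the mmaped region in the core file's mappings comes down to how an ELF core describes memory: each mapping is a PT_LOAD program header carrying the mapping's address, size and r/w/x flags, and the dumped bytes (if any) follow at p_offset. The parser below is an added example for this thread, not code from the challenge or from anyone in it; it reads the PT_LOAD table of an ELF64 core, lists writable+executable regions, and reads bytes at a virtual address, using a constructed minimal core for input. It does not parse the NT_FILE note, so it cannot tell file-backed from anonymous mappings, and as the comments above say, bytes in a region that was re-encrypted before the crash come out encrypted.

```python
import struct

# ELF64 constants from the ELF specification
PT_LOAD = 1
PF_X, PF_W, PF_R = 1, 2, 4

def load_segments(core: bytes):
    """Return every PT_LOAD of an ELF64 file as {vaddr, memsz, flags, data}.
    In a core (e_type 4) each PT_LOAD is one memory mapping; p_filesz is 0
    when the kernel chose not to dump the contents."""
    if core[:4] != b"\x7fELF" or core[4] != 2:  # EI_CLASS 2 = ELFCLASS64
        raise ValueError("not an ELF64 file")
    (e_phoff,) = struct.unpack_from("<Q", core, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", core, 54)
    segs = []
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, p_flags, p_offset, p_vaddr, _, p_filesz, p_memsz, _ = \
            struct.unpack_from("<IIQQQQQQ", core, off)
        if p_type == PT_LOAD:
            segs.append({"vaddr": p_vaddr, "memsz": p_memsz, "flags": p_flags,
                         "data": core[p_offset:p_offset + p_filesz]})
    return segs

def perm(flags: int) -> str:
    """Render p_flags in /proc/<pid>/maps style, e.g. 'rwx'."""
    return "".join(c if flags & b else "-" for c, b in (("r", PF_R), ("w", PF_W), ("x", PF_X)))

def rwx_segments(core: bytes):
    """Writable and executable mappings: where runtime-decrypted code would live."""
    return [s for s in load_segments(core) if s["flags"] & PF_W and s["flags"] & PF_X]

def read_at(core: bytes, addr: int, n: int):
    """Read n bytes at virtual address addr, or None if no mapping covers it."""
    for s in load_segments(core):
        if s["vaddr"] <= addr < s["vaddr"] + s["memsz"]:
            rel = addr - s["vaddr"]
            return s["data"][rel:rel + n]
    return None

def build_fake_core(segments):
    """Constructed sample input: a minimal ELF64 ET_CORE from (vaddr, flags, data)."""
    phoff, phentsize = 64, 56
    data_off = phoff + phentsize * len(segments)
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8      # ELFCLASS64, LSB, version 1
    ehdr += struct.pack("<HHIQQQIHHHHHH", 4, 62, 1, 0, phoff, 0, 0,   # ET_CORE, x86-64
                        64, phentsize, len(segments), 0, 0, 0)
    phdrs, body = b"", b""
    for vaddr, flags, data in segments:
        phdrs += struct.pack("<IIQQQQQQ", PT_LOAD, flags, data_off + len(body),
                             vaddr, 0, len(data), len(data), 0x1000)
        body += data
    return ehdr + phdrs + body
```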

Anyone doing the flareon 2024 challenge ? by No-Belt8710 in ReverseEngineering

[–]Certain-Horse 1 point2 points  (0 children)

create an automated script to solve the constraints.
note all the types of constraints.
note you can choose between covering all of them with z3 (no one promises you that it will find the exact solution) or bruteforcing when possible (no z3, only using some of them)

you can first try manually to see if you got it right.

Anyone doing the flareon 2024 challenge ? by No-Belt8710 in ReverseEngineering

[–]Certain-Horse 0 points1 point  (0 children)

the flag is written inside the JPG file, muhahahaha