Eset crackme challenge

Eset challenges: So far I have only worked on the first challenge, and a multitude of solutions for it can be found via Google. The challenges have been around for several years; the start page can be found here. Description: 1. Download the crackme.exe program. The program was designed to test your skillset in reverse engineering, which might come in handy when you work at ESET in one of the positions described above.

Challenge 2 of Zero2Auto biweekly challenges

IcedID malware challenge: This is a malware challenge related to the Zero2Automated course (number 2 out of currently 4). The aim of this challenge was to unpack the IcedID binary, figure out how the configuration is stored, and develop a script that extracts the config information automatically. The MalwareBazaar entry also tells us that the following IOC exists: ilekvoyn[.]com. Unpacking: In this case the file is a DLL containing a number of exports.

Classic Password THM room

Classic Password: In this challenge we are supplied an ELF file, and the goal is to find the flag; there are multiple ways to retrieve it. Simply running strings on the file is not enough, but the easiest route seems to be ltrace, which logs the library calls the binary makes (such as strcmp) together with their arguments, so a plaintext comparison against the expected password shows up directly in the trace. In this short post I use ltrace first and afterwards also solve the challenge with the disassembler. Ltrace route: ltrace .
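The reason ltrace works here is that the binary hands both the user input and the expected value to a libc comparison routine, and ltrace prints those arguments. The following script is an added example (not code from the original post or the THM room): it parses ltrace output and collects the string arguments of comparison calls that are not the value the user typed. The trace lines in SAMPLE are constructed for illustration, and "constructed_secret_123" is a made-up value, not the room's flag.

```python
"""Pull candidate secrets out of ltrace output.

ltrace prints one line per intercepted library call, for example
    strcmp("guess", "s3cr3t")      = -1
Comparison functions receive the user's input and the expected value as
arguments, so parsing these lines recovers a hardcoded password without
reading a single instruction.
"""
import re

# libc functions whose arguments typically carry the compared secret.
COMPARE_FUNCS = ("strcmp", "strncmp", "strcasecmp", "memcmp", "strstr")

# One ltrace call line: optional "[pid N] " prefix, name, argument list, return value.
CALL_RE = re.compile(
    r'^(?:\[pid \d+\]\s*)?(?P<func>\w+)\((?P<args>.*)\)\s*=\s*(?P<ret>\S+)\s*$'
)

# One C string literal as ltrace prints it, honouring backslash escapes.
STR_RE = re.compile(r'"((?:\\.|[^"\\])*)"')

# Constructed ltrace output for a hypothetical password checker (not a real trace).
SAMPLE = """\
__libc_start_main(0x5555555551a9, 1, 0x7ffd3c2b4f88, 0x555555555230 <unfinished ...>
puts("Enter the password:")                      = 20
__isoc99_scanf(0x555555556010, 0x7ffd3c2b4e70, 0, 0) = 1
strcmp("guess", "constructed_secret_123")        = -1
puts("Wrong")                                    = 6
+++ exited (status 1) +++
"""


def parse_call(line):
    """Return (func, [string args], ret) for an ltrace call line, else None."""
    m = CALL_RE.match(line)
    if not m:
        return None
    strings = [
        s.encode().decode("unicode_escape") for s in STR_RE.findall(m.group("args"))
    ]
    return m.group("func"), strings, m.group("ret")


def candidate_secrets(ltrace_output, user_input=None):
    """Collect string arguments of comparison calls, skipping the user's own input."""
    found = []
    for line in ltrace_output.splitlines():
        parsed = parse_call(line)
        if parsed is None:
            continue
        func, strings, _ = parsed
        if func not in COMPARE_FUNCS:
            continue
        for s in strings:
            if s != user_input and s not in found:
                found.append(s)
    return found


if __name__ == "__main__":
    # Typical invocation against a real binary (not run here; SAMPLE stands in):
    #   ltrace ./classic_password 2>&1 | tee trace.txt
    for s in candidate_secrets(SAMPLE, user_input="guess"):
        print("candidate:", s)
```

Note that ltrace only sees calls that go through the PLT; a binary that compares bytes in an inlined loop, or that is statically linked, produces no strcmp line, which is exactly when the disassembler route becomes necessary.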

Basic datatype reversing

Basic Types: This is a basic overview of how datatypes look after a program has been compiled. All examples have been compiled with gcc; it might be worthwhile to compare the output for Visual Studio. Everything is compiled as x64, so struct members are aligned to their natural size (up to 8 bytes) and pointers are 8 bytes; for 32-bit applications pointers are 4 bytes and the padding differs accordingly. Local and global variables: This example uses global and local variables.
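To make the padding rule concrete, the following script is an added example (not code from the original post): it computes the member offsets and total size gcc produces for a struct on x86-64 versus 32-bit x86, following the SysV ABI rule that each member is placed at the next multiple of its alignment and the struct is rounded up to the largest member alignment. The example struct and member names are made up for illustration; the alignment rule for 8-byte scalars on i386 (4 bytes, not 8) is the gcc/SysV behaviour and is an assumption that does not hold for MSVC.

```python
"""Compute the C struct layout gcc produces for a given target pointer width.

Each member is placed at the next offset that is a multiple of its
alignment, and the struct total is rounded up to the largest member
alignment.  Pointers are 8 bytes on x86-64 and 4 bytes on 32-bit x86, and
i386 SysV caps the in-struct alignment of 8-byte scalars at 4, so the same
source yields different offsets in a disassembler on each target.
"""
from dataclasses import dataclass

# Scalar sizes that do not change between the two targets (gcc, SysV ABI).
FIXED_SIZES = {"char": 1, "short": 2, "int": 4, "long long": 8, "float": 4, "double": 8}


@dataclass
class Member:
    name: str
    ctype: str  # e.g. "int", "char*", "double", or "char[16]"


def member_size_align(ctype, ptr_size):
    """Return (size, alignment) for a scalar, pointer, or fixed-size array type."""
    if ctype.endswith("*"):
        return ptr_size, ptr_size
    if ctype == "long":
        # Assumption: SysV LP64/ILP32, where "long" follows the pointer size
        # (Windows LLP64 keeps long at 4 bytes and is not modelled here).
        return ptr_size, ptr_size
    if "[" in ctype:
        base, count = ctype.rstrip("]").split("[")
        base_size, base_align = member_size_align(base.strip(), ptr_size)
        return base_size * int(count), base_align
    size = FIXED_SIZES[ctype]
    # Natural alignment on x86-64; i386 SysV aligns 8-byte scalars to 4.
    return size, min(size, ptr_size)


def layout(members, ptr_size=8):
    """Return ({name: offset}, total_size) for the given target pointer width."""
    offsets = {}
    offset = 0
    max_align = 1
    for m in members:
        size, align = member_size_align(m.ctype, ptr_size)
        offset = (offset + align - 1) // align * align  # pad up to alignment
        offsets[m.name] = offset
        offset += size
        max_align = max(max_align, align)
    total = (offset + max_align - 1) // max_align * max_align  # tail padding
    return offsets, total


# Hypothetical struct for illustration:
#   struct example { char flag; int count; char *name; short id; };
EXAMPLE = [
    Member("flag", "char"),
    Member("count", "int"),
    Member("name", "char*"),
    Member("id", "short"),
]

if __name__ == "__main__":
    for bits, ptr in ((64, 8), (32, 4)):
        offsets, total = layout(EXAMPLE, ptr)
        print(f"x86-{bits}: size={total}", " ".join(f"{n}@{o}" for n, o in offsets.items()))
    # Cross-check on the host: Python's struct module uses native alignment, and the
    # trailing "0P" asks for tail padding to pointer alignment (24 on a 64-bit host).
    import struct
    print("host struct.calcsize('@ciPh0P') =", struct.calcsize("@ciPh0P"))
```

When a reversed struct has a member at offset 16 where the source order suggests 12, the difference is usually this padding rather than a hidden field; checking the offsets against both widths tells you which target the binary was built for.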

Binary Ninja offline MSDN

As I did not want to always go online, I missed the old offline MSDN library and wanted to have something like that again. For IDA there seemed to be an annotating plugin, MSDN Annotations, but it looks like the Microsoft download link got removed. So, via Discord, rattle posted this link, “Ghidra + MSDN Offline Library”, which has a still-working ISO with a Help Viewer. It is not the newest help content, but for core Windows functionality not that much should have changed.

Secret Location - Base ; Google BeginnerQuest 2021 challenge 4

Secret Location - Base: This is the fourth challenge of the Google Beginner Quest. Description: You’re taking a stroll in the lab, when Dr. Klostermann is calling your name: “Agent, we’ve discovered the origin of the device. This time you won’t be able to reach your destination by air, but by the new Trans-Siberian Railway, as opposed to the old one, which runs alongside it at the same time, it is a bit odd.

HTB Anti Flag Reversing

Anti Flag: This file is part of the track “Intro to Reversing”. Because this file does not give any HTB points at the time of this writing, I will keep the flag inside the post. The file is a 64-bit ELF binary:
localhost:~# file anti_flag
anti_flag: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=b8de97bc12c627606510140e43fc13e2efffcee5, for GNU/Linux 3.2.0, stripped
As the strings output is very short it can also be pasted here, and it is obvious that not many strings are included:

Basic Malware RE THM room

Basic Malware RE: This is a quick writeup of the Basic Malware RE room from TryHackMe, found at https://tryhackme.com/room/basicmalwarere. The room contains 3 challenges in which the user has to find the flag that is used to calculate the displayed MD5 hash. In this post all challenges are solved without running the executables; only static analysis is used. Strings 1: Description: This executable prints an MD5 hash on the screen when executed.

syncopation HTB business ctf

Syncopation: This is a challenge from the HTB Business CTF in July 2021. The user has to enter a “killswitch”; when this switch is correct, it is the flag. The challenge was solved using Binary Ninja in the normal graph disassembly view. At the end of the article there is also a high-level IL view of the flag comparison function. This is a very short first post for this blog, and hopefully not too many details are left out.

The fifth bi-weekly challenge is now ready! This one is a 2 part challenge, focusing on a pay-per-install loader you may have heard of that has been seen distributing SmokeLoader, GCleaner, Danabot, Dridex, and many more malware families - PrivateLoader! For the first part of the challenge, you’ll need to identify how the strings are stored, and decrypt them, which should help you identify how and where the C2 is stored.