Flare-On 2018 CTF

Reverse Engineering

CTF – https://2018.flare-on.com/
Announcement – https://www.fireeye.com/blog/threat-research/2018/08/announcing-the-fifth-annual-flare-on-challenge.html
In the first challenge we are presented with a jar file.

Minesweeper-Championship-Registration

We can let IDA deflate it from .jar to .class.

We can see the function Strings.equal comparing the input we give it against “GoldenTicket2018@flare-on.com”.

Running the program with GoldenTicket2018@flare-on.com.

Ultimate-Minesweeper

We are presented with a PE binary.

Loading the binary in IDA, we can see it is .NET.
.NET files only have one import, and that's mscoree.dll.
So we can use dnSpy, a .NET debugger and assembly editor:
https://github.com/0xd4d/dnSpy
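
The .NET check described above can be scripted before opening IDA or dnSpy. This is an added example, not code from the original write-up: it lists the imported DLLs and also tests the CLR header data directory (index 14), which goes beyond the import heuristic in the text. The function names and the `build_sample` bytes are constructed for illustration.

```python
import struct

def directory(data, index):
    """(pe_offset, rva, size) of data directory `index`; ValueError if not a PE."""
    pe = int.from_bytes(data[0x3C:0x40], "little")              # e_lfanew
    magic = int.from_bytes(data[pe + 24:pe + 26], "little")
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0" or magic not in (0x10B, 0x20B):
        raise ValueError("not a PE32/PE32+ image")
    dirs = pe + 24 + (96 if magic == 0x10B else 112)            # PE32 / PE32+
    count, = struct.unpack_from("<I", data, dirs - 4)           # NumberOfRvaAndSizes
    rva, size = struct.unpack_from("<II", data, dirs + 8 * index) if index < count else (0, 0)
    return pe, rva, size

def rva_to_offset(data, pe, rva):                               # walk the section table
    nsec, optsz = struct.unpack_from("<H12xH", data, pe + 6)
    for i in range(nsec):
        vsize, vaddr, rsize, roff = struct.unpack_from("<4I", data, pe + 32 + optsz + 40 * i)
        if vaddr <= rva < vaddr + max(vsize, rsize):
            return roff + rva - vaddr
    raise ValueError("RVA not covered by any section")

def imported_dlls(data):
    """Lower-cased DLL names listed in the import directory (index 1)."""
    pe, rva, _ = directory(data, 1)
    names, off = [], rva_to_offset(data, pe, rva) if rva else None
    while off is not None and any(desc := struct.unpack_from("<5I", data, off)):
        start = rva_to_offset(data, pe, desc[3])                # Name RVA
        names.append(data[start:data.index(b"\0", start)].decode("ascii").lower())
        off += 20                                               # next import descriptor
    return names

def triage(data):                                               # CLR directory + import heuristic
    imports = imported_dlls(data)
    return {"dotnet": directory(data, 14)[1] != 0, "imports": imports,
            "only_mscoree": imports == ["mscoree.dll"]}

def build_sample(dlls, clr):
    """Constructed PE32 headers plus one import section; sample data, not a real binary."""
    body = bytearray(20 * (len(dlls) + 1))                      # descriptors + terminator
    for i, name in enumerate(dlls):
        struct.pack_into("<I", body, 20 * i + 12, 0x2000 + len(body))
        body += name.encode() + b"\0"
    img = bytearray(0x200) + body                               # section data at offset 0x200
    struct.pack_into("<2s58xI4sHH12xHHH90xI", img, 0, b"MZ", 0x40, b"PE\0\0",
                     0x14C, 1, 224, 0x102, 0x10B, 16)           # DOS, COFF, optional header
    struct.pack_into("<II", img, 0x58 + 96 + 8, 0x2000, len(body))           # import directory
    struct.pack_into("<II", img, 0x58 + 96 + 8 * 14, 0x2000 if clr else 0, 72 if clr else 0)
    struct.pack_into("<8s4I", img, 0x138, b".text", len(body), 0x2000, len(body), 0x200)
    return bytes(img)
```

On a real file, call `triage(open(path, "rb").read())`; a populated CLR directory means the binary belongs in dnSpy rather than a native disassembler.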

Focusing on the module MineField.

The function TotalMines creates the mines. By viewing the local variables we can see which squares are safe.

Noted all the safe squares.

[7,20]
[24,28]
[28,7]

Fleggo

In this challenge we get 44 PE binaries with names that look like a random string.

Main function of one of them

Basically what happens is the same for each binary.
I’ll focus on the main idea: the program takes a password as an argument, and the argument is passed to sub_CD1240, which checks the password against a variable “IronManSucks”. If false, the function Loc_CD1248 loops through each character of a variable located at offset unk_CD4380, marked red below.

In each binary there is a unique password.

When running the program with the right password, a png file is written, along with a string.
Example below.

In each picture there is a number in one of the corners, for example the png file below is 853934406.png

 

65141174.png => w
85934406.png => m
67782682.png => m
75072258.png => r
16544936.png => e
67322218.png => 
58770751.png => o
64915798.png => 3
88763595.png => e
18376743.png => 
36870498.png => m
72501159.png => c
47619326.png => p
70037217.png => m
18309310.png => @
15566524.png => e
82100368.png => m
60075496.png => s
71290032.png => a
33718379.png => .
42255131.png => t
16295588.png => a
61333226.png => f
13147895.png => w
16785906.png => 4
80333569.png => o
37723511.png => n
44958449.png => 
30171375.png => s
72263993.png => h
82236857.png => e
33098947.png => 
33662866.png => r
47893007.png => _
61006829.png => l
89295012.png => 0
87730986.png => 0
65626704.png => 3
72562746.png => -
36494753.png => 0
79545849.png => s
63223880.png => a
51227743.png => a
73903128.png => u
52817899.png => n
19343964.png => o
12268605.png => s
47202222.png => n

Ordering the characters by the number in each png file, we get mor3_awes0m3_th4n_an_awes0me_p0ssum@flare-on.com
