Write-up to the 2018 FLARE-ON Challenge—InfoSec Newbie Edition #flareon5
- The Rigged Registration
- Ultimate Minesweeper
- Further Reading
On the 15th of August 2018, FireEye launched their fifth annual FLARE-ON competition, in which contestants are given six weeks to work out the flags to a number of reverse engineering problems. Sadly, I was only able to work out three flags out of the total twelve. My reasons *cough* excuses *wheeze* for this are as follows:
- I’m a n00b at reversing. This is unacceptable… I’ve got to stop killing brain cells with stupid shit on the internet and start going through the FLARE-ON archives and reading up on RCE literature (more on that later).
- I only found out about the contest on the 22nd of September, which was about five weeks after it had started.
- At the moment I’m looking for a job, so a lot of my time is spent studying for certifications and doing volunteer work that will (hopefully) land me a position in helldesk (which is still better than nothing).
This is just a neophyte’s postmortem. The methods I used to work out the flag for each problem lacked finesse and elegance; a far more accurate and comprehensive discussion of the solutions is provided by Nick Harbour and the FLARE-ON team themselves.
The Rigged Registration
Okay, so the first one was pretty easy. I downloaded the 7-Zip archive and extracted the ‘MinesweepChampionshipRegistration.jar’ file. I literally just Googled ‘online Java decompiler’, uploaded the JAR file to it and got ‘InviteValidator.java’.
It took me about two seconds to work out that ‘GoldenTicket2018@flare-on.com’ is the flag (hint: look at the conditional on the eighth line).
Ultimate Minesweeper
This is where it got a bit trickier. I downloaded the 7-Zip archive for this challenge, extracted it and got a .NET assembly (which I had previously assumed was a native executable) called UltimateMinesweeper.exe. After a few hours of experimenting with different possible solutions, I found a technique that got me the flag.
Ultimate Minesweeper has a 30-by-30 grid (900 squares in total), and the player has to find every square that does not contain a mine. If a square with a mine is selected, the game exits.
Given that there are only three non-mine squares (which is the case), the probability of picking all three by chance is 3/900 × 2/899 × 1/898, roughly 8.3e-9, or about one in 120 million: fat chance! 😲
Ultimate Minesweeper really lived up to its name, in the sense that the only way to beat it was to cheat. I opened the UltimateMinesweeper.exe assembly in dnSpy and came up with a kludge of a solution: I navigated to the SquareRevealedCallback function and removed the bit of code that closed the game when a mine square was selected.
I then saved the module as ‘UltimateMinesweeperHaxxed.exe’ and proceeded to click on squares like mad with my laptop’s touchscreen, eventually revealing the three non-mine squares, which is basically the solution.
I then opened the original UltimateMinesweeper.exe assembly and clicked on the same non-mine squares (the board layout is fixed, so they are in the same place in the unpatched game) and finally got the flag.
FLEGGO
So this one was a doozy (well, for me at least). I downloaded FLEGGO.7z and extracted its contents. FLEGGO.zip came out, so I extracted that as well and got this:
I turned to the wisdom of Twitter and searched for ‘#flareon5 FLEGGO’. One user tweeted out a one-liner for the *NIX shell.
Another user tweeted a directory listing of image files, with parts of each filename redacted.
A third user suggested using FireEye’s FLOSS tool.
A fourth user suggested that an OCR script ought to be deployed to automate… something.
Finally, a fifth Twitter user made it all clear for me. They said that each picture had a number on it, which gives the position of the character printed in the console output when the executable is run with wine <executable>.
As with Ultimate Minesweeper, it took me a while to work out a solution, but it eventually came to me. Each executable asks for a password, which can be extracted with ‘strings -e l <executable name>’ (I’m working in a Linux environment; ‘-e l’ tells strings to look for 16-bit little-endian, i.e. UTF-16LE, strings rather than plain ASCII).
In every case the password is the last string printed to the terminal (in this case ‘ZImIT7DyCMOeF6’). I then used WINE to run an executable, which produced some console output and the following image:
The last line of the console output prints the image’s filename, followed by ‘=>’, followed by a letter (in this case ‘w’). In the top-left corner of the LEGO image there is a number. The letter ‘w’ is one character of the flag, and the number (seven, ‘7’, in this case) indicates its position.
Now I just had to automate (the first part of) this. I wrote a Python script (rubbish compared to the first hint) which, for each binary, extracts the password with the strings command, runs the binary, feeds it its password, and finally saves a cropped version of the image.
There are forty-nine (49) executables in total (and therefore forty-nine characters and images). The script output each image’s filename and its associated character. I then organised them in a spreadsheet, with the position in the first column and the letter in the second, manually put the flag together by placing each letter at the position given by its top-left corner number, and finally got the flag ‘firstname.lastname@example.org’.
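The bookkeeping in the FLEGGO procedure above is easy to get wrong by hand across forty-nine binaries, so here is an added example (my own, not the author’s script) that covers the mechanical parts: it recovers UTF-16LE strings from a binary the way `strings -e l` does and takes the last one as the password, parses the `<image> => <char>` line out of the program’s output, and assembles the flag from (position, character) pairs, refusing to guess when a position is missing or claimed twice. The sample binary bytes and console output are constructed for the demo, and the position numbers in the usage are made up (in the challenge they are read off the images by eye or OCR), so the assembled string is a placeholder rather than the real flag. Running the real binaries needs wine and is only sketched in `run_binary()`.

```python
"""FLEGGO-style bookkeeping: wide-string passwords, result lines, flag assembly.

Added example, not the author's script. SAMPLE_BINARY and SAMPLE_OUTPUT are
constructed for the demo; the positions passed to assemble_flag() in the
usage are made up, so its result is a placeholder, not the challenge flag.
"""
import re
import subprocess

# printable ASCII encoded as UTF-16LE, at least four characters long
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def utf16le_strings(data):
    """Return the UTF-16LE strings in `data` (what `strings -e l` prints)."""
    return [m.group().decode("utf-16-le") for m in WIDE_RUN.finditer(data)]


def password_from_binary(data):
    """The write-up's heuristic: the last wide string in the file is the password."""
    found = utf16le_strings(data)
    if not found:
        raise ValueError("no UTF-16LE strings found")
    return found[-1]


RESULT_LINE = re.compile(r"^(?P<image>\S+)\s*=>\s*(?P<char>\S)\s*$", re.M)


def parse_result(output):
    """Return (image filename, flag character) from the program's console output."""
    matches = RESULT_LINE.findall(output)
    if not matches:
        raise ValueError("no '<image> => <char>' line in output")
    return matches[-1]          # the write-up says it is the last line printed


def missing_positions(pairs):
    """Positions 1..N that no (position, char) pair claims; empty when complete."""
    have = {p for p, _ in pairs}
    if not have:
        return []
    return [p for p in range(1, max(have) + 1) if p not in have]


def assemble_flag(pairs):
    """Order characters by their corner number; refuse to guess around gaps or duplicates."""
    positions = [p for p, _ in pairs]
    if len(set(positions)) != len(positions):
        raise ValueError("duplicate positions: two images claim the same slot")
    gaps = missing_positions(pairs)
    if gaps:
        raise ValueError("positions missing: %s" % gaps)
    return "".join(c for _, c in sorted(pairs))


def run_binary(path, password):
    """Run one challenge binary under wine, feed it its password, return stdout.

    Not exercised here: it needs wine and a real PE on disk.
    """
    proc = subprocess.run(["wine", path], input=password + "\n",
                          capture_output=True, text=True, timeout=60)
    return proc.stdout


# Constructed sample "binary": opcode-looking filler around two wide strings.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"\x48\x83\xec\x28"
    + "Enter password".encode("utf-16-le") + b"\x00\x00"
    + b"\xff\x15\x10\x20\x00\x00"
    + "ZImIT7DyCMOeF6".encode("utf-16-le") + b"\x00\x00"
)

# Constructed console output in the shape the write-up describes.
SAMPLE_OUTPUT = "What is the password?\nChecking...\nsample.png => w\n"

if __name__ == "__main__":
    print(password_from_binary(SAMPLE_BINARY))             # ZImIT7DyCMOeF6
    print(parse_result(SAMPLE_OUTPUT))                     # ('sample.png', 'w')
    # made-up positions for three images; the real ones are read off the pictures
    print(assemble_flag([(3, "c"), (1, "a"), (2, "b")]))   # abc
```

On the actual files the loop is `password_from_binary(open(path, "rb").read())`, then `parse_result(run_binary(path, password))` for each of the 49 executables, and `assemble_flag()` once the corner numbers have been paired with each image’s character; the gap and duplicate checks catch a mis-read corner number before it silently produces a wrong flag.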
Even though I didn’t finish all the challenges, I had fun doing this, and it made me think critically. I had to think ‘outside the box’ and differently from standard DFIR and RCE techniques, which typically involve an analyst documenting the behaviour of a programme.
I can’t wait for next year’s tournament! I’m gonna hit the books, reverse engineer everything in sight (whilst following copyright laws 😉) and go over the FLARE-ON and other CTF archives!
Throughout my journey into the IT field I’ve had many great mentors and a lot of support from friends and family. I can’t thank them all here (I’ll save that for a bigger piece 😉), though there is one (pretty alpha) lawyer whom I want to thank in particular.
I can’t thank Tor Ekeland (@TorEkelandPLLC) enough for taking time out of his busy work schedule to talk me into getting off my arse and actually doing something. At the risk of sounding repetitive, I will reiterate that I only finished three of the twelve (3/12) problems, which is equivalent to losing, and Mr. Ekeland was one of many who helped me realise that it’s okay to lose!
I’d also like to thank the aforementioned Twitter users for indirectly helping me solve the FLEGGO challenge.
Further Reading
As I mentioned in the introduction, I need to read up on RCE literature. Here are some books (most of which I haven’t even read yet) that I and others can use to hopefully conquer the next FLARE-ON challenge:
- Reversing: Secrets of Reverse Engineering by Eldad Eilam (ISBN-13: 978-0764574818) https://www.amazon.com/Reversing-Secrets-Engineering-Eldad-Eilam/dp/0764574817
- Practical Reverse Engineering: x86, x64, ARM, Windows Kernel, Reversing Tools, and Obfuscation by Bruce Dang (ISBN-13: 978-1118787311) https://www.amazon.com/Practical-Reverse-Engineering-Reversing-Obfuscation/dp/1118787315/
- Practical Malware Analysis: A Hands-On Guide to Dissecting Malicious Software, 1st Edition, by Andrew Honig and Michael Sikorski (ISBN-13: 978-1593272906) https://www.amazon.com/Practical-Malware-Analysis-Hands-Dissecting/dp/1593272901/
- The IDA Pro Book: The Unofficial Guide to the World’s Most Popular Disassembler, Second Edition, by Chris Eagle (ISBN-13: 978-1593272890) https://www.amazon.com/IDA-Pro-Book-Unofficial-Disassembler/dp/1593272898/
- xchg rax,rax, 1st Edition, by xorpd (ISBN-13: 978-1502958082) https://www.amazon.com/xchg-rax-xorpd/dp/1502958082/
- Malware Data Science: Attack Detection and Attribution by Joshua Saxe and Hillary Sanders (ISBN-13: 978-1593278595) https://www.amazon.com/Malware-Data-Science-Detection-Attribution/dp/1593278594/
- I based the intro banner on Flare-On 2018’s dashboard and a clip from the ‘Swiped Sweets’ episode of LazyTown: https://youtu.be/2GgSZ9SlEnc?t=12m3s
- FireEye’s Corporate Website: https://www.fireeye.com/
- FireEye’s Twitter: https://twitter.com/FireEye
- FLARE-ON Website: http://flare-on.com/
- Well, one could say two-and-a-half (2½), ’cos I consulted the wisdom of Twitter for the FLEGGO challenge :P
- Amanda Rousseau (@malwareunicorn) did a pretty good write-up for 2017’s Flare-On contest; see Rousseau, A. (2017, November 17)
- See Harbour, N. (2018, October 05)
- This one to be exact: http://www.javadecompilers.com/
- FireEye’s FLOSS tool: https://github.com/fireeye/flare-floss
- dnSpy — .NET debugger and assembly editor: https://github.com/0xd4d/dnSpy
Harbour, N. (2018, October 05). 2018 Flare-On Challenge Solutions. Retrieved October 5, 2018, from https://www.fireeye.com/blog/threat-research/2018/10/2018-flare-on-challenge-solutions.html
Rousseau, A. (2017, November 17). 2017 Flare-On Challenge Walk Through. Retrieved October 5, 2018, from https://securedorg.github.io/flareon4/