Flare-on Challenge 2018

The fifth edition of the FireEye's Flare-on reverse challenge take place this year between august 24th and the 5th octobe with a total of 12 challenges centered on Windows binaries. https://www.fireeye.com/blog/threat-research/2018/08/announcing-the-fifth-annual-flare-on-challenge.html

Minesweeper Championship Registration

Welcome to the Fifth Annual Flare-On Challenge! The Minesweeper World Championship is coming soon and we found the registration app. You weren't officially invited but if you can figure out what the code is you can probably get in anyway. Good luck!

Download the challenge

We download the 7z and after extraction we got the jar. We start jd-gui and load the jar. The InviteValidator class is the following:

import javax.swing.JOptionPane;

public class InviteValidator
{
  public static void main(String[] args)
  {
    String response = JOptionPane.showInputDialog(null, "Enter your invitation code:", "Minesweeper Championship 2018", 3);
    if (response.equals("GoldenTicket2018@flare-on.com")) {
      JOptionPane.showMessageDialog(null, "Welcome to the Minesweeper Championship 2018!\nPlease enter the following code to the ctfd.flare-on.com website to compete:\n\n" + response, "Success!", -1);
    } else {
      JOptionPane.showMessageDialog(null, "Incorrect invitation code. Please try again next year.", "Failure", 0);
    }
  }
}

We directly got the challenge flag GoldenTicket2018@flare-on.com.

Ultimate Minesweeper

You hacked your way into the Minesweeper Championship, good job. Now its time to compete. Here is the Ultimate Minesweeper binary. Beat it, win the championship, and we'll move you on to greater challenges.

Download the challenge

Once unzip the file is a 32bits executable binary. $ file UltimateMinesweeper.exe UltimateMinesweeper.exe: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

When executed the program is similar to every Minesweeper execpt there is a LOT of mines! Only 3 squares of the 900 are not mines. The goal is to reveal this 3 squares with exploding on a mine.

Capture4.PNG

We can use a tool like DnSpy to decompile the .NET and access the source code.

Capture5.PNG

We can even recompile the code. Nevertheless , the line 156 will fire a compilation error. In order to fix it, we need to convert the value to byte:

array3[(int)num2] = (byte)(array3[(int)num2] ^ array[(int)num]);

We can for instance disable the failure when revealing a mine by changing the code of the BombRevealed function and make it always return false:

public bool BombRevealed
{
  get
  {
    int num = 0;
    while ((long)num < (long)((ulong)this.Size))
    {
      int num2 = 0;
      while ((long)num2 < (long)((ulong)this.Size))
      {
        if (this.MinesPresent[num2, num] && this.MinesVisible[num2, num])
        {
          return false;
        }
        num2++;
      }
      num++;
    }
    return false;
  }
}

Then we can clic on every square and get the Success message.

Capture2.PNG

The flag seems to be encoded. When looking at the function GetKey we see that the Random is build using a seed depending of the revealed cells.

We then discover that the mines (and more importently the 3 empty squares) are always at the same place. So we can just found the position of every empty squares with our modified binary.

Capture.PNG

And then just reveal this three squares in order to get the Success message with the flag.

Capture3.PNG

FLEGGO

When you are finished with your media interviews and talk show appearances after that crushing victory at the Minesweeper Championship, I have another task for you. Nothing too serious, as you'll see, this one is child's play.

Download the challenge

Once extraxted we get 48 executables. Each binary is a 32bits executable.

$ file ./*
./1BpnGjHOT7h5vvZsV4vISSb60Xj3pX5G.exe: PE32 executable (console) Intel 80386, for MS Window

When launching any of the executable we get an error about the VCRUNTIME140 DLL missing.

Capture6.PNG

To fix this you just need to install Visual Studio Community Edition.

After a few try using IDA and OllyDBG, I found a hint on twitter: Capture7.PNG

FLOSS static UTF-16 strings
@BRICK
%s\%s
IronManSucks
Oh, hello Batman...
I super hate you right now.
What is the password?
%15ls
Go step on a brick!
Oh look a rainbow.
Everything is awesome!
%s => %s
BRICK
ZImIT7DyCMOeF6


FLOSS decoded 0 strings

FLOSS extracted 0 stackstrings

Finished execution after 2.266808 seconds

The binary password is given just after the BRICK string.

root@kalili:~/work/fleggo# wine 1BpnGjHOT7h5vvZsV4vISSb60Xj3pX5G.exe
000f:err:service:process_send_command receiving command result timed out
What is the password?
ZImIT7DyCMOeF6
Everything is awesome!
65141174.png => w

An image is created associated to a character.

We can automatized this for the 48 binary:

root@kalili:~/work/fleggo# for f in *exe; do wine $f <<< `./floss $f | grep '^BRICK' -A 1 | grep -v BRICK` ; done
000f:err:service:process_send_command receiving command result timed out
What is the password?
Everything is awesome!
65141174.png => w
000f:err:service:process_send_command receiving command result timed out
What is the password?
Everything is awesome!
85934406.png => m
<SNIP>

A simple redirection allow to keep the information in a file. In the corner of each image is the position of the associated charactere. (for instance the image 85934406.png is associated to the letter "m" and the number in the right corner is 35 so the "m" is in the 35th position).

Capture8.PNG

We might use tesseract in order to automaticaly detect the number in the corner. But I manualy identify them and got the order of the flag:

mor3_awes0m3_th4n_an_awes0me_p0ssum@flare-on.com

binstall

It is time to get serious. Reverse Engineering isn't about toys and games. Sometimes its about malicious software. I recommend you run this next challenge in a VM or someone else's computer you have gained access to, especially if they are a Firefox user.

Download the challenge

Once unzip we get a simple executable.

$ file binstall.exe
Downloads/binstall/binstall.exe: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows

As said in the descritpion this file is a malware and a lot of AV detect it as someone uploaded it on virus total.

Capture9.PNG

I didn't get a lot of time to work on this challenge and didn't solve it.

Contest ending

The contest is now over and fireEye realse the solution for all challenges.