Contents

Introduction
The Rigged Registration
Ultimate Minesweeper
FLEGGO
Epilogue
Acknowledgements
Further Reading
Footnotes
References

Introduction

On the 15th of August 2018, FireEye [2][3] launched their fifth annual FLARE-ON competition [4], in which contestants are given six weeks to work out the flags for a number of reverse engineering problems. Sadly, I was only able to work out three flags [5] out of the total twelve reverse engineering problems. My reasons *cough* excuses *wheeze* as to why this is are as follows:

1. I’m a n00b at reversing. This is unacceptable… I gotta stop killing brain cells with stupid shit on the internet, and start going through the FLARE-ON archives [6] and reading up on RCE literature (more on that later).
2. I just found out about the contest on the 22nd of September, which was like five weeks after the thing got started.
3. At the moment, I’m looking for a job. A lot of my time is spent studying for certifications and doing volunteer work that’ll (hopefully) land me a position in helldesk (which is still better than nothing).

This is just a neophyte’s postmortem. The methods I used to work out each flag lacked finesse and elegance. A far more accurate and comprehensive discussion of the solutions is provided by Nick Harbour and the FLARE-ON team themselves [7].

Not bad for a n00b 😊

The Rigged Registration

Okay, so the first one was pretty easy. I just downloaded the 7-Zip archive and extracted the ‘MinesweepChampionshipRegistration.jar’ file. I literally just Googled ‘online Java decompiler’ [8], uploaded the JAR file to it and got ‘InviteValidator.java’.

Contents of “InviteValidator.java”

It took me about two seconds to work out that ‘GoldenTicket2018@flare-on.com’ is the flag (hint: look at the conditional on the eighth line).

Ultimate Minesweeper

This is where it got a bit trickier. I downloaded the 7-Zip archive for this challenge, extracted it and got a .NET assembly (which I had assumed was a native executable) called UltimateMinesweeper.exe. After a few hours of experimenting with different possible solutions, I discovered a technique that got me the flag.

Ultimate Minesweeper has a 30-by-30 grid (900 squares in total), and the player has to reveal every square that does not contain a mine. If a square with a mine is selected, the game exits.

Ultimate Minesweeper in all its Glory

Given that there are only three non-mine squares (which is the case), the chance of revealing all three by blind clicking is 1 in C(900, 3) = 1 in 121,095,300, roughly 8 × 10⁻⁹. Fat chance! 😲

Ultimate Minesweeper really lived up to its name, in the sense that the only way to beat it was to cheat. I opened the UltimateMinesweeper.exe assembly in dnSpy [15] and came up with a kludge-like solution. I navigated to the SquareRevealedCallback function and removed the bit of code that closed the game when a mine square was selected.

UltimateMinesweeper.MainForm.SquareRevealedCallback — what I “edited out”

me patching ultimate minesweeper irl ;-)

I then saved the module to ‘UltimateMinesweeperHaxxed.exe’ and proceeded to click on many of the squares like mad with my laptop’s touchscreen, eventually revealing the ‘non-mine’ squares, which is basically the solution.

They didn’t call it “Ultimate Minesweeper” for nothin’

I then opened up the original UltimateMinesweeper.exe assembly and clicked on the non-mine squares and finally got the flag.

Hey, how do you think white people get ahead? 😉

FLEGGO

So this one was a doozy (well, for me at least). I downloaded FLEGGO.7z and extracted its contents. FLEGGO.zip came out, so I extracted that and got this:

Wow, that’s a lot of binaries to examine!

I turned to the wisdom of Twitter users, and searched for ‘#flareon5 FLEGGO’. One user tweeted out a one-liner for the *NIX shell [9].

First Hint

Another user tweeted out a directory listing of image files, with parts of each image’s filename redacted [10].

Second Hint

A third user suggested using FireEye’s FLOSS tool [11][12].

Third Hint

A fourth user suggested that an OCR script ought to be deployed to automate… something [13].

Fourth Hint

Finally, a fifth Twitter user made it all clear for me. They said that each picture had a number, which gives the position of a character from the console output produced when running wine <executable> [14].

Final Hint

Like with Ultimate Minesweeper, it took me a while to work out a solution, but it eventually came to me. Each executable asks for a password, which can be extracted with ‘strings -e l <executable>’ (the -e l option selects 16-bit little-endian, i.e. UTF-16LE, strings; I’m working in a Linux environment).

Extracting the “password” from a FLEGGO executable

In all cases, the password is the very last string output on the terminal (in this case, ‘ZImIT7DyCMOeF6’). I then used WINE to run an executable, which resulted in some console output and the following image:

Ohai Mr. LEGO man

The last line of the console output prints the image’s filename, followed by ‘=>’, followed by a single character (in this case, ‘w’). The LEGO image has a number in its top-left corner (7 in this case). The character is one character of the flag, and the number gives its position in the flag.

Now I just had to automate (the first part of) this. I wrote a Python script (rubbish compared to the first hint’s one-liner) that, for each binary, extracts the password with the strings command, runs the binary, feeds it its password, and finally extracts a cropped version of the image.

It’s almost like @th3j35t3r wrote this XD

There are forty-nine (49) executable modules in total (and therefore forty-nine characters and images extracted). The script output each image’s filename and its associated character. I then organised them in a spreadsheet, with the position in the first column and the character in the second. Finally, I assembled the flag by hand, placing each character at the position given by its image’s top-left corner number, and got ‘mor3_awes0m3_th4n_an_awes0me_p0ssum@flare-on.com’.
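The loop described above (pull the UTF-16LE password out of each binary, run it, parse the ‘<image> => <character>’ line, then order the characters by the number read off each image) is mechanical enough to script. The block below is an added example written for this write-up, not the author’s script: the binary blob, the console output and the image-to-position table are constructed stand-ins, the image names are deliberately unrelated to their positions (as in the real challenge), and only run_under_wine() would touch real files, which the offline demo does not call. It assumes wine is on PATH, that each binary reads its password from stdin, and that the positions printed on the images are 1-based (consistent with ‘w’ being the 7th character of the flag).

```python
"""Automating the FLEGGO loop: password extraction, running each binary,
parsing its '<image> => <char>' line, and ordering the characters.

Added example; constructed data only.  run_under_wine() is the one function
that would touch the real binaries and is not called by the demo.
"""
import re
import subprocess
from typing import Callable, Dict, Iterable, List, Tuple

# A run of at least four printable ASCII characters encoded as UTF-16LE
# (each character followed by a zero byte).  This approximates what
# `strings -e l` prints; its default minimum length is also 4.
UTF16LE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")

# The line each binary prints once the password is accepted:  <image> => <char>
IMAGE_LINE = re.compile(r"^(?P<image>\S+)\s*=>\s*(?P<letter>\S)\s*$", re.MULTILINE)


def utf16le_strings(data: bytes) -> List[str]:
    """Return the UTF-16LE strings found in data, in file order."""
    return [m.group(0).decode("utf-16-le") for m in UTF16LE_RUN.finditer(data)]


def candidate_password(pe_bytes: bytes) -> str:
    """The write-up observed that the password is the last UTF-16LE string."""
    found = utf16le_strings(pe_bytes)
    if not found:
        raise ValueError("no UTF-16LE strings in binary")
    return found[-1]


def parse_image_line(console_output: str) -> Tuple[str, str]:
    """Return (image filename, flag character) from the last '<image> => <c>' line."""
    matches = IMAGE_LINE.findall(console_output)
    if not matches:
        raise ValueError("no '<image> => <char>' line; wrong password?")
    return matches[-1]


def run_under_wine(exe_path: str, password: str, timeout: int = 60) -> str:
    """Run one FLEGGO binary under wine, feeding the password on stdin.
    Assumption: wine is on PATH and the binary reads stdin.  Not run here."""
    proc = subprocess.run(["wine", exe_path], input=password + "\n",
                          capture_output=True, text=True, timeout=timeout)
    return proc.stdout


def assemble_flag(pieces: Iterable[Tuple[int, str]]) -> str:
    """Order (position, character) pairs into the flag.  Positions are the
    1-based numbers in each image's top-left corner.  Conflicts and gaps
    raise instead of silently producing a wrong flag."""
    by_pos: Dict[int, str] = {}
    for pos, ch in pieces:
        if by_pos.get(pos, ch) != ch:
            raise ValueError(f"position {pos}: {by_pos[pos]!r} vs {ch!r}")
        by_pos[pos] = ch
    if not by_pos:
        raise ValueError("no pieces")
    missing = sorted(set(range(1, max(by_pos) + 1)) - set(by_pos))
    if missing:
        raise ValueError(f"no character for positions {missing}")
    return "".join(by_pos[p] for p in sorted(by_pos))


def solve(exe_to_bytes: Dict[str, bytes], runner: Callable[[str, str], str],
          image_positions: Dict[str, int]) -> str:
    """End to end: derive each password, run the binary via `runner`, parse
    the image/char line, and place the char using the number read off that
    image (image_positions comes from OCR or from reading the images by hand)."""
    pieces = []
    for exe, blob in exe_to_bytes.items():
        image, letter = parse_image_line(runner(exe, candidate_password(blob)))
        pieces.append((image_positions[image], letter))
    return assemble_flag(pieces)


# ---- constructed stand-ins, not real FLEGGO artefacts -----------------------
def fake_binary(password: str) -> bytes:
    """Blob shaped like the observation above: 8-bit noise, a UTF-16LE prompt,
    and the password as the final UTF-16LE string."""
    return (b"MZ\x90\x00This program cannot be run in DOS mode\x00\x00"
            + "Enter password:".encode("utf-16-le") + b"\x00\x00\xff\x10"
            + password.encode("utf-16-le") + b"\x00\x00\x00\x00")


SAMPLE_PREFIX = "mor3_aw"  # first seven characters of the published flag
SAMPLE_EXES = {f"{n}.exe": fake_binary(f"pw{n}Secret") for n in range(1, 8)}
SAMPLE_IMAGE_FOR_EXE = {f"{n}.exe": f"img{(n * 3) % 7}.png" for n in range(1, 8)}
SAMPLE_POSITIONS = {SAMPLE_IMAGE_FOR_EXE[f"{n}.exe"]: n for n in range(1, 8)}


def fake_runner(exe: str, password: str) -> str:
    """Stands in for run_under_wine(): prints the image line only for the right password."""
    n = int(exe.split(".")[0])
    if password != f"pw{n}Secret":
        return "Wrong password.\n"
    return f"Password accepted.\n{SAMPLE_IMAGE_FOR_EXE[exe]} => {SAMPLE_PREFIX[n - 1]}\n"


if __name__ == "__main__":
    print(solve(SAMPLE_EXES, fake_runner, SAMPLE_POSITIONS))
```

To use it against the real set, replace fake_runner with run_under_wine and fill image_positions from the cropped images (the OCR step the hints mention, or by hand as the write-up did); assemble_flag then refuses to produce a flag if two images claim the same position or a position is missing, which catches OCR misreads before you submit.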

Epilogue

Even though I didn’t finish all the challenges, I had fun doing this, and it made me think critically. I had to think ‘outside the box’ and differently from standard DFIR and RCE techniques, which typically involve an analyst documenting the behaviour of a programme.

I can’t wait for next year’s tournament! I’m gonna hit the books, reverse engineer everything in sight (whilst following copyright laws 😉) and go over FLARE-ON and other CTF archives!

Acknowledgements

I’d like to thank the aforementioned Twitter users for indirectly helping me solve the FLEGGO challenge.

Further Reading

As I mentioned in the Introduction, I need to read up on RCE literature. Here are some books (most of which I haven’t even read yet) that I and others can use to hopefully conquer the next FLARE-ON challenge:

Reversing: Secrets of Reverse Engineering by Eldad Eilam (ISBN-13: 978-0764574818) https://www.amazon.com/Reversing-Secrets-Engineering-Eldad-Eilam/dp/0764574817

Practical Reverse Engineering: x86, x64, ARM, Windows Kernel, Reversing Tools, and Obfuscation by Bruce Dang (ISBN-13: 978-1118787311) https://www.amazon.com/Practical-Reverse-Engineering-Reversing-Obfuscation/dp/1118787315/

Practical Malware Analysis: A Hands-On Guide to Dissecting Malicious Software, 1st Edition, by Andrew Honig and Michael Sikorski (ISBN-13: 978-1593272906) https://www.amazon.com/Practical-Malware-Analysis-Hands-Dissecting/dp/1593272901/

The IDA Pro Book: The Unofficial Guide to the World’s Most Popular Disassembler, Second Edition, by Chris Eagle (ISBN-13: 978-1593272890) https://www.amazon.com/IDA-Pro-Book-Unofficial-Disassembler/dp/1593272898/

xchg rax,rax, 1st Edition, by xorpd (ISBN-13: 978-1502958082) https://www.amazon.com/xchg-rax-xorpd/dp/1502958082/

Malware Data Science: Attack Detection and Attribution by Joshua Saxe and Hillary Sanders (ISBN-13: 978-1593278595) https://www.amazon.com/Malware-Data-Science-Detection-Attribution/dp/1593278594/

Footnotes

1. I based the intro banner on Flare-On 2018’s dashboard and a clip from the ‘Swiped Sweets’ episode of LazyTown: https://youtu.be/2GgSZ9SlEnc?t=12m3s
2. FireEye’s corporate website: https://www.fireeye.com/
3. FireEye’s Twitter: https://twitter.com/FireEye
4. FLARE-ON website: http://flare-on.com/
5. Well, one can say two-and-a-half (2½) ’cos I consulted the wisdom of Twitter for the FLEGGO challenge :P
6. Amanda Rousseau (@malwareunicorn) did a pretty good write-up for 2017’s Flare-On contest; see Rousseau, A. (2017, November 17).
7. See Harbour, N. (2018, October 05).
8. This one, to be exact: http://www.javadecompilers.com/
9. https://twitter.com/d3dc4t/status/1035405559795613696
10. https://twitter.com/RubiksHnK/status/1034622275289587712
11. https://twitter.com/ixSly/status/1034842534957203456
12. FireEye’s FLOSS tool: https://github.com/fireeye/flare-floss
13. https://twitter.com/svobodds/status/1035596584564785152
14. https://twitter.com/shotgunner101/status/1033570719148503042
15. dnSpy (.NET debugger and assembly editor): https://github.com/0xd4d/dnSpy

References

Harbour, N. (2018, October 05). 2018 Flare-On Challenge Solutions. Retrieved October 5, 2018, from https://www.fireeye.com/blog/threat-research/2018/10/2018-flare-on-challenge-solutions.html

Rousseau, A. (2017, November 17). 2017 Flare-On Challenge Walk Through. Retrieved October 5, 2018, from https://securedorg.github.io/flareon4/