Welcome to the Seventh Flare-On Challenge!

This is a simple game. Win it by any means necessary and the victory screen will reveal the flag. Enter the flag here on this site to score and move on to the next level.

This challenge is written in Python and is distributed as a runnable EXE and matching source code for your convenience. You can run the source code directly on any Python platform with PyGame if you would prefer.

The challenge consists of a simple game written in python, you are given both the precompiled executable and python source code.

First of all the challenge ask you for a password, by opening fidler.py it’s easy to see the check_password function that asks you to input ghost.

Once the password is checked the game starts.

To obtain the flag you have to reach 100 Bln clicks, you can buy auto-clickers paying already done clicks. Even with auto-clickers, reaching 100 Bln clicks, it’s obviously a stupid idea and not the intended solution.

Looking in the source code, in fidler.py, there is a function:

def decode_flag(frob):
  last_value = frob
  encoded_flag = [1135, 1038, 1126, 1028, 1117, 1071, 1094, 1077, 1121, 1087, 1110, 1092, 1072, 1095, 1090, 1027,1127, 1040, 1137, 1030, 1127, 1099, 1062, 1101, 1123, 1027, 1136, 1054]
  decoded_flag = []

  for i in range(len(encoded_flag)):
    c = encoded_flag[i]
    val = (c - ((i%2)*1 + (i%3)*2)) ^ last_value
    decoded_flag.append(val)
    last_value = c

  return ''.join([chr(x) for x in decoded_flag])

def victory_screen(token):
  ...
  flag_content_label.change_text(decode_flag(token))
  ...

The function victory_screen is called as follows:

victory_screen(int(current_coins / 10**8))

Where current_coins is the number of clicks done. So retrieving the flag could be done by calling the decode_flag function.

idle_with_kitty@flare-on.com

One of our team members developed a Flare-On challenge but accidentally deleted it. We recovered it using extreme digital forensic techniques but it seems to be corrupted. We would fix it but we are too busy solving today’s most important information security threats affecting our global economy. You should be able to get it working again, reverse engineer it, and acquire the flag.

The challenge provides a corrupted PE file, trying to opening it with some tools will lead to a crash of them. The goal of the challenge was to reconstruct the PE and run it to obtain the flag.

I decided to open the file with 010Editor to check what was corrupted. The first thing I noticed is that it is a UPX packed executable, then I noticed that something at the end was missing.

The first thing I made was to unpack the file using a UpxUnpacker, then I adjusted some metadata (i.e. Imports) using CFF Explorer and finally ran it using wine to find the flag!

C0rruptGarbag3@flare-on.com

Be the wednesday. Unlike challenge 1, you probably won’t be able to beat this game the old fashioned way. Read the README.txt file, it is very important.

This challenge consists of a simple game. This game is similar to “Dino Runner”, where the character will run forward and you have to avoid obstacles by jumping them or slipping below.

After a few runs, it’s noticeable that the jumps and the slipping are always the same. So they could either generated in a deterministic way or they are hardcoded.

After searching around in the code how the obstacles were generated I found in the executable what they seem to be the bytes that determine how the obstacles should be avoided.

They are an array of zeroes and ones, where zeroes mean that the obstacle should be avoided by passing below while the ones mean that the obstacle should be jumped.

The flag could be found by treating those bytes as bits and converting them into characters.

1t_i5_wEdn3sd4y_mY_Dud3s@flare-on.com

Nobody likes analyzing infected documents, but it pays the bills. Reverse this macro thrill-ride to discover how to get it to show you the key.

For challenge provides only an Excel document is provided. Also from the description is clear it has to do with macros.

Dumping the macros from the document will lead you to find only an mp3. This mp3 is not useless though, as it has a hint inside it. In fact, the metadata author of the mp3 audio is P. Code, suggesting you to try to take a look at the p-code of the document.

Analyzing the p-code turns out that it does a different thing than the VBA source code, what’s happened is called VBA stomping.

The author of the challenge has modified the VBA source code leaving the compiled version in the document, known as p-code, unchanged.

To retrieve back the source code can be used pcode2code.exe as follows:

pcode2code.exe  .\report.xls > output.txt

Analyzing the resulting code will lead to finding an image containing the flag:

thi5_cou1d_h4v3_b33n_b4d@flare-on.com

Now you can play Flare-On on your watch! As long as you still have an arm left to put a watch on, or emulate the watch’s operating system with sophisticated developer tools.

This challenge gives you a TPK file. A TPK file is a Tizen Application Package file and it is used on watches running Tizen OS.

As for Android applications, we can unzip it to take a look at the components. Inside the bin folder can be found a bunch of dlls, they were written and compiled in C# so dnSpy can be used to analyze them.

During the analysis of TKApp.dll I noticed a sort of “anomaly”. The MainPage class has a GetImage method that is going to read and decipher a resource called “Runtime.Runtime_dll”.

So I decided to decipher the content of that resource as it does the application. The key used to decipher the flag is generated by hashing the text variable, generated as follows:

All the variables used are initialized in other points of the application upon specific circumstances, so to check that I was using the right values I found another point in the code where I could test these variables.

As shown in the image they are used to generate a hash that must be equal to the one hardcoded.

Once found the right variables the Runtime_dll resource can be decrypted.

n3ver_go1ng_to_recov3r@flare-on.com

Reverse engineer this little compiled script to figure out what you need to do to make it give you the flag (as a QR code).

The challenge provides you with an executable, the program asks you for input and then generates a QR code based on it. The goal of the challenge is to let the program meet a condition so that the generated QR code contains the flag.

The name of the challenge suggests it could be an AutoIt3 compiled executable. Looking with pestudio and searching for the string AU3!EA06 at the and of the code section confirmed the hypothesis.

Fortunately, there are tools that decompile AutoIt3 executable for you. The output code obtained is obfuscated, so I made other operations to it in order to make it much more readable.

The decompiler tool will output also a qr_encoder.dll and a sprite.bmp.

The first thing done, to try to deobfuscate the code, was to replace the variables instantiated for each number used inside the code with the numbers themselves, using a parser that I’ve written for this challenge.

regex = r'([a-z]+) = Number\(" ([0-9]+) "'

content = ''
with open(FILE_OBFUSCATED, "r") as f:
    content = f.read()
r1 = re.findall(regex,content)

for name, num in r1:
    content = content.replace(f"${name}", str(num))

After that was much easier to deobfuscate all the strings. They are saved as hexadecimal strings in an array and then decoded runtime. Replacing the call to the function that does these operations, with the deobfuscated strings, will result in a much more clear code.

for n,c in enumerate(hexencoded_strings_array):
    if c == '':
        content = content.replace(f"decoder($os[{n+1}])", "''")
        continue

    content = content.replace(f"decoder($os[{n+1}])", f'"{libnum.n2s(int(c,16))}"')

What the challenge does is to take our input and transform it into a QR code. Once the code it’s more clear it can be seen that, when the program meets a certain condition, it substitute the input with a decrypted string.

The string gets decrypted using a key generated from the computer name. Analyzing the function that processes the computer name turns out that it reads some bytes from sprite.bmp, getting only the bit of them, grouping the bits each 7, sum them with the bytes of our computer name and then divide the result by 2.

Converting the 7 bits groups, obtained from the sprite.bmp, in ASCII will decode the string aut01tfan1999. So if we put as computer name that string what the above algorithm will do is to multiply each byte of 2 (as the characters it is summing are the same) and then dividing them by 2, resulting in an unchanged string. These string, as explained before, will be used to decipher the flag that will be then encoded in a QR code.

To solve the challenge it is needed only to change the computer name to aut01tfan1999 and then generate a QR code with any input string, also empty.

L00ks_L1k3_Y0u_D1dnt_Run_Aut0_Tim3_0n_Th1s_0ne!@flare-on.com

Hello,

Here at Reynholm Industries we pride ourselves on everything. It’s not easy to admit, but recently one of our most valuable servers was breached. We don’t believe in host monitoring so all we have is a network packet capture. We need you to investigate and determine what data was extracted from the server, if any.

Thank you

The challenge provides only a captured network traffic, of a malicious attack, and asks to investigate what data was stolen from the server of the Reynholm Industries. The flag it’s inside these data.

The network traffic has captured an exploit of CVE-2017-7269, this vulnerability exploits a buffer overflow present in the WebDAV service in Internet Information Services (IIS) 6.0 in Microsoft Windows Server 2003. This CVE allows remote attackers to execute arbitrary code via a long header beginning with “If: <http://” in a PROPFIND request.

In the network traffic captured there are a lot of HTTP requests, against a Microsoft IIS 6.0 server, each one differs only on the length of padding until it guesses the correct one that will start the ROP chain that will lead to an RCE.

The code to be executed is inside the request and it is encoded in an alphanumeric string, created using the Metasploit encoder ‘AlphanumUnicodeMixed’. Metasploit alphanumeric payloads have an initial decoder STUB that will decode the rest of the payload.

If the attack goes well then the server will establish a new connection to the attacker’s port 4444, followed by another one on port 1337.

The new connections established with the server seem to be encrypted in some way, so to see what’s inside that communication first it is needed to understand what all those requests do.

Starting to debug the first payload it can be seen that it loads functions library by using a technique that consists of calculating a sort of hash code of the dll names, if one match with the one it is searching for then it continues with the same technique for each function inside that library. Once it found the right function then it saves its pointer, ready to be used during the rest of the execution.

By using the functions loaded, it will open a connection to the IP 192.168.68.21 on port 4444, there it will wait to receive any data. Arrived at this point I decided to change the IP of my virtual machine to 192.168.68.21, using a python script to wait for the connection and sends back the same bytes extracted from the captured connection that the server has received at the same time. Once send those bytes my python script will wait for a connection at port 1337.

from pwn import *
import libnum

EXTRACTED_RESPONSE = "\x9c\x5c\x4f\x52..."

l  = listen(4444)
l2 = listen(1337)

l.wait_for_connection()
print()

raw_input("received a connection on 4444! press a key to continue...")
print("continuing...")

l.send(EXTRACTED_RESPONSE)

l2.wait_for_connection()

s = l.recv(10) # receive some bytes
print("l  ", s)

The bytes received will be stored in a VirtualAlloced area, decrypted, and then continued the execution into it.

Inside this second payload, it will use the same technique used before to load some function that will use for this last part. The functions are for example “CreateFile”, “ReadFile” and other functions useful to establish socket connections.

The CreateFile function will be used to access the file “C:\accounts.txt”, then it will read the content, encrypt it by xoring with a generated key and finally sends the content to port 1337 of the attacker. By debugging this part the xoring key could be dumped and used to retrieve back the original file send xored and captured in the network traffic!

roy:h4ve_you_tri3d_turning_1t_0ff_and_0n_ag4in@flare-on.com:goat
moss:Pot-Pocket-Pigeon-Hunt-8:narwhal
jen:Straighten-Effective-Gift-Pity-1:bunny
richmond:Inventor-Hut-Autumn-Tray-6:bird
denholm:123:dog

Expect difficulty running this one. I suggest investigating why each error is occuring. Or not, whatever. You do you.

The challenge consists in a Tic-Tac-Toe game between you and an AI. The goal of the challenge was to beat the AI.

While you run the code on a windows machine, the AI was deployed automatically on WSL, using COMs, and so it is an ELF executable. The AI was impossible to beat fairly, so I modified the ELF executable.

My solution was to swap the move of the AI with my one, so instead of putting ‘X’ I modified the executable such that the AI will put an ‘O’.

This will lead to the win and to the flag.

c1ArF/P2CjiDXQIZ@flare-on.com

As you can see the flag seems weird but, after running the program some times on different machines and briefly looking at how it generates it, trying to submitting it will confirm that it is the right one.

What kind of crackme doesn’t even ask for the password? We need to work on our COMmunication skills.

• Bug Notice: Avoid a possible blue-screen by debugging this on a single core VM

The challenge provides you with an executable crackinstaller.exe, it was a kind of crackme that doesn’t ask you for input but you have to provide the “password” through registers. The goal was to find the right password so that it decrypts the flag.

The first thing done was to setup an environment to analyze the behavior of the program. Using Procmon it can be seen that it creates and interacts with the register:

HKEY_CLASSES_ROOT\CLSID\{CEEACC6E-CCB2-4C4F-BCF6-D2176037A9A7}

This register refers to a COM object which implementation could be found in the dll pointed by the key InProcServer32\Default.

Furthermore, there is also a Config key containing two subkeys Flag and Password.

The credHelper.dll exposes two interfaces, one it’s the most generic one IUnkown while the other one is not provided. By looking at the objects in the executable containing the function pointers of the interfaces, can be inferred that there are other 2 functions.

Reverse engineering those functions it can be retrieved that the second interface is something like:

[object, uuid(e27297b0-1e98-4033-b389-24eca246002a),
oleautomation, helpstring("CustomInterface")]
interface ICustomInterface : IUnknown
{
    HRESULT GetAndProcessPassword([in, out] byte* param);
    HRESULT ProcessAndSetFlag([in, out] byte* param);
};

Procmon also reveals that the program creates another file, C:\Windows\System32\cfs.dll. Looking at the interactions with this file suggests that it is a driver. IDA itself detected also it was a driver and the imports of the dll confirmed the assumption.

Debugging a driver needs to enter in kernel debugging by putting the VM in Test Mode and then attaching a remote WinDbg debugger to it. After that the following steps let me break to the first instruction of the driver:

• sxe ld cfs.dll : break the execution when cfs.dll will be loaded in memory
• lm : once stopped this command will show you the address where the driver is loaded
• bp <base_driver_address> + <offset_to_the_entrypoint> : this will put a breakpoint to the first instruction of the entrypoint
• g : continue the execution until it encounters the breakpoint set before

Following the execution of the driver will jump back to crackinstaller.exe at offset 0x2a10. By debugging carefully this part of the execution the string H@n $h0t FiRst! show up in memory after some decryptions.

Trying to set the Password key in the COM register and write a COM client to interact with credHelper.dll, after doing a GetAndProcessPassword and passing the bytes obtained to the ProcessAndSetFlag in memory we can found the flag.

S0_m@ny_cl@sse$_in_th3_Reg1stry@flare-on.com

As a reward for making it this far in Flare-On, we’ve decided to give you a break. Welcome to the land of sunshine and rainbows!

The challenge provides with an executable, it was obfuscated using a technique known as nanomites. Nanomites is an anti-debugging and anti-dumping technique that consists of having two or more processes to perform a task together by interacting with each other using ptraces. In this case, there were three processes where the second ptrace-attach to the first, and the third that will ptrace-attach to the second. The goal of the challenge was to insert the correct flag as input.

Starting the analysis from the main program seems simple.

The flag seems to be sunsh1n3_4nd_r41nb0ws@flare-on.com. Let’s test it:

$ ./break
welcome to the land of sunshine and rainbows!
as a reward for getting this far in FLARE-ON, we've decided to make this one soooper easy

please enter a password friend :) sunsh1n3_4nd_r41nb0ws@flare-on.com
sorry, but 'sorry i stole your input :)' is not correct

Obviously no…. It also says to have stolen our input… Where sorry i stole your input :) comes from?

Trying to run ltrace against the program we can see a fork(), looking at the references it was first called in the init1 function.

In the init1 function, after the fork(), if the process continues in the parent then it modifies the process permissions to let children attaching using a ptrace to him and then do a nanosleep and continuing then to the main.

If the process continues to the child instead it starts a whole new function. In this function, the child process will attach to the parent using ptrace. Once attached, using PTRACE_POKEDATA, it modifies the firsts 2 bytes at the address 0x08048cdb with 0x0f0b. That address is the function charged to check the password and it is modifying the firsts 2 bytes by putting the defined undefined instruction (ud2). What will happen when the father enters to that function will be to raise an Illegal Instruction Signal, that will be handled by the child process as it is ptracing him.

But let’s take a step back. After doing this modification the child will spawn another process, that will be discussed later, and then do a PTRACE_SYSEMU.

This particular ptrace request was designed to stop the execution of the ptraced process when it encounter a syscall, to emulate it. Every time the ptraced process will stop, the waitpid in the debugger will receive 2 bytes in the wstatus parameter, to have a full understanding of what these 2 bytes mean I suggest you take a look at the waitstatus.h source code.

What it is mainly useful for this challenge is that when the parent stops the lower byte of wstatus will be set to 0x7f, while the higher one to the signal that makes it stops. When the parent encounters a syscall it will generate a SIGTRAP signal, that will move the control to the child process, that will handle the syscall in a customized way. The syscall called by the parent process is defined by the eax register that the ptracer will take, along with the other registers, using the PTRACE_GETREGS request.

What is said in the block above will be much clear in this image.

The eax of the father will be processed as to obfuscate which will be the code that will handle the syscalls. For example, as it can be seen in the image, the pivot_root syscall code (217) will become 0xe8135594 and it will do, in the memory space of the father, something like:

*ebx = ecx

Returning to the father execution, when it is inside the main function it will print some strings. As explained before, EACH syscall will be handled by the second process so when the father prints something the write syscall will be handled by the child.

Fortunately, the “write handler” will do a write without any customization.

But after the prints, the parent will do a read and if you remember the first test of the program it says it has stolen our input.

As we can see the read will be emulated by a fgets inside the second process. It will save our string in a global variable and then it will decode the string sorry i stole your input :) to be inserted in the read buffer of the father.

After the read, the parent will go into the check flag function that the second process has modified before, so what will happen is that the first process will generate an Illegal Instruction Signal that will be handled by the child as follows:

In this piece of code, the second process is going to copy in the memory space of the father the input taken by the fgets, at the same address. Then it substitutes the eip of the father with the address of another function and set as first parameter the address of the buffer where it has just copied our input.

This means that the execution of the parent will go to check our flag in another function, precisely this one:

Before analyzing this function I need to introduce the nice function. Looking at the syscalls of Linux 32-bit there is a nice syscall, but if you test this library function in a program, using strace you will discover that it calls only setpriority and getpriority syscalls. What the handlers of these two calls do together in the child process is returning the negated address of a bunch of bytes decoded. In fact, as we can see in the image above, it is passing the negated address of the return value of the nice at the next function.

Considering that all these parts are static and don’t depend on our input we can try to intercept the memcmp to see what it expect as the first part of our input. The problem now is that the first process cannot be debugged, as it has already a process attached to it.

To bypass this problem I hooked the function using LD_PRELOAD.

int memcmp(const void *s1, const void *s2, size_t n) {
     static int (*memcmp_real)(const void *s1, const void *s2, size_t n) = NULL;
     int ret;

     if (!memcmp_real)
         memcmp_real = dlsym(RTLD_NEXT, "memcmp");

     ret = memcmp_real(s1, s2, n);

     fprintf(stderr, "memcmp(\"%s\", \"%s\", %d) = 0x%x\n", s1, s2, n, ret);

     return ret;
}

Fun fact, as explained above EACH syscall of the parent process is intercepted and so the fprintf in our memcmp too. Fortunately, it does not change anything but using LD_PRELOAD in this context should be done carefully.

$ LD_PRELOAD=./ch10_preload.so ./break
welcome to the land of sunshine and rainbows!
as a reward for getting this far in FLARE-ON, we've decided to make this one soooper easy

please enter a password friend :) sunsh1n3_4nd_r41nb0ws@flare-on.com
memcmp("sunsh1n3_4nd_r41nb0ws@flare-on.com", "w3lc0mE_t0_Th3_l", 16) = 0xffffffff
sorry, but 'sorry i stole your input :)' is not correct

Perfect! The first part of the flag is w3lc0mE_t0_Th3_l!

The second part of the flag will be checked inside the function at 0x08048f05, in the image above named “TF_checkSecondPart”.

The first thing done by this function is generating 2 constants, starting from the return value of the nice(0xa4), using the function FUN_0804bfed. Then, in the while, it processes 8 bytes at a time where it has stored the second part of our input. The strange thing here is the while loop of 40000 for 32 bytes of the second part of the flag.

Below the function charged to process the bytes.

In this part of the executable, many library calls will lead to syscalls, so the interactions between the first and the second process will be a lot.

Another technique to pass the execution to the second process used in this part of the execution it’s by calling a pointer NULLed. The variable named GENERATE_TRAP was charged to generate a SIGSEGV and in the child process it will be handled as follows:

It is an implementation of a loop, where it jumps at the address passed as the first argument and will increment the counter until 0x10, which address was passed as the second parameter. The addresses where the two loops iterate are shown in the images above.

At the end of TF_checkSecondPart there is a call to truncate.

What it is doing is storing all the 40000 decrypted bytes in a buffer (local_3f50) and checking how many bytes of the flag we guessed by comparing the result against the bytes at 0x081a5100.

Aware of the while masked as SIGSEGV, it’s more clear that this was a decryption function, probably of a known algorithm. Since I didn’t recognize which algorithm it was I decided to patch the executable in order to let angr to the job to find back the bytes of the second part.

What I have done is firstly nop the fork and the other calls in the init, then changing the call to fake check flag to TF_checkSecondPart and then substituting all the library calls, until the truncate, with the code that the child is going to perform. During this part, the second process will pass the execution to the third one.

To explain better how the patch was performed let’s take as an example the call to pivot_root seen before in assembly.

sub esp, 8      ; align the stack
push ecx        ; this will be the ecx of the syscall
push eax        ; ebx of the syscall
call pivot_root
add esp, 0x10

I have substituted all these instructions with:

mov dword [eax], ecx

nopping all the other bytes.

For bigger parts of the code, such as the mlockall, I had to put a call to that part of the code and reconstructing a stack there.

After all these patches I had only one process doing the checks for the second part. Since the decryption was performed on 8 bytes at a time I instrumented angr and patched the executable to input 8 bytes per execution. To provide to angr a successful address and a failure one I had to put also an “if”.

import angr
import claripy

SUCESS_ADDR = 0x08049cf4
FAILITURE_ADDR = 0x08049d11
FLAG_LEN = 8

project = angr.Project("./break_ANGR")
flag_chars = [claripy.BVS('flag_%d' % i, 8) for i in range(FLAG_LEN)]
flag = claripy.Concat( *flag_chars + [claripy.BVV(b'\n')])

state = project.factory.full_init_state(
    args=['./break_ANGR'],
    add_options=angr.options.unicorn,
    stdin=flag
    )

for i,k in enumerate(flag_chars):
    if i < 8:
        state.solver.add(k >= 0x20)
        state.solver.add(k <= 0x7f)

simulation_manager = project.factory.simulation_manager(state)
simulation_manager.explore(find=SUCESS_ADDR,avoid=FAILITURE_ADDR)

if (len(simulation_manager.found) > 0):
        for found in simulation_manager.found:
            print(found.posix.dumps(0))

Running more than one instance at a time, in about 1 hour, it was able to retrieve all the second part of the flag:

4nD_0f_De4th_4nd_d3strUct1oN_4nd

As explained above, during the truncate, it will store all the 40000 bytes in local_3f50, the problem is that this buffer has a size of 16000 bytes! So it was going to overflow overwriting the other variables. Since, normally, the second process will not reach a return, the overwriting of the return pointer should be excluded. Immediately after the while, there is a call to the GENERATE_TRAP variable, which is stored above the buffer and it will be overwritten with 0x08053b70.

This address’s inside the decrypted bytes at the offset of the GENERATE_TRAP variable. Dumping that address reveals the last part of code, where it checks for the last part.

During this part, there are no ptraces except for one at the start and one at the end, that could be both nopped for the moment. Once inserted those decrypted bytes in the executable and nopped the ptraces, the call to the fake check could be modified again to jump at this new function. This lets us debug this part of the challenge.

What it is doing in this part is handling big numbers. At the start of the function, it will get 4 bignumbers from the memory and uses them to perform an equation against the last part of our input, to finally check the result.

What it will do is: RESULT_TO_CHECK == bignum_1

And, as shown in the image above:

RESULT_TO_CHECK = ( last_part_input * bignum_2 ) % bignum_4

The last part of the flag could be retrieved by multiplying the expected result (bignum_1) by the modular inverse of bignum_2 modulo bignum_4.

_n0_puppi3s@flare-on.com

The flag is:

w3lc0mE_t0_Th3_l4nD_0f_De4th_4nd_d3strUct1oN_4nd_n0_puppi3s@flare-on.com