The Flare-On Challenge is the FLARE team's annual Capture-the-Flag (CTF) contest. It is a single-player series of reverse engineering puzzles that runs for 6 weeks every fall. #flareon11 launched on Sept. 27th 2024 at 8pm EST with 10 challenges. In this post (part 1) we share our solutions to challenges 1 to 5.
Challenge 1 - frog
Welcome to Flare-On 11! Download this 7zip package, unzip it with the password 'flare', and read the README.txt file for launching instructions. It is written in PyGame so it may be runnable under many architectures, but also includes a pyinstaller created EXE file for easy execution on Windows. Your mission is to get the frog to the "11" statue, and the game will display the flag. Enter the flag on this page to advance to the next stage. All flags in this event are formatted as email addresses ending with the @flare-on.com domain.

We are given an EXE together with the Python source it was built from. Reading the source, we see that the flag is produced by the function GenerateFlagText, which decrypts the encrypted flag with a simple XOR.

Flag: welcom_to_11@flare-on.com
Challenge 2 - checksum
We recently came across a silly executable that appears benign. It just asks us to do some math... From the strings found in the sample, we suspect there are more to the sample than what we are seeing. Please investigate and let us know what you find!

We are given an executable written in Go, and luckily it is not stripped at all. In the first part, it asks the user to do some math a random number of times (at most 8).

Challenge 3 - aray
And now for something completely different. I'm pretty sure you know how to write Yara rules, but can you reverse them?

We are given a YARA file and have to craft a file that matches the rule. Looking at the rule, it contains many conditions, but only some of them are needed to recover the flag:

uint8(58) + 25 == 122
uint32(52) ^ 425706662 == 1495724241
uint32(17) - 323157430 == 1412131772
hash.crc32(8, 2) == 0x61089c5c
hash.crc32(34, 2) == 0x5888fc1b
uint8(36) + 4 == 72
uint8(27) ^ 21 == 40
uint32(59) ^ 512952669 == 1908304943
uint8(65) - 29 == 70
uint8(45) ^ 9 == 104
uint32(28) - 419186860 == 959764852
uint8(74) + 11 == 116
hash.crc32(63, 2) == 0x66715919
hash.sha256(14, 2) == "403d5f23d149670348b147a15eeb7010914701a7e99aad2e43f90cfa0325c76f"
hash.sha256(56, 2) == "593f2d04aab251f60c9e4b8bbc1e05a34e920980ec08351a18459b2bc7dbf2f6"
uint8(75) - 30 == 86
uint32(66) ^ 310886682 == 849718389
uint32(10) + 383041523 == 2448764514
uint32(37) + 367943707 == 1228527996
uint32(22) ^ 372102464 == 1879700858
uint8(2) + 11 == 119
hash.md5(0, 2) == "89484b14b36a8d5329426a3d944d2983"
uint32(46) - 412326611 == 1503714457
hash.crc32(78, 2) == 0x7cab8d64
uint8(7) - 15 == 82
uint32(70) + 349203301 == 2034162376
hash.md5(76, 2) == "f98ed07a4d5f50f7de1410d905f1477f"
uint32(80) - 473886976 == 69677856
uint32(3) ^ 298697263 == 2108416586
uint8(21) - 21 == 94
uint8(16) ^ 7 == 115
uint32(41) + 404880684 == 1699114335
hash.md5(50, 2) == "657dae0913ee12be6fb2a6f687aae1c7"
uint8(26) - 7 == 25
hash.md5(32, 2) == "738a656e8e8ec272ca17cd51e12f558b"
uint8(84) + 3 == 128
For the hash checks, each one covers only two bytes, so the two-byte window is easy to recover by brute force.
The remaining checks are simply inverted: undo the add/sub/xor to get the original byte(s) back.
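As an added example (not the original writeup's script), here is a Python solver that applies exactly this approach to the conditions listed above: it inverts the add/sub/xor checks directly, brute-forces the two-byte hash windows, and reassembles the file that satisfies the rule. The only input is a copy of the conditions from the page.

```python
import hashlib, re, zlib
# Constructed copy of the YARA conditions quoted above, several per line, ';'-separated.
CONDITIONS = """
uint8(58) + 25 == 122; uint32(52) ^ 425706662 == 1495724241; uint32(17) - 323157430 == 1412131772
hash.crc32(8, 2) == 0x61089c5c; hash.crc32(34, 2) == 0x5888fc1b; uint8(36) + 4 == 72; uint8(27) ^ 21 == 40
uint32(59) ^ 512952669 == 1908304943; uint8(65) - 29 == 70; uint8(45) ^ 9 == 104; uint8(74) + 11 == 116
uint32(28) - 419186860 == 959764852; hash.crc32(63, 2) == 0x66715919; uint8(75) - 30 == 86; uint8(84) + 3 == 128
hash.sha256(14, 2) == "403d5f23d149670348b147a15eeb7010914701a7e99aad2e43f90cfa0325c76f"
hash.sha256(56, 2) == "593f2d04aab251f60c9e4b8bbc1e05a34e920980ec08351a18459b2bc7dbf2f6"
uint32(66) ^ 310886682 == 849718389; uint32(10) + 383041523 == 2448764514; uint8(2) + 11 == 119
uint32(37) + 367943707 == 1228527996; uint32(22) ^ 372102464 == 1879700858; uint8(7) - 15 == 82
hash.md5(0, 2) == "89484b14b36a8d5329426a3d944d2983"; uint32(46) - 412326611 == 1503714457
hash.crc32(78, 2) == 0x7cab8d64; uint32(70) + 349203301 == 2034162376; uint8(21) - 21 == 94
hash.md5(76, 2) == "f98ed07a4d5f50f7de1410d905f1477f"; uint32(80) - 473886976 == 69677856; uint8(16) ^ 7 == 115
uint32(3) ^ 298697263 == 2108416586; uint32(41) + 404880684 == 1699114335; uint8(26) - 7 == 25
hash.md5(50, 2) == "657dae0913ee12be6fb2a6f687aae1c7"; hash.md5(32, 2) == "738a656e8e8ec272ca17cd51e12f558b"
"""
ARITH = re.compile(r"uint(8|32)\((\d+)\) ([-+^]) (\d+) == (\d+)")
HASH = re.compile(r'hash\.(crc32|md5|sha256)\((\d+), 2\) == "?(\w+)"?')

def invert_arith(op, k, result):
    """Undo 'x op k == result' for +, - and ^ (none of these checks wrap around 2^32)."""
    return {"+": result - k, "-": result + k, "^": result ^ k}[op]

def crack_hash(algo, target):
    """Brute-force the 2-byte window whose crc32/md5/sha256 equals target (65536 candidates)."""
    want = int(target, 16) if algo == "crc32" else target
    for n in range(1 << 16):
        chunk = n.to_bytes(2, "little")
        got = zlib.crc32(chunk) if algo == "crc32" else hashlib.new(algo, chunk).hexdigest()
        if got == want:
            return chunk
    raise ValueError(f"no 2-byte preimage for {algo} {target}")

def solve(conditions):
    """Rebuild the file that satisfies every condition; unconstrained bytes become '?'."""
    buf = {}
    for cond in filter(None, (c.strip() for c in conditions.replace("\n", ";").split(";"))):
        if m := ARITH.match(cond):
            width, off, op, k, res = m.groups()
            # YARA's uintN() reads little-endian, so write the inverted value back the same way
            chunk = invert_arith(op, int(k), int(res)).to_bytes(int(width) // 8, "little")
        elif m := HASH.match(cond):
            algo, off, target = m.groups()
            chunk = crack_hash(algo, target)
        else:
            continue
        for i, b in enumerate(chunk):
            buf[int(off) + i] = b
    return bytes(buf.get(i, ord("?")) for i in range(max(buf) + 1))

if __name__ == "__main__":
    print(solve(CONDITIONS).decode())
```

The reconstructed file is itself a small YARA rule whose string is the flag.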
Flag: 1RuleADayK33p$Malw4r3Aw4y@flare-on.com
Challenge 4 - Meme Maker 3000
You've made it very far, I'm proud of you even if noone else is. You've earned yourself a break with some nice HTML and JavaScript before we get into challenges that may require you to be very good at computers.

We are given an HTML file; opening it in the browser shows that it is exactly what the name says, a meme maker. The interesting part is the function below:

function a0k() {
    // the selected image must be the 6th key of a0e
    const a = a0g.alt.split('/').pop()
    if (a !== Object.keys(a0e)[5]) {
        return
    }
    // the three caption texts must sit at fixed positions in the a0c array
    const b = a0l.textContent,
        c = a0m.textContent,
        d = a0n.textContent
    if (
        a0c.indexOf(b) == 14 &&
        a0c.indexOf(c) == a0c.length - 1 &&
        a0c.indexOf(d) == 22
    ) {
        // 3-second busy-wait before the flag is shown
        var e = new Date().getTime()
        while (new Date().getTime() < e + 3000) {}
        var f =
            d[3] +
            'h' +
            a[10] +
            b[2] +
            a[3] +
            c[5] +
            c[c.length - 1] +
            '5' +
            a[3] +
            '4' +
            a[3] +
            c[2] +
            c[4] +
            c[3] +
            '3' +
            d[2] +
            a[3] +
            'j4' +
            a0c[1][2] +
            d[4] +
            '5' +
            c[2] +
            d[5] +
            '1' +
            c[11] +
            '7' +
            a0c[21][1] +
            b.replace(' ', '-') +
            a[11] +
            a0c[4].substring(12, 15)
        f = f.toLowerCase()
        alert(atob('Q29uZ3JhdHVsYXRpb25zISBIZXJlIHlvdSBnbzog') + f)
    }
}
The base64 string decoded in the alert ("Congratulations! Here you go: ") suggests that f is the flag we have to find.
f is built from a, b, c, d and the a0c array, where:
- a0c: a hard-coded array of strings
- a: a0e[5] ==> 'boy_friend0.jpg'
- b: a0c[14] ==> 'FLARE On'
- c: a0c[len(a0c) - 1] ==> 'Security Expert'
- d: a0c[22] ==> 'Malware'
==> f: wh0A_it5_4_cru3l_j4va5cr1p7@FLARE-On.com
The flag is the lower-case form: wh0a_it5_4_cru3l_j4va5cr1p7@flare-on.com
Flag: wh0a_it5_4_cru3l_j4va5cr1p7@flare-on.com
We can also patch the JS so that the condition always matches, and the browser then shows the flag for us.

Challenge 5 - sshd
Our server in the FLARE Intergalactic HQ has crashed! Now criminals are trying to sell me my own data!!! Do your part, random internet hacker, to help FLARE out and tell us what data they stole! We used the best forensic preservation technique of just copying all the files on the system for you.

The Flare-On team gave us a copy of the system, with the hint that the server crashed and that it may be related to sshd. Since the server crashed, we searched for a core-dump file and found that it is indeed an sshd core dump. We load it in gdb with the copied filesystem as the library root:

set solib-absolute-prefix .
file ./usr/sbin/sshd
core-file ./var/lib/systemd/coredump/sshd.core.93794.0.0.11.1725917676
Using the two commands "info sharedlibrary" and "info proc mappings" we can see where the libraries were loaded in memory. One library shows up as deleted, but by combining the output of the two commands we can conclude that it is liblzma.so.

With the bt command we get the backtrace and the return address, and from that we can identify where it crashed.
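As an added example (not from the original writeup), the following Python script automates the cross-referencing step described above: it parses saved "info proc mappings" output and tells you which object file a return address from bt falls in, keeping the "(deleted)" marker that gdb attaches to mappings whose backing file is gone. The mapping table and addresses below are constructed for illustration, not taken from the challenge core dump.

```python
import re

# Constructed sample of `info proc mappings` output (made-up addresses, not from the challenge).
# gdb appends "(deleted)" when the mapped file was removed from disk after it was loaded.
MAPPINGS = """\
process 93794
Mapped address spaces:

          Start Addr           End Addr       Size     Offset  Perms  objfile
      0x55a1c3e00000     0x55a1c3e1c000    0x1c000        0x0  r--p   /usr/sbin/sshd
      0x55a1c3e1c000     0x55a1c3f40000   0x124000    0x1c000  r-xp   /usr/sbin/sshd
      0x7f3a9c200000     0x7f3a9c20b000     0xb000        0x0  r--p   /usr/lib/x86_64-linux-gnu/liblzma.so.5 (deleted)
      0x7f3a9c20b000     0x7f3a9c22a000    0x1f000     0xb000  r-xp   /usr/lib/x86_64-linux-gnu/liblzma.so.5 (deleted)
      0x7f3a9c400000     0x7f3a9c428000    0x28000        0x0  r--p   /usr/lib/x86_64-linux-gnu/libc.so.6
      0x7f3a9c428000     0x7f3a9c5bd000   0x195000    0x28000  r-xp   /usr/lib/x86_64-linux-gnu/libc.so.6
"""

# start, end, size, offset, an optional perms column (newer gdb prints it), then the objfile
ROW = re.compile(r"^\s*(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+(0x[0-9a-f]+)"
                 r"\s+(?:[rwxps-]{4}\s+)?(.*?)\s*$")

def parse_mappings(text):
    """Return [(start, end, file_offset, objfile, deleted)] from `info proc mappings` output."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header lines and blank lines
        start, end, _size, offset, objfile = m.groups()
        deleted = objfile.endswith("(deleted)")
        objfile = objfile.removesuffix("(deleted)").strip()
        rows.append((int(start, 16), int(end, 16), int(offset, 16), objfile, deleted))
    return rows

def locate(addr, rows):
    """Map a return address from bt to (objfile, file offset, deleted); None if unmapped."""
    for start, end, offset, objfile, deleted in rows:
        if start <= addr < end:
            # file offset = distance into the mapping plus the mapping's own file offset
            return objfile, addr - start + offset, deleted
    return None

if __name__ == "__main__":
    print(locate(0x7f3a9c210f20, parse_mappings(MAPPINGS)))
```

A hit in a mapping flagged deleted is the signal that the crashing code came from a library file that no longer exists on the copied filesystem.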

Flag: supp1y_cha1n_sund4y@flare-on.com
Read more:
Part 2: https://sec.vnpt.vn/2024/11/flareon-11-writeup-part-2/
Part 3: https://sec.vnpt.vn/2024/11/flareon-11-writeup-part-3/