kao Posted August 15, 2018 (edited) The FireEye Labs Advanced Reverse Engineering (FLARE) team’s annual reverse engineering challenge will start at 8:00 p.m. ET on Aug. 24, 2018. This is a CTF-style challenge for all active and aspiring reverse engineers, malware analysts, and security professionals. So dust off your disassembler, put a new coat of oil on your old debugger, and get your favorite chat client ready to futilely beg your friends for help. Once again, this contest is designed for individuals, not teams, and it is a single track of challenges. The contest runs for six full weeks and ends at 8:00 p.m. ET on Oct. 5, 2018. This year’s contest will once again host a total of 12 challenges covering architectures from x86, x64 on Windows, Java, .NET, WebAssembly, and Linux, with special appearances of Bootloaders and Bootkits. This is one of the only Windows-centric CTF challenges out there and we have crafted it to represent the skills and challenges of our workload on the FLARE team. If you complete the Flare-On Challenge you will receive a prize and permanent recognition on the flare-on.com website for your accomplishment. Prize details will be revealed when the contest ends, but as always, it will be something that will be coveted and envied by your peers. In prior years we’ve had rodeo belt buckles, replica police badges, challenge coins, and a huge pin. Check out the Flare-On website for a live countdown timer and to see the previous year’s winners. For official news and support we will be using the Twitter hashtag: #flareon5. 9 days left, better brush up your skills and make sure your tools are in good order! Official site: http://www.flare-on.com/ Edited August 15, 2018 by kao
GautamGreat Posted August 25, 2018 FlareOn5 Challenge started and I'm already stuck on challenge #3. I managed to get all 48 PNGs, but now I have no clue how to get the flag. Can someone give some hints?
Extreme Coders Posted August 25, 2018 @GautamGreat The numbers in the images have a purpose.
GautamGreat Posted August 25, 2018 @Extreme Coders 48 files with 48 unique numbers, that means the flag has 48 characters?
GautamGreat Posted August 26, 2018 On #4 we need to reverse that vuln JavaScript, right?
Rurik Posted August 26, 2018 That JavaScript integrates with something else, so you'll likely have to attack it in its final form. Or so I guess. It's where I'm at, and it's very frustrating :D I've not seen JS like that before, and it's hard to debug. Also, anyone else have their Firefox debugger unable to set breakpoints? It just doesn't let me :((
GautamGreat Posted August 27, 2018 14 hours ago, Rurik said: That JavaScript integrates with something else, so you'll likely have to attack it in its final form. Or so I guess. It's where I'm at, and it's very frustrating I've not seen JS like that before, and hard to debug. Also, anyone else have their Firefox debugger unable to set breakpoints? It just doesn't let me :(( I managed to break the JS file. It is the first time; it took so much time, but yeah, finally I did it.
kao Posted September 4, 2018 Author It's official - I finished as #4 this year! Subjectively, the first challenges are a bit harder than last year, probably due to the exotic targets (wasm, webinjects, etc.). All in all, I enjoyed it immensely!
Rurik Posted September 4, 2018 (edited) Congrats @kao! I just saw the tweet. Cue the hundreds of randos asking you for answers 😃 So far I've loved the challenges. Good variety, learned lots of new things. #6 went off rails a bit with a seemingly 'yet another reimplement this routine'. I'm hoping they pick up good after Edited September 4, 2018 by Rurik
kao Posted September 4, 2018 Author @Rurik: Thanks! I don't actually use Twitter, so random DMs will not bother me at all...
Ahmad_k Posted September 4, 2018 I know it is too late to solve these challenges, but I did start today; I have some free time. For challenge 3 I also got all those 48 PNGs in an automated way. Now I'm stuck; I have tried multiple flags with no success. I can't find the clue.
kao Posted September 4, 2018 Author Try to run those EXE files (with a correct password).
Ahmad_k Posted September 4, 2018 I did, and I got all those 48 PNGs. Each PNG has a number from 1 to 48; here I am stuck. The last pic shows FLARE with two Lego men on it.
Rurik Posted September 4, 2018 Each EXE produces *two* things. The PNG is just one of them.
Ahmad_k Posted September 4, 2018 Yes, I got it, thank you anyway. I forgot those little single chars.
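The challenge 3 exchange above comes down to one bookkeeping step: each of the 48 programs yields an image index plus a single character, and the flag is those characters read in index order. The script below is an added illustration, not code from this thread or from the challenge itself. It assumes a hypothetical capture format in which each program's result was logged as an "image N -> 'c'" line (the real programs do not print that), uses a small constructed set of eight pairs rather than the challenge's 48, and refuses to assemble the string when an index is missing or two runs disagree about the same index, which is the situation a wrong password or a mis-parsed run would produce.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample: each line stands in for the (index, character) pair one
# program in the set produced. Indices are deliberately out of order. The
# line format and the characters are invented for this example.
SAMPLE_LINES = [
    "image 3 -> 'a'",
    "image 1 -> 'f'",
    "image 2 -> 'l'",
    "image 5 -> 'e'",
    "image 4 -> 'r'",
    "image 8 -> 'c'",
    "image 6 -> '-'",
    "image 7 -> 't'",
]

# Hypothetical capture format: "image <index> -> '<one character>'"
LINE_RE = re.compile(r"image\s+(\d+)\s*->\s*'(.)'")


def parse_outputs(lines: Iterable[str]) -> Dict[int, str]:
    """Map image index -> character.

    The same index reported with two different characters means one of the
    runs was wrong (bad password, bad parse), so that case raises instead of
    silently keeping the last value seen.
    """
    found: Dict[int, str] = {}
    for line in lines:
        match = LINE_RE.search(line)
        if not match:
            continue  # lines that are not index/char pairs are ignored
        idx, ch = int(match.group(1)), match.group(2)
        if idx in found and found[idx] != ch:
            raise ValueError(
                f"index {idx} reported as {found[idx]!r} and {ch!r}"
            )
        found[idx] = ch
    return found


def missing_indices(found: Dict[int, str], count: int) -> List[int]:
    """Indices in 1..count that no program reported."""
    return [i for i in range(1, count + 1) if i not in found]


def assemble_flag(found: Dict[int, str], count: int) -> str:
    """Concatenate characters in index order, 1..count.

    Fails loudly on gaps: a flag assembled from 47 of 48 characters is
    worthless, and the gap tells you which program to re-run.
    """
    missing = missing_indices(found, count)
    if missing:
        raise ValueError(f"cannot assemble: missing indices {missing}")
    return "".join(found[i] for i in range(1, count + 1))


if __name__ == "__main__":
    pairs = parse_outputs(SAMPLE_LINES)
    print(assemble_flag(pairs, count=len(SAMPLE_LINES)))
```

For the real challenge the count would be 48 and the pairs would come from however you captured each program's second output; the ordering and gap checks are the part worth keeping.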
Eskalina Posted September 5, 2018 Hi. Can anybody help me with challenge 12? I extracted 2 VMs and recovered the key check function. But when I try to find the correct bytes, I can't do it. WTF?
kao Posted September 5, 2018 Author @Eskalina - IF you have recovered the key check function correctly, you've done 95% of the task. After that it takes a few minutes of calculations to get the correct bytes. So, most likely you have made a mistake somewhere. Spoiler If nothing else helps, read solutions of last year's FLARE - might give you some ideas on how to approach it.
msr Posted September 7, 2018 For #7 - I think I got "the trick", however I am a bit lost. Debugging inside some network functions, and the connect()s don't seem to connect (I have a listener and packet capture going), and then recv() randomly receives the (same) bytes every time and just outputs those + @flare-on.com. Any tips on what I am missing?
kao Posted September 8, 2018 Author (edited) @msr : Spoiler Not all connect()s are the same. Edited September 8, 2018 by kao
bandit Posted September 14, 2018 Stuck on ch#7 as well. None of my connect()s work either :(
Sina_DiR Posted September 22, 2018 @kao I'm totally stuck on level 10 without any idea what I should do, any suggestion?
kao Posted September 23, 2018 Author @Sina_DiR: Where exactly are you stuck? The driver does something, the usermode EXE does something. Analyze what exactly they do. 1) To load and run the driver, you need a reasonably new CPU and VM. My configuration was Intel i5-2500K and VMWare 12 with the "Virtualize Intel VT-x/EPT or AMD-V/RVI" option enabled. 2) If you can't run the driver for some reason (twitter commenters say they had some issues), just analyze it statically. The driver is based on open-source code; it should get you started.
Sina_DiR Posted September 24, 2018 @kao Thank you for your reply. I'm able to load the driver; I was trying to debug its driver, but it seems nothing is called from fhv.sys. I have no idea about VMCALL, so let me try again...
bandit Posted September 26, 2018 Any hints for ch#11? Trying to figure out the network comm between the sample and JJ-pc... Any hints on decrypting the responses received from the pipe?