
We got a binary file ttt2.exe and when I ran it, I received the following error:

Tools

We received a network capture file named re_crowd.pcapng.

Notice that there are a number of records with PROPFIND:

We received a packed TPK file that we can simply unpack with 7zip. Inside the “bin” folder there were a number of interesting DLLs; the most interesting one was “TKApp.dll”, so we analyzed it with dnSpy.

When I tried to open the report.xls file I received an error:

Tools to use:

  • IDA
  • x64dbg

When we started the program, we received a game menu:

Tools to use:

  • x64dbg
  • HxD
  • pestudio
  • upx-3.96-win64
  • IDA
  • Python

When I tried to load the file to x64dbg I received a message that this is an invalid PE file:

We received the application binary file together with its Python source code.

Tools to use:

  • notepad++

When you start the application, you get:

This year I participated in Flare-On 7 (2020) and I wanted to share my thoughts about this great CTF.

Overview

The challenges were great this year; I learned a lot, and they were pure reversing. For anyone who wants to strengthen their reversing skills, Flare-On is a great choice. It is like an intensive six-week reversing course that you will suffer through and enjoy at the same time.

Solutions

I separated my solutions into different pages to make it more readable:

  1. Challenge #1 - Fidler
  2. Challenge #2 - garbage
  3. Challenge #3 - wednesday
  4. Challenge #4 - report
  5. Challenge #5 - TKApp
  6. Challenge #6 …

Sometimes it happens, as it did in my case during a CTF challenge: you receive an ELF binary, but your host machine is Windows and your licensed IDA is already installed on that host. One option is to install a free version of IDA on a Linux virtual machine, but there is another option that sounds complex at first but actually is not.

This option is called “Remote Debugging”: the ability to debug a process from your host while it runs on a “remote” machine, or in my case, a virtual machine.

The scenario: We need to debug a 32-bit ELF binary…

Eviatar Gerzi

Security researcher interested in reversing, solving CTFs, malware analysis, penetration testing and DevOps security (docker and Kubernetes)