Flare-On 7 2020 Challenge #8: Aardvark


We got a binary file, ttt2.exe, and when I ran it I received the following error:


I opened the file with IDA Pro, and it seems that it tries to connect to a Unix socket named 496b9b4b.ed5.


But why would a Windows binary try to connect to a Unix socket?

After it connects to the socket, it calls a function at 0x140001829 that I renamed unpackResource because it uses FindResource to locate and unpack a resource from itself:


When I checked the binary with Resource Hacker I noticed that it has a resource with the GUI of a board:


And also an ELF (Unix binary) file:


This mix of Windows and Unix should remind you of WSL (Windows Subsystem for Linux). If you already had it installed on your Windows machine, it would save you the time needed to understand this challenge.

I didn’t have it installed, so I wasn’t sure this was the case, but when I dug a little into the functions inside unpackResource I found an interesting function at 0x140001930 that checks the Windows version of the system:


I noticed that if I had Windows 10 1803 or Windows 10 1809 it would lead me to a function that creates an LxProcess:


LxProcess is an instance created by the LxssManager, which is part of WSL. I searched for details about LxProcess, but what really helped was setting a breakpoint on CoCreateInstance and looking at the parameters passed to it. We can see that the GUID {4F476546-B412-4579-B64C-123DF331E3D6} was passed to this function (the dump shows it in little-endian byte order):
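Reading a GUID out of a memory dump is error-prone because the first three fields are stored little-endian while the last eight bytes are stored as-is. The helper below is an added example (not part of the original write-up) that decodes the raw 16 bytes into the registry-style string, both via the standard library and by hand so the byte swap is visible. The byte string is constructed here from the GUID quoted above; it is not a capture from the challenge binary.

```python
import uuid

# Constructed sample: the 16 raw bytes of the GUID as they would appear in a
# memory dump passed to CoCreateInstance (rclsid). Built from the GUID quoted
# in the text, not copied from a real dump.
RAW_GUID_DUMP = bytes.fromhex("4665474F12B47945B64C123DF331E3D6")


def guid_fields(raw: bytes) -> tuple:
    """Split a 16-byte in-memory GUID into (Data1, Data2, Data3, Data4).

    Data1 (4 bytes), Data2 (2) and Data3 (2) are stored little-endian;
    Data4 (8 bytes) keeps its on-the-wire order.
    """
    if len(raw) != 16:
        raise ValueError("a GUID is exactly 16 bytes")
    data1 = int.from_bytes(raw[0:4], "little")
    data2 = int.from_bytes(raw[4:6], "little")
    data3 = int.from_bytes(raw[6:8], "little")
    data4 = raw[8:16]
    return data1, data2, data3, data4


def guid_manual(raw: bytes) -> str:
    """Manual decode into the {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX} form."""
    d1, d2, d3, d4 = guid_fields(raw)
    return "{%08X-%04X-%04X-%s-%s}" % (
        d1, d2, d3, d4[:2].hex().upper(), d4[2:].hex().upper()
    )


def guid_from_dump(raw: bytes) -> str:
    """Same decode using uuid.UUID(bytes_le=...), which performs the byte swap."""
    if len(raw) != 16:
        raise ValueError("a GUID is exactly 16 bytes")
    return "{" + str(uuid.UUID(bytes_le=raw)).upper() + "}"


if __name__ == "__main__":
    print(guid_manual(RAW_GUID_DUMP))
    print(guid_from_dump(RAW_GUID_DUMP))
```

Once the string form is recovered, it can be compared against the CLSIDs published in the Microsoft WSL repository (as the author did) to confirm which component a Windows binary is instantiating; a console program that asks COM for a WSL session class is a useful thing to notice when triaging an unknown executable.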


I confirmed that it is part of WSL from the Microsoft WSL GitHub repository.

I decided to install Windows 10 1809 with WSL on a new VMware machine to make the environment suitable for this challenge.

After installing the operating system and WSL I received the following message:


I installed the Ubuntu image from the Microsoft Store, and now I had WSL with an Ubuntu image:


When I ran the CTF binary I got a Tic-Tac-Toe game:


The program always starts with an X in the middle, which prevents you from winning. The game ends either in a draw or in a win for the “X” opponent:


I tried to find the place where it computes its moves and sabotage it, but then I thought of a different approach: if the program’s advantage comes from starting with “X” in the middle, why not change that? Yes! Change the board.

I needed to understand where the board is created, and I had already seen, in the function that connects to the Unix socket, a hint of the board:


CreateDialogParamA receives the following parameters:

The interesting one is lpDialogFunc, which receives a pointer to the dialog box procedure. In our case it is named DialogFunc, and when we look into it we can see interesting things. Note the 0x2020202020202020 value:


It is 8 bytes of 0x20 (ASCII space), and our board has 9 cells, one of which already contains “X”. I guessed that this is the initial state of the board.

I opened the binary with Resource Hacker, dumped the ELF resource, searched for 20 20 20 20 20 20 20 20, found it, and then changed it to 20 4F 4F 4F 20 20 20 20 (0x4F is ASCII “O”) like this:
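The same patch can be scripted so that it is repeatable and so that two mistakes a hex editor will not catch for you are rejected: a replacement of a different length (which would shift every offset in the ELF) and a pattern that occurs more than once (eight consecutive spaces are not a rare byte sequence). The script below is an added example, not the author’s tooling; the ELF bytes are a constructed stand-in that contains only an ELF magic, some filler and the 8-byte board initializer, not the real resource.

```python
from pathlib import Path

ORIGINAL_BOARD = b"\x20" * 8                              # 8 empty cells; the 9th is the "X"
PATCHED_BOARD = b"\x20\x4F\x4F\x4F\x20\x20\x20\x20"       # 20 4F 4F 4F 20 20 20 20 -> " OOO    "

# Constructed stand-in for the dumped ELF resource (NOT the real resource):
# ELF magic, 12 bytes of filler, a label, the board initializer, a tail.
SAMPLE_ELF = b"\x7fELF" + b"\x00" * 12 + b"board:" + ORIGINAL_BOARD + b"\x00end"


def find_all(data: bytes, needle: bytes) -> list:
    """Return every (possibly overlapping) offset of needle in data."""
    offsets, start = [], 0
    while True:
        i = data.find(needle, start)
        if i < 0:
            return offsets
        offsets.append(i)
        start = i + 1          # step by one so overlapping runs are reported too


def patch_pattern(data: bytes, old: bytes, new: bytes) -> tuple:
    """Replace the single occurrence of old with new; return (patched, offset).

    Refuses to run when the lengths differ (offsets would shift) or when the
    pattern is not unique (the wrong bytes might get patched).
    """
    if len(old) != len(new):
        raise ValueError("replacement must keep the same length")
    if data[:4] != b"\x7fELF":
        raise ValueError("input does not start with the ELF magic")
    offsets = find_all(data, old)
    if len(offsets) != 1:
        raise ValueError(f"expected exactly one match, found {len(offsets)} at {offsets}")
    off = offsets[0]
    return data[:off] + new + data[off + len(old):], off


def patch_file(path: str, old: bytes = ORIGINAL_BOARD, new: bytes = PATCHED_BOARD) -> int:
    """Patch a dumped resource on disk, keeping a .bak copy; returns the patch offset."""
    src = Path(path)
    data = src.read_bytes()
    patched, off = patch_pattern(data, old, new)
    src.with_suffix(src.suffix + ".bak").write_bytes(data)
    src.write_bytes(patched)
    return off


if __name__ == "__main__":
    patched, off = patch_pattern(SAMPLE_ELF, ORIGINAL_BOARD, PATCHED_BOARD)
    print(f"patched board at offset 0x{off:x}: {patched[off:off + 8]!r}")
```

Run it against the file you dumped with Resource Hacker via patch_file("<dumped-elf-path>"), then re-import the patched resource. If the uniqueness check fails on the real binary, narrow the search by including the bytes that surround the initializer in DialogFunc rather than patching the first hit.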


Now the board contains three “O”s from the start:


It was easy to win that way:


Security researcher interested in reversing, solving CTFs, malware analysis, penetration testing and DevOps security (docker and Kubernetes)
