Flare-On 7 2020 Challenge #8: Aardvark

We got a binary file, ttt2.exe, and when I ran it I received the following error:

I opened the file with IDA Pro and it seems that it tries to connect to a Unix socket named 496b9b4b.ed5.

But why would a Windows binary try to connect to a Unix socket?

After it connects to the socket, it calls a function at 0x140001829 that I renamed unpackResource because it uses FindResource to find and unpack a resource from itself:

When I checked the binary with Resource Hacker, I noticed that it has a resource with the GUI of a board:

And also an ELF (Unix binary) file:

This mix of Windows and Unix should remind you of WSL (Windows Subsystem for Linux). If you had it installed on your Windows machine, it would save you the time needed to understand this challenge.

I didn’t have it installed, so I wasn’t sure whether this was the case, but when I dug a little into the functions inside unpackResource I found an interesting function at 0x140001930 that checks the Windows version of the system:

I noticed that if I had Windows 10 1803 or Windows 10 1809, it would lead me to a function that creates an LxProcess:

LxProcess is an instance created by LxssManager, which is related to WSL. I searched for details about LxProcess, but what helped me was setting a breakpoint on CoCreateInstance and looking at which parameters are passed to this function. We can see that the GUID {4F476546-B412-4579-B64C-123DF331E3D6} was passed to this function (it appears in the dump in little-endian order):

I confirmed that it is part of WSL from the Microsoft WSL GitHub repository.
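The little-endian layout mentioned above is why the bytes in the dump do not read the same as the GUID's string form. As an added example (not part of the original write-up), this Python sketch converts between the two forms and searches a buffer for the GUID; the function names and the sample dump are constructed for illustration.

```python
import struct

# GUID from the write-up, as passed to CoCreateInstance.
LX_GUID = "{4F476546-B412-4579-B64C-123DF331E3D6}"


def guid_to_memory_bytes(guid_str: str) -> bytes:
    """Return the 16 bytes a Windows GUID struct occupies in memory."""
    hexdigits = guid_str.strip("{}").replace("-", "")
    if len(hexdigits) != 32:
        raise ValueError("GUID must contain 32 hex digits")
    raw = bytes.fromhex(hexdigits)
    data1, data2, data3 = struct.unpack(">IHH", raw[:8])
    # Data1..Data3 are stored little-endian; Data4 is a plain byte array.
    return struct.pack("<IHH", data1, data2, data3) + raw[8:]


def memory_bytes_to_guid(blob: bytes) -> str:
    """Format 16 bytes read from a dump as a registry-style GUID string."""
    if len(blob) != 16:
        raise ValueError("a GUID is exactly 16 bytes")
    # uuid.UUID(bytes_le=blob) in the standard library does the same conversion.
    data1, data2, data3 = struct.unpack("<IHH", blob[:8])
    d4 = blob[8:]
    return "{%08X-%04X-%04X-%s-%s}" % (
        data1, data2, data3, d4[:2].hex().upper(), d4[2:].hex().upper())


def find_guids(dump: bytes, guid_str: str) -> list:
    """Return every offset in dump where the GUID appears in memory layout."""
    needle = guid_to_memory_bytes(guid_str)
    hits, pos = [], dump.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = dump.find(needle, pos + 1)
    return hits


# Constructed sample: 5 filler bytes, the GUID in memory layout, 3 filler bytes.
SAMPLE_DUMP = b"\xcc" * 5 + guid_to_memory_bytes(LX_GUID) + b"\x00" * 3

if __name__ == "__main__":
    print(guid_to_memory_bytes(LX_GUID).hex(" "))
    print(memory_bytes_to_guid(SAMPLE_DUMP[5:21]), find_guids(SAMPLE_DUMP, LX_GUID))
```

Searching a dump for the GUID's hex digits in the order they are written would miss it, because the first three fields are byte-swapped in memory.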

I decided to install Windows 10 1809 with WSL on a new VMware machine to make the environment suitable for this challenge.

After installing the operating system and WSL I received the following message:

I installed the Ubuntu image from the Microsoft Store and now I had WSL with an Ubuntu image:

When I ran the CTF I got a Tic-Tac-Toe game:

The program always starts with X in the middle, which prevents the player from winning. The game ends in a draw or a win for the “X” opponent:

I tried to find the place where it makes its moves and sabotage it, but then I thought of a different approach: if the advantage belongs to the program because it starts with “X” in the middle, why not change that? Yes! Change the board.

I needed to understand where the board is created, and I had already seen a reminder of the board in the function that connects to the Unix socket:

CreateDialogParamA receives the following parameters:

HWND CreateDialogParamA(
    HINSTANCE hInstance,
    LPCSTR    lpTemplateName,
    HWND      hWndParent,
    DLGPROC   lpDialogFunc,
    LPARAM    dwInitParam
);

The interesting one is lpDialogFunc, which receives a pointer to the dialog box procedure. In our case its name is DialogFunc, and when we look inside it we can see interesting stuff. Notice the interesting 0x2020202020202020 value:

It contains 0x20 eight times, and our game board has 9 cells, one of which already contains “X”. I guessed that this is the initialization of the board.

I opened the binary with Resource Hacker, dumped the ELF resource, and searched for 20 20 20 20 20 20 20 20. I found it and changed it to 20 4F 4F 4F 20 20 20 20, like this:

Now the board contains three “O”s at the beginning:

It was easy to win like that:

flag: c1ArF/P2CjiDXQIZ@flare-on.com
