The Unofficial Flare-On 11 Challenge Solutions

CTFs are a fun way to test your skills (or lack thereof) in various challenges. I won't do a CTF 101; you can find more info at CTF Time.

Ever since Rapid7 stopped doing the Metasploit CTF, Flare-On has been my favorite CTF, because it is mostly reverse-engineering oriented, a skill that I rarely use and can always improve by learning new tricks.

Recently, Flare-On 11 ended and Google posted official solutions.

Although I didn't advance much due to lack of free time, I did solve some parts, most interestingly, in a different way than the official solution.

It is known that sometimes there is more than one solution for those challenges. Reading those write-ups might give you ideas for solutions to other challenges. #sharing_is_caring

Flare-On 11 Challenge 1: frog


This is a Python game challenge; it is not the first time the first challenge is written in Python.

I gave the Python challenge from Flare-On 7 to a friend of mine, whom I consider a master Python programmer. He solved the challenge, but it took him a few hours of reading the whole code a few times and fully understanding it.

Some might say this is how proper RE should be done, but this is not the "Hacker" way.

I solved the same challenge in a few minutes by simply manipulating the Python code. His mind was blown and he said I was cheating. Well, he was not wrong: it was a PyGame, so I "cheated" to receive the flag for the CTF :)

This is exactly what I did in the "frog" challenge in Flare-On 11. It is a game that you need to win to receive the flag, and I "cheated" again to get the flag in a way that is not part of the official solution.

The official solution is to play the game and move the frog, after you have seen in the source code where the passable blocks are.

Alternatively, another official solution is to manually calculate the values for the decoding routine once we know the winning position, which is kind of boring.

In PC games, sometimes cheating is done by trainers or "patching" the game.

Making a "trainer" or patching the executable is complete overkill for this challenge, as we have the Python source code.

However, with just "patching" 2 lines of code, I solved the challenge:


First, we comment out line 132. By doing this, we "jump" over the win condition check and we straight up win when the game starts.

However, this is not enough, because the flag generation requires the winning tile coordinates and my patch didn't move the frog. To overcome this, we need to change line 134 and send the winning coordinates by force to generate the flag correctly.

Profit:


As you can see, the frog didn't move (unlike in the official solution) and the game was won, showing the correct flag. Mind blown?
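The two patches described above, modeled on a constructed stand-in (an added example, not the challenge's source code). It shows why skipping the win check alone decodes garbage, and why a check in code the player can edit protects nothing when the key material sits in the same file. The XOR scheme, grid width, tile position, sample flag and all function names are assumptions.

```python
# Constructed stand-in for a tile game; every name and value here is an
# assumption for illustration, not taken from the challenge's source.
GRID_WIDTH = 16
WIN_TILE = (7, 3)
SAMPLE_FLAG = "sample_flag@example.test"


def derive_key(x, y):
    """Single-byte key computed from a tile position (assumed scheme)."""
    return (x + y * GRID_WIDTH) & 0xFF


def xor_bytes(data, key):
    return bytes(b ^ key for b in data)


# Constructed ciphertext: the sample flag encoded under the winning tile's key.
ENCODED = xor_bytes(SAMPLE_FLAG.encode(), derive_key(*WIN_TILE))


def generate_flag(x, y):
    """Decode the embedded bytes with the key for tile (x, y)."""
    return xor_bytes(ENCODED, derive_key(x, y)).decode("latin-1")


def play(start, moves, check_win=True, flag_coords=None):
    """Apply (dx, dy) moves, then return the flag text or None.

    check_win=False models commenting out the win-condition check.
    flag_coords models hard-coding the coordinates sent to flag generation.
    """
    x, y = start
    for dx, dy in moves:
        x, y = x + dx, y + dy
    if check_win and (x, y) != WIN_TILE:
        return None
    fx, fy = flag_coords if flag_coords is not None else (x, y)
    return generate_flag(fx, fy)


if __name__ == "__main__":
    print(play((0, 0), []))                         # unpatched, no moves
    print(repr(play((0, 0), [], check_win=False)))  # first patch only
    print(play((0, 0), [], check_win=False, flag_coords=WIN_TILE))  # both
```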


Bonus: Flare-On 11 Challenge 2: checksum

While I did not fully solve this challenge, as I mentioned in the intro of this blog, I spent too much time on solving the initial part of this challenge, which is solving math problems...

One of the most important things I learned from doing a bachelor's degree in "Mathematics and Computer Science" is that the computer can crunch the numbers much better than I can.

Of course, you need to know how to translate the equations into code for the computer to solve them correctly.

However, this challenge is a regression: the computer asks me to solve math challenges?

"You dare use my own spells against me, ComPotter?"

As a matter of fact, I saw similar math problems in other CTFs, but those were ELF files, which can be easily solved with bash-fu skills or pwntools.

Unfortunately, checksum is a Windows executable. pwntools initially didn't support Windows, and someone tried to make a clone named pwintools to support Windows.

Pwintools didn't work for me. However, after some digging, I found out that pwntools added support for Windows a year ago, but this is not reflected in their official documentation.

After some trial and error, I managed to write a short script to solve the math challenges, as I feared I would have to solve them manually each time I ran the program while debugging:

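from pwn import *

# Start the challenge binary (pwntools process() on Windows)
p = process("C:\\Users\\IEUser\\Desktop\\checksum.exe")
while True:
    q = p.recv().decode()
    #print(q)
    # The math questions are over once the checksum prompt appears
    if "Checksum:" in q:
        break
    # Take the text after ": " and split on spaces:
    # tokens 0 and 2 are the two operands to add
    q_fix = q.split(": ")
    print(q_fix[1])
    terms = q_fix[1].split(" ")
    first = int(terms[0])
    second = int(terms[2])
    res = str(first + second)
    p.sendline(res.encode())
    print(res)
# Placeholder answer for the checksum prompt
p.sendline(b"TBD")
q = p.recv()
print(q)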

Profit:


