Recently, I found myself in need of analysing the SSL traffic coming out of IoT and mobile devices. After some consideration of the monitoring setup, I ended up using a Raspberry Pi 3 as the platform, because most of the devices were wifi-only and I needed something more mobile at hand. There are some guides for setting such a platform up, but I found them lacking certain things that prevented the whole thing from working for me.
Flare-On 2014 Challenge 1
The binary can be downloaded from the original site. A quick check shows that this is a .NET executable with some humor:
Using the very handy .NET decompiler ILSpy, let's look at the source of this funny thing, with emphasis on the implementation of the Decode button's event handler:
    private void btnDecode_Click(object sender, EventArgs e)
    {
        this.pbRoge.Image = Resources.bob_roge;
        byte[] dat_secret = Resources.dat_secret;
        string text = "";
        // First stage: swap the two nibbles of each byte, then XOR with 41 (0x29)
        for (int i = 0; i < dat_secret.Length; i++)
        {
            byte b = dat_secret[i];
            text += (char)((b >> 4 | ((int)b << 4 & 240)) ^ 41);
        }
        text += "\0";
        string text2 = "";
        // Second stage (decompiled listing is cut off here in the original)
        for (int j = 0; j < text.
Flare-On 2014 Challenge 2
In this one, the flare-on.com site was attacked. The attacker left "something" behind for us to investigate. We get a snapshot of the site for analysis, and the email is somewhere inside:
After comparing the original site against the challenge files, the "secret" is found in the image file (flare-on.png), and that is where the "digging" will take place:
Let’s extract that hidden message for further processing - Stage 0:
Flare-On 2014 Challenge 3
This challenge is about analyzing a binary file. Using IDA, we see a sort of "obfuscation" here: the actual code (the payload) is copied onto the stack by the loader and executed from there:
The payload is actually multi-stage, XOR-based, self-decrypting code; in our case, each decrypted stage reveals another funny sentence:
Stage | Result
I hope you've got the idea here.
Flare-On 2014 Challenge 4
In this task, there is only a PDF file. The first thought that crossed my mind was that there is some kind of exploit embedded in it. Let's analyze the file to see what secrets it has hidden. There are several ways to do it: online resources (Wepawet) or local tools. I'll use the latter, as the online services will do most of the work for you and you will miss all the fun and knowledge.