flare-on
Flare-on 5 - 1
· ☕ 1 min read · ✍️ suidroot
This is a post in a series where I complete every Flare-on challenge. The landing page for all of these posts can be found here. Starting off the Flare-on 5 series of challenges, we have a very simple password challenge; when extracting the archive you get one file.
MinesweeperChampionshipRegistration.jar: Java archive data (JAR)
When running the file, you are prompted for an invitation code. I unzipped the jar file, finding the metadata and a class file.

Flare-on 3 - Challenge 2
· ☕ 4 min read · ✍️ suidroot
This is a post in a series where I complete every Flare-on challenge. The landing page for all of these posts can be found here. The archive for this challenge included 2 files.
BusinessPapers.doc: data
DudeLocker.exe: PE32 executable (console) Intel 80386, for MS Windows
I first took a look at the .doc file and it looks to be random data. After doing some initial analysis on the executable file, I found many references to encryption routines in the imports.

Flare-On 3 - Challenge 1
· ☕ 1 min read · ✍️ suidroot
This is a post in a series where I complete every Flare-on challenge. The landing page for all of these posts can be found here. This challenge, like a lot of the first levels, is a password decoding challenge. In the next screenshot, you can see what happens when you run the executable. I opened the binary up in IDA and found the main function. The main function starts off setting up handles to read input and loading a string from the .

Flare-on 2 - Challenge 5
· ☕ 2 min read · ✍️ suidroot
This is a post in a series where I complete every Flare-on challenge. The landing page for all of these posts can be found here. This challenge includes two files: a packet capture in PCAP format and a Windows binary. Opening up the PCAP in Wireshark, I found multiple HTTP streams submitting POST requests. I looked at each of these POST requests and saw they all have a few bytes of content.

Flare-on 2 - Challenge 3
· ☕ 2 min read · ✍️ suidroot
This is a post in a series where I complete every Flare-on challenge. The landing page for all of these posts can be found here. In the third challenge, you are greeted with a nice goat named Elfie; as you type, characters show up on the screen. As always, I start off by checking out what kind of binary I am looking at:
λ file elfie
elfie: PE32 executable (console) Intel 80386, for MS Windows
As I said, we are greeted by the goat that eats magic keys

Flare-on 2 - Challenge 2
· ☕ 3 min read · ✍️ suidroot
This is a post in a series where I complete every Flare-on challenge. The landing page for all of these posts can be found here. The second challenge from this season built on the first challenge. It was another password entry challenge, but with a more complicated password encoding scheme. First things first, I validated what kind of file I was looking at:
λ file very_succes
very_succes: PE32 executable (console) Intel 80386, for MS Windows
When running the file, I entered some test data to see how it looked to a user.

Flare-on 2 - Challenge 1
· ☕ 1 min read · ✍️ suidroot
This is a post in a series where I complete every Flare-on challenge. The landing page for all of these posts can be found here. The first challenge in the 2015 season of Flare-On was a pretty easy enter-the-password type of challenge. I started off by opening the extracted file in IDA and running it in the debugger. I stepped to the section of code that evaluates the input versus the input

Flare-on 1 - Challenge 5 - 5get_it
· ☕ 3 min read · ✍️ suidroot
This is a post in a series where I complete every Flare-on challenge. The landing page for all of these posts can be found here. Challenge 5 brings us a DLL file; I mainly used Ghidra to statically analyze this file.
5get_it: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
After Ghidra loaded and analyzed the file, I found this function at 0x1000a680 that does a few things: first, it reads and writes the Run key to set up persistence for this DLL file, and it also copies itself to the C:\windows\system32 directory as svchost.

Flare-on 1 - Challenge 4 - Sploitastic
· ☕ 2 min read · ✍️ suidroot
This is a post in a series where I complete every Flare-on challenge. The landing page for all of these posts can be found here. We start off with a PDF file in Challenge 4. I start off by dumping the contents of the streams using pdf-parser from Didier Stevens' PDF-tools:
pdf-parser.py -f APT9001.orig.pdf > apt5.txt
Looking through the content, I find a block of JavaScript code that looks interesting

Flare-on 1 - Challenge 3 - Shellolololol
· ☕ 1 min read · ✍️ suidroot
This is a post in a series where I complete every Flare-on challenge. The landing page for all of these posts can be found here. Challenge 3 brings a PE executable file to take a look at.
such_evil: PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
I loaded the file up in x64dbg, and after navigating to the main function it looks to load a whole lot of data onto the stack, then CALL into the loaded code.

Flare-on 1 - Challenge 2 - Javascrap
· ☕ 5 min read · ✍️ suidroot
This is a post in a series where I complete every Flare-on challenge. The landing page for all of these posts can be found here. In Challenge 2 the zip file extracts an HTML and a PNG file. From the top, the HTML file looks pretty normal until you see the PHP tag located near the bottom of the code, including the PNG file in the img directory. The file looks to be a normal PNG file and displays image data when loaded.

Flare-on 1 - Challenge 1 - Bob Doge
· ☕ 1 min read · ✍️ suidroot
This is a post in a series where I complete every Flare-on challenge. The landing page for all of these posts can be found here. In the very first challenge you are presented with a Windows executable, and when you run it you are presented with Bob Ross painting a nice scene. But when you click DECODE! you get a Bob Doge with a weird text string. Digging a little deeper to see what type of file we have, we find we have a .