Tuesday, October 9, 2018

Flare-on 2018 Challenge #1

Flare-on 2018 was upon us again this past August 24th through October 5th 2018. Every year I get excited to try out some of the challenges and also use them as a team building exercise at work. I love the challenge and excitement it brings to the table over the last 5 years! After signing up for the challenge you are presented with the first challenge, shown below. You're presented with the first challenge file which is a password protected 7-zip file. The goal of this (and every) flare-on challenge is to find a unique flag value, in the form an email address ending in "@flare-on.com".

Once we expand the 7-zip archive with the password "infected" we are left with a Java binary or .JAR file named "MinesweeperChampionshipRegistration.jar". Basic file metadata is:

Filename: MinesweeperChampionshipRegistration.jar  
File Type: JAR
MD5: f6168f080361569c3e1cfe7e397ac0a7
SHA-1: 36fb104e6b55d265c344ca1d47631c45d4f5345a
SHA-256: 9bcce226836b5226f9ecb17b13a2842dfc21931e15864cc4d85079f948f7a70e
Size: 1.1 KB (1111 bytes)

Java is compiled bytecode, so my first thought was to open it up in JDgui, an exellent free Java decompiler. It breaks down Java .class files into source code allowing for quick analysis with out the need to inspect .JAR files dynamically. Once doing so the answer was very easy to spot!

To summarize, the first challenge was very easy. For a new malware analyst all one really needed to know was that it'd be a good starting point to decompile "MinesweeperChampionshipRegistration.jar". On to challenge #2, which we know will not be nearly as easy!

No comments:

Post a Comment