Challenge 1

What Da Dog Doing?

The challenge starts by downloading a binary named "C1.exe" from https://flare-on.com/.

The binary seems to be a self extracting binary.

It extracts to two binaries - "Challenge1.exe" and "Flare_On_Challenge.Exe" and a disclaimer.

Upon initial triage in cutter, the binary seems to be developed in MSIL (Microsoft Interpreted Language) and imports "mscoree.dll", suggesting that its based on .NET Framework.

Upon execution, a picture of Bob Ross pops up along with a button to "Decode".

The "Decode" button turns Bob ross into Doge. NOOOO BOB ROSS NOOOOOO!!

In order to get what this challenge is about, we need to dig deeper. Seeing as this app is made of C#, we can use "dnspy" to peek into it.

In the resources section of the PE, "re_challenge_1.dat_secret.encode" seems interesting. Let's save it and decode it. Using "Detect it Easy" tool, we can see that it is a plain text file. HxD confirms it to have hexadecimal data with the value -

A1 B5 44 84 14 E4 A1 B5 D4 70 B4 91 B4 70 D4 91 E4 C4 96 F4 54 84 B5 C4 40 64 74 70 A4 64 44

We need to decode it. For that, we can use a python script -

from binascii import unhexlify

datsecret= unhexlify("A1B5448414E4A1B5D470B491B470D491E4C496F45484B5C440647470A46444")
str1 = ""

for num in datsecret:
    str1 += chr(((num >> 4) | ((num << 4) & 0xF0)) ^ 41)

print(str1)

The output is -> "3rmahg3rd.b0b.d0ge@flare-on.com". This is the flag for this challenge.