TryHackMe: Advent of Cyber 2023 (Day 6) Memories of Christmas Past

Samantha
Dec 16, 2023


“Throughout the merger, we have detected some worrying coding practices from the South Pole elves. To ensure their code is up to our standards, some Frostlings from the South Pole will undergo a quick training session about memory corruption vulnerabilities, all courtesy of the B team. Welcome to the training!”

“In this game, you’ll play as CatOrMouse. Your objective is to save Christmas by buying the star for your Christmas tree from Van Frosty. In addition to the star, you can buy as many ornaments as you can carry to decorate your tree. To gain money to buy things, you can use the computer to do online freelance programming jobs.

You can also speak to Van Holly to change your name for a fee of 1 coin per character. He says that this is totally not a scam. He will actually start calling you by your new name. He is, after all, into identity management.”

There’s an issue though. The totally not creepy Van Jolly approaches you and says the Ghost of Christmas Past is haunting the game.

“Van Jolly explains that when you change your name to anything large enough, the game goes nuts! Sometimes, you’ll get random items in your inventory. Or, your coins just disappear. Even the dialogues can stop working and show random gibberish. This must surely be the work of magic!”

Seems legit, Van Jolly…

But you know better, you let Van Jolly know that this is probably the result of memory corruption, NOT a Christmas Haunting.

I started testing a few things out. I got 16 coins from the computer (then it promptly broke), and changed my name to falalalalalalala. The game did indeed act weird, and I got over 1 billion coins, lol.

Then I tried to buy my star for the tree, but got accused of cheating!

The game has major issues with buffer overflow. Because the player name can only accommodate 12 bytes, if you input anything more than that, it will overflow into the next variable, in this case, the coins. You could use this to add as many characters as you want to your name and overwrite all of the variables in turn.

Q1: If the coins variable had the in-memory value in the image below, how many coins would you have in the game?

I used a hex to decimal converter to do the calculations.

The challenge text explains that the bytes are stored backwards due to little-endian byte order.
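To make both points concrete (the 12-byte name spilling into the coin counter, and reading the coin bytes back in little-endian order), here is an added example in C. It is not code from the game or from TryHackMe; the record layout (`NAME_SIZE`, `COINS_OFFSET`, `RECORD_SIZE`) and every function name are assumptions constructed for illustration. The unchecked rename models the bug the writeup describes, and the checked rename shows the bounds check that stops it.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the player record (an assumption, not the game's
   real layout): a 12-byte name field immediately followed by a 4-byte
   coin counter in one contiguous block of memory. */
#define NAME_SIZE    12
#define COINS_OFFSET NAME_SIZE
#define RECORD_SIZE  (NAME_SIZE + 4)

struct player_record {
    unsigned char mem[RECORD_SIZE];   /* name at [0..11], coins at [12..15] */
};

/* Decode 4 bytes stored least-significant-byte first (little-endian),
   which is the conversion Q1 asks for. */
uint32_t le32_to_value(const unsigned char *b) {
    return (uint32_t)b[0]
         | ((uint32_t)b[1] << 8)
         | ((uint32_t)b[2] << 16)
         | ((uint32_t)b[3] << 24);
}

/* Encode a value in little-endian order (used to seed the record). */
void value_to_le32(uint32_t v, unsigned char *b) {
    b[0] = (unsigned char)(v & 0xff);
    b[1] = (unsigned char)((v >> 8) & 0xff);
    b[2] = (unsigned char)((v >> 16) & 0xff);
    b[3] = (unsigned char)((v >> 24) & 0xff);
}

void record_init(struct player_record *r, uint32_t coins) {
    memset(r->mem, 0, RECORD_SIZE);
    value_to_le32(coins, r->mem + COINS_OFFSET);
}

uint32_t record_coins(const struct player_record *r) {
    return le32_to_value(r->mem + COINS_OFFSET);
}

/* Vulnerable rename: copies the name and its terminator with no check
   against NAME_SIZE, so a name longer than 11 characters overwrites the
   coin counter. The clamp at RECORD_SIZE exists only to keep this demo
   inside the record; the real bug has no such stop. Returns bytes written. */
size_t rename_unchecked(struct player_record *r, const char *new_name) {
    size_t n = strlen(new_name) + 1;        /* include terminating NUL */
    if (n > RECORD_SIZE) n = RECORD_SIZE;   /* demo guard only */
    memcpy(r->mem, new_name, n);
    return n;
}

/* Hardened rename: refuse any name that does not fit in the name field
   together with its terminator, so no write can reach the coin counter.
   Returns 0 on success, -1 if the name was rejected. */
int rename_checked(struct player_record *r, const char *new_name) {
    size_t len = strlen(new_name);
    if (len >= NAME_SIZE) return -1;
    memcpy(r->mem, new_name, len + 1);
    return 0;
}

int main(void) {
    struct player_record r;

    record_init(&r, 16);
    printf("coins before rename: %u\n", record_coins(&r));

    /* "falalalalalalala" is the 16-character name from the writeup. */
    rename_unchecked(&r, "falalalalalalala");
    printf("coins after unchecked rename: %u (0x%08x)\n",
           record_coins(&r), record_coins(&r));

    record_init(&r, 16);
    if (rename_checked(&r, "falalalalalalala") < 0)
        printf("checked rename rejected the long name; coins still %u\n",
               record_coins(&r));
    return 0;
}
```

Characters 12 through 15 of the long name are `l a l a` (0x6c 0x61 0x6c 0x61); read least-significant-byte first they become 0x616c616c, which is why a harmless-looking name turns into a coin balance in the billions.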

Q2: What is the value of the final flag?

I will exploit the buffer overflow vulnerability by changing my name to something super long that fills in all of the memory spots, and then gives me all of the inventory items.

You can see there are 44 boxes that make up all the variables up until inv_items. So I’ll use 44 random characters to fill them all up and then write in all of the inventory item IDs with the remaining 16.

I went back to change my name and carry out the plan.

It worked!
