
@bkth

bkth/Insomnihack pwn arena

Last active Apr 27, 2020
Write-ups for the game challenges at Insomni'hack 2018 CTF
As was the case last year, this year's Insomni'hack featured a multi-player game and 3 challenges requiring us to
hack the game in order to get the flags.
It was a Unity-based game written in C#. The core of the game logic was in Assembly-CSharp.dll, and I used dnSpy
(https://github.com/0xd4d/dnSpy) to decompile the DLL, understand the logic and modify the game.
Nightcrawler:
This challenge required us to activate 4 buttons within a 6-second window. The game used a master client architecture
where activating a button would trigger an RPC call to the master client, which would keep track of the challenges based
on player IDs. Therefore it was not possible to increase the timer or anything like that. I think the intended solution was to use a TP hack
to teleport to the 4 buttons and activate them manually, but I went with another method.
The class representing these buttons had a method which was called when we interacted with them. This would trigger an RPC call
to the master client telling it that we activated that button and passing it a button ID. I simply modified this method to send
an RPC call for each button ID, which meant that I only had to activate one button to validate all the other ones, and I got the flag.
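The master client accepted a button activation for any button ID the moment it arrived. As an added example (not code from the game or from this write-up), here is one check the master could run using only data it owns: the time between two accepted activations by the same player must be at least the travel time between those buttons. All names, the button layout and the speed limit are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Numerics;

// Hypothetical master-side check; none of these names come from the game.
public sealed class ButtonActivationValidator
{
    private readonly IReadOnlyDictionary<int, Vector3> _buttons; // button ID -> world position
    private readonly float _maxSpeed;                            // fastest legitimate movement, units/s
    private readonly Dictionary<int, (int Button, double Time)> _last = new();

    public ButtonActivationValidator(IReadOnlyDictionary<int, Vector3> buttons, float maxSpeed)
        => (_buttons, _maxSpeed) = (buttons, maxSpeed);

    // Called by the master for every activation RPC; 'now' is the master's own clock in seconds.
    public bool Accept(int playerId, int buttonId, double now)
    {
        if (!_buttons.TryGetValue(buttonId, out var target))
            return false; // unknown button ID

        if (_last.TryGetValue(playerId, out var prev))
        {
            // The previous accepted activation places the player at that button at
            // prev.Time, so reaching this one needs at least distance / maxSpeed seconds.
            double minTravel = Vector3.Distance(_buttons[prev.Button], target) / _maxSpeed;
            if (now - prev.Time < minTravel)
                return false; // faster than movement allows: teleport or forged RPC
        }
        _last[playerId] = (buttonId, now);
        return true;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed layout: four buttons on a line, 10 units apart; max speed 8 units/s.
        var buttons = new Dictionary<int, Vector3>
        {
            [0] = new(0, 0, 0), [1] = new(10, 0, 0), [2] = new(20, 0, 0), [3] = new(30, 0, 0),
        };
        var v = new ButtonActivationValidator(buttons, 8f);
        Console.WriteLine(v.Accept(7, 0, 100.0));  // first activation by player 7
        Console.WriteLine(v.Accept(7, 1, 100.01)); // 10 units in 10 ms
        Console.WriteLine(v.Accept(7, 1, 101.5));  // 10 units in 1.5 s
    }
}
```

Because the check relies only on the master's clock and the fixed button positions, it does not depend on any position the client reports.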
Xray visions:
We were supposed to read a flag which was part of the environment and which was under a roof of a building we could not
normally access. I am pretty sure I solved this one unintentionally based on the name of the challenge.
What I did was modify the `OnGUI` method of the SimpleCrosshair class, which would display the HUD, to always set my player's
position to arbitrary coordinates by setting the `transform` property.
I then bruteforced the positions across reboots until I was a bit under the roof
and could see red polygons (those were the flag letters), but I was looking at them from the side (they were facing upwards).
What I ended up doing was writing a simple loop in the OnGUI method that would start on the left of the flag and increase my position on the Z axis by 1
every 1000 iterations (2-3s), and by crouching I was able to read the flag letters from below.
Aimbox:
I tried for 15 minutes to do this one without too much hacking (just adding a TP hack to the interact button to instantly TP to the egg)
but apparently I have not played enough CS recently and could not kill the crates. I ended up modifying my TP hack to land
on top of the egg, which meant I only had to aim upwards and shoot mindlessly and I would hit every crate.