Write-ups for the game challenges at Insomni'hack 2018 CTF
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode characters
|As was the case last year, this year's Insomni'hack featured a multi-player game and 3 challenges requiring us to
|hack the game in order to get the flags
|It was a Unity based game and was written in C#, the core of the game logic was in the Assembly-CSharp.dll and I used dnSpy
|(https://github.com/0xd4d/dnSpy) to decompile the DLL and understand the logic and modify the game.
|This challenge required us to activate 4 buttons within a 6 second window, the game used a master client architecture
|where activating a button would trigger an RPC call to the master client which would keep track of the challenges based
|on player ids. Therefore it was not possible to increase the timer or else. I think the intended solution was to use a TP hack
|to teleport to the 4 buttons and activate them manually but I went with another method.
|The class representing these buttons had a method which was called when we interacted with them, this would trigger an RPC Call
|to the master client telling it that we activated that button and passing it a button ID. I simply modify this method to send
|an RPC call for each button ID which meant that I only had to activate one button to validate all the other ones and got the flag
|We were supposed to read a flag which was part of the environment and which was under a roof of a building we could not
|normally access. I am pretty sure I solved this one unintentionally based on the name of the challenge.
|What I did is modify the `OnGUI` method of the SimpleCrosshair class which would display the HUD to always set my player's
|position to arbitrary coordinates by setting the `transform` property,
|I then bruteforced the positions across reboot until I was a bit under the roof
|and could see red polygons (those were the flag leters) but I was looking at them from the side (they were facing upwards).
|What I ended doing is write a simple loop in the OnGUI method that would start on the left of the flag and increase my position on the Z axis by 1
|every 1000 iteration (2-3s) and by crouching I was able to read the flag letters from below.
|I tried for 15 mn to do this one without too much hacking (just adding a tp hack to the interact button to instantly tp to the egg)
|but apparently I have not played enough cs recently and could not kill the crates. I ended up modifying my tp hack to land
|on top of the egg which meant I only had to aim upwards and shoot mindlessly and I would hit every crate