Hello Cyber Enthusiasts! How are you doing?
Well, TryHackMe has released the Day 06 challenges of the Advent of Cyber 2023.
So, here we are with its walkthrough. Throughout this walkthrough, we’ll learn how a variable in any programming language can overflow into adjacent memory and corrupt it, and we will learn about the buffer overflow vulnerability.
Buffer overflow is a security vulnerability that occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold. This overflow can lead to unpredictable behavior, crashes, or even security breaches.
In the context of security, attackers can deliberately exploit buffer overflow vulnerabilities to inject malicious code into a program’s memory. This injected code might lead to unauthorized access, data manipulation, or even the execution of arbitrary commands.
Because of the overflow, data in adjacent memory locations can be overwritten, leading to unintended consequences. This can corrupt variables, function pointers, or even control-flow data, potentially compromising the integrity and security of the system.
Let’s have a look at the challenges.
If the coins variable had the in-memory value in the image below, how many coins would you have in the game?
What is the value of the final flag?
We are given a game. There are two characters, Van Holly and Van Frosty. Van Holly changes the player’s name for 1 coin per character, and Van Frosty sells the ornaments we, as players, can buy to decorate our Christmas tree.
We need to buy a star for our Christmas tree to win this game.
So let’s start playing this game. There is a direct link given, so first start your machine, then copy this link into your browser.
The direct link given is: http://10-10-97-201.p.thmlabs.com/
Now that your game is started, press the Spacebar button on your keyboard to start your game.
After that, you will find the game controls: the Tab button to see the debug panel, the Spacebar [SPC] to interact / speak with other characters and to continue the game, the Backspace button [BKSPC] to reset the inventory, and the arrow buttons to move yourself as the player in the game.
You can clearly see that to finish this game, we need to get a star to put on our Christmas tree.
After you get the star, just interact with the Christmas tree, and that’s it; we will win.
We can buy as many ornaments as we need to decorate our tree.
We have one coin for now.
When I was exploring this game, I interacted with Van Frosty. He asked me if there was anything I wanted to buy. I pressed SPC to see what products he had.
He had a lot of ornaments with their cost, like a red ball at $5, a green ball at $10, a mushroom at $16, and a star at $1000, and so on.
I tried to buy the star by pressing its ID, ‘d’.
It says you don’t have enough money! Use the PC to get more coins. Now we know that we can earn coins from the PC.
If you press the key once, you’ll earn one coin. Similarly, the number of coins you earn corresponds to the number of times you press the key.
We had earned 12 coins. So let’s buy something.
I bought a green ball for $10.
He says thanks for your purchase. And our coins get reduced. We can see our green ball on our list on the left side of the game window.
I went to the Christmas tree to decorate it with my newly purchased green ball.
It says, ‘You still don’t have a star. Get one and talk to me’. That is sad for me.
I went to the PC to earn some more coins.
I was sad because the Christmas tree refused to interact with me. So I was trying to earn more money so that I could buy the Star of $10000.
I earned 16 coins, then I saw that the PC was broken. It broke my heart, too. Now, how will I earn $10,000?
I went to Van Holly to change my name.
It said, ‘I can change your name for 1 coin per character’. I had 16 coins. So I kept my new name, ‘I’m saddypersonn’.
And I pressed Enter. Oh my God, what I saw! I now had 1852731251 coins.
Now I can buy a star for my Christmas tree.
I pressed ‘d’ to buy the star.
And it says, ‘Hey! You are not supposed to have that kind of money…’
What is this behaviour?
It says, ‘The game is supposed to be unwinnable’.
It gave me a cooler item for the same price, but not the Star.
The game is over for now. Let’s use the information we’ve learned so far in this walkthrough.
Press the Tab button to see the debug panel and check out what’s happening here.
We saw that 12 bytes are assigned to the player_name variable, and our 16-byte name has overflowed into the adjacent coins variable.
Looking at its value in hex format, the first four bytes are 63 48 6e 6e. Since the value is stored in little-endian order, we read these bytes back to front: 6e 6e 48 63.
Let’s convert this hexadecimal value into decimal. You can use any calculator, like RapidTables.
Its value is 1852721251, which is exactly the number of coins we have.
It’s clear that the game doesn’t check if the player_name variable has enough space to store the new name.
Instead, it keeps writing to adjacent memory, overwriting the values of other variables. This vulnerability is known as a buffer overflow and can be used to corrupt memory right next to the vulnerable variable.
Here, the vulnerable variable is player_name, and through it we can overwrite the values of the variables stored after it as well.
The question hint says to check out the inventory. The variable for the inventory is inv_items.
To manipulate this variable, we must enter a name of at least 60 bytes.
Don’t get confused about the 60 bytes: it is the distance in memory from the start of player_name to inv_items, which you can calculate from the debug panel.
Let’s change our name to the following 60-byte string: “aaaaaaaaaabbbbbbbbbbaaaaaaaaaassssssssssddddddddddffffffffff”.
We see that inv_items has been overwritten, and we now have six stars in our inventory list.
That’s because six ‘d’ characters from our name landed in the inv_items variable, and ‘d’ is the star’s item ID.
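To make the mechanics from the debug panel concrete, here is a small C model of what the walkthrough describes: a fixed-size name buffer, the coin counter directly after it, and the inventory further along. This is an added example, not the game’s code; the struct layout, the 24-byte gap, the 20 inventory slots and the function names are assumptions chosen so that bytes 12–15 of a long name land on coins and bytes 40 onwards land on inv_items. It also shows the little-endian conversion done by hand above, and a bounds-checked rename beside the vulnerable one.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed toy layout (not the real game's): a 12-byte name, the 32-bit
 * coin counter directly after it, some unrelated state, then the
 * inventory slots. Offsets are checked at compile time. */
#define NAME_LEN  12
#define INV_SLOTS 20
#define STAR_ID   'd'            /* the star's item ID in the shop menu */

struct player {
    char     name[NAME_LEN];     /* offset  0 .. 11 */
    uint32_t coins;              /* offset 12 .. 15 */
    uint8_t  other_state[24];    /* offset 16 .. 39, assumed filler */
    char     inv_items[INV_SLOTS]; /* offset 40 .. 59 */
};
_Static_assert(offsetof(struct player, coins) == 12, "coins follow the name");
_Static_assert(offsetof(struct player, inv_items) == 40, "inventory at 40");
_Static_assert(sizeof(struct player) == 60, "struct is exactly 60 bytes");

/* The defect the walkthrough describes: the name is copied until the
 * source ends, and nothing asks how large name[] actually is. */
void vulnerable_rename(struct player *p, const char *new_name)
{
    char *dst = p->name;
    for (size_t i = 0; new_name[i] != '\0'; i++)
        dst[i] = new_name[i];    /* BUG: writes past name[] into coins/inv_items */
}

/* Hardened version: refuse a name that does not fit instead of overflowing. */
int safe_rename(struct player *p, const char *new_name)
{
    size_t n = strlen(new_name);
    if (n > NAME_LEN)
        return -1;
    memset(p->name, 0, NAME_LEN);
    memcpy(p->name, new_name, n);
    return 0;
}

/* Interpret four bytes as a little-endian 32-bit integer, which is what
 * the walkthrough does by hand: 63 48 6e 6e -> 0x6e6e4863. */
uint32_t le32(const uint8_t b[4])
{
    return (uint32_t)b[0] | ((uint32_t)b[1] << 8) |
           ((uint32_t)b[2] << 16) | ((uint32_t)b[3] << 24);
}

static void reset(struct player *p)
{
    memset(p, 0, sizeof *p);
    p->coins = 1;                /* the game starts you with one coin */
}

/* Coins left after the unchecked rename (bytes 12..15 of the name). */
uint32_t coins_after_vulnerable_rename(const char *new_name)
{
    struct player p;
    reset(&p);
    vulnerable_rename(&p, new_name);
    return p.coins;
}

/* How many inventory slots hold the given item ID after the rename. */
int items_after_vulnerable_rename(const char *new_name, char id)
{
    struct player p;
    reset(&p);
    vulnerable_rename(&p, new_name);
    int count = 0;
    for (int i = 0; i < INV_SLOTS; i++)
        if (p.inv_items[i] == id)
            count++;
    return count;
}

/* With the bounds check, coins are untouched whether or not the name fits. */
uint32_t coins_after_safe_rename(const char *new_name)
{
    struct player p;
    reset(&p);
    safe_rename(&p, new_name);
    return p.coins;
}

int main(void)
{
    const uint8_t dump[4] = {0x63, 0x48, 0x6e, 0x6e};   /* bytes from the debug panel */
    printf("0x%08x = %u coins\n", le32(dump), le32(dump));

    /* constructed 16-character name: 12 bytes fill name[], "bbbb" lands on coins */
    printf("coins after overflow: %u\n", coins_after_vulnerable_rename("aaaaaaaaaaaabbbb"));

    /* the 60-character name from the walkthrough; here the run of 'd' lands on inv_items */
    const char *long_name = "aaaaaaaaaabbbbbbbbbbaaaaaaaaaassssssssssddddddddddffffffffff";
    printf("stars in inventory: %d\n", items_after_vulnerable_rename(long_name, STAR_ID));
    printf("coins with bounds check: %u\n", coins_after_safe_rename(long_name));
    return 0;
}
```

The number of stars you get depends only on how many ‘d’ bytes of the name fall on the inventory slots, which is why the walkthrough’s count (six) differs from this toy layout (ten): the real game’s distances are different, and you read them off the debug panel.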
Let’s go to the Christmas tree.
Our Christmas tree is decorated. Press SPC to continue.
We got the flag THM{mchoneybell_is_the_real_star}.
For further details, refer to their documentation. I’ve kept it beginner-friendly. Some aspects might seem dull to you, but I believe it will be beneficial for those entering the field of cybersecurity.
If you have any doubts, you can connect with me on LinkedIn and feel free to ask.
Check out our YouTube channel, Ethical Empire.
If you’re preparing for the CEH Practical Exam, don’t forget to check out our playlist, ‘CEH Practical Exam Preparation’.
Until next time, stay secure, stay curious, and keep exploring the fascinating world of cyber security.