TryHackMe – Advent of Cyber 2023 Day 6
Day 6 of the TryHackMe Advent of Cyber 2023 challenge has a fun game that teaches us the concept of buffer overflows! Along the way, we get to learn about computer memory and how memory safety vulnerabilities can be exploited. We’ll also get some practice in decimal-hex-ascii conversion, which is super important in learning assembly language, reverse engineering, and even malware development.
Personally, this was my favorite challenge of Advent of Cyber 2023 so far. I really enjoyed this format and found it to be a great way to introduce buffer overflows and related concepts in a fun, intuitive way.
The TryHackMe Advent of Cyber 2023 challenge can be found at https://tryhackme.com/room/adventofcyber2023.
About This Walkthrough/Disclaimer:
In this walkthrough I try to provide a unique perspective into the topics covered by the room. Sometimes I will also review a topic that isn’t covered in the TryHackMe room because I feel it may be a useful supplement.
I try to prevent spoilers by requiring a manual action (highlighting) to obtain all solutions. This way you can follow along without being handed the solution if you don’t want it. Always try to work as hard as you can through every problem and only use the solutions as a last resort.
Walkthrough for TryHackMe Advent of Cyber 2023 Day 6
Understanding the Game and Day 6 Activities
The activities for Day 6 are centered around a simple game created by the TryHackMe team to demonstrate some important security concepts in a fun, friendly game.
To access the game, you need to start a VM using the green ‘Start Machine’ button at the top of the Day 6 activity/text section. Then you’ll need to access the link provided by TryHackMe in the ‘Connecting to the Machine’ section.
When you load the game, you will see the controls menu:
The game itself is very simple. Basically there is a single computer icon that you can use to ‘program’ and gain a coin. ‘Programming’ requires pressing the spacebar.
There are also two NPC’s, ‘Van Holly’ and ‘Van Frosty’. ‘Van Holly’ (in green) will allow you to change your name, and ‘Van Frosty’ (in blue) will give you access to the store.
The goal of the game is to put a star on the Christmas tree. As it is designed, it is impossible to win. However, we can use our h4kker skills to beat it!
To start investigating how game data is stored in memory, I first collected 16 coins (at which point the ‘computer’ breaks!) then looked at the memory in ASCII view:
And in hex view:
If I change my character’s name to ‘scroogerocks!’, we can see that the name overflows into the section of memory used to hold the coin value. The exclamation point ‘!’ overflows into ‘coins’, giving us 33 coins.
Note than the exclamation point ‘!’ corresponds to the value 33 in decimal, or 0x21 in hex:
Note: I find the table on this page from FreeCodeCamp helpful for decimal-ascii-hex conversions.
Next, I repeated this process using the name ‘aaaabbbbccccx. This replaces the name, including the exclamation point. In this case, the ‘x’ value overflows into the ‘coins’ memory space. Lowercase ‘x’ in ASCII corresponds with a decimal value of 120 and a hex value of 0x78.
Knowing how this part of the game works, we can move on to answering question # 1.
Question 1
If the coins variable had the in-memory value in the image below, how many coins would you have in the game?
As shown in the question, the hex value that we need to convert to decimal is 0x[4f 4f 50 53].
To answer the question, we need to understand three things: (1) hex is often stored in 1-byte increments (each hex digit stores half a byte so two hex digits is equivalent to 1 byte). (2) Hex is stored in little-endian, so we need to reverse the byte order. (3) Even though the hex is stored in 1-byte increments, to get the equivalent decimal value, we need to convert from the entire hex value (not in 1-byte chunks).
In other words, first we must take the number 0x[4f 4f 50 53] and reverse the bytes: 0x[53 50 4f 4f].
Next, we remove the spaces from each 1-byte increment so it becomes a single hex number: 0x53504f4f
Now we can finally convert this hex number to decimal using a converter:
Answer (Highlight Below):
1397772111
Question 2
What is the value of the final flag?
In order t o win the game and get the flag, we need 10,000 coins. Let’s take what we’ve learned and figure out how to do this!
First, let’s convert the number 10000 in decimal to hex:
10000 = 0x2710 (in big-endian) = 0x[10 27] in little endian
Now let’s convert this into ASCII and win the game!
0x10 = Data Link Escape
0x27 = Escape
These values don’t correspond to typable characters! Luckily, we only need to get at least 10000 coins to beat the game. I decided to keep it simple by changing my name to ‘aaaabbbbccccdddd’:
Now we should be able to buy a star from the store:
But instead of getting a star, we are given a nutcracker! So we’ll need to figure out how to hack the game to get a star in our inventory.
Let’s take a look again at our memory:
Notice that inventory items are stored at the bottom, and the inventory item’s ascii designation corresponds with the same designation in the store .
The star is item ‘d’ in the store, so we should be able to get a star in our inventory by putting a ‘d’ into the corresponding spot in memory.
To do so, we’ll change our name again. I used ‘aaaabbbbccccddddeeeeffffgggghhhhhiiiiijjjjkkkkd’ to keep things simple.
Just like that, we get a star! And we didn’t even have to buy it!
Now we can put the star on the tree and get our flag!
Answer (Highlight Below):
THM{mchoneybell_is_the_real_star}
Conclusion
This challenge did a great job of introducing buffer overflows and related concepts in a fun and engaging way! I sincerely enjoyed it, and I suspect many others did/will as well! Even though the game itself is simple, it is really a phenomenal tool to help learn buffer overflows and we can tell how much work was put into it.
I honestly wish it was accessible outside of the Advent of Cyber 2023 challenge so anyone could use and learn from it more easily. But I’ve felt this way about other Advent of Cyber activities, challenges, and games too. It just goes to show that Advent of Cyber is a great way to learn!