Holiday Hack 2021: Shellcode Primer
Objective
Terminal - Holiday Hero
Challenge
Up on the KringleCon roof alongside NetWars, Chimney Scissorsticks is too preoccupied with Holiday Hero to talk about shellcode:
Woo! I’m Chimney Scissorsticks, and I’m having a great time up here!
I’ve been hanging out with all these NetWars players and not worrying about what’s going on next door.
In fact, I’ve really been having fun playing with this Holiday Hero terminal. You can use it to generate some jamming holiday tunes that help power Santa’s sleigh!
It’s more fun to play with a friend but I’ve also heard there’s a clever way to enable single player mode.
Single player mode? I heard it can be enabled by fiddling with two client-side values, one of which is passed to the server.
It’s so much more fun and easier with a friend though!
Either way, we’d really appreciate your help getting the sleigh all fueled up.
Then I can get back to thinking about shellcode…
The game is a take on Guitar Hero, where the player has to push the keys when the notes are at a certain place along with the music. It says it must be played with a partner, either a random match, or where one player starts a room, and the other joins it:
Solution
Enable Single Player Mode
To enable single player mode and have the computer join as the second player, there are two places I need to change.
First, on visiting “CREATE ROOM”, a cookie is set, which can be seen in the Chrome dev tools:
I’ll update that to true:
Looking at the JavaScript source, about 21 lines in (after letting Chrome beautify the one long line of JS), there’s this function:
spi = setInterval(function() {
single_player_mode && (clearInterval(spi),
player2_label.showMessage("P2: COMPUTER (On)"),
player2_power_button.anims.play("power_on"),
toastmessage.showMessage("Player 2 (COMPUTER) has joined!"),
player2_power_button.anims.pause())
}, 100);
Until spi is cleared, this function runs every 100 ms and checks a variable named single_player_mode.
At first I thought that would be set by the cookie, but even after refreshing the frame with the cookie set to true, it still showed as false (it is set at the start of the script, single_player_mode = !1). So I just set it in the dev tools console. It’s important to make sure the console is in the context of the frame after selecting “Create Room”:
Win the Game
Here’s a quick video of my hacking and winning the game:
Shellcode Primer
Hints
Chimney is now ready to talk shellcode:
You did it - rock on! We’re all set now that the sleigh is fueled!
So hey, let me talk to you a bit about manual exploitation.
If you run into any shellcode primers at the North Pole, be sure to read the directions and the comments in the shellcode source!
Also, troubleshooting shellcode can be difficult. Use the debugger step-by-step feature to watch values.
Lastly, be careful not to overwrite any register values you need to reference later on in your shellcode.
That’s it! I know you can do it!
He also unlocks three hints in the badge:
- If you run into any shellcode primers at the North Pole, be sure to read the directions and the comments in the shellcode source!
- Also, troubleshooting shellcode can be difficult. Use the debugger step-by-step feature to watch values.
- Lastly, be careful not to overwrite any register values you need to reference later on in your shellcode.
Challenge
Ruby Cyster is in Jack’s office on the 15th floor of Frost Tower, standing next to a computer terminal with the Shellcode Primer on it:
Hey, I’m Ruby Cyster. Don’t listen to anything my sister, Ingreta, says about me.
So I’m looking at this system, and it has me a little bit worried.
If I didn’t know better, I’d say someone here is learning how to hack North Pole systems.
Who’s got that kind of nerve!
Anyway, I hear some elf on the other roof knows a bit about this type of thing.
The terminal itself presents a walkthrough of how to build simple shellcode in assembly. In the end, I’ll need to write assembly that will print the contents of a file to stdout.
Solution
The steps of the primer slowly build to add more and more capability. Here’s my walkthrough:
The last step is to build shellcode that prints a file to the screen. Here’s my assembly:
; Get a reference to the filename string: call pushes the address of the next
; "instruction" (the string itself) onto the stack, and the pop below retrieves it
call oxdf
db '/var/northpolesecrets.txt',0
oxdf:
; Call sys_open (rax=2): rdi=filename, rsi=flags (0 = O_RDONLY), rdx=mode (unused)
pop rdi
mov rax, 2
mov rsi, 0
mov rdx, 0
syscall
; Call sys_read (rax=0) on the file handle returned in rax and read up to 1000 bytes onto the stack (RSP)
mov rdi, rax
mov rax, 0
mov rsi, rsp
mov rdx, 1000
syscall
; Call sys_write (rax=1) to write the contents from rsp to stdout (1); rdx = bytes read, returned by sys_read in rax
mov rdx, rax
mov rax, 1
mov rdi, 1
mov rsi, rsp
syscall
; Call sys_exit (rax=60)
mov rax, 60
syscall
On running that, it prints contents of the file:
Flag: cyber security knowledge
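The same open, read, write, exit sequence the shellcode above performs, written in C as an added example (not part of the primer or this writeup's original solution). It adds the checks the shellcode skips: every return value is tested, and the read loops until EOF instead of trusting a single 1000-byte read. The temp file and its contents are constructed stand-ins for /var/northpolesecrets.txt.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Copy the whole file at `path` to `out_fd`. Returns bytes written or -errno.
 * Each libc call is a thin wrapper around the syscall whose number the
 * shellcode loads into rax on x86-64: open=2, read=0, write=1, exit=60. */
long cat_file(const char *path, int out_fd)
{
    char buf[1000];                /* same length the shellcode puts in rdx */
    long total = 0;
    /* sys_open (rax=2): rdi=path, rsi=0 (O_RDONLY), rdx=0 */
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -errno;     /* the shellcode would use -errno as its fd */

    for (;;) {
        /* sys_read (rax=0): rdi=fd, rsi=buf, rdx=len; rax <- bytes read */
        ssize_t n = read(fd, buf, sizeof buf);
        if (n < 0) { int e = errno; close(fd); return -e; }
        if (n == 0) break;         /* EOF */
        /* sys_write (rax=1): rdi=1 (stdout), rsi=buf, rdx=bytes just read */
        for (ssize_t off = 0; off < n; ) {
            ssize_t w = write(out_fd, buf + off, n - off);
            if (w < 0) { int e = errno; close(fd); return -e; }
            off += w;
        }
        total += n;
    }
    close(fd);
    return total;
}

/* Round trip through a constructed temp file standing in for
 * /var/northpolesecrets.txt; returns the byte count cat_file reports. */
long demo_roundtrip(void)
{
    static const char secret[] = "constructed sample secret\n"; /* 26 bytes */
    char in_path[] = "/tmp/primer_in_XXXXXX", out_path[] = "/tmp/primer_out_XXXXXX";
    int in_fd = mkstemp(in_path), out_fd = mkstemp(out_path);
    if (in_fd < 0 || out_fd < 0) return -errno;
    if (write(in_fd, secret, sizeof secret - 1) != (ssize_t)(sizeof secret - 1)) return -EIO;
    close(in_fd);
    long copied = cat_file(in_path, out_fd);
    close(out_fd); unlink(in_path); unlink(out_path);
    return copied;
}

int main(void) { printf("copied %ld bytes\n", demo_roundtrip()); return 0; } /* sys_exit (rax=60) */
```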