Monday, November 25, 2024

SANS: Holiday Hack 2024: Act 2: Snowball Showdown

Snowball Showdown

Silver Medal

This challenge is in Act 2, The Front Yard, near Dusty Giftwrap.  

Hi there! I'm Dusty Giftwrap, back from the battlefield! I'm mostly here for the snowball fights!

But I also don't want Santa angry at us, you wouldn't like him when he's angry. His face becomes as red as his hat! So I guess I'm rooting for Alabaster.

Alabaster Snowball seems to be having quite a pickle with Wombley Cube. We need your wizardry.

Take down Wombley the usual way with a friend, or try a different strategy by tweaking client-side values for an extra edge.

Alternatively, we've got a secret weapon - a giant snow bomb - but we can't remember where we put it or how to launch it.

Adjust the right elements and victory for Alabaster can be secured with more subtlety. Intriguing, right?

Raring to go? Terrific! Here's a real brain tickler. Navigator of chaos or maestro of subtlety, which will you be? Either way, remember our objective: bring victory to Alabaster.

Confidence! Wit! We've got what it takes. Team up with a friend or find a way to go solo - no matter how, let's end this conflict and take down Wombley!


Click on the "We Want You" sign to see the game.  It's a snowball fight.  The goal is to hit Wombley more times than he hits Alabaster Snowball.

https://hhc24-snowballshowdown.holidayhackchallenge.com/?&challenge=termSnowballShowdown

This game can be played either with friends or alone.  When the game is first launched, it's in multi-player mode.  Clicking on "Join a private room" brings up more source code.  Keep in mind that viewing information in different browser tools may make the source code look different.

In Chrome, under Sources, there's a page that has: game.html?username=<Your user name>&roomId=<your room time>&roomType=private&id=<your id>… as the file name.

It shows this source regarding single player mode:

    var singlePlayer = "false"
    function checkAndUpdateSinglePlayer() {
      // A value stored in localStorage is applied first...
      const localStorageValue = localStorage.getItem('singlePlayer');
      if (localStorageValue === 'true' || localStorageValue === 'false') {
        singlePlayer = String(localStorageValue === 'true');
      }
      // ...then a singlePlayer URL parameter, if present, overrides it.
      const urlParams = new URLSearchParams(window.location.search);
      const urlValue = urlParams.get('singlePlayer');
      if (urlValue === 'true' || urlValue === 'false') {
        singlePlayer = String(urlValue === 'true');
      }
    }

It looks like singlePlayer mode can be set in the URL like this:

https://hhc24-snowballshowdown.holidayhackchallenge.com/game.html?username=<Your Player Name>&roomId=<room id that was created>&roomType=private&singlePlayer=true

Good, now the game can be tinkered with without waiting for other players or disturbing them.

In the source file phaser-snowball-game.js, there are many parameters that can be tinkered with to give the player the advantage.

hhc24-snowballshowdown.holidayhackchallenge.com/js/phaser-snowball-game.js

Chrome or Firefox Developer Tools, or Burp could be useful for this challenge.  Overrides can be defined in Chrome or Firefox to load the local copy of a source instead of a remote copy.  That local copy can be manipulated.

Example:

Imagine changing the amount of time the elves are incapacitated (i.e., frozen), changing the blast radius so that snowballs hit larger areas, manipulating throw speed and rate, etc.

Unfortunately, only manipulating the settings in this script doesn't seem to earn silver.

Watching the traffic in flight and manipulating WebSocket traffic seemed to do the trick.

The screen shows a "HACKER DETECTED" message when the player is doing something that will cause a win condition for silver.

mainScene.ws.sendMessage({"type":"snowballp","x":525,"y":918.5343627929688,"owner":"<player id generated in game>","isWomb":false,"blastRadius":200,"velocityX":957.5500105745144,"velocityY":-142.96013007093308,"id":285})

This changes the blast radius from 24 to 200 for the player and can be useful if the player aims at the same spot on the screen (i.e., has the line on top of where Wombley could be).  Manipulating phaser-snowball-game.js to have non-healing terrain and aiming straight for Wombley while repeatedly running the WebSocket message above tends to do an OK job of helping the elves win.

Change this.healingTerrain = true; to this.healingTerrain = false;

There are likely more efficient, elegant ways to win, but it was enough to get a silver medal.

Gold Medal

Gold was considerably easier to get.  Dusty Giftwrap mentions finding a weapon.

Alternatively, we've got a secret weapon - a giant snow bomb - but we can't remember where we put it or how to launch it.

Searching the source code for "bomb" turns up many references to the bomb.  Considering we used WebSockets to get silver, it's a safe bet to look in the WebSocket source.  In reconnecting-socket.min.js, there are a few references to bomber that look interesting, like this one:

mainScene.bomberContainer = mainScene.add.container(400, 300),

What's happening above this?

It talks about a moasb.  How do we call this?

Looking at other references, it says this:

mainScene.ws.sendMessage({type: 'moasb', launch_code: '85e8e9729e2437c9d7d6addca68abb9f'})

Running this alone doesn't seem to be enough to get gold, but it does give an idea of the format.

mainScene.ws.sendMessage({type:'moasb'})

It doesn't seem to matter whether it's called correctly - the bomber is still spawned in, which causes 999 hits against Wombley and automatically wins the game.

Gold Medal Achieved.
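Both medals come down to the server acting on values the client sends. As an added example (not code from the game or from this write-up), here is a server-side check that rebuilds each throw from server-held state and refuses moasb without a matching secret. The session shape, the speed and rate limits, and the launch-code handling are assumptions; only the default blast radius of 24 comes from the page.

```javascript
// Added example: server-side handling of the two message types from this page.
// Only the default blast radius (24) is from the page; other limits are assumed.
const LIMITS = { blastRadius: 24, maxSpeed: 1200, minThrowIntervalMs: 250 };

const reject = (reason) => ({ ok: false, reason });

// Constant-time comparison so a wrong launch code leaks nothing through timing.
function safeEqual(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string' || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// session is server-held state for one socket (hypothetical shape):
// { playerId, isWomb, launchCode, lastThrowAt }
function validateMessage(session, msg, now) {
  if (typeof msg !== 'object' || msg === null) return reject('malformed');
  switch (msg.type) {
    case 'snowballp': {
      if (msg.owner !== session.playerId) return reject('owner mismatch');
      const { x, y, velocityX, velocityY } = msg;
      if (![x, y, velocityX, velocityY].every(Number.isFinite)) return reject('bad number');
      if (Math.hypot(velocityX, velocityY) > LIMITS.maxSpeed) return reject('too fast');
      if (now - (session.lastThrowAt ?? -Infinity) < LIMITS.minThrowIntervalMs) {
        return reject('throw rate exceeded');
      }
      session.lastThrowAt = now;
      // Rebuild the event from server state; client blastRadius/isWomb are ignored.
      const event = { type: 'snowballp', x, y, velocityX, velocityY,
        owner: session.playerId, isWomb: session.isWomb, blastRadius: LIMITS.blastRadius };
      const tampered = msg.blastRadius !== LIMITS.blastRadius || msg.isWomb !== session.isWomb;
      return { ok: true, event, tampered };
    }
    case 'moasb':
      // The secret lives only on the server and is never shipped in client JS.
      if (!safeEqual(msg.launch_code, session.launchCode)) return reject('bad launch code');
      return { ok: true, event: { type: 'moasb' }, tampered: false };
    default:
      return reject('unknown type');
  }
}

// Constructed sample: the throw from the page with blastRadius raised to 200.
const demoSession = { playerId: 'player-1', isWomb: false, launchCode: 'constructed-secret' };
const demoThrow = { type: 'snowballp', x: 525, y: 918.53, owner: 'player-1', isWomb: false,
  blastRadius: 200, velocityX: 957.55, velocityY: -142.96, id: 285 };
console.log(validateMessage(demoSession, demoThrow, Date.now()));
console.log(validateMessage(demoSession, { type: 'moasb' }, Date.now()));
```

The tampered flag is what a detection rule would log or alert on, while the rebuilt event keeps the altered value from ever reaching game state.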









