https://github.com/ruelalarcon/game_logic_exploits_ctf
Capture The Flag (CTF) challenges focused on exploiting game logic vulnerabilities
Last synced: 6 days ago
- Host: GitHub
- URL: https://github.com/ruelalarcon/game_logic_exploits_ctf
- Owner: ruelalarcon
- License: mit
- Created: 2025-02-23T14:20:33.000Z (over 1 year ago)
- Default Branch: main
- Last Pushed: 2025-08-26T20:20:48.000Z (10 months ago)
- Last Synced: 2025-09-09T06:40:56.304Z (10 months ago)
- Topics: ctf, cybersec, exploitation, game, logic, nodejs, webapp
- Language: JavaScript
- Homepage:
- Size: 56.6 KB
- Stars: 0
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE.txt
README
# Game Logic CTF Challenges
> Capture The Flag (CTF) challenges focused on exploiting game logic vulnerabilities:
>
> 1. **Card Trading Game**: A multiplayer card trading game where players need to obtain duplicate name cards to capture the flag. The challenge involves exploiting faulty logic in the card gifting system.
>
> 2. **Dice Guessing Game**: A dice prediction game where players need to correctly guess 10 rolls in a row. The challenge involves analyzing and predicting the output of a Linear Congruential Generator (LCG). This is most likely done via brute force, but it can also be done more intelligently using incremental modulo backtracking.
## Setup Requirements
- Docker
- Git
## Getting Started
### Clone the Repository
```bash
# Using HTTPS
git clone https://github.com/ruelalarcon/game_logic_exploits_ctf.git
cd game_logic_exploits_ctf
# Or using SSH
git clone git@github.com:ruelalarcon/game_logic_exploits_ctf.git
cd game_logic_exploits_ctf
```
### Environment Setup
Create a `.env` file in the root directory with the following variables:
```env
SESSION_SECRET=your_random_secret
DICEGAME_FLAG=your_flag_here
CARDGAME_FLAG=your_flag_here
```
### Deploy with Docker
Build and start the container:
```bash
docker compose up -d
```
The application will be available on port 3000 by default.
### Changing the Port (If Needed)
To run the application on a different port, modify the `ports` section in `docker-compose.yml`:
```yaml
services:
  app:
    # ... other configuration ...
    ports:
      - "8080:3000" # Change 8080 to your desired port
```
## Running the Solutions
The repository includes solution scripts for both challenges.
First, `cd` into the solutions directory:
```bash
cd solutions
```
These require Python 3.7+ and the following dependencies:
```bash
pip install -r requirements.txt
```
### Card Game Solution
```bash
python cardgame_solution.py
```
The script will:
1. Create two accounts
2. Exploit the race condition in the gifting system
3. Obtain duplicate name cards
4. Retrieve the flag
> Note: By default, this solution connects to `localhost:3000`. If you've changed the port or are running on a different host, modify the `HOST` and `PORT` variables in the script.
### Dice Game Solution
First, set the `history` array at the top of `dicegame_solution.py` to the dice rolls you have observed so far, in order.
```bash
python dicegame_solution.py
```
The script will:
1. Use the provided roll history to determine the RNG state
2. Calculate the next 10 rolls
3. Print the predictions for manual entry
## Nginx Configuration Requirements
If you're using Nginx as a reverse proxy, ensure your configuration includes WebSocket support:
```nginx
location / {
    proxy_pass http://localhost:3000; # Change port if needed
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host $host;
}
```
## Challenge Details
### Card Trading Game
- Players can trade cards with each other
- Each account gets a unique "name card" on registration
- The goal is to obtain two identical name cards
- The gift-handling code is provided to players as a hint
- Vulnerability: Race condition in the card gifting system
- Solution: Exploit the race condition by sending multiple gift requests during the artificial delay
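The race condition described above is a check-then-act bug: in a Node.js handler, an `await` between the ownership check and the transfer lets other requests for the same card run in between. The following is an added illustration, not code from this repository; it models the gifting system with in-memory accounts and a constructed delay, and puts the vulnerable handler beside a hardened one that checks and transfers in a single synchronous step. Account names and the card name are constructed sample data.

```javascript
// Added illustration (not code from the game_logic_exploits_ctf repository):
// a check-then-act gift handler that awaits an artificial delay between the
// ownership check and the transfer, beside a version that does both in one
// synchronous step. Account and card names are constructed sample data.

function makeAccounts() {
  // Each account starts with its own unique name card, as in the challenge.
  return {
    alice: { inventory: ["alice"] },
    bob: { inventory: ["bob"] },
  };
}

// Stand-in for the challenge's artificial delay (e.g. a slow database write).
const delay = () => new Promise((resolve) => setImmediate(resolve));

// VULNERABLE: the ownership check and the transfer are separated by an await,
// so the event loop can run other gift requests in between (TOCTOU). Every
// request sees the card as still owned, and every one of them delivers it.
async function giftVulnerable(accounts, from, to, card) {
  if (!accounts[from].inventory.includes(card)) return false; // check
  await delay();                                               // yield point
  const i = accounts[from].inventory.indexOf(card);            // act
  if (i >= 0) accounts[from].inventory.splice(i, 1);
  accounts[to].inventory.push(card);
  return true;
}

// HARDENED: check and transfer happen synchronously before any await, so a
// second request for the same card finds it already gone. Across processes
// or a shared database the equivalent is a transaction or a conditional
// update ("move the card only if it is still owned by `from`").
async function giftSafe(accounts, from, to, card) {
  const i = accounts[from].inventory.indexOf(card);
  if (i < 0) return false;
  accounts[from].inventory.splice(i, 1);
  accounts[to].inventory.push(card);
  await delay(); // any slow work now happens after the state change
  return true;
}

// Fire `requests` concurrent gift requests for the same card and report how
// many copies the recipient ends up holding.
async function runGiftRace(gift, requests = 3) {
  const accounts = makeAccounts();
  await Promise.all(
    Array.from({ length: requests }, () =>
      gift(accounts, "alice", "bob", "alice")
    )
  );
  return accounts.bob.inventory.filter((c) => c === "alice").length;
}

async function main() {
  console.log("vulnerable handler, copies received:", await runGiftRace(giftVulnerable)); // 3
  console.log("hardened handler,   copies received:", await runGiftRace(giftSafe));       // 1
}
main();
```

The detection cue for a code reviewer is any `await` (or callback boundary) sitting between a state check and the mutation that depends on it; the fix is to collapse the two into one synchronous step or to make the store enforce the condition atomically.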
### Dice Guessing Game
- Players must correctly guess 10 dice rolls in a row
- The game uses a Linear Congruential Generator (LCG) for randomness
- The RNG implementation is "accidentally" leaked
- Vulnerability: Predictable random number generation
- Solution: Analyze the roll history to determine the LCG state and predict future rolls
## Notes
This was designed by Ruel Nathaniel Alarcon for the USASK Cybersecurity Club's meeting/presentation on Advanced Game Exploitation.