forbytten blogs

Stop Drop and Roll Writeup - Cyber Apocalypse 2024


1 Introduction

This writeup covers the Stop Drop and Roll Misc challenge from the Hack The Box Cyber Apocalypse 2024 CTF, which was rated as having a ‘very easy’ difficulty. Similar to the Character challenge, the challenge involved automation to interface with a TCP service but was slightly more complex.

The description of the challenge is shown below.

Stop Drop and Roll challenge description

2 Key Techniques

The key techniques employed in this writeup are:

3 The rules of the game

Upon connecting to the endpoint using nc, the response indicated the instructions for playing a game:

===== THE FRAY: THE VIDEO GAME =====
Welcome!
This video game is very simple
You are a competitor in The Fray, running the GAUNTLET
I will give you one of three scenarios: GORGE, PHREAK or FIRE
You have to tell me if I need to STOP, DROP or ROLL
If I tell you there's a GORGE, you send back STOP\n"
If I tell you there's a PHREAK, you send back DROP\n"
If I tell you there's a FIRE, you send back ROLL\n"
Sometimes, I will send back more than one! Like this:
GORGE, FIRE, PHREAK
In this case, you need to send back STOP-ROLL-DROP!
Are you ready? (y/n)

4 Automating gameplay

An exploit.py Python script was written using pwntools to automate interaction with the game. Please see the inline comments.

 #!/usr/bin/python3
 # Depends on pwntools. In kali, install via:
 #    sudo apt install python3-pwntools
 # Configure: change the IP address passed to the remote function.
 # Run:  python3 exploit.py

 # Library
 from pwn import *

 # Enable debug so that all received data is printed.
 context.log_level = 'debug'

 # Open connection to a remote process.
 r = remote('83.136.255.205', 41685)

 # When prompted, enter 'y'.
 r.recvuntil(b'Are you ready? (y/n) ')
 r.sendline(b'y')

 # Function that will map a scenario to STOP, DROP or ROLL
 def mapit(scenario):
     if scenario == b'GORGE':
         return b'STOP'
     if scenario == b'PHREAK':
         return b'DROP'
     if scenario == b'FIRE':
         return b'ROLL'

 # Keep looping forever. Alternatively, we could have explicitly looped until the flag is received.
 while True:
     # Keep reading lines until a line is received containing at least one of GORGE, PHREAK or FIRE.
     # The str arguments trigger the BytesWarning seen in the output in section 5; bytes literals such as b'GORGE' avoid it.
     scenarios = r.recvline_contains(('GORGE','PHREAK','FIRE'))
     log.debug(f"scenarios: {scenarios}")

     # Keep reading bytes until the given prompt.
     r.recvuntil(b'What do you do? ')

     # Split the received scenarios by comma.
     items = scenarios.split(b', ')

     # Map each scenario to one of STOP, DROP or ROLL
     instructions = map(mapit, items)

     # Join the instructions together, separated by a dash
     response = b'-'.join(instructions)

     # Send the response
     r.sendline(response)
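
The script's comment mentions looping explicitly until the flag is received instead of looping forever. The following added example (not the author's script) shows that variant using only the standard library, so it runs offline against a constructed mock of the game. The names `answer`, `play`, `mock_game` and `demo`, the mock's behaviour on a wrong answer, and the flag value are assumptions made for the example.

```python
import re
import socket
import threading

MOVES = {b"GORGE": b"STOP", b"PHREAK": b"DROP", b"FIRE": b"ROLL"}
FLAG_RE = re.compile(rb"HTB\{[^}]*\}")  # flag shape as seen in the section 5 output

def answer(line: bytes) -> bytes:
    """b'GORGE, FIRE' -> b'STOP-ROLL'; an unknown scenario raises KeyError."""
    return b"-".join(MOVES[tok.strip()] for tok in line.split(b","))

def play(sock: socket.socket) -> bytes:
    """Answer every round and return the flag as soon as it appears."""
    buf = b""
    while True:
        data = sock.recv(4096)
        if not data:
            raise EOFError("connection closed before a flag was seen")
        buf += data  # prompts have no trailing newline, so match on the buffer tail
        if (found := FLAG_RE.search(buf)):
            return found.group(0)
        if buf.endswith(b"(y/n) "):
            sock.sendall(b"y\n")
            buf = b""
        elif buf.endswith(b"What do you do? "):
            # The scenario line is the one just before the prompt.
            sock.sendall(answer(buf.splitlines()[-2]) + b"\n")
            buf = b""

def mock_game(conn, rounds, flag):
    """Constructed stand-in for the service; hangs up on a wrong answer."""
    with conn, conn.makefile("rb") as f:
        conn.sendall(b"Are you ready? (y/n) ")
        f.readline()
        for scenario, expected in rounds:
            conn.sendall(scenario + b"\nWhat do you do? ")
            if f.readline().strip() != expected:
                return
        conn.sendall(b"Fantastic work! The flag is " + flag + b"\n")

def demo() -> bytes:
    client, server = socket.socketpair()  # local pair, no network involved
    rounds = [(b"FIRE, PHREAK, PHREAK", b"ROLL-DROP-DROP"), (b"GORGE", b"STOP")]
    worker = threading.Thread(target=mock_game, args=(server, rounds, b"HTB{constructed_flag}"))
    worker.start()
    try:
        return play(client)
    finally:
        client.close()
        worker.join()
```

Calling `demo()` returns the constructed flag. Because `play` matches on the tail of the accumulated buffer, it still works when a prompt arrives split across several TCP reads.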

5 Obtaining the flag

exploit.py was run and eventually the flag was printed:

[4123][REDACTED/stop-drop-and-roll]
$ python3 exploit.py

[+] Opening connection to 83.136.255.205 on port 41685: Done
[DEBUG] Received 0x220 bytes:
    b'===== THE FRAY: THE VIDEO GAME =====\n'
    b'Welcome!\n'
    b'This video game is very simple\n'
    b'You are a competitor in The Fray, running the GAUNTLET\n'
    b'I will give you one of three scenarios: GORGE, PHREAK or FIRE\n'
    b'You have to tell me if I need to STOP, DROP or ROLL\n'
    b"If I tell you there's a GORGE, you send back STOP\n"
    b"If I tell you there's a PHREAK, you send back DROP\n"
    b"If I tell you there's a FIRE, you send back ROLL\n"
    b'Sometimes, I will send back more than one! Like this: \n'
    b'GORGE, FIRE, PHREAK\n'
    b'In this case, you need to send back STOP-ROLL-DROP!\n'
    b'Are you ready? (y/n) '
[DEBUG] Sent 0x2 bytes:
    b'y\n'
REDACTED/stop-drop-and-roll/exploit.py:35: BytesWarning: Text is not bytes; assuming ASCII, no guarantees. See https://docs.pwntools.com/#bytes
  scenarios = r.recvline_contains(('GORGE','PHREAK','FIRE'))
[DEBUG] Received 0x38 bytes:
    b"Ok then! Let's go!\n"
    b'FIRE, PHREAK, PHREAK\n'
    b'What do you do? '
[DEBUG] scenarios: b'FIRE, PHREAK, PHREAK'
[DEBUG] Sent 0xf bytes:
    b'ROLL-DROP-DROP\n'
[DEBUG] Received 0x1e bytes:
    b'GORGE, PHREAK\n'
    b'What do you do? '
[DEBUG] scenarios: b'GORGE, PHREAK'
[DEBUG] Sent 0xa bytes:
    b'STOP-DROP\n'
[DEBUG] Received 0x16 bytes:
    b'GORGE\n'
    b'What do you do? '
<snip/>
[DEBUG] scenarios: b'GORGE, GORGE, PHREAK'
[DEBUG] Sent 0xf bytes:
    b'STOP-STOP-DROP\n'
[DEBUG] Received 0x2b bytes:
    b'PHREAK, FIRE, PHREAK, FIRE\n'
    b'What do you do? '
[DEBUG] scenarios: b'PHREAK, FIRE, PHREAK, FIRE'
[DEBUG] Sent 0x14 bytes:
    b'DROP-ROLL-DROP-ROLL\n'
[DEBUG] Received 0x47 bytes:
    b'Fantastic work! The flag is HTB{1_wiLl_sT0p_dR0p_4nD_r0Ll_mY_w4Y_oUt!}\n'

6 Conclusion

The flag was submitted and the challenge was marked as pwned.
