ruelalarcon/game_logic_exploits_ctf

Game Logic CTF Challenges

Capture The Flag (CTF) challenges focused on exploiting game logic vulnerabilities:

  1. Card Trading Game: A multiplayer card trading game where players need to obtain duplicate name cards to capture the flag. The challenge involves exploiting faulty logic in the card gifting system.

  2. Dice Guessing Game: A dice prediction game where players need to correctly guess 10 rolls in a row. The challenge involves analyzing and predicting the output of a Linear Congruential Generator (LCG). This is most likely solved via brute force, but it can also be done intelligently using incremental modulo backtracking.

Setup Requirements

  • Docker
  • Git

Getting Started

Clone the Repository

# Using HTTPS
git clone https://github.com/ruelalarcon/game_logic_exploits_ctf.git
cd game_logic_exploits_ctf

# Or using SSH
git clone git@github.com:ruelalarcon/game_logic_exploits_ctf.git
cd game_logic_exploits_ctf

Environment Setup

Create a .env file in the root directory with the following variables:

SESSION_SECRET=your_random_secret
DICEGAME_FLAG=your_flag_here
CARDGAME_FLAG=your_flag_here

Deploy with Docker

Build and start the container:

docker compose up -d

The application will be available on port 3000 by default.

Changing the Port (If Needed)

To run the application on a different port, modify the ports section in docker-compose.yml:

services:
  app:
    # ... other configuration ...
    ports:
      - "8080:3000"  # Change 8080 to your desired port

Running the Solutions

The repository includes solution scripts for both challenges.

First, cd into the solutions directory:

cd solutions

These require Python 3.7+ and the following dependencies:

pip install -r requirements.txt

Card Game Solution

python cardgame_solution.py

The script will:

  1. Create two accounts
  2. Exploit the race condition in the gifting system
  3. Obtain duplicate name cards
  4. Retrieve the flag

Note: By default, this solution connects to localhost:3000. If you've changed the port or are running on a different host, modify the HOST and PORT variables in the script.

Dice Game Solution

First, change the "history" array at the top of the file to your dice roll history array.

python dicegame_solution.py

The script will:

  1. Use the provided roll history to determine the RNG state
  2. Calculate the next 10 rolls
  3. Print the predictions for manual entry

Nginx Configuration Requirements

If you're using Nginx as a reverse proxy, ensure your configuration includes WebSocket support:

location / {
    proxy_pass http://localhost:3000;  # Change port if needed
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host $host;
}

Challenge Details

Card Trading Game

  • Players can trade cards with each other
  • Each account gets a unique "name card" on registration
  • The goal is to obtain two identical name cards
  • The gift handling is given as a hint
  • Vulnerability: Race condition in the card gifting system
  • Solution: Exploit the race condition by sending multiple gift requests during the artificial delay
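
The race described in this list, next to a handler that closes it, as an added sketch that is not the repository's code. The in-memory inventory, the function names, the sample card and the 10 ms sleep standing in for the artificial delay are all assumptions.

```python
import asyncio

DELAY = 0.01  # assumed stand-in for the handler's artificial delay
CARD = "alice-name-card"  # constructed sample data


async def gift_vulnerable(inv, sender, receiver, card):
    # Check-then-act: ownership is verified, then the handler yields.
    if card not in inv[sender]:
        return False
    await asyncio.sleep(DELAY)  # requests arriving now pass the same check
    inv[receiver].append(card)
    if card in inv[sender]:
        inv[sender].remove(card)
    return True


async def gift_hardened(inv, sender, receiver, card):
    # Check and claim in one step, with no await in between.
    try:
        inv[sender].remove(card)
    except ValueError:
        return False  # card already claimed by an earlier request
    try:
        await asyncio.sleep(DELAY)
        inv[receiver].append(card)
    except BaseException:
        inv[sender].append(card)  # roll back so the card is never lost
        raise
    return True


async def _run(gift, requests):
    inv = {"alice": [CARD], "bob": []}
    accepted = await asyncio.gather(
        *(gift(inv, "alice", "bob", CARD) for _ in range(requests))
    )
    return len(inv["bob"]), len(inv["alice"]), sum(accepted)


def simulate(gift, requests=2):
    """Return (copies held by receiver, copies left with sender, accepted gifts)."""
    return asyncio.run(_run(gift, requests))


if __name__ == "__main__":
    print("vulnerable:", simulate(gift_vulnerable))  # (2, 0, 2)
    print("hardened:  ", simulate(gift_hardened))    # (1, 0, 1)
```

In a database-backed service the equivalent of the hardened handler is a transaction or a conditional update that only succeeds while the sender still owns the card.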

Dice Guessing Game

  • Players must correctly guess 10 dice rolls in a row
  • The game uses a Linear Congruential Generator (LCG) for randomness
  • The RNG implementation is "accidentally" leaked
  • Vulnerability: Predictable random number generation
  • Solution: Analyze the roll history to determine the LCG state and predict future rolls

Notes

This was designed by Ruel Nathaniel Alarcon for the USASK Cybersecurity Club's meeting/presentation on Advanced Game Exploitation.
