Back to Blog

The Maze - CyberChallenge.IT 2021

Game logic analysis and execution flow manipulation

April 14, 2022 writeup
pwnrevcyberchallenge2021logic-puzzle

Challenge Information

The Maze - GOTY edition

This fabulous "Game Of The Year" edition contains all the levels, characters and DLCs of the acclaimed game "The Maze".

"The Maze" is a text-based game where you play as Ampersand, the iconic hero that should avoid all the monsters (that's easy, actually: there are none) and find the precious treasure.

Of course, as a CTF player, you don't really care about the treasure, do you? Yes, you want a flag, that's clear. There are no flags in the maze, though. You should probably find a way to escape...

MD5: 07785b37292c80ee1de683913fb43384 the_maze

Remote: nc maze.challs.cyberchallenge.it 9404

Download binary: the_maze

The Maze Layout

+-+
|&|  <--- Start
| |
| +-----------------------------+
|                   X X X       |
| XXXXXXX X XXXXX X X X XXX XXXX|
|       X X     X X     X   X   |
| XXXXX X X XXX XXXXX X X X X XX|
|   X X X X X       X X   X     |
| XXX XXXXX XXXXXXXXXXXXXXXXX XX|
|       X X                 X X |
|XX X XXX XXXXX X XXX X X XXXXX |
|   X         X X   X X X       |
|XXXXXX XXX X X X XXX XXXXXXXXXX|
| X       X X X X   X           |
| XXX X XXXXXXXXX XXX XXX XXX X |
|     X         X X   X X   X X |
|XX X X X XXX XXXXXXXXX X XXXXX +----------+
|   X X X X         X         X   Treasure |
+------------------------------------------+

Solution

This challenge is a maze game, you have to go from the start to the treasure to win, but we care about the flag, so I started reading the decompiled code and I easily spotted a system("cat flag.txt").

I checked if there was a buffer overflow, and there is a fgets which writes 4096 bytes on a small buffer, but we can't use it to control the execution. Besides, checksec showed: 

    Arch:     amd64-64-little
    RELRO:    Full RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      PIE enabled
    FORTIFY:  Enabled

so we couldn't overwrite the return address anyway without bypassing the canary, which we can't leak.

The next thing I checked was if we could manage to execute system("cat flag.txt"), and the only way this is possible is by playing the game and passing all the checks until that instruction.

The most difficult check is v4==4, and to pass it we have to go right 16 times (to set v2 to 17) and down 5 times (to set v3 to 6), but some movements are blocked by the walls and the only combination possible is: "ddd"+"r"*16+"dd".

After understanding this we simply have to increment v4 from 1 to 4, and some checks specifically do this:

After doing so we simply send a newline (0x10) and the binary will print us the flag.

Exploit Script

Key Concepts

  • Reverse Engineering: Using disassemblers to understand program logic
  • Game Logic Analysis: Understanding how game state variables work
  • Constraint Solving: Finding valid paths through the maze with multiple constraints
  • Static Analysis: Identifying hidden functionality through code review