STHACK 2024: Dofus challenges

This weekend, we participated in the French CTF competition "Sthack" in Bordeaux and placed 3rd. This is the writeup on how we solved most of the Dofus challenges.

The elite spell

When talking to "Way Hersharck" (Wireshark), we are told to forget the spell "Cwachat Acide", a spell that we don't even have:

On the custom server, there's a new NPC in the tavern that lets us forget a spell we have evolved. When we forget one we actually know, this is what the request looks like:

When we try with a different spell, we notice that only the number (here 169) changes. We assume that this number is the spell id and confirm it by looking up our spells in a Dofus database:

And when we look for the spell "Cwachat Acide", we get the id "1337" (👀).

The last thing needed to solve this challenge is to find a Dofus proxy (or write one ourselves) and send the request "SF1337".

I used this proxy and we got the flag!

A Baulte from the blue

The NPC "Yuchein Baulte" wants to race from the start of Incarnam to the end, but there's no apparent way to beat him, so we have to find a way to become really fast.

We searched for a long time until we understood that when you click somewhere on the map, the client sends the server a packet that contains the start cell and the end cell. Once the avatar has finished walking, the client sends another packet indicating that it finished the route (GKK0).

This has an obvious flaw: since it's the client telling the server that it has reached the end of the path, we can manually send requests telling the server that we're going somewhere and then instantly arrived. Once we understood this, the exploit was pretty straightforward: manually travel to the end of the race while noting each request made, then replay them in the proxy.

We added a custom command '.tp' with the hardcoded requests in the D1 proxy:

// Command, Proxy, ProxyClient and SendCommand are the D1 proxy's own classes
// (same package as the other commands); only Lombok's @Getter needs an import.
import lombok.Getter;

// ".tp" command: replays the recorded packets of the race route one after
// another, each GA move immediately followed by a GKK0 "arrived" packet.
public class TpCommand implements Command {

    @Getter
    private final String description = "[DEBUG] Envoie un packet";
    private final Proxy proxy;

    public TpCommand(Proxy proxy) {
        this.proxy = proxy;
    }

    @Override
    public void execute(ProxyClient proxyClient, String args) {
        // quick sanity message so we can see the command was triggered
        proxyClient.sendMessage("coucou");
        // reuse the proxy's generic "send raw packet" command
        var cmd = new SendCommand(proxy);

        // go to (0, 3): move packet, then tell the server we already arrived
        cmd.execute(proxyClient, "GA001cfsbg7ag9bhm");
        cmd.execute(proxyClient, "GKK0");

        // go to (1, 3)
        cmd.execute(proxyClient, "GA001ce7bgv");
        cmd.execute(proxyClient, "GKK0");

        // zaap to (6, 4): walk onto the zaap, then use it
        cmd.execute(proxyClient, "GA500214;114");
        cmd.execute(proxyClient, "WU10317");

        // go to (7, 4)
        cmd.execute(proxyClient, "GA001bdsadube9ae-");
        cmd.execute(proxyClient, "GKK0");

        // talk to the NPC at the finish line and answer his dialog
        cmd.execute(proxyClient, "DC-3");
        cmd.execute(proxyClient, "DR8102|8102");
    }
}

As you can see, we also replayed the zaap teleportation to avoid having to go through every map. Here's the result in video.
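Both challenges above come down to the same server-side mistake: the spell-forget packet is acted on without checking that the player knows the spell, and the end-of-move packet is trusted without checking that the walk could have happened. The following Python sketch is an added example of what the checks on the server side look like; it is not code from the challenge server or from the D1 proxy. Only the "SF", "GA" and "GKK0" prefixes come from the writeup; the simplified GA layout used here (`GA<start>;<end>` instead of the real encoded path), the map size and the walking speed are assumptions.

```python
"""Server-side checks for the two client-trust flaws in the writeup: the
spell-forget packet (SF<id>) and the move / end-of-move packets (GA... / GKK0).
Added example, not code from the challenge server or from the D1 proxy.
The GA layout ('GA<start>;<end>'), the map size and the walking speed are
assumptions; only the 'SF', 'GA' and 'GKK0' prefixes come from the writeup."""
from dataclasses import dataclass
from typing import Optional, Set, Tuple

MAP_WIDTH = 15          # assumed grid width used to turn a cell id into x, y
MAP_HEIGHT = 17         # assumed grid height
CELL_SECONDS = 0.5      # assumed minimum walking time per cell


class Rejected(Exception):
    """Raised for any packet the server refuses to act on."""


@dataclass
class Player:
    spells: Set[int]                                   # spell ids the player knows
    cell: int                                          # server-tracked position
    pending_move: Optional[Tuple[int, float]] = None   # (target cell, earliest arrival)


def handle_sf(player: Player, packet: str) -> int:
    """Forget a spell only if the player actually knows it.  The challenge
    server skipped this check, which is why 'SF1337' worked on a spell the
    player never had."""
    if not packet.startswith("SF"):
        raise Rejected("not a spell-forget packet")
    try:
        spell_id = int(packet[2:])
    except ValueError:
        raise Rejected("malformed spell id") from None
    if spell_id not in player.spells:
        raise Rejected(f"player does not know spell {spell_id}")
    player.spells.remove(spell_id)
    return spell_id


def walk_time(a: int, b: int) -> float:
    """Lower bound on the time needed to walk from cell a to cell b."""
    ay, ax = divmod(a, MAP_WIDTH)
    by, bx = divmod(b, MAP_WIDTH)
    return max(abs(ax - bx), abs(ay - by)) * CELL_SECONDS


def handle_ga(player: Player, packet: str, now: float) -> float:
    """Register a move request and return the earliest acceptable arrival."""
    if not packet.startswith("GA"):
        raise Rejected("not a move packet")
    try:
        start, end = (int(part) for part in packet[2:].split(";"))
    except ValueError:
        raise Rejected("malformed move packet") from None
    if start != player.cell:
        raise Rejected("client claims a start cell it is not on")
    if not 0 <= end < MAP_WIDTH * MAP_HEIGHT:
        raise Rejected("end cell outside the map")
    earliest = now + walk_time(start, end)
    player.pending_move = (end, earliest)
    return earliest


def handle_gkk0(player: Player, packet: str, now: float) -> int:
    """Accept the client's 'I arrived' only if a move is pending and enough
    time has passed for the walk; this is what the replayed GKK0 bypassed."""
    if packet != "GKK0":
        raise Rejected("not an end-of-move packet")
    if player.pending_move is None:
        raise Rejected("arrival reported with no move in progress")
    end, earliest = player.pending_move
    if now < earliest:
        raise Rejected(f"arrival reported {earliest - now:.2f}s too early")
    player.cell = end
    player.pending_move = None
    return end


if __name__ == "__main__":
    p = Player(spells={169, 170}, cell=0)
    print("forgot", handle_sf(p, "SF169"))
    try:
        handle_sf(p, "SF1337")
    except Rejected as e:
        print("rejected SF1337 ->", e)
    t0 = 1000.0
    handle_ga(p, "GA0;30", now=t0)            # 2 cells away: at least 1.0 s
    try:
        handle_gkk0(p, "GKK0", now=t0 + 0.2)  # the instant replay
    except Rejected as e:
        print("rejected GKK0 ->", e)
    print("arrived at", handle_gkk0(p, "GKK0", now=t0 + 1.5))
```

The timing check is the minimal fix: it keeps the client's GKK0 but refuses arrivals that are physically too early. A fully server-authoritative server would go one step further and compute the arrival itself from the path it validated, so that GKK0 carries no information at all.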

Very Ignorant Programmer

The description of the challenge told us to meet "Céline 'C' Emesse" (CMS) in Amakna (0,0). When we reached her (it's a long way), she tells us that she managed to become a VIP during registration without using kamas:

Looking at the site we used to register, it seems to be a real CMS used by the Dofus community:

We didn't find anything online about known vulnerabilities in the CMS, so we looked a bit more at the registration process and checked what request was sent:

username = "test"
password = "test"
password_conf = "test"
pseudo = "testtesttest"
email = "[email protected]"
quest = "test"
answ = "test"
vip = "0"
captcha = "DD4CC"
rule = "check[]"
register = "Inscription+!"

Manually setting 'vip' to 1 gave us the VIP role.
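What the CMS gets wrong is letting a form field decide a server-owned attribute (classic mass assignment). The Python below is an added example, not the CMS's code, showing the flawed pattern next to a hardened registration handler that builds the account from an allowlist of fields. The field names are the ones in the captured request; the CMS's storage layer and captcha mechanism are unknown, so the expected captcha value is passed in explicitly and the e-mail address is a placeholder.

```python
"""Vulnerable vs. hardened handling of the registration form from the writeup.
Added example; it is not the CMS's code.  Field names are the ones in the
captured request; the CMS's storage layer and captcha scheme are unknown, so
the expected captcha value is passed in explicitly."""
import hashlib
import os
from typing import Dict, List

# Fields the server accepts from the form.  'vip' is deliberately absent:
# it is a server-owned attribute that only a kama purchase should change.
ALLOWED_FIELDS = ("username", "pseudo", "email", "quest", "answ")


def register_vulnerable(form: Dict[str, str]) -> Dict[str, str]:
    """Reproduces the flaw: every posted field is copied into the account,
    so posting vip=1 overrides the default and grants VIP for free."""
    account = {"vip": "0"}
    account.update(form)
    return account


def validate(form: Dict[str, str], expected_captcha: str) -> List[str]:
    """Return a list of validation errors (empty when the form is acceptable)."""
    errors = []
    for name in ALLOWED_FIELDS + ("password", "password_conf", "captcha"):
        if not form.get(name):
            errors.append(f"missing {name}")
    if form.get("password") != form.get("password_conf"):
        errors.append("passwords differ")
    if form.get("captcha", "").upper() != expected_captcha.upper():
        errors.append("wrong captcha")
    if form.get("rule") != "check[]":
        errors.append("rules not accepted")
    return errors


def register_hardened(form: Dict[str, str], expected_captcha: str) -> Dict[str, object]:
    """Build the account row from an allowlist; unknown fields such as 'vip'
    are ignored, and the password is stored only as a salted PBKDF2 hash."""
    errors = validate(form, expected_captcha)
    if errors:
        raise ValueError("; ".join(errors))
    account: Dict[str, object] = {name: form[name] for name in ALLOWED_FIELDS}
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", form["password"].encode(), salt, 200_000)
    account["password_hash"] = f"{salt.hex()}:{digest.hex()}"
    account["vip"] = 0          # always starts at 0, whatever the client sent
    return account


# Constructed copy of the captured request, with 'vip' flipped to 1 as in the
# writeup.  The e-mail address is a placeholder.
TAMPERED_FORM = {
    "username": "test", "password": "test", "password_conf": "test",
    "pseudo": "testtesttest", "email": "test@example.com",
    "quest": "test", "answ": "test", "vip": "1", "captcha": "DD4CC",
    "rule": "check[]", "register": "Inscription+!",
}

if __name__ == "__main__":
    print("vulnerable vip:", register_vulnerable(TAMPERED_FORM)["vip"])        # 1
    print("hardened vip:  ", register_hardened(TAMPERED_FORM, "DD4CC")["vip"])  # 0
```

The allowlist is the important part: whatever the client posts, only the named fields reach the account row, and the VIP flag is set by the server after the purchase flow rather than read from the request.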