Recon
What we’ll be going over in this post is external recon of the game. What I mean by external recon is just getting and overview of how the game is working without going in detail and finding entry points for exploiting.
In the Previous Post
We set up the game server and game client for both windows and linux in the previous post. One error that you might face which I faced was libssl
and libcrypto
was missing the game currently uses an older version of this library and I had to install it separately. link
Libraries
Lets start first by looking the dynamic libraries linked with the game binary through the ld
command. We see many common libraries which are being used. There is libpthread
which is used for threading. There is a custom libGameLogic
library which might be useful. Using the file command on libGameLogic
we see - The file has debug information which makes our life a lot easier. Looking at the other libraries we see libcrypto
and libssl
which might be used for encryption and TLS.
Process Overview
Let’s look at the process in Linux. Each process has a pid
(process id). Lets see the process in pstree
to see its child process and threads.
Here we see all of the threads and their pids as well all of these components must be handling some sort of functionality.
/proc/pid
The /proc
is a a special directory which contains information about running processes. First we’ll grab the pid through the command -
1
ps aux | grep -i pwn
Then change the directory to /proc/pid
you’ll see something like this in the directory. Here the files represent different information about the process. E.g cmdline
shows the cmdline arguments for running the process, maps
show the virtual memory mapping of different libraries,stack,heap etc,the fd
folder has info about the open file descriptors,environ
has information about the environment variables. Upon inspecting the fd directory we see that there are standard file descriptors open like STDIN
,STDOUT
,STDERR
etc and also file descriptors for packed textures and models.
Network
Lets check the network side of things with the command -
1
netstat -ac | grep "pwn"
We see that there are 2 repeating connections to master.pwn3:3333
and master.pwn3:3000
where the second connection is essentially to game.pwn3:3000
as its connecting to the game server and thats the hostname we gave it.
Master Server
Lets see the packets sent to the master server when the game starts. So we’ll check the packets sent to port 3333 on wireshark. We see TLS as the protocol which must have been used for the certificate for secure communication between the master server and our client. We see strings like ghostintheshellcode which is the name of the organizer.
Game Server
Lets see the packets sent to the game server on port 3000 for me. We constantly see packets being exchanged between the server. There are 2 things to see.
First, When we move we see a special string mv
in the packets.
Second, When we jump we see a special string jmp
in the packets.