
ART/ARF Challenge #1 - DOOMSCROLL

This challenge can be found when the trio has to enter the "Quest for Doomscroll" skinscape.

The Setup

Eli and Wheeler have found this game in the restaurant.

It looks impossible to win at first but maybe you can get through the portal with some freebooting...

You can also run it locally on your system:

We are given a link to a web-based build of the game, as well as zipped native builds for macOS, Windows and Linux (macos.zip, windows.zip and linux.zip).

The Cheat

The game is a small dungeon crawler: you walk around, hit the space bar to defeat monsters and pick up gold coins.

A portal asks you for 1000 points. There is one gold coin on the ground, worth one point, and five monsters spawn around you when you start. You can defeat a monster at close range by hitting the space bar; each one drops a gold coin, worth one point.

After some playing around, I figured out that points do not reset when you die, so in theory you could collect 5 points, let the last monster kill you, and repeat that about 200 times until you reach 1000 points. I have not tried this and would not recommend it. There is a better way.

Taking a look at the Network tab of my browser's Web Developer Tools, I can see that reloading the page fetches three files: a .js, a .wasm and a .pck. That is the standard layout of a Godot HTML5 export. The JavaScript is the loader that tells the browser how to fetch and instantiate the other two. The .wasm is the WebAssembly build of the engine plus the game logic (what happens when I press a button). The .pck is Godot's resource pack: scenes, scripts and assets such as images, constants and text, stored as a simple directory followed by the raw file bytes. It is neither compressed nor, unless the export enables PCK encryption, encrypted, which is why plain text inside it is visible to strings.

Right-click each request, choose "Save Response As" and save the file. Now let's run our trusty friend strings on all three:

$ strings doomscroll-quest.js | grep KEY{

$ strings doomscroll-quest.wasm | grep KEY{

$ strings doomscroll-quest.pck | grep KEY{
KEY{something}

Whoop whoop, the flag was successfully freebooted! Only the .pck matched, which makes sense: the flag is a resource shipped with the game, not something computed by the code in the .wasm.

Another, somewhat more cumbersome, way to get the flag is gdsdecomp, a reverse engineering tool for Godot projects. After extracting the project from the .pck file with it, you can find the flag in the scenes/flag.tscn file.
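To show why strings works on the .pck and, unlike strings, which resource the match came from, here is a small parser for the Godot pack format. It is an added example for this write-up, not code from the challenge or from gdsdecomp. The header layout is my reading of Godot's core/io/file_access_pack.cpp (pack format 1 is Godot 3.x, format 2 is Godot 4.x) and is an assumption about how the challenge was built; it expects a standalone .pck rather than one embedded at the end of an executable. The sample pack it falls back to is constructed in the script, and its flag value is a placeholder.

```python
#!/usr/bin/env python3
"""List a Godot .pck and report which packed file contains the flag.

Added example for this write-up (not the challenge's or gdsdecomp's code).
Layout follows my reading of Godot's core/io/file_access_pack.cpp: pack format
1 is Godot 3.x, format 2 is Godot 4.x. Assumes a standalone .pck, not one
embedded at the end of an executable. The sample pack is constructed below.
"""
import hashlib
import re
import struct
import sys

PCK_MAGIC = 0x43504447  # "GDPC" read as a little-endian uint32
FLAG_RE = re.compile(rb"KEY\{[^}]*\}")


def read_directory(data: bytes):
    """Return [(path, absolute_offset, size)] for every file in the pack."""
    magic, version = struct.unpack_from("<II", data, 0)
    if magic != PCK_MAGIC:
        raise ValueError("not a Godot pack: bad GDPC magic")
    pos, file_base = 20, 0  # skip magic, format, engine major/minor/patch
    if version == 2:
        # Godot 4 adds pack flags and a base that entry offsets are relative to.
        pack_flags, file_base = struct.unpack_from("<IQ", data, pos)
        pos += 12
        if pack_flags & 1:
            raise ValueError("encrypted directory: strings will find nothing useful")
    elif version != 1:
        raise ValueError(f"unsupported pack format {version}")
    pos += 64  # 16 reserved uint32s
    (count,) = struct.unpack_from("<I", data, pos)
    pos += 4
    entries = []
    for _ in range(count):
        (path_len,) = struct.unpack_from("<I", data, pos)  # length incl. NUL pad to 4
        path = data[pos + 4:pos + 4 + path_len].rstrip(b"\0").decode("utf-8")
        pos += 4 + path_len
        offset, size = struct.unpack_from("<QQ", data, pos)
        pos += 16 + 16  # offset, size, then the file's 16-byte MD5
        if version == 2:
            pos += 4  # per-file flags (bit 0 = encrypted file)
        entries.append((path, file_base + offset, size))
    return entries


def find_flags(data: bytes):
    """Scan each packed file for KEY{...} and attribute every hit to its path."""
    return [(path, m.group().decode("utf-8", "replace"))
            for path, offset, size in read_directory(data)
            for m in FLAG_RE.finditer(data[offset:offset + size])]


def make_sample_pck(version: int, files: dict) -> bytes:
    """Build a minimal pack in the layout read_directory() parses (test data)."""
    padded = {}
    for p in files:
        pb = p.encode("utf-8")
        padded[p] = pb + b"\0" * (-len(pb) % 4)
    per_entry = 4 + 8 + 8 + 16 + (4 if version == 2 else 0)
    dir_len = (20 + (12 if version == 2 else 0) + 64 + 4
               + sum(per_entry + len(pp) for pp in padded.values()))
    out = struct.pack("<5I", PCK_MAGIC, version, 4 if version == 2 else 3, 0, 0)
    if version == 2:
        out += struct.pack("<IQ", 0, dir_len)  # flags = 0 (unencrypted), file_base
    out += b"\0" * 64 + struct.pack("<I", len(files))
    blob = b""
    for path, content in files.items():
        offset = len(blob) if version == 2 else dir_len + len(blob)
        out += struct.pack("<I", len(padded[path])) + padded[path]
        out += struct.pack("<QQ", offset, len(content)) + hashlib.md5(content).digest()
        out += struct.pack("<I", 0) if version == 2 else b""
        blob += content
    if len(out) != dir_len:
        raise RuntimeError("directory size miscomputed")
    return out + blob


# Constructed sample: the flag lives in a scene, like scenes/flag.tscn in the
# write-up; the script entry carries a bare "KEY" decoy that must not match.
SAMPLE_FILES = {
    "res://scenes/flag.tscn": b'[gd_scene format=2]\n[node name="Flag" type="Label"]\n'
                              b'text = "KEY{constructed-placeholder}"\n',
    "res://scripts/portal.gdc": b"\0" * 40 + b"KEY" + b"\0" * 8,
    "res://icon.png": b"\x89PNG\r\n\x1a\n" + b"\0" * 32,
}

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_sample_pck(1, SAMPLE_FILES)
    for path, offset, size in read_directory(data):
        print(f"{path:40} offset={offset:<8} size={size}")
    for path, flag in find_flags(data):
        print(f"flag in {path}: {flag}")
```

Run it with the saved pack as the argument (python3 pck_flag.py doomscroll-quest.pck); with no argument it parses the constructed sample. What it adds over strings is attribution: every match is tied to the resource path it came from, which is the same information gdsdecomp gives you once it has rebuilt the project tree, without decompiling anything. If the pack flags say the directory is encrypted, the script stops, because that is exactly the case where grepping for KEY{ would come back empty.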

There was some discussion in the comic's Discord about whether this was the "intended" solution. After taking a hard look at the files given, my impression is that it is: I could find no underflow to exploit and no backdoor to invoke that would solve the challenge directly from the browser.

Eli's shortcut

Eli shared a shortcut to the flag: download one of the zips, unzip it and run strings on everything inside.

But you can go even simpler than that and never write the files to disk: pipe the extracted contents straight into strings.

unzip -p linux.zip | strings -n 11 | grep 'KEY{'

This also works with windows.zip and macos.zip, since every build carries the same game data. unzip -p writes each archive member to stdout instead of to disk, and strings -n 11 raises the minimum string length from the default of 4, which cuts down the noise before grep sees it. Whether a build ships a separate .pck or embeds the pack in the executable, the flag string is still there in the clear.

If you found another alternative way of getting to the flag, I would be happy to document it here, shoot me an email!