Let's have a quick look at Pwn Adventure 3: Pwnie Island - an intentionally vulnerable MMORPG game.
Pwn Adventure 3: Pwnie Island is an MMORPG game set on an idyllic island filled with beauty (and some beasts). The game is intentionally vulnerable, similar to other intentionally vulnerable applications to teach web or binary exploitation. The game was created for Ghost in the Shellcode CTF in 2015.
One of the main goals of this game is to let developers know how games can be abused and what not to do while developing the game. Back in 2015, I was just getting started with CTFs and didn't have any clue what to do, and it was scary, so I didn't bother giving it a try. That was until @Beaujeant wrote me on twitter that he was offering training with the game and told me that I could make a video on it and he would help. I appreciate the help and support that I got, but I couldn't just use his material because I wanted to solve the challenges on my own. The situation here is similar to the readme_revenge challenge, which I looked up to a couple of years ago and finally reached a point where I wanted to try it on my own. So @Beaujeant is the reason why I finally decided to look at it. And of course, I'd like to thank the creators of Pwn Adventure 3. It was created by Rust Wagner, who works at Vector35 which is also the company responsible for the creation of the disassembler Binary Ninja. Anyway, this is a bit of a casual blog post, but this will lead to many posts coming out in the future. The next post in this series will be about setting up our very own game server to test things out locally. The game comes with the server to run on Ubuntu 14.04 64bit, and there are game clients for Windows, OSX, and Linux. Since I have more experience with Linux, I will be using the Linux one. If you want to follow along or try it yourself, links are in the Resources section at the end. If you're going to look at the solutions, there are tons of writeups out there, and also I've already made videos on them on my channel. In this post, I will be focusing on the solely playing the game just to get a feel for it and observing some behaviours along the way, so basically nothing technical.
Right off the bat, the game looks fantastic, and the fact that it was created just for the CTF is just crazy. When we start the game, we get a splash screen of Ghost in the Shellcode and in the bottom left, there is some useful information like who created this game and what did they use to create it. As it turns out, they used the Unreal Engine, and the code is written in C++. After the splash screen, we are presented with the game menu.
I must say the music is amazing, what a great job! Once you are done spending like 3 hours listening to the soundtracks, we can click on the play button which gives us a popup asking for the user credentials. Remember that I mentioned that the game is MMORPG; basically it means you could play with other people! Well, this requires a game server but it can be downloaded from their website as I mentioned earlier. To have a first look I setup the server already. But don't you worry, we'll be looking at how to set this up in the next blog post, this one is non-technical, sit back and relax.
Additionally, if you don't have an account, you can create one right there in-game. After logging in, we get to create a character where you can select the avatar and dress them up as you like. Once we are done with the character creation, we get to play.
We are placed somewhere inside a dungeon, and the first quest is to get out of the cave. We have to explore the cave and find a way out. As you can see from the image, it's a first-person camera view. Playing a bit, like moving around and sprinting, it feels like it has some decent controls, but when jumping, you can feel that there's a bit of lack of gravity, makes you fly for a millisecond, and there's no fall or even fire damage. Anyway, you also see the bar at the bottom, which show's your health, items/spells and mana.
When exploring the cave you might run into some bushes blocking us from getting outside. But in another area of the dungeon, there's a book floating on a small island-ish place.
You can learn a spell from that book - it's the fire spell "Great Balls of Fire" and as usual it uses mana. Now we can bust our way out of the bushes which leads us to the underground sewer where cat-sized rats are trying to kill us. We can kill them with the special skill that we've learned - shooting fireballs. After this, we finally get out of the underground sewer, and we reach the "Pwnie Island"!
New music ... Epic!
The island looks enormous and amazing, a lot of mountains, trees and all we have left is a muddy road to follow. Following the path, we end up at a place where there are some houses. There also seems to be an underground area where you can fast travel to different places, think of it as a portal, and it's called Pwnie Express - heh.
In one of the buildings nearby is a gun shop, where you could buy guns using in-game money called Pwn Coins. Since we had none of them, we couldn't buy anything, but we could talk to the seller and get more information. One of the things he mentioned is that you can complete quests and also fight with creatures to obtain some legendary weapons. These legendary weapons aren't usually sold in the gun shop; we have to earn it ourselves.
In an adjacent building, there was a person we could talk to know his story. He mentions that there are some bears following him everywhere he goes and these bears also defend a legendary chest, which might hold our flag. All he wants is the bears to disappear, and he gives us a quest called "Unbearable Revenge".
Roaming around the place we end up at a cave, going inside it leads us to these small tasks. The task is simple; there are a few logical gates which are connected in some manner. We need to get the output of this small logical circuit to true, then the door to the next task opens. Solving three simple tasks lead us to a monstrous task which has like 32 inputs and an insanely huge room filled with circuitry. It's very complicated and would be super time-consuming trying to map out every connection to solve it. At the end of the huge hall, there's a room with a glass door preventing us from reaching the chest inside. So we have solve this task in order to get to the chest.
Since in this first episode we are just enjoying the game and getting a feel for it, I left the the blocky quest cave to see if I could find any other quests. After a while of roaming, I saw a small village. Along the way I also killed some huge rats which give us Pwn Coins and Rifle Ammo. Also, there was a pirate ship, near the village and it had a chest, but you couldn't open it - we need an unlock key.
Fast traveling back to the spawn area and following another path, we find bears. Killing them would also give us stuff we can use in-game like Pwn Coins and Ammunition, but I continue and we end up at a chest that is being defended by the bears... a lot of bears. This is the "Unbearable Revenge" quest!
Once we try to open the chest a timer of 5 minutes is started, we need to remain in proximity to the chest and a lot of bears start spawning trying to kill us. As expected, we are outnumbered by these bears, and we die soon.
Exploring the island further, we find another dungeon, where there's a huge monster called "Magmarok". The quest "fire and ice" seems to indicate we have to kill him.
He can shoot fireballs just like we can, and it doesn't really damage him because he's made up of fire. So we get out of there and try looking for more spells. We go around and kill some spiders in an ice cave, which dropped an ice spell for us; Maybe we can kill Magmarok now? We come back to use the spell we've acquired - shooting ice balls towards Magmarok and id does decrease his health! But when his health gets to 50%, he heals right back to the full amount. That means we have no way to defeat him with what we have at the moment.
I hope you are as excited as me for hacking this game! In the next blog post we will start by setting up the Server things and do some information gathering.