leHack 2025 - Wargame

Intro

This year I had the pleasure of being invited to leHACK 2025, one of the biggest (if not the biggest) hacking conventions in France. The talks and hosts were amazing! Special shoutout to Tuxlu, with whom I had the pleasure of talking during the event.

On Saturday evening, a public wargame was hosted with PWN, Reverse, Web, Game Hacking and Cryptography challenges. Though I typically enjoy solving Forensics challenges, here I had to adapt and change categories.

This blog post will thus contain the writeups for the challenges I managed to solve with my team.

See ya !


Game Hacking 🎮

The challenges were aligned with the four levels of Tuxlu's Flag Quest game. This game was specially made for this event and its trailer can be watched here.

Level 1 - Platforming King

Difficulty: Easy
Flag: leHack{PWN_4DV3NTUR3R}

The game starts with an introduction scene where our character finds the F.L.A.G. (Faster than Light Acceleration Generator), but it gets stolen by their enemies, the Siedparis.

This first level revolves around platforming mechanics and, while at first nothing stands out, we rapidly face a difficulty.

We fire up CheatEngine and start collecting coins to isolate the correct location in memory that we'll need to modify in order to move on in the level. Once found, we modify it to 250 and beat this first step.

Next, the way gets blocked by a wall. The solution here is to find the character's position in memory. To do so, we move our character back and forth to narrow down the possible memory locations.

Once found, we can alter them to teleport our character to the other side of the wall.

But we are immediately informed that this technique won't work anymore.

Indeed, if we try it, we get insta-killed.

We progress further in the level and are given the ability to double jump. However, this ability is taken away only two platforms later, leaving us with no way to reach the next platform.

We repeat the same process as before, with the exception of a small parameter. Indeed, by default CheatEngine only searches for 4-byte values and I had the feeling that this time the value would be binary. I thus set the search parameter to ALL, and started the level again and again to change the state of the value in charge of enabling or disabling the power-up.

Once found, we can re-enable the double jump ability and progress to the next platform.

We can finally finish this first level and obtain the flag!

Level 2 - Solid Lore

Difficulty: Easy
Flag: leHACK{SOLID_LORE_SKIPPER}

This level, a reference to early Metal Gear dialog scenes, aims to give us more lore about the scenario of the game.

However, the antagonist does so verryyyy slowly, and it takes a long time to go through the whole dialog.

To speed things up, we are going to use CE's Speedhack feature…

…and get the flag :)

Achievements

The game also contained achievements, some of which I managed to obtain. Here is the detailed list:

1- Game breaking bug!

2- diaLOGic

3- Lore master

This achievement was obtained if you listened through the whole dialog without Speedhacking.

4- brainscan

In the third level of the game, this old man gives you a hint to find a piece of info in memory.

Web 🌐

Kubain (EASY)

Difficulty: Easy
Flag: LeHack{hacking_a_pod_is_nice}

When we visit the URL of the challenge, we arrive on this page.

Each cigar category is clickable and is used to check the stock of that category. I immediately notice something interesting in the URL: https://kubain.wargame.rocks/stock?cigar=cohiba

We test the theory that the cigar parameter is read as a file path by trying to view the content of another file, in this case /etc/passwd: https://kubain.wargame.rocks/stock?cigar=../../etc/passwd

Success! Now that we know that the parameter given in the URL is essentially just passed to the “cat” command, we may exploit it to display the output of another command. To do so, we use the “%0A” delimiter (a URL-encoded newline) and check the content of the “/app” folder: https://kubain.wargame.rocks/stock?cigar=%0Als -la /app/

We enumerate the content of the folders here, and find a suspicious “flag.yml” inside the “kubernetes” folder…

…and open it to get the flag in base64 encoding.

Finally, we decode it using CyberChef.
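
The flaw behind this challenge next to a hardened lookup, as an added example that is not the challenge's own code. It assumes the handler builds a `cat` command line from the `cigar` parameter, as the behaviour above suggests; the `/app/stock` directory and the catalogue names other than `cohiba` are made up.

```python
import posixpath
from pathlib import Path

STOCK_DIR = Path("/app/stock")                        # assumed stock directory
KNOWN_CIGARS = {"cohiba", "montecristo", "partagas"}  # constructed catalogue


def vulnerable_command(cigar: str) -> str:
    """String a shell-based handler would pass to /bin/sh (built, never run)."""
    return f"cat {STOCK_DIR}/{cigar}"


def shell_statements(command: str) -> list:
    """A newline ends a shell statement, so every line is its own command."""
    return [line for line in command.split("\n") if line.strip()]


def traversal_target(cigar: str) -> str:
    """File that cat ends up opening once the '..' segments are resolved."""
    return posixpath.normpath(f"{STOCK_DIR}/{cigar}")


def safe_stock_path(cigar: str) -> Path:
    """Hardened lookup: allowlist the name, then confirm the path stays inside."""
    if cigar not in KNOWN_CIGARS:
        raise ValueError("unknown cigar")
    base = STOCK_DIR.resolve()
    path = (base / cigar).resolve()
    if base not in path.parents:          # defence in depth, e.g. symlinks
        raise ValueError("path escapes the stock directory")
    return path


def read_stock(cigar: str) -> str:
    """Read the file directly: no shell and no cat, so no command parsing."""
    return safe_stock_path(cigar).read_text()


if __name__ == "__main__":
    from urllib.parse import unquote
    for raw in ("cohiba", "../../etc/passwd", "%0Als -la /app/"):
        value = unquote(raw)              # what the handler sees after decoding
        print(repr(value), shell_statements(vulnerable_command(value)),
              traversal_target(value))
        try:
            print("  hardened ->", safe_stock_path(value))
        except ValueError as err:
            print("  hardened -> rejected:", err)
```
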