Dicetrix

they told you to touch grass, but did you listen?

(you will need your DiceBadge for this challenge)

dicetrix.dicec.tf

Challenge

Images of the badge:

Badge Picture

Visitng the challenge website presents us with this webpage:

Initial Webpage

Here we are prompted with connecting our badge.

Demo

After doing so we can see a few things here. We are able to move around in this enclosure that the dice is in. There is a red box that seems to be a escape where we can continue to move forward towards a golden ball, which assumably is our goal. Once entering that box though we can see that our next move is blocked and prevents us from moving forward.

Looking at the web page source code we can see a snippet in the javascript that hints at our win condition:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
function handleLine(line){
      if (!line) return;
      try {
        const msg = JSON.parse(line);
        switch(msg.type){
          case 'start':
            ...
          case 'facing': 
            ...
          case 'move': 
            ...
          case 'led_on':
            ...
          case 'led_off':
            ...
          case 'bad':
            ...
          case 'blocked':
            ...
          case 'flag': {
            alert(`Flag received: ${msg.digest}`);
            break; }
          case 'too_slow':
            ...
          default:
            log('Unknown msg '+line);
        }
      }catch(e){ /* Not a JSON line, ignore */ }
    }

Here we can see that most of the game logic is handled on the actual badge. So until we know what we need to do from the badge, we cannot achieve our goal.

Using picotool we can dump the firmware of the badge and start reverse engineering the code.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
anthony@ubuntu:~/dicebadge$ picotool info -F
Tracking device serial number E6635898634FB821 for reboot
The device was asked to reboot into BOOTSEL mode so the command can be executed.
Waiting for device to reboot

Program Information
 name:          dicebadge_fw
 web site:      https://github.com/your-username/dicebadge_fw
 features:      USB stdin / stdout
 binary start:  0x10000000
 binary end:    0x1000d6b8

                The device has been left accessible, but without the drive mounted; use 'picotool reboot' to reboot into regular BOOTSEL mode or application mode.
anthony@ubuntu:~/dicebadge$ picotool save -a firmware.bin
Saving file:          [==============================]  100%
Wrote 2097152 bytes to firmware.bin

Flag

flag{flag}