HackTheBox
A Unity IL2CPP Windows game where you need to earn 1,000,000 points to buy the flag via the /buyflag endpoint.
Files provided:
- LightningFast.exe - Main Unity game executable
- GameAssembly.dll - IL2CPP compiled game code
- global-metadata.dat - IL2CPP metadata

The presence of GameAssembly.dll and global-metadata.dat immediately identifies this as a Unity IL2CPP game. IL2CPP (Intermediate Language to C++) is Unity's AOT (Ahead-of-Time) compilation technology that converts C# code to C++.
First, we extract C# class definitions from the IL2CPP binary:
    # Extract metadata and generate dummy DLLs
    Il2CppDumper.exe GameAssembly.dll global-metadata.dat output/
This reveals several interesting classes:
- Player.Post() - method that sends score data to server
- ScoreHandler - uses ObscuredInt (XOR encrypted values from Anti-Cheat Toolkit)
- ShopMenuHandler.BuyFlag() and GetFlag() methods

Initial probing of the server reveals:
    # Check the buyflag endpoint
    curl "http://94.237.61.249:48085/buyflag"
    # {"result":"You need 1000000 more points."}

    # Try the ack endpoint
    curl "http://94.237.61.249:48085/ack"
    # Returns acknowledgment
The /buyflag endpoint confirms we need 1,000,000 points.
Decompiling GameAssembly.dll in Ghidra shows:
- ObscuredInt XOR-encrypts values in memory

However, the exact request format remained unclear from static analysis alone.
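A simplified model of the XOR masking that ObscuredInt is described as doing, added here as an example (not code from this writeup or from Anti-Cheat Toolkit). The class name, the fixed sample key and the shadow-copy tamper check are assumptions of this sketch; values are treated as unsigned 32-bit.

```python
import secrets
import struct

MASK = 0xFFFFFFFF


class TamperDetected(Exception):
    """The masked value and its shadow copy no longer agree."""


class ObscuredIntModel:
    """Hypothetical model of an XOR-masked 32-bit int; not Anti-Cheat Toolkit code."""

    def __init__(self, value, key=None):
        # A per-instance key; the plain value itself is never stored.
        self.key = secrets.randbits(32) if key is None else key & MASK
        self.set(value)

    def set(self, value):
        self.hidden = (value ^ self.key) & MASK
        # Assumed integrity check: a second copy masked with the inverted key.
        self.shadow = (value ^ self.key ^ MASK) & MASK

    def get(self):
        value = self.hidden ^ self.key
        if value != self.shadow ^ self.key ^ MASK:
            raise TamperDetected("hidden value changed without its shadow copy")
        return value

    def memory_image(self):
        # The bytes a process-memory search would be looking through.
        return struct.pack("<III", self.hidden, self.key, self.shadow)


def plain_value_visible(score):
    """True if the plain little-endian value occurs in the stored bytes."""
    return struct.pack("<I", score.get()) in score.memory_image()


def demo():
    score = ObscuredIntModel(1337, key=0x5A5A1234)  # constructed sample values
    visible = plain_value_visible(score)
    score.hidden = 1_000_000 ^ score.key  # field rewritten behind the API
    try:
        score.get()
        detected = False
    except TamperDetected:
        detected = True
    return visible, detected
```

`demo()` returns `(False, True)`: the plain score does not occur in the stored bytes, and a write to the hidden field alone is caught on the next read.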
Since static analysis wasn't revealing the full picture, we set up a Windows VDS to run the game:
- pktmon (built-in Windows packet monitor) to capture traffic

    # Start packet capture
    pktmon start --capture --file game_traffic.etl
    # Play the game, die to trigger score submission
    ...