gamepwn free medium

LightningFast

HackTheBox

$ ls tags/ techniques/
traffic_capture endpoint_discovery api_manipulation


LightningFast - HackTheBox

Challenge Description

A Unity IL2CPP Windows game where you need to get 1,000,000 points to buy the flag via the /buyflag endpoint.

Files provided:

  • LightningFast.exe - Main Unity game executable
  • GameAssembly.dll - IL2CPP compiled game code
  • global-metadata.dat - IL2CPP metadata

Initial Analysis

Identifying the Game Type

The presence of GameAssembly.dll and global-metadata.dat immediately identifies this as a Unity IL2CPP game. IL2CPP (Intermediate Language to C++) is Unity's AOT (Ahead-of-Time) compilation technology that converts C# code to C++.
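The file-based identification above can be automated for triage. The following is an added example, not code from the original writeup: it classifies a build directory and reads the 8-byte header of global-metadata.dat (a little-endian magic value followed by the metadata version). The function names and the sample files it writes are constructed for illustration.

```python
import struct
import tempfile
from pathlib import Path

# uint32 sanity value at offset 0 of global-metadata.dat (little-endian on disk)
IL2CPP_METADATA_MAGIC = 0xFAB11BAF


def first_match(root, name):
    """Return the first file called `name` anywhere under root, or None."""
    return next(Path(root).rglob(name), None)


def identify_unity_backend(game_dir):
    """Classify a Unity build directory as 'il2cpp', 'mono' or 'unknown'."""
    result = {"backend": "unknown", "metadata_version": None, "notes": []}
    assembly = first_match(game_dir, "GameAssembly.dll")
    metadata = first_match(game_dir, "global-metadata.dat")
    if assembly and metadata:
        result["backend"] = "il2cpp"
        with open(metadata, "rb") as fh:
            header = fh.read(8)
        if len(header) < 8:
            result["notes"].append("metadata file shorter than its 8-byte header")
        else:
            magic, version = struct.unpack("<Ii", header)
            if magic == IL2CPP_METADATA_MAGIC:
                result["metadata_version"] = version
            else:
                # Dumping tools validate this value before parsing the file
                result["notes"].append(
                    "unexpected magic 0x%08X: metadata may be protected or corrupt" % magic)
    elif first_match(game_dir, "Assembly-CSharp.dll"):
        result["backend"] = "mono"  # managed assemblies shipped as .NET DLLs
    elif assembly or metadata:
        result["notes"].append("only one of the two IL2CPP files is present")
    return result


def make_sample(root, magic=IL2CPP_METADATA_MAGIC, version=29):
    """Write a constructed, minimal file set (not a real game) for the demo."""
    root = Path(root)
    (root / "GameAssembly.dll").write_bytes(b"MZ")
    (root / "global-metadata.dat").write_bytes(struct.pack("<Ii", magic, version))
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(identify_unity_backend(make_sample(tmp)))
```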

Static Analysis with Il2CppDumper

First, we extract C# class definitions from the IL2CPP binary:

    # Extract metadata and generate dummy DLLs
    Il2CppDumper.exe GameAssembly.dll global-metadata.dat output/

This reveals several interesting classes:

  • Player.Post() - method that sends score data to server
  • ScoreHandler - uses ObscuredInt (XOR encrypted values from Anti-Cheat Toolkit)
  • ShopMenuHandler.BuyFlag() and GetFlag() methods

Server Endpoint Discovery

Initial probing of the server reveals:

    # Check the buyflag endpoint
    curl "http://94.237.61.249:48085/buyflag"
    # {"result":"You need 1000000 more points."}

    # Try the ack endpoint
    curl "http://94.237.61.249:48085/ack"
    # Returns acknowledgment

The /buyflag endpoint confirms we need 1,000,000 points.

Ghidra Analysis

Decompiling GameAssembly.dll in Ghidra shows:

  • Anti-Cheat Toolkit (ACTk) is used for memory protection
  • ObscuredInt XOR-encrypts values in memory
  • Score submission happens via HTTP POST

However, the exact request format remained unclear from static analysis alone.

Dynamic Analysis - The Breakthrough

Setting Up Windows Environment

Since static analysis wasn't revealing the full picture, we set up a Windows VDS to run the game:

  1. Windows Server 2022 VDS
  2. Installed the game
  3. Used pktmon (built-in Windows packet monitor) to capture traffic

Traffic Capture

    # Start packet capture
    pktmon start --capture --file-name game_traffic.etl

    # Play the game, die to trigger score submission
    ...
