reversefreemedium

Challenge Scenario (rev_gameloader)

HackTheBox

Despite having an updated antivirus, my computer was compromised after running a game. Investigate the game and uncover the two-part flag.

Tags: godot_pck_decryption, aes_key_extraction, gdscript_deobfuscation, c2_emulation, http_header_inspection



Analysis

Initial Reconnaissance

Downloaded the challenge zip (password: hackthebox). Inside: a Godot Engine game with two files:

  • Platformer 2D.exe — PE32+ x86-64 Godot Engine binary (44MB)
  • Platformer 2D.pck — Godot PCK resource file (2.4MB), encrypted (AES-256-CFB, Godot 4.1.1, 126 files)

PCK Encryption Analysis

The PCK file had the encryption flag set (flags=0x1). Studied the Godot 4.1.1 source code (file_access_pack.cpp and file_access_encrypted.cpp) to understand the exact encryption format:

  • Header (96 bytes) is unencrypted
  • File count (4 bytes) is unencrypted (126 files)
  • File directory is encrypted using FileAccessEncrypted format (no magic): 16 bytes MD5 hash + 8 bytes length + 16 bytes IV + AES-256-CFB encrypted data
  • Each file's content is also individually encrypted in the same format
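To make the layout concrete, here is an added Go example (not code from the writeup or from Godot) that builds one FileAccessEncrypted blob in the no-magic layout above and parses it back, rejecting a wrong key through the MD5 check. The key and IV are constructed test values, not the key recovered from the challenge; the zero padding of the plaintext to a 16-byte multiple before encryption is an assumption about how Godot sizes the ciphertext.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/md5"
	"encoding/binary"
	"errors"
	"fmt"
)

// Layout of one FileAccessEncrypted blob without magic, as described in the
// writeup: 16-byte MD5 of the plaintext, 8-byte little-endian length,
// 16-byte IV, then AES-256-CFB ciphertext.
const (
	md5Size    = 16
	lenSize    = 8
	ivSize     = 16
	headerSize = md5Size + lenSize + ivSize
)

// sealNoMagic builds a blob in that layout. It exists only so the parser
// below has realistic input; zero padding to a 16-byte multiple is an
// assumption about Godot's on-disk sizing.
func sealNoMagic(key [32]byte, iv [16]byte, plain []byte) ([]byte, error) {
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	padded := make([]byte, (len(plain)+15)/16*16)
	copy(padded, plain)
	ct := make([]byte, len(padded))
	cipher.NewCFBEncrypter(block, iv[:]).XORKeyStream(ct, padded)

	sum := md5.Sum(plain)
	lenField := make([]byte, lenSize)
	binary.LittleEndian.PutUint64(lenField, uint64(len(plain)))

	out := make([]byte, 0, headerSize+len(ct))
	out = append(out, sum[:]...)
	out = append(out, lenField...)
	out = append(out, iv[:]...)
	return append(out, ct...), nil
}

// openNoMagic parses and decrypts a blob, returning the plaintext only when
// the stored MD5 matches the decrypted bytes; a wrong key therefore shows up
// as a digest mismatch rather than as silent garbage.
func openNoMagic(key [32]byte, blob []byte) ([]byte, error) {
	if len(blob) < headerSize {
		return nil, errors.New("blob shorter than header")
	}
	storedMD5 := blob[:md5Size]
	length := binary.LittleEndian.Uint64(blob[md5Size : md5Size+lenSize])
	iv := blob[md5Size+lenSize : headerSize]
	ct := blob[headerSize:]
	if length > uint64(len(ct)) {
		return nil, errors.New("length field exceeds ciphertext size")
	}
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCFBDecrypter(block, iv).XORKeyStream(pt, ct)
	pt = pt[:length]
	if sum := md5.Sum(pt); !bytes.Equal(sum[:], storedMD5) {
		return nil, errors.New("MD5 mismatch: wrong key or corrupted data")
	}
	return pt, nil
}

func main() {
	var key [32]byte // constructed test key, not the challenge's key
	for i := range key {
		key[i] = byte(i)
	}
	iv := [16]byte{1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16}
	blob, _ := sealNoMagic(key, iv, []byte("extends Node2D\n"))
	pt, err := openNoMagic(key, blob)
	fmt.Printf("%q %v\n", pt, err)
}
```

Applied to the real PCK, openNoMagic would be called once on the encrypted directory (right after the 96-byte header and the 4-byte file count) and then once per file entry, with the 32-byte key from the .data section; the MD5 check is what tells you the extracted key is the right one.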

AES-256 Key Extraction

The AES-256 key was found in the EXE's .data section using strings and radare2 analysis:

  • Key: f2f44f0aaa282c6b66065b1ca437abae05e20a55a0f6b2fd85f5b90576f0c88f

Malicious GDScript Analysis

Found malicious code in player.gd (7530 bytes). The script was heavily obfuscated with dozens of intermediate variables containing integer arrays that represent character codes, which are then joined and base64-decoded.

Key decoded values:

  • target_url: http://g4m3l0ad3r-network.htb (C2 server domain)
  • ioqw: p47l0ad_binary (download path)
  • loap: GD_M@lw4r3_PCB29543} (flag part 2, used as input to MD5 hash)
  • aklq+paic: Cookie value for authentication
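An added Go example (not the writeup's or the challenge's code) of the static deobfuscation step just described: it scans GDScript text for `var name = [ints]` assignments, turns the character codes into text and base64-decodes that text. The sample script is constructed inside the block from the values recovered above, since the real player.gd is not reproduced on this page.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// arrayAssign matches GDScript lines such as `var ioqw = [112, 52, 55]`.
var arrayAssign = regexp.MustCompile(`(?m)^\s*var\s+(\w+)\s*=\s*\[([0-9,\s]+)\]`)

// codesToString turns a comma-separated list of character codes into the
// string they spell out.
func codesToString(codes string) (string, error) {
	var sb strings.Builder
	for _, f := range strings.Split(codes, ",") {
		f = strings.TrimSpace(f)
		if f == "" {
			continue
		}
		n, err := strconv.Atoi(f)
		if err != nil || n < 0 || n > 0x10FFFF {
			return "", fmt.Errorf("bad character code %q", f)
		}
		sb.WriteRune(rune(n))
	}
	return sb.String(), nil
}

// Deobfuscate finds every integer-array variable in the script, joins the
// codes into text and, where that text is valid base64, decodes it as well.
// It returns variable name -> recovered value.
func Deobfuscate(script string) map[string]string {
	out := map[string]string{}
	for _, m := range arrayAssign.FindAllStringSubmatch(script, -1) {
		name := m[1]
		joined, err := codesToString(m[2])
		if err != nil {
			continue
		}
		if raw, err := base64.StdEncoding.DecodeString(joined); err == nil {
			out[name] = string(raw)
		} else {
			out[name] = joined
		}
	}
	return out
}

// obfuscate applies the same two layers (base64, then character codes) so
// that the sample below is constructed rather than copied from the sample.
func obfuscate(name, plain string) string {
	enc := base64.StdEncoding.EncodeToString([]byte(plain))
	parts := make([]string, len(enc))
	for i, c := range enc {
		parts[i] = strconv.Itoa(int(c))
	}
	return fmt.Sprintf("var %s = [%s]\n", name, strings.Join(parts, ", "))
}

// SampleScript is a constructed stand-in for the obfuscated player.gd; the
// plaintext values are the ones listed in the writeup.
var SampleScript = "extends CharacterBody2D\n" +
	obfuscate("target_url", "http://g4m3l0ad3r-network.htb") +
	obfuscate("ioqw", "p47l0ad_binary") +
	obfuscate("loap", "GD_M@lw4r3_PCB29543}") +
	"var speed = 300\n"

func main() {
	for name, value := range Deobfuscate(SampleScript) {
		fmt.Printf("%s = %q\n", name, value)
	}
}
```

One caveat when running this over a real script: any short array whose characters happen to form valid base64 will be decoded too, so treat the output as candidates to review rather than as ground truth.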

The malware behavior:

  1. Collects system info (OS, CPU, locale, user directory)
  2. POSTs JSON to http://g4m3l0ad3r-network.htb/enum
  3. On success, downloads payload from /p47l0ad_binary with a specific Cookie header
  4. Saves it as new_level_mod.exe and executes it via PowerShell with the MD5 hash of loap as an argument
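An added Go example (not from the writeup) of the C2 emulation and HTTP-header inspection the tags refer to: a local stand-in for the two endpoints above that logs the system-info JSON sent to /enum and checks the Cookie header on /p47l0ad_binary before serving a harmless placeholder. The expected cookie value and the served bytes are placeholders chosen here; the sample's real values are not reproduced.

```go
package main

import (
	"encoding/json"
	"io"
	"log"
	"net/http"
	"sync"
)

// Observation records one request from the sample so the analyst can read
// what it sent instead of letting it reach the real domain.
type Observation struct {
	Path   string
	Cookie string
	Body   map[string]any
}

// FakeC2 emulates the /enum and /p47l0ad_binary endpoints described above.
// ExpectCookie is whatever value was recovered from the script; the value
// used in main() is a placeholder.
type FakeC2 struct {
	mu           sync.Mutex
	ExpectCookie string
	Log          []Observation
}

func (c *FakeC2) record(o Observation) {
	c.mu.Lock()
	defer c.mu.Unlock()
	c.Log = append(c.Log, o)
}

func (c *FakeC2) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	switch {
	case r.Method == http.MethodPost && r.URL.Path == "/enum":
		// Step 2: the sample POSTs collected system info as JSON.
		var info map[string]any
		body, _ := io.ReadAll(io.LimitReader(r.Body, 1<<16))
		if err := json.Unmarshal(body, &info); err != nil {
			http.Error(w, "bad json", http.StatusBadRequest)
			return
		}
		c.record(Observation{Path: r.URL.Path, Body: info})
		w.WriteHeader(http.StatusOK)
	case r.Method == http.MethodGet && r.URL.Path == "/p47l0ad_binary":
		// Step 3: the download only succeeds with the right Cookie header,
		// which is exactly the header an analyst wants to capture.
		cookie := r.Header.Get("Cookie")
		c.record(Observation{Path: r.URL.Path, Cookie: cookie})
		if cookie != c.ExpectCookie {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		w.Header().Set("Content-Type", "application/octet-stream")
		w.Write([]byte("NOT_A_REAL_PAYLOAD\n")) // placeholder, never a real binary
	default:
		http.NotFound(w, r)
	}
}

func main() {
	c := &FakeC2{ExpectCookie: "session=PLACEHOLDER_COOKIE"}
	log.Println("fake C2 on 127.0.0.1:8080; map g4m3l0ad3r-network.htb to it in the analysis VM's hosts file")
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", c))
}
```

Run it inside the isolated analysis VM with the domain resolved to 127.0.0.1; the logged /enum body confirms what the sample exfiltrates, and the logged Cookie confirms the value the deobfuscated script assembles from aklq and paic.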

...
