gamepwnfreemedium

StayInTheBoxCorp

HackTheBox

Unity IL2CPP Mario-like 2D platformer game. The goal is to find the hidden flag by analyzing game assets.

$ ls tags/ techniques/
game_hackingtexture_extractionunityasset_extractionil2cppxor_encodinganti_cheatsprite_analysisnative_pluginhidden_sprites
unitypy_asset_extractionsprite_position_analysistransform_coordinate_sortinggap_based_separator_detectionxor_string_decoding

$ cat /etc/rate-limit

Rate limit reached (20 reads/hour per IP). Showing preview only — full content returns at the next hour roll-over.

StayInTheBoxCorp — HackTheBox

Description

Within the enigmatic corridors of StayInTheBoxCorp, a company operating on a shoestring budget at the frontier of digital innovation, an challenge awaits. Only those who can dance on the edge of shadows shall pierce the veil of the unhackable.

Unity IL2CPP Mario-like 2D platformer game. The goal is to find the hidden flag by analyzing game assets.

Analysis

Technology Stack

  • Unity IL2CPP — identified by GameAssembly.dll (14MB) + global-metadata.dat in il2cpp_data/Metadata/
  • Native anti-debug pluginStayInTheBoxCorp_project.dll with XOR-encoded debugger names (key: 0x37)
  • 2D platformer — Mario-style game with lasers (Goomba enemies) and flag pole at the end

Asset Extraction

Using UnityPy to extract Texture2D assets revealed ~80 textures:

  • Normal game sprites: Cloud, Hill, HardBlock, GroundBlock, Castle, FlagPole, Goomba_Walk2, Heart, Bar
  • Suspicious textures: Many files with random names (ewfg, g09, gi3, gj9, htrh, f202, etc.)

Hidden Flag Discovery

The randomly-named textures were individual green letter/number sprites forming the flag:

...

$ grep --similar

Similar writeups