CubeMadness1

Technical Walkthrough

Writeup

Challenge

• Name: CubeMadness1
• Category: GamePwn
• Difficulty: Very Easy
• Mode: file

Summary

The completed path is a Unity asset extraction, not the earlier live-memory branch. Runtime work proved the game launches and that the visible cube counter can be patched, but that only changed UI text and did not trigger the win condition.

The decisive step was to extract Unity textures from sharedassets0.assets. Two large black textures contained the flag rendered as green text. The final solver exports textures with UnityPy, OCRs them with Tesseract, writes the recovered raw flag only to loot/flag.txt, and leaves OCR transcripts redacted under analysis/.

Artifact Inventory

Reference analysis/artifact-inventory.json and summarize the relevant files or remote surface.

Analysis

• Public challenge-specific research had already suggested that CubeMadness1 is solved by editing a live cube counter rather than by recovering a flag purely from static IL2CPP artifacts.
• Runtime validation on the Pwnbox confirmed that the Windows Unity build can be launched under Wine/Xvfb without adding new tooling. See <local workspace> and <local workspace>.
• The first launch created <local workspace> CubeMadness1/Player.log and a game-specific registry key at Software\\HackTheBox\\HackTheBox CubeMadness1, which confirms that the live runtime path is real and not just a static theory.
• The first persisted-state review showed only display/session values in that registry key, so there is no verified cheap PlayerPrefs-only shortcut yet. See <local workspace>.
• Focused scene-string extraction proved that the scene contains cubeCounter and the UI text Cubes: 0 / 20, which validates the likely win threshold as 20. See <local workspace>.
• Asset correlation also confirmed challenge-specific classes CubeCounter and FlagCheck in Assembly-CSharp.dll metadata context, supporting the live counter/win-gate theory. See <local workspace> and <local workspace>.
• Live process-memory probing against the actual HackTheBox CubeMadness1.exe process then surfaced writable runtime occurrences of Cubes: 0 / 20, CubeCounter, and FlagCheck. See <local workspace>.
• A bounded runtime mutation successfully rewrote the live counter text buffers to Cubes: 20 / 20, and a post-patch screenshot was captured back into the workspace. See <local workspace>, <local workspace>, and <local workspace>.
• OCR of the post-patch screenshot did not produce a flag-shaped value, so the validated live patch appears to affect the UI/runtime-string layer rather than the underlying gameplay counter.
• After revisiting static assets, solve/extract_flag_texture.py used UnityPy to export 85 Unity textures from the extracted game assets.
• The exported textures analysis/texture-export/sharedassets0_35.png and analysis/texture-export/sharedassets0_120.png contain the same flag rendered as green text on a black background.
• The solver uses Tesseract OCR to recover the flag-shaped value, writes the raw flag only to loot/flag.txt, and redacts OCR transcripts in analysis/texture-export/ocr/.

Solve

Run:

cd <local workspace>
.venv/bin/python solve/extract_flag_texture.py

The script:

1. Loads the Unity asset files from files/extracted/gamepwn_cubemadness1.
2. Exports Texture2D and Sprite objects into analysis/texture-export/.
3. OCRs exported textures with Tesseract.
4. Writes the recovered raw flag to loot/flag.txt.
5. Keeps OCR artifacts redacted outside loot/.

Flag

Captured through the harness. Raw flag is stored in loot/flag.txt only.

Lessons

• Runtime memory edits can prove a theory, but they are not always the shortest route.
• For Unity GamePwn challenges, asset extraction should run before deeper live-memory mutation if textures are present.
• Raw flags must stay in loot/; OCR and other analysis outputs should be redacted.

Source-Backed Dossier

The sections below are merged from companion Markdown notes for the same case. They are rendered after sanitization so the article stays precise without publishing raw flags, credentials, or target-specific secrets.

Notes

Scope

• Challenge: CubeMadness1
• Category: GamePwn
• Difficulty: Very Easy
• Mode: file
• Remote instance: none
• Start time: 2026-06-07T12:52:32Z
• Operator: harness
• State file: challenge-state.json

Harness Status

• Current phase: see challenge-state.json
• Next allowed actions: see next-action.json
• Raw flags and sensitive material stay in loot/ only. Do not paste them here.

Artifact Inventory

Evidence Ledger

Key Findings

• The public runtime-edit theory is validated enough to continue: the game launches in an isolated Wine/Xvfb environment on the Pwnbox and exposes a real window.
• The on-screen objective text is statically confirmed as Cubes: 0 / 20, so the likely win threshold is 20 cubes.
• Live process-memory probing against the real HackTheBox CubeMadness1.exe process confirmed writable runtime occurrences of Cubes: 0 / 20, CubeCounter, and FlagCheck.
• A bounded runtime mutation successfully changed the visible live counter text to Cubes: 20 / 20, proving the runtime patch path works, but the post-patch screenshot/OCR did not yet surface a flag, which suggests the current patch is reaching the UI layer rather than the underlying gameplay counter.
• The initial PlayerPrefs-style registry key only contains screen/session values after first launch, so the cheapest persisted-state shortcut was not confirmed.
• The remaining blocker in this session is environmental: the Pwnbox SSH port timed out before the next live mutation/interaction step could be completed.

RAG / Advisory Memory

RAG output is advisory only. Record evaluated retrievals with:

scripts/challenge_harness.py rag-record <workspace> --query "..." --tag MATCHED|PARTIAL|MISSING|<secret redacted>|GENERIC --validation "..."

Secrets/Flags

Raw flags and sensitive material stay in loot/ only. Use scripts/challenge_harness.py capture-flag to validate and record flag capture without printing the value.

Memory Summary

Metadata

• Platform: HackTheBox Challenges
• Category: GamePwn
• Challenge: CubeMadness1
• Difficulty: Very Easy
• Source workspace: <local workspace>

Validated Solve Chain

Concepts only. Do not include raw flags, reusable credentials, tokens, cookies, private keys, or live secrets.

1. Extract Unity Texture2D / Sprite objects from globalgamemanagers* and sharedassets0.assets.
2. OCR exported textures; CubeMadness1 contains the flag rendered as green text on black textures.
3. Store the raw flag only in loot/flag.txt; redact OCR transcripts and flag-bearing exported images in analysis/.

Reusable Lessons

• For Unity GamePwn challenges, run asset extraction before spending time on deeper live-memory mutation.
• A live memory edit that changes UI text may not satisfy the underlying game state or win condition.
• If OCR is used, redact OCR artifacts outside loot/.

Dead Ends

• Patching visible Cubes: 0 / 20 strings to Cubes: 20 / 20 proved runtime control but did not trigger flag display.
• First-launch PlayerPrefs / Wine registry review did not expose a saved counter shortcut.

Tool Quirks

• UnityPy successfully exported the relevant textures locally.
• tesseract --psm 6 cleanly read the flag-shaped value from the exported texture.

Evidence Paths

• solve/extract_flag_texture.py
• analysis/texture-export-run.txt
• analysis/texture-export/ocr/
• loot/flag.txt

Ingestion Decision

• Proposed for LightRAG: yes
• Requires user approval before ingestion: yes

Hypothesis Board

Keep no more than 3 active hypotheses on Easy/Medium and 5 on Hard unless the user explicitly asks for breadth.

Closed Branches

Memory Summary

approval_required: true

Sanitized Memory Summary

Metadata

• Platform: HackTheBox Challenges
• Category: GamePwn
• Challenge: CubeMadness1
• Difficulty: Very Easy
• Source workspace: <local workspace>

Validated Solve Chain

Concepts only. Do not include raw flags, reusable credentials, tokens, cookies, private keys, or live secrets.

1. Extract Unity Texture2D / Sprite objects from globalgamemanagers* and sharedassets0.assets.
2. OCR exported textures; CubeMadness1 contains the flag rendered as green text on black textures.
3. Store the raw flag only in loot/flag.txt; redact OCR transcripts and flag-bearing exported images in analysis/.

Reusable Lessons

• For Unity GamePwn challenges, run asset extraction before spending time on deeper live-memory mutation.
• A live memory edit that changes UI text may not satisfy the underlying game state or win condition.
• If OCR is used, redact OCR artifacts outside loot/.

Dead Ends

• Patching visible `Cubes: <REDACTED>
• First-launch PlayerPrefs / Wine registry review did not expose a saved counter shortcut.

Tool Quirks

• UnityPy successfully exported the relevant textures locally.
• tesseract --psm 6 cleanly read the flag-shaped value from the exported texture.

Evidence Paths

• solve/extract_flag_texture.py
• analysis/texture-export-run.txt
• analysis/texture-export/ocr/
• loot/flag.txt

Ingestion Decision

• Proposed for LightRAG: yes
• Requires user approval before ingestion: yes

Notes

Notes

Scope

• Challenge: CubeMadness1
• Category: GamePwn
• Difficulty: Very Easy
• Mode: file
• Remote instance: none
• Start time: 2026-06-07T12:52:32Z
• Operator: harness
• State file: challenge-state.json

Harness Status

• Current phase: see challenge-state.json
• Next allowed actions: see next-action.json
• Raw flags and sensitive material stay in loot/ only. Do not paste them here.

Artifact Inventory

Evidence Ledger

Key Findings

• The public runtime-edit theory is validated enough to continue: the game launches in an isolated Wine/Xvfb environment on the Pwnbox and exposes a real window.
• The on-screen objective text is statically confirmed as Cubes: 0 / 20, so the likely win threshold is 20 cubes.
• Live process-memory probing against the real HackTheBox CubeMadness1.exe process confirmed writable runtime occurrences of Cubes: 0 / 20, CubeCounter, and FlagCheck.
• A bounded runtime mutation successfully changed the visible live counter text to `Cubes: <REDACTED>, proving the runtime patch path works, but the post-patch screenshot/OCR did not yet surface a flag, which suggests the current patch is reaching the UI layer rather than the underlying gameplay counter.
• The initial PlayerPrefs-style registry key only contains screen/session values after first launch, so the cheapest persisted-state shortcut was not confirmed.
• The remaining blocker in this session is environmental: the Pwnbox SSH port timed out before the next live mutation/interaction step could be completed.

RAG / Advisory Memory

RAG output is advisory only. Record evaluated retrievals with:

scripts/challenge_harness.py rag-record <workspace> --query "..." --tag MATCHED|PARTIAL|MISSING|<secret redacted>|GENERIC --validation "..."

Secrets/Flags

Raw flags and sensitive material stay in loot/ only. Use scripts/challenge_harness.py capture-flag to validate and record flag capture without printing the value.