LightningFast

Technical Walkthrough

Writeup

Challenge

• Name: LightningFast
• Category: GamePwn
• Difficulty: Medium
• Mode: hybrid

Summary

LightningFast is a Unity IL2CPP game that stores the player's score on the supplied self-hosted backend. The client hides the current score routes behind /endpoints, but the backend trusts the score value submitted by the client. Once the dynamic setter route is recovered, submitting the required score and then calling /buyflag returns the challenge flag.

Artifact Inventory

The archive contains a Windows x64 Unity IL2CPP build:

• LightningFast.exe
• GameAssembly.dll
• UnityPlayer.dll
• LightningFast_Data/il2cpp_data/Metadata/global-metadata.dat
• LightningFast_Data/data.unity3d

The remote service is an Express-style HTTP backend at <TARGET>:31741. Local probes confirmed /ack, /endpoints, a dynamic getter route, a dynamic setter route, and /buyflag. The full inventory is in analysis/artifact-inventory.json.

Analysis

Static strings showed the obvious client routes /ack, /buyflag, and /endpoints, plus the PlayerPrefs names getScore and setScore. Those PlayerPrefs names are not the actual score routes; they are local keys used after the client retrieves dynamic route names from /endpoints.

IL2CPP recovery with Il2CppDumper identified the relevant classes: MenuHandler, OptionsHandler, Player, ScoreHandler, and ShopMenuHandler. The recovered flow showed:

• OptionsHandler validates a user-supplied http://<ipv4>:<port> server and checks /ack.
• MenuHandler requests /endpoints, parses the JSON response, and stores the returned getter and setter values in PlayerPrefs.
• ScoreHandler reads the saved getter route and fetches the current score.
• Player.OnTriggerEnter2D submits a JSON body shaped like {"score": <score>} to the saved setter route when the game ends.
• ShopMenuHandler calls /buyflag.

The important correction was that Anti-Cheat Toolkit obfuscation only protects the local integer representation. The submitted HTTP body contains the decrypted score string, so defeating or patching the obfuscation was unnecessary. Live validation in analysis/endpoints-probe.txt and analysis/score-set-buyflag-probe.txt confirmed the backend accepts a direct score update and then allows /buyflag.

Solve

Run the reproducible solver:

cd <local workspace>
python3 solve/solve.py --base-url http://<TARGET>:31741 --output loot/flag-candidate.txt

Then capture it through the harness:

cd <local workspace>
python3 scripts/challenge_harness.py capture-flag GamePwn/LightningFast --from loot/flag-candidate.txt

The solver asks /endpoints for the current getter and setter route names, posts a score of 1000000 to the setter route, calls /buyflag, and writes the result to loot/flag-candidate.txt.

Flag

Raw flag is stored in loot/flag.txt and intentionally not reproduced here.

Lessons

• For Unity IL2CPP GamePwn challenges, metadata strings are useful but must be tied back to code flow; getScore and setScore were storage keys, not remote routes.
• Dynamic backend configuration routes are high-value targets because they often reveal hidden API paths without needing client patching.
• Client-side anti-cheat does not matter if the server accepts trusted plaintext state from the client.
• Keep live probes small and client-derived. The successful path came from reversing the Unity flow, not broad fuzzing.

Source-Backed Dossier

The sections below are merged from companion Markdown notes for the same case. They are rendered after sanitization so the article stays precise without publishing raw flags, credentials, or target-specific secrets.

Notes

Scope

• Challenge: LightningFast
• Category: GamePwn
• Difficulty: Medium
• Mode: hybrid
• Remote instance: none
• Start time: 2026-06-13T04:51:36Z
• Operator: harness
• State file: challenge-state.json

Harness Status

• Current phase: see challenge-state.json
• Next allowed actions: see next-action.json
• Raw flags and sensitive material stay in loot/ only. Do not paste them here.

Artifact Inventory

Evidence Ledger

Key Findings

• The archive is a Unity IL2CPP game client with network logic in custom classes recovered through metadata and Il2CppDumper output.
• /endpoints returns dynamic getter/setter routes that the client stores under local PlayerPrefs keys.
• The setter route accepts a plaintext JSON score value from the client.
• Once the required score is set, /buyflag returns the challenge flag.

RAG / Advisory Memory

RAG output is advisory only. Record evaluated retrievals with:

scripts/challenge_harness.py rag-record <workspace> --query "..." --tag MATCHED|PARTIAL|MISSING|<secret redacted>|GENERIC --validation "..."

Secrets/Flags

Raw flags and sensitive material stay in loot/ only. Use scripts/challenge_harness.py capture-flag to validate and record flag capture without printing the value.

Memory Summary

Metadata

• Platform: HackTheBox Challenges
• Category: GamePwn
• Challenge: LightningFast
• Difficulty: Medium
• Source workspace: <local workspace>

Validated Solve Chain

Concepts only. Do not include raw flags, reusable credentials, tokens, cookies, private keys, or live secrets.

1. Treat the downloadable game as a Unity IL2CPP client and recover metadata/code flow before guessing routes.
2. Use metadata strings to identify /ack, /endpoints, /buyflag, getScore, and setScore.
3. Confirm with IL2CPP recovery that getScore and setScore are PlayerPrefs keys populated from the /endpoints JSON response.
4. Request /endpoints from the live backend to get the dynamic getter/setter route names.
5. POST a JSON score body to the returned setter route with the required threshold value.
6. Call /buyflag after the accepted score update and capture the HTB-format flag through the harness.

Reusable Lessons

• In Unity GamePwn challenges, do not assume visible strings are direct remote routes; distinguish storage keys, literal routes, and dynamically populated fields.
• Anti-cheat integer obfuscation can be irrelevant when the network request serializes the decrypted value.
• A small client-derived HTTP solver is preferable to broad fuzzing once the Unity flow identifies exact request shapes.
• Dynamic backend endpoint discovery routes are a strong target when a game is described as self-hosted.

Dead Ends

• Broad /ack query/body score guesses did not change score state.
• Treating getScore and setScore as literal remote paths was incomplete; they are local key names.
• Defeating Anti-Cheat Toolkit internals was unnecessary for the final solve.

Tool Quirks

• Il2CppDumper required a local .NET runtime setup under analysis/tools/dotnet.
• UnityPy helped inspect serialized scene objects, but the route fields were populated at runtime from /endpoints.

Evidence Paths

• analysis/artifact-inventory.json
• analysis/metadata-literals-interesting.txt
• analysis/il2cppdump/dump.cs
• analysis/il2cppdump/menu-core-disasm.txt
• analysis/il2cppdump/missing-methods-disasm.txt
• analysis/endpoints-probe.txt
• analysis/score-set-buyflag-probe.txt
• solve/solve.py
• loot/flag.txt

Ingestion Decision

• Proposed for LightRAG: yes, after user approval
• Requires user approval before ingestion: yes

Hypothesis Board

Keep no more than 3 active hypotheses on Easy/Medium and 5 on Hard unless the user explicitly asks for breadth.

Closed Branches