NoClip
NoClip is a sanitized challenge note from the local HTB archive, organized for quick review by category, difficulty, evidence flow, and reusable operator
Scenario
NoClip attack path
NoClip is a sanitized challenge note from the local HTB archive, organized for quick review by category, difficulty, evidence flow, and reusable operator
Objective
Challenge walkthrough focused on GamePwn evidence, validation, and reusable operator lessons.
Walkthrough flow
Reverse the non-stripped SDL2 raycaster binary enough...
Parse assets.dmp as sections: player coordinates,...
Validate from disassembly that map cells are indexed...
Treat hidden collision-wall values as one-based...
Follow the connected no-clip character lattice...
Source coverage
High source coverage
Status: complete. This article is generated from 4 sanitized Markdown sources and keeps raw flags, credentials, keys, cookies, and reusable secrets out of the rendered blog.
High confidence: the page is reconstructed from a primary walkthrough plus multiple supporting notes or evidence sources. Treat the chain as source-backed, while still checking the listed source files for sensitive values.
- GamePwn/NoClip/writeup.md
- htb-challenge/GamePwn/NoClip/notes.md
- htb-challenge/GamePwn/NoClip/memory-summary.md
- htb-challenge/GamePwn/NoClip/hypothesis-board.md
Technical Walkthrough
Writeup
Challenge
- Name: NoClip
- Category: GamePwn
- Difficulty: Medium
- Mode: file
Summary
NoClip is a file-only SDL2 raycaster challenge. The binary is small and not
stripped, so the useful path was to reverse the asset loader and map access
rather than play the game manually.
The flag is encoded in assets.dmp as character-texture references on hidden
collision walls plus two floor-marker digits. The key correction was that the
game indexes the map as x * height + y, and hidden collision bytes are
one-based texture references.
Artifact Inventory
files/extracted/gamepwn_noclip/noclip: ELF 64-bit PIE, dynamically linked,
not stripped, SDL2 raycaster.
files/extracted/gamepwn_noclip/assets.dmp: asset container with player
coordinates, map data, skybox, and 18 named textures.
Analysis
load_assets showed the asset format:
- section
1: initial player coordinates - section
2: map width, map height, thenwidth height 3bytes - section
3: skybox texture - section
4: texture count and named textures
The player input and raycast disassembly showed the game uses the map index
x * height + y. Earlier row-major parsing made the map look scrambled and made
one hidden value appear invalid. With the corrected indexing, hidden wall bytes
map cleanly to the character texture table using one-based IDs.
The character-bearing cells form a connected lattice route. Starting at the
HTB{ prefix and following the readable no-clip path gives a leetspeak phrase
that normalizes to break_the_wall, matching the title and scenario.
Evidence:
analysis/disasm-load-assets.txtanalysis/disasm-player-input.txtanalysis/disasm-raycast.txtanalysis/assets-special-tiles.txtanalysis/map-corrected-lattice.md
Solve
Run:
python3 solve/solve.py --output loot/flag-candidate.txt
cd <local workspace>
python3 scripts/challenge_harness.py capture-flag GamePwn/NoClip --from loot/flag-candidate.txtThe solver parses assets.dmp, reconstructs the corrected map, extracts
character nodes from hidden walls and floor digit markers, follows the
validated no-clip lattice path, and writes the recovered flag candidate.
Flag
Raw flag is stored in loot/flag.txt and intentionally not reproduced here.
Lessons
- For custom game assets, verify the binary's indexing convention before
trusting a visual map dump.
- The display texture index and the hidden data index may use different base
conventions. Here, wall-hidden values were one-based, while visible texture
indices were zero-based.
- For file-only GamePwn, a reproducible parser can be a cleaner solve than
patching movement or building an emulator.
Source-Backed Dossier
The sections below are merged from companion Markdown notes for the same case. They are rendered after sanitization so the article stays precise without publishing raw flags, credentials, or target-specific secrets.
Notes
Scope
- Challenge: NoClip
- Category: GamePwn
- Difficulty: Medium
- Mode: file
- Remote instance: none
- Start time: 2026-06-13T01:42:23Z
- Operator: harness
- State file:
challenge-state.json
Harness Status
- Current phase: see
challenge-state.json - Next allowed actions: see
next-action.json - Raw flags and sensitive material stay in
loot/only. Do not paste them here.
Artifact Inventory
| File | Size | SHA256 | Type | Notes |
|---|---|---|---|---|
files/a12c7384-767f-4974-a3b9-b768068d7a7f.zip | 1836302 | <hash redacted> | Zip archive data, at least v1.0 to extract, compression method=store | zip entries: 3 shown in artifact inventory JSON |
files/extracted/gamepwn_noclip/assets.dmp | 4894749 | <hash redacted> | data | |
files/extracted/gamepwn_noclip/noclip | 22816 | <hash redacted> | ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=<hash redacted>, for GNU/Linux 3.2.0, not stripped |
Evidence Ledger
| Time | Action | Output/File | Finding | Confidence | Next |
|---|---|---|---|---|---|
| 2026-06-13T01:42:23Z | harness init | challenge-state.json | Workspace initialized with deterministic state file | High | Inventory artifacts |
| 2026-06-13T01:42:23Z | artifact inventory | analysis/artifact-inventory.json | 3 artifact(s) inventoried | High | Build or update hypotheses |
| 2026-06-13T01:42:54Z | hypothesis recorded | hypothesis-board.md | Reverse the small non-stripped SDL raycaster and assets.dmp to find map/win/exit logic; patch or solve movement/map constraints to reach the resident's escape path and recover the flag. | Medium | Disassemble named functions and parse assets.dmp dimensions/data; search for embedded flag, exit tile, map boundaries, collision checks, or asset tile values. |
| 2026-06-13T01:42:54Z | checkpoint recorded | analysis/checkpoint-triage-20260613T014254484255Z-e2bd4614.md | Checkpoint for TRIAGE | High | Use checkpoint to drive next decision |
| 2026-06-13T01:43:08Z | RAG query | analysis/rag/rag-query-20260613T014254584750Z-3bb447f0.txt | RAG helper exited 0; output saved | Medium | Record retrieval tag and validation |
| 2026-06-13T01:43:29Z | RAG record | analysis/rag-records.md | Retrieved memory tagged GENERIC | Medium | Validate or reject with live evidence |
| 2026-06-13T01:43:38Z | research record | analysis/research/research-records.md | Research tagged GENERIC | Medium | Validate against current evidence |
| 2026-06-13T01:59:21Z | research record | analysis/research/research-records.md | Research tagged MATCHED | Medium | Validate against current evidence |
| 2026-06-13T01:59:21Z | instrumentation plan | analysis/instrumentation-plan.md | Recover the file-only NoClip flag from the raycaster assets without guessing. | High | Stop if the recovered path does not use the expected HTB prefix/suffix and normalize to a readable challenge-themed phrase from the character lattice. |
| 2026-06-13T01:59:44Z | evaluator | analysis/evaluator-20260613T015944122630Z-c87d4d13.md | Proceed | High | capture-flag from loot/flag-candidate.txt |
| 2026-06-13T01:59:58Z | flag capture | loot/flag.txt | HTB-format flag captured; raw value kept in loot only | High | Write solution and run completion gate |
| 2026-06-13T02:02:17Z | completion gate | challenge-state.json | Completion gate passed; state marked COMPLETE | High | Optional sanitized memory summary approval |
Key Findings
noclipis a non-stripped SDL2 raycaster; the useful symbols areload_assets,
input, and raycast.
assets.dmpstores player coordinates, a 43 by 21 map with 3 bytes per cell,
one skybox texture, and 18 named game textures.
- The game indexes map cells as
x * height + y; row-major parsing is misleading. - Hidden collision-wall bytes are one-based references into the texture table.
This makes byte 18 the closing-brace texture.
- Floor byte
6marks visible1characters that participate in the final
connected no-clip path.
solve/solve.pyreconstructs the flag candidate from the corrected asset
interpretation and writes it under loot/.
RAG / Advisory Memory
RAG output is advisory only. Record evaluated retrievals with:
scripts/challenge_harness.py rag-record <workspace> --query "..." --tag MATCHED|PARTIAL|MISSING|<secret redacted>|GENERIC --validation "..."Secrets/Flags
Raw flags and sensitive material stay in loot/ only. Use scripts/challenge_harness.py capture-flag to validate and record flag capture without printing the value.
Memory Summary
Metadata
- Platform: HackTheBox Challenges
- Category: GamePwn
- Challenge: NoClip
- Difficulty: Medium
- Source workspace:
<local workspace>
Validated Solve Chain
Concepts only. Do not include raw flags, reusable credentials, tokens, cookies, private keys, or live secrets.
- Reverse the non-stripped SDL2 raycaster binary enough to recover the asset
format and map indexing convention.
- Parse
assets.dmpas sections: player coordinates, 3-byte-per-cell map,
skybox texture, then named texture table.
- Validate from disassembly that map cells are indexed as
x * height + y,
not row-major y * width + x.
- Treat hidden collision-wall values as one-based texture references and
floor texture 1 markers as additional character nodes.
- Follow the connected no-clip character lattice beginning at the HTB prefix;
the recovered inner phrase normalizes from leetspeak to break_the_wall.
Reusable Lessons
- For raycaster/game asset challenges, disassemble the loader and movement or
render functions before trusting an assumed map layout.
- If a texture index appears off by one, check whether the hidden data field and
render field use different conventions.
- When gameplay is mostly a container for a hidden asset puzzle, a deterministic
asset parser is usually cleaner than patching movement or attempting manual
play.
Dead Ends
- Initial row-major map parsing made the layout look plausible but placed
character nodes incorrectly.
- Treating hidden wall collision bytes as zero-based texture IDs left value
18 looking invalid; one-based mapping resolves it as the closing brace.
Tool Quirks
- The binary uses
x * height + yfor map indexing, which is easy to miss when
dumping a rectangular map visually.
- Direction texture file names are not needed for final recovery; only the
character texture names and floor 1 markers are used.
Evidence Paths
analysis/disasm-load-assets.txtanalysis/disasm-player-input.txtanalysis/disasm-raycast.txtanalysis/assets-special-tiles.txtanalysis/map-corrected-lattice.mdsolve/solve.pyloot/flag.txt
Ingestion Decision
- Proposed for LightRAG: yes
- Requires user approval before ingestion: yes
Hypothesis Board
Keep no more than 3 active hypotheses on Easy/Medium and 5 on Hard unless the user explicitly asks for breadth.
| Rank | Path | Evidence | Missing Proof | Cheapest Validation | Confidence | Status |
|---|---|---|---|---|---|---|
| 1 | Reverse the small non-stripped SDL raycaster and assets.dmp to find map/win/exit logic; patch or solve movement/map constraints to reach the resident's escape path and recover the flag. | ELF strings expose symbols game/player/raycast/window/load_assets; challenge title NoClip suggests wall collision or map traversal is the intended primitive. | Disassemble named functions and parse assets.dmp dimensions/data; search for embedded flag, exit tile, map boundaries, collision checks, or asset tile values. | Medium | Active |
Closed Branches
| Branch | Evidence Tested | Failure Output | Reason Closed | Revisit Condition |
|---|
Technical analogy
How to remember this solve
Think of the game like an arcade cabinet with a score counter behind the glass. The solve is finding where the game stores state and reading or changing it at the right moment.
For NoClip, keep the mental model simple: identify the trusted assumption, prove it with the smallest safe test, then automate or repeat only the part that directly leads to the flag.