NoRadar
NoRadar is a sanitized challenge note from the local HTB archive, organized for quick review by category, difficulty, evidence flow, and reusable operator
Scenario
NoRadar attack path
NoRadar is a sanitized challenge note from the local HTB archive, organized for quick review by category, difficulty, evidence flow, and reusable operator
Objective
Challenge walkthrough focused on GamePwn evidence, validation, and reusable operator lessons.
Walkthrough flow
Inventory the archive and extract the unstripped...
Use symbols and disassembly to identify...
Parse the static waypoint table copied from .rodata...
Split the coordinate list on (0, 0) sentinels and...
Map the rendered glyphs to letters and leetspeak...
Source coverage
High source coverage
Status: complete. This article is generated from 6 sanitized Markdown sources and keeps raw flags, credentials, keys, cookies, and reusable secrets out of the rendered blog.
High confidence: the page is reconstructed from a primary walkthrough plus multiple supporting notes or evidence sources. Treat the chain as source-backed, while still checking the listed source files for sensitive values.
- GamePwn/NoRadar/writeup.md
- htb-challenge/GamePwn/NoRadar/notes.md
- htb-challenge/GamePwn/NoRadar/memory-summary.md
- htb-challenge/GamePwn/NoRadar/hypothesis-board.md
- HTB/_knowledge/exports/ctf-lightrag-latest-203412/documents/challenge__GamePwn__NoRadar__memory-summary.md.b84ba3d6f7.md
- HTB/_knowledge/exports/ctf-lightrag-latest-203412/documents/challenge__GamePwn__NoRadar__notes.md.a79fb4720b.md
Technical Walkthrough
Writeup
Challenge
- Name: NoRadar
- Category: GamePwn
- Difficulty: Easy
- Mode: file
Summary
NoRadar is a file-only GamePwn challenge built as a small unstripped Linux SDL game. The flag is not stored as a string and does not require playing the game manually. The moving green cube route is encoded as a static waypoint table in the ELF; when the zero-separated waypoint groups are rendered as 7x7 line glyphs, they spell the flag. The embedded glyph alphabet includes leetspeak digits, so the right-sided E-like glyph must be read as 3, and the A-like glyph must be read as 4.
Artifact Inventory
files/a12c736e-81ff-4edc-adda-82bb85a6024b.zip: original HTB archive, preserved unmodified.files/extracted/gamepwn_noradar/noradar: Linux x86-64 PIE SDL ELF, not stripped. Evidence:analysis/file-extracted.txt,analysis/nm.txt.files/extracted/gamepwn_noradar/assets.dmp: custom asset dump with a 350x21 map and textures. Evidence:analysis/assets-parse-summary.txt.- Extracted visual aids are under
analysis/textures/,analysis/map-col.png, andanalysis/waypoint-glyphs.png.
Analysis
The binary imports SDL and SDL_image calls, and symbol names reveal game-specific routines such as load_assets, green_cube1_new, green_cube2_new, green_cube3_new, and green_cube3_update. This made the moving cube logic the highest-value target. Evidence: analysis/strings-noradar.txt, analysis/nm.txt.
assets.dmp is loaded by chunk type. The parser reconstructed chunk type 1 as initial player doubles, type 2 as the column-major map, type 3 as the skybox texture, and type 4 as named textures including htb, floor, and green_cube. Evidence: analysis/assets-parse-summary.txt, analysis/textures/0_htb.png.
The hidden payload is not in those texture pixels. The route table copied by green_cube3_update starts at .rodata address/file offset 0x5060. The routine copies 0x176 qwords, which is 187 coordinate pairs. The pairs use (0, 0) as separators; the non-zero coordinates lie on a 7x7 grid. Rendering each group as connected line segments produces readable glyphs. Some glyphs are intentionally digit-shaped leetspeak, not plain letters. Evidence: analysis/disasm-assets-green-updates.txt, analysis/route-table-summary.txt, analysis/waypoint-glyphs-ascii.txt.
Private CTF LightRAG did not return a matching NoRadar solve pattern, so the solution uses only local binary evidence. Evidence: analysis/research-lightrag-noradar.txt, analysis/research/research-records.md.
Solve
Run:
cd <local workspace>
python3 solve/solve.py --output loot/flag-candidate.txtThe script reads the ELF, extracts the waypoint pairs from offset 0x5060, splits them into glyph groups at (0, 0), draws each group with Bresenham line interpolation on a 7x7 grid, maps each rendered glyph to the correct letter or leetspeak digit, and writes the recovered flag candidate. The harness then validates and stores the final flag:
cd <local workspace>
./scripts/challenge_harness.py capture-flag GamePwn/NoRadar --from loot/flag-candidate.txtFlag
Raw flag is stored in loot/flag.txt and intentionally not reproduced here.
Lessons
- For small unstripped GamePwn binaries, symbol names can make static analysis faster than runtime game interaction.
- Named textures can be useful clues, but the actual payload may live in movement/route data rather than pixels.
- Zero-separated coordinate tables are worth rendering visually before attempting deeper decompilation.
Source-Backed Dossier
The sections below are merged from companion Markdown notes for the same case. They are rendered after sanitization so the article stays precise without publishing raw flags, credentials, or target-specific secrets.
Notes
Scope
- Challenge: NoRadar
- Category: GamePwn
- Difficulty: Easy
- Mode: file
- Remote instance: none
- Start time: 2026-06-09T11:33:10Z
- Operator: harness
- State file:
challenge-state.json
Harness Status
- Current phase: see
challenge-state.json - Next allowed actions: see
next-action.json - Raw flags and sensitive material stay in
loot/only. Do not paste them here.
Artifact Inventory
| File | Size | SHA256 | Type | Notes |
|---|---|---|---|---|
files/a12c736e-81ff-4edc-adda-82bb85a6024b.zip | 1786667 | <hash redacted> | Zip archive data, at least v1.0 to extract, compression method=store | zip entries: 3 shown in artifact inventory JSON |
Evidence Ledger
| Time | Action | Output/File | Finding | Confidence | Next |
|---|---|---|---|---|---|
| 2026-06-09T11:33:10Z | harness init | challenge-state.json | Workspace initialized with deterministic state file | High | Inventory artifacts |
| 2026-06-09T11:33:38Z | artifact inventory | analysis/artifact-inventory.json | 1 artifact(s) inventoried | High | Build or update hypotheses |
| 2026-06-09T11:35:14Z | hypothesis recorded | hypothesis-board.md | Static route extraction from green_cube3_update waypoint table | Medium | Parse the 189 waypoint pairs from .rodata and derive final/current green cube coordinates; validate against constructor/reset logic. |
| 2026-06-09T11:35:14Z | research task | analysis/research/task-20260609T113514483249Z-681c6ef8.md | Research task created for advisory investigation | Medium | Record research output |
| 2026-06-09T11:35:50Z | research record | analysis/research/research-records.md | Research tagged MISSING | Medium | Validate against current evidence |
| 2026-06-09T11:40:53Z | flag capture | loot/flag.txt | HTB-format flag captured; raw value kept in loot only | High | Write solution and run completion gate |
| 2026-06-09T11:42:31Z | completion gate | challenge-state.json | Completion gate passed; state marked COMPLETE | High | Optional sanitized memory summary approval |
| 2026-06-09T11:46:58Z | flag capture | loot/flag.txt | HTB-format flag captured; raw value kept in loot only | High | Write solution and run completion gate |
| 2026-06-09T11:48:19Z | completion gate | challenge-state.json | Completion gate passed; state marked COMPLETE | High | Optional sanitized memory summary approval |
| 2026-06-09T12:03:05Z | flag capture | loot/flag.txt | HTB-format flag captured; raw value kept in loot only | High | Write solution and run completion gate |
| 2026-06-09T12:03:06Z | completion gate | challenge-state.json | Completion gate passed; state marked COMPLETE | High | Optional sanitized memory summary approval |
Key Findings
- The provided ZIP extracted to
gamepwn_noradar/noradarandgamepwn_noradar/assets.dmp; seeanalysis/unzip.txt. noradaris an unstripped Linux x86-64 SDL ELF with visible functions includinggreen_cube3_update; seeanalysis/file-extracted.txtandanalysis/nm.txt.assets.dmpcontains a 350x21 column-major map plus textures namedhtb,floor, andgreen_cube; seeanalysis/assets-parse-summary.txt.- The
green_cube3_updateroutine copies a static waypoint table from.rodataat0x5060; plotting zero-separated 7x7 waypoint groups renders the hidden flag glyphs; seeanalysis/waypoint-glyphs-ascii.txtandanalysis/waypoint-glyphs.png. solve/solve.pyreconstructs the glyphs from the ELF. Two glyphs are leetspeak digits rather than letters: the right-sided E-like glyph is3, and the A-like glyph is4. The solver writes the corrected HTB-format flag toloot/for harness capture.
RAG / Advisory Memory
RAG output is advisory only. Record evaluated retrievals with:
scripts/challenge_harness.py rag-record <workspace> --query "..." --tag MATCHED|PARTIAL|MISSING|<secret redacted>|GENERIC --validation "..."Secrets/Flags
Raw flags and sensitive material stay in loot/ only. Use scripts/challenge_harness.py capture-flag to validate and record flag capture without printing the value.
Memory Summary
Metadata
- Platform: HackTheBox Challenges
- Category: GamePwn
- Challenge: NoRadar
- Difficulty: Easy
- Source workspace:
<local workspace>
Validated Solve Chain
Concepts only. Do not include raw flags, reusable credentials, tokens, cookies, private keys, or live secrets.
- Inventory the archive and extract the unstripped Linux SDL ELF plus custom
assets.dmp. - Use symbols and disassembly to identify
green_cube3_updateas the moving target logic. - Parse the static waypoint table copied from
.rodatainto 187 coordinate pairs. - Split the coordinate list on
(0, 0)sentinels and render each non-empty group as connected 7x7 line glyphs. - Map the rendered glyphs to letters and leetspeak digits, then capture the corrected HTB-format flag through the harness.
Reusable Lessons
- In file-only GamePwn challenges, movement paths can encode text even when textures and strings do not contain the flag.
- For unstripped C/SDL games, start with symbol names and targeted disassembly before heavyweight game execution.
- Render small coordinate tables as glyphs or paths early; visual encodings are common in easy game/reversing hybrids.
- Do not normalize glyph text blindly: E-like/right-sided glyphs may be
3, and A-like glyphs may be4in leetspeak flags.
Dead Ends
- The named
htbtexture was only a branded wall pattern, not the flag. - CTF LightRAG did not contain a relevant NoRadar-specific prior solve.
Tool Quirks
- macOS
otooldid not parse the Linux ELF;file,strings,nm, andobjdumpwere sufficient. - The harness-native RAG query validator rejected broad wording; a manually recorded missing research result was enough because local binary evidence drove the solve.
Evidence Paths
analysis/assets-parse-summary.txtanalysis/disasm-assets-green-updates.txtanalysis/route-table-summary.txtanalysis/waypoint-glyphs-ascii.txtanalysis/waypoint-glyphs.pngsolve/solve.pyloot/flag.txt
Ingestion Decision
- Proposed for LightRAG: yes
- Requires user approval before ingestion: yes
Hypothesis Board
Keep no more than 3 active hypotheses on Easy/Medium and 5 on Hard unless the user explicitly asks for breadth.
| Rank | Path | Evidence | Missing Proof | Cheapest Validation | Confidence | Status |
|---|---|---|---|---|---|---|
| 1 | Static route extraction from green_cube3_update waypoint table | Unstripped ELF exposes green_cube3_update and copies a waypoint table from .rodata at 0x5060; scenario asks to track green cube location. | Parse the 189 waypoint pairs from .rodata and derive final/current green cube coordinates; validate against constructor/reset logic. | Medium | Active |
Closed Branches
| Branch | Evidence Tested | Failure Output | Reason Closed | Revisit Condition |
|---|
Memory Summary
approval_required: true
Sanitized Memory Summary
Metadata
- Platform: HackTheBox Challenges
- Category: GamePwn
- Challenge: NoRadar
- Difficulty: Easy
- Source workspace:
<local workspace>
Validated Solve Chain
Concepts only. Do not include raw flags, reusable credentials, tokens, cookies, private keys, or live secrets.
- Inventory the archive and extract the unstripped Linux SDL ELF plus custom
assets.dmp. - Use symbols and disassembly to identify
green_cube3_updateas the moving target logic. - Parse the static waypoint table copied from
.rodatainto 187 coordinate pairs. - Split the coordinate list on
(0, 0)sentinels and render each non-empty group as connected 7x7 line glyphs. - Map the rendered glyphs to letters and leetspeak digits, then capture the corrected HTB-format flag through the harness.
Reusable Lessons
- In file-only GamePwn challenges, movement paths can encode text even when textures and strings do not contain the flag.
- For unstripped C/SDL games, start with symbol names and targeted disassembly before heavyweight game execution.
- Render small coordinate tables as glyphs or paths early; visual encodings are common in easy game/reversing hybrids.
- Do not normalize glyph text blindly: E-like/right-sided glyphs may be
3, and A-like glyphs may be4in leetspeak flags.
Dead Ends
- The named
htbtexture was only a branded wall pattern, not the flag. - CTF LightRAG did not contain a relevant NoRadar-specific prior solve.
Tool Quirks
- macOS
otooldid not parse the Linux ELF;file,strings,nm, andobjdumpwere sufficient. - The harness-native RAG query validator rejected broad wording; a manually recorded missing research result was enough because local binary evidence drove the solve.
Evidence Paths
analysis/assets-parse-summary.txtanalysis/disasm-assets-green-updates.txtanalysis/route-table-summary.txtanalysis/waypoint-glyphs-ascii.txtanalysis/waypoint-glyphs.pngsolve/solve.pyloot/flag.txt
Ingestion Decision
- Proposed for LightRAG: yes
- Requires user approval before ingestion: yes
Notes
Notes
Scope
- Challenge: NoRadar
- Category: GamePwn
- Difficulty: Easy
- Mode: file
- Remote instance: none
- Start time: 2026-06-09T11:33:10Z
- Operator: harness
- State file:
challenge-state.json
Harness Status
- Current phase: see
challenge-state.json - Next allowed actions: see
next-action.json - Raw flags and sensitive material stay in
loot/only. Do not paste them here.
Artifact Inventory
| File | Size | SHA256 | Type | Notes |
|---|---|---|---|---|
files/a12c736e-81ff-4edc-adda-82bb85a6024b.zip | 1786667 | <hash redacted> | Zip archive data, at least v1.0 to extract, compression method=store | zip entries: 3 shown in artifact inventory JSON |
Evidence Ledger
| Time | Action | Output/File | Finding | Confidence | Next |
|---|---|---|---|---|---|
| 2026-06-09T11:33:10Z | harness init | challenge-state.json | Workspace initialized with deterministic state file | High | Inventory artifacts |
| 2026-06-09T11:33:38Z | artifact inventory | analysis/artifact-inventory.json | 1 artifact(s) inventoried | High | Build or update hypotheses |
| 2026-06-09T11:35:14Z | hypothesis recorded | hypothesis-board.md | Static route extraction from green_cube3_update waypoint table | Medium | Parse the 189 waypoint pairs from .rodata and derive final/current green cube coordinates; validate against constructor/reset logic. |
| 2026-06-09T11:35:14Z | research task | analysis/research/task-20260609T113514483249Z-681c6ef8.md | Research task created for advisory investigation | Medium | Record research output |
| 2026-06-09T11:35:50Z | research record | analysis/research/research-records.md | Research tagged MISSING | Medium | Validate against current evidence |
| 2026-06-09T11: <REDACTED> | |||||
| 2026-06-09T11:42:31Z | completion gate | challenge-state.json | Completion gate passed; state marked COMPLETE | High | Optional sanitized memory summary approval |
| 2026-06-09T11: <REDACTED> | |||||
| 2026-06-09T11:48:19Z | completion gate | challenge-state.json | Completion gate passed; state marked COMPLETE | High | Optional sanitized memory summary approval |
| 2026-06-09T12: <REDACTED> | |||||
| 2026-06-09T12:03:06Z | completion gate | challenge-state.json | Completion gate passed; state marked COMPLETE | High | Optional sanitized memory summary approval |
Key Findings
- The provided ZIP extracted to
gamepwn_noradar/noradarandgamepwn_noradar/assets.dmp; seeanalysis/unzip.txt. noradaris an unstripped Linux x86-64 SDL ELF with visible functions includinggreen_cube3_update; seeanalysis/file-extracted.txtandanalysis/nm.txt.assets.dmpcontains a 350x21 column-major map plus textures namedhtb,floor, andgreen_cube; seeanalysis/assets-parse-summary.txt.- The
green_cube3_updateroutine copies a static waypoint table from.rodataat0x5060; plotting zero-separated 7x7 waypoint groups renders the hidden flag glyphs; seeanalysis/waypoint-glyphs-ascii.txtandanalysis/waypoint-glyphs.png. solve/solve.pyreconstructs the glyphs from the ELF. Two glyphs are leetspeak digits rather than letters: <REDACTED>, and the A-like glyph is4. The solver writes the corrected HTB-format flag toloot/for harness capture.
RAG / Advisory Memory
RAG output is advisory only. Record evaluated retrievals with:
scripts/challenge_harness.py rag-record <workspace> --query "..." --tag MATCHED|PARTIAL|MISSING|<secret redacted>|GENERIC --validation "..."Secrets/Flags
Raw flags and sensitive material stay in loot/ only. Use scripts/challenge_harness.py capture-flag to validate and record flag capture without printing the value.
Technical analogy
How to remember this solve
Think of the game like an arcade cabinet with a score counter behind the glass. The solve is finding where the game stores state and reading or changing it at the right moment.
For NoRadar, keep the mental model simple: identify the trusted assumption, prove it with the smallest safe test, then automate or repeat only the part that directly leads to the flag.