Challenge / GamePwn

SokobanHTB

SokobanHTB is a sanitized challenge note from the local HTB archive, organized for quick review by category, difficulty, evidence flow, and reusable operator

Easy | Published 2024-08-23 | Sanitized local writeup

Scenario

SokobanHTB attack path


Objective

Challenge walkthrough focused on GamePwn evidence, validation, and reusable operator lessons.

SokobanHTB sanitized attack graph

Walkthrough flow

  1. Extract and inventory the archive; identify the...
  2. Use PE section mapping and disassembly to locate the...
  3. Recover the Sokoban map table from .rdata; use the...
  4. Decrypt the embedded ciphertext offline with TEA and...

Source coverage

High source coverage

Status: complete. This article is generated from 6 sanitized Markdown sources and keeps raw flags, credentials, keys, cookies, and reusable secrets out of the rendered blog.

100% coverage
Evidence verdict

High confidence: the page is reconstructed from a primary walkthrough plus multiple supporting notes or evidence sources. Treat the chain as source-backed, while still checking the listed source files for sensitive values.

  • GamePwn/SokobanHTB/writeup.md
  • htb-challenge/GamePwn/SokobanHTB/notes.md
  • htb-challenge/GamePwn/SokobanHTB/memory-summary.md
  • htb-challenge/GamePwn/SokobanHTB/hypothesis-board.md
  • HTB/_knowledge/exports/ctf-lightrag-latest-203412/documents/challenge__GamePwn__SokobanHTB__memory-summary.md.2067ac9a7c.md
  • HTB/_knowledge/exports/ctf-lightrag-latest-203412/documents/challenge__GamePwn__SokobanHTB__notes.md.65174b4ed8.md

Technical Walkthrough

Writeup

Challenge

  • Name: SokobanHTB
  • Category: GamePwn
  • Difficulty: Easy
  • Mode: file

Summary

SokobanHTB is a native Windows x64 GamePwn challenge. The level is intentionally impossible from normal gameplay, but the win path embeds enough state to recover the flag offline.

The decisive path was static reverse engineering: validate the executable and assets, locate the embedded Sokoban map, identify the TEA decrypt routine and ciphertext constants, derive the same key material from the map target coordinates, and decrypt the flag locally. The raw flag is stored only in loot/flag.txt.

Artifact Inventory

  • files/a12c73a3-f9b4-4665-8b99-9d0320dc157e.zip: original challenge archive, preserved unmodified.
  • files/extracted/gamepwn_sokobanhtb/out/build/x64-release/SokobanHTB/SokobanHTB.exe: native Windows PE32+ x86-64 executable.
  • files/extracted/gamepwn_sokobanhtb/assets/X.png, box.png, player.png: image assets referenced by the game.
  • analysis/artifact-inventory.json, analysis/file-types.txt, and analysis/sha256-extracted.txt record the inventory and hashes.

Analysis

  • analysis/interesting-strings.txt confirms the binary is the Sokoban game and references SFML/OpenGL plus the three bundled assets. No plaintext flag was found through normal string search.
  • analysis/pe-section-table.txt maps PE sections so static virtual addresses can be tied back to file offsets. The relevant data lives in .rdata, with the executable code in .text.
  • analysis/map-cells-validated.txt validates a 6x7 map table recovered from .rdata. The cell layout contains targets, player, and box state matching the challenge premise.
  • analysis/disasm-tea-cipher-grep.txt shows the TEA final sum 0xc6ef3720, which indicates a 32-round TEA-style decrypt routine.
  • The same disassembly output shows ten immediate ciphertext words loaded near VA 0x140005751.
  • Local validation in analysis/tea-decrypt-validation.txt confirms that decrypting those words with the recovered key material produces an HTB-format flag. The flag text in that analysis file is redacted.
  • Public challenge research was treated only as a lead. The accepted evidence is the local binary disassembly, map extraction, and local decrypt validation.
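
The VA-to-file-offset mapping described in the analysis list, as an added example (not the page's own tooling). The header bytes are constructed: the section sizes, raw pointers and the 0x140000000 image base are assumptions, so the offset computed for VA 0x140005751 applies only to this sample layout.

```python
import struct

def build_sample_pe():
    """Constructed minimal PE32+ headers with two sections (not the challenge binary)."""
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 0xF0, 0x22)  # x64, two sections
    opt = bytearray(0xF0)
    struct.pack_into("<H", opt, 0, 0x20B)          # PE32+ magic
    struct.pack_into("<Q", opt, 24, 0x140000000)   # ImageBase (assumed value)
    def sec(name, vsize, rva, rawsize, rawptr):
        return struct.pack("<8sIIII16x", name, vsize, rva, rawsize, rawptr)
    table = (sec(b".text", 0x9000, 0x1000, 0x9000, 0x400)
             + sec(b".rdata", 0x3000, 0xA000, 0x2E00, 0x9400))
    return dos + b"PE\0\0" + coff + bytes(opt) + table

def parse_sections(pe):
    """Return (image_base, [(name, rva, vsize, rawptr, rawsize), ...])."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (nt,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (nsec,) = struct.unpack_from("<H", pe, nt + 6)
    (opt_size,) = struct.unpack_from("<H", pe, nt + 20)
    opt = nt + 24
    if struct.unpack_from("<H", pe, opt)[0] != 0x20B:
        raise ValueError("not a PE32+ optional header")
    (image_base,) = struct.unpack_from("<Q", pe, opt + 24)
    out = []
    for i in range(nsec):
        name, vsize, rva, rawsize, rawptr = struct.unpack_from(
            "<8sIIII", pe, opt + opt_size + 40 * i)
        out.append((name.rstrip(b"\0").decode(), rva, vsize, rawptr, rawsize))
    return image_base, out

def va_to_offset(va, image_base, sections):
    """Map a virtual address from the disassembly to (section name, file offset)."""
    rva = va - image_base
    for name, sec_rva, vsize, rawptr, rawsize in sections:
        if sec_rva <= rva < sec_rva + max(vsize, rawsize):
            if rva - sec_rva >= rawsize:
                raise ValueError("address is in the zero-filled tail, not in the file")
            return name, rawptr + (rva - sec_rva)
    raise ValueError("address is outside every section")

IMAGE_BASE, SECTIONS = parse_sections(build_sample_pe())
```
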

Solve

Run:

```bash
cd <local workspace>
python3 solve/solve.py
```

The script:

  1. Uses the ciphertext words recovered from the executable.
  2. Uses the Sokoban-derived TEA key [154, 512, 384, 640].
  3. Decrypts the ciphertext block-by-block.
  4. Verifies that the result is flag-shaped.
  5. Writes the raw flag only to loot/flag.txt.
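
The decrypt-and-verify steps above, as an added example that is not the page's solve/solve.py. The key words and the final sum 0xc6ef3720 come from the page; the ten ciphertext words are constructed here by encrypting a placeholder string, and standard TEA over independent 64-bit blocks with little-endian word packing is an assumption.

```python
import re
import struct

DELTA, MASK, ROUNDS = 0x9E3779B9, 0xFFFFFFFF, 32
FINAL_SUM = (DELTA * ROUNDS) & MASK   # 0xC6EF3720, the constant seen in the disassembly
KEY = [154, 512, 384, 640]            # key words given on the page
SAMPLE = b"HTB{constructed_placeholder_not_a_flag}"  # constructed, not the real flag

def tea_encrypt_block(v0, v1, k):
    s = 0
    for _ in range(ROUNDS):
        s = (s + DELTA) & MASK
        v0 = (v0 + (((v1 << 4) + k[0]) ^ (v1 + s) ^ ((v1 >> 5) + k[1]))) & MASK
        v1 = (v1 + (((v0 << 4) + k[2]) ^ (v0 + s) ^ ((v0 >> 5) + k[3]))) & MASK
    return v0, v1

def tea_decrypt_block(v0, v1, k):
    s = FINAL_SUM                     # decryption starts at the final sum and counts down
    for _ in range(ROUNDS):
        v1 = (v1 - (((v0 << 4) + k[2]) ^ (v0 + s) ^ ((v0 >> 5) + k[3]))) & MASK
        v0 = (v0 - (((v1 << 4) + k[0]) ^ (v1 + s) ^ ((v1 >> 5) + k[1]))) & MASK
        s = (s - DELTA) & MASK
    return v0, v1

def decrypt_words(words, key=KEY):
    """Decrypt 32-bit words two at a time (assumed: independent blocks, little-endian)."""
    if len(words) % 2:
        raise ValueError("TEA needs an even number of 32-bit words")
    plain = []
    for i in range(0, len(words), 2):
        plain.extend(tea_decrypt_block(words[i], words[i + 1], key))
    return struct.pack("<%dI" % len(plain), *plain).rstrip(b"\0")

def is_flag_shaped(data):
    """Shape check only: HTB{...} with printable ASCII inside."""
    return re.fullmatch(rb"HTB\{[\x20-\x7e]+\}", data) is not None

def make_sample_ciphertext():
    """Build ten constructed ciphertext words by encrypting SAMPLE with KEY."""
    words = struct.unpack("<10I", SAMPLE.ljust(40, b"\0"))
    cipher = []
    for i in range(0, 10, 2):
        cipher.extend(tea_encrypt_block(words[i], words[i + 1], KEY))
    return cipher
```
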

The harness then captures the flag with:

```bash
cd <local workspace>
python3 scripts/challenge_harness.py capture-flag GamePwn/SokobanHTB --from loot/flag.txt
```

Flag

Captured through the harness. Raw flag is stored in loot/flag.txt and intentionally not reproduced here.

Lessons

  • For native GamePwn binaries, an impossible map often means the intended route is to inspect the win/decrypt path rather than brute force gameplay.
  • Public writeups are useful leads, but they should not be accepted until the local artifact proves the same constants and flow.
  • Keep flag-bearing decrypt output in loot/ only; redact validation transcripts in analysis/.

Source-Backed Dossier

The sections below are merged from companion Markdown notes for the same case. They are rendered after sanitization so the article stays precise without publishing raw flags, credentials, or target-specific secrets.

Notes

Scope

  • Challenge: SokobanHTB
  • Category: GamePwn
  • Difficulty: Easy
  • Mode: file
  • Remote instance: none
  • Start time: 2026-06-09T14:02:42Z
  • Operator: harness
  • State file: challenge-state.json

Harness Status

  • Current phase: see challenge-state.json
  • Next allowed actions: see next-action.json
  • Raw flags and sensitive material stay in loot/ only. Do not paste them here.

Artifact Inventory

| File | Size | SHA256 | Type | Notes |
|---|---|---|---|---|
| files/a12c73a3-f9b4-4665-8b99-9d0320dc157e.zip | 538807 | <hash redacted> | Zip archive data, at least v1.0 to extract, compression method=store | zip entries: 10 shown in artifact inventory JSON |

Evidence Ledger

| Time | Action | Output/File | Finding | Confidence | Next |
|---|---|---|---|---|---|
| 2026-06-09T14:02:42Z | harness init | challenge-state.json | Workspace initialized with deterministic state file | High | Inventory artifacts |
| 2026-06-09T14:02:58Z | artifact inventory | analysis/artifact-inventory.json | 1 artifact(s) inventoried | High | Build or update hypotheses |
| 2026-06-09T14:03:19Z | hypothesis recorded | hypothesis-board.md | Windows game binary with an impossible Sokoban level; recover or bypass the map/win condition by static analysis of SokobanHTB.exe and bundled assets. | Medium | Run file/strings on the PE, search for map/flag/win strings, then inspect asset references and embedded constants before dynamic execution. |
| 2026-06-09T14:03:21Z | research skip | analysis/research/research-skip.md | Research intentionally skipped with recorded reason | Medium | Gate before exploit |
| 2026-06-09T14:05:05Z | research record | analysis/research/research-records.md | Research tagged MATCHED | Medium | Validate against current evidence |
| 2026-06-09T14:09:02Z | flag capture | loot/flag.txt | HTB-format flag captured; raw value kept in loot only | High | Write solution and run completion gate |
| 2026-06-09T14:11:47Z | completion gate | challenge-state.json | Completion gate passed; state marked COMPLETE | High | Optional sanitized memory summary approval |

Key Findings

  • The archive extracts to a native Windows x64 console/game executable plus three PNG assets: SokobanHTB.exe, X.png, box.png, and player.png.
  • Static strings identify the executable as an SFML/OpenGL Sokoban game and show asset references, but no plaintext flag string.
  • PE section mapping and disassembly identify a TEA-style decrypt routine: the binary loads the TEA final sum 0xc6ef3720 and ten 32-bit ciphertext words near VA 0x140005751.
  • The relevant .rdata map cells are a 6x7 Sokoban grid. The validated X-mark / target coordinate material supports the key [154, 512, 384, 640] used by the decrypt path.
  • solve/solve.py reproduces the decrypt path locally, writes the raw flag only to loot/flag.txt, and prints only a sanitized status line.
  • The harness captured the flag from loot/flag.txt; no raw flag value is present in analysis notes.

RAG / Advisory Memory

RAG output is advisory only. Record evaluated retrievals with:

```bash
scripts/challenge_harness.py rag-record <workspace> --query "..." --tag MATCHED|PARTIAL|MISSING|<secret redacted>|GENERIC --validation "..."
```

Secrets/Flags

Raw flags and sensitive material stay in loot/ only. Use scripts/challenge_harness.py capture-flag to validate and record flag capture without printing the value.

Memory Summary

Metadata

  • Platform: HackTheBox Challenges
  • Category: GamePwn
  • Challenge: SokobanHTB
  • Difficulty: Easy
  • Source workspace: <local workspace>

Validated Solve Chain

Concepts only. Do not include raw flags, reusable credentials, tokens, cookies, private keys, or live secrets.

  1. Extract and inventory the archive; identify the native Windows x64 SokobanHTB.exe and bundled SFML-style assets.
  2. Use PE section mapping and disassembly to locate the TEA-style decrypt routine and embedded ciphertext constants.
  3. Recover the Sokoban map table from .rdata; use the target-coordinate-derived key material that the binary's win/decrypt path expects.
  4. Decrypt the embedded ciphertext offline with TEA and write the raw flag only to loot/flag.txt.

Reusable Lessons

  • In impossible-map GamePwn challenges, inspect the win condition and decrypt path before trying to patch or solve gameplay.
  • A recognizable crypto constant such as TEA's final sum can quickly anchor the reverse engineering path.
  • Treat public writeups as leads only; validate constants, map state, and decrypt output against the local binary.
  • Redact flag-shaped decrypt validation output in analysis/; keep raw flag material in loot/.

Dead Ends

  • Plain string search did not reveal a flag.
  • PNG metadata and direct asset inspection did not contain the flag.
  • Dynamic game execution was unnecessary once the decrypt path and constants were validated statically.

Tool Quirks

  • macOS /usr/bin/strings did not support the GNU -e usage attempted during triage; normal ASCII strings and LLVM tools were sufficient.
  • llvm-objdump and PE section mapping were enough to validate the static route without Ghidra/radare2.

Evidence Paths

  • analysis/file-types.txt
  • analysis/pe-section-table.txt
  • analysis/map-cells-validated.txt
  • analysis/disasm-tea-cipher-grep.txt
  • analysis/tea-decrypt-validation.txt
  • solve/solve.py
  • loot/flag.txt

Ingestion Decision

  • Proposed for LightRAG: yes
  • Requires user approval before ingestion: yes

Hypothesis Board

Keep no more than 3 active hypotheses on Easy/Medium and 5 on Hard unless the user explicitly asks for breadth.

| Rank | Path | Evidence | Missing Proof | Cheapest Validation | Confidence | Status |
|---|---|---|---|---|---|---|
| 1 | Windows game binary with an impossible Sokoban level; recover or bypass the map/win condition by static analysis of SokobanHTB.exe and bundled assets. | Archive contains SokobanHTB.exe and assets/X.png, box.png, player.png; scenario says a box is outside the walls. | | Run file/strings on the PE, search for map/flag/win strings, then inspect asset references and embedded constants before dynamic execution. | Medium | Active |

Closed Branches

| Branch | Evidence Tested | Failure Output | Reason Closed | Revisit Condition |
|---|---|---|---|---|

Memory Summary

approval_required: true


Technical analogy

How to remember this solve

Think of the game like an arcade cabinet with a score counter behind the glass. The solve is finding where the game stores state and reading or changing it at the right moment.

For SokobanHTB, keep the mental model simple: identify the trusted assumption, prove it with the smallest safe test, then automate or repeat only the part that directly leads to the flag.