Un-mad-ning The CubeMadness1 [HTB Writeup]
Writeup of Hack The Box's GamePwn Challenge, CubeMadness
Hey There👋, how y’all holding up? Without further ado, let’s get to business.
HTB (Hack The Box) recently released a new challenge type called “GamePwn”, with one challenge in it so far: CubeMadness1. It is ranked as “very easy”, but for a beginner it isn't necessarily that easy (I guess 🤷♂️). So here's my writeup on it.
What we need?
- The game (downloaded from HTB): what we gonna pwn
- Cheat Engine (CE from here on): what we gonna pwn with
Before downloading the Cheat Engine setup, be aware that your antivirus solution may flag CE as malware, since reading and writing another process's memory is exactly what a lot of real malware does. I had to turn mine off to install it and even while using CE. If you can, prefer adding an exclusion for the CE folder over switching the antivirus off outright, and download CE only from its official site. You also need to be an Administrator to install CE.
Install CE, extract the zip file you obtained (the password is found below the hash of the file on the HTB challenge pane) and run the .exe with the HTB icon (the actual game).
Knowledge wise… (FEEL FREE TO SKIP IF YOU PREFER)
- Unlike other challenges, this one doesn't actually require any code-authoring. You can get away with a few basic concepts, though some knowledge of how executables work is preferable. Let me get you the few necessary concepts first.
- Everything you see on screen during play (score, positions, timers) is computed from values held in CPU registers and RAM. The disk only holds the executable and its assets; nothing is read back from HDD/SSD in real time to draw the current state.
- The OS gives each process its own virtual address space, backed by RAM (and by swap on disk when RAM runs short). Inside that space the process's code, global data, HEAP and STACK occupy different address ranges.
- Data that needs to persist beyond a single function call and is managed manually by the process is stored on the HEAP; function-bound data (locals, return addresses) lives on the STACK.
- The process (actually the developer) assumes that its HEAP and STACK are only read and written by itself or its children. In reality the kernel can, and so can any other process holding a handle with sufficient rights, which on Windows is exactly what the debugger APIs ReadProcessMemory and WriteProcessMemory expose. That is what CE relies on, and what we will do for the challenge.
How data is accessed
- Every byte in RAM is identified by a unique number, its ADDRESS, and the CPU reads and writes memory by address.
- Changing which address the code reads from alters the flow/behaviour of the process. So does changing the datum stored at an address, and that's our key to the challenge: find the address of the cube counter and overwrite it.
How we gonna do this?
Launch the game (filename). I will assume that you already got your head wrapped around this game; if not, go ahead and give it a try.
Launch CE and attach it to the game process
1. Click here to open process selector
2. Attach the HackTheBox CubeMadness1.exe
Type 0 and scan.
Set the value to 0, make sure the scan type is “Exact Value”, and hit “New Scan”.
Here we are scanning the memory area assigned to the game for every cell that currently holds the value we recognise (the cube count, 0 at the start) and collecting the addresses of all of them. I got almost a million hits, which is way too many to digest, so let's filter them down.
Press Spacebar to jump and grab a cube.
Now go to CE, change 0️ ➡️ 1, change the scan type to ⚠️“Increased value by…”⚠️ and hit ⚠️“Next Scan”⚠️. CE now keeps only the addresses whose value has gone up by exactly 1 since the previous scan.
Now go to the game and get 2 cubes.
Then in CE change 1 ➡️ 2 and hit “Next Scan”.
We took 2 cubes at once so that the expected delta differs from the previous round. That eliminates cells that happened to rise by 1 alongside the counter (frame counters, timers, or anything the developer may have added to make a naive scan harder).
Now you get the idea; the number of results should have dropped significantly. Again get 1 cube, change the value to 1 and hit “Next Scan”.
Then get 2 cubes, change the value to 2 and hit “Next Scan”.
Now what you see in the results pane is far fewer than what we had. Select them and hit the red arrow (in the bottom-right corner) of the pane.
Select the remaining results and hit the arrow icon
Then in the bottom panel you can select the values and hit Enter to change the value at those addresses. You can explore changing them to whatever you like, but 20 will get the job done, as the description of the challenge states…
“Gotta collect them all.”
You should see the flag on the game screen somewhere. If not, then try starting with 1 instead of 0 from the beginning and follow the same idea.
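To make it clear what CE is actually doing across those scans, here is the same procedure as an added Python example (my own, not code from the writeup or from HTB). Process memory is a constructed bytearray standing in for the game's address space, the counter is assumed to be a 32-bit little-endian integer (CE's default “4 Bytes” type), and the offsets SCORE, FRAMES, DECOY and MIRROR are made up for the simulation; a real tool would read and write the live process (ReadProcessMemory/WriteProcessMemory on Windows) instead of a local buffer. The decoy cells are there to show why alternating 1-cube and 2-cube pickups matters.

```python
"""Differential memory scan, the way Cheat Engine does it:
exact scan -> repeated "Increased value by" next-scans -> write.
All memory here is a constructed buffer, not a real process."""
import struct

CELL = 4            # assumption: the cube counter is a 32-bit little-endian int

# constructed layout of the fake process memory
SCORE = 0x40        # the real cube counter
FRAMES = 0x80       # a frame counter: grows every tick by a varying amount
DECOY = 0xC0        # rises by 1 on the first pickup only, then freezes
MIRROR = 0xE0       # tracks the score for the first two pickups, then freezes


def read(mem, off):
    return struct.unpack_from("<i", mem, off)[0]


def write(mem, off, value):
    struct.pack_into("<i", mem, off, value)


def exact_scan(mem, value):
    """First scan ("Exact Value"): every aligned cell whose int32 equals value."""
    return [off for off in range(0, len(mem) - CELL + 1, CELL) if read(mem, off) == value]


def increased_by(prev, cur, candidates, delta):
    """Next scan ("Increased value by..."): keep candidates that rose by exactly delta."""
    return [off for off in candidates if read(cur, off) - read(prev, off) == delta]


def new_game(start=0):
    """Fresh fake game: 64 cells, nearly all zero, so the first scan is very noisy."""
    mem = bytearray(0x100)
    write(mem, 0x10, 7)          # some unrelated non-zero value
    write(mem, SCORE, start)     # counter may not start at 0 (the writeup's fallback)
    return mem


def pickup(mem, cubes, frames, pickups_so_far):
    """Advance the constructed game: collect `cubes` cubes over `frames` frames."""
    write(mem, SCORE, read(mem, SCORE) + cubes)
    write(mem, FRAMES, read(mem, FRAMES) + frames)
    if pickups_so_far == 0:
        write(mem, DECOY, 1)                      # looks like the counter for one round
    if pickups_so_far < 2:
        write(mem, MIRROR, read(mem, MIRROR) + cubes)  # looks like it for two rounds


def run(start=0, steps=(1, 2, 1, 2), frames=(37, 91, 12, 55)):
    """Run the writeup's scan sequence.

    Returns (surviving candidate offsets, memory, candidate count after each scan)."""
    mem = new_game(start)
    cands = exact_scan(mem, start)
    counts = [len(cands)]
    for i, (cubes, fr) in enumerate(zip(steps, frames)):
        prev = bytes(mem)                 # snapshot before the pickup
        pickup(mem, cubes, fr, i)
        cands = increased_by(prev, mem, cands, cubes)
        counts.append(len(cands))
    return cands, mem, counts


def set_score(mem, cands, value=20):
    """Write the wanted value to every surviving address; return the live counter."""
    for off in cands:
        write(mem, off, value)
    return read(mem, SCORE)


if __name__ == "__main__":
    cands, mem, counts = run()
    print("candidates after each scan:", counts)      # [63, 3, 2, 1, 1]
    print("surviving addresses:", [hex(c) for c in cands])
    print("counter after write:", set_score(mem, cands, 20))
```

The candidate counts tell the story: the exact scan for 0 matches almost every cell, the first “increased by 1” keeps the counter plus both decoys, “increased by 2” drops DECOY, and the next “increased by 1” drops MIRROR, leaving only SCORE. With `run(start=1)` the exact scan is already selective, which is why starting from 1 is a reasonable fallback when the counter does not begin at 0.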
Enjoy the day 🤗.
Here are some resources you may find useful…
That’s it for this writeup. If you encounter anything or have doubts or such, write to me via social media or the comments; I would love to hear from you. Till then, this is BE signing off🛑.