Satellite Hijack

Task: Reverse ELF binary with shared library protected by three obfuscation layers. Solution: Deobfuscate memfrob XOR 0x2a, analyze position-based XOR comparison, reconstruct key accounting for overlapping memory writes.

Satellite Hijack — HackTheBox

Description

The crew has located a dilapidated pre-war bunker. Deep within, a dusty control panel reveals that it was once used for communication with a low-orbit observation satellite. During the war, actors on all sides infiltrated and hacked each other's systems and software, inserting backdoors to cripple or take control of critical machinery. It seems like this panel has been tampered with to prevent the control codes necessary to operate the satellite from being transmitted - can you recover the codes and take control of the satellite to locate enemy factions?

Files

  • satellite - ELF 64-bit executable
  • library.so - ELF 64-bit shared library

Analysis

The challenge involves reversing a binary that loads a shared library with flag verification logic protected by three layers of obfuscation.

Layer 1: memfrob Obfuscation

The code section at offset 0x11a9 in library.so has been XOR'd with 0x2a (42), which is the fixed key used by glibc's memfrob() function. The send_satellite_message function checks an environment variable and, if it is set, calls a function that runs memfrob over that region to restore the real code in place before it executes.

Layer 2: Position-based XOR Comparison

After deobfuscation, the flag comparison logic is revealed. For each position i it checks:

(input[i] XOR key[i]) == i

Since XOR is its own inverse, the input that passes the check is key[i] XOR i at each position.

Layer 3: Overlapping Memory Writes

The key is constructed from four 8-byte strings loaded via movabs instructions, but they are written to overlapping memory regions:

  • s1 (l5{0v0Y7) at offset 0
  • s2 (fVf?u>|:) at offset 8
  • s3 (>|:O!|Lx) at offset 13 (overlaps s2!)
  • s4 (!o$j,;f\0) at offset 21

Solution

Step 1: Deobfuscating library.so

XOR the code section with 0x2a to remove memfrob obfuscation:

#!/usr/bin/env python3
# Deobfuscate memfrob (XOR 0x2a)
...
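As an added example that is not the writeup's own script, the following Python replays all three layers on the values listed under Analysis: a memfrob helper for Layer 1, the overlapping-store replay for Layer 3, and the position XOR inversion for Layer 2. Assumptions, marked in the code: the memfrob step takes the section length from the caller (the writeup gives only the start offset), the four stores are replayed in the order listed with a later write winning on overlap, and the comparison ends at the NUL that terminates s4.

```python
#!/usr/bin/env python3
"""Replay the three Satellite Hijack layers on the values given in the writeup."""

MEMFROB_KEY = 0x2A  # glibc memfrob() XORs every byte with 42


def memfrob(data: bytes) -> bytes:
    """XOR each byte with 0x2a; applying it twice restores the original bytes."""
    return bytes(b ^ MEMFROB_KEY for b in data)


def deobfuscate_section(image: bytes, start: int, length: int) -> bytes:
    """Layer 1: un-memfrob only [start, start+length) of a file image."""
    # The writeup gives the start (0x11a9) but not the length; both come from
    # the caller's disassembly rather than being assumed here.
    return image[:start] + memfrob(image[start:start + length]) + image[start + length:]


# Layer 3: (offset, 8 bytes) of each movabs store, in the order the writeup lists.
# s3 lands at 13 and overlaps the last three bytes of s2; those bytes happen to
# be identical (">|:"), so for this key the replay order does not matter.
KEY_WRITES = [
    (0, b"l5{0v0Y7"),
    (8, b"fVf?u>|:"),
    (13, b">|:O!|Lx"),
    (21, b"!o$j,;f\x00"),
]


def build_key(writes) -> bytes:
    """Replay the stores into one buffer so a later write wins wherever they overlap."""
    size = max(off + len(chunk) for off, chunk in writes)
    buf = bytearray(size)
    for off, chunk in writes:
        buf[off:off + len(chunk)] = chunk
    return bytes(buf)


def decode_expected_input(key: bytes) -> str:
    """Layer 2: invert (input[i] ^ key[i]) == i as input[i] = key[i] ^ i."""
    out = bytearray()
    for i, k in enumerate(key):
        if k == 0:  # assumption: the check stops at the NUL that terminates s4
            break
        out.append(k ^ i)
    return out.decode("ascii")


print(decode_expected_input(build_key(KEY_WRITES)))  # prints l4y3r5_0n_l4y3r5_0n_l4y3r5!}
```

The reconstructed key is 29 bytes (28 printable plus the NUL), so the decoded string is 28 characters; re-checking it against the original condition confirms every position XORs back to its index.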