Task: Reverse ELF binary with shared library protected by three obfuscation layers. Solution: Deobfuscate memfrob XOR 0x2a, analyze position-based XOR comparison, reconstruct key accounting for overlapping memory writes.
The crew has located a dilapidated pre-war bunker. Deep within, a dusty control panel reveals that it was once used for communication with a low-orbit observation satellite. During the war, actors on all sides infiltrated and hacked each others systems and software, inserting backdoors to cripple or take control of critical machinery. It seems like this panel has been tampered with to prevent the control codes necessary to operate the satellite from being transmitted - can you recover the codes and take control of the satellite to locate enemy factions?
- satellite - ELF 64-bit executable
- library.so - ELF 64-bit shared library

The challenge involves reversing a binary that loads a shared library whose flag verification logic is protected by three layers of obfuscation.
The code at file offset 0x11a9 in library.so is stored XORed with 0x2a (42), the fixed key that glibc's memfrob() applies to every byte of a buffer. The send_satellite_message function checks an environment variable and, if it is set, calls a function that runs memfrob() over that region so the real check can execute. Because XOR with a constant is its own inverse, applying the same XOR to the file on disk recovers the code without running the binary.
After deobfuscation, the flag comparison logic is revealed. It uses the algorithm:
(input[i] XOR key[i]) == i
This means the correct input is: key[i] XOR i for each position.
The key is constructed from four 8-byte strings loaded via movabs instructions, but the stores land at overlapping offsets, so the key is 29 bytes rather than 32:

- `l5{0v0Y7` at offset 0
- `fVf?u>|:` at offset 8
- `>|:O!|Lx` at offset 13 (overlaps the last three bytes written by s2)
- `!o$j,;f\0` at offset 21

XOR the code section with 0x2a to remove the memfrob obfuscation:
```python
#!/usr/bin/env python3
# Deobfuscate memfrob (XOR 0x2a). memfrob() is its own inverse, so applying
# the same XOR statically undoes what the library does to itself at runtime.
with open('library.so', 'rb') as f:
    data = bytearray(f.read())

# Deobfuscate the code starting at file offset 0x11a9. This XORs everything
# from there to end of file, which is enough to read the movabs instructions
# in a disassembler; bound the range to the protected function if you want
# the patched copy to stay loadable.
offset = 0x11a9
for i in range(offset, len(data)):
    data[i] ^= 0x2a

with open('library_deobf.so', 'wb') as f:
    f.write(data)
```
After deobfuscation, movabs instructions loading key parts are visible in radare2:
```asm
movabs rax, 0x37593076307b356c ; "l5{0v0Y7"
movabs rax, 0x3a7c3e753f665666 ; "fVf?u>|:"
movabs rax, 0x784c7c214f3a7c3e ; ">|:O!|Lx"
movabs rax, 0x00663b2c6a246f21 ; "!o$j,;f\0"
```

The immediates are little-endian, so the lowest byte of each is the first character of the string. Read the destination offset of each store too, not only the immediate: the third store starts at 13, not 16.
```python
#!/usr/bin/env python3
"""
Satellite Hijack - Flag Decoder
Accounts for overlapping memory writes
"""

# Four key parts from movabs instructions
s1 = b'l5{0v0Y7'     # offset 0
s2 = b'fVf?u>|:'     # offset 8
s3 = b'>|:O!|Lx'     # offset 13 (overlaps s2!)
s4 = b'!o$j,;f\x00'  # offset 21

# Construct key with overlapping writes
key = bytearray(29)
key[0:8] = s1     # bytes 0-7
key[8:16] = s2    # bytes 8-15
key[13:21] = s3   # bytes 13-20 (bytes 13-15 are re-written with the same values s2 wrote)
key[21:29] = s4   # bytes 21-28

print(f"Key (hex): {key.hex()}")
print(f"Key (raw): {key}")

# Decode: flag[i] = key[i] XOR i (27 characters; the trailing NUL is not compared)
flag = bytes([key[i] ^ i for i in range(27)])
print(f"\nFlag: HTB{{{flag.decode()}}}")
```
```
Key (hex): 6c357b3076305937665666...
Key (raw): bytearray(b'l5{0v0Y7fVf?u>|:O!|Lx!o$j,;f\x00')

Flag: HTB{l4y3r5_0n_l4y3r5_0n_l4y3r5!}
```
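The two decoding steps, the position-based XOR check and the overlapping stores, combined into one script. This is an added example and not the writeup's own solver: it rebuilds the key straight from the movabs immediates with `struct.pack('<Q', ...)` instead of retyping the strings, replays the stores in program order so later ones win, and emulates the binary's check so the recovered flag is verified round-trip. The immediates are the little-endian encodings of the four strings listed above and the offsets are the ones named in the text; `naive_key()` is my own helper, added to show what goes wrong when the overlap is ignored.

```python
#!/usr/bin/env python3
"""
Added example: rebuild the key from the movabs immediates, replay the
overlapping 8-byte stores, and run the position-based XOR check both ways.
"""
import struct

# (immediate, destination offset) pairs as recovered from the deobfuscated
# library.so. Offsets are where each 8-byte store lands relative to the key.
MOVABS_STORES = [
    (0x37593076307b356c, 0),
    (0x3a7c3e753f665666, 8),
    (0x784c7c214f3a7c3e, 13),   # overlaps the last 3 bytes of the previous store
    (0x00663b2c6a246f21, 21),
]
FLAG_LEN = 27   # bytes the check compares; the trailing NUL is not part of it


def build_key(stores=MOVABS_STORES):
    """Replay 8-byte little-endian stores in program order; later stores win."""
    size = max(off + 8 for _, off in stores)
    key = bytearray(size)
    for imm, off in stores:
        key[off:off + 8] = struct.pack('<Q', imm)   # x86-64 immediates are little-endian
    return bytes(key)


def check_input(candidate, key, n=FLAG_LEN):
    """Emulate the binary's verifier: accept iff (input[i] ^ key[i]) == i for all i."""
    if len(candidate) != n:
        return False
    return all((candidate[i] ^ key[i]) == i for i in range(n))


def recover_flag(key, n=FLAG_LEN):
    """Invert the check: XOR is its own inverse, so input[i] = key[i] ^ i."""
    return bytes(key[i] ^ i for i in range(n))


def naive_key(stores=MOVABS_STORES):
    """Hypothetical mistake: ignore the offsets and concatenate the four strings."""
    return b''.join(struct.pack('<Q', imm) for imm, _ in stores)


if __name__ == "__main__":
    key = build_key()
    flag = recover_flag(key)
    print("key  :", key)
    print("flag : HTB{%s}" % flag.decode())
    print("check:", check_input(flag, key))
    # Concatenation yields a 32-byte key that diverges at byte 16; its "flag" fails the check
    wrong = recover_flag(naive_key())
    print("naive:", wrong, "->", check_input(wrong, key))
```

One detail worth noticing: bytes 13 to 15 receive the same values from s2 and s3 (both write `>|:`), so the trap is the destination offsets rather than the overwritten values. Concatenating the four strings end to end gives a key that agrees with the real one for the first 16 bytes and is wrong from byte 16 onward, which is why the decoded text looks plausible until the middle and then turns to garbage.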
```python
#!/usr/bin/env python3
"""
Satellite Hijack - Complete Solution
HackTheBox Reverse Engineering Challenge

Three layers of obfuscation:
1. memfrob (XOR 0x2a) on code section
2. Position-based XOR comparison: (input[i] ^ key[i]) == i
3. Overlapping memory writes for key construction
"""


def decode_flag():
    # Key parts from movabs instructions (little-endian)
    s1 = b'l5{0v0Y7'     # at offset 0
    s2 = b'fVf?u>|:'     # at offset 8
    s3 = b'>|:O!|Lx'     # at offset 13 (overlaps s2!)
    s4 = b'!o$j,;f\x00'  # at offset 21

    # Reconstruct key with overlapping writes
    key = bytearray(29)
    key[0:8] = s1
    key[8:16] = s2
    key[13:21] = s3   # Re-writes bytes 13-15 (same values as s2); s3 continues from 16
    key[21:29] = s4

    # Decode: flag[i] = key[i] XOR i
    flag_content = bytes([key[i] ^ i for i in range(27)])
    return f"HTB{{{flag_content.decode()}}}"


if __name__ == "__main__":
    flag = decode_flag()
    print(f"Flag: {flag}")
    # Output: HTB{l4y3r5_0n_l4y3r5_0n_l4y3r5!}
```
The flag `l4y3r5_0n_l4y3r5_0n_l4y3r5!` is leet speak for "layers on layers on layers!", an apt name for the three layers of obfuscation protecting it.
Use this technique when:

- memfrob() or a XOR with the constant 0x2a is visible in the binary
- movabs instructions load string data, especially when the stores go to adjacent or overlapping offsets