TunnelMadness — HackTheBox

Description

"Within Vault 8707 are located master keys used to access any vault in the country. Unfortunately, the entrance was caved in long ago. There are decades old rumors that the few survivors managed to tunnel out deep underground and make their way to safety. Can you uncover their tunnel and break back into the vault?"

The challenge provided:

• A downloadable binary file
• A remote server: nc 83.136.248.107 38062

Analysis

Initial Reconnaissance

Downloaded and extracted the challenge files. Found an ELF 64-bit binary called tunnel.

$ file tunnel
tunnel: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked...

String Analysis

Found interesting strings that reveal the challenge mechanics:

$ strings tunnel | grep -E "(Direction|Cannot|flag|vault)"
Direction (L/R/F/B/U/D/Q)?
Cannot move that way
/flag.txt
HTB{fake_flag_for_testing}
You break into the vault and read the secrets within...

Key findings:

• Navigation prompt: "Direction (L/R/F/B/U/D/Q)?" — 6 directions for 3D movement plus Quit
• Wall collision: "Cannot move that way" — indicates invalid moves
• Flag path: "/flag.txt" — server reads flag from file
• Test flag: "HTB{fake_flag_for_testing}" — embedded fake flag for local testing
• Success message: "You break into the vault..." — indicates reaching the goal

Function Analysis

Using objdump to identify key functions:

$ objdump -t tunnel | grep -E "(main|get_cell|prompt|flag)"

Key functions identified:

• main — Main game loop
• get_cell — Calculate cell position in 3D maze
• prompt_and_update_pos — Handle movement input
• get_flag — Read and print flag on success

Understanding the Maze Structure

From disassembly of get_cell:

// Pseudo-code reconstruction
struct Cell {
    int x, y, z;    // Coordinates
    int type;       // 0=start, 1=path, 2=wall, 3=goal
};

...