reverse, free, easy

Exatlon

HackTheBox

The challenge provides a packed ELF binary `exatlon_v1` that prompts for a password and validates it. The goal is to find the correct password, which is the flag.

$ ls tags/ techniques/
upx_unpacking string_analysis arithmetic_decoding left_shift_reversal


Analysis

File Identification

$ file exatlon_v1
exatlon_v1: ELF 64-bit LSB executable, x86-64, statically linked, no section header

The file is a 64-bit ELF, statically linked, with no section headers — typical signs of a packed binary.

UPX Detection

$ strings exatlon_v1 | grep UPX
UPX!
$Info: This file is packed with the UPX executable packer $

The binary is packed with UPX — a standard packer for reducing executable file size.

Unpacking

$ upx -d exatlon_v1 -o exatlon_unpacked
                       Ultimate Packer for eXecutables
        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
   2202568 <-    709524   32.21%   linux/amd64   exatlon_unpacked

Unpacked 1 file.

Size increased from ~710 KB to ~2.2 MB — typical ratio for UPX.

String Analysis of Unpacked Binary

$ strings exatlon_unpacked | grep -i "exatlon\|password\|enter"
exatlon.cpp
[+] Enter Exatlon Password :

The binary is written in C++ (source file exatlon.cpp) and prompts for an "Exatlon Password".

Encoded Password Discovery

Among the strings, a suspicious sequence of space-separated numbers was found:

1152 1344 1056 1968 1728 816 1648 784 1584 816 1728 1520 1840 1664 784 1632 1856 1520 1728 816 1632 1856 1520 784 1760 1840 1824 816 1584 1856 784 1776 1760 528 528 2000

These are 35 numbers — exactly the number of characters in a flag with format HTB{...}.

Encoding Algorithm Identification

Number analysis:

  • First number: 1152. If this is H (ASCII 72), then 1152 / 72 = 16
  • Second number: 1344. If this is T (ASCII 84), then 1344 / 84 = 16
  • Third number: 1056. If this is B (ASCII 66), then 1056 / 66 = 16
  • Fourth number: 1968. If this is { (ASCII 123), then 1968 / 123 = 16

Pattern: each password character is multiplied by 16 (equivalent to bitwise left shift by 4: << 4).

This matches the challenge name "Exatlon" — a hint at shift operations.
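The known-prefix check above, automated as an added example (not part of the original writeup): it derives the multiplier from the HTB{ prefix, rejects inconsistent quotients, and validates that every value decodes to printable ASCII. The function names are illustrative, and handling any constant multiplier rather than only 16 goes beyond the single case shown on the page.

```python
# Encoded values exactly as listed on the page (strings output of the unpacked binary).
ENCODED = [
    1152, 1344, 1056, 1968, 1728, 816, 1648, 784, 1584, 816, 1728, 1520,
    1840, 1664, 784, 1632, 1856, 1520, 1728, 816, 1632, 1856, 1520, 784,
    1760, 1840, 1824, 816, 1584, 1856, 784, 1776, 1760, 528, 528, 2000,
]

def recover_factor(encoded, known_prefix):
    """Return the one multiplier k with encoded[i] == k * ord(known_prefix[i])."""
    if len(encoded) < len(known_prefix):
        raise ValueError("fewer encoded values than known characters")
    factors = set()
    for value, ch in zip(encoded, known_prefix):
        quotient, remainder = divmod(value, ord(ch))
        if remainder:
            raise ValueError(f"{value} is not a multiple of ord({ch!r})")
        factors.add(quotient)
    if len(factors) != 1:
        raise ValueError(f"inconsistent factors {sorted(factors)}: not a plain multiply")
    return factors.pop()

def shift_amount(factor):
    """Return n when factor == 2**n (multiply equals << n), otherwise None."""
    if factor > 0 and factor & (factor - 1) == 0:
        return factor.bit_length() - 1
    return None

def decode(encoded, factor):
    """Divide every value by factor, insisting on exact printable ASCII results."""
    chars = []
    for index, value in enumerate(encoded):
        quotient, remainder = divmod(value, factor)
        if remainder or not 0x20 <= quotient <= 0x7E:
            raise ValueError(f"value #{index} ({value}) is not printable ASCII * {factor}")
        chars.append(chr(quotient))
    return "".join(chars)

if __name__ == "__main__":
    k = recover_factor(ENCODED, "HTB{")  # known flag prefix from the page
    print(f"factor={k} shift={shift_amount(k)}")
    print(decode(ENCODED, k))
```

A ValueError from either function means the hypothesis is wrong (the transform is not a constant multiply), which is the signal to move on to disassembly instead of trusting a partial decode.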

Solution

Decoding Script

#!/usr/bin/env python3
"""
Exatlon decoder — HackTheBox Reverse Engineering
Encoding: char * 16 (logical left shift by 4 bits)
Decoding: number // 16 -> ASCII char
"""

encoded = [
    1152, 1344, 1056, 1968, 1728, 816, 1648, 784, 1584, 816, 1728, 1520,
    1840, 1664, 784, 1632, 1856, 1520, 1728, 816, 1632, 1856, 1520, 784,
    1760, 1840, 1824, 816, 1584, 1856, 784, 1776, 1760, 528, 528, 2000
]

password = ''.join(chr(x // 16) for x in encoded)
print(f"Password: {password}")

One-liner

python3 -c "print(''.join(chr(x//16) for x in [1152,1344,1056,1968,1728,816,1648,784,1584,816,1728,1520,1840,1664,784,1632,1856,1520,1728,816,1632,1856,1520,784,1760,1840,1824,816,1584,1856,784,1776,1760,528,528,2000]))"

Result

Password: HTB{l3g1c3l_sh1ft_l3ft_1nsr3ct1on!!}

Lessons

  1. UPX is the first thing to check — if file shows "no section header" or "statically linked" for a small binary, check strings | grep UPX
  2. Challenge name is a hint — "Exatlon" hints at shift operations, which was confirmed by the << 4 algorithm
  3. Test hypothesis on known characters — knowing the flag format HTB{, you can quickly calculate the encoding coefficient
  4. Static analysis is sufficient for simple challenges — no disassembler or debugger was needed, strings and arithmetic were enough

Alternative Approaches

  • Ghidra/IDA — full disassembly to confirm the << 4 algorithm in code
  • ltrace/strace — call tracing to observe the comparison
  • GDB — set breakpoint on the comparison function and read the expected value from memory
