SEPC (Secure Enclave)

HackTheBox

The challenge provides a bootable Linux system: `bzImage` (kernel), `initramfs.cpio.gz` (filesystem), `run.sh` (QEMU launch script). The goal is to reverse a kernel module that implements password verification through a character device and extract the flag from the `.rodata` section.

Tags: rodata_extraction, xor_key_recovery, kernel_module_analysis, char_device_protocol_reversing, initramfs_extraction

Description

We've extracted an embedded operating system running on an intercepted deep-space satellite launched by Arodor. If we can breach the secure enclave and extract their security mechanisms, we can crack their encrypted communications.

Analysis

Step 1: Extracting the Filesystem

Unpacking initramfs.cpio.gz reveals the structure:

/init              — boot script
/checker           — ELF 64-bit statically linked stripped (userspace)
/checker.ko        — Linux kernel module (not stripped)
/initramfs.cpio.gz — internal initramfs (empty/incomplete)

The /init script shows the interaction architecture:

insmod checker.ko
mount -t proc none /proc
mount -t sysfs none /sys
mknod /dev/checker c 137 0
chmod 0666 /dev/checker
exec /checker

Key point: the kernel module checker.ko is loaded, a character device /dev/checker is created with major number 137, then the userspace binary /checker is launched which communicates with the kernel through this device.

Step 2: Analyzing the Kernel Module (checker.ko)

The module is not stripped — all symbols are available for analysis. It creates a character device with 4 handlers:

Handler   Behavior
open      Single-open guard; initializes counter = 0, clears state
release   Resets the open flag
write     Copies exactly 1 byte from userspace to BSS buffer
read      Main verification logic — byte-by-byte XOR comparison

The read handler implements byte-by-byte verification:

// Pseudocode of read handler
if (count != 1)
    return -EINVAL;                 // exactly one byte per read
// both XOR operands live in .rodata: the key at 0x20, the masked byte at 0x60
byte expected = rodata[0x60 + counter] ^ rodata[0x20 + counter];
...
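An added example, not code from the writeup or the challenge: a Python model of the verification the pseudocode describes, run over a constructed .rodata image. The 0x20/0x60 offsets and the one-byte read/write protocol come from the writeup; the secret and key contents, the end-of-input guard and the accept/reject values returned by read() are assumptions.

```python
RODATA_KEY_OFF = 0x20     # XOR key region offset (from the writeup's pseudocode)
RODATA_MASKED_OFF = 0x60  # masked secret region offset (from the writeup's pseudocode)
EINVAL = -22

def build_rodata(secret: bytes, key: bytes) -> bytes:
    """Construct a fake .rodata image: key at 0x20, secret XOR key at 0x60."""
    if len(secret) != len(key):
        raise ValueError("secret and key must have equal length")
    buf = bytearray(RODATA_MASKED_OFF + len(secret))
    buf[RODATA_KEY_OFF:RODATA_KEY_OFF + len(key)] = key
    masked = bytes(s ^ k for s, k in zip(secret, key))
    buf[RODATA_MASKED_OFF:RODATA_MASKED_OFF + len(masked)] = masked
    return bytes(buf)

def recover_expected(rodata: bytes, length: int) -> bytes:
    """Reproduce the read handler's computation offline: both XOR operands sit
    in .rodata, so the module file alone yields the expected input."""
    return bytes(rodata[RODATA_MASKED_OFF + i] ^ rodata[RODATA_KEY_OFF + i]
                 for i in range(length))

class CheckerDevice:
    """Model of /dev/checker as the writeup describes it: single-open guard,
    1-byte writes into a buffer, 1-byte reads verifying the pending byte.
    The accept/reject values returned by read() are assumed (writeup shows only -EINVAL)."""
    def __init__(self, rodata: bytes, length: int):
        self.rodata, self.length = rodata, length
        self.is_open, self.counter, self.pending = False, 0, None

    def open(self) -> bool:
        if self.is_open:                       # single-open guard
            return False
        self.is_open, self.counter, self.pending = True, 0, None
        return True

    def release(self) -> None:
        self.is_open = False                   # only the open flag is reset

    def write(self, data: bytes) -> int:
        if len(data) != 1:
            return EINVAL
        self.pending = data[0]                 # the one byte copied to BSS
        return 1

    def read(self, count: int) -> int:
        if count != 1 or self.counter >= self.length:   # length guard is assumed
            return EINVAL
        expected = recover_expected(self.rodata, self.length)[self.counter]
        self.counter += 1
        return 1 if self.pending == expected else 0   # assumed verdict encoding
```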
